* external.cc (cygwin_internal): Implement CW_CYGNAME_FROM_WINNAME.
authorCorinna Vinschen <corinna@vinschen.de>
Thu, 15 May 2014 11:16:28 +0000 (11:16 +0000)
committerCorinna Vinschen <corinna@vinschen.de>
Thu, 15 May 2014 11:16:28 +0000 (11:16 +0000)
Add lengthy comment to explain what we do and why.
* include/sys/cygwin.h (cygwin_getinfo_types): Add
CW_CYGNAME_FROM_WINNAME.

winsup/cygwin/ChangeLog
winsup/cygwin/external.cc
winsup/cygwin/include/sys/cygwin.h

index eb6e6589a98e5aa9a0cc47db62ca7f06c82674e4..3eeb6ceaede4204e5a6f7596ffbf6eeccdcf0ad9 100644 (file)
@@ -1,3 +1,10 @@
+2014-05-15  Corinna Vinschen  <corinna@vinschen.de>
+
+       * external.cc (cygwin_internal): Implement CW_CYGNAME_FROM_WINNAME.
+       Add lengthy comment to explain what we do and why.
+       * include/sys/cygwin.h (cygwin_getinfo_types): Add
+       CW_CYGNAME_FROM_WINNAME.
+
 2014-05-14  Corinna Vinschen  <corinna@vinschen.de>
 
        * sec_auth.cc (get_server_groups): Call get_logon_server only for
index 8eec5b1db9bc5ba358f5aa2c2635c464bf39b0f3..4480375be37616db1c44c5042163d5c6a62b1d84 100644 (file)
@@ -619,6 +619,61 @@ cygwin_internal (cygwin_getinfo_types t, ...)
        }
        break;
 
+      case CW_CYGNAME_FROM_WINNAME:
+       {
+         /* This functionality has been added mainly for sshd.  Sshd
+            calls getpwnam() with the username of the non-privileged
+            user used for privilege separation.  This is usually a
+            fixed string "sshd".  However, when using usernames from
+            the Windows DBs, it's no safe bet anymore if the username
+            is "sshd", it could also be "DOMAIN+sshd".  So what we do
+            here is this:
+
+            Sshd calls cygwin_internal (CW_CYGNAME_FROM_WINNAME,
+                                        "sshd",
+                                        username_buffer,
+                                        sizeof username_buffer);
+            
+            If this call succeeds, sshd expects the correct Cygwin
+            username of the unprivileged sshd account in username_buffer.
+
+            The below code checks for a Windows username matching the
+            incoming username, and then fetches the Cygwin username with
+            the matching SID.  This is our username used for privsep then.
+
+            Of course, other applications with similar needs can use the
+            same method. */
+         const char *winname = va_arg (arg, const char *);
+         char *buffer = va_arg (arg, char *);
+         size_t buflen = va_arg (arg, size_t);
+
+         if (!winname || !buffer || !buflen)
+           break;
+
+         PWCHAR name;
+         if (!sys_mbstowcs_alloc (&name, HEAP_BUF, winname))
+           break;
+
+         cygsid sid;
+         DWORD slen = SECURITY_MAX_SID_SIZE;
+         WCHAR dom[DNLEN + 1];
+         DWORD dlen = DNLEN + 1;
+         SID_NAME_USE acc_type;
+
+         if (!LookupAccountNameW (NULL, name, sid, &slen, dom, &dlen,
+                                  &acc_type))
+           break;
+
+         struct passwd *pw = internal_getpwsid (sid);
+         if (!pw)
+           break;
+
+         buffer[0] = '\0';
+         strncat (buffer, pw->pw_name, buflen - 1);
+         res = 0;
+       }
+       break;
+
       default:
        set_errno (ENOSYS);
     }
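Review bot: The copy at the end of the CW_CYGNAME_FROM_WINNAME case sets `res = 0` even when `pw->pw_name` does not fit, because `strncat (buffer, pw->pw_name, buflen - 1)` truncates silently; a caller such as sshd would then use a shortened name for its privilege-separation account, so it is safer to fail with `if (strlen (pw->pw_name) >= buflen) break;` before the copy. `acc_type` is filled in by LookupAccountNameW but never examined, so a name that resolves to a group, domain or computer SID is passed on to internal_getpwsid unchecked; if only user accounts are intended, add `if (acc_type != SidTypeUser) break;` after the lookup. `name` comes from `sys_mbstowcs_alloc (&name, HEAP_BUF, winname)` and is not released on any path visible here, which looks like a leak per call; confirm who owns that buffer. None of the early `break`s call `set_errno`, so a caller cannot tell bad arguments from a failed lookup. cygwin_internal starts and ends outside the hunk, so the initial value of `res` is not visible here.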
index 17fa12d436227c87c8a26414dab34c9deb055aa2..7e344ecab80f434422d2428b121ef25fef73e5b0 100644 (file)
@@ -149,7 +149,8 @@ typedef enum
     CW_ENDENT,
     CW_GETNSSSEP,
     CW_GETPWSID,
-    CW_GETGRSID
+    CW_GETGRSID,
+    CW_CYGNAME_FROM_WINNAME
   } cygwin_getinfo_types;
 
 #define CW_LOCK_PINFO CW_LOCK_PINFO
@@ -206,6 +207,7 @@ typedef enum
 #define CW_GETNSSSEP CW_GETNSSSEP
 #define CW_GETPWSID CW_GETPWSID
 #define CW_GETGRSID CW_GETGRSID
+#define CW_CYGNAME_FROM_WINNAME CW_CYGNAME_FROM_WINNAME
 
 /* Token type for CW_SET_EXTERNAL_TOKEN */
 enum