This is the mail archive of the mailing list for the Cygwin project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: ntsec patch 1: uid==gid, chmod, alloc_sd, is_grp_member

Corinna Vinschen wrote:
Hello, Corinna
> Isn't the impersonation token automatically read by OpenProcessToken()
> when an impersonation took place?

I don't think so.

> > Thus I suggest that we use the method of the patch for now, and think
> > of improving is_grp_member if/as we get specific reports of problems.
> > What do you think?
> Do you mean my one liner?  If so, I agree.  My patch is just a starting
> point.

- Has anybody reported problems with incorrect owner modes for a file owner
  different from the current process user? If not, I wouldn't even start
  writing code for it. 
  We know it can't work all the time, and that to work assuming the default
  group membership, it needs mkgroup -u (or PDC lookup). Yesterday I checked 
  that at a medium size company (~ 150 persons). There where a total of
  1047 names in the gr_mem fields. getgroups32 scans them all, every time. 
  That would be for every file stat.
- I am a little bit confused by your patch. Your intention is to skip the token
  lookup if the file uid isn't that of the current user. You then fall to the
  bottom of getgroups32. But there the gid is ALWAYS included in the group
  list (because in the context of getgroups the gid is that of the user, not
  that of a file). Thus your small patch will always report that the uid is
  a member of the gid.

> Could you then please resend the parts of your #1 patch we agreed upon?

OK. Do you want to call is_grp_member all the time or only if the current user
is the file owner?


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]