[newlib-cygwin/main] Cygwin: fetch_account_from_windows: skip LookupAccountSid for SIDs known to fail

Corinna Vinschen corinna@sourceware.org
Thu Apr 10 10:05:43 GMT 2025


https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=e04891d67ac77a0b8c1ecb8ce312c5ff8891cc46

commit e04891d67ac77a0b8c1ecb8ce312c5ff8891cc46
Author:     Corinna Vinschen <corinna@vinschen.de>
AuthorDate: Thu Apr 10 11:56:38 2025 +0200
Commit:     Corinna Vinschen <corinna@vinschen.de>
CommitDate: Thu Apr 10 12:04:02 2025 +0200

    Cygwin: fetch_account_from_windows: skip LookupAccountSid for SIDs known to fail
    
    LookupAccountSid might take a long time if an SID cannot be resolved.
    While we know some SIDs are never resolved by LookupAccountSid, we call
    it anyway and only handle them after it returned with error.
    
    (Partially?) fix this latency problem by skipping the LookupAccountSid
    call for SID groups never resolved anyway.
    
    Reported-by: Lluís Batlle i Rossell <viric@viric.name>
    Fixes: 1ca20a1cd208 ("Introduce reading passwd/group entries from SAM/AD.")
    Signed-off-by: Corinna Vinschen <corinna@vinschen.de>

Diff:
---
 winsup/cygwin/release/3.6.2 |  6 ++++++
 winsup/cygwin/uinfo.cc      | 21 +++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/winsup/cygwin/release/3.6.2 b/winsup/cygwin/release/3.6.2
new file mode 100644
index 000000000000..aee5e4408150
--- /dev/null
+++ b/winsup/cygwin/release/3.6.2
@@ -0,0 +1,6 @@
+Fixes:
+------
+
+- Fix a high latency problem when trying to fetch SID info for SIDs
+  not resolved by Windows functions anyway.
+  Addresses: https://cygwin.com/pipermail/cygwin/2025-April/257916.html
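
Review bot: The release note entry says only "SIDs not resolved by Windows functions anyway" and does not name the SID classes that now bypass the lookup. Listing them as the uinfo.cc comments do (capability SIDs, IIS APPPOOL, AzureAD, Samba user/group SIDs) would let a reader who sees changed account resolution for one of these match it to this fix, and would make clear that SIDs outside these classes can still take the slow path, in line with the "(Partially?)" in the commit message.
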
diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 27dc2892c859..83883f9f654e 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -1983,6 +1983,27 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
       break;
     case SID_arg:
       sid = *arg.sid;
+
+      /* SIDs we want to filter out before hitting LookupAccountSidW.
+	 If the latency of the AD connection is high, LookupAccountSidW
+	 might take a long time before returning with ERROR_NONE_MAPPED. */
+
+      /* Capability SIDs, just drop out, we don't handle them */
+      if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */
+	  && sid_sub_auth (sid, 0) == SECURITY_CAPABILITY_BASE_RID)
+	return NULL;
+      /* IIS APPPOOL */
+      if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
+	  && sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
+	break;
+      /* AzureAD SIDs */
+      if (sid_id_auth (sid) == 12 /* AzureAD ID */
+	  && sid_sub_auth (sid, 0) == 1 /* Azure ID base RID */)
+	break;
+      /* Samba user/group SIDs */
+      if (sid_id_auth (sid) == 22)
+	break;
+
       ret = LookupAccountSidW (NULL, sid, name, &nlen, dom, &dlen, &acc_type);
       if (!ret
 	  && cygheap->dom.member_machine ()
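
Review bot: The three new `break` paths (IIS APPPOOL, AzureAD, Samba) leave the switch before `ret` is assigned by LookupAccountSidW and before the `if (!ret && cygheap->dom.member_machine ()` fallback that these SIDs previously reached after the lookup failed. Please confirm that `ret` holds a defined failure value at that point and that skipping the fallback is intended, ideally with a one-line comment saying that the code after the switch handles these SIDs. Two smaller points in the same block: the Samba test matches every SID under authority 22 with no sub-authority check, unlike the other three tests, although the comment says "user/group SIDs", so either add the sub-authority test or say in the comment that the whole authority is skipped on purpose; and the literals 15, 5, 12, 1 and 22 are explained only by trailing comments, where named constants would keep these filters searchable alongside SECURITY_CAPABILITY_BASE_RID and SECURITY_APPPOOL_ID_BASE_RID.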

