Will all SIDs fit into |SECURITY_MAX_SID_SIZE| bytes ? / was: Re: Switching groups with newgrp - how to get the new group with |GetTokenInformation()| ?

gs-cygwin.com@gluelogic.com gs-cygwin.com@gluelogic.com
Sun Feb 25 22:32:22 GMT 2024 

On Sun, Feb 25, 2024 at 10:04:29PM +0100, Roland Mainz via Cygwin wrote:
> On Sat, Feb 24, 2024 at 7:57 PM Corinna Vinschen via Cygwin
> <cygwin@cygwin.com> wrote:
> >
> > On Feb 24 15:38, Roland Mainz via Cygwin wrote:
> > > On Thu, Feb 22, 2024 at 8:11 PM Corinna Vinschen via Cygwin
> > > <cygwin@cygwin.com> wrote:
> > > > On Feb 22 18:38, Roland Mainz via Cygwin wrote:
> > > > > If I switch the current user's group with /usr/bin/newgrp, how can a
> > > > > (native) Win32 process use
> > > > > |GetTokenInformation(GetCurrentThreadToken(), ...)| to find out which
> > > > > group is the new "current group" (e.g. which |TokenInformationClass|
> > > > > should I use) ?
> > > >
> > > >   PSID sidbuf = (PSID) alloca (SECURITY_MAX_SID_SIZE);
> > > [snip]
> > >
> > > Win32/NT API question: All known SIDs will fit into
> > > |SECURITY_MAX_SID_SIZE| bytes, right ? I'm asking because right now
> > > the ms-nfs41-client code assumes that all SIDs use a variable amount
> > > of memory, and we always have to ask the Win32/NT API about the number
> > > of bytes to allocate. If |SECURITY_MAX_SID_SIZE| is the global maximum
> > > limit for all Windows versions, then we could simplify the code a
> > > lot...
> >
> > Yes.  ACLs are size restricted to 64K, though, but that shouldn't be
> > much of a problem usally.
> 
> Erm... why ACLs? I was asking about the memory allocation size for an SID.
> 
> Example:
> Right now our code uses two calls to |LookupAccountNameA()| for the
> conversion from a Windows account name to Windows SID.
> The first call gets the allocation size for a SID, our code then
> allocates that memory, and then does a second call to
> |LookupAccountNameA()| to fill that memory with that SID.
> 
> If |SECURITY_MAX_SID_SIZE| (currently 68 bytes) is the maximum memory
> size a Windows syscall can return for a SID, then the code above could
> be simplified to a |sidmem =
> malloc(SECURITY_MAX_SID_SIZE)|+|LookupAccountNameA(..., sidmem, ...)|.
> 
> The same could be done in many many other places, leading to a
> considerable reduction of Win32 system library calls.
> 
> Question is whether the assumption about |SECURITY_MAX_SID_SIZE| is correct...

A robust solution which also reduces syscalls does not necessarily
require a precise answer here.

I suggest writing a wrapper function which has on the stack
  CSTR sidbuf[SECURITY_MAX_SID_SIZE];
and calls LookupAccountNameA() passing sidbuf as Sid.
If it succeeds, then malloc() returned cbSid value and copy sidbuf[].
If it fails because the buffer is too small, then malloc() the returned
cbSid value and call LookupAccountNameA() again.

Doing the above will keep memory use to a minimum, and will generally
call LookupAccountNameA() once per wrapper func invocation rather than
twice.

Cheers, Glenn

More information about the Cygwin mailing list