diff options
-rw-r--r-- | winsup/cygwin/uinfo.cc | 47 |
1 files changed, 29 insertions, 18 deletions
diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc index 21d729d..acbc945 100644 --- a/winsup/cygwin/uinfo.cc +++ b/winsup/cygwin/uinfo.cc @@ -2624,9 +2624,15 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) + (sid_sub_auth_rid (sid) & 0xff); #else if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */) - uid = 0x10000 + 0x100 * sid_id_auth (sid) - + 0x10 * sid_sub_auth (sid, 0) - + (sid_sub_auth_rid (sid) & 0xf); + { + /* Filter out all SIDs not referring to an App Package, for + instance, Capability SIDs (S-1-15-3-...) */ + if (sid_sub_auth (sid, 0) != SECURITY_APP_PACKAGE_BASE_RID) + return NULL; + uid = 0x10000 + 0x100 * sid_id_auth (sid) + + 0x10 * SECURITY_APP_PACKAGE_BASE_RID + + (sid_sub_auth_rid (sid) & 0xf); + } else if (sid_id_auth (sid) != 5 /* SECURITY_NT_AUTHORITY */) uid = 0x10000 + 0x100 * sid_id_auth (sid) + (sid_sub_auth_rid (sid) & 0xff); @@ -2682,21 +2688,8 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) fully_qualified_name = true; acc_type = SidTypeUnknown; } - else if (sid_id_auth (sid) == 12 && sid_sub_auth (sid, 0) == 1) - { - /* Special AzureAD group SID which can't be resolved by - LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed - as group entry, not as passwd entry. */ - if (is_passwd ()) - return NULL; - uid = gid = 0x1001; - wcpcpy (dom, L"AzureAD"); - wcpcpy (name = namebuf, L"Group"); - fully_qualified_name = true; - acc_type = SidTypeUnknown; - } - else if (sid_id_auth (sid) == 5 && - sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID) + else if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */ + && sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID) { /* Special IIS APPPOOL group SID which can't be resolved by LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed @@ -2728,6 +2721,24 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap) } acc_type = SidTypeUnknown; } + else if (sid_id_auth (sid) == 12 /* AzureAD ID */ + && sid_sub_auth (sid, 0) == 1 /* Azure ID base RID */) + { + /* Special AzureAD group SID which can't be resolved by + LookupAccountSid (ERROR_NONE_MAPPED). This is only allowed + as group entry, not as passwd entry. */ + if (is_passwd ()) + return NULL; + uid = gid = 0x1001; + wcpcpy (dom, L"AzureAD"); + wcpcpy (name = namebuf, L"Group"); + fully_qualified_name = true; + acc_type = SidTypeUnknown; + } + else if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */ + && sid_sub_auth (sid, 0) == SECURITY_CAPABILITY_BASE_RID) + /* Filter out Capability SIDs */ + return NULL; else if (sid_id_auth (sid) == 22) { /* Samba UNIX Users/Groups |