This is the mail archive of the
cygwin
mailing list for the Cygwin project.
PATCH: login under privileged user != SYSTEM
- From: Charles Wilson <cygwin at cwilson dot fastmail dot fm>
- To: Cygwin Mailing List <cygwin at cygwin dot com>
- Date: Thu, 17 Apr 2008 01:48:54 -0400
- Subject: PATCH: login under privileged user != SYSTEM
I've been trying to get all the bugs in inetutils-1.5 squashed, and I
ran into an issue with rlogin when rlogind was running under a
privileged user (that is, not SYSTEM), as is required for Windows Server
2003, 2008, and Vista.
The problem was, although rsh would honor my .rhosts and allow
passwordless operation, rlogin would not. It always asked for my password.
Internally, rlogind *knew* that the incoming connection was
"authenticated" via .rhosts, so it invoked login thus:
login -p -h <incoming hostname> -f -- <username>
where the '-f' SHOULD mean "this is already authenticated, don't ask for
the password again". But it wasn't working, because login was hardcoded
to compare the current uid to 18 (that is, SYSTEM), before allowing
passwordless auth. But rlogind/login were not running under SYSTEM.
I don't think you can simply replace the code in login, the way we did
in many of the servers, tho:
#ifdef __CYGWIN__
-#define ROOT_UID 18
+#define ROOT_UID getuid()
#else
#define ROOT_UID 0
#endif
because then you'd allow passwordless auth no matter what account login
was running under. Now, it might fail later, assuming we added code to
check whether some future setuid() succeeded or not, but I think that's
too late in the process.
So, for *login*, I changed the code from
if (uid == ROOT_UID)
to
if (is_a_ROOT_UID(uid))
and implemented a function that, depending on the underlying windows
version, either
(1) compares to 18
(2) checks that the account with the specified uid has the following
privileges:
+ SeAssignPrimaryTokenPrivilege
+ SeCreateTokenPrivilege
+ SeTcbPrivilege
+ SeIncreaseQuotaPrivilege
+ SeServiceLogonRight
(On NT/2k/XP, uid = 18 is an automatic "yes", but if uid != 18, then we
fall back to the Vista check-privileges procedure)
With these changes, I can now get passwordless rlogin when inetd is
running under a privileged user, and not SYSTEM.
Most of the code was adapted from editrights/main.c...
--
Chuck
diff -urN old/login-1.9-7/Makefile new/login-1.9-7/Makefile
--- old/login-1.9-7/Makefile 2003-08-11 15:01:41.000000000 -0400
+++ new/login-1.9-7/Makefile 2008-04-17 00:30:15.515625000 -0400
@@ -18,8 +18,8 @@
#
CFLAGS= -O
-SRCS= login.c
-OBJS= login.o
+SRCS= login.c testWindowsPrivileges.c
+OBJS= login.o testWindowsPrivileges.o
MAN= login.1
prefix=/usr
docdir=/usr/share/doc/Cygwin
@@ -27,28 +27,28 @@
DESTDIR=
EXEEXT=.exe
-all: login${EXEEXT}
+all: login$(EXEEXT)
-login${EXEEXT}: login.o
- ${CC} -o $@ ${CFLAGS} $< -lcrypt
+login$(EXEEXT): login.o testWindowsPrivileges.o
+ $(CC) -o $@ $(CFLAGS) $^ -lcrypt
clean:
- rm -f ${OBJS} core login${EXEEXT}.stackdump login${EXEEXT}
+ rm -f $(OBJS) core login$(EXEEXT).stackdump login$(EXEEXT)
cleandir: clean
- rm -f ${MAN} tags .depend
+ rm -f $(MAN) tags .depend
-depend: ${SRCS}
- mkdep -p ${CFLAGS} ${SRCS}
+depend: $(SRCS)
+ mkdep -p $(CFLAGS) $(SRCS)
-install: login${EXEEXT}
- -mkdir -p ${DESTDIR}${prefix}/bin ${DESTDIR}${docdir} ${DESTDIR}${mandir}
- install -s -m 4755 login${EXEEXT} ${DESTDIR}${prefix}/bin/login${EXEEXT}
- install -m 644 login.README ${DESTDIR}${docdir}/login.README
- install -m 644 login.1 ${DESTDIR}${mandir}/login.1
+install: login$(EXEEXT)
+ -mkdir -p $(DESTDIR)$(prefix)/bin $(DESTDIR)$(docdir) $(DESTDIR)$(mandir)
+ install -s -m 4755 login$(EXEEXT) $(DESTDIR)$(prefix)/bin/login$(EXEEXT)
+ install -m 644 login.README $(DESTDIR)$(docdir)/login.README
+ install -m 644 login.1 $(DESTDIR)$(mandir)/login.1
-lint: ${SRCS}
- lint ${CFLAGS} ${SRCS}
+lint: $(SRCS)
+ lint $(CFLAGS) $(SRCS)
-tags: ${SRCS}
- ctags ${SRCS}
+tags: $(SRCS)
+ ctags $(SRCS)
diff -urN old/login-1.9-7/login.README new/login-1.9-7/login.README
--- old/login-1.9-7/login.README 2002-08-07 14:14:53.000000000 -0400
+++ new/login-1.9-7/login.README 2008-04-17 01:26:49.968750000 -0400
@@ -8,9 +8,29 @@
======================================================================
This version now supports login w/o password, supported beginning with
-Cygwin version 1.3.6. Note that this is explicitely allowed for the
-SYSTEM user only! This change now allows interactive login with rlogin(1)
-and rsh(1) using rhosts authentication.
+Cygwin version 1.3.6. Note that this is explicitely allowed only in
+limited cases:
+ (1) NT/2k/XP: SYSTEM user, or a specially privileged user (see below)
+ (2) Windows Server 2003, 2008, and Vista: a specially privileged user
+
+The user account that login is invoked by must have the following
+privileges:
+ SeAssignPrimaryTokenPrivilege
+ SeCreateTokenPrivilege
+ SeTcbPrivilege
+ SeIncreaseQuotaPrivilege
+ SeServiceLogonRight
+On NT/2k/XP, the SYSTEM user (aka LocalSystem) has these privileges.
+However, on newer versions of Windows, it does not, and a special
+user account must be created. Most of the <server>-config scripts
+can create this account for you (such as ssh-host-config from the
+openssh package, or iu-config from the inetutils package, etc).
+
+The user account should also be a member of the local Administrators
+group (unless you are on NT/2k/XP, and are using SYSTEM).
+
+This change now allows interactive login with rlogin(1) and rsh(1) using
+rhosts authentication.
Login(1) uses all new logon features of 1.1.3. Moreover it's code is
slighty cleaned up to avoid compiler warnings.
@@ -20,7 +40,7 @@
can use `crypt.exe' from the crypt package on the same site or you
copy your encrypted password from your Linux box.
-The rest of the description is for NT/W2K.
+The rest of the description is for NT/W2K/XP/Vista/...
For usage with NT/W2K security, `login' is patched to allow login of
domain users. Setting CYGWIN=ntsec is mandatory for that feature.
diff -urN old/login-1.9-7/login.c new/login-1.9-7/login.c
--- old/login-1.9-7/login.c 2003-08-11 15:01:41.000000000 -0400
+++ new/login-1.9-7/login.c 2008-04-17 01:16:37.343750000 -0400
@@ -71,11 +71,22 @@
#endif
#ifdef __CYGWIN__
-#define ROOT_UID 18 // system
+static int is_a_ROOT_UID(uid_t uid);
+extern int testUserRightsByUID(uid_t uid, const char** strRightsToTest, ULONG intRightsToTestCount);
#else
-#define ROOT_UID 0
+#define is_a_ROOT_UID(uid) ((int) ((uid) == 0))
#endif
+static void getloginname();
+static void timedout();
+static void motd();
+static void sigint();
+static void checknologin();
+static void dolastlog(int quiet);
+static void badlogin(char *name);
+static void getstr(char *buf, int cnt, char *err);
+static void sleepexit(int eval);
+
/*
* This bounds the time given to login. Not a define so it can
* be patched on machines where it's too small.
@@ -101,7 +112,6 @@
gid_t priv_gid;
uid_t priv_uid;
#endif
- void timedout();
char *domain, *salt, *envinit[1], *ttyn, *pp;
char tbuf[MAXPATHLEN + 2];
char *ttyname(), *crypt(), *getpass();
@@ -131,7 +141,7 @@
break;
case 'h':
#ifndef __CYGWIN__
- if (getuid()) {
+ if (!is_a_ROOT_UID(getuid())) {
fprintf(stderr,
"login: -h for super-user only.\n");
exit(1);
@@ -198,7 +208,7 @@
else
salt = "xx";
/* if user not super-user, check for disabled logins */
- if (pwd == NULL || pwd->pw_uid)
+ if (pwd == NULL || !is_a_ROOT_UID(pwd->pw_uid))
checknologin();
/*
@@ -208,8 +218,8 @@
if (fflag && pwd) {
int uid = getuid();
- passwd_req = pwd->pw_uid == ROOT_UID ||
- (uid != ROOT_UID && uid != pwd->pw_uid);
+ passwd_req = is_a_ROOT_UID(pwd->pw_uid) ||
+ ((!is_a_ROOT_UID(uid)) && (uid != pwd->pw_uid));
}
/*
@@ -342,7 +352,7 @@
if (tty[sizeof("tty")-1] == 'd')
syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
- if (pwd->pw_uid == 0)
+ if (is_a_ROOT_UID(pwd->pw_uid))
if (hostname)
syslog(LOG_NOTICE, "ROOT LOGIN ON %s FROM %s",
tty, hostname);
@@ -373,7 +383,7 @@
exit(0);
}
-getloginname()
+static void getloginname()
{
register int ch;
register char *p;
@@ -401,7 +411,7 @@
}
}
-timedout()
+static void timedout()
{
fprintf(stderr, "Login timed out after %d seconds\n", timeout);
exit(0);
@@ -409,10 +419,10 @@
jmp_buf motdinterrupt;
-motd()
+static void motd()
{
register int fd, nchars;
- void (*oldint)(), sigint();
+ void (*oldint)();
char tbuf[8192];
if ((fd = open(MOTDFILE, O_RDONLY, 0)) < 0)
@@ -425,12 +435,12 @@
(void)close(fd);
}
-sigint()
+static void sigint()
{
longjmp(motdinterrupt, 1);
}
-checknologin()
+static void checknologin()
{
register int fd, nchars;
char tbuf[8192];
@@ -442,8 +452,7 @@
}
}
-dolastlog(quiet)
- int quiet;
+static void dolastlog(int quiet)
{
struct lastlog ll;
int fd;
@@ -474,8 +483,7 @@
}
}
-badlogin(name)
- char *name;
+static void badlogin(char *name)
{
if (failures == 0)
return;
@@ -488,9 +496,7 @@
}
-getstr(buf, cnt, err)
- char *buf, *err;
- int cnt;
+static void getstr(char *buf, int cnt, char *err)
{
char ch;
@@ -505,10 +511,103 @@
} while (ch);
}
-sleepexit(eval)
- int eval;
+static void sleepexit(int eval)
{
sleep((u_int)5);
exit(eval);
}
+#ifdef __CYGWIN__
+static int is_a_ROOT_UID(uid_t uid)
+{
+ static const uid_t SYSTEM_UID = 18;
+ static const gid_t ADMIN_GID = 544;
+ static const char* REQUIRED_PRIVS[] = {
+ "SeAssignPrimaryTokenPrivilege",
+ "SeCreateTokenPrivilege",
+ "SeTcbPrivilege",
+ //"SeDenyInteractiveLogonRight",
+ //"SeDenyNetworkLogonRight",
+ //"SeDenyRemoteInteractiveLogonRight",
+ "SeIncreaseQuotaPrivilege",
+ "SeServiceLogonRight"
+ };
+ static const ULONG NUM_REQUIRED_PRIV = 5;
+
+ int check_capabilities = 0;
+ OSVERSIONINFOEX osvi;
+ BOOL bOsVersionInfoEx;
+ struct passwd *pw;
+
+ ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
+ osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
+ if( !(bOsVersionInfoEx = GetVersionEx ((OSVERSIONINFO *) &osvi)) )
+ return 0; /* not a root id */
+
+ if (VER_PLATFORM_WIN32_WINDOWS==osvi.dwPlatformId)
+ return 1; /* everybody is a root user on Win9x */
+
+ if ((VER_PLATFORM_WIN32_NT==osvi.dwPlatformId) &&
+ (osvi.dwMajorVersion == 4))
+ {
+ /* NT kernel, but older than W2k */
+ /* only check for SYSTEM_UID */
+ return (uid == SYSTEM_UID);
+ }
+
+ if ((VER_PLATFORM_WIN32_NT==osvi.dwPlatformId) &&
+ (osvi.dwMajorVersion == 5))
+ {
+ /* Windows Server 2003 R2, Windows Server 2003,
+ Windows XP, or Windows 2000. */
+ if (osvi.dwMinorVersion < 2)
+ {
+ /* 2k or XP; check for SYSTEM_UID */
+ if (uid == SYSTEM_UID)
+ return 1;
+ /* otherwise, need to check capabilities */
+ }
+ check_capabilities = 1;
+ }
+
+ if ((VER_PLATFORM_WIN32_NT==osvi.dwPlatformId) &&
+ (osvi.dwMajorVersion == 6))
+ {
+ /* Vista, Server2008, and above */
+ check_capabilities = 1;
+ }
+
+ if (!check_capabilities)
+ {
+ /* how did we get here? Some unsupported OS -- either
+ too new, or too old. Just say it's not a root user,
+ which will effectively force the client to re-
+ authenticate */
+ return 0;
+ }
+
+ /* check capabilities */
+ pw = getpwuid(uid);
+
+ /* not in /etc/passwd. say it is not root. */
+ if (!pw)
+ return 0;
+
+ /* Should make sure gid is Administrators (544)
+ * However, by default cyg_server is a member of both
+ * Administrators and Users, and the primary one --
+ * which is easy to get to via struct passwd -- is Users.
+ * So, we really have to crib code from mkgroups, and
+ * enumerate through all the members of the Administrators
+ * group, then use cygwin_internal(CW_GET_UID_FROM_SID, ...)
+ * and compare see if one of those uid's matches this one.
+ * for now, punt.
+ *
+ * if (pw->pw_gid != ADMIN_GID)
+ * return 0;
+ */
+
+ /* returns non-zero if the account DOES have all specified privileges */
+ return testUserRightsByUID(uid, REQUIRED_PRIVS, NUM_REQUIRED_PRIV);
+}
+#endif
diff -urN old/login-1.9-7/testWindowsPrivileges.c new/login-1.9-7/testWindowsPrivileges.c
--- old/login-1.9-7/testWindowsPrivileges.c 1969-12-31 19:00:00.000000000 -0500
+++ new/login-1.9-7/testWindowsPrivileges.c 2008-04-17 00:50:55.171875000 -0400
@@ -0,0 +1,229 @@
+/***************************************************************************
+* testWindowsPrivileges -- adapted from editrights/main.c. Original
+* copyright notice and license text follows.
+*
+* ==========================================================================
+* editrights version 1.01: a cygwin application to edit user
+* rights on a windows NT system
+*
+* Copyright (c) 2003, Chris Rodgers <editrights-at-bulk.rodgers.org.uk>
+* All rights reserved.
+*
+* Redistribution and use in source and binary forms, with or
+* without modification, are permitted provided that the following
+* conditions are met:
+*
+* Redistributions of source code must retain the above copyright notice,
+* this list of conditions and the following disclaimer.
+*
+* Redistributions in binary form must reproduce the above copyright
+* notice, this list of conditions and the following disclaimer in the
+* documentation and/or other materials provided with the distribution.
+*
+* The name of Chris Rodgers may not be used to endorse or promote
+* products derived from this software without specific prior written
+* permission.
+*
+* THIS SOFTWARE IS PROVIDED BY CHRIS RODGERS "AS IS" AND ANY EXPRESS
+* OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL CHRIS RODGERS BE LIABLE FOR ANY
+* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+* GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+* IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+* IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+* ==========================================================================
+*
+****************************************************************************/
+
+/* Copyright (C) 2007 Jari Aalto; Licenced under GPL v2 or later */
+
+#include <unistd.h>
+#include <pwd.h>
+#include <sys/cygwin.h>
+#include <syslog.h>
+#include <wchar.h>
+#include <windows.h>
+#include <wininet.h>
+#include <lmcons.h>
+#include <ntsecapi.h>
+#include <ddk/ntstatus.h>
+
+/* Macros */
+#define NTCHECKERROR(StatusWanted,LogLevel,Function,API,retval) if(retval!=StatusWanted) { \
+ syslog(LogLevel,"Error in " Function " (" API " returned 0x%x)",retval); \
+ NTCHECKERROR_FAILED = 1; }
+
+/* Prototypes */
+PSID getSID(LSA_HANDLE hLSA, const char* strUser);
+PLSA_UNICODE_STRING makeLSAStringA(PLSA_UNICODE_STRING strLSA, const char* strIn, size_t len);
+LSA_HANDLE openPolicy(const char* strMachine, ACCESS_MASK access);
+int testUserRights(LSA_HANDLE hLSA, const char* strUser, const char** strRightsToTest, ULONG intRightsToTestCount);
+int testUserRightsByUID(uid_t uid, const char** strRightsToTest, ULONG intRightsToTestCount);
+
+/* like testUserRights, returns 0 if uid does NOT have all of the required privileged,
+ and returns non-zero if it DOES. */
+int testUserRightsByUID(uid_t uid, const char** strRightsToTest, ULONG intRightsToTestCount)
+{
+ int retVal = 0;
+ LSA_HANDLE hLSA;
+ struct passwd* pw;
+ char strUser [UNLEN + 1];
+ char* domain = (char *) alloca (INTERNET_MAX_HOST_NAME_LENGTH + 1);
+
+ pw = getpwuid(uid);
+ if (!pw) return retVal;
+ cygwin_internal(CW_EXTRACT_DOMAIN_AND_USER, pw, domain, strUser);
+
+ hLSA=openPolicy(NULL,POLICY_ALL_ACCESS); /* always this machine */
+ if (hLSA)
+ {
+ retVal = testUserRights(hLSA, strUser, strRightsToTest, intRightsToTestCount);
+ LsaClose(hLSA);
+ }
+ return retVal;
+}
+
+/* Set an LSA_UNICODE_STRING based on an ascii string. *
+ * strLSA->Buffer must point to allocated storage of *
+ * size (len+1) * sizeof(WCHAR). */
+PLSA_UNICODE_STRING makeLSAStringA(PLSA_UNICODE_STRING strLSA, const char* strIn, size_t len)
+{
+ if (!strIn) /* Fed NULL pointer */
+ {
+ strLSA->Buffer[0]=0; /* unicode NULL char */
+ strLSA->Length=0;
+ strLSA->MaximumLength=0;
+ }
+ else
+ {
+ mbstate_t mbst = {0}; /* multibyte char initial state. */
+ mbsrtowcs(strLSA->Buffer, &strIn, len, &mbst);
+ strLSA->Buffer[len]=0; /* NULL terminate. */
+ strLSA->Length=wcslen(strLSA->Buffer) * sizeof(WCHAR);
+ strLSA->MaximumLength=strLSA->Length + sizeof(WCHAR);
+ }
+ return strLSA;
+}
+
+/* Open a connection to the Local Security Authority *
+ * Policy object on the specified system. */
+LSA_HANDLE openPolicy(const char* strMachine, ACCESS_MASK access)
+{
+ LSA_OBJECT_ATTRIBUTES objattr;
+ LSA_HANDLE hLSA;
+ NTSTATUS status;
+ LSA_UNICODE_STRING machine;
+ int c;
+ int NTCHECKERROR_FAILED = 0;
+
+ c = strMachine ? strlen(strMachine) : 0;
+ machine.Buffer=(PWSTR)alloca((c+1)*2); /* Keep within this function so we *
+ * can use alloca(...) */
+ makeLSAStringA(&machine,strMachine,c);
+
+ objattr.Length=sizeof(objattr); /* Reserved structure */
+ objattr.RootDirectory=NULL;
+ objattr.ObjectName=NULL;
+ objattr.Attributes=0;
+ objattr.SecurityDescriptor=NULL;
+ objattr.SecurityQualityOfService=NULL;
+
+ status=LsaOpenPolicy(
+ machine.Length ? &machine : NULL, /* If no machine, use localhost. */
+ &objattr,access,&hLSA);
+ NTCHECKERROR(STATUS_SUCCESS,LOG_WARNING,"openPolicy","LsaOpenPolicy",status)
+ return hLSA;
+}
+
+int testUserRights(LSA_HANDLE hLSA, const char* strUser, const char** strRightsToTest, ULONG intRightsToTestCount)
+{
+ /* Test if the user has the specified rights. Returns zero if they don't all match, non-zero if they do all match. */
+ PLSA_UNICODE_STRING UserRights;
+ ULONG CountOfRights;
+ NTSTATUS status;
+ int c,d;
+ int intMatched=0;
+ int NTCHECKERROR_FAILED = 0;
+
+ PSID Sid=getSID(hLSA,strUser);
+ if (!Sid)
+ {
+ return 0;
+ }
+
+ status=LsaEnumerateAccountRights(
+ hLSA,
+ Sid,
+ &UserRights,
+ &CountOfRights
+ );
+
+ LocalFree(Sid);
+
+ NTCHECKERROR(STATUS_SUCCESS && status!=STATUS_OBJECT_NAME_NOT_FOUND,LOG_WARNING,\
+ "testUserRights","LsaEnumerateAccountRights",status);
+ if (NTCHECKERROR_FAILED)
+ {
+ return 0;
+ }
+
+ for (c=0;c<CountOfRights;c++)
+ {
+ const wchar_t* src=UserRights[c].Buffer;
+ size_t len=wcslen(src);
+ mbstate_t mbst = {0}; /* multibyte char initial state. */
+ char* rightname=alloca(len+1); /* allocate 1 byte per character + 1 byte for null terminator. */
+ rightname[wcsrtombs(rightname, &src, len, &mbst)]='\0';
+ for (d=0;d<intRightsToTestCount;d++)
+ {
+ if (!stricmp(rightname,strRightsToTest[d])) intMatched++;
+ }
+ }
+ return(intMatched==intRightsToTestCount);
+}
+
+/* Warning: The caller must call LocalFree() on the returned PSID */
+PSID getSID(LSA_HANDLE hLSA, const char* strUser)
+{
+ LSA_UNICODE_STRING lsastrUser;
+ PLSA_REFERENCED_DOMAIN_LIST referencedDomains;
+ PLSA_TRANSLATED_SID sids;
+ int c;
+ ULONG cSubAuth, NewSidLength;
+ PSID NewSid;
+ NTSTATUS status;
+ LPTSTR strSid;
+ BOOL bStatus;
+ int NTCHECKERROR_FAILED = 0;
+
+ c = strUser ? strlen(strUser) : 0;
+ lsastrUser.Buffer=(PWSTR)alloca((c+1)*2); /* Keep within this function so we *
+ * can use alloca() */
+ makeLSAStringA(&lsastrUser,strUser,c);
+
+ status=LsaLookupNames(hLSA,1,&lsastrUser,&referencedDomains,&sids);
+ NTCHECKERROR(STATUS_SUCCESS,LOG_WARNING,"getSID","LsaLookupNames",status);
+ if (NTCHECKERROR_FAILED)
+ {
+ if (referencedDomains) { LsaFreeMemory(referencedDomains); }
+ if (sids) { LsaFreeMemory(sids); }
+ return NewSid; /* which is NULL */
+ }
+
+ cSubAuth = *GetSidSubAuthorityCount(referencedDomains->Domains[sids->DomainIndex].Sid);
+ NewSidLength = GetSidLengthRequired((UCHAR) (cSubAuth + 1));
+ NewSid = (PSID) LocalAlloc(0, NewSidLength);
+ CopySid(NewSidLength,NewSid,referencedDomains->Domains[sids->DomainIndex].Sid);
+ *GetSidSubAuthorityCount(NewSid) = (UCHAR) cSubAuth + 1;
+ *GetSidSubAuthority(NewSid, cSubAuth) = sids->RelativeId;
+
+ LsaFreeMemory(referencedDomains);
+ LsaFreeMemory(sids);
+
+ return NewSid;
+}
+
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/