Home
My Posts

Archive
Login
Signup

Recent Posts

Free subdomains

Want your own xyz.kpaste.net sub-domain for your community? Just type the address into your browser address bar (foo.xyz.kpaste.net is also supported).

Suggestions/Bugs?

Email us at . Try to include as much info as possible.

About

Pastebin is a tool for collaborative debugging or editing.

 

msnfs41client: Patch to remove hardcoded domain, Win32AuthentificationId in NFSv4.1 client id hash, VC19 installer config+misc, 2024-06-11
Posted by Anonymous on Tue 11th Jun 2024 17:21
raw | new post

Submit a correction or amendment below (click here to make a fresh posting)
After submitting an amendment, you'll be able to view the differences between the old and new posts easily.

Syntax highlighting: None Bash C C++ CSS Diff HTML mIRC Script Perl PHP Python Smarty XML ---------------------------- ABAP Actionscript ADA Apache Log AppleScript APT sources.list ASM ASP AutoIT Bash C C# C++ C++ (with QT) CSS Diff HTML INI (Config Files) Java Javascript Lua Make mIRC Script MySQL NSIS Perl PHP Python Q(uick)BASIC robots Ruby Ruby on Rails SDLBasic Smarty SQL TCL Text VB.NET Visual BASIC Visual Fox Pro Visual Prolog Windows Registry Files XML Xorg.conf

To highlight particular lines, prefix each line with {%HIGHLIGHT}
From c83dd8f0c5e40274985eb1c74b4ebcf710c8fb8a Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 11 Jun 2024 14:06:51 +0200 Subject: [PATCH 1/5] daemon,cygwin: Do not hardcode and/or overwrite domainname Do not hardcode the domain name to "GLOBAL.LOC", nor overwrite a domain name which has been previously set. msnfs41client.bash will still set the system's domain name to "GLOBAL.LOC" if there is no domain name. Reported-by: Dan Shelton <dan.f.shelton@gmail.com> Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- cygwin/devel/msnfs41client.bash | 16 ++++++++++++---- daemon/idmap.c | 20 ++++++++++++++++---- daemon/idmap.h | 2 +- daemon/nfs41_daemon.c | 5 ++++- 4 files changed, 33 insertions(+), 10 deletions(-) diff --git a/cygwin/devel/msnfs41client.bash b/cygwin/devel/msnfs41client.bash index ffce9be..2b66485 100644 --- a/cygwin/devel/msnfs41client.bash +++ b/cygwin/devel/msnfs41client.bash @@ -143,7 +143,13 @@ function nfsclient_install bcdedit /dbgsettings local # set domain name + typeset win_domainname='' + if [[ -f '/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Domain' ]] ; then + win_domainname="$( strings '/proc/registry/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Domain' )" + fi + if [[ "${win_domainname}" == '' ]] ; then regtool -s set '/HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/Domain' 'GLOBAL.LOC' + fi # disable DFS sc query Dfsc @@ -204,10 +210,11 @@ function nfsclient_rundeamon { set -o nounset - printf '# user='%s' uname='%s' isadmin=%d\n' \ + printf '# user="%s" uname="%s" isadmin=%d domainname="%s"\n' \ "$(id -u -n)" \ "$(uname -a)" \ - "$(is_windows_admin_account ; printf "%d\n" $((${?}?0:1)))" + "$(is_windows_admin_account ; printf "%d\n" $((${?}?0:1)))" \ + "$(domainname)" # sync before starting nfs41 client daemon, to limit the damage # if the kernel module generates a crash on startup @@ -301,10 +308,11 @@ function nfsclient_system_rundeamon { set -o nounset - printf '# user='%s' uname='%s' isadmin=%d\n' \ + printf '# user="%s" uname="%s" isadmin=%d domainname="%s"\n' \ "$(id -u -n)" \ "$(uname -a)" \ - "$(is_windows_admin_account ; printf "%d\n" $((${?}?0:1)))" + "$(is_windows_admin_account ; printf "%d\n" $((${?}?0:1)))" \ + "$(domainname)" # sync before starting nfs41 client daemon, to limit the damage # if the kernel module generates a crash on startup diff --git a/daemon/idmap.c b/daemon/idmap.c index 8fe4fd4..82d058f 100644 --- a/daemon/idmap.c +++ b/daemon/idmap.c @@ -84,6 +84,7 @@ static const char CONFIG_FILENAME[] = "C:\\etc\\ms-nfs41-idmap.conf"; struct idmap_config { /* ldap server information */ char hostname[NFS41_HOSTNAME_LEN+1]; + char localdomain_name[NFS41_HOSTNAME_LEN+1]; UINT port; UINT version; UINT timeout; @@ -728,7 +729,8 @@ static int idmap_lookup_user( ("# ATTR_USER_NAME: cygwin_getent_passwd: returned '%s', uid=%u, gid=%u\n", lookup->value, (unsigned int)cy_uid, (unsigned int)cy_gid)); (void)snprintf(principal_name, sizeof(principal_name), - "%s@%s", (const char *)lookup->value, "GLOBAL.LOC"); + "%s@%s", (const char *)lookup->value, + context->config.localdomain_name); StringCchCopyA(user->username, VAL_LEN, lookup->value); StringCchCopyA(user->principal, VAL_LEN, principal_name); user->uid = cy_uid; @@ -758,7 +760,8 @@ static int idmap_lookup_user( ("# ATTR_PRINCIPAL: cygwin_getent_passwd: returned '%s', uid=%u, gid=%u\n", lookup->value, (unsigned int)cy_uid, (unsigned int)cy_gid)); (void)snprintf(principal_name, sizeof(principal_name), - "%s@%s", (const char *)lookup->value, "GLOBAL.LOC"); + "%s@%s", (const char *)lookup->value, + context->config.localdomain_name); if (!strcmp(principal_name, lookup->value)) { StringCchCopyA(user->username, VAL_LEN, search_name); @@ -785,7 +788,8 @@ static int idmap_lookup_user( DPRINTF(CYGWINIDLVL, ("# ATTR_UID: cygwin_getent_passwd: returned '%s', uid=%u, gid=%u\n", res_username, (unsigned int)cy_uid, (unsigned int)cy_gid)); - (void)snprintf(principal_name, sizeof(principal_name), "%s@%s", res_username, "GLOBAL.LOC"); + (void)snprintf(principal_name, sizeof(principal_name), + "%s@%s", res_username, context->config.localdomain_name); StringCchCopyA(user->username, VAL_LEN, res_username); StringCchCopyA(user->principal, VAL_LEN, principal_name); @@ -929,7 +933,7 @@ out: /* public idmap interface */ int nfs41_idmap_create( - struct idmap_context **context_out) + struct idmap_context **context_out, const char *localdomain_name) { struct idmap_context *context; int status = NO_ERROR; @@ -940,6 +944,14 @@ int nfs41_idmap_create( goto out; } + (void)strcpy_s(context->config.localdomain_name, + sizeof(context->config.localdomain_name), + localdomain_name); + if (context == NULL) { + status = GetLastError(); + goto out; + } + /* initialize the caches */ cache_init(&context->users, &user_cache_ops); cache_init(&context->groups, &group_cache_ops); diff --git a/daemon/idmap.h b/daemon/idmap.h index 82b5867..6a74458 100644 --- a/daemon/idmap.h +++ b/daemon/idmap.h @@ -30,7 +30,7 @@ typedef struct idmap_context nfs41_idmapper; int nfs41_idmap_create( - nfs41_idmapper **context_out); + nfs41_idmapper **context_out, const char *localdomain_name); void nfs41_idmap_free( nfs41_idmapper *context); diff --git a/daemon/nfs41_daemon.c b/daemon/nfs41_daemon.c index febca0d..4797b00 100644 --- a/daemon/nfs41_daemon.c +++ b/daemon/nfs41_daemon.c @@ -762,7 +762,10 @@ VOID ServiceStart(DWORD argc, LPTSTR *argv) nfs41_server_list_init(); if (cmd_args.ldap_enable) { - status = nfs41_idmap_create(&(nfs41_dg.idmapper)); + EASSERT(nfs41_dg.localdomain_name[0] != '\0'); + + status = nfs41_idmap_create(&(nfs41_dg.idmapper), + nfs41_dg.localdomain_name); if (status) { eprintf("id mapping initialization failed with %d\n", status); goto out_logs; -- 2.45.1 From a34d4989fea0ec44920d93d3e504920e170bb099 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 11 Jun 2024 15:04:26 +0200 Subject: [PATCH 2/5] libtirpc: Add debug code to hunt for callback deadlocks Add debug code to hunt for callback deadlocks Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- libtirpc/src/clnt_vc.c | 59 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 4 deletions(-) diff --git a/libtirpc/src/clnt_vc.c b/libtirpc/src/clnt_vc.c index f15eb38..7b3962f 100644 --- a/libtirpc/src/clnt_vc.c +++ b/libtirpc/src/clnt_vc.c @@ -93,6 +93,9 @@ #include <rpc/rpc.h> #include "rpc_com.h" +#define DEBUG_TIRPC_CB_DEADLOCKS 1 + + #define MCALL_MSG_SIZE 24 #define CMGROUP_MAX 16 @@ -175,6 +178,7 @@ static cond_t *vc_cv; /* XXX Need Windows signal/event stuff XXX */ #define release_fd_lock(fd, mask) { \ mutex_lock(&clnt_fd_lock); \ + assert(vc_fd_locks[(fd)] != 0); \ vc_fd_locks[(fd)] = 0; \ \ cond_broadcast(&vc_cv[(fd)]); \ @@ -195,6 +199,20 @@ static const char clnt_vc_str[] = "clnt_vc_create"; static const char clnt_read_vc_str[] = "read_vc"; static const char __no_mem_str[] = "out of memory"; +#ifdef DEBUG_TIRPC_CB_DEADLOCKS +#define TIRPCDbgEnter() __try { +#define TIRPCDbgLeave() ; } \ + __except(EXCEPTION_EXECUTE_HANDLER) { \ + (void)fprintf(stderr, \ + "#### FATAL: exception in " \ + "thr=%04lx'%s'/%ld ####\n", \ + (long)GetCurrentThreadId(), \ + __FILE__, (long)__LINE__); } +#else +#define TIRPCDbgEnter() +#define TIRPCDbgLeave() +#endif /* DEBUG_TIRPC_CB_DEADLOCKS */ + /* callback thread */ #define CALLBACK_TIMEOUT 5000 #define RQCRED_SIZE 400 /* this size is excessive */ @@ -211,19 +229,44 @@ static unsigned int WINAPI clnt_cb_thread(void *args) (void)fprintf(stderr/*stdout*/, "%04lx: cb: Callback thread running\n", (long)GetCurrentThreadId()); + +#ifdef DEBUG_TIRPC_CB_DEADLOCKS + int cond_wait_timed_fails; + DWORD lasterr; + +loop_restart: +#endif /* DEBUG_TIRPC_CB_DEADLOCKS */ while(1) { cb_req header; void *res = NULL; + +#ifdef DEBUG_TIRPC_CB_DEADLOCKS + TIRPCDbgEnter(); +#endif /* DEBUG_TIRPC_CB_DEADLOCKS */ mutex_lock(&clnt_fd_lock); +#ifdef DEBUG_TIRPC_CB_DEADLOCKS + cond_wait_timed_fails = 0; +#endif /* DEBUG_TIRPC_CB_DEADLOCKS */ while (vc_fd_locks[ct->ct_fd] || !ct->use_stored_reply_msg || (ct->use_stored_reply_msg && ct->reply_msg.rm_direction != CALL)) { if (cl->shutdown) break; - if (!cond_wait_timed(&vc_cv[ct->ct_fd], &clnt_fd_lock, - CALLBACK_TIMEOUT)) + if (!cond_wait_timed(&vc_cv[ct->ct_fd], &clnt_fd_lock, + CALLBACK_TIMEOUT)) { +#ifdef DEBUG_TIRPC_CB_DEADLOCKS + lasterr = GetLastError(); + if (cond_wait_timed_fails++ > 2) { + mutex_unlock(&clnt_fd_lock); + (void)fprintf(stdout, + "%04lx: cb: possible deadlockm, lasterr=%d\n", + (long)GetCurrentThreadId(), (int)lasterr); + goto loop_restart; + } +#endif /* DEBUG_TIRPC_CB_DEADLOCKS */ if (!vc_fd_locks[ct->ct_fd]) break; + } } vc_fd_locks[ct->ct_fd] = 1; mutex_unlock(&clnt_fd_lock); @@ -316,6 +359,9 @@ skip_setlastfrag: ct->ct_wait.tv_sec = saved_timeout_sec; ct->ct_wait.tv_usec = saved_timeout_usec; release_fd_lock(ct->ct_fd, mask); +#ifdef DEBUG_TIRPC_CB_DEADLOCKS + TIRPCDbgLeave(); +#endif /* DEBUG_TIRPC_CB_DEADLOCKS */ } out: return status; @@ -541,7 +587,9 @@ clnt_vc_call(cl, proc, xdr_args, args_ptr, xdr_results, results_ptr, timeout) #else /* XXX Need Windows signal/event stuff XXX */ #endif - enum clnt_stat status; + enum clnt_stat status = RPC_SYSTEMERROR; + + TIRPCDbgEnter(); assert(cl != NULL); @@ -586,7 +634,8 @@ call_again: } if (! shipnow) { release_fd_lock(ct->ct_fd, mask); - return (RPC_SUCCESS); + status = RPC_SUCCESS; + goto out_status; } #ifdef NO_CB_4_KRB5P @@ -711,6 +760,8 @@ call_again: out: status = ct->ct_error.re_status; release_fd_lock(ct->ct_fd, mask); +out_status: + TIRPCDbgLeave(); return status; } -- 2.45.1 From 9b5619ff7dcb589d910574ce724b114d5effc613 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 11 Jun 2024 16:13:58 +0200 Subject: [PATCH 3/5] daemon: Logging same user with different AuthenticationIds causes session issues Logging same user with different AuthenticationIds (same user, one time as normal login, and one time with Adminstrator priviledges) causes NFSv4.1 session issues. Issue is that each AuthenticationId LUID requires a seperate nfs_mount, but |nfs41_client_owner()| does not generate a different hash. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- daemon/nfs41_client.c | 26 ++++++++++++++++++++++++++ daemon/util.c | 21 +++++++++++++++++++++ daemon/util.h | 1 + 3 files changed, 48 insertions(+) diff --git a/daemon/nfs41_client.c b/daemon/nfs41_client.c index 361794d..8b16cf4 100644 --- a/daemon/nfs41_client.c +++ b/daemon/nfs41_client.c @@ -369,6 +369,7 @@ int nfs41_client_owner( const ULONGLONG time_created = GetTickCount64(); int status; char username[UNLEN+1]; + LUID authenticationid; /* * gisburn: What about primary group (for /usr/bin/newgrp @@ -381,6 +382,19 @@ int nfs41_client_owner( goto out; } + if (!get_token_authenticationid(GetCurrentThreadEffectiveToken(), + &authenticationid)) { + status = GetLastError(); + eprintf("get_token_authenticationid() failed with %d\n", status); + goto out; + } + + DPRINTF(0, ("nfs41_client_owner: " + "username='%s' authenticationid=(0x%x/0x%lx)\n", + username, + (int)authenticationid.LowPart, + (long)authenticationid.HighPart)); + /* owner.verifier = "time created" */ memcpy(owner->co_verifier, &time_created, sizeof(time_created)); @@ -415,6 +429,18 @@ int nfs41_client_owner( goto out_hash; } + if (!CryptHashData(hash, (const BYTE*)&authenticationid.LowPart, (DWORD)sizeof(DWORD), 0)) { + status = GetLastError(); + eprintf("CryptHashData() failed with %d\n", status); + goto out_hash; + } + + if (!CryptHashData(hash, (const BYTE*)&authenticationid.HighPart, (DWORD)sizeof(LONG), 0)) { + status = GetLastError(); + eprintf("CryptHashData() failed with %d\n", status); + goto out_hash; + } + if (!CryptHashData(hash, (const BYTE*)&port, (DWORD)sizeof(port), 0)) { status = GetLastError(); eprintf("CryptHashData() failed with %d\n", status); diff --git a/daemon/util.c b/daemon/util.c index 79a2312..c4e0dd7 100644 --- a/daemon/util.c +++ b/daemon/util.c @@ -842,6 +842,27 @@ bool get_token_primarygroup_name(HANDLE tok, char *out_buffer) return true; } +bool get_token_authenticationid(HANDLE tok, LUID *out_authenticationid) +{ + DWORD tokdatalen; + PTOKEN_GROUPS_AND_PRIVILEGES ptgp; + + tokdatalen = sizeof(TOKEN_GROUPS_AND_PRIVILEGES)+GETTOKINFO_EXTRA_BUFFER; + ptgp = _alloca(tokdatalen); + if (!GetTokenInformation(tok, TokenGroupsAndPrivileges, ptgp, + tokdatalen, &tokdatalen)) { + eprintf("get_token_authenticationid: " + "GetTokenInformation(tok=0x%p, TokenGroupsAndPrivileges) failed, " + "status=%d\n", + (void *)tok, (int)GetLastError()); + return false; + } + + *out_authenticationid = ptgp->AuthenticationId; + + return true; +} + bool set_token_privilege(HANDLE tok, const char *seprivname, bool enable_priv) { TOKEN_PRIVILEGES tp; diff --git a/daemon/util.h b/daemon/util.h index e350cf8..20922a3 100644 --- a/daemon/util.h +++ b/daemon/util.h @@ -306,6 +306,7 @@ bool getwinntversionnnumbers(DWORD *MajorVersionPtr, DWORD *MinorVersionPtr, DWO bool get_token_user_name(HANDLE tok, char *out_buffer); bool get_token_primarygroup_name(HANDLE tok, char *out_buffer); +bool get_token_authenticationid(HANDLE tok, LUID *out_authenticationid); bool set_token_privilege(HANDLE tok, const char *seprivname, bool enable_priv); -- 2.45.1 From a7d4c6742a29a6212d0f6d717a905b32647e5f21 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 11 Jun 2024 16:50:13 +0200 Subject: [PATCH 4/5] build.vc19,daemon: Factor out access token code to its own source file Factor out access token code to its own source file Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- build.vc19/nfsd/nfsd.vcxproj | 2 + daemon/accesstoken.c | 185 +++++++++++++++++++++++++++++++++++ daemon/accesstoken.h | 33 +++++++ daemon/daemon_debug.c | 1 + daemon/nfs41_client.c | 1 + daemon/nfs41_daemon.c | 1 + daemon/open.c | 1 + daemon/util.c | 162 ------------------------------ daemon/util.h | 6 -- 9 files changed, 224 insertions(+), 168 deletions(-) create mode 100644 daemon/accesstoken.c create mode 100644 daemon/accesstoken.h diff --git a/build.vc19/nfsd/nfsd.vcxproj b/build.vc19/nfsd/nfsd.vcxproj index 4b1ec49..cc98f3c 100644 --- a/build.vc19/nfsd/nfsd.vcxproj +++ b/build.vc19/nfsd/nfsd.vcxproj @@ -172,6 +172,7 @@ </Link> </ItemDefinitionGroup> <ItemGroup> + <ClCompile Include="..\..\daemon\accesstoken.c" /> <ClCompile Include="..\..\daemon\acl.c" /> <ClCompile Include="..\..\daemon\callback_server.c" /> <ClCompile Include="..\..\daemon\callback_xdr.c" /> @@ -213,6 +214,7 @@ <ClCompile Include="..\..\daemon\volume.c" /> </ItemGroup> <ItemGroup> + <ClInclude Include="..\..\daemon\accesstoken.h" /> <ClInclude Include="..\..\daemon\cpvparser1.h" /> <ClInclude Include="..\..\daemon\daemon_debug.h" /> <ClInclude Include="..\..\daemon\delegation.h" /> diff --git a/daemon/accesstoken.c b/daemon/accesstoken.c new file mode 100644 index 0000000..a164b4e --- /dev/null +++ b/daemon/accesstoken.c @@ -0,0 +1,185 @@ +/* + * NFSv4.1 client for Windows + * Copyright (C) 2024 Roland Mainz <roland.mainz@nrubsig.org> + * + * Roland Mainz <roland.mainz@nrubsig.org> + * + * This library is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at + * your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * without any warranty; without even the implied warranty of merchantability + * or fitness for a particular purpose. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA + */ + +#include "accesstoken.h" +#include "daemon_debug.h" +#include <Lmcons.h> + +/* + * Performance hack: + * GETTOKINFO_EXTRA_BUFFER - extra space for more data + * |GetTokenInformation()| for |TOKEN_USER| and |TOKEN_PRIMARY_GROUP| + * always fails in Win10 with |ERROR_INSUFFICIENT_BUFFER| if you + * just pass the |sizeof(TOKEN_*)| value. Instead of calling + * |GetTokenInformation()| with |NULL| arg to obtain the size to + * allocate we just provide 2048 bytes of extra space after the + * |TOKEN_*| size, and pray it is enough + */ +#define GETTOKINFO_EXTRA_BUFFER (2048) + +bool get_token_user_name(HANDLE tok, char *out_buffer) +{ + DWORD tokdatalen; + PTOKEN_USER ptuser; + PSID pusid; + DWORD namesize = UNLEN+1; + char domainbuffer[UNLEN+1]; + DWORD domainbuffer_size = sizeof(domainbuffer); + SID_NAME_USE name_use; + + tokdatalen = sizeof(TOKEN_USER)+GETTOKINFO_EXTRA_BUFFER; + ptuser = _alloca(tokdatalen); + if (!GetTokenInformation(tok, TokenUser, ptuser, + tokdatalen, &tokdatalen)) { + eprintf("get_token_username: " + "GetTokenInformation(tok=0x%p, TokenUser) failed, " + "status=%d\n", + (void *)tok, (int)GetLastError()); + return false; + } + + pusid = ptuser->User.Sid; + +#ifdef NFS41_DRIVER_SID_CACHE + if (sidcache_getcached_bysid(&user_sidcache, pusid, out_buffer)) { + return true; + } +#endif /* NFS41_DRIVER_SID_CACHE */ + + if (!LookupAccountSidA(NULL, pusid, out_buffer, &namesize, + domainbuffer, &domainbuffer_size, &name_use)) { + eprintf("get_token_user_name: " + "LookupAccountSidA() failed, status=%d\n", + (int)GetLastError()); + return false; + } + +#ifdef NFS41_DRIVER_SID_CACHE + sidcache_add(&user_sidcache, out_buffer, pusid); +#endif /* NFS41_DRIVER_SID_CACHE */ + + return true; +} + +bool get_token_primarygroup_name(HANDLE tok, char *out_buffer) +{ + DWORD tokdatalen; + PTOKEN_PRIMARY_GROUP ptpgroup; + PSID pgsid; + DWORD namesize = GNLEN+1; + char domainbuffer[UNLEN+1]; + DWORD domainbuffer_size = sizeof(domainbuffer); + SID_NAME_USE name_use; + + tokdatalen = sizeof(TOKEN_PRIMARY_GROUP)+GETTOKINFO_EXTRA_BUFFER; + ptpgroup = _alloca(tokdatalen); + if (!GetTokenInformation(tok, TokenPrimaryGroup, ptpgroup, + tokdatalen, &tokdatalen)) { + eprintf("get_token_primarygroup_name: " + "GetTokenInformation(tok=0x%p, TokenPrimaryGroup) failed, " + "status=%d\n", + (void *)tok, (int)GetLastError()); + return false; + } + + pgsid = ptpgroup->PrimaryGroup; + +#ifdef NFS41_DRIVER_SID_CACHE + if (sidcache_getcached_bysid(&group_sidcache, pgsid, out_buffer)) { + return true; + } +#endif /* NFS41_DRIVER_SID_CACHE */ + + if (!LookupAccountSidA(NULL, pgsid, out_buffer, &namesize, + domainbuffer, &domainbuffer_size, &name_use)) { + eprintf("get_token_primarygroup_name: " + "LookupAccountSidA() failed, status=%d\n", + (int)GetLastError()); + return false; + } + +#ifdef NFS41_DRIVER_SID_CACHE + sidcache_add(&group_sidcache, out_buffer, pgsid); +#endif /* NFS41_DRIVER_SID_CACHE */ + + return true; +} + +bool get_token_authenticationid(HANDLE tok, LUID *out_authenticationid) +{ + DWORD tokdatalen; + PTOKEN_GROUPS_AND_PRIVILEGES ptgp; + + tokdatalen = sizeof(TOKEN_GROUPS_AND_PRIVILEGES)+GETTOKINFO_EXTRA_BUFFER; + ptgp = _alloca(tokdatalen); + if (!GetTokenInformation(tok, TokenGroupsAndPrivileges, ptgp, + tokdatalen, &tokdatalen)) { + eprintf("get_token_authenticationid: " + "GetTokenInformation(tok=0x%p, TokenGroupsAndPrivileges) failed, " + "status=%d\n", + (void *)tok, (int)GetLastError()); + return false; + } + + *out_authenticationid = ptgp->AuthenticationId; + + return true; +} + +bool set_token_privilege(HANDLE tok, const char *seprivname, bool enable_priv) +{ + TOKEN_PRIVILEGES tp; + LUID luid; + bool res; + + if(!LookupPrivilegeValueA(NULL, seprivname, &luid)) { + DPRINTF(1, ("set_token_privilege: " + "LookupPrivilegeValue(seprivname='%s') failed, " + "status=%d\n", + seprivname, + (int)GetLastError())); + res = false; + goto out; + } + + tp.PrivilegeCount = 1; + tp.Privileges[0].Luid = luid; + tp.Privileges[0].Attributes = enable_priv?(SE_PRIVILEGE_ENABLED):0; + + if(!AdjustTokenPrivileges(tok, + FALSE, &tp, sizeof(TOKEN_PRIVILEGES), + NULL, NULL)) { + DPRINTF(1, ("set_token_privilege: " + "AdjustTokenPrivileges() for '%s' failed, status=%d\n", + seprivname, + (int)GetLastError())); + res = false; + goto out; + } + + res = true; +out: + DPRINTF(0, + ("set_token_privilege(seprivname='%s',enable_priv=%d), res=%d\n", + seprivname, (int)enable_priv, (int)res)); + + return res; +} diff --git a/daemon/accesstoken.h b/daemon/accesstoken.h new file mode 100644 index 0000000..67f49cd --- /dev/null +++ b/daemon/accesstoken.h @@ -0,0 +1,33 @@ +/* + * NFSv4.1 client for Windows + * Copyright (C) 2024 Roland Mainz <roland.mainz@nrubsig.org> + * + * Roland Mainz <roland.mainz@nrubsig.org> + * + * This library is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2.1 of the License, or (at + * your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * without any warranty; without even the implied warranty of merchantability + * or fitness for a particular purpose. See the GNU Lesser General Public + * License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA + */ + +#ifndef __NFS41_DAEMON_ACCESSTOKEN_H__ +#define __NFS41_DAEMON_ACCESSTOKEN_H__ 1 + +#include <Windows.h> +#include <stdbool.h> + +bool get_token_user_name(HANDLE tok, char *out_buffer); +bool get_token_primarygroup_name(HANDLE tok, char *out_buffer); +bool get_token_authenticationid(HANDLE tok, LUID *out_authenticationid); +bool set_token_privilege(HANDLE tok, const char *seprivname, bool enable_priv); + +#endif /* !__NFS41_DAEMON_ACCESSTOKEN_H__ */ diff --git a/daemon/daemon_debug.c b/daemon/daemon_debug.c index df9620a..05e0c0a 100644 --- a/daemon/daemon_debug.c +++ b/daemon/daemon_debug.c @@ -32,6 +32,7 @@ #include "service.h" #include "rpc/rpc.h" #include "rpc/auth_sspi.h" +#include "accesstoken.h" extern int g_debug_level = DEFAULT_DEBUG_LEVEL; diff --git a/daemon/nfs41_client.c b/daemon/nfs41_client.c index 8b16cf4..8df4390 100644 --- a/daemon/nfs41_client.c +++ b/daemon/nfs41_client.c @@ -31,6 +31,7 @@ #include "delegation.h" #include "daemon_debug.h" #include "nfs41_ops.h" +#include "accesstoken.h" uint32_t nfs41_exchange_id_flags( diff --git a/daemon/nfs41_daemon.c b/daemon/nfs41_daemon.c index 4797b00..3456c08 100644 --- a/daemon/nfs41_daemon.c +++ b/daemon/nfs41_daemon.c @@ -40,6 +40,7 @@ #include "daemon_debug.h" #include "upcall.h" #include "sid.h" +#include "accesstoken.h" #include "util.h" /* nfs41_dg.num_worker_threads sets the actual number of worker threads */ diff --git a/daemon/open.c b/daemon/open.c index ccfda2f..dfaf17f 100644 --- a/daemon/open.c +++ b/daemon/open.c @@ -34,6 +34,7 @@ #include "upcall.h" #include "util.h" #include "idmap.h" +#include "accesstoken.h" static int create_open_state( IN const char *path, diff --git a/daemon/util.c b/daemon/util.c index c4e0dd7..c764303 100644 --- a/daemon/util.c +++ b/daemon/util.c @@ -25,7 +25,6 @@ #include <stdio.h> #include <stdlib.h> #include <wincrypt.h> /* for Crypt*() functions */ -#include <Lmcons.h> #include "daemon_debug.h" #include "util.h" @@ -741,164 +740,3 @@ bool getwinntversionnnumbers( return false; #endif /* _WIN64 */ } - -/* - * Performance hack: - * GETTOKINFO_EXTRA_BUFFER - extra space for more data - * |GetTokenInformation()| for |TOKEN_USER| and |TOKEN_PRIMARY_GROUP| - * always fails in Win10 with |ERROR_INSUFFICIENT_BUFFER| if you - * just pass the |sizeof(TOKEN_*)| value. Instead of calling - * |GetTokenInformation()| with |NULL| arg to obtain the size to - * allocate we just provide 2048 bytes of extra space after the - * |TOKEN_*| size, and pray it is enough - */ -#define GETTOKINFO_EXTRA_BUFFER (2048) - -bool get_token_user_name(HANDLE tok, char *out_buffer) -{ - DWORD tokdatalen; - PTOKEN_USER ptuser; - PSID pusid; - DWORD namesize = UNLEN+1; - char domainbuffer[UNLEN+1]; - DWORD domainbuffer_size = sizeof(domainbuffer); - SID_NAME_USE name_use; - - tokdatalen = sizeof(TOKEN_USER)+GETTOKINFO_EXTRA_BUFFER; - ptuser = _alloca(tokdatalen); - if (!GetTokenInformation(tok, TokenUser, ptuser, - tokdatalen, &tokdatalen)) { - eprintf("get_token_username: " - "GetTokenInformation(tok=0x%p, TokenUser) failed, " - "status=%d\n", - (void *)tok, (int)GetLastError()); - return false; - } - - pusid = ptuser->User.Sid; - -#ifdef NFS41_DRIVER_SID_CACHE - if (sidcache_getcached_bysid(&user_sidcache, pusid, out_buffer)) { - return true; - } -#endif /* NFS41_DRIVER_SID_CACHE */ - - if (!LookupAccountSidA(NULL, pusid, out_buffer, &namesize, - domainbuffer, &domainbuffer_size, &name_use)) { - eprintf("get_token_user_name: " - "LookupAccountSidA() failed, status=%d\n", - (int)GetLastError()); - return false; - } - -#ifdef NFS41_DRIVER_SID_CACHE - sidcache_add(&user_sidcache, out_buffer, pusid); -#endif /* NFS41_DRIVER_SID_CACHE */ - - return true; -} - -bool get_token_primarygroup_name(HANDLE tok, char *out_buffer) -{ - DWORD tokdatalen; - PTOKEN_PRIMARY_GROUP ptpgroup; - PSID pgsid; - DWORD namesize = GNLEN+1; - char domainbuffer[UNLEN+1]; - DWORD domainbuffer_size = sizeof(domainbuffer); - SID_NAME_USE name_use; - - tokdatalen = sizeof(TOKEN_PRIMARY_GROUP)+GETTOKINFO_EXTRA_BUFFER; - ptpgroup = _alloca(tokdatalen); - if (!GetTokenInformation(tok, TokenPrimaryGroup, ptpgroup, - tokdatalen, &tokdatalen)) { - eprintf("get_token_primarygroup_name: " - "GetTokenInformation(tok=0x%p, TokenPrimaryGroup) failed, " - "status=%d\n", - (void *)tok, (int)GetLastError()); - return false; - } - - pgsid = ptpgroup->PrimaryGroup; - -#ifdef NFS41_DRIVER_SID_CACHE - if (sidcache_getcached_bysid(&group_sidcache, pgsid, out_buffer)) { - return true; - } -#endif /* NFS41_DRIVER_SID_CACHE */ - - if (!LookupAccountSidA(NULL, pgsid, out_buffer, &namesize, - domainbuffer, &domainbuffer_size, &name_use)) { - eprintf("get_token_primarygroup_name: " - "LookupAccountSidA() failed, status=%d\n", - (int)GetLastError()); - return false; - } - -#ifdef NFS41_DRIVER_SID_CACHE - sidcache_add(&group_sidcache, out_buffer, pgsid); -#endif /* NFS41_DRIVER_SID_CACHE */ - - return true; -} - -bool get_token_authenticationid(HANDLE tok, LUID *out_authenticationid) -{ - DWORD tokdatalen; - PTOKEN_GROUPS_AND_PRIVILEGES ptgp; - - tokdatalen = sizeof(TOKEN_GROUPS_AND_PRIVILEGES)+GETTOKINFO_EXTRA_BUFFER; - ptgp = _alloca(tokdatalen); - if (!GetTokenInformation(tok, TokenGroupsAndPrivileges, ptgp, - tokdatalen, &tokdatalen)) { - eprintf("get_token_authenticationid: " - "GetTokenInformation(tok=0x%p, TokenGroupsAndPrivileges) failed, " - "status=%d\n", - (void *)tok, (int)GetLastError()); - return false; - } - - *out_authenticationid = ptgp->AuthenticationId; - - return true; -} - -bool set_token_privilege(HANDLE tok, const char *seprivname, bool enable_priv) -{ - TOKEN_PRIVILEGES tp; - LUID luid; - bool res; - - if(!LookupPrivilegeValueA(NULL, seprivname, &luid)) { - DPRINTF(1, ("set_token_privilege: " - "LookupPrivilegeValue(seprivname='%s') failed, " - "status=%d\n", - seprivname, - (int)GetLastError())); - res = false; - goto out; - } - - tp.PrivilegeCount = 1; - tp.Privileges[0].Luid = luid; - tp.Privileges[0].Attributes = enable_priv?(SE_PRIVILEGE_ENABLED):0; - - if(!AdjustTokenPrivileges(tok, - FALSE, &tp, sizeof(TOKEN_PRIVILEGES), - NULL, NULL)) { - DPRINTF(1, ("set_token_privilege: " - "AdjustTokenPrivileges() for '%s' failed, status=%d\n", - seprivname, - (int)GetLastError())); - res = false; - goto out; - } - - res = true; -out: - DPRINTF(0, - ("set_token_privilege(seprivname='%s',enable_priv=%d), res=%d\n", - seprivname, (int)enable_priv, (int)res)); - - return res; -} diff --git a/daemon/util.h b/daemon/util.h index 20922a3..7f7d585 100644 --- a/daemon/util.h +++ b/daemon/util.h @@ -304,10 +304,4 @@ bool_t waitcriticalsection(LPCRITICAL_SECTION cs); bool getwinntversionnnumbers(DWORD *MajorVersionPtr, DWORD *MinorVersionPtr, DWORD *BuildNumberPtr); -bool get_token_user_name(HANDLE tok, char *out_buffer); -bool get_token_primarygroup_name(HANDLE tok, char *out_buffer); -bool get_token_authenticationid(HANDLE tok, LUID *out_authenticationid); -bool set_token_privilege(HANDLE tok, const char *seprivname, bool enable_priv); - - #endif /* !__NFS41_DAEMON_UTIL_H__ */ -- 2.45.1 From c8a9b25ed433e8947dc938bbf6a48d6f949fe127 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Tue, 11 Jun 2024 17:46:50 +0200 Subject: [PATCH 5/5] build.vc19: Add Visual Studio 19 Installer install configuration Add Visual Studio 19 Installer install configuration, so users can replicate the exact build configuration. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- build.vc19/ms-nfs41-client.vsconfig | 57 +++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100755 build.vc19/ms-nfs41-client.vsconfig diff --git a/build.vc19/ms-nfs41-client.vsconfig b/build.vc19/ms-nfs41-client.vsconfig new file mode 100755 index 0000000..f11cd52 --- /dev/null +++ b/build.vc19/ms-nfs41-client.vsconfig @@ -0,0 +1,57 @@ +{ + "version": "1.0", + "components": [ + "Microsoft.VisualStudio.Component.CoreEditor", + "Microsoft.VisualStudio.Workload.CoreEditor", + "Microsoft.VisualStudio.Component.NuGet", + "Microsoft.Net.Component.4.6.1.TargetingPack", + "Microsoft.VisualStudio.Component.Roslyn.Compiler", + "Microsoft.VisualStudio.Component.Roslyn.LanguageServices", + "Microsoft.VisualStudio.ComponentGroup.WebToolsExtensions", + "Microsoft.Net.Component.4.8.SDK", + "Microsoft.VisualStudio.Component.TypeScript.4.3", + "Microsoft.VisualStudio.Component.JavaScript.TypeScript", + "Microsoft.Component.MSBuild", + "Microsoft.VisualStudio.Component.TextTemplating", + "Microsoft.VisualStudio.Component.Debugger.JustInTime", + "Component.Microsoft.VisualStudio.LiveShare", + "Microsoft.VisualStudio.Component.IntelliCode", + "Microsoft.VisualStudio.Component.VC.CoreIde", + "Microsoft.VisualStudio.Component.VC.Tools.x86.x64", + "Microsoft.VisualStudio.Component.Graphics.Tools", + "Microsoft.VisualStudio.Component.VC.DiagnosticTools", + "Microsoft.VisualStudio.Component.Windows10SDK.19041", + "Microsoft.VisualStudio.Component.VC.Redist.14.Latest", + "Microsoft.VisualStudio.ComponentGroup.NativeDesktop.Core", + "Microsoft.VisualStudio.Component.VC.Tools.ARM64", + "Microsoft.VisualStudio.ComponentGroup.WebToolsExtensions.CMake", + "Microsoft.VisualStudio.Component.VC.CMake.Project", + "Microsoft.VisualStudio.Component.VC.ATL", + "Microsoft.VisualStudio.Component.VC.TestAdapterForBoostTest", + "Microsoft.VisualStudio.Component.VC.TestAdapterForGoogleTest", + "Microsoft.VisualStudio.Component.VC.ATLMFC", + "Microsoft.VisualStudio.Component.VC.CLI.Support", + "Microsoft.VisualStudio.Component.VC.ASAN", + "Microsoft.VisualStudio.Component.VC.Modules.x86.x64", + "Microsoft.VisualStudio.Component.VC.Llvm.ClangToolset", + "Microsoft.VisualStudio.Component.VC.Llvm.Clang", + "Microsoft.VisualStudio.ComponentGroup.NativeDesktop.Llvm.Clang", + "Microsoft.VisualStudio.Component.Windows10SDK.18362", + "Microsoft.Component.VC.Runtime.UCRTSDK", + "Microsoft.VisualStudio.Workload.NativeDesktop", + "Microsoft.VisualStudio.Component.VC.Tools.ARM64EC", + "Microsoft.VisualStudio.Component.VC.Tools.ARM", + "Microsoft.VisualStudio.Component.Git", + "Microsoft.VisualStudio.Component.VC.Runtimes.ARM.Spectre", + "Microsoft.VisualStudio.Component.VC.Runtimes.ARM64.Spectre", + "Microsoft.VisualStudio.Component.VC.Runtimes.ARM64EC.Spectre", + "Microsoft.VisualStudio.Component.VC.Runtimes.x86.x64.Spectre", + "Microsoft.VisualStudio.Component.VC.ATL.ARM", + "Microsoft.VisualStudio.Component.VC.ATL.ARM64", + "Microsoft.VisualStudio.Component.VC.ATL.ARM64EC", + "Microsoft.VisualStudio.Component.VC.MFC.ARM", + "Microsoft.VisualStudio.Component.VC.MFC.ARM64", + "Microsoft.VisualStudio.Component.VC.MFC.ARM64EC", + "Microsoft.VisualStudio.Component.Windows10SDK.20348" + ] +} \ No newline at end of file -- 2.45.1

Title:

Privacy: Public Private

How long should your post be retained?

15 mins an hour a day a week a month forever

All content is user-submitted.
The administrators of this site (kpaste.net) are not responsible for their content.
Abuse reports should be emailed to us at