msnfs41client: SetupExeNotStarting, SysUserAPCLoop, WinSGRefix+misc, 2024-05-27
Posted by Anonymous on Mon 27th May 2024 16:13
raw | new post

From feff77f103c9cf51ff08be404c3a49cd0ccf2659 Mon Sep 17 00:00:00 2001
From: Roland Mainz <roland.mainz@nrubsig.org>
Date: Mon, 27 May 2024 11:31:29 +0200
Subject: [PATCH 1/4] cygwin,tests: Add newgrp(1)/sg(1)-style "winsg" util to
 switch primary group [refix]

Add missing Makefile for "winsg" utility

Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
---
 tests/winsg/Makefile | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 tests/winsg/Makefile

diff --git a/tests/winsg/Makefile b/tests/winsg/Makefile
new file mode 100644
index 0000000..19f96db
--- /dev/null
+++ b/tests/winsg/Makefile
@@ -0,0 +1,23 @@
+#
+# Makefile for winsg
+#
+
+# POSIX Makefile
+
+all: winsg.i686.exe winsg.x86_64.exe winsg.exe
+
+winsg.i686.exe: winsg.c
+       clang -target i686-pc-windows-gnu -Wall -DUNICODE=1 -D_UNICODE=1 -g winsg.c -o winsg.i686.exe
+
+winsg.x86_64.exe: winsg.c
+       clang -target x86_64-pc-windows-gnu -Wall -DUNICODE=1 -D_UNICODE=1 -g winsg.c -o winsg.x86_64.exe
+
+winsg.exe: winsg.x86_64.exe
+       ln -s winsg.x86_64.exe winsg.exe
+
+clean:
+       rm -fv \
+               winsg.i686.exe \
+               winsg.x86_64.exe \
+               winsg.exe \
+# EOF.
--
2.43.0

From 4e8f4e6892691682d795f11d6e423dc9c7589cd0 Mon Sep 17 00:00:00 2001
From: Roland Mainz <roland.mainz@nrubsig.org>
Date: Mon, 27 May 2024 15:31:46 +0200
Subject: [PATCH 2/4] sys,tests: Cannot run Cygwin setup.exe on NFSv4.1 share

Fix the problem that Cygwin setup.exe could not start from
a NFSv4.1 share.

|SeCreateClientSecurityFromSubjectContext()| had |ServerIsRemote|
set to |TRUE|, which caused "Activation Context" creation to fail
in our driver code in |SeCreateClientSecurityFromSubjectContext()|
with |STATUS_BAD_IMPERSONATION_LEVEL|, as Cygwin setup.exe
does some impersonation stunts itself.

The fix switches |ServerIsRemote=FALSE| + we add
a testcase entry to tests/manual_testing.txt

Reported-by: Martin Wege <martin.l.wege@gmail.com>
Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
---
 sys/nfs41_driver.c       | 30 ++++++++++++++++++++++++++----
 tests/manual_testing.txt |  8 ++++++++
 2 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c
index 57dac0a..2f512c2 100644
--- a/sys/nfs41_driver.c
+++ b/sys/nfs41_driver.c
@@ -1545,8 +1545,15 @@ NTSTATUS nfs41_UpcallCreate(
         sec_qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
         sec_qos.EffectiveOnly = 0;
         entry->psec_ctx = &entry->sec_ctx;
+        /*
+         * Arg |ServerIsRemote| must be |FALSE|, otherwise processes
+         * like Cygwin setup-x86_64.exe can fail during "Activation
+         * Context" creation in
+         * |SeCreateClientSecurityFromSubjectContext()| with
+         * |STATUS_BAD_IMPERSONATION_LEVEL|
+         */
         status = SeCreateClientSecurityFromSubjectContext(&sec_ctx, &sec_qos,
-                    1, entry->psec_ctx);
+                    FALSE, entry->psec_ctx);
         if (status != STATUS_SUCCESS) {
             print_error("nfs41_UpcallCreate: "
                 "SeCreateClientSecurityFromSubjectContext failed with %x\n",
@@ -3045,8 +3052,15 @@ NTSTATUS nfs41_GetLUID(
     sec_qos.ImpersonationLevel = SecurityIdentification;
     sec_qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
     sec_qos.EffectiveOnly = 0;
-    status = SeCreateClientSecurityFromSubjectContext(&sec_ctx, &sec_qos, 1,
-                &clnt_sec_ctx);
+    /*
+     * Arg |ServerIsRemote| must be |FALSE|, otherwise processes
+     * like Cygwin setup-x86_64.exe can fail during "Activation
+     * Context" creation in
+     * |SeCreateClientSecurityFromSubjectContext()| with
+     * |STATUS_BAD_IMPERSONATION_LEVEL|
+     */
+    status = SeCreateClientSecurityFromSubjectContext(&sec_ctx, &sec_qos,
+        FALSE, &clnt_sec_ctx);
     if (status) {
         print_error("nfs41_GetLUID: SeCreateClientSecurityFromSubjectContext "
              "failed %x\n", status);
@@ -3078,7 +3092,15 @@ NTSTATUS nfs41_get_sec_ctx(
     sec_qos.ImpersonationLevel = level;
     sec_qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
     sec_qos.EffectiveOnly = 0;
-    status = SeCreateClientSecurityFromSubjectContext(&ctx, &sec_qos, 1, out_ctx);
+    /*
+     * Arg |ServerIsRemote| must be |FALSE|, otherwise processes
+     * like Cygwin setup-x86_64.exe can fail during "Activation
+     * Context" creation in
+     * |SeCreateClientSecurityFromSubjectContext()| with
+     * |STATUS_BAD_IMPERSONATION_LEVEL|
+     */
+    status = SeCreateClientSecurityFromSubjectContext(&ctx, &sec_qos,
+        FALSE, out_ctx);
     if (status != STATUS_SUCCESS) {
         print_error("SeCreateClientSecurityFromSubjectContext "
             "failed with %x\n", status);
diff --git a/tests/manual_testing.txt b/tests/manual_testing.txt
index 50029e0..7ce7c2f 100644
--- a/tests/manual_testing.txt
+++ b/tests/manual_testing.txt
@@ -271,4 +271,12 @@ autoreconf
 make -j8 all


+#
+# Run Cygwin installer from NFSv4.1 share
+#
+wget 'https://www.cygwin.com/setup-x86_64.exe'
+chmod a+rx setup-x86_64.exe
+# check whether this will open the Cygwin installer window
+./setup-x86_64 --no-admin
+
 # EOF.
--
2.43.0

From 5ef218798d5fc376e5d56a764e949127f15c464b Mon Sep 17 00:00:00 2001
From: Roland Mainz <roland.mainz@nrubsig.org>
Date: Mon, 27 May 2024 15:44:31 +0200
Subject: [PATCH 3/4] sys: Endless loop in |nfs41_UpcallWaitForReply()| with
 |STATUS_USER_APC|

Fix an endless loop in |nfs41_UpcallWaitForReply()| where
|KeWaitForSingleObject()| is always interrupted with |STATUS_USER_APC|.
This happens if cygwin1.dll and the binary which uses it is on
an NFSv4.1 share.

Reported-by: Martin Wege <martin.l.wege@gmail.com>
Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
---
 sys/nfs41_driver.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/nfs41_driver.c b/sys/nfs41_driver.c
index 2f512c2..d05025c 100644
--- a/sys/nfs41_driver.c
+++ b/sys/nfs41_driver.c
@@ -1612,7 +1612,7 @@ NTSTATUS nfs41_UpcallWaitForReply(
     timeout.QuadPart = RELATIVE(SECONDS(secs));
 retry_wait:
     status = KeWaitForSingleObject(&entry->cond, Executive,
-                UserMode, TRUE, &timeout);
+                UserMode, FALSE, &timeout);

     if (status == STATUS_TIMEOUT)
             status = STATUS_NETWORK_UNREACHABLE;
--
2.43.0

From ff9933cbdd530829d0e894823135faf6a3d54faa Mon Sep 17 00:00:00 2001
From: Roland Mainz <roland.mainz@nrubsig.org>
Date: Mon, 27 May 2024 15:52:26 +0200
Subject: [PATCH 4/4] cygwin: Fixup permissions for binaries in /bin too

Fixup permissions (chmod a+rx *.exe) for binaries in /bin too

Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com>
---
 cygwin/Makefile.install | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cygwin/Makefile.install b/cygwin/Makefile.install
index aa0e9df..5aa2cc1 100644
--- a/cygwin/Makefile.install
+++ b/cygwin/Makefile.install
@@ -92,6 +92,7 @@ installdest:
                cp '/cygdrive/c/Program Files (x86)/Windows Kits/10/bin/x86/ucrt/ucrtbased.dll' $(DESTDIR)/$(CYGWIN_BASEPATH)/sbin/. ; \
        fi
        @ printf "# Set file flags\n"
+       (cd $(DESTDIR)/$(CYGWIN_BASEPATH)/bin/ && chmod a+rx *.exe)
        (cd $(DESTDIR)/$(CYGWIN_BASEPATH)/sbin/ && chmod a+rx *.exe *.dll)
        (cd $(DESTDIR)/$(CYGWIN_BASEPATH)/lib/msnfs41client/ && chmod a+rx *.dll)
        @printf "\n#\n# TEST sbin dir is %s\n#\n" "$(DESTDIR)/$(CYGWIN_BASEPATH)/sbin/"
--
2.43.0