diff --git a/msys2-runtime/0048-Cygwin-do-retrieve-AzureAD-users-information-again.patch b/msys2-runtime/0048-Cygwin-do-retrieve-AzureAD-users-information-again.patch
new file mode 100644
index 00000000000..dc43e067b53
--- /dev/null
+++ b/msys2-runtime/0048-Cygwin-do-retrieve-AzureAD-users-information-again.patch
@@ -0,0 +1,73 @@
+From 1a222c8a01c2981a9343611c0d3a6afdff55d87b Mon Sep 17 00:00:00 2001
+From: Johannes Schindelin
+Date: Tue, 3 Jun 2025 08:53:57 +0200
+Subject: [PATCH 48/N] Cygwin: do retrieve AzureAD users' information again
+
+In 48e7d63268 (Cygwin: fetch_account_from_windows: skip LookupAccountSid
+for SIDs known to fail, 2025-04-10), several SIDs acquired a shortcut
+where a potentially expensive `LookupAccountSid()` call is avoided for
+SIDs that "cannot be resolved".
+
+However, as reported by Robert Fensterman (and independently discovered
+by myself), some of the SIDs that received this special shortcut _do_
+get resolved by `LookupAccountSid()` calls: AzureAD users' SIDs.
+
+With those SIDs, that newly-introduced shortcut actually does more harm
+than good because there is no other way to retrieve the desired
+information, resulting in permission problems.
+
+One symptom of this is that `mintty` can no longer access `/dev/ptmx`
+and simply errors out with "Error: Could not fork child process: There
+are no available terminals (-1)".
+
+Another symptom is that `tmux` is no longer able to create new sessions.
+Yet another symptom is new files are unintentionally written with
+restricted permissions (copying an `.exe` file, for example, disallows
+the copied version to be executed).
+
+The most likely reason why AzureAD SIDs were included in above-mentioned
+commit is that special AzureAD _group_ SIDs are not recognized by
+`LookupAccountSid()`, as per the code comment for the `azure_grp_sid`
+variable. It is plausible that this fact was mistaken to extend to all
+AzureAD SIDs, a notion disproved by the counter example of my personal
+experience with my own AzureAD user account. Unfortunately, the only way
+to find out whether `LookupAccountSid()` works with a given AzureAD SID
+or not is to call that function.
+
+To make regular AzureAD user accounts work again, let's just drop the
+AzureAD part from that special shortcut.
+
+My understanding of the other SIDs handled by that shortcut (Capability
+SIDs, IIS APPPOOL and Samba user/group SIDs) is insufficient to
+determine whether they, too, can be resolved by `LookupAccountSid()` in
+some cases (and would therefore equally need to be excluded from that
+shortcut). At least as far as the Capability SIDs go, I am rather
+confident from reading the context (the commit's message, as well as the
+report that led to that commit) that the shortcut is safe, and I could
+imagine that the same is true for IIS APPPOOL and Samba SIDs. Absent any
+further insight, I therefore decided to leave the rest of 48e7d63268
+(Cygwin: fetch_account_from_windows: skip LookupAccountSid for SIDs
+known to fail, 2025-04-10) intact.
+
+Reported-by: Robert Fensterman
+Fixes: 48e7d63268 (Cygwin: fetch_account_from_windows: skip LookupAccountSid for SIDs known to fail, 2025-04-10)
+Signed-off-by: Johannes Schindelin
+---
+ winsup/cygwin/uinfo.cc | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
+index 7c2581d..4323cb1 100644
+--- a/winsup/cygwin/uinfo.cc
++++ b/winsup/cygwin/uinfo.cc
+@@ -1996,10 +1996,6 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t &arg, cyg_ldap *pldap)
+ if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
+ && sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
+ break;
+- /* AzureAD SIDs */
+- if (sid_id_auth (sid) == 12 /* AzureAD ID */
+- && sid_sub_auth (sid, 0) == 1 /* Azure ID base RID */)
+- break;
+ /* Samba user/group SIDs */
+ if (sid_id_auth (sid) == 22)
+ break;
diff --git a/msys2-runtime/PKGBUILD b/msys2-runtime/PKGBUILD
index 23d1b2bf898..2d42fcffd53 100644
--- a/msys2-runtime/PKGBUILD
+++ b/msys2-runtime/PKGBUILD
@@ -4,7 +4,7 @@
 pkgbase=msys2-runtime
 pkgname=('msys2-runtime' 'msys2-runtime-devel')
 pkgver=3.6.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Cygwin POSIX emulation engine"
 arch=('x86_64')
 url="https://www.cygwin.com/"
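Review bot: In the embedded hunk against `winsup/cygwin/uinfo.cc`, the surviving chain of early `break`s in `fetch_account_from_windows` leaves no trace that AzureAD SIDs (authority 12) are intentionally absent, so a later reader who sees only the code could put the shortcut back. A comment between the IIS APPPOOL and Samba checks would keep the reasoning next to the code, for example `/* AzureAD SIDs (authority 12) are deliberately not skipped: user SIDs do resolve via LookupAccountSid(). */`. Per the commit message, an unresolved account surfaces as wrong permissions on newly written files, which makes a silent regression here costly. The AzureAD group SIDs that the message says do not resolve will presumably go through `LookupAccountSid()` again after this change; whether that cost matters cannot be judged from the hunk, and the function body starts and ends outside it.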
@@ -73,9 +73,10 @@ source=('msys2-runtime'::git+https://github.com/cygwin/cygwin#tag=cygwin-${pkgve
 0044-Make-paths-WCS-MBS-conversion-explicit.patch
 0045-Use-MB_CUR_MAX-6-by-default.patch
 0046-Change-the-default-base-address-for-x86_64.patch
- 0047-msys2-runtime-restore-fast-path-for-current-user-pri.patch)
+ 0047-msys2-runtime-restore-fast-path-for-current-user-pri.patch
+ 0048-Cygwin-do-retrieve-AzureAD-users-information-again.patch)
 sha256sums=('9fb4bbcbd498a207e07a0d05161f86efbc60466f10b96c33d0b76194bd40a806'
- '6a03e8f8c5e6f008b9e0cb66de35de68634aa7fbb41b5c09e80b84db87d57dca'
+ 'e94bccf1cafe0717d0a19df35f69bdfe122bcdfcffac47a107c18fb50b4a5911'
 'e4082aff332507d6d5fefa5b7da2fcbbaa8b593ca158dbb1fe026a26b0e09d91'
 '1cd177791994917d0c4df391fdc96993c3275eddd2b5f475532c0f478b2be8eb'
 '81d0f97d558b413c1b6fc592c7c0c7cac0b8f1c650e6fb13c01f4ee25b049fce'
@@ -122,7 +123,8 @@ sha256sums=('9fb4bbcbd498a207e07a0d05161f86efbc60466f10b96c33d0b76194bd40a806' '18ee1eaa6ee1877536672fb02fc1a102b9cbbb65f5238b532c18ad4ea9b8910b' '8507ce68f7c29cacf89994e08eb89e66d2907a65ce7793cd8019e01a2705e425' 'bbdd536345d096ee80191d936c1638baa9bb2d76f6118d0cf34e63cee8eb5dde' - 'da5ae57f1603ae3e08f27cc68da690f68dbb44f2f84f9bbc7e4a6d2456832348') + 'da5ae57f1603ae3e08f27cc68da690f68dbb44f2f84f9bbc7e4a6d2456832348' + '53d30f6e2a3fabfaf6dd928c5e1d4c37311410fce33146969365f9c36b0e1bad') # Helper macros to help make tasks easier # apply_patch_with_msg() {
@@ -223,7 +225,8 @@ prepare() { 0044-Make-paths-WCS-MBS-conversion-explicit.patch \ 0045-Use-MB_CUR_MAX-6-by-default.patch \ 0046-Change-the-default-base-address-for-x86_64.patch \ - 0047-msys2-runtime-restore-fast-path-for-current-user-pri.patch + 0047-msys2-runtime-restore-fast-path-for-current-user-pri.patch \ + 0048-Cygwin-do-retrieve-AzureAD-users-information-again.patch } build() {
diff --git a/msys2-runtime/msys2-runtime.commit b/msys2-runtime/msys2-runtime.commit
index cf4b4528ff5..7800bf3e6b0 100644
--- a/msys2-runtime/msys2-runtime.commit
+++ b/msys2-runtime/msys2-runtime.commit
@@ -1 +1 @@
-0b9a01b6b59f03187dcf1b184addc93e8555415c
+ceeecb01e13d0965a8993f04cf756096ba91dc35