[newlib-cygwin/main] Cygwin: fetch_account_from_windows: skip LookupAccountSid for SIDs known to fail

Thu, 10 Apr 2025 03:54:30 -0700 

https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=e04891d67ac77a0b8c1ecb8ce312c5ff8891cc46

commit e04891d67ac77a0b8c1ecb8ce312c5ff8891cc46
Author:     Corinna Vinschen <cori...@vinschen.de>
AuthorDate: Thu Apr 10 11:56:38 2025 +0200
Commit:     Corinna Vinschen <cori...@vinschen.de>
CommitDate: Thu Apr 10 12:04:02 2025 +0200

    Cygwin: fetch_account_from_windows: skip LookupAccountSid for SIDs known to 
fail
    
    LookupAccountSid might take a long time if an SID cannot be resolved.
    While we know some SIDs never resolved by LookupAccountSid, we call it
    anyway and only handle them after it returned with error.
    
    (Partially?) fix this latency problem by skipping the LookupAccountSid
    call for SID groups never resolved anyway.
    
    Reported-by: LluĂ­s Batlle i Rossell <vi...@viric.name>
    Fixes: 1ca20a1cd208 ("Introduce reading passwd/group entries from SAM/AD.")
    Signed-off-by: Corinna Vinschen <cori...@vinschen.de>

Diff:
---
 winsup/cygwin/release/3.6.2 |  6 ++++++
 winsup/cygwin/uinfo.cc      | 21 +++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/winsup/cygwin/release/3.6.2 b/winsup/cygwin/release/3.6.2
new file mode 100644
index 000000000000..aee5e4408150
--- /dev/null
+++ b/winsup/cygwin/release/3.6.2
@@ -0,0 +1,6 @@
+Fixes:
+------
+
+- Fix a high latency problem when trying to fetch SID info for SIDs
+  not resolved by Windows functions anyway.
+  Addresses: https://cygwin.com/pipermail/cygwin/2025-April/257916.html
diff --git a/winsup/cygwin/uinfo.cc b/winsup/cygwin/uinfo.cc
index 27dc2892c859..83883f9f654e 100644
--- a/winsup/cygwin/uinfo.cc
+++ b/winsup/cygwin/uinfo.cc
@@ -1983,6 +1983,27 @@ pwdgrp::fetch_account_from_windows (fetch_user_arg_t 
&arg, cyg_ldap *pldap)
       break;
     case SID_arg:
       sid = *arg.sid;
+
+      /* SIDs we want to filter out before hitting LookupAccountSidW.
+        If the latency of the AD connection is high, LookupAccountSidW
+        might take a long time before returning with ERROR_NONE_MAPPED. */
+
+      /* Capability SIDs, just drop out, we don't handle them */
+      if (sid_id_auth (sid) == 15 /* SECURITY_APP_PACKAGE_AUTHORITY */
+         && sid_sub_auth (sid, 0) == SECURITY_CAPABILITY_BASE_RID)
+       return NULL;
+      /* IIS APPPOOL */
+      if (sid_id_auth (sid) == 5 /* SECURITY_NT_AUTHORITY */
+         && sid_sub_auth (sid, 0) == SECURITY_APPPOOL_ID_BASE_RID)
+       break;
+      /* AzureAD SIDs */
+      if (sid_id_auth (sid) == 12 /* AzureAD ID */
+         && sid_sub_auth (sid, 0) == 1 /* Azure ID base RID */)
+       break;
+      /* Samba user/group SIDs */
+      if (sid_id_auth (sid) == 22)
+       break;
+
       ret = LookupAccountSidW (NULL, sid, name, &nlen, dom, &dlen, &acc_type);
       if (!ret
          && cygheap->dom.member_machine ()

Reply via email to