/* security.h: security declarations

   Copyright 2000, 2001, 2002 Red Hat, Inc.

This file is part of Cygwin.

This software is a copyrighted work licensed under the terms of the
Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
details. */
#include <accctrl.h>

/* RIDs used as the default uid/gid.  Where they are applied is outside
   this header. */
#define DEFAULT_UID DOMAIN_USER_RID_ADMIN
#define DEFAULT_GID DOMAIN_ALIAS_RID_ADMINS

/* Size of the inline SID buffer in cygsid (see cygsid::sbuf).
   NOTE(review): a SID with the maximum 15 sub-authorities occupies
   SECURITY_MAX_SID_SIZE (68) bytes, while 40 bytes holds at most 8
   sub-authorities.  Any CopySid into a buffer of this size has to have
   its result checked, or the callers must guarantee no longer SID is
   ever stored -- confirm which holds. */
#define MAX_SID_LEN 40
/* Upper bound on the size of a DACL holding n access-allowed ACEs whose
   SIDs are at most MAX_SID_LEN bytes: the ACL header plus, per ACE, the
   ACE structure with its SidStart placeholder DWORD replaced by the SID. */
#define MAX_DACL_LEN(n) (sizeof (ACL) \
		  + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))

/* The "no SID" value used by cygsid and as a default argument below. */
#define NO_SID ((PSID)NULL)

/* A SID (security identifier) held in an inline buffer.  `psid' either
   points into `sbuf' or is NO_SID, so the object owns its own storage and
   the pointer returned by the conversion operator is only valid while
   the cygsid lives.
   NOTE(review): there is no user-defined copy constructor.  The implicit
   one copies `psid' as-is, so a copy-constructed cygsid points into the
   *source's* sbuf; assignment (operator=) does copy the SID bytes.  Keep
   that in mind when cygsids are passed or returned by value. */
class cygsid {
  PSID psid;			/* NO_SID or (PSID) sbuf, never anything else. */
  char sbuf[MAX_SID_LEN];	/* Backing store for the SID (40 bytes, see
				   the note at MAX_SID_LEN). */

  /* Set this object from the textual form of a SID.  Defined elsewhere. */
  const PSID getfromstr (const char *nsidstr);
  /* Defined elsewhere; from the parameters it presumably builds a SID from
     an authority and cnt sub-authorities -- confirm against the definition. */
  PSID get_sid (DWORD s, DWORD cnt, DWORD *r);

  /* Copy nsid into sbuf, or reset to NO_SID when nsid is NULL.  Returns
     the new psid.
     NOTE(review): the result of CopySid is not checked.  CopySid fails when
     the source SID does not fit into MAX_SID_LEN bytes, and in that case
     psid is left pointing at sbuf with whatever it held before. */
  inline const PSID assign (const PSID nsid)
  {
    if (!nsid)
      psid = NO_SID;
    else
      {
	psid = (PSID) sbuf;
	CopySid (MAX_SID_LEN, psid, nsid);
      }
    return psid;
  }

public:
  /* Implicit conversion to the raw SID pointer (may be NO_SID). */
  inline operator const PSID () { return psid; }

  /* Every assignment copies the SID bytes into sbuf rather than aliasing
     the source; the string form goes through getfromstr. */
  inline const PSID operator= (cygsid &nsid)
    { return assign (nsid); }
  inline const PSID operator= (const PSID nsid)
    { return assign (nsid); }
  inline const PSID operator= (const char *nsidstr)
    { return getfromstr (nsidstr); }

  /* A default-constructed cygsid points at its own, still unfilled, buffer. */
  inline cygsid () : psid ((PSID) sbuf) {}
  inline cygsid (const PSID nsid) { *this = nsid; }
  inline cygsid (const char *nstrsid) { *this = nstrsid; }

  /* Point psid at sbuf again (e.g. after it was reset to NO_SID or before
     sbuf is filled directly) and return that pointer. */
  inline PSID set () { return psid = (PSID) sbuf; }

  /* Fill this object from a passwd / group entry.  Defined elsewhere. */
  BOOL getfrompw (const struct passwd *pw);
  BOOL getfromgr (const struct __group32 *gr);

  /* Map this SID to a uid (search_grp == FALSE) or gid (TRUE); see the
     two wrappers.  What *type receives is not visible here -- presumably
     the SID_NAME_USE; confirm against the definition. */
  int get_id (BOOL search_grp, int *type = NULL);
  inline int get_uid () { return get_id (FALSE); }
  inline int get_gid () { return get_id (TRUE); }

  /* Textual form of the SID written into nsidstr; the return value may be
     NULL (see debug_print).  No length is passed, so the caller's buffer
     must be large enough for any SID. */
  char *string (char *nsidstr) const;

  /* Equality: two NULL SIDs compare equal, NULL vs. non-NULL unequal,
     otherwise EqualSid decides. */
  inline BOOL operator== (const PSID nsid) const
  {
    if (!psid || !nsid)
      return nsid == psid;
    return EqualSid (psid, nsid);
  }
  inline BOOL operator== (const char *nsidstr) const
  {
    cygsid nsid (nsidstr);
    return *this == nsid;
  }
  inline BOOL operator!= (const PSID nsid) const
    { return !(*this == nsid); }
  inline BOOL operator!= (const char *nsidstr) const
    { return !(*this == nsidstr); }

  /* Log "<prefix> <sid>" (uses the GNU `?:' extension for the defaults). */
  void debug_print (const char *prefix = NULL) const
  {
    char buf[256];		/* string () receives no size; 256 is assumed to
				   hold any SID's textual form -- verify. */
    debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
  }
};

/* Storage origin of a cygsidlist's array: cygsidlist_alloc comes from
   alloc_sids () (and is presumably released with free_sids ()),
   cygsidlist_auto comes from new[] and is released by the destructor;
   cygsidlist_empty also receives new[] storage from the constructor but
   the destructor does not free it (see cygsidlist). */
typedef enum { cygsidlist_empty, cygsidlist_alloc, cygsidlist_auto } cygsidlist_type;
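/* A growable array of cygsid objects.  Ownership of `sids' depends on
   `type' (see cygsidlist_type): only cygsidlist_auto storage is released
   by the destructor; cygsidlist_alloc storage comes from alloc_sids () and
   is released explicitly through free_sids ().
   NOTE(review): there is no user-defined copy constructor or operator=,
   so copying a cygsidlist shares the `sids' pointer between both objects. */
class cygsidlist {
  int maxcount;			/* Capacity of sids[]. */
public:
  int count;			/* Entries in use; kept <= maxcount. */
  cygsid *sids;			/* maxcount elements, the first count valid. */
  cygsidlist_type type;		/* Where sids[] came from / who frees it. */

  /* Create a list with room for m entries, none in use. */
  cygsidlist (cygsidlist_type t, int m)
  {
    type = t;
    count = 0;
    maxcount = m;
    if (t == cygsidlist_alloc)
      sids = alloc_sids (m);
    else
      sids = new cygsid [m];
  }
  ~cygsidlist () { if (type == cygsidlist_auto) delete [] sids; }

  /* Append nsi, doubling the array when it is full.  The growth path uses
     new[]/delete[], so it is only correct for storage obtained from new[]
     ("Only with auto for now").  Returns FALSE if the larger array could
     not be obtained; the list is left unchanged in that case. */
  BOOL add (const PSID nsi) /* Only with auto for now */
  {
    if (count >= maxcount)
      {
	/* A list created with m == 0 would otherwise never grow (0 * 2 == 0)
	   and the store below would run off the end of sids[]. */
	int newmax = maxcount > 0 ? 2 * maxcount : 1;
	cygsid *tmp = new cygsid [newmax];
	if (!tmp)
	  return FALSE;
	maxcount = newmax;
	for (int i = 0; i < count; ++i)
	  tmp[i] = sids[i];	/* operator= copies the SID bytes. */
	delete [] sids;
	sids = tmp;
      }
    sids[count++] = nsi;
    return TRUE;
  }
  BOOL add (cygsid &nsi) { return add ((PSID) nsi); }
  BOOL add (const char *sidstr)
    { cygsid nsi (sidstr); return add (nsi); }
  /* Fill the next free slot from a group entry.  This path never grows the
     array, so it refuses (FALSE) once count reaches maxcount instead of
     writing past the end of sids[]. */
  BOOL addfromgr (struct __group32 *gr) /* Only with alloc */
  {
    if (count >= maxcount)
      return FALSE;
    return sids[count++].getfromgr (gr);
  }

  BOOL operator+= (cygsid &si) { return add (si); }
  BOOL operator+= (const char *sidstr) { return add (sidstr); }
  BOOL operator+= (const PSID psid) { return add (psid); }

  /* Index of sid in the list (by SID equality), or -1 if absent. */
  int position (const PSID sid) const
  {
    for (int i = 0; i < count; ++i)
      if (sids[i] == sid)
	return i;
    return -1;
  }

  BOOL contains (const PSID sid) const { return position (sid) >= 0; }
  /* Both defined elsewhere. */
  cygsid *alloc_sids (int n);
  void free_sids ();
  /* Dump every entry through debug_printf. */
  void debug_print (const char *prefix = NULL) const
  {
    debug_printf ("-- begin sidlist ---");
    if (!count)
      debug_printf ("No elements");
    for (int i = 0; i < count; ++i)
      sids[i].debug_print (prefix);
    debug_printf ("-- ende sidlist ---");
  }
};
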
/* The group identity of a process: the primary group SID plus the list
   of supplementary group SIDs.  `ischanged' is raised by every updating
   member below; nothing here ever clears it. */
class user_groups {
public:
  cygsid pgsid;			/* Primary group SID. */
  cygsidlist sgsids;		/* Supplementary group SIDs. */
  BOOL ischanged;		/* TRUE once any update has been applied. */

  /* Reports whether the supplementary list uses alloc storage; judging
     by the name this marks groups set via setgroups -- confirm. */
  BOOL issetgroups () const
  {
    return sgsids.type == cygsidlist_alloc;
  }

  /* Replace the supplementary groups: release the old storage, then copy
     newsids member-wise.  cygsidlist has no user-defined operator=, so
     afterwards sgsids.sids is the same pointer newsids holds; the caller
     must not release it through newsids as well. */
  void update_supp (const cygsidlist &newsids)
  {
    sgsids.free_sids ();
    sgsids = newsids;
    mark_changed ();
  }

  /* Drop all supplementary groups. */
  void clear_supp ()
  {
    sgsids.free_sids ();
    mark_changed ();
  }

  /* Replace the primary group SID (the bytes are copied into pgsid). */
  void update_pgrp (const PSID sid)
  {
    pgsid = sid;
    mark_changed ();
  }

private:
  void mark_changed () { ischanged = TRUE; }
};

/* Well-known SIDs, defined in another translation unit. */
extern cygsid well_known_null_sid;
extern cygsid well_known_world_sid;
extern cygsid well_known_local_sid;
extern cygsid well_known_creator_owner_sid;
extern cygsid well_known_dialup_sid;
extern cygsid well_known_network_sid;
extern cygsid well_known_batch_sid;
extern cygsid well_known_interactive_sid;
extern cygsid well_known_service_sid;
extern cygsid well_known_authenticated_users_sid;
extern cygsid well_known_system_sid;
extern cygsid well_known_admins_sid;

/* TRUE for the SID_NAME_USE values this code is willing to map to a
   uid/gid: users, groups, aliases and well-known groups. */
inline BOOL
legal_sid_type (SID_NAME_USE type)
{
  switch (type)
    {
    case SidTypeUser:
    case SidTypeGroup:
    case SidTypeAlias:
    case SidTypeWellKnownGroup:
      return TRUE;
    default:
      return FALSE;
    }
}

/* Run-time feature switches, defined elsewhere.  allow_ntsec decides
   whether sec_user ()/sec_user_nih () below build a real security
   descriptor or fall back to sec_none_nih; allow_ntea and allow_smbntsec
   are consulted outside this header. */
extern BOOL allow_ntea;
extern BOOL allow_ntsec;
extern BOOL allow_smbntsec;

/* Both of these functions are needed to allow walking through the passwd
   and group lists, so they are somehow security related.  Besides that
   I didn't find a better place to declare them. */
extern struct passwd *internal_getpwent (int);
extern struct __group32 *internal_getgrent (int);

/* File manipulation */
int __stdcall set_process_privileges ();
/* Attribute queries/updates by path; the optional uid/gid pointers are
   outputs.  The definitions are outside this header. */
int __stdcall get_file_attribute (int, const char *, int *,
				  __uid32_t * = NULL, __gid32_t * = NULL);
int __stdcall set_file_attribute (int, const char *, int);
int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int);
int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, int *,
				    __uid32_t * = NULL, __gid32_t * = NULL);
/* Read/write a file's security descriptor.  read_sd takes the size by
   pointer, so it presumably reports the size needed as well -- confirm. */
LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size);
LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size);
/* Append an ACE to acl; len_add is updated through the reference
   (presumably the running ACL length).  The ACL must have been sized
   for the ACE, e.g. with MAX_DACL_LEN. */
BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);

/* Fill *psa for attribute, using the caller's sd_buf of sd_buf_size bytes. */
void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
			     void *sd_buf, DWORD sd_buf_size);

/* Try a subauthentication. */
HANDLE subauth (struct passwd *pw);
/* Try creating a token directly. */
HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
/* Verify an existing token */
BOOL verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL * pintern = NULL);

/* Extract U-domain\user field from passwd entry.
   NOTE(review): domain and user are output buffers with no length
   argument; callers must size them for the longest possible names. */
void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
/* Get default logonserver for a domain.  Same remark: server and wserver
   are unsized output buffers. */
BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);

/* sec_helper.cc: Security helper functions. */
BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid);
/* Enable (the default) or disable a named privilege in the process token. */
int set_process_privilege (const char *privilege, BOOL enable = TRUE);

/* shared.cc: */
/* Retrieve a security descriptor that allows all access.  Objects created
   with it are accessible to every account, so it belongs only on objects
   that are meant to be world-accessible. */
SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);

/* Various types of security attributes for use in Create* functions. */
extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
/* Build SECURITY_ATTRIBUTES for sid2 inside sa_buf, which is not sized
   here; see sec_user ()/sec_user_nih () for the callers in this header. */
extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid2, BOOL inherit)
  __attribute__ ((regparm (3)));
extern BOOL sec_acl (PACL acl, BOOL admins, PSID sid1 = NO_SID, PSID sid2 = NO_SID);

/* NTFS extended attributes; len is presumably the size of buf. */
int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len);
BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len);
/* Build a security descriptor for uid/gid/attribute into sd_ret and
   report its size through *sd_size_ret. */
PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
			       PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);

/* Non-inheritable security attributes for sid, built in sa_buf via
   __sec_user when NT security is enabled; otherwise the shared
   sec_none_nih object.  sa_buf is not sized here. */
extern inline SECURITY_ATTRIBUTES *
sec_user_nih (char sa_buf[], PSID sid = NULL)
{
  if (!allow_ntsec)
    return &sec_none_nih;
  return __sec_user (sa_buf, sid, FALSE);
}

/* Inheritable security attributes for sid, built in sa_buf via
   __sec_user when NT security is enabled.  Note that the fallback is the
   same sec_none_nih object sec_user_nih returns. */
extern inline SECURITY_ATTRIBUTES *
sec_user (char sa_buf[], PSID sid = NULL)
{
  if (!allow_ntsec)
    return &sec_none_nih;
  return __sec_user (sa_buf, sid, TRUE);
}