[newlib-cygwin.git] / winsup / cygwin / security.h

/* security.h: security declarations

   Copyright 2000, 2001, 2002 Red Hat, Inc.

This file is part of Cygwin.

This software is a copyrighted work licensed under the terms of the
Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
details. */

#include <accctrl.h>

#define DEFAULT_UID DOMAIN_USER_RID_ADMIN
#define DEFAULT_GID DOMAIN_ALIAS_RID_ADMINS

#define MAX_SID_LEN 40
#define MAX_DACL_LEN(n) (sizeof (ACL) \
		   + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))

#define NO_SID ((PSID)NULL)

class cygsid {
  PSID psid;
  char sbuf[MAX_SID_LEN];

  const PSID getfromstr (const char *nsidstr);
  PSID get_sid (DWORD s, DWORD cnt, DWORD *r);

  inline const PSID assign (const PSID nsid)
    {
      if (!nsid)
	psid = NO_SID;
      else
	{
	  psid = (PSID) sbuf;
	  CopySid (MAX_SID_LEN, psid, nsid);
	}
      return psid;
    }

public:
  inline operator const PSID () { return psid; }

  inline const PSID operator= (cygsid &nsid)
    { return assign (nsid); }
  inline const PSID operator= (const PSID nsid)
    { return assign (nsid); }
  inline const PSID operator= (const char *nsidstr)
    { return getfromstr (nsidstr); }

  inline cygsid () : psid ((PSID) sbuf) {}
  inline cygsid (const PSID nsid) { *this = nsid; }
  inline cygsid (const char *nstrsid) { *this = nstrsid; }

  inline PSID set () { return psid = (PSID) sbuf; }

  BOOL getfrompw (const struct passwd *pw);
  BOOL getfromgr (const struct __group32 *gr);

  int get_id (BOOL search_grp, int *type = NULL);
  inline int get_uid () { return get_id (FALSE); }
  inline int get_gid () { return get_id (TRUE); }

  char *string (char *nsidstr) const;

  inline BOOL operator== (const PSID nsid) const
    {
      if (!psid || !nsid)
	return nsid == psid;
      return EqualSid (psid, nsid);
    }
  inline BOOL operator== (const char *nsidstr) const
    {
      cygsid nsid (nsidstr);
      return *this == nsid;
    }
  inline BOOL operator!= (const PSID nsid) const
    { return !(*this == nsid); }
  inline BOOL operator!= (const char *nsidstr) const
    { return !(*this == nsidstr); }

  void debug_print (const char *prefix = NULL) const
    {
      char buf[256];
      debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
    }
};

typedef enum { cygsidlist_empty, cygsidlist_alloc, cygsidlist_auto } cygsidlist_type;
class cygsidlist {
  int maxcount;
public:
  int count;
  cygsid *sids;
  cygsidlist_type type;

  cygsidlist (cygsidlist_type t, int m)
    {
      type = t;
      count = 0;
      maxcount = m;
      if (t == cygsidlist_alloc)
	sids = alloc_sids (m);
      else
	sids = new cygsid [m];
    }
  ~cygsidlist () { if (type == cygsidlist_auto) delete [] sids; }

  BOOL add (const PSID nsi) /* Only with auto for now */
    {
      if (count >= maxcount)
        {
	  cygsid *tmp = new cygsid [ 2 * maxcount];
	  if (!tmp)
	    return FALSE;
	  maxcount *= 2;
	  for (int i = 0; i < count; ++i)
	    tmp[i] = sids[i];
	  delete [] sids;
	  sids = tmp;
	}
      sids[count++] = nsi;
      return TRUE;
    }
  BOOL add (cygsid &nsi) { return add ((PSID) nsi); }
  BOOL add (const char *sidstr)
    { cygsid nsi (sidstr); return add (nsi); }
  BOOL addfromgr (struct __group32 *gr) /* Only with alloc */
    { return sids[count++].getfromgr (gr); }

  BOOL operator+= (cygsid &si) { return add (si); }
  BOOL operator+= (const char *sidstr) { return add (sidstr); }
  BOOL operator+= (const PSID psid) { return add (psid); }

  int position (const PSID sid) const
    {
      for (int i = 0; i < count; ++i)
	if (sids[i] == sid)
	  return i;
      return -1;
    }

  BOOL contains (const PSID sid) const { return position (sid) >= 0; }
  cygsid *alloc_sids (int n);
  void free_sids ();
  void debug_print (const char *prefix = NULL) const
    {
      debug_printf ("-- begin sidlist ---");
      if (!count)
	debug_printf ("No elements");
      for (int i = 0; i < count; ++i)
	sids[i].debug_print (prefix);
      debug_printf ("-- ende sidlist ---");
    }
};

class user_groups {
public:
  cygsid pgsid;
  cygsidlist sgsids;
  BOOL ischanged;

  BOOL issetgroups () const { return (sgsids.type == cygsidlist_alloc); }
  void update_supp (const cygsidlist &newsids)
    {
      sgsids.free_sids ();
      sgsids = newsids;
      ischanged = TRUE;
    }
  void clear_supp ()
    {
      sgsids.free_sids ();
      ischanged = TRUE;
    }
  void update_pgrp (const PSID sid)
    {
      pgsid = sid;
      ischanged = TRUE;
    }
};

extern cygsid well_known_null_sid;
extern cygsid well_known_world_sid;
extern cygsid well_known_local_sid;
extern cygsid well_known_creator_owner_sid;
extern cygsid well_known_dialup_sid;
extern cygsid well_known_network_sid;
extern cygsid well_known_batch_sid;
extern cygsid well_known_interactive_sid;
extern cygsid well_known_service_sid;
extern cygsid well_known_authenticated_users_sid;
extern cygsid well_known_system_sid;
extern cygsid well_known_admins_sid;

inline BOOL
legal_sid_type (SID_NAME_USE type)
{
  return type == SidTypeUser  || type == SidTypeGroup
      || type == SidTypeAlias || type == SidTypeWellKnownGroup;
}

extern BOOL allow_ntea;
extern BOOL allow_ntsec;
extern BOOL allow_smbntsec;

/* These both functions are needed to allow walking through the passwd
   and group lists so they are somehow security related. Besides that
   I didn't find a better place to declare them. */
extern struct passwd *internal_getpwent (int);
extern struct __group32 *internal_getgrent (int);

/* File manipulation */
int __stdcall set_process_privileges ();
int __stdcall get_file_attribute (int, const char *, int *,
				  __uid32_t * = NULL, __gid32_t * = NULL);
int __stdcall set_file_attribute (int, const char *, int);
int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int);
int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, int *,
				  __uid32_t * = NULL, __gid32_t * = NULL);
LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size);
LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size);
BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);

void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
			     void *sd_buf, DWORD sd_buf_size);

/* Try a subauthentication. */
HANDLE subauth (struct passwd *pw);
/* Try creating a token directly. */
HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
/* Verify an existing token */
BOOL verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL * pintern = NULL);

/* Extract U-domain\user field from passwd entry. */
void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
/* Get default logonserver for a domain. */
BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);

/* sec_helper.cc: Security helper functions. */
BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid);
int set_process_privilege (const char *privilege, BOOL enable = TRUE);

/* shared.cc: */
/* Retrieve a security descriptor that allows all access */
SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);

/* Various types of security attributes for use in Create* functions. */
extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid2, BOOL inherit)
  __attribute__ ((regparm (3)));
extern BOOL sec_acl (PACL acl, BOOL admins, PSID sid1 = NO_SID, PSID sid2 = NO_SID);

int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len);
BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len);
PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
	  PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);

extern inline SECURITY_ATTRIBUTES *
sec_user_nih (char sa_buf[], PSID sid = NULL)
{
  return allow_ntsec ? __sec_user (sa_buf, sid, FALSE) : &sec_none_nih;
}

extern inline SECURITY_ATTRIBUTES *
sec_user (char sa_buf[], PSID sid = NULL)
{
  return allow_ntsec ? __sec_user (sa_buf, sid, TRUE) : &sec_none_nih;
}
Commit	Line	Data
f0338f54 CF	1	/* security.h: security declarations
f0338f54 CF	2
b31c68c4	3	Copyright 2000, 2001, 2002 Red Hat, Inc.
f0338f54 CF	4
	5	This file is part of Cygwin.
	6
	7	This software is a copyrighted work licensed under the terms of the
	8	Cygwin license. Please consult the file "CYGWIN_LICENSE" for
	9	details. */
	10
74fcdaec	11	#include <accctrl.h>
c0d1968a	12
17db1105 CV	13	#define DEFAULT_UID DOMAIN_USER_RID_ADMIN
	14	#define DEFAULT_GID DOMAIN_ALIAS_RID_ADMINS
	15
2b0a111f	16	#define MAX_SID_LEN 40
043bc3e1 CV	17	#define MAX_DACL_LEN(n) (sizeof (ACL) \
043bc3e1 CV	18	+ (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
2b0a111f CV	19
	20	#define NO_SID ((PSID)NULL)
	21
d551169a CV	22	class cygsid {
	23	PSID psid;
	24	char sbuf[MAX_SID_LEN];
2b0a111f CV	25
	26	const PSID getfromstr (const char *nsidstr);
	27	PSID get_sid (DWORD s, DWORD cnt, DWORD *r);
	28
1fcc912f CV	29	inline const PSID assign (const PSID nsid)
	30	{
	31	if (!nsid)
1ff9f4b9	32	psid = NO_SID;
1fcc912f	33	else
1ff9f4b9 CF	34	{
	35	psid = (PSID) sbuf;
	36	CopySid (MAX_SID_LEN, psid, nsid);
	37	}
1fcc912f CV	38	return psid;
	39	}
	40
d551169a	41	public:
243a041b CF	42	inline operator const PSID () { return psid; }
	43
	44	inline const PSID operator= (cygsid &nsid)
	45	{ return assign (nsid); }
	46	inline const PSID operator= (const PSID nsid)
	47	{ return assign (nsid); }
	48	inline const PSID operator= (const char *nsidstr)
	49	{ return getfromstr (nsidstr); }
	50
d551169a	51	inline cygsid () : psid ((PSID) sbuf) {}
2b0a111f CV	52	inline cygsid (const PSID nsid) { *this = nsid; }
2b0a111f CV	53	inline cygsid (const char nstrsid) { this = nstrsid; }
d551169a CV	54
	55	inline PSID set () { return psid = (PSID) sbuf; }
	56
b2939a81	57	BOOL getfrompw (const struct passwd *pw);
57196405	58	BOOL getfromgr (const struct __group32 *gr);
2b0a111f CV	59
	60	int get_id (BOOL search_grp, int *type = NULL);
	61	inline int get_uid () { return get_id (FALSE); }
	62	inline int get_gid () { return get_id (TRUE); }
	63
1fcc912f	64	char string (char nsidstr) const;
2b0a111f	65
2b0a111f	66	inline BOOL operator== (const PSID nsid) const
d551169a CV	67	{
d551169a CV	68	if (!psid \|\| !nsid)
1ff9f4b9	69	return nsid == psid;
d551169a CV	70	return EqualSid (psid, nsid);
d551169a CV	71	}
2b0a111f CV	72	inline BOOL operator== (const char *nsidstr) const
	73	{
	74	cygsid nsid (nsidstr);
	75	return *this == nsid;
	76	}
	77	inline BOOL operator!= (const PSID nsid) const
	78	{ return !(*this == nsid); }
	79	inline BOOL operator!= (const char *nsidstr) const
	80	{ return !(*this == nsidstr); }
	81
1fcc912f CV	82	void debug_print (const char *prefix = NULL) const
	83	{
	84	char buf[256];
	85	debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
	86	}
	87	};
	88
5a8746b7	89	typedef enum { cygsidlist_empty, cygsidlist_alloc, cygsidlist_auto } cygsidlist_type;
1fcc912f	90	class cygsidlist {
5519d543	91	int maxcount;
1fcc912f CV	92	public:
	93	int count;
	94	cygsid *sids;
5519d543	95	cygsidlist_type type;
1fcc912f	96
5519d543 CV	97	cygsidlist (cygsidlist_type t, int m)
	98	{
	99	type = t;
	100	count = 0;
	101	maxcount = m;
	102	if (t == cygsidlist_alloc)
	103	sids = alloc_sids (m);
	104	else
	105	sids = new cygsid [m];
	106	}
	107	~cygsidlist () { if (type == cygsidlist_auto) delete [] sids; }
1fcc912f	108
5519d543	109	BOOL add (const PSID nsi) /* Only with auto for now */
1fcc912f	110	{
5519d543 CV	111	if (count >= maxcount)
	112	{
	113	cygsid tmp = new cygsid [ 2 maxcount];
	114	if (!tmp)
	115	return FALSE;
	116	maxcount *= 2;
	117	for (int i = 0; i < count; ++i)
	118	tmp[i] = sids[i];
	119	delete [] sids;
	120	sids = tmp;
	121	}
1fcc912f CV	122	sids[count++] = nsi;
	123	return TRUE;
	124	}
5519d543	125	BOOL add (cygsid &nsi) { return add ((PSID) nsi); }
1fcc912f CV	126	BOOL add (const char *sidstr)
1fcc912f CV	127	{ cygsid nsi (sidstr); return add (nsi); }
5519d543 CV	128	BOOL addfromgr (struct __group32 gr) / Only with alloc */
5519d543 CV	129	{ return sids[count++].getfromgr (gr); }
462f4eff	130
1fcc912f CV	131	BOOL operator+= (cygsid &si) { return add (si); }
1fcc912f CV	132	BOOL operator+= (const char *sidstr) { return add (sidstr); }
5519d543	133	BOOL operator+= (const PSID psid) { return add (psid); }
1fcc912f	134
5519d543	135	int position (const PSID sid) const
1fcc912f CV	136	{
1fcc912f CV	137	for (int i = 0; i < count; ++i)
1ff9f4b9	138	if (sids[i] == sid)
5519d543 CV	139	return i;
5519d543 CV	140	return -1;
1fcc912f	141	}
5519d543 CV	142
	143	BOOL contains (const PSID sid) const { return position (sid) >= 0; }
	144	cygsid *alloc_sids (int n);
	145	void free_sids ();
1fcc912f CV	146	void debug_print (const char *prefix = NULL) const
	147	{
	148	debug_printf ("-- begin sidlist ---");
	149	if (!count)
1ff9f4b9	150	debug_printf ("No elements");
1fcc912f	151	for (int i = 0; i < count; ++i)
1ff9f4b9	152	sids[i].debug_print (prefix);
1fcc912f CV	153	debug_printf ("-- ende sidlist ---");
1fcc912f CV	154	}
d551169a CV	155	};
d551169a CV	156
5519d543 CV	157	class user_groups {
	158	public:
	159	cygsid pgsid;
	160	cygsidlist sgsids;
	161	BOOL ischanged;
	162
	163	BOOL issetgroups () const { return (sgsids.type == cygsidlist_alloc); }
	164	void update_supp (const cygsidlist &newsids)
	165	{
	166	sgsids.free_sids ();
	167	sgsids = newsids;
	168	ischanged = TRUE;
	169	}
5a8746b7 CV	170	void clear_supp ()
	171	{
	172	sgsids.free_sids ();
	173	ischanged = TRUE;
	174	}
5519d543 CV	175	void update_pgrp (const PSID sid)
	176	{
	177	pgsid = sid;
	178	ischanged = TRUE;
	179	}
	180	};
	181
3a157c0d	182	extern cygsid well_known_null_sid;
2b0a111f	183	extern cygsid well_known_world_sid;
1fcc912f CV	184	extern cygsid well_known_local_sid;
	185	extern cygsid well_known_creator_owner_sid;
	186	extern cygsid well_known_dialup_sid;
	187	extern cygsid well_known_network_sid;
	188	extern cygsid well_known_batch_sid;
	189	extern cygsid well_known_interactive_sid;
	190	extern cygsid well_known_service_sid;
	191	extern cygsid well_known_authenticated_users_sid;
	192	extern cygsid well_known_system_sid;
3a157c0d	193	extern cygsid well_known_admins_sid;
1fcc912f CV	194
	195	inline BOOL
	196	legal_sid_type (SID_NAME_USE type)
	197	{
	198	return type == SidTypeUser \|\| type == SidTypeGroup
	199	\|\| type == SidTypeAlias \|\| type == SidTypeWellKnownGroup;
	200	}
2b0a111f	201
86fb0393	202	extern BOOL allow_ntea;
c0d1968a CV	203	extern BOOL allow_ntsec;
	204	extern BOOL allow_smbntsec;
	205
d551169a CV	206	/* These both functions are needed to allow walking through the passwd
	207	and group lists so they are somehow security related. Besides that
	208	I didn't find a better place to declare them. */
	209	extern struct passwd *internal_getpwent (int);
57196405	210	extern struct __group32 *internal_getgrent (int);
d551169a	211
f0338f54 CF	212	/* File manipulation */
	213	int __stdcall set_process_privileges ();
	214	int __stdcall get_file_attribute (int, const char , int ,
a8d7ae61	215	__uid32_t * = NULL, __gid32_t * = NULL);
f0338f54	216	int __stdcall set_file_attribute (int, const char *, int);
2e8abfc1	217	int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int);
74fcdaec CF	218	int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, int *,
74fcdaec CF	219	__uid32_t * = NULL, __gid32_t * = NULL);
c0d1968a CV	220	LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size);
	221	LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size);
	222	BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
	223	BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
	224
86fb0393 CV	225	void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
	226	void *sd_buf, DWORD sd_buf_size);
	227
57ff940d CV	228	/* Try a subauthentication. */
57ff940d CV	229	HANDLE subauth (struct passwd *pw);
1fcc912f	230	/* Try creating a token directly. */
5519d543	231	HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
ebbdc703	232	/* Verify an existing token */
5519d543	233	BOOL verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL * pintern = NULL);
1fcc912f CV	234
	235	/* Extract U-domain\user field from passwd entry. */
	236	void extract_nt_dom_user (const struct passwd pw, char domain, char *user);
1eb934b7 CV	237	/* Get default logonserver for a domain. */
1eb934b7 CV	238	BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);
c0d1968a CV	239
c0d1968a CV	240	/* sec_helper.cc: Security helper functions. */
57196405	241	BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid);
3c8e92d9	242	int set_process_privilege (const char *privilege, BOOL enable = TRUE);
f0338f54	243
c0d1968a CV	244	/* shared.cc: */
	245	/* Retrieve a security descriptor that allows all access */
	246	SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);
	247
f0338f54 CF	248	/* Various types of security attributes for use in Create* functions. */
f0338f54 CF	249	extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
cecb74ae CF	250	extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid2, BOOL inherit)
cecb74ae CF	251	__attribute__ ((regparm (3)));
043bc3e1	252	extern BOOL sec_acl (PACL acl, BOOL admins, PSID sid1 = NO_SID, PSID sid2 = NO_SID);
f0338f54 CF	253
f0338f54 CF	254	int __stdcall NTReadEA (const char file, const char attrname, char *buf, int len);
149da470	255	BOOL __stdcall NTWriteEA (const char file, const char attrname, const char *buf, int len);
2e8abfc1	256	PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
de0557f7	257	PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);
cecb74ae CF	258
	259	extern inline SECURITY_ATTRIBUTES *
	260	sec_user_nih (char sa_buf[], PSID sid = NULL)
	261	{
	262	return allow_ntsec ? __sec_user (sa_buf, sid, FALSE) : &sec_none_nih;
	263	}
	264
	265	extern inline SECURITY_ATTRIBUTES *
	266	sec_user (char sa_buf[], PSID sid = NULL)
	267	{
	268	return allow_ntsec ? __sec_user (sa_buf, sid, TRUE) : &sec_none_nih;
	269	}