]>
Commit | Line | Data |
---|---|---|
f0338f54 CF |
1 | /* security.h: security declarations |
2 | ||
b31c68c4 | 3 | Copyright 2000, 2001, 2002 Red Hat, Inc. |
f0338f54 CF |
4 | |
5 | This file is part of Cygwin. | |
6 | ||
7 | This software is a copyrighted work licensed under the terms of the | |
8 | Cygwin license. Please consult the file "CYGWIN_LICENSE" for | |
9 | details. */ | |
10 | ||
7119fc0d PH |
11 | #ifndef _SECURITY_H |
12 | #define _SECURITY_H | |
13 | ||
74fcdaec | 14 | #include <accctrl.h> |
c0d1968a | 15 | |
17db1105 | 16 | #define DEFAULT_UID DOMAIN_USER_RID_ADMIN |
565e8015 CV |
17 | #define UNKNOWN_UID 400 /* Non conflicting number */ |
18 | #define UNKNOWN_GID 401 | |
17db1105 | 19 | |
2b0a111f | 20 | #define MAX_SID_LEN 40 |
043bc3e1 CV |
21 | #define MAX_DACL_LEN(n) (sizeof (ACL) \ |
22 | + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN)) | |
2b0a111f CV |
23 | |
24 | #define NO_SID ((PSID)NULL) | |
25 | ||
4a21c2d5 CV |
26 | class cygpsid { |
27 | protected: | |
d551169a | 28 | PSID psid; |
4a21c2d5 CV |
29 | public: |
30 | cygpsid () {} | |
31 | cygpsid (PSID nsid) { psid = nsid; } | |
32 | operator const PSID () { return psid; } | |
33 | const PSID operator= (PSID nsid) { return psid = nsid;} | |
34 | __uid32_t get_id (BOOL search_grp, int *type = NULL); | |
35 | int get_uid () { return get_id (FALSE); } | |
36 | int get_gid () { return get_id (TRUE); } | |
37 | ||
38 | char *string (char *nsidstr) const; | |
39 | ||
40 | bool operator== (const PSID nsid) const | |
41 | { | |
42 | if (!psid || !nsid) | |
43 | return nsid == psid; | |
44 | return EqualSid (psid, nsid); | |
45 | } | |
46 | bool operator!= (const PSID nsid) const | |
47 | { return !(*this == nsid); } | |
48 | bool operator== (const char *nsidstr) const; | |
49 | bool operator!= (const char *nsidstr) const | |
50 | { return !(*this == nsidstr); } | |
51 | ||
52 | void debug_print (const char *prefix = NULL) const | |
53 | { | |
54 | char buf[256]; | |
55 | debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL"); | |
56 | } | |
57 | }; | |
58 | ||
59 | class cygsid : public cygpsid { | |
d551169a | 60 | char sbuf[MAX_SID_LEN]; |
2b0a111f CV |
61 | |
62 | const PSID getfromstr (const char *nsidstr); | |
63 | PSID get_sid (DWORD s, DWORD cnt, DWORD *r); | |
64 | ||
1fcc912f CV |
65 | inline const PSID assign (const PSID nsid) |
66 | { | |
67 | if (!nsid) | |
1ff9f4b9 | 68 | psid = NO_SID; |
1fcc912f | 69 | else |
1ff9f4b9 CF |
70 | { |
71 | psid = (PSID) sbuf; | |
72 | CopySid (MAX_SID_LEN, psid, nsid); | |
73 | } | |
1fcc912f CV |
74 | return psid; |
75 | } | |
76 | ||
d551169a | 77 | public: |
85ecb9be | 78 | static void init(); |
243a041b CF |
79 | inline operator const PSID () { return psid; } |
80 | ||
81 | inline const PSID operator= (cygsid &nsid) | |
82 | { return assign (nsid); } | |
83 | inline const PSID operator= (const PSID nsid) | |
84 | { return assign (nsid); } | |
85 | inline const PSID operator= (const char *nsidstr) | |
86 | { return getfromstr (nsidstr); } | |
87 | ||
4a21c2d5 | 88 | inline cygsid () : cygpsid ((PSID) sbuf) {} |
2b0a111f CV |
89 | inline cygsid (const PSID nsid) { *this = nsid; } |
90 | inline cygsid (const char *nstrsid) { *this = nstrsid; } | |
d551169a CV |
91 | |
92 | inline PSID set () { return psid = (PSID) sbuf; } | |
93 | ||
b2939a81 | 94 | BOOL getfrompw (const struct passwd *pw); |
57196405 | 95 | BOOL getfromgr (const struct __group32 *gr); |
1fcc912f CV |
96 | }; |
97 | ||
5a8746b7 | 98 | typedef enum { cygsidlist_empty, cygsidlist_alloc, cygsidlist_auto } cygsidlist_type; |
1fcc912f | 99 | class cygsidlist { |
5519d543 | 100 | int maxcount; |
1fcc912f CV |
101 | public: |
102 | int count; | |
103 | cygsid *sids; | |
5519d543 | 104 | cygsidlist_type type; |
1fcc912f | 105 | |
5519d543 CV |
106 | cygsidlist (cygsidlist_type t, int m) |
107 | { | |
108 | type = t; | |
109 | count = 0; | |
110 | maxcount = m; | |
111 | if (t == cygsidlist_alloc) | |
112 | sids = alloc_sids (m); | |
113 | else | |
114 | sids = new cygsid [m]; | |
115 | } | |
116 | ~cygsidlist () { if (type == cygsidlist_auto) delete [] sids; } | |
1fcc912f | 117 | |
5519d543 | 118 | BOOL add (const PSID nsi) /* Only with auto for now */ |
1fcc912f | 119 | { |
5519d543 | 120 | if (count >= maxcount) |
a113a3c5 | 121 | { |
5519d543 CV |
122 | cygsid *tmp = new cygsid [ 2 * maxcount]; |
123 | if (!tmp) | |
124 | return FALSE; | |
125 | maxcount *= 2; | |
126 | for (int i = 0; i < count; ++i) | |
127 | tmp[i] = sids[i]; | |
128 | delete [] sids; | |
129 | sids = tmp; | |
130 | } | |
1fcc912f CV |
131 | sids[count++] = nsi; |
132 | return TRUE; | |
133 | } | |
5519d543 | 134 | BOOL add (cygsid &nsi) { return add ((PSID) nsi); } |
1fcc912f CV |
135 | BOOL add (const char *sidstr) |
136 | { cygsid nsi (sidstr); return add (nsi); } | |
5519d543 CV |
137 | BOOL addfromgr (struct __group32 *gr) /* Only with alloc */ |
138 | { return sids[count++].getfromgr (gr); } | |
462f4eff | 139 | |
1fcc912f CV |
140 | BOOL operator+= (cygsid &si) { return add (si); } |
141 | BOOL operator+= (const char *sidstr) { return add (sidstr); } | |
5519d543 | 142 | BOOL operator+= (const PSID psid) { return add (psid); } |
1fcc912f | 143 | |
5519d543 | 144 | int position (const PSID sid) const |
1fcc912f CV |
145 | { |
146 | for (int i = 0; i < count; ++i) | |
1ff9f4b9 | 147 | if (sids[i] == sid) |
5519d543 CV |
148 | return i; |
149 | return -1; | |
1fcc912f | 150 | } |
5519d543 CV |
151 | |
152 | BOOL contains (const PSID sid) const { return position (sid) >= 0; } | |
153 | cygsid *alloc_sids (int n); | |
154 | void free_sids (); | |
1fcc912f CV |
155 | void debug_print (const char *prefix = NULL) const |
156 | { | |
157 | debug_printf ("-- begin sidlist ---"); | |
158 | if (!count) | |
1ff9f4b9 | 159 | debug_printf ("No elements"); |
1fcc912f | 160 | for (int i = 0; i < count; ++i) |
1ff9f4b9 | 161 | sids[i].debug_print (prefix); |
1fcc912f CV |
162 | debug_printf ("-- ende sidlist ---"); |
163 | } | |
d551169a CV |
164 | }; |
165 | ||
5519d543 CV |
166 | class user_groups { |
167 | public: | |
168 | cygsid pgsid; | |
169 | cygsidlist sgsids; | |
170 | BOOL ischanged; | |
171 | ||
172 | BOOL issetgroups () const { return (sgsids.type == cygsidlist_alloc); } | |
173 | void update_supp (const cygsidlist &newsids) | |
174 | { | |
175 | sgsids.free_sids (); | |
176 | sgsids = newsids; | |
177 | ischanged = TRUE; | |
178 | } | |
5a8746b7 CV |
179 | void clear_supp () |
180 | { | |
4a21c2d5 | 181 | if (issetgroups ()) |
a113a3c5 | 182 | { |
4a21c2d5 CV |
183 | sgsids.free_sids (); |
184 | ischanged = TRUE; | |
185 | } | |
5a8746b7 | 186 | } |
5519d543 CV |
187 | void update_pgrp (const PSID sid) |
188 | { | |
189 | pgsid = sid; | |
190 | ischanged = TRUE; | |
191 | } | |
192 | }; | |
193 | ||
3a157c0d | 194 | extern cygsid well_known_null_sid; |
2b0a111f | 195 | extern cygsid well_known_world_sid; |
1fcc912f CV |
196 | extern cygsid well_known_local_sid; |
197 | extern cygsid well_known_creator_owner_sid; | |
85ecb9be | 198 | extern cygsid well_known_creator_group_sid; |
1fcc912f CV |
199 | extern cygsid well_known_dialup_sid; |
200 | extern cygsid well_known_network_sid; | |
201 | extern cygsid well_known_batch_sid; | |
202 | extern cygsid well_known_interactive_sid; | |
203 | extern cygsid well_known_service_sid; | |
204 | extern cygsid well_known_authenticated_users_sid; | |
205 | extern cygsid well_known_system_sid; | |
3a157c0d | 206 | extern cygsid well_known_admins_sid; |
1fcc912f CV |
207 | |
208 | inline BOOL | |
209 | legal_sid_type (SID_NAME_USE type) | |
210 | { | |
211 | return type == SidTypeUser || type == SidTypeGroup | |
212 | || type == SidTypeAlias || type == SidTypeWellKnownGroup; | |
213 | } | |
2b0a111f | 214 | |
3872e9a4 CF |
215 | extern bool allow_ntea; |
216 | extern bool allow_ntsec; | |
217 | extern bool allow_smbntsec; | |
c0d1968a | 218 | |
f0338f54 CF |
219 | /* File manipulation */ |
220 | int __stdcall set_process_privileges (); | |
407b8df6 | 221 | int __stdcall get_file_attribute (int, const char *, mode_t *, |
a8d7ae61 | 222 | __uid32_t * = NULL, __gid32_t * = NULL); |
f0338f54 | 223 | int __stdcall set_file_attribute (int, const char *, int); |
2e8abfc1 | 224 | int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int); |
407b8df6 | 225 | int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, mode_t *, |
74fcdaec | 226 | __uid32_t * = NULL, __gid32_t * = NULL); |
c0d1968a CV |
227 | LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size); |
228 | LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size); | |
229 | BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit); | |
230 | BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit); | |
cf762b08 | 231 | int __stdcall check_file_access (const char *, int); |
c0d1968a | 232 | |
86fb0393 CV |
233 | void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa, |
234 | void *sd_buf, DWORD sd_buf_size); | |
235 | ||
4a21c2d5 CV |
236 | bool get_sids_info (cygpsid, cygpsid, __uid32_t * , __gid32_t *); |
237 | ||
57ff940d CV |
238 | /* Try a subauthentication. */ |
239 | HANDLE subauth (struct passwd *pw); | |
1fcc912f | 240 | /* Try creating a token directly. */ |
5519d543 | 241 | HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw); |
ebbdc703 | 242 | /* Verify an existing token */ |
5519d543 | 243 | BOOL verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL * pintern = NULL); |
1fcc912f CV |
244 | |
245 | /* Extract U-domain\user field from passwd entry. */ | |
246 | void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user); | |
1eb934b7 CV |
247 | /* Get default logonserver for a domain. */ |
248 | BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL); | |
c0d1968a CV |
249 | |
250 | /* sec_helper.cc: Security helper functions. */ | |
153e83c6 | 251 | int set_process_privilege (const char *privilege, bool enable = true, bool use_thread = false); |
f0338f54 | 252 | |
c0d1968a CV |
253 | /* shared.cc: */ |
254 | /* Retrieve a security descriptor that allows all access */ | |
255 | SECURITY_DESCRIPTOR *__stdcall get_null_sd (void); | |
256 | ||
f0338f54 CF |
257 | /* Various types of security attributes for use in Create* functions. */ |
258 | extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih; | |
c61ada9b PH |
259 | extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid1, PSID sid2, |
260 | DWORD access2, BOOL inherit) | |
cecb74ae | 261 | __attribute__ ((regparm (3))); |
c61ada9b PH |
262 | extern BOOL sec_acl (PACL acl, bool original, bool admins, PSID sid1 = NO_SID, |
263 | PSID sid2 = NO_SID, DWORD access2 = 0); | |
f0338f54 CF |
264 | |
265 | int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len); | |
149da470 | 266 | BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len); |
2e8abfc1 | 267 | PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute, |
de0557f7 | 268 | PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret); |
cecb74ae CF |
269 | |
270 | extern inline SECURITY_ATTRIBUTES * | |
c61ada9b | 271 | sec_user_nih (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0) |
cecb74ae | 272 | { |
c61ada9b | 273 | return __sec_user (sa_buf, sid1, sid2, access2, FALSE); |
cecb74ae CF |
274 | } |
275 | ||
276 | extern inline SECURITY_ATTRIBUTES * | |
c61ada9b | 277 | sec_user (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0) |
cecb74ae | 278 | { |
c61ada9b | 279 | return __sec_user (sa_buf, sid1, sid2, access2, TRUE); |
cecb74ae | 280 | } |
7119fc0d | 281 | #endif /*_SECURITY_H*/ |