[newlib-cygwin.git] / winsup / cygwin / security.h

/* security.h: security declarations

   Copyright 2000, 2001, 2002 Red Hat, Inc.

This file is part of Cygwin.

This software is a copyrighted work licensed under the terms of the
Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
details. */

#ifndef _SECURITY_H
#define _SECURITY_H

#include <accctrl.h>

#define DEFAULT_UID DOMAIN_USER_RID_ADMIN
#define UNKNOWN_UID 400 /* Non conflicting number */
#define UNKNOWN_GID 401

#define MAX_SID_LEN 40
#define MAX_DACL_LEN(n) (sizeof (ACL) \
		   + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))

#define NO_SID ((PSID)NULL)

class cygpsid {
protected:
  PSID psid;
public:
  cygpsid () {}
  cygpsid (PSID nsid) { psid = nsid; }
  operator const PSID () { return psid; }
  const PSID operator= (PSID nsid) { return psid = nsid;}
  __uid32_t get_id (BOOL search_grp, int *type = NULL);
  int get_uid () { return get_id (FALSE); }
  int get_gid () { return get_id (TRUE); }

  char *string (char *nsidstr) const;

  bool operator== (const PSID nsid) const
    {
      if (!psid || !nsid)
	return nsid == psid;
      return EqualSid (psid, nsid);
    }
  bool operator!= (const PSID nsid) const
    { return !(*this == nsid); }
  bool operator== (const char *nsidstr) const;
  bool operator!= (const char *nsidstr) const
    { return !(*this == nsidstr); }

  void debug_print (const char *prefix = NULL) const
    {
      char buf[256];
      debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
    }
};

class cygsid : public cygpsid {
  char sbuf[MAX_SID_LEN];

  const PSID getfromstr (const char *nsidstr);
  PSID get_sid (DWORD s, DWORD cnt, DWORD *r);

  inline const PSID assign (const PSID nsid)
    {
      if (!nsid)
	psid = NO_SID;
      else
	{
	  psid = (PSID) sbuf;
	  CopySid (MAX_SID_LEN, psid, nsid);
	}
      return psid;
    }

public:
  static void init();
  inline operator const PSID () { return psid; }

  inline const PSID operator= (cygsid &nsid)
    { return assign (nsid); }
  inline const PSID operator= (const PSID nsid)
    { return assign (nsid); }
  inline const PSID operator= (const char *nsidstr)
    { return getfromstr (nsidstr); }

  inline cygsid () : cygpsid ((PSID) sbuf) {}
  inline cygsid (const PSID nsid) { *this = nsid; }
  inline cygsid (const char *nstrsid) { *this = nstrsid; }

  inline PSID set () { return psid = (PSID) sbuf; }

  BOOL getfrompw (const struct passwd *pw);
  BOOL getfromgr (const struct __group32 *gr);
};

typedef enum { cygsidlist_empty, cygsidlist_alloc, cygsidlist_auto } cygsidlist_type;
class cygsidlist {
  int maxcount;
public:
  int count;
  cygsid *sids;
  cygsidlist_type type;

  cygsidlist (cygsidlist_type t, int m)
    {
      type = t;
      count = 0;
      maxcount = m;
      if (t == cygsidlist_alloc)
	sids = alloc_sids (m);
      else
	sids = new cygsid [m];
    }
  ~cygsidlist () { if (type == cygsidlist_auto) delete [] sids; }

  BOOL add (const PSID nsi) /* Only with auto for now */
    {
      if (count >= maxcount)
	{
	  cygsid *tmp = new cygsid [ 2 * maxcount];
	  if (!tmp)
	    return FALSE;
	  maxcount *= 2;
	  for (int i = 0; i < count; ++i)
	    tmp[i] = sids[i];
	  delete [] sids;
	  sids = tmp;
	}
      sids[count++] = nsi;
      return TRUE;
    }
  BOOL add (cygsid &nsi) { return add ((PSID) nsi); }
  BOOL add (const char *sidstr)
    { cygsid nsi (sidstr); return add (nsi); }
  BOOL addfromgr (struct __group32 *gr) /* Only with alloc */
    { return sids[count++].getfromgr (gr); }

  BOOL operator+= (cygsid &si) { return add (si); }
  BOOL operator+= (const char *sidstr) { return add (sidstr); }
  BOOL operator+= (const PSID psid) { return add (psid); }

  int position (const PSID sid) const
    {
      for (int i = 0; i < count; ++i)
	if (sids[i] == sid)
	  return i;
      return -1;
    }

  BOOL contains (const PSID sid) const { return position (sid) >= 0; }
  cygsid *alloc_sids (int n);
  void free_sids ();
  void debug_print (const char *prefix = NULL) const
    {
      debug_printf ("-- begin sidlist ---");
      if (!count)
	debug_printf ("No elements");
      for (int i = 0; i < count; ++i)
	sids[i].debug_print (prefix);
      debug_printf ("-- ende sidlist ---");
    }
};

class user_groups {
public:
  cygsid pgsid;
  cygsidlist sgsids;
  BOOL ischanged;

  BOOL issetgroups () const { return (sgsids.type == cygsidlist_alloc); }
  void update_supp (const cygsidlist &newsids)
    {
      sgsids.free_sids ();
      sgsids = newsids;
      ischanged = TRUE;
    }
  void clear_supp ()
    {
      if (issetgroups ())
	{
	  sgsids.free_sids ();
	  ischanged = TRUE;
	}
    }
  void update_pgrp (const PSID sid)
    {
      pgsid = sid;
      ischanged = TRUE;
    }
};

extern cygsid well_known_null_sid;
extern cygsid well_known_world_sid;
extern cygsid well_known_local_sid;
extern cygsid well_known_creator_owner_sid;
extern cygsid well_known_creator_group_sid;
extern cygsid well_known_dialup_sid;
extern cygsid well_known_network_sid;
extern cygsid well_known_batch_sid;
extern cygsid well_known_interactive_sid;
extern cygsid well_known_service_sid;
extern cygsid well_known_authenticated_users_sid;
extern cygsid well_known_system_sid;
extern cygsid well_known_admins_sid;

inline BOOL
legal_sid_type (SID_NAME_USE type)
{
  return type == SidTypeUser  || type == SidTypeGroup
      || type == SidTypeAlias || type == SidTypeWellKnownGroup;
}

extern bool allow_ntea;
extern bool allow_ntsec;
extern bool allow_smbntsec;

/* File manipulation */
int __stdcall set_process_privileges ();
int __stdcall get_file_attribute (int, const char *, mode_t *,
				  __uid32_t * = NULL, __gid32_t * = NULL);
int __stdcall set_file_attribute (int, const char *, int);
int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int);
int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, mode_t *,
				  __uid32_t * = NULL, __gid32_t * = NULL);
LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size);
LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size);
BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
int __stdcall check_file_access (const char *, int);

void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
			     void *sd_buf, DWORD sd_buf_size);

bool get_sids_info (cygpsid, cygpsid, __uid32_t * , __gid32_t *);

/* Try a subauthentication. */
HANDLE subauth (struct passwd *pw);
/* Try creating a token directly. */
HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
/* Verify an existing token */
BOOL verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL * pintern = NULL);

/* Extract U-domain\user field from passwd entry. */
void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
/* Get default logonserver for a domain. */
BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);

/* sec_helper.cc: Security helper functions. */
int set_process_privilege (const char *privilege, bool enable = true, bool use_thread = false);

/* shared.cc: */
/* Retrieve a security descriptor that allows all access */
SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);

/* Various types of security attributes for use in Create* functions. */
extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid1, PSID sid2, 
						  DWORD access2, BOOL inherit)
  __attribute__ ((regparm (3)));
extern BOOL sec_acl (PACL acl, bool original, bool admins, PSID sid1 = NO_SID, 
		     PSID sid2 = NO_SID, DWORD access2 = 0);

int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len);
BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len);
PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
	  PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);

extern inline SECURITY_ATTRIBUTES *
sec_user_nih (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)
{
  return __sec_user (sa_buf, sid1, sid2, access2, FALSE);
}

extern inline SECURITY_ATTRIBUTES *
sec_user (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)
{
  return __sec_user (sa_buf, sid1, sid2, access2, TRUE);
}
#endif /*_SECURITY_H*/
Commit	Line	Data
f0338f54 CF	1	/* security.h: security declarations
f0338f54 CF	2
b31c68c4	3	Copyright 2000, 2001, 2002 Red Hat, Inc.
f0338f54 CF	4
	5	This file is part of Cygwin.
	6
	7	This software is a copyrighted work licensed under the terms of the
	8	Cygwin license. Please consult the file "CYGWIN_LICENSE" for
	9	details. */
	10
7119fc0d PH	11	#ifndef _SECURITY_H
	12	#define _SECURITY_H
	13
74fcdaec	14	#include <accctrl.h>
c0d1968a	15
17db1105	16	#define DEFAULT_UID DOMAIN_USER_RID_ADMIN
565e8015 CV	17	#define UNKNOWN_UID 400 /* Non conflicting number */
565e8015 CV	18	#define UNKNOWN_GID 401
17db1105	19
2b0a111f	20	#define MAX_SID_LEN 40
043bc3e1 CV	21	#define MAX_DACL_LEN(n) (sizeof (ACL) \
043bc3e1 CV	22	+ (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
2b0a111f CV	23
	24	#define NO_SID ((PSID)NULL)
	25
4a21c2d5 CV	26	class cygpsid {
4a21c2d5 CV	27	protected:
d551169a	28	PSID psid;
4a21c2d5 CV	29	public:
	30	cygpsid () {}
	31	cygpsid (PSID nsid) { psid = nsid; }
	32	operator const PSID () { return psid; }
	33	const PSID operator= (PSID nsid) { return psid = nsid;}
	34	__uid32_t get_id (BOOL search_grp, int *type = NULL);
	35	int get_uid () { return get_id (FALSE); }
	36	int get_gid () { return get_id (TRUE); }
	37
	38	char string (char nsidstr) const;
	39
	40	bool operator== (const PSID nsid) const
	41	{
	42	if (!psid \|\| !nsid)
	43	return nsid == psid;
	44	return EqualSid (psid, nsid);
	45	}
	46	bool operator!= (const PSID nsid) const
	47	{ return !(*this == nsid); }
	48	bool operator== (const char *nsidstr) const;
	49	bool operator!= (const char *nsidstr) const
	50	{ return !(*this == nsidstr); }
	51
	52	void debug_print (const char *prefix = NULL) const
	53	{
	54	char buf[256];
	55	debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
	56	}
	57	};
	58
	59	class cygsid : public cygpsid {
d551169a	60	char sbuf[MAX_SID_LEN];
2b0a111f CV	61
	62	const PSID getfromstr (const char *nsidstr);
	63	PSID get_sid (DWORD s, DWORD cnt, DWORD *r);
	64
1fcc912f CV	65	inline const PSID assign (const PSID nsid)
	66	{
	67	if (!nsid)
1ff9f4b9	68	psid = NO_SID;
1fcc912f	69	else
1ff9f4b9 CF	70	{
	71	psid = (PSID) sbuf;
	72	CopySid (MAX_SID_LEN, psid, nsid);
	73	}
1fcc912f CV	74	return psid;
	75	}
	76
d551169a	77	public:
85ecb9be	78	static void init();
243a041b CF	79	inline operator const PSID () { return psid; }
	80
	81	inline const PSID operator= (cygsid &nsid)
	82	{ return assign (nsid); }
	83	inline const PSID operator= (const PSID nsid)
	84	{ return assign (nsid); }
	85	inline const PSID operator= (const char *nsidstr)
	86	{ return getfromstr (nsidstr); }
	87
4a21c2d5	88	inline cygsid () : cygpsid ((PSID) sbuf) {}
2b0a111f CV	89	inline cygsid (const PSID nsid) { *this = nsid; }
2b0a111f CV	90	inline cygsid (const char nstrsid) { this = nstrsid; }
d551169a CV	91
	92	inline PSID set () { return psid = (PSID) sbuf; }
	93
b2939a81	94	BOOL getfrompw (const struct passwd *pw);
57196405	95	BOOL getfromgr (const struct __group32 *gr);
1fcc912f CV	96	};
1fcc912f CV	97
5a8746b7	98	typedef enum { cygsidlist_empty, cygsidlist_alloc, cygsidlist_auto } cygsidlist_type;
1fcc912f	99	class cygsidlist {
5519d543	100	int maxcount;
1fcc912f CV	101	public:
	102	int count;
	103	cygsid *sids;
5519d543	104	cygsidlist_type type;
1fcc912f	105
5519d543 CV	106	cygsidlist (cygsidlist_type t, int m)
	107	{
	108	type = t;
	109	count = 0;
	110	maxcount = m;
	111	if (t == cygsidlist_alloc)
	112	sids = alloc_sids (m);
	113	else
	114	sids = new cygsid [m];
	115	}
	116	~cygsidlist () { if (type == cygsidlist_auto) delete [] sids; }
1fcc912f	117
5519d543	118	BOOL add (const PSID nsi) /* Only with auto for now */
1fcc912f	119	{
5519d543	120	if (count >= maxcount)
a113a3c5	121	{
5519d543 CV	122	cygsid tmp = new cygsid [ 2 maxcount];
	123	if (!tmp)
	124	return FALSE;
	125	maxcount *= 2;
	126	for (int i = 0; i < count; ++i)
	127	tmp[i] = sids[i];
	128	delete [] sids;
	129	sids = tmp;
	130	}
1fcc912f CV	131	sids[count++] = nsi;
	132	return TRUE;
	133	}
5519d543	134	BOOL add (cygsid &nsi) { return add ((PSID) nsi); }
1fcc912f CV	135	BOOL add (const char *sidstr)
1fcc912f CV	136	{ cygsid nsi (sidstr); return add (nsi); }
5519d543 CV	137	BOOL addfromgr (struct __group32 gr) / Only with alloc */
5519d543 CV	138	{ return sids[count++].getfromgr (gr); }
462f4eff	139
1fcc912f CV	140	BOOL operator+= (cygsid &si) { return add (si); }
1fcc912f CV	141	BOOL operator+= (const char *sidstr) { return add (sidstr); }
5519d543	142	BOOL operator+= (const PSID psid) { return add (psid); }
1fcc912f	143
5519d543	144	int position (const PSID sid) const
1fcc912f CV	145	{
1fcc912f CV	146	for (int i = 0; i < count; ++i)
1ff9f4b9	147	if (sids[i] == sid)
5519d543 CV	148	return i;
5519d543 CV	149	return -1;
1fcc912f	150	}
5519d543 CV	151
	152	BOOL contains (const PSID sid) const { return position (sid) >= 0; }
	153	cygsid *alloc_sids (int n);
	154	void free_sids ();
1fcc912f CV	155	void debug_print (const char *prefix = NULL) const
	156	{
	157	debug_printf ("-- begin sidlist ---");
	158	if (!count)
1ff9f4b9	159	debug_printf ("No elements");
1fcc912f	160	for (int i = 0; i < count; ++i)
1ff9f4b9	161	sids[i].debug_print (prefix);
1fcc912f CV	162	debug_printf ("-- ende sidlist ---");
1fcc912f CV	163	}
d551169a CV	164	};
d551169a CV	165
5519d543 CV	166	class user_groups {
	167	public:
	168	cygsid pgsid;
	169	cygsidlist sgsids;
	170	BOOL ischanged;
	171
	172	BOOL issetgroups () const { return (sgsids.type == cygsidlist_alloc); }
	173	void update_supp (const cygsidlist &newsids)
	174	{
	175	sgsids.free_sids ();
	176	sgsids = newsids;
	177	ischanged = TRUE;
	178	}
5a8746b7 CV	179	void clear_supp ()
5a8746b7 CV	180	{
4a21c2d5	181	if (issetgroups ())
a113a3c5	182	{
4a21c2d5 CV	183	sgsids.free_sids ();
	184	ischanged = TRUE;
	185	}
5a8746b7	186	}
5519d543 CV	187	void update_pgrp (const PSID sid)
	188	{
	189	pgsid = sid;
	190	ischanged = TRUE;
	191	}
	192	};
	193
3a157c0d	194	extern cygsid well_known_null_sid;
2b0a111f	195	extern cygsid well_known_world_sid;
1fcc912f CV	196	extern cygsid well_known_local_sid;
1fcc912f CV	197	extern cygsid well_known_creator_owner_sid;
85ecb9be	198	extern cygsid well_known_creator_group_sid;
1fcc912f CV	199	extern cygsid well_known_dialup_sid;
	200	extern cygsid well_known_network_sid;
	201	extern cygsid well_known_batch_sid;
	202	extern cygsid well_known_interactive_sid;
	203	extern cygsid well_known_service_sid;
	204	extern cygsid well_known_authenticated_users_sid;
	205	extern cygsid well_known_system_sid;
3a157c0d	206	extern cygsid well_known_admins_sid;
1fcc912f CV	207
	208	inline BOOL
	209	legal_sid_type (SID_NAME_USE type)
	210	{
	211	return type == SidTypeUser \|\| type == SidTypeGroup
	212	\|\| type == SidTypeAlias \|\| type == SidTypeWellKnownGroup;
	213	}
2b0a111f	214
3872e9a4 CF	215	extern bool allow_ntea;
	216	extern bool allow_ntsec;
	217	extern bool allow_smbntsec;
c0d1968a	218
f0338f54 CF	219	/* File manipulation */
f0338f54 CF	220	int __stdcall set_process_privileges ();
407b8df6	221	int __stdcall get_file_attribute (int, const char , mode_t ,
a8d7ae61	222	__uid32_t * = NULL, __gid32_t * = NULL);
f0338f54	223	int __stdcall set_file_attribute (int, const char *, int);
2e8abfc1	224	int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int);
407b8df6	225	int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, mode_t *,
74fcdaec	226	__uid32_t * = NULL, __gid32_t * = NULL);
c0d1968a CV	227	LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size);
	228	LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size);
	229	BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
	230	BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
cf762b08	231	int __stdcall check_file_access (const char *, int);
c0d1968a	232
86fb0393 CV	233	void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
	234	void *sd_buf, DWORD sd_buf_size);
	235
4a21c2d5 CV	236	bool get_sids_info (cygpsid, cygpsid, __uid32_t * , __gid32_t *);
4a21c2d5 CV	237
57ff940d CV	238	/* Try a subauthentication. */
57ff940d CV	239	HANDLE subauth (struct passwd *pw);
1fcc912f	240	/* Try creating a token directly. */
5519d543	241	HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
ebbdc703	242	/* Verify an existing token */
5519d543	243	BOOL verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL * pintern = NULL);
1fcc912f CV	244
	245	/* Extract U-domain\user field from passwd entry. */
	246	void extract_nt_dom_user (const struct passwd pw, char domain, char *user);
1eb934b7 CV	247	/* Get default logonserver for a domain. */
1eb934b7 CV	248	BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);
c0d1968a CV	249
c0d1968a CV	250	/* sec_helper.cc: Security helper functions. */
153e83c6	251	int set_process_privilege (const char *privilege, bool enable = true, bool use_thread = false);
f0338f54	252
c0d1968a CV	253	/* shared.cc: */
	254	/* Retrieve a security descriptor that allows all access */
	255	SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);
	256
f0338f54 CF	257	/* Various types of security attributes for use in Create* functions. */
f0338f54 CF	258	extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
c61ada9b PH	259	extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid1, PSID sid2,
c61ada9b PH	260	DWORD access2, BOOL inherit)
cecb74ae	261	__attribute__ ((regparm (3)));
c61ada9b PH	262	extern BOOL sec_acl (PACL acl, bool original, bool admins, PSID sid1 = NO_SID,
c61ada9b PH	263	PSID sid2 = NO_SID, DWORD access2 = 0);
f0338f54 CF	264
f0338f54 CF	265	int __stdcall NTReadEA (const char file, const char attrname, char *buf, int len);
149da470	266	BOOL __stdcall NTWriteEA (const char file, const char attrname, const char *buf, int len);
2e8abfc1	267	PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
de0557f7	268	PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);
cecb74ae CF	269
cecb74ae CF	270	extern inline SECURITY_ATTRIBUTES *
c61ada9b	271	sec_user_nih (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)
cecb74ae	272	{
c61ada9b	273	return __sec_user (sa_buf, sid1, sid2, access2, FALSE);
cecb74ae CF	274	}
	275
	276	extern inline SECURITY_ATTRIBUTES *
c61ada9b	277	sec_user (char sa_buf[], PSID sid1 = NULL, PSID sid2 = NULL, DWORD access2 = 0)
cecb74ae	278	{
c61ada9b	279	return __sec_user (sa_buf, sid1, sid2, access2, TRUE);
cecb74ae	280	}
7119fc0d	281	#endif /_SECURITY_H/