1 /* security.h: security declarations
3 Copyright 2000, 2001, 2002 Red Hat, Inc.
5 This file is part of Cygwin.
7 This software is a copyrighted work licensed under the terms of the
8 Cygwin license. Please consult the file "CYGWIN_LICENSE" for
16 #define DEFAULT_UID DOMAIN_USER_RID_ADMIN
17 #define UNKNOWN_UID 400 /* Non conflicting number */
18 #define UNKNOWN_GID 401
20 #define MAX_SID_LEN 40
21 #define MAX_DACL_LEN(n) (sizeof (ACL) \
22 + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
24 #define NO_SID ((PSID)NULL)
31 cygpsid (PSID nsid
) { psid
= nsid
; }
32 operator const PSID () { return psid
; }
33 const PSID
operator= (PSID nsid
) { return psid
= nsid
;}
34 __uid32_t
get_id (BOOL search_grp
, int *type
= NULL
);
35 int get_uid () { return get_id (FALSE
); }
36 int get_gid () { return get_id (TRUE
); }
38 char *string (char *nsidstr
) const;
40 bool operator== (const PSID nsid
) const
44 return EqualSid (psid
, nsid
);
46 bool operator!= (const PSID nsid
) const
47 { return !(*this == nsid
); }
48 bool operator== (const char *nsidstr
) const;
49 bool operator!= (const char *nsidstr
) const
50 { return !(*this == nsidstr
); }
52 void debug_print (const char *prefix
= NULL
) const
55 debug_printf ("%s %s", prefix
?: "", string (buf
) ?: "NULL");
59 class cygsid
: public cygpsid
{
60 char sbuf
[MAX_SID_LEN
];
62 const PSID
getfromstr (const char *nsidstr
);
63 PSID
get_sid (DWORD s
, DWORD cnt
, DWORD
*r
);
65 inline const PSID
assign (const PSID nsid
)
72 CopySid (MAX_SID_LEN
, psid
, nsid
);
79 inline operator const PSID () { return psid
; }
81 inline const PSID
operator= (cygsid
&nsid
)
82 { return assign (nsid
); }
83 inline const PSID
operator= (const PSID nsid
)
84 { return assign (nsid
); }
85 inline const PSID
operator= (const char *nsidstr
)
86 { return getfromstr (nsidstr
); }
88 inline cygsid () : cygpsid ((PSID
) sbuf
) {}
89 inline cygsid (const PSID nsid
) { *this = nsid
; }
90 inline cygsid (const char *nstrsid
) { *this = nstrsid
; }
92 inline PSID
set () { return psid
= (PSID
) sbuf
; }
94 BOOL
getfrompw (const struct passwd
*pw
);
95 BOOL
getfromgr (const struct __group32
*gr
);
98 typedef enum { cygsidlist_empty
, cygsidlist_alloc
, cygsidlist_auto
} cygsidlist_type
;
104 cygsidlist_type type
;
106 cygsidlist (cygsidlist_type t
, int m
)
111 if (t
== cygsidlist_alloc
)
112 sids
= alloc_sids (m
);
114 sids
= new cygsid
[m
];
116 ~cygsidlist () { if (type
== cygsidlist_auto
) delete [] sids
; }
118 BOOL
add (const PSID nsi
) /* Only with auto for now */
120 if (count
>= maxcount
)
122 cygsid
*tmp
= new cygsid
[ 2 * maxcount
];
126 for (int i
= 0; i
< count
; ++i
)
134 BOOL
add (cygsid
&nsi
) { return add ((PSID
) nsi
); }
135 BOOL
add (const char *sidstr
)
136 { cygsid
nsi (sidstr
); return add (nsi
); }
137 BOOL
addfromgr (struct __group32
*gr
) /* Only with alloc */
138 { return sids
[count
++].getfromgr (gr
); }
140 BOOL
operator+= (cygsid
&si
) { return add (si
); }
141 BOOL
operator+= (const char *sidstr
) { return add (sidstr
); }
142 BOOL
operator+= (const PSID psid
) { return add (psid
); }
144 int position (const PSID sid
) const
146 for (int i
= 0; i
< count
; ++i
)
152 BOOL
contains (const PSID sid
) const { return position (sid
) >= 0; }
153 cygsid
*alloc_sids (int n
);
155 void debug_print (const char *prefix
= NULL
) const
157 debug_printf ("-- begin sidlist ---");
159 debug_printf ("No elements");
160 for (int i
= 0; i
< count
; ++i
)
161 sids
[i
].debug_print (prefix
);
162 debug_printf ("-- ende sidlist ---");
172 BOOL
issetgroups () const { return (sgsids
.type
== cygsidlist_alloc
); }
173 void update_supp (const cygsidlist
&newsids
)
187 void update_pgrp (const PSID sid
)
194 extern cygsid well_known_null_sid
;
195 extern cygsid well_known_world_sid
;
196 extern cygsid well_known_local_sid
;
197 extern cygsid well_known_creator_owner_sid
;
198 extern cygsid well_known_creator_group_sid
;
199 extern cygsid well_known_dialup_sid
;
200 extern cygsid well_known_network_sid
;
201 extern cygsid well_known_batch_sid
;
202 extern cygsid well_known_interactive_sid
;
203 extern cygsid well_known_service_sid
;
204 extern cygsid well_known_authenticated_users_sid
;
205 extern cygsid well_known_system_sid
;
206 extern cygsid well_known_admins_sid
;
209 legal_sid_type (SID_NAME_USE type
)
211 return type
== SidTypeUser
|| type
== SidTypeGroup
212 || type
== SidTypeAlias
|| type
== SidTypeWellKnownGroup
;
215 extern bool allow_ntea
;
216 extern bool allow_ntsec
;
217 extern bool allow_smbntsec
;
219 /* File manipulation */
220 int __stdcall
set_process_privileges ();
221 int __stdcall
get_file_attribute (int, const char *, mode_t
*,
222 __uid32_t
* = NULL
, __gid32_t
* = NULL
);
223 int __stdcall
set_file_attribute (int, const char *, int);
224 int __stdcall
set_file_attribute (int, const char *, __uid32_t
, __gid32_t
, int);
225 int __stdcall
get_object_attribute (HANDLE handle
, SE_OBJECT_TYPE object_type
, mode_t
*,
226 __uid32_t
* = NULL
, __gid32_t
* = NULL
);
227 LONG __stdcall
read_sd(const char *file
, PSECURITY_DESCRIPTOR sd_buf
, LPDWORD sd_size
);
228 LONG __stdcall
write_sd(const char *file
, PSECURITY_DESCRIPTOR sd_buf
, DWORD sd_size
);
229 BOOL __stdcall
add_access_allowed_ace (PACL acl
, int offset
, DWORD attributes
, PSID sid
, size_t &len_add
, DWORD inherit
);
230 BOOL __stdcall
add_access_denied_ace (PACL acl
, int offset
, DWORD attributes
, PSID sid
, size_t &len_add
, DWORD inherit
);
231 int __stdcall
check_file_access (const char *, int);
233 void set_security_attribute (int attribute
, PSECURITY_ATTRIBUTES psa
,
234 void *sd_buf
, DWORD sd_buf_size
);
236 bool get_sids_info (cygpsid
, cygpsid
, __uid32_t
* , __gid32_t
*);
238 /* Try a subauthentication. */
239 HANDLE
subauth (struct passwd
*pw
);
240 /* Try creating a token directly. */
241 HANDLE
create_token (cygsid
&usersid
, user_groups
&groups
, struct passwd
* pw
);
242 /* Verify an existing token */
243 BOOL
verify_token (HANDLE token
, cygsid
&usersid
, user_groups
&groups
, BOOL
* pintern
= NULL
);
245 /* Extract U-domain\user field from passwd entry. */
246 void extract_nt_dom_user (const struct passwd
*pw
, char *domain
, char *user
);
247 /* Get default logonserver for a domain. */
248 BOOL
get_logon_server (const char * domain
, char * server
, WCHAR
*wserver
= NULL
);
250 /* sec_helper.cc: Security helper functions. */
251 int set_process_privilege (const char *privilege
, bool enable
= true, bool use_thread
= false);
254 /* Retrieve a security descriptor that allows all access */
255 SECURITY_DESCRIPTOR
*__stdcall
get_null_sd (void);
257 /* Various types of security attributes for use in Create* functions. */
258 extern SECURITY_ATTRIBUTES sec_none
, sec_none_nih
, sec_all
, sec_all_nih
;
259 extern SECURITY_ATTRIBUTES
*__stdcall
__sec_user (PVOID sa_buf
, PSID sid1
, PSID sid2
,
260 DWORD access2
, BOOL inherit
)
261 __attribute__ ((regparm (3)));
262 extern BOOL
sec_acl (PACL acl
, bool original
, bool admins
, PSID sid1
= NO_SID
,
263 PSID sid2
= NO_SID
, DWORD access2
= 0);
265 int __stdcall
NTReadEA (const char *file
, const char *attrname
, char *buf
, int len
);
266 BOOL __stdcall
NTWriteEA (const char *file
, const char *attrname
, const char *buf
, int len
);
267 PSECURITY_DESCRIPTOR
alloc_sd (__uid32_t uid
, __gid32_t gid
, int attribute
,
268 PSECURITY_DESCRIPTOR sd_ret
, DWORD
*sd_size_ret
);
270 extern inline SECURITY_ATTRIBUTES
*
271 sec_user_nih (char sa_buf
[], PSID sid1
= NULL
, PSID sid2
= NULL
, DWORD access2
= 0)
273 return __sec_user (sa_buf
, sid1
, sid2
, access2
, FALSE
);
276 extern inline SECURITY_ATTRIBUTES
*
277 sec_user (char sa_buf
[], PSID sid1
= NULL
, PSID sid2
= NULL
, DWORD access2
= 0)
279 return __sec_user (sa_buf
, sid1
, sid2
, access2
, TRUE
);
281 #endif /*_SECURITY_H*/