* autoload.cc: Add load statements for `LookupAccountNameW',
`LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory',
`LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum',
`NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and
`NtCreateToken'.
* ntdll.h: Add declaration for `NtCreateToken'.
* sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid',
`well_known_network_sid', `well_known_batch_sid',
`well_known_interactive_sid', `well_known_service_sid' and
`well_known_authenticated_users_sid'.
(cygsid::string): Define as const method.
(cygsid::get_sid): Set psid to NO_SID on error.
(cygsid::getfromstr): Ditto.
(cygsid::getfrompw): Simplify.
(cygsid::getfromgr): Check for gr == NULL.
(legal_sid_type): Move to security.h.
(set_process_privilege): Return -1 on error, otherwise 0 or 1 related
to previous privilege setting.
* security.cc (extract_nt_dom_user): Remove `static'.
(lsa2wchar): New function.
(open_local_policy): Ditto.
(close_local_policy): Ditto.
(get_lsa_srv_inf): Ditto.
(get_logon_server): Ditto.
(get_logon_server_and_user_domain): Ditto.
(get_user_groups): Ditto.
(is_group_member): Ditto.
(get_user_local_groups): Ditto.
(sid_in_token_groups): Ditto.
(get_user_primary_group): Ditto.
(get_group_sidlist): Ditto.
(get_system_priv_list): Ditto.
(get_priv_list): Ditto.
(get_dacl): Ditto.
(create_token): Ditto.
(subauth): Return immediately if SE_TCB_NAME can't be assigned.
Change all return statements in case of error to jumps to `out'
label. Add `out' label to support cleanup.
* security.h: Add extern declarations for `well_known_local_sid',
`well_known_dialup_sid', `well_known_network_sid',
`well_known_batch_sid', `well_known_interactive_sid',
`well_known_service_sid' and `well_known_authenticated_users_sid'.
Add extern declarations for functions `create_token',
`extract_nt_dom_user' and `get_logon_server_and_user_domain'.
(class cygsid): Add method `assign'. Change operator= to call new
`assign' method. Add `debug_print' method.
(class cygsidlist): New class.
(legal_sid_type): Moved from sec_helper.cc to here.
* spawn.cc (spawn_guts) Revert reversion of previous patch.
Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid'
again.
* syscalls.cc (seteuid): Rearranged. Call `create_token' now when
needed. Call `subauth' if `create_token' fails. Try setting token
owner and primary group only if token was not explicitely created
by `create_token'.
* uinfo.cc (internal_getlogin): Try harder to generate correct user
information. Especially don't trust return value of `GetUserName'.
This commit is contained in:
Corinna Vinschen
@ -26,6 +26,18 @@ class cygsid {
|
||||
const PSID getfromstr (const char *nsidstr);
|
||||
PSID get_sid (DWORD s, DWORD cnt, DWORD *r);
|
||||
|
||||
inline const PSID assign (const PSID nsid)
|
||||
{
|
||||
if (!nsid)
|
||||
psid = NO_SID;
|
||||
else
|
||||
{
|
||||
psid = (PSID) sbuf;
|
||||
CopySid (MAX_SID_LEN, psid, nsid);
|
||||
}
|
||||
return psid;
|
||||
}
|
||||
|
||||
public:
|
||||
inline cygsid () : psid ((PSID) sbuf) {}
|
||||
inline cygsid (const PSID nsid) { *this = nsid; }
|
||||
@ -40,19 +52,12 @@ public:
|
||||
inline int get_uid () { return get_id (FALSE); }
|
||||
inline int get_gid () { return get_id (TRUE); }
|
||||
|
||||
char *string (char *nsidstr);
|
||||
char *string (char *nsidstr) const;
|
||||
|
||||
inline const PSID operator= (cygsid &nsid)
|
||||
{ return assign (nsid); }
|
||||
inline const PSID operator= (const PSID nsid)
|
||||
{
|
||||
if (!nsid)
|
||||
psid = NULL;
|
||||
else
|
||||
{
|
||||
psid = (PSID) sbuf;
|
||||
CopySid (MAX_SID_LEN, psid, nsid);
|
||||
}
|
||||
return psid;
|
||||
}
|
||||
{ return assign (nsid); }
|
||||
inline const PSID operator= (const char *nsidstr)
|
||||
{ return getfromstr (nsidstr); }
|
||||
|
||||
@ -73,12 +78,77 @@ public:
|
||||
{ return !(*this == nsidstr); }
|
||||
|
||||
inline operator const PSID () { return psid; }
|
||||
|
||||
void debug_print (const char *prefix = NULL) const
|
||||
{
|
||||
char buf[256];
|
||||
debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
|
||||
}
|
||||
};
|
||||
|
||||
class cygsidlist {
|
||||
public:
|
||||
int count;
|
||||
cygsid *sids;
|
||||
|
||||
cygsidlist () : count (0), sids (NULL) {}
|
||||
~cygsidlist () { delete [] sids; }
|
||||
|
||||
BOOL add (cygsid &nsi)
|
||||
{
|
||||
cygsid *tmp = new cygsid [count + 1];
|
||||
if (!tmp)
|
||||
return FALSE;
|
||||
for (int i = 0; i < count; ++i)
|
||||
tmp[i] = sids[i];
|
||||
delete [] sids;
|
||||
sids = tmp;
|
||||
sids[count++] = nsi;
|
||||
return TRUE;
|
||||
}
|
||||
BOOL add (const PSID nsid) { return add (nsid); }
|
||||
BOOL add (const char *sidstr)
|
||||
{ cygsid nsi (sidstr); return add (nsi); }
|
||||
|
||||
BOOL operator+= (cygsid &si) { return add (si); }
|
||||
BOOL operator+= (const char *sidstr) { return add (sidstr); }
|
||||
|
||||
BOOL contains (cygsid &sid) const
|
||||
{
|
||||
for (int i = 0; i < count; ++i)
|
||||
if (sids[i] == sid)
|
||||
return TRUE;
|
||||
return FALSE;
|
||||
}
|
||||
void debug_print (const char *prefix = NULL) const
|
||||
{
|
||||
debug_printf ("-- begin sidlist ---");
|
||||
if (!count)
|
||||
debug_printf ("No elements");
|
||||
for (int i = 0; i < count; ++i)
|
||||
sids[i].debug_print (prefix);
|
||||
debug_printf ("-- ende sidlist ---");
|
||||
}
|
||||
};
|
||||
|
||||
extern cygsid well_known_admin_sid;
|
||||
extern cygsid well_known_system_sid;
|
||||
extern cygsid well_known_creator_owner_sid;
|
||||
extern cygsid well_known_world_sid;
|
||||
extern cygsid well_known_local_sid;
|
||||
extern cygsid well_known_creator_owner_sid;
|
||||
extern cygsid well_known_dialup_sid;
|
||||
extern cygsid well_known_network_sid;
|
||||
extern cygsid well_known_batch_sid;
|
||||
extern cygsid well_known_interactive_sid;
|
||||
extern cygsid well_known_service_sid;
|
||||
extern cygsid well_known_authenticated_users_sid;
|
||||
extern cygsid well_known_system_sid;
|
||||
extern cygsid well_known_admin_sid;
|
||||
|
||||
inline BOOL
|
||||
legal_sid_type (SID_NAME_USE type)
|
||||
{
|
||||
return type == SidTypeUser || type == SidTypeGroup
|
||||
|| type == SidTypeAlias || type == SidTypeWellKnownGroup;
|
||||
}
|
||||
|
||||
extern BOOL allow_ntsec;
|
||||
extern BOOL allow_smbntsec;
|
||||
@ -102,6 +172,13 @@ BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PS
|
||||
|
||||
/* Try a subauthentication. */
|
||||
HANDLE subauth (struct passwd *pw);
|
||||
/* Try creating a token directly. */
|
||||
HANDLE create_token (cygsid &usersid, cygsid &pgrpsid);
|
||||
|
||||
/* Extract U-domain\user field from passwd entry. */
|
||||
void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
|
||||
/* Get default logonserver and domain for this box. */
|
||||
BOOL get_logon_server_and_user_domain (char *logonserver, char *domain);
|
||||
|
||||
/* sec_helper.cc: Security helper functions. */
|
||||
BOOL __stdcall is_grp_member (uid_t uid, gid_t gid);
|
||||
|
||||
Reference in New Issue
Block a user