* sec_helper.cc (sid_auth): Remove.

(well_known_this_org_sid): New well known sid.
	(SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Define.
	(mandatory_medium_integrity_sid): New well known sid.
	(mandatory_high_integrity_sid): Ditto.
	(mandatory_system_integrity_sid): Ditto.
	(cygsid::get_sid): Use local SID_IDENTIFIER_AUTHORITY.  Allow all
	authorities fitting in a UCHAR.
	* security.cc (get_token_group_sidlist): Always add the local
	group to the token.  Add comment.  Add "This Organization" group
	if available in incoming group list.
	(get_server_groups): Only add world and authenticated users groups
	if not already in list.
	(create_token): Add matching mandatory integrity SID to group list
	on systems supporting Mandatory Integrity Control.
	* security.h (well_known_this_org_sid): Define.
	(mandatory_medium_integrity_sid): Define.
	(mandatory_high_integrity_sid): Define.
	(mandatory_system_integrity_sid): Define.
	* wincap.h: Define has_mandatory_integrity_control throughout.
	* wincap.cc: Ditto.
This commit is contained in:
Corinna Vinschen
2006-11-08 11:38:05 +00:00
parent 86bc8fadff
commit 2fd2ddf3f5
6 changed files with 76 additions and 14 deletions

View File

@ -493,7 +493,9 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
auth_pos = -1;
if (my_grps)
{
if (sid_in_token_groups (my_grps, well_known_local_sid))
/* In Vista the Local SID is missing in a token constructed by
subauthentication. We add the group unconditionally now. */
/*if (sid_in_token_groups (my_grps, well_known_local_sid))*/
grp_list += well_known_local_sid;
if (sid_in_token_groups (my_grps, well_known_dialup_sid))
grp_list += well_known_dialup_sid;
@ -509,6 +511,8 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
grp_list += well_known_interactive_sid;
if (sid_in_token_groups (my_grps, well_known_service_sid))
grp_list += well_known_service_sid;
if (sid_in_token_groups (my_grps, well_known_this_org_sid))
grp_list += well_known_this_org_sid;
}
else
{
@ -542,8 +546,10 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
return true;
}
grp_list += well_known_world_sid;
grp_list += well_known_authenticated_users_sid;
if (!grp_list.contains (well_known_world_sid))
grp_list += well_known_world_sid;
if (!grp_list.contains (well_known_authenticated_users_sid))
grp_list += well_known_authenticated_users_sid;
extract_nt_dom_user (pw, domain, user);
if (get_logon_server (domain, server, wserver, false)
&& !get_user_groups (wserver, grp_list, user, domain)
@ -928,6 +934,15 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw,
else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid, pw,
my_tok_gsids, auth_luid, auth_pos))
goto out;
if (wincap.has_mandatory_integrity_control ())
{
if (usersid == well_known_system_sid)
tmp_gsids += mandatory_system_integrity_sid;
else if (tmp_gsids.contains (well_known_admins_sid))
tmp_gsids += mandatory_high_integrity_sid;
else
tmp_gsids += mandatory_medium_integrity_sid;
}
/* Primary group. */
pgrp.PrimaryGroup = new_groups.pgsid;