* cyglsa.h: New header file.
* environ.cc: Disable subauth settings. * grp.cc: Accomodate cygsidlist's count now being a method. * sec_helper.cc (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Remove. (mandatory_medium_integrity_sid): Remove. (mandatory_high_integrity_sid): Remove. (mandatory_system_integrity_sid): Remove. (fake_logon_sid): Add. (cygsid::get_sid): Add well_known parameter. Set well_known_sid accordingly. (cygsid::getfromstr): Ditto. (cygsidlist::alloc_sids): Move here from security.cc. (cygsidlist::free_sids): Ditto. (cygsidlist::add): Move here from security.h. Add well_known parameter. Set well_known_sid accordingly. Don't allow duplicate SIDs. * security.cc: Include cyglsa.h and cygwin/version.h. Throughout accomodate cygsidlist's count now being a method. Throughout drop redundant "contains" tests. (get_user_local_groups): Add local groups as well known SIDs. (get_token_group_sidlist): Add well known groups as well known SIDs. (get_server_groups): Ditto. Only call get_unix_group_sidlist after get_user_local_groups to maintain "well_known_sid" attribute. (get_initgroups_sidlist): Add well known groups as well known SIDs. (get_setgroups_sidlist): Add usersid and struct passwd parameter to allow calling get_server_groups from here. (get_system_priv_list): Make static. Return size of TOKEN_PRIVILEGES structure. (get_priv_list): Ditto. (create_token): Accomodate above changes. Drop misguided attempt to add MIC SIDs to created user token. Print returned token as hex value. (subauth): Disable. (lsaauth): New function implementing client side of LSA authentication. * security.h (class cygsid): Add well_known_sid attribute. Accomodate throughout. Add *= operator to create a well known SID. (class cygsidlist): Rename count to cnt. Make count a method. (cygsidlist::add): Move to sec_helper.cc. (cygsidlist::operator *=): New method to add well known SID. (cygsidlist::non_well_known_count): New method returning number of non well known SIDs in list. 
(cygsidlist::next_non_well_known_sid): New method returning next non well known SID by index. (mandatory_medium_integrity_sid): Drop declaration. (mandatory_high_integrity_sid): Drop declaration. (mandatory_system_integrity_sid): Drop declaration. (fake_logon_sid): Add declaration. (subauth): Disable declaration. (lsaauth): Add declaration. * syscalls.cc (seteuid32): Disable subauthentication. Add LSA authentication. * wincap.h: Define needs_logon_sid_in_sid_list throughout. * wincap.cc: Ditto.
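--- a/winsup/cygwin/cyglsa.h
+++ b/winsup/cygwin/cyglsa.h
@@ -0,0 +1,149 @@
+/* cyglsa.h: Header file for Cygwin LSA authentication
+
+Copyright 2006 Red Hat, Inc.
+
+Written by Corinna Vinschen <corinna@vinschen.de>
+
+This file is part of Cygwin.
+
+This software is a copyrighted work licensed under the terms of the
+Cygwin license. Please consult the file "CYGWIN_LICENSE" for details. */
+
+#ifndef _CYGLSA_H
+#define _CYGLSA_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define CYG_LSA_PKGNAME "CygwinLsa"
+
+#define CYG_LSA_MAGIC 0x0379f014LU
+
+/* Datastructures not defined in w32api. */
+typedef PVOID *PLSA_CLIENT_REQUEST;
+
+typedef struct _SECPKG_CLIENT_INFO
+{
+LUID LogonId;
+ULONG ProcessID;
+ULONG ThreadID;
+BOOLEAN HasTcbPrivilege;
+BOOLEAN Impersonating;
+BOOLEAN Restricted;
+} SECPKG_CLIENT_INFO, *PSECPKG_CLIENT_INFO;
+
+/* The table returned by LsaApInitializePackage is actually a
+LSA_SECPKG_FUNCTION_TABLE even though that's not documented.
+We need only a subset of this table, basically the LSA_DISPATCH_TABLE
+plus the pointer to the GetClientInfo function. */
+typedef struct _LSA_SECPKG_FUNCS
+{
+NTSTATUS (NTAPI *CreateLogonSession)(PLUID);
+NTSTATUS (NTAPI *DeleteLogonSession)(PLUID);
+NTSTATUS (NTAPI *AddCredentials)(PVOID); /* wrong prototype, unused */
+NTSTATUS (NTAPI *GetCredentials)(PVOID); /* wrong prototype, unused */
+NTSTATUS (NTAPI *DeleteCredentials)(PVOID); /* wrong prototype, unused */
+PVOID (NTAPI *AllocateLsaHeap)(ULONG);
+VOID (NTAPI *FreeLsaHeap)(PVOID);
+NTSTATUS (NTAPI *AllocateClientBuffer)(PLSA_CLIENT_REQUEST, ULONG, PVOID *);
+NTSTATUS (NTAPI *FreeClientBuffer)(PLSA_CLIENT_REQUEST, PVOID);
+NTSTATUS (NTAPI *CopyToClientBuffer)(PLSA_CLIENT_REQUEST, ULONG,
+PVOID, PVOID);
+NTSTATUS (NTAPI *CopyFromClientBuffer)(PLSA_CLIENT_REQUEST, ULONG,
+PVOID, PVOID);
+NTSTATUS (NTAPI *ImpersonateClient)(VOID);
+NTSTATUS (NTAPI *UnloadPackage)(VOID);
+NTSTATUS (NTAPI *DuplicateHandle)(HANDLE,PHANDLE);
+NTSTATUS (NTAPI *SaveSupplementalCredentials)(VOID);
+NTSTATUS (NTAPI *CreateThread)(PVOID); /* wrong prototype, unused */
+NTSTATUS (NTAPI *GetClientInfo)(PSECPKG_CLIENT_INFO);
+} LSA_SECPKG_FUNCS, *PLSA_SECPKG_FUNCS;
+
+typedef enum _LSA_TOKEN_INFORMATION_TYPE
+{
+LsaTokenInformationNull,
+LsaTokenInformationV1,
+LsaTokenInformationV2
+} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
+
+typedef struct _LSA_TOKEN_INFORMATION_V2
+{
+LARGE_INTEGER ExpirationTime;
+TOKEN_USER User;
+PTOKEN_GROUPS Groups;
+TOKEN_PRIMARY_GROUP PrimaryGroup;
+PTOKEN_PRIVILEGES Privileges;
+TOKEN_OWNER Owner;
+TOKEN_DEFAULT_DACL DefaultDacl;
+} LSA_TOKEN_INFORMATION_V2, *PLSA_TOKEN_INFORMATION_V2;
+
+/* These structures are eqivalent to the appropriate Windows structures,
+using 32 bit offsets instead of pointers. These datastructures are
+used to transfer the logon information to the LSA authentication package.
+We can't use the LSA_TOKEN_INFORMATION_V2 structure directly, because
+its size differs between 32 bit and 64 bit Windows. */
+
+typedef DWORD OFFSET;
+
+typedef struct _CYG_SID_AND_ATTRIBUTES
+{
+OFFSET Sid;
+DWORD Attributes;
+} CYG_SID_AND_ATTRIBUTES, *PCYG_SID_AND_ATTRIBUTES;
+
+typedef struct _CYG_TOKEN_USER
+{
+CYG_SID_AND_ATTRIBUTES User;
+} CYG_TOKEN_USER, *PCYG_TOKEN_USER;
+
+typedef struct _CYG_TOKEN_GROUPS
+{
+DWORD GroupCount;
+CYG_SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
+} CYG_TOKEN_GROUPS, *PCYG_TOKEN_GROUPS;
+
+typedef struct _CYG_TOKEN_PRIMARY_GROUP
+{
+OFFSET PrimaryGroup;
+} CYG_TOKEN_PRIMARY_GROUP, *PCYG_TOKEN_PRIMARY_GROUP;
+
+typedef struct _CYG_TOKEN_OWNER
+{
+OFFSET Owner;
+} CYG_TOKEN_OWNER, *PCYG_TOKEN_OWNER;
+
+typedef struct _CYG_TOKEN_DEFAULT_DACL
+{
+OFFSET DefaultDacl;
+} CYG_TOKEN_DEFAULT_DACL, *PCYG_TOKEN_DEFAULT_DACL;
+
+typedef struct _CYG_LSA_TOKEN_INFORMATION
+{
+LARGE_INTEGER ExpirationTime;
+CYG_TOKEN_USER User;
+OFFSET Groups;
+CYG_TOKEN_PRIMARY_GROUP PrimaryGroup;
+OFFSET Privileges;
+CYG_TOKEN_OWNER Owner;
+CYG_TOKEN_DEFAULT_DACL DefaultDacl;
+} CYG_LSA_TOKEN_INFORMATION, *PCYG_LSA_TOKEN_INFORMATION;
+
+/* This is the structure created by security.cc:lsaauth(), which is given to
+LsaApLogonUser to create the token information returned to the LSA. */
+typedef struct
+{
+DWORD magic;
+DWORD checksum;
+CHAR username[UNLEN + 1];
+CHAR domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
+ULONG inf_size;
+CYG_LSA_TOKEN_INFORMATION inf;
+BYTE data[1];
+} cyglsa_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _CYGLSA_H */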
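Review bot: The comments above `typedef DWORD OFFSET` and above `cyglsa_t` do not say what the 32-bit offsets are relative to or which side validates them, although this buffer is built by security.cc:lsaauth() in the calling process and handed to LsaApLogonUser inside the LSA. The consumer is not on this page, so this is a documentation request rather than a confirmed defect: put the contract in the header so the package side treats every field as untrusted input. Something like `/* All OFFSET values are byte offsets from <base, to be stated>; the receiver must verify magic, that inf_size fits the submitted buffer, and that each offset plus the size of the object it names (including GroupCount entries) lies inside it. */` would do. It would also help to state that `username` and `domain` may arrive without a terminating NUL, and what `checksum` covers, since a magic number and a checksum identify the format but should not be read as proof of who sent the request.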