* cyglsa.h: New header file.

* environ.cc: Disable subauth settings.
	* grp.cc: Accomodate cygsidlist's count now being a method.
	* sec_helper.cc (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Remove.
	(mandatory_medium_integrity_sid): Remove.
	(mandatory_high_integrity_sid): Remove.
	(mandatory_system_integrity_sid): Remove.
	(fake_logon_sid): Add.
	(cygsid::get_sid): Add well_known parameter.  Set well_known_sid
	accordingly.
	(cygsid::getfromstr): Ditto.
	(cygsidlist::alloc_sids): Move here from security.cc.
	(cygsidlist::free_sids): Ditto.
	(cygsidlist::add): Move here from security.h.  Add well_known parameter.
	Set well_known_sid accordingly.  Don't allow duplicate SIDs.
	* security.cc: Include cyglsa.h and cygwin/version.h.  Throughout
	accomodate cygsidlist's count now being a method.  Throughout drop
	redundant "contains" tests.
	(get_user_local_groups): Add local groups as well known SIDs.
	(get_token_group_sidlist): Add well known groups as well known SIDs.
	(get_server_groups): Ditto.  Only call get_unix_group_sidlist after
	get_user_local_groups to maintain "well_known_sid" attribute.
	(get_initgroups_sidlist): Add well known groups as well known SIDs.
	(get_setgroups_sidlist): Add usersid and struct passwd parameter to
	allow calling get_server_groups from here.
	(get_system_priv_list): Make static.  Return size of TOKEN_PRIVILEGES
	structure.
	(get_priv_list): Ditto.
	(create_token): Accomodate above changes.  Drop misguided attempt to
	add MIC SIDs to created user token.  Print returned token as hex value.
	(subauth): Disable.
	(lsaauth): New function implementing client side of LSA authentication.
	* security.h (class cygsid): Add well_known_sid attribute.  Accomodate
	throughout.  Add *= operator to create a well known SID.
	(class cygsidlist): Rename count to cnt.  Make count a method.
	(cygsidlist::add): Move to sec_helper.cc.
	(cygsidlist::operator *=): New method to add well known SID.
	(cygsidlist::non_well_known_count): New method returning number of
	non well known SIDs in list.
	(cygsidlist::next_non_well_known_sid): New method returning next non
	well known SID by index.
	(mandatory_medium_integrity_sid): Drop declaration.
	(mandatory_high_integrity_sid): Drop declaration.
	(mandatory_system_integrity_sid): Drop declaration.
	(fake_logon_sid): Add declaration.
	(subauth): Disable declaration.
	(lsaauth): Add declaration.
	* syscalls.cc (seteuid32): Disable subauthentication.  Add LSA
	authentication.
	* wincap.h: Define needs_logon_sid_in_sid_list throughout.
	* wincap.cc: Ditto.
This commit is contained in:
Corinna Vinschen
2006-11-27 12:59:59 +00:00
parent b6bb405954
commit b825c587ba
10 changed files with 685 additions and 184 deletions

View File

@@ -67,15 +67,8 @@ MKSID (well_known_system_sid, "S-1-5-18",
MKSID (well_known_admins_sid, "S-1-5-32-544",
SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS);
#define SECURITY_MANDATORY_INTEGRITY_AUTHORITY {0,0,0,0,0,16}
MKSID (mandatory_medium_integrity_sid, "S-1-64-8192",
SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 8192);
MKSID (mandatory_high_integrity_sid, "S-1-64-12288",
SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 12288);
MKSID (mandatory_system_integrity_sid, "S-1-64-16384",
SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 16384);
MKSID (fake_logon_sid, "S-1-5-5-0-0",
SECURITY_NT_AUTHORITY, 3, SECURITY_LOGON_IDS_RID, 0, 0);
bool
cygpsid::operator== (const char *nsidstr) const
@@ -135,7 +128,7 @@ cygpsid::string (char *nsidstr) const
}
PSID
cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r)
cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r, bool well_known)
{
DWORD i;
SID_IDENTIFIER_AUTHORITY sid_auth = {0,0,0,0,0,0};
@@ -150,11 +143,12 @@ cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r)
InitializeSid (psid, &sid_auth, cnt);
for (i = 0; i < cnt; ++i)
memcpy ((char *) psid + 8 + sizeof (DWORD) * i, &r[i], sizeof (DWORD));
well_known_sid = well_known;
return psid;
}
const PSID
cygsid::getfromstr (const char *nsidstr)
cygsid::getfromstr (const char *nsidstr, bool well_known)
{
char *lasts;
DWORD s, cnt = 0;
@@ -166,7 +160,7 @@ cygsid::getfromstr (const char *nsidstr)
while (cnt < 8 && *lasts == '-')
r[cnt++] = strtoul (lasts + 1, &lasts, 10);
if (!*lasts)
return get_sid (s, cnt, r);
return get_sid (s, cnt, r, well_known);
}
return psid = NO_SID;
}
@@ -185,6 +179,48 @@ cygsid::getfromgr (const struct __group32 *gr)
return (*this = sp) != NULL;
}
cygsid *
cygsidlist::alloc_sids (int n)
{
if (n > 0)
return (cygsid *) cmalloc (HEAP_STR, n * sizeof (cygsid));
else
return NULL;
}
void
cygsidlist::free_sids ()
{
if (sids)
cfree (sids);
sids = NULL;
cnt = maxcnt = 0;
type = cygsidlist_empty;
}
BOOL
cygsidlist::add (const PSID nsi, bool well_known)
{
if (contains (nsi))
return TRUE;
if (cnt >= maxcnt)
{
cygsid *tmp = new cygsid [2 * maxcnt];
if (!tmp)
return FALSE;
maxcnt *= 2;
for (int i = 0; i < cnt; ++i)
tmp[i] = sids[i];
delete [] sids;
sids = tmp;
}
if (well_known)
sids[cnt++] *= nsi;
else
sids[cnt++] = nsi;
return TRUE;
}
bool
get_sids_info (cygpsid owner_sid, cygpsid group_sid, __uid32_t * uidret, __gid32_t * gidret)
{