* cyglsa.h: New header file.
* environ.cc: Disable subauth settings. * grp.cc: Accommodate cygsidlist's count now being a method. * sec_helper.cc (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Remove. (mandatory_medium_integrity_sid): Remove. (mandatory_high_integrity_sid): Remove. (mandatory_system_integrity_sid): Remove. (fake_logon_sid): Add. (cygsid::get_sid): Add well_known parameter. Set well_known_sid accordingly. (cygsid::getfromstr): Ditto. (cygsidlist::alloc_sids): Move here from security.cc. (cygsidlist::free_sids): Ditto. (cygsidlist::add): Move here from security.h. Add well_known parameter. Set well_known_sid accordingly. Don't allow duplicate SIDs. * security.cc: Include cyglsa.h and cygwin/version.h. Throughout accommodate cygsidlist's count now being a method. Throughout drop redundant "contains" tests. (get_user_local_groups): Add local groups as well known SIDs. (get_token_group_sidlist): Add well known groups as well known SIDs. (get_server_groups): Ditto. Only call get_unix_group_sidlist after get_user_local_groups to maintain "well_known_sid" attribute. (get_initgroups_sidlist): Add well known groups as well known SIDs. (get_setgroups_sidlist): Add usersid and struct passwd parameter to allow calling get_server_groups from here. (get_system_priv_list): Make static. Return size of TOKEN_PRIVILEGES structure. (get_priv_list): Ditto. (create_token): Accommodate above changes. Drop misguided attempt to add MIC SIDs to created user token. Print returned token as hex value. (subauth): Disable. (lsaauth): New function implementing client side of LSA authentication. * security.h (class cygsid): Add well_known_sid attribute. Accommodate throughout. Add *= operator to create a well known SID. (class cygsidlist): Rename count to cnt. Make count a method. (cygsidlist::add): Move to sec_helper.cc. (cygsidlist::operator *=): New method to add well known SID. (cygsidlist::non_well_known_count): New method returning number of non well known SIDs in list. 
(cygsidlist::next_non_well_known_sid): New method returning next non well known SID by index. (mandatory_medium_integrity_sid): Drop declaration. (mandatory_high_integrity_sid): Drop declaration. (mandatory_system_integrity_sid): Drop declaration. (fake_logon_sid): Add declaration. (subauth): Disable declaration. (lsaauth): Add declaration. * syscalls.cc (seteuid32): Disable subauthentication. Add LSA authentication. * wincap.h: Define needs_logon_sid_in_sid_list throughout. * wincap.cc: Ditto.
@@ -67,15 +67,8 @@ MKSID (well_known_system_sid, "S-1-5-18",
|
||||
MKSID (well_known_admins_sid, "S-1-5-32-544",
|
||||
SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
||||
DOMAIN_ALIAS_RID_ADMINS);
|
||||
|
||||
#define SECURITY_MANDATORY_INTEGRITY_AUTHORITY {0,0,0,0,0,16}
|
||||
|
||||
MKSID (mandatory_medium_integrity_sid, "S-1-64-8192",
|
||||
SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 8192);
|
||||
MKSID (mandatory_high_integrity_sid, "S-1-64-12288",
|
||||
SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 12288);
|
||||
MKSID (mandatory_system_integrity_sid, "S-1-64-16384",
|
||||
SECURITY_MANDATORY_INTEGRITY_AUTHORITY, 1, 16384);
|
||||
MKSID (fake_logon_sid, "S-1-5-5-0-0",
|
||||
SECURITY_NT_AUTHORITY, 3, SECURITY_LOGON_IDS_RID, 0, 0);
|
||||
|
||||
bool
|
||||
cygpsid::operator== (const char *nsidstr) const
|
||||
@@ -135,7 +128,7 @@ cygpsid::string (char *nsidstr) const
|
||||
}
|
||||
|
||||
PSID
|
||||
cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r)
|
||||
cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r, bool well_known)
|
||||
{
|
||||
DWORD i;
|
||||
SID_IDENTIFIER_AUTHORITY sid_auth = {0,0,0,0,0,0};
|
||||
@@ -150,11 +143,12 @@ cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r)
|
||||
InitializeSid (psid, &sid_auth, cnt);
|
||||
for (i = 0; i < cnt; ++i)
|
||||
memcpy ((char *) psid + 8 + sizeof (DWORD) * i, &r[i], sizeof (DWORD));
|
||||
well_known_sid = well_known;
|
||||
return psid;
|
||||
}
|
||||
|
||||
const PSID
|
||||
cygsid::getfromstr (const char *nsidstr)
|
||||
cygsid::getfromstr (const char *nsidstr, bool well_known)
|
||||
{
|
||||
char *lasts;
|
||||
DWORD s, cnt = 0;
|
||||
@@ -166,7 +160,7 @@ cygsid::getfromstr (const char *nsidstr)
|
||||
while (cnt < 8 && *lasts == '-')
|
||||
r[cnt++] = strtoul (lasts + 1, &lasts, 10);
|
||||
if (!*lasts)
|
||||
return get_sid (s, cnt, r);
|
||||
return get_sid (s, cnt, r, well_known);
|
||||
}
|
||||
return psid = NO_SID;
|
||||
}
|
||||
@@ -185,6 +179,48 @@ cygsid::getfromgr (const struct __group32 *gr)
|
||||
return (*this = sp) != NULL;
|
||||
}
|
||||
|
||||
cygsid *
|
||||
cygsidlist::alloc_sids (int n)
|
||||
{
|
||||
if (n > 0)
|
||||
return (cygsid *) cmalloc (HEAP_STR, n * sizeof (cygsid));
|
||||
else
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void
|
||||
cygsidlist::free_sids ()
|
||||
{
|
||||
if (sids)
|
||||
cfree (sids);
|
||||
sids = NULL;
|
||||
cnt = maxcnt = 0;
|
||||
type = cygsidlist_empty;
|
||||
}
|
||||
|
||||
BOOL
|
||||
cygsidlist::add (const PSID nsi, bool well_known)
|
||||
{
|
||||
if (contains (nsi))
|
||||
return TRUE;
|
||||
if (cnt >= maxcnt)
|
||||
{
|
||||
cygsid *tmp = new cygsid [2 * maxcnt];
|
||||
if (!tmp)
|
||||
return FALSE;
|
||||
maxcnt *= 2;
|
||||
for (int i = 0; i < cnt; ++i)
|
||||
tmp[i] = sids[i];
|
||||
delete [] sids;
|
||||
sids = tmp;
|
||||
}
|
||||
if (well_known)
|
||||
sids[cnt++] *= nsi;
|
||||
else
|
||||
sids[cnt++] = nsi;
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
bool
|
||||
get_sids_info (cygpsid owner_sid, cygpsid group_sid, __uid32_t * uidret, __gid32_t * gidret)
|
||||
{
|
||||
|
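Review bot: In cygsidlist::add the growth path allocates `new cygsid [2 * maxcnt]`, which is a zero-element array whenever maxcnt is 0 — exactly the state free_sids() leaves behind (`cnt = maxcnt = 0`) — and the `sids[cnt++]` store that follows then writes past the end of that allocation, in a list that per the ChangeLog feeds create_token and lsaauth. A minimum capacity removes the hole: `int newmax = maxcnt ? 2 * maxcnt : 8;`, `cygsid *tmp = new cygsid [newmax];` and `maxcnt = newmax;` in place of the current allocation, null check and `maxcnt *= 2`. The same hunk releases storage with `cfree` in free_sids() and obtains it with cmalloc in alloc_sids(), yet add() frees the old array with `delete []`; presumably the `type` field keeps cmalloc-backed lists off this growth path, but that guard is not in the hunk, so a comment on add() stating which list types it may be called on (`/* only for lists whose storage came from new[] */` or whichever is true) would make the contract checkable. Note also that `if (!tmp) return FALSE;` is dead unless the operator new in use here is a non-throwing variant.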