* Makefile.in: Add object files `sec_helper.cc' and `sec_acl.cc'.

* security.cc: Swap out several functions.
        * sec_acl.cc: New file. Move Sun compatibel ACL functions from
        `security.cc' to here.
        * sec_helper.cc: New file. Move security helper functions from
        `security.cc' to here.
        * security.h: Changed to accomodate the above changes.

        * grp.cc: Replace `group_in_memory_p' by `group_state'.
        Eliminate group_sem throughout.
        (enum grp_state): New enumeration type.
        (read_etc_group): Make race safe.
        * security.cc: Eliminate group_sem throughout.
This commit is contained in:
Corinna Vinschen 2001-04-20 13:02:32 +00:00
parent 125261f738
commit c0d1968a18
7 changed files with 1574 additions and 1462 deletions

View File

@ -1,3 +1,21 @@
Fri Apr 20 14:50:00 2001 Corinna Vinschen <corinna@vinschen.de>
* Makefile.in: Add object files `sec_helper.cc' and `sec_acl.cc'.
* security.cc: Swap out several functions.
* sec_acl.cc: New file. Move Sun compatibel ACL functions from
`security.cc' to here.
* sec_helper.cc: New file. Move security helper functions from
`security.cc' to here.
* security.h: Changed to accomodate the above changes.
Fri Apr 20 14:12:00 2001 Corinna Vinschen <corinna@vinschen.de>
* grp.cc: Replace `group_in_memory_p' by `group_state'.
Eliminate group_sem throughout.
(enum grp_state): New enumeration type.
(read_etc_group): Make race safe.
* security.cc: Eliminate group_sem throughout.
Thu Apr 19 9:40:00 2001 Corinna Vinschen <corinna@vinschen.de> Thu Apr 19 9:40:00 2001 Corinna Vinschen <corinna@vinschen.de>
* mmap.cc (mmap): Drop usage of the same memory area if the same * mmap.cc (mmap): Drop usage of the same memory area if the same

View File

@ -122,7 +122,7 @@ DLL_OFILES:=assert.o autoload.o cygheap.o dcrt0.o debug.o delqueue.o dir.o \
fork.o glob.o grp.o heap.o init.o ioctl.o localtime.o malloc.o \ fork.o glob.o grp.o heap.o init.o ioctl.o localtime.o malloc.o \
miscfuncs.o mmap.o net.o ntea.o passwd.o path.o pinfo.o pipe.o poll.o \ miscfuncs.o mmap.o net.o ntea.o passwd.o path.o pinfo.o pipe.o poll.o \
pthread.o regexp.o regerror.o regsub.o registry.o resource.o scandir.o \ pthread.o regexp.o regerror.o regsub.o registry.o resource.o scandir.o \
sched.o security.o select.o shared.o shortcut.o signal.o sigproc.o \ sched.o sec_acl.o sec_helper.o security.o select.o shared.o shortcut.o signal.o sigproc.o \
smallprint.o spawn.o strace.o strsep.o sync.o syscalls.o sysconf.o \ smallprint.o spawn.o strace.o strsep.o sync.o syscalls.o sysconf.o \
syslog.o termios.o thread.o times.o tty.o uinfo.o uname.o wait.o \ syslog.o termios.o thread.o times.o tty.o uinfo.o uname.o wait.o \
window.o \ window.o \

View File

@ -42,12 +42,17 @@ static int max_lines = 0;
static int grp_pos = 0; static int grp_pos = 0;
#endif #endif
/* Set to 1 when /etc/group has been read in by read_etc_group (). */ /* Set to loaded when /etc/passwd has been read in by read_etc_passwd ().
/* Functions in this file need to check the value of group_in_memory_p Set to emulated if passwd is emulated. */
and read in the group file if it isn't set. */ /* Functions in this file need to check the value of passwd_state
/* FIXME: This should be static but this is called in uinfo_init outside and read in the password file if it isn't set. */
this file */ enum grp_state {
int group_in_memory_p = 0; uninitialized = 0,
initializing,
emulated,
loaded
};
static grp_state group_state = uninitialized;
static int static int
parse_grp (struct group &grp, const char *line) parse_grp (struct group &grp, const char *line)
@ -132,50 +137,64 @@ extern PSID get_admin_sid ();
void void
read_etc_group () read_etc_group ()
{ {
extern int group_sem;
char linebuf [200]; char linebuf [200];
char group_name [MAX_USER_NAME]; char group_name [MAX_USER_NAME];
DWORD group_name_len = MAX_USER_NAME; DWORD group_name_len = MAX_USER_NAME;
strncpy (group_name, "Administrators", sizeof (group_name)); strncpy (group_name, "Administrators", sizeof (group_name));
++group_sem; static pthread_mutex_t etc_group_mutex = (pthread_mutex_t) PTHREAD_MUTEX_INITIALIZER;
FILE *f = fopen (etc_group, "rt"); pthread_mutex_lock (&etc_group_mutex);
--group_sem;
if (f) /* if we got blocked by the mutex, then etc_group may have been processed */
if (group_state != uninitialized)
{ {
while (fgets (linebuf, sizeof (linebuf), f) != NULL) pthread_mutex_unlock(&etc_group_mutex);
return;
}
if (group_state != initializing)
{
group_state = initializing;
FILE *f = fopen (etc_group, "rt");
if (f)
{ {
if (strlen (linebuf)) while (fgets (linebuf, sizeof (linebuf), f) != NULL)
add_grp_line (linebuf); {
if (strlen (linebuf))
add_grp_line (linebuf);
}
fclose (f);
group_state = loaded;
} }
else /* /etc/group doesn't exist -- create default one in memory */
fclose (f);
}
else /* /etc/group doesn't exist -- create default one in memory */
{
char domain_name [MAX_DOMAIN_NAME];
DWORD domain_name_len = MAX_DOMAIN_NAME;
SID_NAME_USE acType;
debug_printf ("Emulating /etc/group");
if (! LookupAccountSidA (NULL ,
get_admin_sid () ,
group_name,
&group_name_len,
domain_name,
&domain_name_len,
&acType))
{ {
strcpy (group_name, "unknown"); char domain_name [MAX_DOMAIN_NAME];
debug_printf ("Failed to get local admins group name. %E"); DWORD domain_name_len = MAX_DOMAIN_NAME;
} SID_NAME_USE acType;
debug_printf ("Emulating /etc/group");
if (! LookupAccountSidA (NULL ,
get_admin_sid () ,
group_name,
&group_name_len,
domain_name,
&domain_name_len,
&acType))
{
strcpy (group_name, "unknown");
debug_printf ("Failed to get local admins group name. %E");
}
snprintf (linebuf, sizeof (linebuf), "%s::%u:\n", group_name, DEFAULT_GID); snprintf (linebuf, sizeof (linebuf), "%s::%u:\n", group_name, DEFAULT_GID);
add_grp_line (linebuf); add_grp_line (linebuf);
group_state = emulated;
}
} }
group_in_memory_p = 1; pthread_mutex_unlock(&etc_group_mutex);
} }
extern "C" extern "C"
@ -183,7 +202,7 @@ struct group *
getgrgid (gid_t gid) getgrgid (gid_t gid)
{ {
struct group * default_grp = NULL; struct group * default_grp = NULL;
if (!group_in_memory_p) if (group_state <= initializing)
read_etc_group(); read_etc_group();
for (int i = 0; i < curr_lines; i++) for (int i = 0; i < curr_lines; i++)
@ -201,7 +220,7 @@ extern "C"
struct group * struct group *
getgrnam (const char *name) getgrnam (const char *name)
{ {
if (!group_in_memory_p) if (group_state <= initializing)
read_etc_group(); read_etc_group();
for (int i = 0; i < curr_lines; i++) for (int i = 0; i < curr_lines; i++)
@ -223,7 +242,7 @@ extern "C"
struct group * struct group *
getgrent() getgrent()
{ {
if (!group_in_memory_p) if (group_state <= initializing)
read_etc_group(); read_etc_group();
if (grp_pos < curr_lines) if (grp_pos < curr_lines)
@ -247,7 +266,7 @@ getgroups (int gidsetsize, gid_t *grouplist, gid_t gid, const char *username)
DWORD size; DWORD size;
int cnt = 0; int cnt = 0;
if (!group_in_memory_p) if (group_state <= initializing)
read_etc_group(); read_etc_group();
if (allow_ntsec && if (allow_ntsec &&

1060
winsup/cygwin/sec_acl.cc Normal file

File diff suppressed because it is too large Load Diff

399
winsup/cygwin/sec_helper.cc Normal file
View File

@ -0,0 +1,399 @@
/* sec_helper.cc: NT security helper functions
Copyright 2000, 2001 Cygnus Solutions.
Written by Corinna Vinschen <corinna@vinschen.de>
This file is part of Cygwin.
This software is a copyrighted work licensed under the terms of the
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
details. */
#include "winsup.h"
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <stdlib.h>
#include <errno.h>
#include <limits.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/acl.h>
#include <ctype.h>
#include <wingdi.h>
#include <winuser.h>
#include "cygerrno.h"
#include "perprocess.h"
#include "fhandler.h"
#include "path.h"
#include "dtable.h"
#include "sync.h"
#include "sigproc.h"
#include "pinfo.h"
#include "cygheap.h"
#include "security.h"
SID_IDENTIFIER_AUTHORITY sid_auth[] = {
{SECURITY_NULL_SID_AUTHORITY},
{SECURITY_WORLD_SID_AUTHORITY},
{SECURITY_LOCAL_SID_AUTHORITY},
{SECURITY_CREATOR_SID_AUTHORITY},
{SECURITY_NON_UNIQUE_AUTHORITY},
{SECURITY_NT_AUTHORITY}
};
char *
convert_sid_to_string_sid (PSID psid, char *sid_str)
{
char t[32];
DWORD i;
if (!psid || !sid_str)
return NULL;
strcpy (sid_str, "S-1-");
__small_sprintf(t, "%u", GetSidIdentifierAuthority (psid)->Value[5]);
strcat (sid_str, t);
for (i = 0; i < *GetSidSubAuthorityCount (psid); ++i)
{
__small_sprintf(t, "-%lu", *GetSidSubAuthority (psid, i));
strcat (sid_str, t);
}
return sid_str;
}
PSID
get_sid (PSID psid, DWORD s, DWORD cnt, DWORD *r)
{
DWORD i;
if (!psid || s > 5 || cnt < 1 || cnt > 8)
return NULL;
InitializeSid(psid, &sid_auth[s], cnt);
for (i = 0; i < cnt; ++i)
memcpy ((char *) psid + 8 + sizeof (DWORD) * i, &r[i], sizeof (DWORD));
return psid;
}
PSID
convert_string_sid_to_sid (PSID psid, const char *sid_str)
{
char sid_buf[256];
char *t, *lasts;
DWORD cnt = 0;
DWORD s = 0;
DWORD i, r[8];
if (!sid_str || strncmp (sid_str, "S-1-", 4))
return NULL;
strcpy (sid_buf, sid_str);
for (t = sid_buf + 4, i = 0;
cnt < 8 && (t = strtok_r (t, "-", &lasts));
t = NULL, ++i)
if (i == 0)
s = strtoul (t, NULL, 10);
else
r[cnt++] = strtoul (t, NULL, 10);
return get_sid (psid, s, cnt, r);
}
BOOL
get_pw_sid (PSID sid, struct passwd *pw)
{
char *sp = pw->pw_gecos ? strrchr (pw->pw_gecos, ',') : NULL;
if (!sp)
return FALSE;
return convert_string_sid_to_sid (sid, ++sp) != NULL;
}
BOOL
get_gr_sid (PSID sid, struct group *gr)
{
return convert_string_sid_to_sid (sid, gr->gr_passwd) != NULL;
}
PSID
get_admin_sid ()
{
static NO_COPY char admin_sid_buf[MAX_SID_LEN];
static NO_COPY PSID admin_sid = NULL;
if (!admin_sid)
{
admin_sid = (PSID) admin_sid_buf;
convert_string_sid_to_sid (admin_sid, "S-1-5-32-544");
}
return admin_sid;
}
PSID
get_system_sid ()
{
static NO_COPY char system_sid_buf[MAX_SID_LEN];
static NO_COPY PSID system_sid = NULL;
if (!system_sid)
{
system_sid = (PSID) system_sid_buf;
convert_string_sid_to_sid (system_sid, "S-1-5-18");
}
return system_sid;
}
PSID
get_creator_owner_sid ()
{
static NO_COPY char owner_sid_buf[MAX_SID_LEN];
static NO_COPY PSID owner_sid = NULL;
if (!owner_sid)
{
owner_sid = (PSID) owner_sid_buf;
convert_string_sid_to_sid (owner_sid, "S-1-3-0");
}
return owner_sid;
}
PSID
get_world_sid ()
{
static NO_COPY char world_sid_buf[MAX_SID_LEN];
static NO_COPY PSID world_sid = NULL;
if (!world_sid)
{
world_sid = (PSID) world_sid_buf;
convert_string_sid_to_sid (world_sid, "S-1-1-0");
}
return world_sid;
}
int
get_id_from_sid (PSID psid, BOOL search_grp, int *type)
{
if (!IsValidSid (psid))
{
__seterrno ();
small_printf ("IsValidSid failed with %E");
return -1;
}
/* First try to get SID from passwd or group entry */
if (allow_ntsec)
{
char sidbuf[MAX_SID_LEN];
PSID sid = (PSID) sidbuf;
int id = -1;
if (!search_grp)
{
struct passwd *pw;
while ((pw = getpwent ()) != NULL)
{
if (get_pw_sid (sid, pw) && EqualSid (psid, sid))
{
id = pw->pw_uid;
break;
}
}
endpwent ();
if (id >= 0)
{
if (type)
*type = USER;
return id;
}
}
if (search_grp || type)
{
struct group *gr;
while ((gr = getgrent ()) != NULL)
{
if (get_gr_sid (sid, gr) && EqualSid (psid, sid))
{
id = gr->gr_gid;
break;
}
}
endgrent ();
if (id >= 0)
{
if (type)
*type = GROUP;
return id;
}
}
}
/* We use the RID as default UID/GID */
int id = *GetSidSubAuthority(psid, *GetSidSubAuthorityCount(psid) - 1);
/*
* The RID maybe -1 if accountname == computername.
* In this case we search for the accountname in the passwd and group files.
* If type is needed, we search in each case.
*/
if (id == -1 || type)
{
char account[MAX_USER_NAME];
char domain[MAX_COMPUTERNAME_LENGTH+1];
DWORD acc_len = MAX_USER_NAME;
DWORD dom_len = MAX_COMPUTERNAME_LENGTH+1;
SID_NAME_USE acc_type;
if (!LookupAccountSid (NULL, psid, account, &acc_len,
domain, &dom_len, &acc_type))
{
__seterrno ();
return -1;
}
switch (acc_type)
{
case SidTypeGroup:
case SidTypeAlias:
case SidTypeWellKnownGroup:
if (type)
*type = GROUP;
if (id == -1)
{
struct group *gr = getgrnam (account);
if (gr)
id = gr->gr_gid;
}
break;
case SidTypeUser:
if (type)
*type = USER;
if (id == -1)
{
struct passwd *pw = getpwnam (account);
if (pw)
id = pw->pw_uid;
}
break;
default:
break;
}
}
if (id == -1)
id = getuid ();
return id;
}
int
get_id_from_sid (PSID psid, BOOL search_grp)
{
return get_id_from_sid (psid, search_grp, NULL);
}
BOOL
legal_sid_type (SID_NAME_USE type)
{
return type == SidTypeUser || type == SidTypeGroup
|| SidTypeAlias || SidTypeWellKnownGroup;
}
BOOL
is_grp_member (uid_t uid, gid_t gid)
{
extern int getgroups (int, gid_t *, gid_t, const char *);
BOOL grp_member = TRUE;
struct passwd *pw = getpwuid (uid);
gid_t grps[NGROUPS_MAX];
int cnt = getgroups (NGROUPS_MAX, grps,
pw ? pw->pw_gid : myself->gid,
pw ? pw->pw_name : cygheap->user.name ());
int i;
for (i = 0; i < cnt; ++i)
if (grps[i] == gid)
break;
grp_member = (i < cnt);
return grp_member;
}
BOOL
lookup_name (const char *name, const char *logsrv, PSID ret_sid)
{
char sidbuf[MAX_SID_LEN];
PSID sid = (PSID) sidbuf;
DWORD sidlen;
char domuser[MAX_COMPUTERNAME_LENGTH+MAX_USER_NAME+1];
char dom[MAX_COMPUTERNAME_LENGTH+1];
DWORD domlen;
SID_NAME_USE acc_type;
debug_printf ("name : %s", name ? name : "NULL");
if (!name)
return FALSE;
if (cygheap->user.domain ())
{
strcat (strcat (strcpy (domuser, cygheap->user.domain ()), "\\"), name);
if (LookupAccountName (NULL, domuser,
sid, (sidlen = MAX_SID_LEN, &sidlen),
dom, (domlen = MAX_COMPUTERNAME_LENGTH, &domlen),
&acc_type)
&& legal_sid_type (acc_type))
goto got_it;
if (logsrv && *logsrv
&& LookupAccountName (logsrv, domuser,
sid, (sidlen = MAX_SID_LEN, &sidlen),
dom, (domlen = MAX_COMPUTERNAME_LENGTH,&domlen),
&acc_type)
&& legal_sid_type (acc_type))
goto got_it;
}
if (logsrv && *logsrv)
{
if (LookupAccountName (logsrv, name,
sid, (sidlen = MAX_SID_LEN, &sidlen),
dom, (domlen = MAX_COMPUTERNAME_LENGTH, &domlen),
&acc_type)
&& legal_sid_type (acc_type))
goto got_it;
if (acc_type == SidTypeDomain)
{
strcat (strcat (strcpy (domuser, dom), "\\"), name);
if (LookupAccountName (logsrv, domuser,
sid,(sidlen = MAX_SID_LEN, &sidlen),
dom,(domlen = MAX_COMPUTERNAME_LENGTH,&domlen),
&acc_type))
goto got_it;
}
}
if (LookupAccountName (NULL, name,
sid, (sidlen = MAX_SID_LEN, &sidlen),
dom, (domlen = 100, &domlen),
&acc_type)
&& legal_sid_type (acc_type))
goto got_it;
if (acc_type == SidTypeDomain)
{
strcat (strcat (strcpy (domuser, dom), "\\"), name);
if (LookupAccountName (NULL, domuser,
sid, (sidlen = MAX_SID_LEN, &sidlen),
dom, (domlen = MAX_COMPUTERNAME_LENGTH, &domlen),
&acc_type))
goto got_it;
}
debug_printf ("LookupAccountName(%s) %E", name);
__seterrno ();
return FALSE;
got_it:
debug_printf ("sid : [%d]", *GetSidSubAuthority((PSID) sid,
*GetSidSubAuthorityCount((PSID) sid) - 1));
if (ret_sid)
memcpy (ret_sid, sid, sidlen);
return TRUE;
}

File diff suppressed because it is too large Load Diff

View File

@ -1,6 +1,6 @@
/* security.h: security declarations /* security.h: security declarations
Copyright 2000 Red Hat, Inc. Copyright 2000, 2001 Red Hat, Inc.
This file is part of Cygwin. This file is part of Cygwin.
@ -8,30 +8,51 @@ This software is a copyrighted work licensed under the terms of the
Cygwin license. Please consult the file "CYGWIN_LICENSE" for Cygwin license. Please consult the file "CYGWIN_LICENSE" for
details. */ details. */
#define DONT_INHERIT (0)
#define INHERIT_ALL (CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE)
#define INHERIT_ONLY (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE)
extern BOOL allow_ntsec;
extern BOOL allow_smbntsec;
/* File manipulation */ /* File manipulation */
int __stdcall set_process_privileges (); int __stdcall set_process_privileges ();
int __stdcall get_file_attribute (int, const char *, int *, int __stdcall get_file_attribute (int, const char *, int *,
uid_t * = NULL, gid_t * = NULL); uid_t * = NULL, gid_t * = NULL);
int __stdcall set_file_attribute (int, const char *, int); int __stdcall set_file_attribute (int, const char *, int);
int __stdcall set_file_attribute (int, const char *, uid_t, gid_t, int, const char *); int __stdcall set_file_attribute (int, const char *, uid_t, gid_t, int, const char *);
extern BOOL allow_ntsec; LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size);
extern BOOL allow_smbntsec; LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size);
BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
/* sec_helper.cc: Security helper functions. */
char *__stdcall convert_sid_to_string_sid (PSID psid, char *sid_str);
PSID __stdcall convert_string_sid_to_sid (PSID psid, const char *sid_str);
PSID __stdcall get_sid (PSID psid, DWORD s, DWORD cnt, DWORD *r);
BOOL __stdcall get_pw_sid (PSID sid, struct passwd *pw);
BOOL __stdcall get_gr_sid (PSID sid, struct group *gr);
PSID __stdcall get_admin_sid ();
PSID __stdcall get_system_sid ();
PSID __stdcall get_creator_owner_sid ();
PSID __stdcall get_world_sid ();
int get_id_from_sid (PSID psid, BOOL search_grp, int *type);
int __stdcall get_id_from_sid (PSID psid, BOOL search_grp);
BOOL __stdcall legal_sid_type (SID_NAME_USE type);
BOOL __stdcall is_grp_member (uid_t uid, gid_t gid);
/* `lookup_name' should be called instead of LookupAccountName. /* `lookup_name' should be called instead of LookupAccountName.
* logsrv may be NULL, in this case only the local system is used for lookup. * logsrv may be NULL, in this case only the local system is used for lookup.
* The buffer for ret_sid (40 Bytes) has to be allocated by the caller! */ * The buffer for ret_sid (40 Bytes) has to be allocated by the caller! */
BOOL __stdcall lookup_name (const char *, const char *, PSID); BOOL __stdcall lookup_name (const char *, const char *, PSID);
char *__stdcall convert_sid_to_string_sid (PSID, char *);
PSID __stdcall convert_string_sid_to_sid (PSID, const char *);
BOOL __stdcall get_pw_sid (PSID, struct passwd *);
/* Retrieve a security descriptor that allows all access */
SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);
int __stdcall get_id_from_sid (PSID, BOOL);
extern inline int get_uid_from_sid (PSID psid) { return get_id_from_sid (psid, FALSE);} extern inline int get_uid_from_sid (PSID psid) { return get_id_from_sid (psid, FALSE);}
extern inline int get_gid_from_sid (PSID psid) { return get_id_from_sid (psid, TRUE); } extern inline int get_gid_from_sid (PSID psid) { return get_id_from_sid (psid, TRUE); }
/* shared.cc: */
/* Retrieve a security descriptor that allows all access */
SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);
/* Various types of security attributes for use in Create* functions. */ /* Various types of security attributes for use in Create* functions. */
extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih; extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
extern SECURITY_ATTRIBUTES *__stdcall sec_user (PVOID sa_buf, PSID sid2 = NULL, BOOL inherit = TRUE); extern SECURITY_ATTRIBUTES *__stdcall sec_user (PVOID sa_buf, PSID sid2 = NULL, BOOL inherit = TRUE);