* cyglsa.h (SECURITY_STRING): Define.
(enum _SECPKG_NAME_TYPE): Define. (struct _SECPKG_CALL_INFO): Define. (struct _LSA_SECPKG_FUNCS): Extend to full size. Define unused functions lazily. (cygprf_t): Define. * sec_auth.cc (lsaauth): Use actual primary group if no admins group. Add (disabled) code to fetch token from profil data.
This commit is contained in:
parent
9035519215
commit
c68cb84e88
@ -1,3 +1,14 @@
|
|||||||
|
2008-07-10 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
|
* cyglsa.h (SECURITY_STRING): Define.
|
||||||
|
(enum _SECPKG_NAME_TYPE): Define.
|
||||||
|
(struct _SECPKG_CALL_INFO): Define.
|
||||||
|
(struct _LSA_SECPKG_FUNCS): Extend to full size. Define unused
|
||||||
|
functions lazily.
|
||||||
|
(cygprf_t): Define.
|
||||||
|
* sec_auth.cc (lsaauth): Use actual primary group if no admins group.
|
||||||
|
Add (disabled) code to fetch token from profil data.
|
||||||
|
|
||||||
2008-07-09 Corinna Vinschen <corinna@vinschen.de>
|
2008-07-09 Corinna Vinschen <corinna@vinschen.de>
|
||||||
|
|
||||||
* sec_auth.cc (verify_token): Allow builtin groups missing in a token
|
* sec_auth.cc (verify_token): Allow builtin groups missing in a token
|
||||||
|
@ -23,6 +23,8 @@ extern "C" {
|
|||||||
/* Datastructures not defined in w32api. */
|
/* Datastructures not defined in w32api. */
|
||||||
typedef PVOID *PLSA_CLIENT_REQUEST;
|
typedef PVOID *PLSA_CLIENT_REQUEST;
|
||||||
|
|
||||||
|
typedef UNICODE_STRING SECURITY_STRING, *PSECURITY_STRING;
|
||||||
|
|
||||||
typedef struct _SECPKG_CLIENT_INFO
|
typedef struct _SECPKG_CLIENT_INFO
|
||||||
{
|
{
|
||||||
LUID LogonId;
|
LUID LogonId;
|
||||||
@ -33,6 +35,23 @@ typedef struct _SECPKG_CLIENT_INFO
|
|||||||
BOOLEAN Restricted;
|
BOOLEAN Restricted;
|
||||||
} SECPKG_CLIENT_INFO, *PSECPKG_CLIENT_INFO;
|
} SECPKG_CLIENT_INFO, *PSECPKG_CLIENT_INFO;
|
||||||
|
|
||||||
|
typedef enum _SECPKG_NAME_TYPE
|
||||||
|
{
|
||||||
|
SecNameSamCompatible,
|
||||||
|
SecNameAlternateId,
|
||||||
|
SecNameFlat,
|
||||||
|
SecNameDN,
|
||||||
|
SecNameSPN
|
||||||
|
} SECPKG_NAME_TYPE, *PSECPKG_NAME_TYPE;
|
||||||
|
|
||||||
|
typedef struct _SECPKG_CALL_INFO
|
||||||
|
{
|
||||||
|
ULONG ProcessId;
|
||||||
|
ULONG ThreadId;
|
||||||
|
ULONG Attributes;
|
||||||
|
ULONG CallCount;
|
||||||
|
} SECPKG_CALL_INFO, *PSECPKG_CALL_INFO;
|
||||||
|
|
||||||
/* The table returned by LsaApInitializePackage is actually a
|
/* The table returned by LsaApInitializePackage is actually a
|
||||||
LSA_SECPKG_FUNCTION_TABLE even though that's not documented.
|
LSA_SECPKG_FUNCTION_TABLE even though that's not documented.
|
||||||
We need only a subset of this table, basically the LSA_DISPATCH_TABLE
|
We need only a subset of this table, basically the LSA_DISPATCH_TABLE
|
||||||
@ -41,7 +60,7 @@ typedef struct _LSA_SECPKG_FUNCS
|
|||||||
{
|
{
|
||||||
NTSTATUS (NTAPI *CreateLogonSession)(PLUID);
|
NTSTATUS (NTAPI *CreateLogonSession)(PLUID);
|
||||||
NTSTATUS (NTAPI *DeleteLogonSession)(PLUID);
|
NTSTATUS (NTAPI *DeleteLogonSession)(PLUID);
|
||||||
NTSTATUS (NTAPI *AddCredentials)(PVOID); /* wrong prototype, unused */
|
NTSTATUS (NTAPI *AddCredentials)(PLUID, ULONG, PLSA_STRING, PLSA_STRING);
|
||||||
NTSTATUS (NTAPI *GetCredentials)(PVOID); /* wrong prototype, unused */
|
NTSTATUS (NTAPI *GetCredentials)(PVOID); /* wrong prototype, unused */
|
||||||
NTSTATUS (NTAPI *DeleteCredentials)(PVOID); /* wrong prototype, unused */
|
NTSTATUS (NTAPI *DeleteCredentials)(PVOID); /* wrong prototype, unused */
|
||||||
PVOID (NTAPI *AllocateLsaHeap)(ULONG);
|
PVOID (NTAPI *AllocateLsaHeap)(ULONG);
|
||||||
@ -54,10 +73,41 @@ typedef struct _LSA_SECPKG_FUNCS
|
|||||||
PVOID, PVOID);
|
PVOID, PVOID);
|
||||||
NTSTATUS (NTAPI *ImpersonateClient)(VOID);
|
NTSTATUS (NTAPI *ImpersonateClient)(VOID);
|
||||||
NTSTATUS (NTAPI *UnloadPackage)(VOID);
|
NTSTATUS (NTAPI *UnloadPackage)(VOID);
|
||||||
NTSTATUS (NTAPI *DuplicateHandle)(HANDLE,PHANDLE);
|
NTSTATUS (NTAPI *DuplicateHandle)(HANDLE, PHANDLE);
|
||||||
NTSTATUS (NTAPI *SaveSupplementalCredentials)(VOID);
|
NTSTATUS (NTAPI *SaveSupplementalCredentials)(VOID);
|
||||||
NTSTATUS (NTAPI *CreateThread)(PVOID); /* wrong prototype, unused */
|
NTSTATUS (NTAPI *CreateThread)(PVOID); /* wrong prototype, unused */
|
||||||
NTSTATUS (NTAPI *GetClientInfo)(PSECPKG_CLIENT_INFO);
|
NTSTATUS (NTAPI *GetClientInfo)(PSECPKG_CLIENT_INFO);
|
||||||
|
NTSTATUS (NTAPI *RegisterNotification)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *CancelNotification)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *MapBuffer)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *CreateToken)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *AuditLogon)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *CallPackage)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *FreeReturnBuffer)(PVOID); /* wrong prototype, unused */
|
||||||
|
BOOLEAN (NTAPI *GetCallInfo)(PSECPKG_CALL_INFO);
|
||||||
|
NTSTATUS (NTAPI *CallPackageEx)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *CreateSharedMemory)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *AllocateSharedMemory)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *FreeSharedMemory)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *DeleteSharedMemory)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *OpenSamUser)(PSECURITY_STRING, SECPKG_NAME_TYPE,
|
||||||
|
PSECURITY_STRING, BOOLEAN, ULONG, PVOID *);
|
||||||
|
NTSTATUS (NTAPI *GetUserCredentials)(PVOID, PVOID, PULONG, PVOID *, PULONG);
|
||||||
|
NTSTATUS (NTAPI *GetUserAuthData)(PVOID, PUCHAR *, PULONG);
|
||||||
|
NTSTATUS (NTAPI *CloseSamUser)(PVOID);
|
||||||
|
NTSTATUS (NTAPI *ConvertAuthDataToToken)(PVOID, ULONG,
|
||||||
|
SECURITY_IMPERSONATION_LEVEL,
|
||||||
|
PTOKEN_SOURCE, SECURITY_LOGON_TYPE,
|
||||||
|
PUNICODE_STRING, PHANDLE, PLUID,
|
||||||
|
PUNICODE_STRING, PNTSTATUS);
|
||||||
|
NTSTATUS (NTAPI *ClientCallback)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *UpdateCredentials)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *GetAuthDataForUser)(PSECURITY_STRING, SECPKG_NAME_TYPE,
|
||||||
|
PSECURITY_STRING, PUCHAR *, PULONG,
|
||||||
|
PUNICODE_STRING);
|
||||||
|
NTSTATUS (NTAPI *CrackSingleName)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *AuditAccountLogon)(PVOID); /* wrong prototype, unused */
|
||||||
|
NTSTATUS (NTAPI *CallPackagePassthrough)(PVOID); /* wrong prototype, unused */
|
||||||
} LSA_SECPKG_FUNCS, *PLSA_SECPKG_FUNCS;
|
} LSA_SECPKG_FUNCS, *PLSA_SECPKG_FUNCS;
|
||||||
|
|
||||||
typedef enum _LSA_TOKEN_INFORMATION_TYPE
|
typedef enum _LSA_TOKEN_INFORMATION_TYPE
|
||||||
@ -142,6 +192,16 @@ typedef struct
|
|||||||
BYTE data[1];
|
BYTE data[1];
|
||||||
} cyglsa_t;
|
} cyglsa_t;
|
||||||
|
|
||||||
|
typedef struct
|
||||||
|
{
|
||||||
|
DWORD magic_pre;
|
||||||
|
HANDLE token;
|
||||||
|
DWORD magic_post;
|
||||||
|
} cygprf_t;
|
||||||
|
|
||||||
|
#define MAGIC_PRE 0x12345678UL
|
||||||
|
#define MAGIC_POST 0x87654321UL
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
@ -1016,10 +1016,13 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
|||||||
authinf_size += gsize; /* Groups + Group SIDs */
|
authinf_size += gsize; /* Groups + Group SIDs */
|
||||||
/* When trying to define the admins group as primary group on Vista,
|
/* When trying to define the admins group as primary group on Vista,
|
||||||
LsaLogonUser fails with error STATUS_INVALID_OWNER. As workaround
|
LsaLogonUser fails with error STATUS_INVALID_OWNER. As workaround
|
||||||
we define "Local" as primary group here. First, this adds the otherwise
|
we define "Local" as primary group here. Seteuid32 sets the primary
|
||||||
missing "Local" group to the group list and second, seteuid32
|
group to the group set in /etc/passwd anyway. */
|
||||||
sets the primary group to the group set in /etc/passwd anyway. */
|
if (new_groups.pgsid == well_known_admins_sid)
|
||||||
pgrpsid = well_known_local_sid;
|
pgrpsid = well_known_local_sid;
|
||||||
|
else
|
||||||
|
pgrpsid = new_groups.pgsid;
|
||||||
|
|
||||||
authinf_size += GetLengthSid (pgrpsid); /* Primary Group SID */
|
authinf_size += GetLengthSid (pgrpsid); /* Primary Group SID */
|
||||||
|
|
||||||
authinf_size += psize; /* Privileges */
|
authinf_size += psize; /* Privileges */
|
||||||
@ -1104,7 +1107,20 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
if (profile)
|
if (profile)
|
||||||
LsaFreeReturnBuffer (profile);
|
{
|
||||||
|
#ifdef JUST_ANOTHER_NONWORKING_SOLUTION
|
||||||
|
/* See ../lsaauth/cyglsa.c. */
|
||||||
|
cygprf_t *prf = (cygprf_t *) profile;
|
||||||
|
if (prf->magic_pre == MAGIC_PRE && prf->magic_post == MAGIC_POST
|
||||||
|
&& prf->token)
|
||||||
|
{
|
||||||
|
CloseHandle (user_token);
|
||||||
|
user_token = prf->token;
|
||||||
|
system_printf ("Got token through profile: %p", user_token);
|
||||||
|
}
|
||||||
|
#endif /* JUST_ANOTHER_NONWORKING_SOLUTION */
|
||||||
|
LsaFreeReturnBuffer (profile);
|
||||||
|
}
|
||||||
|
|
||||||
if (wincap.has_mandatory_integrity_control ())
|
if (wincap.has_mandatory_integrity_control ())
|
||||||
{
|
{
|
||||||
|
Loading…
x
Reference in New Issue
Block a user