51303cbd0c
* cygserver.h (CYGWIN_SERVER_VERSION_API): Bump. (request_code_t): Define CYGSERVER_REQUEST_SETPWD request type. * cygserver_msg.h (client_request_msg::retval): Use default value of -1 for retval if msglen is 0. * cygserver_sem.h (client_request_sem::retval): Ditto. * cygserver_shm.h (client_request_shm::retval): Ditto. * cygserver_setpwd.h: New file. * external.cc (cygwin_internal): Implement new CW_SET_PRIV_KEY type. * sec_auth.cc (open_local_policy): Make externally available. Get ACCESS_MASK as argument. (create_token): Accommodate change to open_local_policy. (lsaauth): Ditto. (lsaprivkeyauth): New function fetching token by retrieving password stored in Cygwin or Interix LSA private data area and calling LogonUser with it. * security.h (lsaprivkeyauth): Declare. (open_local_policy): Declare. * setlsapwd.cc: New file implementing setting LSA private data password using LsaStorePrivateData or by calling cygserver if available. * syscalls.cc (seteuid32): Add workaround to get the original token when switching back to the original privileged user, even if setgroups group list is still active. Add long comment to explain why. Call lsaprivkeyauth first, only if that fails call lsaauth or create_token. * include/cygwin/version.h: Bump API minor number. * include/sys/cygwin.h (cygwin_getinfo_types): Add CW_SET_PRIV_KEY.
91 lines
2.3 KiB
C++
91 lines
2.3 KiB
C++
/* setlsapwd.cc: Set LSA private data password for current user.
|
|
|
|
Copyright 2008 Red Hat, Inc.
|
|
|
|
This file is part of Cygwin.
|
|
|
|
This software is a copyrighted work licensed under the terms of the
|
|
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
|
|
details. */
|
|
|
|
#include "winsup.h"
|
|
#include "shared_info.h"
|
|
#include "cygerrno.h"
|
|
#include "path.h"
|
|
#include "fhandler.h"
|
|
#include "dtable.h"
|
|
#include "cygheap.h"
|
|
#include "security.h"
|
|
#include "cygserver_setpwd.h"
|
|
#include "ntdll.h"
|
|
#include <ntsecapi.h>
|
|
#include <stdlib.h>
|
|
#include <wchar.h>
|
|
|
|
#ifdef USE_SERVER
|
|
/*
|
|
* client_request_setpwd Constructor
|
|
*/
|
|
|
|
client_request_setpwd::client_request_setpwd (PUNICODE_STRING passwd)
|
|
: client_request (CYGSERVER_REQUEST_SETPWD, &_parameters, sizeof (_parameters))
|
|
{
|
|
memset (_parameters.in.passwd, 0, sizeof _parameters.in.passwd);
|
|
if (passwd->Length > 0 && passwd->Length < 256 * sizeof (WCHAR))
|
|
wcpncpy (_parameters.in.passwd, passwd->Buffer, 255);
|
|
|
|
msglen (sizeof (_parameters.in));
|
|
}
|
|
|
|
#endif /* USE_SERVER */
|
|
|
|
unsigned long
|
|
setlsapwd (const char *passwd)
|
|
{
|
|
unsigned long ret = (unsigned long) -1;
|
|
HANDLE lsa = INVALID_HANDLE_VALUE;
|
|
WCHAR sid[128];
|
|
WCHAR key_name[128 + wcslen (CYGWIN_LSA_KEY_PREFIX)];
|
|
PWCHAR data_buf = NULL;
|
|
UNICODE_STRING key;
|
|
UNICODE_STRING data;
|
|
|
|
wcpcpy (wcpcpy (key_name, CYGWIN_LSA_KEY_PREFIX),
|
|
cygheap->user.get_windows_id (sid));
|
|
RtlInitUnicodeString (&key, key_name);
|
|
if (!passwd || ! *passwd
|
|
|| sys_mbstowcs_alloc (&data_buf, HEAP_NOTHEAP, passwd))
|
|
{
|
|
NTSTATUS status = STATUS_ACCESS_DENIED;
|
|
|
|
memset (&data, 0, sizeof data);
|
|
if (data_buf)
|
|
RtlInitUnicodeString (&data, data_buf);
|
|
/* First try it locally. Works for admin accounts. */
|
|
if ((lsa = open_local_policy (POLICY_CREATE_SECRET))
|
|
!= INVALID_HANDLE_VALUE)
|
|
{
|
|
status = LsaStorePrivateData (lsa, &key, data.Length ? &data : NULL);
|
|
if (NT_SUCCESS (status))
|
|
ret = 0;
|
|
LsaClose (lsa);
|
|
}
|
|
if (ret)
|
|
#ifdef USE_SERVER
|
|
{
|
|
/* If that fails, ask cygserver. */
|
|
client_request_setpwd request (&data);
|
|
if (request.make_request () == -1 || request.error_code ())
|
|
set_errno (request.error_code ());
|
|
else
|
|
ret = 0;
|
|
}
|
|
#else
|
|
__seterrno_from_nt_status (status);
|
|
#endif
|
|
if (data_buf)
|
|
free (data_buf);
|
|
}
|
|
return ret;
|
|
}
|