From 1fcc912f135e11aa78a4ed529c70d6887cfcb317 Mon Sep 17 00:00:00 2001 
From: Corinna Vinschen Date: Sun, 20 May 2001 08:10:47 +0000 Subject: * autoload.cc: Add load statements for `LookupAccountNameW', `LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory', `LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum', `NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and `NtCreateToken'. * ntdll.h: Add declaration for `NtCreateToken'. * sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. (cygsid::string): Define as const method. (cygsid::get_sid): Set psid to NO_SID on error. (cygsid::getfromstr): Ditto. (cygsid::getfrompw): Simplify. (cygsid::getfromgr): Check for gr == NULL. (legal_sid_type): Move to security.h. (set_process_privilege): Return -1 on error, otherwise 0 or 1 related to previous privilege setting. * security.cc (extract_nt_dom_user): Remove `static'. (lsa2wchar): New function. (open_local_policy): Ditto. (close_local_policy): Ditto. (get_lsa_srv_inf): Ditto. (get_logon_server): Ditto. (get_logon_server_and_user_domain): Ditto. (get_user_groups): Ditto. (is_group_member): Ditto. (get_user_local_groups): Ditto. (sid_in_token_groups): Ditto. (get_user_primary_group): Ditto. (get_group_sidlist): Ditto. (get_system_priv_list): Ditto. (get_priv_list): Ditto. (get_dacl): Ditto. (create_token): Ditto. (subauth): Return immediately if SE_TCB_NAME can't be assigned. Change all return statements in case of error to jumps to `out' label. Add `out' label to support cleanup. * security.h: Add extern declarations for `well_known_local_sid', `well_known_dialup_sid', `well_known_network_sid', `well_known_batch_sid', `well_known_interactive_sid', `well_known_service_sid' and `well_known_authenticated_users_sid'. Add extern declarations for functions `create_token', `extract_nt_dom_user' and `get_logon_server_and_user_domain'. 
(class cygsid): Add method `assign'. Change operator= to call new `assign' method. Add `debug_print' method. (class cygsidlist): New class. (legal_sid_type): Moved from sec_helper.cc to here. * spawn.cc (spawn_guts) Revert reversion of previous patch. Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid' again. * syscalls.cc (seteuid): Rearranged. Call `create_token' now when needed. Call `subauth' if `create_token' fails. Try setting token owner and primary group only if token was not explicitely created by `create_token'. * uinfo.cc (internal_getlogin): Try harder to generate correct user information. Especially don't trust return value of `GetUserName'. --- winsup/cygwin/security.h | 105 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 91 insertions(+), 14 deletions(-) (limited to 'winsup/cygwin/security.h') diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index 5f2a381..c915c1b 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -26,6 +26,18 @@ class cygsid { const PSID getfromstr (const char *nsidstr); PSID get_sid (DWORD s, DWORD cnt, DWORD *r); + inline const PSID assign (const PSID nsid) + { + if (!nsid) + psid = NO_SID; + else + { + psid = (PSID) sbuf; + CopySid (MAX_SID_LEN, psid, nsid); + } + return psid; + } + public: inline cygsid () : psid ((PSID) sbuf) {} inline cygsid (const PSID nsid) { *this = nsid; } @@ -40,19 +52,12 @@ public: inline int get_uid () { return get_id (FALSE); } inline int get_gid () { return get_id (TRUE); } - char *string (char *nsidstr); + char *string (char *nsidstr) const; + inline const PSID operator= (cygsid &nsid) + { return assign (nsid); } inline const PSID operator= (const PSID nsid) - { - if (!nsid) - psid = NULL; - else - { - psid = (PSID) sbuf; - CopySid (MAX_SID_LEN, psid, nsid); - } - return psid; - } + { return assign (nsid); } inline const PSID operator= (const char *nsidstr) { return getfromstr (nsidstr); } 
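Review bot: The new `assign` helper ignores the return value of `CopySid`, so if the copy fails `psid` still points at `sbuf` with whatever bytes it held before, and the object looks like a valid SID to its callers. The commit message says `get_sid` and `getfromstr` now fall back to `NO_SID` on error, and `assign` should follow the same convention: `if (!CopySid (MAX_SID_LEN, psid, nsid)) psid = NO_SID;`. This matters because `cygsid` objects are passed to `create_token` (declared later in this patch), where a stale SID could end up in a token. A one-line comment on `assign` saying it yields `NO_SID` for a null or uncopyable input would document the contract for both `operator=` overloads that now delegate to it.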
@@ -73,12 +78,77 @@ public: { return !(*this == nsidstr); } inline operator const PSID () { return psid; } + + void debug_print (const char *prefix = NULL) const + { + char buf[256]; + debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL"); + } +}; + +class cygsidlist { +public: + int count; + cygsid *sids; + + cygsidlist () : count (0), sids (NULL) {} + ~cygsidlist () { delete [] sids; } + + BOOL add (cygsid &nsi) + { + cygsid *tmp = new cygsid [count + 1]; + if (!tmp) + return FALSE; + for (int i = 0; i < count; ++i) + tmp[i] = sids[i]; + delete [] sids; + sids = tmp; + sids[count++] = nsi; + return TRUE; + } + BOOL add (const PSID nsid) { return add (nsid); } + BOOL add (const char *sidstr) + { cygsid nsi (sidstr); return add (nsi); } + + BOOL operator+= (cygsid &si) { return add (si); } + BOOL operator+= (const char *sidstr) { return add (sidstr); } + + BOOL contains (cygsid &sid) const + { + for (int i = 0; i < count; ++i) + if (sids[i] == sid) + return TRUE; + return FALSE; + } + void debug_print (const char *prefix = NULL) const + { + debug_printf ("-- begin sidlist ---"); + if (!count) + debug_printf ("No elements"); + for (int i = 0; i < count; ++i) + sids[i].debug_print (prefix); + debug_printf ("-- ende sidlist ---"); + } }; -extern cygsid well_known_admin_sid; -extern cygsid well_known_system_sid; -extern cygsid well_known_creator_owner_sid; extern cygsid well_known_world_sid; +extern cygsid well_known_local_sid; +extern cygsid well_known_creator_owner_sid; +extern cygsid well_known_dialup_sid; +extern cygsid well_known_network_sid; +extern cygsid well_known_batch_sid; +extern cygsid well_known_interactive_sid; +extern cygsid well_known_service_sid; +extern cygsid well_known_authenticated_users_sid; +extern cygsid well_known_system_sid; +extern cygsid well_known_admin_sid; + +inline BOOL +legal_sid_type (SID_NAME_USE type) +{ + return type == SidTypeUser || type == SidTypeGroup + || type == SidTypeAlias || type == SidTypeWellKnownGroup; +} extern 
BOOL allow_ntsec; extern BOOL allow_smbntsec; @@ -102,6 +172,13 @@ BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PS /* Try a subauthentication. */ HANDLE subauth (struct passwd *pw); +/* Try creating a token directly. */ +HANDLE create_token (cygsid &usersid, cygsid &pgrpsid); + +/* Extract U-domain\user field from passwd entry. */ +void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user); +/* Get default logonserver and domain for this box. */ +BOOL get_logon_server_and_user_domain (char *logonserver, char *domain); /* sec_helper.cc: Security helper functions. */ BOOL __stdcall is_grp_member (uid_t uid, gid_t gid); -- cgit v1.1
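Review bot: In the new `cygsidlist` class, `BOOL add (const PSID nsid) { return add (nsid); }` calls itself. Judging from the visible overloads, the argument is an exact match for the same `const PSID` overload, while the `cygsid &` overload cannot bind a temporary, so the call recurses until the stack is exhausted. Building the object first avoids this: `BOOL add (const PSID nsid) { cygsid nsi (nsid); return add (nsi); }`, as the `const char *` overload next to it already does. Separately, the class frees `sids` with `delete []` in its destructor but declares no copy constructor or assignment operator, so a by-value copy would free the array twice. Declaring both private and unimplemented would rule that out.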
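Review bot: The newly exported `extract_nt_dom_user` and `get_logon_server_and_user_domain` write into caller-supplied `char *` buffers with no length parameter, and the comments above them do not say how large those buffers must be. The definitions are outside this hunk, so the real bounds are not visible here, but this header is where callers in other files will look. I would extend the comments, e.g. `/* domain and user must each point to at least <REQUIRED_SIZE> bytes. */`, with the real constants filled in. The `create_token` comment should also state the failure value, since a `HANDLE` result can signal failure as either `NULL` or `INVALID_HANDLE_VALUE` and the caller's fallback to `subauth` depends on testing the right one.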