2022-08-04 22:58:50 +08:00
|
|
|
/* sec/helper.cc: NT security helper functions
|
2001-04-20 21:02:32 +08:00
|
|
|
|
|
|
|
Written by Corinna Vinschen <corinna@vinschen.de>
|
|
|
|
|
|
|
|
This file is part of Cygwin.
|
|
|
|
|
|
|
|
This software is a copyrighted work licensed under the terms of the
|
|
|
|
Cygwin license. Please consult the file "CYGWIN_LICENSE" for
|
|
|
|
details. */
|
|
|
|
|
|
|
|
#include "winsup.h"
|
|
|
|
#include <stdlib.h>
|
2016-03-12 23:39:19 +08:00
|
|
|
#include <stdarg.h>
|
2016-01-07 01:41:36 +08:00
|
|
|
#include <cygwin/acl.h>
|
2015-08-18 00:29:24 +08:00
|
|
|
#include <sys/queue.h>
|
|
|
|
#include <authz.h>
|
2008-07-11 18:00:36 +08:00
|
|
|
#include <wchar.h>
|
2001-04-20 21:02:32 +08:00
|
|
|
#include "cygerrno.h"
|
2001-07-27 03:22:24 +08:00
|
|
|
#include "security.h"
|
2001-04-20 21:02:32 +08:00
|
|
|
#include "path.h"
|
* devices.cc: New file.
* devices.gperf: New file.
* devices.shilka: New file.
* cygwin-gperf: New file.
* cygwin-shilka: New file.
* fhandler_fifo.cc: New file.
* fhandler_nodevice.cc : New file. Reorganize headers so that path.h precedes
fhandler.h throughout. Remove device argument and unit arguments from fhandler
constructors throughout. Remove pc arguments to fhandler functions and use
internal pc element instead, throughout. Use dev element in pc throughout.
Use major/minor elements rather than units and device numbers previously in
fhandler class. Use correct methods for fhandler file names rather than
directly accessing file name variables, throughout.
* Makefile.in (DLL_OFILES): Add devices.o, fhandler_fifo.o
* dcrt0.cc (dll_crt0_1): Call device::init.
* devices.h: Renumber devices based on more Linux-like major/minor numbers.
Add more devices. Declare standard device storage.
(device): Declare struct.
* dir.cc (opendir): Use new 'build_fh_name' to construct a fhandler_* type.
* dtable.cc (dtable::get_debugger_info): Ditto.
(cygwin_attach_handle_to_fd): Ditto.
(dtable::release): Remove special FH_SOCKET case in favor of generic
"need_fixup_before" test.
(dtable::init_std_file_from_handle): Use either build_fh_dev or build_fh_name
to build standard fhandler.
(dtable::build_fh_name): Renamed from dtable::build_fhandler_from_name. Move
out of dtable class. Don't accept a path_conv argument. Just build it here
and pass it to:
(build_fh_pc): Renamed from dtable::build_fhandler. Move out of dtable class.
Use intrinsic device type in path_conv to create new fhandler.
(build_fh_dev): Renamed from dtable::build_fhandler. Move out of dtable class.
Simplify arguments to just take new 'device' type and a name. Just return
pointer to fhandler rather than trying to insert into dtable.
(dtable::dup_worker): Accommodate above build_fh name changes.
(dtable::find_fifo): New (currently broken) function.
(handle_to_fn): Use strechr for efficiency.
* dtable.h: Reflect above build_fh name changes and argument differences.
(fhandler_base *&operator []): Return self rather than copy of self.
* fhandler.cc (fhandler_base::operator =): Use pc element to set normalized
path.
(fhandler_base::set_name): Ditto.
(fhandler_base::raw_read): Use method to access name.
(fhandler_base::write): Correctly use get_output_handle rather than get_handle.
(handler_base::device_access_denied): New function.
(fhandler_base::open): Eliminate pc argument and use pc element of
fhandler_base throughout.
(fhandler_base::fstat): Detect if device is based in filesystem and use
fstat_fs to calculate stat, if so.
(fhandler_base::fhandler_base): Eliminate handling of file names and, instead,
just free appropriate component from pc.
(fhandler_base::opendir): Remove path_conv parameter.
* fhandler.h: Remove all device flags.
(fhandler_base::pc): New element.
(fhandler_base::set_name): Change argument to path_conv.
(fhandler_base::error): New function.
(fhandler_base::exists): New function.
(fhandler_base::pc_binmode): New function.
(fhandler_base::dev): New function.
(fhandler_base::open_fs): New function.
(fhandler_base::fstat_fs): New function.
(fhandler_base::fstat_by_name): New function.
(fhandler_base::fstat_by_handle): New function.
(fhandler_base::isfifo): New function.
(fhandler_base::is_slow): New function.
(fhandler_base::is_auto_device): New function.
(fhandler_base::is_fs_special): New function.
(fhandler_base::device_access_denied): New function.
(fhandler_base::operator DWORD&): New operator.
(fhandler_base::get_name): Return normalized path from pc.
(fhandler_base::get_win32_name): Return windows path from pc.
(fhandler_base::isdevice): Renamed from is_device.
(fhandler_base::get_native_name): Return device format.
(fhandler_fifo): New class.
(fhandler_nodevice): New class.
(select_stuff::device_specific): Remove array.
(select_stuff::device_specific_pipe): New class element.
(select_stuff::device_specific_socket): New class element.
(select_stuff::device_specific_serial): New class element.
(select_stuff::select_stuff): Initialize new elements.
* fhandler_disk_file.cc (fhandler_base::fstat_by_handle): Move to base class
from fhandler_disk_file.
(fhandler_base::fstat_by_name): Ditto.
(fhandler_base::fstat_by_name): Ditto.
(fhandler_disk_file::open): Move most functionality into
fhandler_base::open_fs.
(fhandler_base::open_fs): New function.
(fhandler_disk_file::close): Move most functionality into
fhandler_base::close_fs.
(fhandler_base::close_fs): New function.
* fhandler_mem.cc (fhandler_dev_mem::open): Use device name in debugging
output.
* fhandler_socket.cc (fhandler_socket::set_connect_secret): Copy standard
urandom device into appropriate place.
(fhandler_socket::accept): Reflect change in fdsock return value.
* fhandler_tty.cc: See "throughouts" above.
* net.cc: Accommodate fdsock change throughout.
(fdsock): Return success or failure, accept fd argument and device argument.
* path.cc (symlink_info::major): New element.
(symlink_info::minor): New element.
(symlink_info::parse_device): Declare new function.
(fs_info::update): Accommodate changes in path_conv class.
(path_conv::fillin): Ditto.
(path_conv::return_and_clear_normalized_path): Eliminate.
(path_conv::set_normalized_path): New function.
(path_conv::path_conv): Set info in dev element. Use path_conv methods Check
for FH_FS rather than FH_BAD to indicate when to fill in filesystem stuff.
where appropriate rather than direct access. Use set_normalized_path to set
normalized path.
(windows_device_names): Eliminate.
(get_dev): Ditto.
(get_raw_device_number): Ditto.
(get_device_number): Ditto.
(win32_device_name): Call new device name parser to do most of the heavy
lifting.
(mount_info::conv_to_win32_path): Fill in dev field as appropriate.
(symlink_worker): Handle new device files.
(symlink_info::check): Ditto.
(symlink_info::parse_device): Define new function.
* path.h (executable_states): Move here from fhandler.h.
(fs_info): Rename variables to *_storage and create methods for accessing same.
(path_conv): Add dev element, remove devn and unit and adjust inline methods to
accommodate.
(set_normalized_path): Declare new function.
* pinfo.cc (_pinfo::commune_recv): Add broken support for handling fifos.
(_pinfo::commune_send): Ditto.
* pipe.cc (fhandler_pipe::close): check for existence of handle before closing
it.
(handler_pipe::create): Rename from make_pipe. Change arguments to accept
fhandler_pipe array. Accommodate fifos.
(pipe): Rework to deal with fhandler_pipe::create changes.
(_pipe): Ditto.
* select.cc: Use individual device_specific types throughout rather than
indexing with obsolete device number.
(set_bits): Use is_socket call rather than checking device number.
* shared_info.h (CURR_MOUNT_MAGIC): Update.
(conv_to_win32_path): Reflect addition of device argument.
* syscalls.cc (mknod_worker): New function.
(open): Use build_fh_name to build fhandler.
(chown_worker): Detect if this is an 'auto' device rather than an on-filesystem
device and handle appropriately.
(chmod_device): New function.
(chmod): Detect if this is an 'auto' device rather than an on-filesystem device
and handle appropriately. Use chmod_device to set mode of in-filesystem
devices.
(stat_worker): Eliminate path_conv argument. Call build_fh_name to construct
fhandler. Use fh->error() rather than pc->error to detect errors in fhandler
construction.
(access_worker): New function pulled from access. Accommodate in-filesystem
devices.
(access): Use access_worker.
(fpathconf): Detect if this is an 'auto' device rather than an on-filesystem
device and handle appropriately.
(mknod_worker): New function.
(mknod32): New function.
(chroot): Free normalized path -- assuming it was actually cmalloced.
* tty.cc (create_tty_master): Tweak for new device class.
(tty::common_init): Ditto.
* winsup.h (stat_worker): Remove.
(symlink_worker): Declare.
* exceptions.cc (set_process_mask): Just call sig_dispatch_pending and don't
worry about pending_signals since sig_dispatch_pending should always do the
right thing now.
(sig_handle): Reorganize SIGCONT handling to more closely conform to SUSv3.
* pinfo.h: Move __SIG enum to sigproc.h.
(PICOM_FIFO): New enum element.
(_pinfo): Remove 'thread2signal' stuff throughout class.
(_pinfo::commune_send): Make varargs.
(_pinfo::sigtodo): Eliminate.
(_pinfo::thread2signal): Ditto.
* signal.cc (kill_worker): Eliminate call to setthread2signal.
* sigproc.cc (local_sigtodo): Eliminate.
(getlocal_sigtodo): Ditto.
(sigelem): New class.
(pending_signals): New class.
(sigqueue): New variable, start of sigqueue linked list.
(sigcatch_nonmain): Eliminate.
(sigcatch_main): Eliminate.
(sigcatch_nosync): Eliminate.
(sigcomplete_nonmain): Eliminate.
(pending_signals): Eliminate.
(sig_clear): Call signal thread to clear pending signals, unless already in
signal thread.
(sigpending): Call signal thread to get pending signals.
(sig_dispatch_pending): Eliminate use of pending_signals and just check
sigqueue.
(sigproc_terminate): Eliminate all of the obsolete semaphore stuff. Close
signal pipe handle.
(sig_send): Eliminate all of the obsolete semaphore stuff and use pipe to send
signals.
(getevent): Eliminate.
(pending_signals::add): New function.
(pending_signals::del): New function.
(pending_signals::next): New function.
(wait_sig): Eliminate all of the obsolete semaphore stuff. Use pipe to
communicate and maintain a linked list of signals.
* sigproc.h: Move __SIG defines here. Add __SIGPENDING.
(sig_dispatch_pending): Remove "C" specifier.
(sig_handle): Accept a mask argument.
* thread.cc: Remove signal handling considerations throughout.
2003-09-25 08:37:18 +08:00
|
|
|
#include "fhandler.h"
|
2001-04-20 21:02:32 +08:00
|
|
|
#include "dtable.h"
|
|
|
|
#include "pinfo.h"
|
|
|
|
#include "cygheap.h"
|
2007-07-19 16:33:22 +08:00
|
|
|
#include "ntdll.h"
|
2014-02-10 03:44:56 +08:00
|
|
|
#include "ldap.h"
|
2001-04-20 21:02:32 +08:00
|
|
|
|
2002-07-01 22:31:28 +08:00
|
|
|
/* General purpose security attribute objects for global use. */
|
2013-04-23 17:44:36 +08:00
|
|
|
static NO_COPY_RO SECURITY_DESCRIPTOR null_sdp =
|
|
|
|
{ SECURITY_DESCRIPTOR_REVISION, 0, SE_DACL_PRESENT,
|
|
|
|
NULL, NULL, NULL, NULL };
|
|
|
|
SECURITY_ATTRIBUTES NO_COPY_RO sec_none =
|
|
|
|
{ sizeof (SECURITY_ATTRIBUTES), NULL, TRUE };
|
|
|
|
SECURITY_ATTRIBUTES NO_COPY_RO sec_none_nih =
|
|
|
|
{ sizeof (SECURITY_ATTRIBUTES), NULL, FALSE };
|
|
|
|
SECURITY_ATTRIBUTES NO_COPY_RO sec_all =
|
|
|
|
{ sizeof (SECURITY_ATTRIBUTES), &null_sdp, TRUE };
|
|
|
|
SECURITY_ATTRIBUTES NO_COPY_RO sec_all_nih =
|
|
|
|
{ sizeof (SECURITY_ATTRIBUTES), &null_sdp, FALSE };
|
2002-07-01 22:31:28 +08:00
|
|
|
|
2006-11-24 00:44:55 +08:00
|
|
|
MKSID (well_known_null_sid, "S-1-0-0",
|
|
|
|
SECURITY_NULL_SID_AUTHORITY, 1, SECURITY_NULL_RID);
|
|
|
|
MKSID (well_known_world_sid, "S-1-1-0",
|
|
|
|
SECURITY_WORLD_SID_AUTHORITY, 1, SECURITY_WORLD_RID);
|
|
|
|
MKSID (well_known_local_sid, "S-1-2-0",
|
|
|
|
SECURITY_LOCAL_SID_AUTHORITY, 1, SECURITY_LOCAL_RID);
|
2011-10-16 00:31:57 +08:00
|
|
|
MKSID (well_known_console_logon_sid, "S-1-2-1",
|
|
|
|
SECURITY_LOCAL_SID_AUTHORITY, 1, 1);
|
2006-11-24 00:44:55 +08:00
|
|
|
MKSID (well_known_creator_owner_sid, "S-1-3-0",
|
|
|
|
SECURITY_CREATOR_SID_AUTHORITY, 1, SECURITY_CREATOR_OWNER_RID);
|
|
|
|
MKSID (well_known_creator_group_sid, "S-1-3-1",
|
|
|
|
SECURITY_CREATOR_SID_AUTHORITY, 1, SECURITY_CREATOR_GROUP_RID);
|
|
|
|
MKSID (well_known_dialup_sid, "S-1-5-1",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_DIALUP_RID);
|
|
|
|
MKSID (well_known_network_sid, "S-1-5-2",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_NETWORK_RID);
|
|
|
|
MKSID (well_known_batch_sid, "S-1-5-3",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_BATCH_RID);
|
|
|
|
MKSID (well_known_interactive_sid, "S-1-5-4",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_INTERACTIVE_RID);
|
|
|
|
MKSID (well_known_service_sid, "S-1-5-6",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_SERVICE_RID);
|
|
|
|
MKSID (well_known_authenticated_users_sid, "S-1-5-11",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_AUTHENTICATED_USER_RID);
|
|
|
|
MKSID (well_known_this_org_sid, "S-1-5-15",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, 15);
|
|
|
|
MKSID (well_known_system_sid, "S-1-5-18",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SYSTEM_RID);
|
2014-03-07 02:54:08 +08:00
|
|
|
MKSID (well_known_local_service_sid, "S-1-5-19",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SERVICE_RID);
|
|
|
|
MKSID (well_known_network_service_sid, "S-1-5-20",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_NETWORK_SERVICE_RID);
|
2010-02-13 01:40:42 +08:00
|
|
|
MKSID (well_known_builtin_sid, "S-1-5-32",
|
|
|
|
SECURITY_NT_AUTHORITY, 1, SECURITY_BUILTIN_DOMAIN_RID);
|
2006-11-24 00:44:55 +08:00
|
|
|
MKSID (well_known_admins_sid, "S-1-5-32-544",
|
|
|
|
SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
|
|
|
DOMAIN_ALIAS_RID_ADMINS);
|
2010-01-08 23:55:27 +08:00
|
|
|
MKSID (well_known_users_sid, "S-1-5-32-545",
|
|
|
|
SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
|
|
|
DOMAIN_ALIAS_RID_USERS);
|
2014-03-07 02:54:08 +08:00
|
|
|
MKSID (trusted_installer_sid,
|
|
|
|
"S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464",
|
|
|
|
SECURITY_NT_AUTHORITY, SECURITY_SERVICE_ID_RID_COUNT,
|
|
|
|
SECURITY_SERVICE_ID_BASE_RID, 956008885U, 3418522649U, 1831038044U,
|
|
|
|
1853292631U, 2271478464U);
|
2008-04-22 18:45:34 +08:00
|
|
|
MKSID (mandatory_medium_integrity_sid, "S-1-16-8192",
|
|
|
|
SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_MEDIUM_RID);
|
|
|
|
MKSID (mandatory_high_integrity_sid, "S-1-16-12288",
|
|
|
|
SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_HIGH_RID);
|
|
|
|
MKSID (mandatory_system_integrity_sid, "S-1-16-16384",
|
|
|
|
SECURITY_MANDATORY_LABEL_AUTHORITY, 1, SECURITY_MANDATORY_SYSTEM_RID);
|
2009-04-09 17:19:03 +08:00
|
|
|
/* UNIX accounts on a Samba server have the SID prefix "S-1-22-1" */
|
|
|
|
#define SECURITY_SAMBA_UNIX_AUTHORITY {0,0,0,0,0,22}
|
|
|
|
MKSID (well_known_samba_unix_user_fake_sid, "S-1-22-1-0",
|
|
|
|
SECURITY_SAMBA_UNIX_AUTHORITY, 2, 1, 0);
|
2006-11-08 19:38:05 +08:00
|
|
|
|
2003-02-04 22:58:04 +08:00
|
|
|
bool
|
|
|
|
cygpsid::operator== (const char *nsidstr) const
|
|
|
|
{
|
|
|
|
cygsid nsid (nsidstr);
|
|
|
|
return psid == nsid;
|
|
|
|
}
|
|
|
|
|
2013-04-23 17:44:36 +08:00
|
|
|
uid_t
|
2014-02-27 20:57:27 +08:00
|
|
|
cygpsid::get_id (BOOL search_grp, int *type, cyg_ldap *pldap)
|
2003-02-04 22:58:04 +08:00
|
|
|
{
|
|
|
|
/* First try to get SID from group, then passwd */
|
2013-04-23 17:44:36 +08:00
|
|
|
uid_t id = ILLEGAL_UID;
|
2003-02-04 22:58:04 +08:00
|
|
|
|
|
|
|
if (search_grp)
|
|
|
|
{
|
2013-04-23 17:44:36 +08:00
|
|
|
struct group *gr;
|
2003-02-04 22:58:04 +08:00
|
|
|
if (cygheap->user.groups.pgsid == psid)
|
|
|
|
id = myself->gid;
|
2015-08-18 02:24:49 +08:00
|
|
|
else if (sid_id_auth (psid) == 22 && cygheap->pg.nss_grp_db ())
|
2014-03-03 20:03:47 +08:00
|
|
|
{
|
2016-03-13 00:56:21 +08:00
|
|
|
/* Samba UNIX group? Try to map to Cygwin gid. If there's no
|
2014-03-03 20:03:47 +08:00
|
|
|
mapping in the cache, try to fetch it from the configured
|
|
|
|
RFC 2307 domain (see last comment in cygheap_domain_info::init()
|
2016-03-13 00:56:21 +08:00
|
|
|
for more information) and add it to the mapping cache.
|
|
|
|
If this is a user, not a group, make sure to skip the subsequent
|
|
|
|
internal_getgrsid call, otherwise we end up with a fake group
|
|
|
|
entry for a UNIX user account. */
|
|
|
|
if (sid_sub_auth (psid, 0) == 2)
|
2014-03-03 20:03:47 +08:00
|
|
|
{
|
2016-03-13 00:56:21 +08:00
|
|
|
gid_t gid = sid_sub_auth_rid (psid);
|
|
|
|
gid_t map_gid = cygheap->ugid_cache.get_gid (gid);
|
|
|
|
if (map_gid == ILLEGAL_GID)
|
|
|
|
{
|
|
|
|
if (pldap->open (cygheap->dom.get_rfc2307_domain ())
|
|
|
|
== NO_ERROR)
|
|
|
|
map_gid = pldap->remap_gid (gid);
|
2020-03-11 20:36:41 +08:00
|
|
|
if (map_gid == ILLEGAL_GID)
|
2016-03-13 00:56:21 +08:00
|
|
|
map_gid = MAP_UNIX_TO_CYGWIN_ID (gid);
|
|
|
|
cygheap->ugid_cache.add_gid (gid, map_gid);
|
|
|
|
}
|
|
|
|
id = (uid_t) map_gid;
|
2014-03-03 20:03:47 +08:00
|
|
|
}
|
|
|
|
}
|
2014-02-27 20:57:27 +08:00
|
|
|
else if ((gr = internal_getgrsid (*this, pldap)))
|
2003-02-04 22:58:04 +08:00
|
|
|
id = gr->gr_gid;
|
2014-03-03 20:03:47 +08:00
|
|
|
if ((gid_t) id != ILLEGAL_GID)
|
2003-03-10 04:31:07 +08:00
|
|
|
{
|
2003-02-04 22:58:04 +08:00
|
|
|
if (type)
|
|
|
|
*type = GROUP;
|
|
|
|
return id;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!search_grp || type)
|
|
|
|
{
|
|
|
|
struct passwd *pw;
|
|
|
|
if (*this == cygheap->user.sid ())
|
|
|
|
id = myself->uid;
|
2016-03-13 00:56:21 +08:00
|
|
|
else if (sid_id_auth (psid) == 22 && sid_sub_auth (psid, 0) == 1
|
|
|
|
&& cygheap->pg.nss_pwd_db ())
|
2014-03-03 20:03:47 +08:00
|
|
|
{
|
|
|
|
/* Samba UNIX user. See comment above. */
|
|
|
|
uid_t uid = sid_sub_auth_rid (psid);
|
|
|
|
uid_t map_uid = cygheap->ugid_cache.get_uid (uid);
|
|
|
|
if (map_uid == ILLEGAL_UID)
|
|
|
|
{
|
2014-06-25 17:10:50 +08:00
|
|
|
if (pldap->open (cygheap->dom.get_rfc2307_domain ()) == NO_ERROR)
|
2014-03-03 20:03:47 +08:00
|
|
|
map_uid = pldap->remap_uid (uid);
|
|
|
|
if (map_uid == ILLEGAL_UID)
|
|
|
|
map_uid = MAP_UNIX_TO_CYGWIN_ID (uid);
|
|
|
|
cygheap->ugid_cache.add_uid (uid, map_uid);
|
|
|
|
}
|
|
|
|
id = map_uid;
|
|
|
|
}
|
2014-02-27 20:57:27 +08:00
|
|
|
else if ((pw = internal_getpwsid (*this, pldap)))
|
2003-02-04 22:58:04 +08:00
|
|
|
id = pw->pw_uid;
|
2018-08-27 19:30:55 +08:00
|
|
|
if (id != ILLEGAL_UID)
|
|
|
|
{
|
|
|
|
if (type)
|
|
|
|
*type = USER;
|
|
|
|
return id;
|
|
|
|
}
|
2003-02-04 22:58:04 +08:00
|
|
|
}
|
2018-08-27 19:30:55 +08:00
|
|
|
if (type)
|
|
|
|
*type = 0; /* undefined type */
|
|
|
|
return ILLEGAL_UID;
|
2003-02-04 22:58:04 +08:00
|
|
|
}
|
|
|
|
|
2008-02-15 00:47:11 +08:00
|
|
|
PWCHAR
|
2014-02-10 03:44:56 +08:00
|
|
|
cygpsid::pstring (PWCHAR nsidstr) const
|
2008-02-15 00:47:11 +08:00
|
|
|
{
|
|
|
|
UNICODE_STRING sid;
|
|
|
|
|
2008-02-16 01:53:11 +08:00
|
|
|
if (!psid || !nsidstr)
|
2008-02-15 00:47:11 +08:00
|
|
|
return NULL;
|
|
|
|
RtlInitEmptyUnicodeString (&sid, nsidstr, 256);
|
|
|
|
RtlConvertSidToUnicodeString (&sid, psid, FALSE);
|
2014-02-10 03:44:56 +08:00
|
|
|
return nsidstr + sid.Length / sizeof (WCHAR);
|
|
|
|
}
|
|
|
|
|
|
|
|
PWCHAR
|
|
|
|
cygpsid::string (PWCHAR nsidstr) const
|
|
|
|
{
|
|
|
|
if (pstring (nsidstr))
|
|
|
|
return nsidstr;
|
|
|
|
return NULL;
|
2008-02-15 00:47:11 +08:00
|
|
|
}
|
2003-02-04 22:58:04 +08:00
|
|
|
|
|
|
|
char *
|
2014-02-10 03:44:56 +08:00
|
|
|
cygpsid::pstring (char *nsidstr) const
|
2003-02-04 22:58:04 +08:00
|
|
|
{
|
|
|
|
char *t;
|
|
|
|
DWORD i;
|
|
|
|
|
|
|
|
if (!psid || !nsidstr)
|
|
|
|
return NULL;
|
|
|
|
strcpy (nsidstr, "S-1-");
|
|
|
|
t = nsidstr + sizeof ("S-1-") - 1;
|
2014-02-10 03:44:56 +08:00
|
|
|
t += __small_sprintf (t, "%u", sid_id_auth (psid));
|
2014-05-06 20:02:48 +08:00
|
|
|
for (i = 0; i < sid_sub_auth_count (psid); ++i)
|
2014-02-10 03:44:56 +08:00
|
|
|
t += __small_sprintf (t, "-%lu", sid_sub_auth (psid, i));
|
|
|
|
return t;
|
|
|
|
}
|
|
|
|
|
|
|
|
char *
|
|
|
|
cygpsid::string (char *nsidstr) const
|
|
|
|
{
|
|
|
|
if (pstring (nsidstr))
|
|
|
|
return nsidstr;
|
|
|
|
return NULL;
|
2003-02-04 22:58:04 +08:00
|
|
|
}
|
|
|
|
|
2001-04-20 21:02:32 +08:00
|
|
|
PSID
|
2006-11-27 20:59:59 +08:00
|
|
|
cygsid::get_sid (DWORD s, DWORD cnt, DWORD *r, bool well_known)
|
2001-04-20 21:02:32 +08:00
|
|
|
{
|
|
|
|
DWORD i;
|
2011-04-04 17:00:02 +08:00
|
|
|
SID_IDENTIFIER_AUTHORITY sid_auth = { SECURITY_NULL_SID_AUTHORITY };
|
|
|
|
# define SECURITY_NT_AUTH 5
|
2001-04-20 21:02:32 +08:00
|
|
|
|
2015-10-22 21:38:42 +08:00
|
|
|
/* 2015-10-22: Note that we let slip SIDs with a subauthority count of 0.
|
|
|
|
There are systems, which generate the SID S-1-0 as group ownership SID,
|
|
|
|
see https://cygwin.com/ml/cygwin/2015-10/msg00141.html. */
|
|
|
|
if (s > 255 || cnt > SID_MAX_SUB_AUTHORITIES)
|
* autoload.cc: Add load statements for `LookupAccountNameW',
`LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory',
`LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum',
`NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and
`NtCreateToken'.
* ntdll.h: Add declaration for `NtCreateToken'.
* sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid',
`well_known_network_sid', `well_known_batch_sid',
`well_known_interactive_sid', `well_known_service_sid' and
`well_known_authenticated_users_sid'.
(cygsid::string): Define as const method.
(cygsid::get_sid): Set psid to NO_SID on error.
(cygsid::getfromstr): Ditto.
(cygsid::getfrompw): Simplify.
(cygsid::getfromgr): Check for gr == NULL.
(legal_sid_type): Move to security.h.
(set_process_privilege): Return -1 on error, otherwise 0 or 1 related
to previous privilege setting.
* security.cc (extract_nt_dom_user): Remove `static'.
(lsa2wchar): New function.
(open_local_policy): Ditto.
(close_local_policy): Ditto.
(get_lsa_srv_inf): Ditto.
(get_logon_server): Ditto.
(get_logon_server_and_user_domain): Ditto.
(get_user_groups): Ditto.
(is_group_member): Ditto.
(get_user_local_groups): Ditto.
(sid_in_token_groups): Ditto.
(get_user_primary_group): Ditto.
(get_group_sidlist): Ditto.
(get_system_priv_list): Ditto.
(get_priv_list): Ditto.
(get_dacl): Ditto.
(create_token): Ditto.
(subauth): Return immediately if SE_TCB_NAME can't be assigned.
Change all return statements in case of error to jumps to `out'
label. Add `out' label to support cleanup.
* security.h: Add extern declarations for `well_known_local_sid',
`well_known_dialup_sid', `well_known_network_sid',
`well_known_batch_sid', `well_known_interactive_sid',
`well_known_service_sid' and `well_known_authenticated_users_sid'.
Add extern declarations for functions `create_token',
`extract_nt_dom_user' and `get_logon_server_and_user_domain'.
(class cygsid): Add method `assign'. Change operator= to call new
`assign' method. Add `debug_print' method.
(class cygsidlist): New class.
(legal_sid_type): Moved from sec_helper.cc to here.
* spawn.cc (spawn_guts) Revert reversion of previous patch.
Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid'
again.
* syscalls.cc (seteuid): Rearranged. Call `create_token' now when
needed. Call `subauth' if `create_token' fails. Try setting token
owner and primary group only if token was not explicitely created
by `create_token'.
* uinfo.cc (internal_getlogin): Try harder to generate correct user
information. Especially don't trust return value of `GetUserName'.
2001-05-20 16:10:47 +08:00
|
|
|
{
|
|
|
|
psid = NO_SID;
|
|
|
|
return NULL;
|
|
|
|
}
|
2006-11-08 19:38:05 +08:00
|
|
|
sid_auth.Value[5] = s;
|
* fork.cc (fork): Eliminate superfluous call to getuid().
* security.h: New define `NO_SID'. Remove declarations of functions
moved to methods into class cygsid.
(class cygsid): Declare new methods `getfromstr', `get_sid',
`getfrompw', `getfromgr', `get_rid', `get_uid', `get_gid', `string'
and new constructors and operators =, == and !=.
Declare new global cygsids `well_known_XXX_sid' substituting the
corresponding `get_XXX_sid' functions. Remove declarations of
these functions.
* sec_helper.cc (well_known_admin_sid): New global variable.
(well_known_system_sid): Ditto
(well_known_creator_owner_sid): Ditto
(well_known_world_sid): Ditto
(cygsid::string): New method, substituting `convert_sid_to_string_sid'.
(cygsid::get_sid): New method, substituting `get_sid'.
(cygsid::getfromstr): New method, substituting
`convert_string_sid_to_sid'.
(cygsid::getfrompw): New method, substituting `get_pw_sid'.
(cygsid::getfromgr): New method, substituting `get_gr_sid'.
(cygsid::get_id): New method, substituting `get_id_from_sid'.
(get_admin_sid): Eliminated.
(get_system_sid): Ditto.
(get_creator_owner_sid): Ditto.
(get_world_sid): Ditto.
* grp.cc: Use new cygsid methods and well known sids throughout.
* registry.cc: Ditto.
* sec_acl.cc: Ditto.
* security.cc: Ditto.
* shared.cc: Ditto.
* syscalls.cc (seteuid): Ditto. Eliminate redundant conditional.
* uinfo.cc (internal_getlogin): Ditto.
* spawn.cc (spawn_guts) Revert previous patch.
2001-05-16 03:23:31 +08:00
|
|
|
set ();
|
2011-04-28 16:34:49 +08:00
|
|
|
RtlInitializeSid (psid, &sid_auth, cnt);
|
2014-05-06 20:28:33 +08:00
|
|
|
PISID dsid = (PISID) psid;
|
2001-04-20 21:02:32 +08:00
|
|
|
for (i = 0; i < cnt; ++i)
|
2014-05-06 20:02:48 +08:00
|
|
|
dsid->SubAuthority[i] = r[i];
|
2011-04-04 17:00:02 +08:00
|
|
|
/* If the well_known flag isn't set explicitely, we check the SID
|
|
|
|
for being a well-known SID ourselves. That's necessary because this
|
|
|
|
cygsid is created from a SID string, usually from /etc/passwd or
|
|
|
|
/etc/group. The calling code just doesn't know if the SID is well-known
|
|
|
|
or not. All SIDs are well-known SIDs, except those in the non-unique NT
|
|
|
|
authority range. */
|
|
|
|
if (well_known)
|
|
|
|
well_known_sid = well_known;
|
|
|
|
else
|
|
|
|
well_known_sid = (s != SECURITY_NT_AUTH
|
2012-07-06 21:49:53 +08:00
|
|
|
|| r[0] != SECURITY_NT_NON_UNIQUE);
|
2001-04-20 21:02:32 +08:00
|
|
|
return psid;
|
|
|
|
}
|
|
|
|
|
2014-02-10 03:44:56 +08:00
|
|
|
const PSID
|
|
|
|
cygsid::getfromstr (PCWSTR nsidstr, bool well_known)
|
|
|
|
{
|
|
|
|
PWCHAR lasts;
|
|
|
|
DWORD s, cnt = 0;
|
2014-05-06 20:28:33 +08:00
|
|
|
DWORD r[SID_MAX_SUB_AUTHORITIES];
|
2014-02-10 03:44:56 +08:00
|
|
|
|
|
|
|
if (nsidstr && !wcsncmp (nsidstr, L"S-1-", 4))
|
|
|
|
{
|
|
|
|
s = wcstoul (nsidstr + 4, &lasts, 10);
|
2014-05-06 20:28:33 +08:00
|
|
|
while (cnt < SID_MAX_SUB_AUTHORITIES && *lasts == '-')
|
2014-02-10 03:44:56 +08:00
|
|
|
r[cnt++] = wcstoul (lasts + 1, &lasts, 10);
|
|
|
|
if (!*lasts)
|
|
|
|
return get_sid (s, cnt, r, well_known);
|
|
|
|
}
|
|
|
|
return psid = NO_SID;
|
|
|
|
}
|
|
|
|
|
* fork.cc (fork): Eliminate superfluous call to getuid().
* security.h: New define `NO_SID'. Remove declarations of functions
moved to methods into class cygsid.
(class cygsid): Declare new methods `getfromstr', `get_sid',
`getfrompw', `getfromgr', `get_rid', `get_uid', `get_gid', `string'
and new constructors and operators =, == and !=.
Declare new global cygsids `well_known_XXX_sid' substituting the
corresponding `get_XXX_sid' functions. Remove declarations of
these functions.
* sec_helper.cc (well_known_admin_sid): New global variable.
(well_known_system_sid): Ditto
(well_known_creator_owner_sid): Ditto
(well_known_world_sid): Ditto
(cygsid::string): New method, substituting `convert_sid_to_string_sid'.
(cygsid::get_sid): New method, substituting `get_sid'.
(cygsid::getfromstr): New method, substituting
`convert_string_sid_to_sid'.
(cygsid::getfrompw): New method, substituting `get_pw_sid'.
(cygsid::getfromgr): New method, substituting `get_gr_sid'.
(cygsid::get_id): New method, substituting `get_id_from_sid'.
(get_admin_sid): Eliminated.
(get_system_sid): Ditto.
(get_creator_owner_sid): Ditto.
(get_world_sid): Ditto.
* grp.cc: Use new cygsid methods and well known sids throughout.
* registry.cc: Ditto.
* sec_acl.cc: Ditto.
* security.cc: Ditto.
* shared.cc: Ditto.
* syscalls.cc (seteuid): Ditto. Eliminate redundant conditional.
* uinfo.cc (internal_getlogin): Ditto.
* spawn.cc (spawn_guts) Revert previous patch.
2001-05-16 03:23:31 +08:00
|
|
|
const PSID
|
2006-11-27 20:59:59 +08:00
|
|
|
cygsid::getfromstr (const char *nsidstr, bool well_known)
|
2001-04-20 21:02:32 +08:00
|
|
|
{
|
2002-11-12 23:51:11 +08:00
|
|
|
char *lasts;
|
|
|
|
DWORD s, cnt = 0;
|
2014-05-06 20:28:33 +08:00
|
|
|
DWORD r[SID_MAX_SUB_AUTHORITIES];
|
2001-04-20 21:02:32 +08:00
|
|
|
|
2002-11-12 23:51:11 +08:00
|
|
|
if (nsidstr && !strncmp (nsidstr, "S-1-", 4))
|
* autoload.cc: Add load statements for `LookupAccountNameW',
`LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory',
`LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum',
`NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and
`NtCreateToken'.
* ntdll.h: Add declaration for `NtCreateToken'.
* sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid',
`well_known_network_sid', `well_known_batch_sid',
`well_known_interactive_sid', `well_known_service_sid' and
`well_known_authenticated_users_sid'.
(cygsid::string): Define as const method.
(cygsid::get_sid): Set psid to NO_SID on error.
(cygsid::getfromstr): Ditto.
(cygsid::getfrompw): Simplify.
(cygsid::getfromgr): Check for gr == NULL.
(legal_sid_type): Move to security.h.
(set_process_privilege): Return -1 on error, otherwise 0 or 1 related
to previous privilege setting.
* security.cc (extract_nt_dom_user): Remove `static'.
(lsa2wchar): New function.
(open_local_policy): Ditto.
(close_local_policy): Ditto.
(get_lsa_srv_inf): Ditto.
(get_logon_server): Ditto.
(get_logon_server_and_user_domain): Ditto.
(get_user_groups): Ditto.
(is_group_member): Ditto.
(get_user_local_groups): Ditto.
(sid_in_token_groups): Ditto.
(get_user_primary_group): Ditto.
(get_group_sidlist): Ditto.
(get_system_priv_list): Ditto.
(get_priv_list): Ditto.
(get_dacl): Ditto.
(create_token): Ditto.
(subauth): Return immediately if SE_TCB_NAME can't be assigned.
Change all return statements in case of error to jumps to `out'
label. Add `out' label to support cleanup.
* security.h: Add extern declarations for `well_known_local_sid',
`well_known_dialup_sid', `well_known_network_sid',
`well_known_batch_sid', `well_known_interactive_sid',
`well_known_service_sid' and `well_known_authenticated_users_sid'.
Add extern declarations for functions `create_token',
`extract_nt_dom_user' and `get_logon_server_and_user_domain'.
(class cygsid): Add method `assign'. Change operator= to call new
`assign' method. Add `debug_print' method.
(class cygsidlist): New class.
(legal_sid_type): Moved from sec_helper.cc to here.
* spawn.cc (spawn_guts) Revert reversion of previous patch.
Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid'
again.
* syscalls.cc (seteuid): Rearranged. Call `create_token' now when
needed. Call `subauth' if `create_token' fails. Try setting token
owner and primary group only if token was not explicitely created
by `create_token'.
* uinfo.cc (internal_getlogin): Try harder to generate correct user
information. Especially don't trust return value of `GetUserName'.
2001-05-20 16:10:47 +08:00
|
|
|
{
|
2002-11-12 23:51:11 +08:00
|
|
|
s = strtoul (nsidstr + 4, &lasts, 10);
|
2014-05-06 20:28:33 +08:00
|
|
|
while (cnt < SID_MAX_SUB_AUTHORITIES && *lasts == '-')
|
2002-11-12 23:51:11 +08:00
|
|
|
r[cnt++] = strtoul (lasts + 1, &lasts, 10);
|
|
|
|
if (!*lasts)
|
2006-11-27 20:59:59 +08:00
|
|
|
return get_sid (s, cnt, r, well_known);
|
* autoload.cc: Add load statements for `LookupAccountNameW',
`LsaClose', `LsaEnumerateAccountRights', `LsaFreeMemory',
`LsaOpenPolicy', `LsaQueryInformationPolicy', `NetLocalGroupEnum',
`NetLocalGroupGetMembers', `NetServerEnum', `NetUserGetGroups' and
`NtCreateToken'.
* ntdll.h: Add declaration for `NtCreateToken'.
* sec_helper.cc: Add `well_known_local_sid', `well_known_dialup_sid',
`well_known_network_sid', `well_known_batch_sid',
`well_known_interactive_sid', `well_known_service_sid' and
`well_known_authenticated_users_sid'.
(cygsid::string): Define as const method.
(cygsid::get_sid): Set psid to NO_SID on error.
(cygsid::getfromstr): Ditto.
(cygsid::getfrompw): Simplify.
(cygsid::getfromgr): Check for gr == NULL.
(legal_sid_type): Move to security.h.
(set_process_privilege): Return -1 on error, otherwise 0 or 1 related
to previous privilege setting.
* security.cc (extract_nt_dom_user): Remove `static'.
(lsa2wchar): New function.
(open_local_policy): Ditto.
(close_local_policy): Ditto.
(get_lsa_srv_inf): Ditto.
(get_logon_server): Ditto.
(get_logon_server_and_user_domain): Ditto.
(get_user_groups): Ditto.
(is_group_member): Ditto.
(get_user_local_groups): Ditto.
(sid_in_token_groups): Ditto.
(get_user_primary_group): Ditto.
(get_group_sidlist): Ditto.
(get_system_priv_list): Ditto.
(get_priv_list): Ditto.
(get_dacl): Ditto.
(create_token): Ditto.
(subauth): Return immediately if SE_TCB_NAME can't be assigned.
Change all return statements in case of error to jumps to `out'
label. Add `out' label to support cleanup.
* security.h: Add extern declarations for `well_known_local_sid',
`well_known_dialup_sid', `well_known_network_sid',
`well_known_batch_sid', `well_known_interactive_sid',
`well_known_service_sid' and `well_known_authenticated_users_sid'.
Add extern declarations for functions `create_token',
`extract_nt_dom_user' and `get_logon_server_and_user_domain'.
(class cygsid): Add method `assign'. Change operator= to call new
`assign' method. Add `debug_print' method.
(class cygsidlist): New class.
(legal_sid_type): Moved from sec_helper.cc to here.
* spawn.cc (spawn_guts) Revert reversion of previous patch.
Call `RevertToSelf' and `ImpersonateLoggedOnUser' instead of `seteuid'
again.
* syscalls.cc (seteuid): Rearranged. Call `create_token' now when
needed. Call `subauth' if `create_token' fails. Try setting token
owner and primary group only if token was not explicitely created
by `create_token'.
* uinfo.cc (internal_getlogin): Try harder to generate correct user
information. Especially don't trust return value of `GetUserName'.
2001-05-20 16:10:47 +08:00
|
|
|
}
|
2002-11-12 23:51:11 +08:00
|
|
|
return psid = NO_SID;
|
2001-04-20 21:02:32 +08:00
|
|
|
}
|
|
|
|
|
2016-03-12 23:39:19 +08:00
|
|
|
const PSID
|
|
|
|
cygsid::create (DWORD auth, DWORD subauth_cnt, ...)
|
|
|
|
{
|
|
|
|
va_list ap;
|
|
|
|
PSID sid;
|
|
|
|
|
|
|
|
if (subauth_cnt > SID_MAX_SUB_AUTHORITIES)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
DWORD subauth[subauth_cnt];
|
|
|
|
|
|
|
|
va_start (ap, subauth_cnt);
|
|
|
|
for (DWORD i = 0; i < subauth_cnt; ++i)
|
|
|
|
subauth[i] = va_arg (ap, DWORD);
|
|
|
|
sid = get_sid (auth, subauth_cnt, subauth, false);
|
|
|
|
va_end (ap);
|
|
|
|
return sid;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool
|
|
|
|
cygsid::append (DWORD rid)
|
|
|
|
{
|
|
|
|
if (psid == NO_SID)
|
|
|
|
return false;
|
|
|
|
PISID dsid = (PISID) psid;
|
|
|
|
if (dsid->SubAuthorityCount >= SID_MAX_SUB_AUTHORITIES)
|
|
|
|
return false;
|
|
|
|
dsid->SubAuthority[dsid->SubAuthorityCount++] = rid;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2006-11-27 20:59:59 +08:00
|
|
|
cygsid *
|
|
|
|
cygsidlist::alloc_sids (int n)
|
|
|
|
{
|
|
|
|
if (n > 0)
|
|
|
|
return (cygsid *) cmalloc (HEAP_STR, n * sizeof (cygsid));
|
|
|
|
else
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
cygsidlist::free_sids ()
|
|
|
|
{
|
|
|
|
if (sids)
|
|
|
|
cfree (sids);
|
|
|
|
sids = NULL;
|
|
|
|
cnt = maxcnt = 0;
|
|
|
|
type = cygsidlist_empty;
|
|
|
|
}
|
|
|
|
|
|
|
|
BOOL
|
|
|
|
cygsidlist::add (const PSID nsi, bool well_known)
|
2007-02-20 08:16:18 +08:00
|
|
|
{
|
|
|
|
if (contains (nsi))
|
2006-11-27 20:59:59 +08:00
|
|
|
return TRUE;
|
|
|
|
if (cnt >= maxcnt)
|
|
|
|
{
|
|
|
|
cygsid *tmp = new cygsid [2 * maxcnt];
|
2007-02-20 08:16:18 +08:00
|
|
|
if (!tmp)
|
2006-11-27 20:59:59 +08:00
|
|
|
return FALSE;
|
|
|
|
maxcnt *= 2;
|
|
|
|
for (int i = 0; i < cnt; ++i)
|
|
|
|
tmp[i] = sids[i];
|
|
|
|
delete [] sids;
|
|
|
|
sids = tmp;
|
|
|
|
}
|
2007-02-20 08:16:18 +08:00
|
|
|
if (well_known)
|
2006-11-27 20:59:59 +08:00
|
|
|
sids[cnt++] *= nsi;
|
|
|
|
else
|
|
|
|
sids[cnt++] = nsi;
|
|
|
|
return TRUE;
|
2007-02-20 08:16:18 +08:00
|
|
|
}
|
2006-11-27 20:59:59 +08:00
|
|
|
|
2003-11-26 21:23:27 +08:00
|
|
|
PSECURITY_DESCRIPTOR
|
|
|
|
security_descriptor::malloc (size_t nsize)
|
|
|
|
{
|
2006-10-22 22:57:43 +08:00
|
|
|
free ();
|
|
|
|
if ((psd = (PSECURITY_DESCRIPTOR) ::malloc (nsize)))
|
2006-12-21 01:14:23 +08:00
|
|
|
sd_size = nsize;
|
2003-11-26 21:23:27 +08:00
|
|
|
return psd;
|
|
|
|
}
|
|
|
|
|
|
|
|
PSECURITY_DESCRIPTOR
|
|
|
|
security_descriptor::realloc (size_t nsize)
|
|
|
|
{
|
2006-10-22 22:57:43 +08:00
|
|
|
PSECURITY_DESCRIPTOR tmp;
|
2007-02-20 08:16:18 +08:00
|
|
|
|
2009-10-31 17:31:47 +08:00
|
|
|
/* Can't re-use buffer allocated by GetSecurityInfo. */
|
|
|
|
if (psd && !sd_size)
|
|
|
|
free ();
|
2006-12-21 01:14:23 +08:00
|
|
|
if (!(tmp = (PSECURITY_DESCRIPTOR) ::realloc (psd, nsize)))
|
|
|
|
return NULL;
|
2003-11-26 21:23:27 +08:00
|
|
|
sd_size = nsize;
|
|
|
|
return psd = tmp;
|
|
|
|
}
|
|
|
|
|
|
|
|
void
|
2005-07-05 11:16:46 +08:00
|
|
|
security_descriptor::free ()
|
2003-11-26 21:23:27 +08:00
|
|
|
{
|
|
|
|
if (psd)
|
2009-10-31 03:58:53 +08:00
|
|
|
{
|
|
|
|
if (!sd_size)
|
|
|
|
LocalFree (psd);
|
|
|
|
else
|
|
|
|
::free (psd);
|
|
|
|
}
|
2003-11-26 21:23:27 +08:00
|
|
|
psd = NULL;
|
|
|
|
sd_size = 0;
|
|
|
|
}
|
|
|
|
|
2008-07-11 18:00:36 +08:00
|
|
|
#undef TEXT
|
|
|
|
#define TEXT(q) L##q
|
|
|
|
|
2011-10-16 00:31:57 +08:00
|
|
|
/* Index must match the corresponding foo_PRIVILEGE value, see security.h. */
|
|
|
|
static const struct {
|
|
|
|
const wchar_t *name;
|
2011-12-18 07:39:47 +08:00
|
|
|
bool high_integrity; /* UAC: High Mandatory Label required to
|
2011-10-16 00:31:57 +08:00
|
|
|
be allowed to enable this privilege in
|
|
|
|
the user token. */
|
|
|
|
} cygpriv[] =
|
2001-04-21 04:36:13 +08:00
|
|
|
{
|
2011-10-16 00:31:57 +08:00
|
|
|
{ L"", false },
|
|
|
|
{ L"", false },
|
|
|
|
{ SE_CREATE_TOKEN_NAME, true },
|
|
|
|
{ SE_ASSIGNPRIMARYTOKEN_NAME, true },
|
|
|
|
{ SE_LOCK_MEMORY_NAME, false },
|
|
|
|
{ SE_INCREASE_QUOTA_NAME, true },
|
|
|
|
{ SE_MACHINE_ACCOUNT_NAME, false },
|
|
|
|
{ SE_TCB_NAME, true },
|
|
|
|
{ SE_SECURITY_NAME, true },
|
|
|
|
{ SE_TAKE_OWNERSHIP_NAME, true },
|
|
|
|
{ SE_LOAD_DRIVER_NAME, true },
|
|
|
|
{ SE_SYSTEM_PROFILE_NAME, true },
|
|
|
|
{ SE_SYSTEMTIME_NAME, true },
|
|
|
|
{ SE_PROF_SINGLE_PROCESS_NAME, true },
|
|
|
|
{ SE_INC_BASE_PRIORITY_NAME, true },
|
|
|
|
{ SE_CREATE_PAGEFILE_NAME, true },
|
|
|
|
{ SE_CREATE_PERMANENT_NAME, false },
|
|
|
|
{ SE_BACKUP_NAME, true },
|
|
|
|
{ SE_RESTORE_NAME, true },
|
|
|
|
{ SE_SHUTDOWN_NAME, false },
|
|
|
|
{ SE_DEBUG_NAME, true },
|
|
|
|
{ SE_AUDIT_NAME, false },
|
|
|
|
{ SE_SYSTEM_ENVIRONMENT_NAME, true },
|
|
|
|
{ SE_CHANGE_NOTIFY_NAME, false },
|
|
|
|
{ SE_REMOTE_SHUTDOWN_NAME, true },
|
|
|
|
{ SE_UNDOCK_NAME, false },
|
|
|
|
{ SE_SYNC_AGENT_NAME, false },
|
|
|
|
{ SE_ENABLE_DELEGATION_NAME, false },
|
|
|
|
{ SE_MANAGE_VOLUME_NAME, true },
|
|
|
|
{ SE_IMPERSONATE_NAME, true },
|
|
|
|
{ SE_CREATE_GLOBAL_NAME, false },
|
|
|
|
{ SE_TRUSTED_CREDMAN_ACCESS_NAME, false },
|
|
|
|
{ SE_RELABEL_NAME, true },
|
2012-07-06 21:49:53 +08:00
|
|
|
{ SE_INC_WORKING_SET_NAME, false },
|
2011-10-16 00:31:57 +08:00
|
|
|
{ SE_TIME_ZONE_NAME, true },
|
|
|
|
{ SE_CREATE_SYMBOLIC_LINK_NAME, true }
|
2005-04-03 21:06:43 +08:00
|
|
|
};
|
2001-04-21 04:36:13 +08:00
|
|
|
|
2007-07-19 16:33:22 +08:00
|
|
|
bool
|
2011-10-16 00:31:57 +08:00
|
|
|
privilege_luid (const PWCHAR pname, LUID &luid, bool &high_integrity)
|
2005-04-03 21:06:43 +08:00
|
|
|
{
|
2007-07-19 16:33:22 +08:00
|
|
|
ULONG idx;
|
|
|
|
for (idx = SE_CREATE_TOKEN_PRIVILEGE;
|
|
|
|
idx <= SE_MAX_WELL_KNOWN_PRIVILEGE;
|
|
|
|
++idx)
|
2011-10-16 00:31:57 +08:00
|
|
|
if (!wcscmp (cygpriv[idx].name, pname))
|
2007-07-19 16:33:22 +08:00
|
|
|
{
|
2011-10-16 00:31:57 +08:00
|
|
|
luid.HighPart = 0;
|
|
|
|
luid.LowPart = idx;
|
|
|
|
high_integrity = cygpriv[idx].high_integrity;
|
2007-07-19 16:33:22 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
2005-04-03 21:06:43 +08:00
|
|
|
}
|
|
|
|
|
2008-07-11 18:00:36 +08:00
|
|
|
static const wchar_t *
|
2007-07-19 16:33:22 +08:00
|
|
|
privilege_name (const LUID &priv_luid)
|
2005-04-03 21:06:43 +08:00
|
|
|
{
|
2007-07-19 16:33:22 +08:00
|
|
|
if (priv_luid.HighPart || priv_luid.LowPart < SE_CREATE_TOKEN_PRIVILEGE
|
|
|
|
|| priv_luid.LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE)
|
2008-07-11 18:00:36 +08:00
|
|
|
return L"<unknown privilege>";
|
2011-10-16 00:31:57 +08:00
|
|
|
return cygpriv[priv_luid.LowPart].name;
|
2005-04-03 21:06:43 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
int
|
2007-07-19 16:33:22 +08:00
|
|
|
set_privilege (HANDLE token, DWORD privilege, bool enable)
|
2005-04-03 21:06:43 +08:00
|
|
|
{
|
|
|
|
int ret = -1;
|
|
|
|
TOKEN_PRIVILEGES new_priv, orig_priv;
|
2007-07-19 16:33:22 +08:00
|
|
|
ULONG size;
|
|
|
|
NTSTATUS status;
|
2001-04-21 04:36:13 +08:00
|
|
|
|
|
|
|
new_priv.PrivilegeCount = 1;
|
2007-07-19 16:33:22 +08:00
|
|
|
new_priv.Privileges[0].Luid.HighPart = 0L;
|
|
|
|
new_priv.Privileges[0].Luid.LowPart = privilege;
|
2001-04-21 04:36:13 +08:00
|
|
|
new_priv.Privileges[0].Attributes = enable ? SE_PRIVILEGE_ENABLED : 0;
|
|
|
|
|
2007-07-19 16:33:22 +08:00
|
|
|
status = NtAdjustPrivilegesToken (token, FALSE, &new_priv, sizeof orig_priv,
|
|
|
|
&orig_priv, &size);
|
|
|
|
if (!NT_SUCCESS (status))
|
2001-04-21 04:36:13 +08:00
|
|
|
{
|
2007-07-19 16:33:22 +08:00
|
|
|
__seterrno_from_nt_status (status);
|
2001-04-21 04:36:13 +08:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2005-04-03 21:06:43 +08:00
|
|
|
/* If orig_priv.PrivilegeCount is 0, the privilege hasn't been changed. */
|
|
|
|
if (!orig_priv.PrivilegeCount)
|
|
|
|
ret = enable ? 1 : 0;
|
|
|
|
else
|
|
|
|
ret = (orig_priv.Privileges[0].Attributes & SE_PRIVILEGE_ENABLED) ? 1 : 0;
|
2001-04-21 04:36:13 +08:00
|
|
|
|
|
|
|
out:
|
2007-03-30 00:37:36 +08:00
|
|
|
if (ret < 0)
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("%d = set_privilege((token %p) %W, %d)", ret, token,
|
2007-07-19 16:33:22 +08:00
|
|
|
privilege_name (new_priv.Privileges[0].Luid), enable);
|
2001-04-21 04:36:13 +08:00
|
|
|
return ret;
|
|
|
|
}
|
2002-07-01 22:31:28 +08:00
|
|
|
|
2007-03-30 00:37:36 +08:00
|
|
|
/* This is called very early in process initialization. The code must
|
|
|
|
not depend on anything. */
|
2004-04-17 05:22:13 +08:00
|
|
|
void
|
2005-04-03 21:06:43 +08:00
|
|
|
set_cygwin_privileges (HANDLE token)
|
2004-04-17 05:22:13 +08:00
|
|
|
{
|
2010-04-16 01:17:59 +08:00
|
|
|
/* Setting these rights at process startup allows processes running under
|
|
|
|
user tokens which are in the administrstors group to have root-like
|
|
|
|
permissions. */
|
|
|
|
/* Allow to access all files, independent of their ACL settings. */
|
2007-07-19 16:33:22 +08:00
|
|
|
set_privilege (token, SE_RESTORE_PRIVILEGE, true);
|
|
|
|
set_privilege (token, SE_BACKUP_PRIVILEGE, true);
|
2010-04-16 01:17:59 +08:00
|
|
|
/* Allow full access to other user's processes. */
|
|
|
|
set_privilege (token, SE_DEBUG_PRIVILEGE, true);
|
2011-10-16 00:31:57 +08:00
|
|
|
#if 0
|
|
|
|
/* Allow to create global shared memory. This isn't required anymore since
|
2010-04-16 01:17:59 +08:00
|
|
|
Cygwin 1.7. It uses its own subdirectories in the global NT namespace
|
2011-10-16 00:31:57 +08:00
|
|
|
which isn't affected by the SE_CREATE_GLOBAL_PRIVILEGE restriction. */
|
2013-04-23 17:44:36 +08:00
|
|
|
set_privilege (token, SE_CREATE_GLOBAL_PRIVILEGE, true);
|
2011-10-16 00:31:57 +08:00
|
|
|
#endif
|
2004-04-17 05:22:13 +08:00
|
|
|
}
|
|
|
|
|
2003-12-08 06:37:12 +08:00
|
|
|
bool
|
2003-09-16 08:45:50 +08:00
|
|
|
sec_acl (PACL acl, bool original, bool admins, PSID sid1, PSID sid2, DWORD access2)
|
2002-07-01 22:31:28 +08:00
|
|
|
{
|
2011-04-28 17:30:36 +08:00
|
|
|
NTSTATUS status;
|
2010-04-17 23:51:09 +08:00
|
|
|
size_t acl_len = MAX_DACL_LEN (5);
|
2003-09-27 09:56:36 +08:00
|
|
|
LPVOID pAce;
|
2003-09-16 08:45:50 +08:00
|
|
|
cygpsid psid;
|
2002-07-01 22:31:28 +08:00
|
|
|
|
2005-06-08 03:31:42 +08:00
|
|
|
#ifdef DEBUGGING
|
|
|
|
if ((unsigned long) acl % 4)
|
|
|
|
api_fatal ("Incorrectly aligned incoming ACL buffer!");
|
|
|
|
#endif
|
2011-04-28 17:30:36 +08:00
|
|
|
status = RtlCreateAcl (acl, acl_len, ACL_REVISION);
|
|
|
|
if (!NT_SUCCESS (status))
|
2002-07-01 22:31:28 +08:00
|
|
|
{
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlCreateAcl: %y", status);
|
2003-12-08 06:37:12 +08:00
|
|
|
return false;
|
2002-07-01 22:31:28 +08:00
|
|
|
}
|
|
|
|
if (sid1)
|
2011-04-29 18:38:12 +08:00
|
|
|
{
|
|
|
|
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, sid1);
|
|
|
|
if (!NT_SUCCESS (status))
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlAddAccessAllowedAce(sid1) %y", status);
|
2011-04-29 18:38:12 +08:00
|
|
|
}
|
2003-09-16 17:24:52 +08:00
|
|
|
if (original && (psid = cygheap->user.saved_sid ())
|
2003-09-16 08:45:50 +08:00
|
|
|
&& psid != sid1 && psid != well_known_system_sid)
|
2011-04-29 18:38:12 +08:00
|
|
|
{
|
|
|
|
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL, psid);
|
|
|
|
if (!NT_SUCCESS (status))
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlAddAccessAllowedAce(original) %y", status);
|
2011-04-29 18:38:12 +08:00
|
|
|
}
|
2003-09-16 08:45:50 +08:00
|
|
|
if (sid2)
|
2011-04-29 18:38:12 +08:00
|
|
|
{
|
|
|
|
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, access2, sid2);
|
|
|
|
if (!NT_SUCCESS (status))
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlAddAccessAllowedAce(sid2) %y", status);
|
2011-04-29 18:38:12 +08:00
|
|
|
}
|
2002-07-01 22:31:28 +08:00
|
|
|
if (admins)
|
2011-04-29 18:38:12 +08:00
|
|
|
{
|
|
|
|
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL,
|
|
|
|
well_known_admins_sid);
|
|
|
|
if (!NT_SUCCESS (status))
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlAddAccessAllowedAce(admin) %y", status);
|
2011-04-29 18:38:12 +08:00
|
|
|
}
|
|
|
|
status = RtlAddAccessAllowedAce (acl, ACL_REVISION, GENERIC_ALL,
|
|
|
|
well_known_system_sid);
|
|
|
|
if (!NT_SUCCESS (status))
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlAddAccessAllowedAce(system) %y", status);
|
2011-04-28 17:30:36 +08:00
|
|
|
status = RtlFirstFreeAce (acl, &pAce);
|
|
|
|
if (NT_SUCCESS (status) && pAce)
|
2003-09-27 09:56:36 +08:00
|
|
|
acl->AclSize = (char *) pAce - (char *) acl;
|
|
|
|
else
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlFirstFreeAce: %y", status);
|
2003-09-27 09:56:36 +08:00
|
|
|
|
2003-12-08 06:37:12 +08:00
|
|
|
return true;
|
2002-07-01 22:31:28 +08:00
|
|
|
}
|
|
|
|
|
2022-05-24 03:52:52 +08:00
|
|
|
PSECURITY_ATTRIBUTES
|
2003-09-16 08:45:50 +08:00
|
|
|
__sec_user (PVOID sa_buf, PSID sid1, PSID sid2, DWORD access2, BOOL inherit)
|
2002-07-01 22:31:28 +08:00
|
|
|
{
|
|
|
|
PSECURITY_ATTRIBUTES psa = (PSECURITY_ATTRIBUTES) sa_buf;
|
2012-07-06 21:49:53 +08:00
|
|
|
PISECURITY_DESCRIPTOR psd = (PISECURITY_DESCRIPTOR)
|
2002-07-01 22:31:28 +08:00
|
|
|
((char *) sa_buf + sizeof (*psa));
|
|
|
|
PACL acl = (PACL) ((char *) sa_buf + sizeof (*psa) + sizeof (*psd));
|
2011-04-28 23:54:47 +08:00
|
|
|
NTSTATUS status;
|
2002-07-01 22:31:28 +08:00
|
|
|
|
2005-06-08 03:31:42 +08:00
|
|
|
#ifdef DEBUGGING
|
|
|
|
if ((unsigned long) sa_buf % 4)
|
|
|
|
api_fatal ("Incorrectly aligned incoming SA buffer!");
|
|
|
|
#endif
|
2007-02-23 23:15:50 +08:00
|
|
|
if (!sec_acl (acl, true, true, sid1, sid2, access2))
|
2002-07-01 22:31:28 +08:00
|
|
|
return inherit ? &sec_none : &sec_none_nih;
|
|
|
|
|
2011-04-28 17:30:36 +08:00
|
|
|
RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
|
2011-04-28 23:54:47 +08:00
|
|
|
status = RtlSetDaclSecurityDescriptor (psd, TRUE, acl, FALSE);
|
|
|
|
if (!NT_SUCCESS (status))
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlSetDaclSecurityDescriptor %y", status);
|
2002-07-01 22:31:28 +08:00
|
|
|
|
|
|
|
psa->nLength = sizeof (SECURITY_ATTRIBUTES);
|
|
|
|
psa->lpSecurityDescriptor = psd;
|
|
|
|
psa->bInheritHandle = inherit;
|
|
|
|
return psa;
|
|
|
|
}
|
2008-04-19 04:13:37 +08:00
|
|
|
|
2012-06-04 00:46:53 +08:00
|
|
|
/* Helper function to create a file security descriptor which allows
|
|
|
|
full access to admins, system, and the sid given as parameter. See
|
|
|
|
try_to_bin for how it's used. */
|
|
|
|
|
|
|
|
PSECURITY_DESCRIPTOR
|
|
|
|
_recycler_sd (void *buf, bool users, bool dir)
|
|
|
|
{
|
|
|
|
NTSTATUS status;
|
2012-07-06 21:49:53 +08:00
|
|
|
PISECURITY_DESCRIPTOR psd = (PISECURITY_DESCRIPTOR) buf;
|
2012-08-17 07:34:45 +08:00
|
|
|
|
2012-06-04 00:46:53 +08:00
|
|
|
if (!psd)
|
|
|
|
return NULL;
|
|
|
|
RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
|
|
|
|
PACL dacl = (PACL) (psd + 1);
|
|
|
|
RtlCreateAcl (dacl, MAX_DACL_LEN (3), ACL_REVISION);
|
|
|
|
RtlAddAccessAllowedAceEx (dacl, ACL_REVISION,
|
Reapply POSIX ACL changes.
- New, unified implementation of POSIX permission and ACL handling. The
new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and
they allow to inherit the S_ISGID bit. ACL inheritance now really
works as desired, in a limited, but theoretically equivalent fashion
even for non-Cygwin processes.
To accommodate Windows default ACLs, the new code ignores SYSTEM and
Administrators group permissions when computing the MASK/CLASS_OBJ
permission mask on old ACLs, and it doesn't deny access to SYSTEM and
Administrators group based on the value of MASK/CLASS_OBJ when
creating the new ACLs.
The new code now handles the S_ISGID bit on directories as on Linux:
Setting S_ISGID on a directory causes new files and subdirs created
within to inherit its group, rather than the primary group of the user
who created the file. This only works for files and directories
created by Cygwin processes.
2015-05-29 Corinna Vinschen <corinna@vinschen.de>
Reapply POSIX ACL changes.
* utils.xml (setfacl): Show new option output.
(getfacl): Show new option output.
* sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL.
Apply umask, if so. Align comments.
* security.cc (set_created_file_access): Fix permission masking by
incoming requested file mode.
* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
for SYSTEM and Admins group.
* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
* fhandler.h (fhandler_pty_slave::facl): Add prototype.
* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
(fhandler_pty_slave::fchown): Fix uid/gid handling.
* sec_acl.cc (set_posix_access): Drop superfluous class_idx variable.
Simplify and move around code in a few places. To improve ACL
readability, add r/w permissions to Admins ACE appended to pty ACL.
Add comment to explain Windows ACE Mask filtering being in the way of
creating a real CLASS_OBJ.
(get_posix_access): Fake CLASS_OBJ for ptys. Explain why.
* security.cc (get_object_attribute): Add S_IFCHR flag to attributes
when calling get_posix_access.
* sec_acl.cc (set_posix_access): Move merging group perms into owner
perms in case of owner == group after mask has been computed. Take
mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE.
* sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw
the ACCESS_ALLOWED_ACE.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly
set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment
to explain why.
* security.cc (set_created_file_access): Ditto.
* sec_acl.cc (set_posix_access): Replace previous patch. Return
EINVAL if uid and/or guid is invalid and not backed by an actual
Windows account.
* sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL.
* sec_acl.cc (set_posix_access): Handle files with owner == group.
Rephrase switch statement checking against unfiltered a_type value.
(get_posix_access): Handle files with owner == group.
* sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up
CLASS_OBJ mask on old-style ACLs. Fix a comment.
* sec_acl.cc (set_posix_access): Always make sure Admins have
WRITE_DAC and WRITE_OWNER permissions.
* security.h (create_object_sd_from_attribute): Drop handle parameter
from prototype.
* security.cc (create_object_sd_from_attribute): Drop handle parameter.
Just create the standard POSIXy security descriptor.
(set_object_attribute): Accommodate dropped paramter in call to
create_object_sd_from_attribute.
* fhandler_tty.cc: Ditto, throughout.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in
mask computation.
* fhandler.cc (fhandler_base::open_with_arch): Call open with mode
not umasked.
(fhandler_base::open): Explicitely umask mode on NFS here. Call new
set_created_file_access rather than set_file_attribute.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement
setting permissions on filesystems supporting ACLs using the new
set_posix_access call.
(fhandler_disk_file::fchown): Ditto.
(fhandler_disk_file::mkdir): Call new set_created_file_access rather
than set_file_attribute.
* fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add
WRITE_OWNER access to allow writing group in case of SGID bit set.
Call new set_created_file_access rather than set_file_attribute.
* path.cc (symlink_worker): Call new set_created_file_access rather
than set_file_attribute.
* sec_acl.cc (searchace): Un-staticize.
(set_posix_access): New, complementary functionality to
get_posix_access.
(setacl): Implement in terms of get_posix_access/set_posix_access.
(get_posix_access): Add handling for just created files requiring
their first Cygwin ACL. Fix new_style recognition. Handle SGID
bit. For old-style ACLs, ignore SYSTEM and Administrators when
computing the {DEF_}CLASS_OBJ perms.
* security.cc (get_file_sd): Revamp comment. Change and (hopefully)
speed up inheritance processing for just created files.
(alloc_sd): Remove.
(set_security_attribute): Call set_posix_access instead of alloc_sd.
(get_object_attribute): Fix return value.
(create_object_sd_from_attribute): Call set_posix_access instead of
alloc_sd.
(set_file_attribute): Remove.
(set_created_file_access): New function implemented in terms of
get_posix_access/set_posix_access.
* security.h (set_file_attribute): Remove prototype.
(set_created_file_access): Add prototype.
(searchace): Ditto.
(set_posix_access): Ditto.
* syscalls.cc (open): Call open_with_arch with mode not umasked.
* sec_acl.cc: Change preceeding comment explaining new-style ACLs.
Describe how to generate deny ACEs in more detail. Accommodate the
fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than
a special Cygwin ACE. Improve further comments.
(CYG_ACE_NEW_STYLE): Define.
(get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix
CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single
NULL deny ACE if the inheritance flags say so.
* sec_helper.cc (well_known_cygwin_sid): Remove.
* security.h (well_known_cygwin_sid): Drop declaration.
* sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo.
(get_posix_access): Rename index variable from i to idx. Define only
once at top level.
* security.cc (add_access_allowed_ace): Drop unused parameter "offset".
Accommodate throughout.
(add_access_denied_ace): Ditto.
* sec_acl.cc: Accommodate above change throughout.
* security.h (add_access_allowed_ace): Adjust prototype to above change.
(add_access_denied_ace): Ditto.
* sec_acl.cc (get_posix_access): Handle multiple ACEs for the
owner and primary group of the file. Handle the default primary
group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit
set. Add comments. Minor code rearrangements.
Preliminary read side implementation of new permission handling.
* acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain.
* sec_acl.cc: Add leading comment to explain new ACL style.
Add definitions and macros to use for bits in new Cygwin ACL.
(DENY_RWX): New mask value for all temporary deny bits.
(getace): Add bool parameter to decide when leaving all bits intact,
rather than filtering them per the already set bits.
(get_posix_access): New function, taking over functionality to read
POSIX ACL from SECURITY_DESCRIPTOR.
(getacl): Just call get_posix_access.
* sec_helper.cc (well_known_cygwin_sid): Define.
* security.cc (get_attribute_from_acl): Remove.
(get_info_from_sd): Remove.
(get_reg_sd): Call get_posix_access instead of get_info_from_sd.
(get_file_attribute): Ditto.
(get_object_attribute): Ditto.
* security.h (well_known_cygwin_sid): Declare.
(get_posix_access): Add prototype.
* Throughout, use simpler ACE macros from Windows' accctrl.h.
* getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
* setfacl.c: Align more to Linux tool.
(delacl): New function to delete acl entries only.
(modacl): Drop delete functionality. Add handling of recomputing the
mask and default mask values.
(delallacl): Rename from delacl.
(setfacl): Call delacl in Delete case. Call delallacl in DeleteAll
and DeleteDef case.
(usage): Accommodate new options. Rearrange and rephrase slightly.
(longopts): Emit 'x' in --delete case. Add --no-mask and --mask
options.
(opts): Add -x and -n options.
(main): Handle -d and -x the same. Handle -n and --mask options.
Drop handling for -r option.
* getfacl.c (usage): Align more closely to Linux version. Add new
options -c, -e, -E. Change formatting to accommodate longer options.
(longopts): Rename --noname to --numeric. Keep --noname for backward
compatibility. Add --omit-header, --all-effective and --no-effective
options.
(opts): Add -c, -e and -E option.
(main): Handle new -c, -e, and -E options.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 17:52:29 +08:00
|
|
|
dir ? SUB_CONTAINERS_AND_OBJECTS_INHERIT
|
2012-06-04 00:46:53 +08:00
|
|
|
: NO_INHERITANCE,
|
|
|
|
FILE_ALL_ACCESS, well_known_admins_sid);
|
|
|
|
RtlAddAccessAllowedAceEx (dacl, ACL_REVISION,
|
Reapply POSIX ACL changes.
- New, unified implementation of POSIX permission and ACL handling. The
new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and
they allow to inherit the S_ISGID bit. ACL inheritance now really
works as desired, in a limited, but theoretically equivalent fashion
even for non-Cygwin processes.
To accommodate Windows default ACLs, the new code ignores SYSTEM and
Administrators group permissions when computing the MASK/CLASS_OBJ
permission mask on old ACLs, and it doesn't deny access to SYSTEM and
Administrators group based on the value of MASK/CLASS_OBJ when
creating the new ACLs.
The new code now handles the S_ISGID bit on directories as on Linux:
Setting S_ISGID on a directory causes new files and subdirs created
within to inherit its group, rather than the primary group of the user
who created the file. This only works for files and directories
created by Cygwin processes.
2015-05-29 Corinna Vinschen <corinna@vinschen.de>
Reapply POSIX ACL changes.
* utils.xml (setfacl): Show new option output.
(getfacl): Show new option output.
* sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL.
Apply umask, if so. Align comments.
* security.cc (set_created_file_access): Fix permission masking by
incoming requested file mode.
* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
for SYSTEM and Admins group.
* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
* fhandler.h (fhandler_pty_slave::facl): Add prototype.
* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
(fhandler_pty_slave::fchown): Fix uid/gid handling.
* sec_acl.cc (set_posix_access): Drop superfluous class_idx variable.
Simplify and move around code in a few places. To improve ACL
readability, add r/w permissions to Admins ACE appended to pty ACL.
Add comment to explain Windows ACE Mask filtering being in the way of
creating a real CLASS_OBJ.
(get_posix_access): Fake CLASS_OBJ for ptys. Explain why.
* security.cc (get_object_attribute): Add S_IFCHR flag to attributes
when calling get_posix_access.
* sec_acl.cc (set_posix_access): Move merging group perms into owner
perms in case of owner == group after mask has been computed. Take
mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE.
* sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw
the ACCESS_ALLOWED_ACE.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly
set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment
to explain why.
* security.cc (set_created_file_access): Ditto.
* sec_acl.cc (set_posix_access): Replace previous patch. Return
EINVAL if uid and/or guid is invalid and not backed by an actual
Windows account.
* sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL.
* sec_acl.cc (set_posix_access): Handle files with owner == group.
Rephrase switch statement checking against unfiltered a_type value.
(get_posix_access): Handle files with owner == group.
* sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up
CLASS_OBJ mask on old-style ACLs. Fix a comment.
* sec_acl.cc (set_posix_access): Always make sure Admins have
WRITE_DAC and WRITE_OWNER permissions.
* security.h (create_object_sd_from_attribute): Drop handle parameter
from prototype.
* security.cc (create_object_sd_from_attribute): Drop handle parameter.
Just create the standard POSIXy security descriptor.
(set_object_attribute): Accommodate dropped paramter in call to
create_object_sd_from_attribute.
* fhandler_tty.cc: Ditto, throughout.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in
mask computation.
* fhandler.cc (fhandler_base::open_with_arch): Call open with mode
not umasked.
(fhandler_base::open): Explicitely umask mode on NFS here. Call new
set_created_file_access rather than set_file_attribute.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement
setting permissions on filesystems supporting ACLs using the new
set_posix_access call.
(fhandler_disk_file::fchown): Ditto.
(fhandler_disk_file::mkdir): Call new set_created_file_access rather
than set_file_attribute.
* fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add
WRITE_OWNER access to allow writing group in case of SGID bit set.
Call new set_created_file_access rather than set_file_attribute.
* path.cc (symlink_worker): Call new set_created_file_access rather
than set_file_attribute.
* sec_acl.cc (searchace): Un-staticize.
(set_posix_access): New, complementary functionality to
get_posix_access.
(setacl): Implement in terms of get_posix_access/set_posix_access.
(get_posix_access): Add handling for just created files requiring
their first Cygwin ACL. Fix new_style recognition. Handle SGID
bit. For old-style ACLs, ignore SYSTEM and Administrators when
computing the {DEF_}CLASS_OBJ perms.
* security.cc (get_file_sd): Revamp comment. Change and (hopefully)
speed up inheritance processing for just created files.
(alloc_sd): Remove.
(set_security_attribute): Call set_posix_access instead of alloc_sd.
(get_object_attribute): Fix return value.
(create_object_sd_from_attribute): Call set_posix_access instead of
alloc_sd.
(set_file_attribute): Remove.
(set_created_file_access): New function implemented in terms of
get_posix_access/set_posix_access.
* security.h (set_file_attribute): Remove prototype.
(set_created_file_access): Add prototype.
(searchace): Ditto.
(set_posix_access): Ditto.
* syscalls.cc (open): Call open_with_arch with mode not umasked.
* sec_acl.cc: Change preceeding comment explaining new-style ACLs.
Describe how to generate deny ACEs in more detail. Accommodate the
fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than
a special Cygwin ACE. Improve further comments.
(CYG_ACE_NEW_STYLE): Define.
(get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix
CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single
NULL deny ACE if the inheritance flags say so.
* sec_helper.cc (well_known_cygwin_sid): Remove.
* security.h (well_known_cygwin_sid): Drop declaration.
* sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo.
(get_posix_access): Rename index variable from i to idx. Define only
once at top level.
* security.cc (add_access_allowed_ace): Drop unused parameter "offset".
Accommodate throughout.
(add_access_denied_ace): Ditto.
* sec_acl.cc: Accommodate above change throughout.
* security.h (add_access_allowed_ace): Adjust prototype to above change.
(add_access_denied_ace): Ditto.
* sec_acl.cc (get_posix_access): Handle multiple ACEs for the
owner and primary group of the file. Handle the default primary
group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit
set. Add comments. Minor code rearrangements.
Preliminary read side implementation of new permission handling.
* acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain.
* sec_acl.cc: Add leading comment to explain new ACL style.
Add definitions and macros to use for bits in new Cygwin ACL.
(DENY_RWX): New mask value for all temporary deny bits.
(getace): Add bool parameter to decide when leaving all bits intact,
rather than filtering them per the already set bits.
(get_posix_access): New function, taking over functionality to read
POSIX ACL from SECURITY_DESCRIPTOR.
(getacl): Just call get_posix_access.
* sec_helper.cc (well_known_cygwin_sid): Define.
* security.cc (get_attribute_from_acl): Remove.
(get_info_from_sd): Remove.
(get_reg_sd): Call get_posix_access instead of get_info_from_sd.
(get_file_attribute): Ditto.
(get_object_attribute): Ditto.
* security.h (well_known_cygwin_sid): Declare.
(get_posix_access): Add prototype.
* Throughout, use simpler ACE macros from Windows' accctrl.h.
* getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
* setfacl.c: Align more to Linux tool.
(delacl): New function to delete acl entries only.
(modacl): Drop delete functionality. Add handling of recomputing the
mask and default mask values.
(delallacl): Rename from delacl.
(setfacl): Call delacl in Delete case. Call delallacl in DeleteAll
and DeleteDef case.
(usage): Accommodate new options. Rearrange and rephrase slightly.
(longopts): Emit 'x' in --delete case. Add --no-mask and --mask
options.
(opts): Add -x and -n options.
(main): Handle -d and -x the same. Handle -n and --mask options.
Drop handling for -r option.
* getfacl.c (usage): Align more closely to Linux version. Add new
options -c, -e, -E. Change formatting to accommodate longer options.
(longopts): Rename --noname to --numeric. Keep --noname for backward
compatibility. Add --omit-header, --all-effective and --no-effective
options.
(opts): Add -c, -e and -E option.
(main): Handle new -c, -e, and -E options.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 17:52:29 +08:00
|
|
|
dir ? SUB_CONTAINERS_AND_OBJECTS_INHERIT
|
2012-06-04 00:46:53 +08:00
|
|
|
: NO_INHERITANCE,
|
|
|
|
FILE_ALL_ACCESS, well_known_system_sid);
|
2012-08-17 07:34:45 +08:00
|
|
|
if (users)
|
Reapply POSIX ACL changes.
- New, unified implementation of POSIX permission and ACL handling. The
new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and
they allow to inherit the S_ISGID bit. ACL inheritance now really
works as desired, in a limited, but theoretically equivalent fashion
even for non-Cygwin processes.
To accommodate Windows default ACLs, the new code ignores SYSTEM and
Administrators group permissions when computing the MASK/CLASS_OBJ
permission mask on old ACLs, and it doesn't deny access to SYSTEM and
Administrators group based on the value of MASK/CLASS_OBJ when
creating the new ACLs.
The new code now handles the S_ISGID bit on directories as on Linux:
Setting S_ISGID on a directory causes new files and subdirs created
within to inherit its group, rather than the primary group of the user
who created the file. This only works for files and directories
created by Cygwin processes.
2015-05-29 Corinna Vinschen <corinna@vinschen.de>
Reapply POSIX ACL changes.
* utils.xml (setfacl): Show new option output.
(getfacl): Show new option output.
* sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL.
Apply umask, if so. Align comments.
* security.cc (set_created_file_access): Fix permission masking by
incoming requested file mode.
* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
for SYSTEM and Admins group.
* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
* fhandler.h (fhandler_pty_slave::facl): Add prototype.
* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
(fhandler_pty_slave::fchown): Fix uid/gid handling.
* sec_acl.cc (set_posix_access): Drop superfluous class_idx variable.
Simplify and move around code in a few places. To improve ACL
readability, add r/w permissions to Admins ACE appended to pty ACL.
Add comment to explain Windows ACE Mask filtering being in the way of
creating a real CLASS_OBJ.
(get_posix_access): Fake CLASS_OBJ for ptys. Explain why.
* security.cc (get_object_attribute): Add S_IFCHR flag to attributes
when calling get_posix_access.
* sec_acl.cc (set_posix_access): Move merging group perms into owner
perms in case of owner == group after mask has been computed. Take
mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE.
* sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw
the ACCESS_ALLOWED_ACE.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly
set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment
to explain why.
* security.cc (set_created_file_access): Ditto.
* sec_acl.cc (set_posix_access): Replace previous patch. Return
EINVAL if uid and/or guid is invalid and not backed by an actual
Windows account.
* sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL.
* sec_acl.cc (set_posix_access): Handle files with owner == group.
Rephrase switch statement checking against unfiltered a_type value.
(get_posix_access): Handle files with owner == group.
* sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up
CLASS_OBJ mask on old-style ACLs. Fix a comment.
* sec_acl.cc (set_posix_access): Always make sure Admins have
WRITE_DAC and WRITE_OWNER permissions.
* security.h (create_object_sd_from_attribute): Drop handle parameter
from prototype.
* security.cc (create_object_sd_from_attribute): Drop handle parameter.
Just create the standard POSIXy security descriptor.
(set_object_attribute): Accommodate dropped paramter in call to
create_object_sd_from_attribute.
* fhandler_tty.cc: Ditto, throughout.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in
mask computation.
* fhandler.cc (fhandler_base::open_with_arch): Call open with mode
not umasked.
(fhandler_base::open): Explicitely umask mode on NFS here. Call new
set_created_file_access rather than set_file_attribute.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement
setting permissions on filesystems supporting ACLs using the new
set_posix_access call.
(fhandler_disk_file::fchown): Ditto.
(fhandler_disk_file::mkdir): Call new set_created_file_access rather
than set_file_attribute.
* fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add
WRITE_OWNER access to allow writing group in case of SGID bit set.
Call new set_created_file_access rather than set_file_attribute.
* path.cc (symlink_worker): Call new set_created_file_access rather
than set_file_attribute.
* sec_acl.cc (searchace): Un-staticize.
(set_posix_access): New, complementary functionality to
get_posix_access.
(setacl): Implement in terms of get_posix_access/set_posix_access.
(get_posix_access): Add handling for just created files requiring
their first Cygwin ACL. Fix new_style recognition. Handle SGID
bit. For old-style ACLs, ignore SYSTEM and Administrators when
computing the {DEF_}CLASS_OBJ perms.
* security.cc (get_file_sd): Revamp comment. Change and (hopefully)
speed up inheritance processing for just created files.
(alloc_sd): Remove.
(set_security_attribute): Call set_posix_access instead of alloc_sd.
(get_object_attribute): Fix return value.
(create_object_sd_from_attribute): Call set_posix_access instead of
alloc_sd.
(set_file_attribute): Remove.
(set_created_file_access): New function implemented in terms of
get_posix_access/set_posix_access.
* security.h (set_file_attribute): Remove prototype.
(set_created_file_access): Add prototype.
(searchace): Ditto.
(set_posix_access): Ditto.
* syscalls.cc (open): Call open_with_arch with mode not umasked.
* sec_acl.cc: Change preceeding comment explaining new-style ACLs.
Describe how to generate deny ACEs in more detail. Accommodate the
fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than
a special Cygwin ACE. Improve further comments.
(CYG_ACE_NEW_STYLE): Define.
(get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix
CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single
NULL deny ACE if the inheritance flags say so.
* sec_helper.cc (well_known_cygwin_sid): Remove.
* security.h (well_known_cygwin_sid): Drop declaration.
* sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo.
(get_posix_access): Rename index variable from i to idx. Define only
once at top level.
* security.cc (add_access_allowed_ace): Drop unused parameter "offset".
Accommodate throughout.
(add_access_denied_ace): Ditto.
* sec_acl.cc: Accommodate above change throughout.
* security.h (add_access_allowed_ace): Adjust prototype to above change.
(add_access_denied_ace): Ditto.
* sec_acl.cc (get_posix_access): Handle multiple ACEs for the
owner and primary group of the file. Handle the default primary
group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit
set. Add comments. Minor code rearrangements.
Preliminary read side implementation of new permission handling.
* acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain.
* sec_acl.cc: Add leading comment to explain new ACL style.
Add definitions and macros to use for bits in new Cygwin ACL.
(DENY_RWX): New mask value for all temporary deny bits.
(getace): Add bool parameter to decide when leaving all bits intact,
rather than filtering them per the already set bits.
(get_posix_access): New function, taking over functionality to read
POSIX ACL from SECURITY_DESCRIPTOR.
(getacl): Just call get_posix_access.
* sec_helper.cc (well_known_cygwin_sid): Define.
* security.cc (get_attribute_from_acl): Remove.
(get_info_from_sd): Remove.
(get_reg_sd): Call get_posix_access instead of get_info_from_sd.
(get_file_attribute): Ditto.
(get_object_attribute): Ditto.
* security.h (well_known_cygwin_sid): Declare.
(get_posix_access): Add prototype.
* Throughout, use simpler ACE macros from Windows' accctrl.h.
* getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
* setfacl.c: Align more to Linux tool.
(delacl): New function to delete acl entries only.
(modacl): Drop delete functionality. Add handling of recomputing the
mask and default mask values.
(delallacl): Rename from delacl.
(setfacl): Call delacl in Delete case. Call delallacl in DeleteAll
and DeleteDef case.
(usage): Accommodate new options. Rearrange and rephrase slightly.
(longopts): Emit 'x' in --delete case. Add --no-mask and --mask
options.
(opts): Add -x and -n options.
(main): Handle -d and -x the same. Handle -n and --mask options.
Drop handling for -r option.
* getfacl.c (usage): Align more closely to Linux version. Add new
options -c, -e, -E. Change formatting to accommodate longer options.
(longopts): Rename --noname to --numeric. Keep --noname for backward
compatibility. Add --omit-header, --all-effective and --no-effective
options.
(opts): Add -c, -e and -E option.
(main): Handle new -c, -e, and -E options.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 17:52:29 +08:00
|
|
|
RtlAddAccessAllowedAceEx (dacl, ACL_REVISION, INHERIT_NO_PROPAGATE,
|
2012-06-04 00:46:53 +08:00
|
|
|
FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
|
|
|
|
| FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES,
|
|
|
|
well_known_users_sid);
|
|
|
|
else
|
|
|
|
RtlAddAccessAllowedAceEx (dacl, ACL_REVISION,
|
Reapply POSIX ACL changes.
- New, unified implementation of POSIX permission and ACL handling. The
new ACLs now store the POSIX ACL MASK/CLASS_OBJ permission mask, and
they allow to inherit the S_ISGID bit. ACL inheritance now really
works as desired, in a limited, but theoretically equivalent fashion
even for non-Cygwin processes.
To accommodate Windows default ACLs, the new code ignores SYSTEM and
Administrators group permissions when computing the MASK/CLASS_OBJ
permission mask on old ACLs, and it doesn't deny access to SYSTEM and
Administrators group based on the value of MASK/CLASS_OBJ when
creating the new ACLs.
The new code now handles the S_ISGID bit on directories as on Linux:
Setting S_ISGID on a directory causes new files and subdirs created
within to inherit its group, rather than the primary group of the user
who created the file. This only works for files and directories
created by Cygwin processes.
2015-05-29 Corinna Vinschen <corinna@vinschen.de>
Reapply POSIX ACL changes.
* utils.xml (setfacl): Show new option output.
(getfacl): Show new option output.
* sec_acl.cc (get_posix_access): Check for Cygwin "standard" ACL.
Apply umask, if so. Align comments.
* security.cc (set_created_file_access): Fix permission masking by
incoming requested file mode.
* sec_acl.cc (set_posix_access): Apply mask only in terms of execute bit
for SYSTEM and Admins group.
* sec_acl.cc (set_posix_access): Don't create DENY ACEs for USER and
GROUP entries if they are the same as USER_OBJ or GROUP_OBJ.
* fhandler.h (fhandler_pty_slave::facl): Add prototype.
* fhandler_tty.cc (fhandler_pty_slave::facl): New method.
(fhandler_pty_slave::fchown): Fix uid/gid handling.
* sec_acl.cc (set_posix_access): Drop superfluous class_idx variable.
Simplify and move around code in a few places. To improve ACL
readability, add r/w permissions to Admins ACE appended to pty ACL.
Add comment to explain Windows ACE Mask filtering being in the way of
creating a real CLASS_OBJ.
(get_posix_access): Fake CLASS_OBJ for ptys. Explain why.
* security.cc (get_object_attribute): Add S_IFCHR flag to attributes
when calling get_posix_access.
* sec_acl.cc (set_posix_access): Move merging group perms into owner
perms in case of owner == group after mask has been computed. Take
mask into account when doing so to avoid unnecessary ACCESS_DENIED_ACE.
* sec_acl.cc (get_posix_access): Only set saw_group_obj flag if we saw
the ACCESS_ALLOWED_ACE.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Deliberatly
set GROUP_OBJ and CLASS_OBJ perms to new group perms. Add comment
to explain why.
* security.cc (set_created_file_access): Ditto.
* sec_acl.cc (set_posix_access): Replace previous patch. Return
EINVAL if uid and/or guid is invalid and not backed by an actual
Windows account.
* sec_acl.cc (set_posix_access): Workaround owner/group SIDs being NULL.
* sec_acl.cc (set_posix_access): Handle files with owner == group.
Rephrase switch statement checking against unfiltered a_type value.
(get_posix_access): Handle files with owner == group.
* sec_acl.cc (get_posix_access): Don't use GROUP_OBJ access to fix up
CLASS_OBJ mask on old-style ACLs. Fix a comment.
* sec_acl.cc (set_posix_access): Always make sure Admins have
WRITE_DAC and WRITE_OWNER permissions.
* security.h (create_object_sd_from_attribute): Drop handle parameter
from prototype.
* security.cc (create_object_sd_from_attribute): Drop handle parameter.
Just create the standard POSIXy security descriptor.
(set_object_attribute): Accommodate dropped paramter in call to
create_object_sd_from_attribute.
* fhandler_tty.cc: Ditto, throughout.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Fix typo in
mask computation.
* fhandler.cc (fhandler_base::open_with_arch): Call open with mode
not umasked.
(fhandler_base::open): Explicitely umask mode on NFS here. Call new
set_created_file_access rather than set_file_attribute.
* fhandler_disk_file.cc (fhandler_disk_file::fchmod): Reimplement
setting permissions on filesystems supporting ACLs using the new
set_posix_access call.
(fhandler_disk_file::fchown): Ditto.
(fhandler_disk_file::mkdir): Call new set_created_file_access rather
than set_file_attribute.
* fhandler_socket.cc (fhandler_socket::bind): Don't umask here. Add
WRITE_OWNER access to allow writing group in case of SGID bit set.
Call new set_created_file_access rather than set_file_attribute.
* path.cc (symlink_worker): Call new set_created_file_access rather
than set_file_attribute.
* sec_acl.cc (searchace): Un-staticize.
(set_posix_access): New, complementary functionality to
get_posix_access.
(setacl): Implement in terms of get_posix_access/set_posix_access.
(get_posix_access): Add handling for just created files requiring
their first Cygwin ACL. Fix new_style recognition. Handle SGID
bit. For old-style ACLs, ignore SYSTEM and Administrators when
computing the {DEF_}CLASS_OBJ perms.
* security.cc (get_file_sd): Revamp comment. Change and (hopefully)
speed up inheritance processing for just created files.
(alloc_sd): Remove.
(set_security_attribute): Call set_posix_access instead of alloc_sd.
(get_object_attribute): Fix return value.
(create_object_sd_from_attribute): Call set_posix_access instead of
alloc_sd.
(set_file_attribute): Remove.
(set_created_file_access): New function implemented in terms of
get_posix_access/set_posix_access.
* security.h (set_file_attribute): Remove prototype.
(set_created_file_access): Add prototype.
(searchace): Ditto.
(set_posix_access): Ditto.
* syscalls.cc (open): Call open_with_arch with mode not umasked.
* sec_acl.cc: Change preceeding comment explaining new-style ACLs.
Describe how to generate deny ACEs in more detail. Accommodate the
fact that a NULL deny ACE is used for {DEF_}CLASS_OBJ, rather than
a special Cygwin ACE. Improve further comments.
(CYG_ACE_NEW_STYLE): Define.
(get_posix_access): Change from Cygwin ACE to NULL deny ACE. Fix
CLASS_OBJ handling to generate CLASS_OBJ and DEF_CLASS_OBJ from a single
NULL deny ACE if the inheritance flags say so.
* sec_helper.cc (well_known_cygwin_sid): Remove.
* security.h (well_known_cygwin_sid): Drop declaration.
* sec_acl.cc (CYG_ACE_ISBITS_TO_WIN): Fix typo.
(get_posix_access): Rename index variable from i to idx. Define only
once at top level.
* security.cc (add_access_allowed_ace): Drop unused parameter "offset".
Accommodate throughout.
(add_access_denied_ace): Ditto.
* sec_acl.cc: Accommodate above change throughout.
* security.h (add_access_allowed_ace): Adjust prototype to above change.
(add_access_denied_ace): Ditto.
* sec_acl.cc (get_posix_access): Handle multiple ACEs for the
owner and primary group of the file. Handle the default primary
group ACE as DEF_GROUP_OBJ entry if the directory has the S_ISGID bit
set. Add comments. Minor code rearrangements.
Preliminary read side implementation of new permission handling.
* acl.h (MAX_ACL_ENTRIES): Raise to 2730. Add comment to explain.
* sec_acl.cc: Add leading comment to explain new ACL style.
Add definitions and macros to use for bits in new Cygwin ACL.
(DENY_RWX): New mask value for all temporary deny bits.
(getace): Add bool parameter to decide when leaving all bits intact,
rather than filtering them per the already set bits.
(get_posix_access): New function, taking over functionality to read
POSIX ACL from SECURITY_DESCRIPTOR.
(getacl): Just call get_posix_access.
* sec_helper.cc (well_known_cygwin_sid): Define.
* security.cc (get_attribute_from_acl): Remove.
(get_info_from_sd): Remove.
(get_reg_sd): Call get_posix_access instead of get_info_from_sd.
(get_file_attribute): Ditto.
(get_object_attribute): Ditto.
* security.h (well_known_cygwin_sid): Declare.
(get_posix_access): Add prototype.
* Throughout, use simpler ACE macros from Windows' accctrl.h.
* getfacl.c (main): Special-case SYSTEM and Admins group. Add comments.
* setfacl.c: Align more to Linux tool.
(delacl): New function to delete acl entries only.
(modacl): Drop delete functionality. Add handling of recomputing the
mask and default mask values.
(delallacl): Rename from delacl.
(setfacl): Call delacl in Delete case. Call delallacl in DeleteAll
and DeleteDef case.
(usage): Accommodate new options. Rearrange and rephrase slightly.
(longopts): Emit 'x' in --delete case. Add --no-mask and --mask
options.
(opts): Add -x and -n options.
(main): Handle -d and -x the same. Handle -n and --mask options.
Drop handling for -r option.
* getfacl.c (usage): Align more closely to Linux version. Add new
options -c, -e, -E. Change formatting to accommodate longer options.
(longopts): Rename --noname to --numeric. Keep --noname for backward
compatibility. Add --omit-header, --all-effective and --no-effective
options.
(opts): Add -c, -e and -E option.
(main): Handle new -c, -e, and -E options.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
2015-06-24 17:52:29 +08:00
|
|
|
dir ? SUB_CONTAINERS_AND_OBJECTS_INHERIT
|
2012-06-04 00:46:53 +08:00
|
|
|
: NO_INHERITANCE,
|
|
|
|
FILE_ALL_ACCESS, cygheap->user.sid ());
|
|
|
|
LPVOID ace;
|
|
|
|
status = RtlFirstFreeAce (dacl, &ace);
|
|
|
|
if (!NT_SUCCESS (status))
|
|
|
|
{
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlFirstFreeAce: %y", status);
|
2012-06-04 00:46:53 +08:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
dacl->AclSize = (char *) ace - (char *) dacl;
|
|
|
|
RtlSetDaclSecurityDescriptor (psd, TRUE, dacl, FALSE);
|
|
|
|
/* If the directory DACL is not marked as protected, shell32 thinks
|
|
|
|
the recycle dir is corrupted. As soon as Explorer accesses the
|
|
|
|
Recycler, the user will get a GUI dialog "The Recycle Bin on X:\
|
|
|
|
is corrupted. Do you want to empty the Recycle Bin for this drive?"
|
|
|
|
Of course we want to avoid that. */
|
|
|
|
if (dir)
|
|
|
|
psd->Control |= SE_DACL_PROTECTED;
|
|
|
|
return psd;
|
|
|
|
}
|
|
|
|
|
2008-04-19 04:13:37 +08:00
|
|
|
/* Helper function to create an event security descriptor which only allows
|
|
|
|
specific access to everyone. Only the creating process has all access
|
|
|
|
rights. */
|
|
|
|
|
|
|
|
PSECURITY_DESCRIPTOR
|
|
|
|
_everyone_sd (void *buf, ACCESS_MASK access)
|
|
|
|
{
|
2011-04-28 17:30:36 +08:00
|
|
|
NTSTATUS status;
|
2012-07-06 21:49:53 +08:00
|
|
|
PISECURITY_DESCRIPTOR psd = (PISECURITY_DESCRIPTOR) buf;
|
2008-04-19 04:13:37 +08:00
|
|
|
|
|
|
|
if (psd)
|
|
|
|
{
|
2011-04-28 17:30:36 +08:00
|
|
|
RtlCreateSecurityDescriptor (psd, SECURITY_DESCRIPTOR_REVISION);
|
2008-04-19 04:13:37 +08:00
|
|
|
PACL dacl = (PACL) (psd + 1);
|
2011-04-28 17:30:36 +08:00
|
|
|
RtlCreateAcl (dacl, MAX_DACL_LEN (1), ACL_REVISION);
|
2011-04-29 18:38:12 +08:00
|
|
|
status = RtlAddAccessAllowedAce (dacl, ACL_REVISION, access,
|
|
|
|
well_known_world_sid);
|
|
|
|
if (!NT_SUCCESS (status))
|
2008-04-19 04:13:37 +08:00
|
|
|
{
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlAddAccessAllowedAce: %y", status);
|
2008-04-19 04:13:37 +08:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
LPVOID ace;
|
2011-04-28 17:30:36 +08:00
|
|
|
status = RtlFirstFreeAce (dacl, &ace);
|
|
|
|
if (!NT_SUCCESS (status))
|
2008-04-19 04:13:37 +08:00
|
|
|
{
|
2013-04-23 17:44:36 +08:00
|
|
|
debug_printf ("RtlFirstFreeAce: %y", status);
|
2008-04-19 04:13:37 +08:00
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
dacl->AclSize = (char *) ace - (char *) dacl;
|
2011-04-28 23:54:47 +08:00
|
|
|
RtlSetDaclSecurityDescriptor (psd, TRUE, dacl, FALSE);
|
2008-04-19 04:13:37 +08:00
|
|
|
}
|
|
|
|
return psd;
|
|
|
|
}
|
|
|
|
|
2022-08-22 20:25:05 +08:00
|
|
|
static NO_COPY SRWLOCK authz_lock = SRWLOCK_INIT;
|
|
|
|
#define AUTHZ_LOCK() (AcquireSRWLockExclusive (&authz_lock))
|
|
|
|
#define AUTHZ_UNLOCK() (ReleaseSRWLockExclusive (&authz_lock))
|
|
|
|
|
|
|
|
static NO_COPY SRWLOCK user_ctx_lock = SRWLOCK_INIT;
|
|
|
|
#define USER_CTX_LOCK() (AcquireSRWLockExclusive (&user_ctx_lock))
|
|
|
|
#define USER_CTX_UNLOCK() (ReleaseSRWLockExclusive (&user_ctx_lock))
|
|
|
|
|
|
|
|
static NO_COPY SRWLOCK slist_lock = SRWLOCK_INIT;
|
|
|
|
#define SLIST_LOCK() (AcquireSRWLockExclusive (&slist_lock))
|
|
|
|
#define SLIST_UNLOCK() (ReleaseSRWLockExclusive (&slist_lock))
|
|
|
|
|
2015-08-18 00:29:24 +08:00
|
|
|
static LUID authz_dummy_luid = { 0 };
|
|
|
|
|
|
|
|
class authz_ctx_cache_entry
|
|
|
|
{
|
|
|
|
SLIST_ENTRY (authz_ctx_cache_entry) ctx_next;
|
|
|
|
cygsid sid;
|
|
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE ctx_hdl;
|
|
|
|
|
|
|
|
authz_ctx_cache_entry ()
|
|
|
|
: sid (NO_SID), ctx_hdl (NULL)
|
|
|
|
{
|
|
|
|
ctx_next.sle_next = NULL;
|
|
|
|
}
|
|
|
|
authz_ctx_cache_entry (bool)
|
|
|
|
: sid (NO_SID), ctx_hdl (NULL)
|
|
|
|
{
|
|
|
|
ctx_next.sle_next = NULL;
|
|
|
|
}
|
|
|
|
void set (PSID psid, AUTHZ_CLIENT_CONTEXT_HANDLE hdl)
|
|
|
|
{
|
|
|
|
sid = psid;
|
|
|
|
ctx_hdl = hdl;
|
|
|
|
}
|
|
|
|
bool is (PSID psid) const { return RtlEqualSid (sid, psid); }
|
|
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE context () const { return ctx_hdl; }
|
|
|
|
|
|
|
|
friend class authz_ctx_cache;
|
|
|
|
};
|
|
|
|
|
|
|
|
class authz_ctx_cache
|
|
|
|
{
|
|
|
|
SLIST_HEAD (, authz_ctx_cache_entry) ctx_list;
|
|
|
|
|
|
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE context (PSID);
|
|
|
|
|
|
|
|
friend class authz_ctx;
|
|
|
|
};
|
|
|
|
|
|
|
|
class authz_ctx
|
|
|
|
{
|
|
|
|
AUTHZ_RESOURCE_MANAGER_HANDLE authz_hdl;
|
|
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE user_ctx_hdl;
|
|
|
|
authz_ctx_cache ctx_cache;
|
|
|
|
operator AUTHZ_RESOURCE_MANAGER_HANDLE ();
|
|
|
|
|
|
|
|
friend class authz_ctx_cache;
|
|
|
|
public:
|
2015-09-02 06:05:46 +08:00
|
|
|
bool get_user_attribute (mode_t *, PSECURITY_DESCRIPTOR, PSID);
|
2015-08-18 00:29:24 +08:00
|
|
|
};
|
|
|
|
|
|
|
|
/* Authz handles are not inheritable. */
|
|
|
|
static NO_COPY authz_ctx authz;
|
|
|
|
|
|
|
|
authz_ctx::operator AUTHZ_RESOURCE_MANAGER_HANDLE ()
|
|
|
|
{
|
|
|
|
if (!authz_hdl)
|
|
|
|
{
|
|
|
|
/* Create handle to Authz resource manager */
|
2022-08-22 20:25:05 +08:00
|
|
|
AUTHZ_LOCK ();
|
2015-08-18 00:29:24 +08:00
|
|
|
if (!authz_hdl
|
|
|
|
&& !AuthzInitializeResourceManager (AUTHZ_RM_FLAG_NO_AUDIT,
|
|
|
|
NULL, NULL, NULL, NULL,
|
|
|
|
&authz_hdl))
|
|
|
|
debug_printf ("AuthzInitializeResourceManager, %E");
|
2022-08-22 20:25:05 +08:00
|
|
|
AUTHZ_UNLOCK ();
|
2015-08-18 00:29:24 +08:00
|
|
|
}
|
|
|
|
return authz_hdl;
|
|
|
|
}
|
|
|
|
|
|
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE
|
|
|
|
authz_ctx_cache::context (PSID user_sid)
|
|
|
|
{
|
|
|
|
authz_ctx_cache_entry *entry;
|
|
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE ctx_hdl = NULL;
|
|
|
|
|
|
|
|
SLIST_FOREACH (entry, &ctx_list, ctx_next)
|
|
|
|
{
|
|
|
|
if (entry->is (user_sid))
|
|
|
|
return entry->context ();
|
|
|
|
}
|
|
|
|
entry = new authz_ctx_cache_entry (true);
|
|
|
|
/* If the user is the current user, prefer to create the context from the
|
|
|
|
token, as outlined in MSDN. */
|
|
|
|
if (RtlEqualSid (user_sid, cygheap->user.sid ())
|
|
|
|
&& !AuthzInitializeContextFromToken (0, cygheap->user.issetuid ()
|
|
|
|
? cygheap->user.primary_token ()
|
|
|
|
: hProcToken,
|
|
|
|
authz, NULL, authz_dummy_luid,
|
|
|
|
NULL, &ctx_hdl))
|
|
|
|
debug_printf ("AuthzInitializeContextFromToken, %E");
|
|
|
|
/* In any other case, create the context from the user SID. */
|
|
|
|
else if (!AuthzInitializeContextFromSid (0, user_sid, authz, NULL,
|
|
|
|
authz_dummy_luid, NULL, &ctx_hdl))
|
|
|
|
debug_printf ("AuthzInitializeContextFromSid, %E");
|
|
|
|
else
|
|
|
|
{
|
|
|
|
entry->set (user_sid, ctx_hdl);
|
2022-08-22 20:25:05 +08:00
|
|
|
SLIST_LOCK ();
|
2015-08-18 00:29:24 +08:00
|
|
|
SLIST_INSERT_HEAD (&ctx_list, entry, ctx_next);
|
2022-08-22 20:25:05 +08:00
|
|
|
SLIST_UNLOCK ();
|
2015-08-18 00:29:24 +08:00
|
|
|
return entry->context ();
|
|
|
|
}
|
|
|
|
delete entry;
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Ask Authz for the effective user permissions of the user with SID user_sid
|
|
|
|
on the object with security descriptor psd. We're caching the handles for
|
|
|
|
the Authz resource manager and the user contexts. */
|
2015-09-02 06:05:46 +08:00
|
|
|
bool
|
2015-08-18 00:29:24 +08:00
|
|
|
authz_ctx::get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd,
|
|
|
|
PSID user_sid)
|
|
|
|
{
|
|
|
|
/* If the owner is the main user of the process token (not some impersonated
|
|
|
|
user), cache the user context in the global user_ctx_hdl variable. */
|
|
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE ctx_hdl = NULL;
|
|
|
|
if (RtlEqualSid (user_sid, cygheap->user.sid ())
|
|
|
|
&& !cygheap->user.issetuid ())
|
|
|
|
{
|
2018-04-12 15:43:12 +08:00
|
|
|
/* Avoid lock in default case. */
|
2015-08-18 00:29:24 +08:00
|
|
|
if (!user_ctx_hdl)
|
|
|
|
{
|
2022-08-22 20:25:05 +08:00
|
|
|
USER_CTX_LOCK ();
|
2018-04-12 15:43:12 +08:00
|
|
|
/* Check user_ctx_hdl again under lock to avoid overwriting
|
|
|
|
user_ctx_hdl if it has already been initialized. */
|
|
|
|
if (!user_ctx_hdl
|
|
|
|
&& !AuthzInitializeContextFromToken (0, hProcToken, authz, NULL,
|
|
|
|
authz_dummy_luid, NULL,
|
|
|
|
&user_ctx_hdl))
|
2015-08-18 00:29:24 +08:00
|
|
|
debug_printf ("AuthzInitializeContextFromToken, %E");
|
2022-08-22 20:25:05 +08:00
|
|
|
USER_CTX_UNLOCK ();
|
2015-08-18 00:29:24 +08:00
|
|
|
}
|
|
|
|
if (user_ctx_hdl)
|
|
|
|
ctx_hdl = user_ctx_hdl;
|
|
|
|
}
|
|
|
|
if (!ctx_hdl && !(ctx_hdl = ctx_cache.context (user_sid)))
|
2015-09-02 06:05:46 +08:00
|
|
|
return false;
|
2015-08-18 00:29:24 +08:00
|
|
|
/* All set, check access. */
|
|
|
|
ACCESS_MASK access = 0;
|
|
|
|
DWORD error = 0;
|
|
|
|
AUTHZ_ACCESS_REQUEST req = {
|
|
|
|
.DesiredAccess = MAXIMUM_ALLOWED,
|
|
|
|
.PrincipalSelfSid = NULL,
|
|
|
|
.ObjectTypeList = NULL,
|
|
|
|
.ObjectTypeListLength = 0,
|
|
|
|
.OptionalArguments = NULL
|
|
|
|
};
|
|
|
|
AUTHZ_ACCESS_REPLY repl = {
|
|
|
|
.ResultListLength = 1,
|
|
|
|
.GrantedAccessMask = &access,
|
|
|
|
.SaclEvaluationResults = NULL,
|
|
|
|
.Error = &error
|
|
|
|
};
|
|
|
|
if (AuthzAccessCheck (0, ctx_hdl, &req, NULL, psd, NULL, 0, &repl, NULL))
|
|
|
|
{
|
|
|
|
if (access & FILE_READ_BITS)
|
2015-09-02 06:05:46 +08:00
|
|
|
*attribute |= S_IROTH;
|
2015-08-18 00:29:24 +08:00
|
|
|
if (access & FILE_WRITE_BITS)
|
2015-09-02 06:05:46 +08:00
|
|
|
*attribute |= S_IWOTH;
|
2015-08-18 00:29:24 +08:00
|
|
|
if (access & FILE_EXEC_BITS)
|
2015-09-02 06:05:46 +08:00
|
|
|
*attribute |= S_IXOTH;
|
|
|
|
return true;
|
2015-08-18 00:29:24 +08:00
|
|
|
}
|
2015-09-02 06:05:46 +08:00
|
|
|
return false;
|
2015-08-18 00:29:24 +08:00
|
|
|
}
|
|
|
|
|
2015-09-02 06:05:46 +08:00
|
|
|
bool
|
|
|
|
authz_get_user_attribute (mode_t *attribute, PSECURITY_DESCRIPTOR psd,
|
|
|
|
PSID user_sid)
|
2015-08-18 00:29:24 +08:00
|
|
|
{
|
2015-09-02 06:05:46 +08:00
|
|
|
*attribute = 0;
|
|
|
|
return authz.get_user_attribute (attribute, psd, user_sid);
|
2015-08-18 00:29:24 +08:00
|
|
|
}
|