...before calling any of its method. It's no safe bet that
it's already initialized when calling s4uauth and adding it
to load_user_profile certainly doesn't hurt.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
In case of a local machine account login, pi.lpProfilePath points
to the buffer returned by NetUserGetInfo, but NetApiBufferFree
is called prior to calling LoadUserProfileW. Fix by copying over
usri3_profile to the local userpath buffer, just as in the AD case.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
This never really worked. While at it, restructure code to
do common stuff only in one spot. Improve debug output.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Does this work? There's not much feedback given.
TODO: We might want to try unloading the user profile at process
exit as well, FWIW.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Commit 649911fb40 avoids the
calls to NetUserGetGroups and NetUserGetLocalGroups since
these can take a lot of time. The same problem potentially
occurs when loading the user profile. The code fetches
the roaming profile path calling NetUserGetInfo, which also
can be rather slow.
To avoid this problem, fetch the profile patch using LDAP.
Also, don't bail out early if the user's registry hive already
exists. This may result in outdated information.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
NetUserGetGroups and NetUserGetLocalGroups sometimes take a lot of time
(up to more than 2 mins) for no apparent reason.
Call s4uauth to generate an identification token for the user and fetch
the group list from there. This is *much* faster.
Keep the old code only for the sake of WOW64 on Vista and Windows 7,
which don't implement MsV1_0S4ULogon.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
s4uath was only callable to create an impersonation token so
far. Rework the function to allow creating an identification
token for informational purposes even from untrusted processes.
Take domainname and username instead of a passwd pointer to be
more multi-purpose.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Up to Vista CreateProcessAsUser only worked with primary tokens,
so convert S4U impersonation token to primary token. MSDN still
documents it that way, but actually an impersonation token is
sufficient since Windows 7.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Under WOW64 on 64 bit Windows 7, MsV1_0S4ULogon appears to be
unimplemented, probably under Vista as well. Re-enable
create_token method, to allow basic seteuid on W7 WOW64 and
Vista as well.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
for domain accounts we try KerbS4ULogon first, MsV1_0S4ULogon
second. But we only fetch the package id for the supporting
authentication package (Kerberos/MsV1_0) once at the start.
Duplicate LsaLookupAuthenticationPackage call and move into the
Kerb/MsV1_0 branches so that it fetches the correct package id
for the method we call next.
Curious enough this worked before. Apparently both methods
work with the MICROSOFT_KERBEROS_NAME_A package id. However,
requesting and using the right authentication package id is
the prudent thing to do.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
- This simple and official method replaces cyglsa and "create token"
methods. No network share access, same as before.
- lsaauth and create_token are disabled now. If problems crop up,
they can be easily reactivated. If no problems crop up, they
can be removed in a while, together with the lsaauth subdir.
- Bump Cygwin version to 3.0.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
The previous patch failed with password-less auth because in
that case the return code from get_server_groups wasn't tested.
Fix that. Also make sure that get_server_groups does not
check if the account is disabled or locked out when just fetching
the group list for initgroups or getgrouplist.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
So far seteuid could change uid to any existing account, given
sufficient permissions of the caller. This is kind of bad since
it disallows admins to refuse login to disabled or locked out
accounts.
Add check for the account's UF_ACCOUNTDISABLE or UF_LOCKOUT flags
and don't let the user in, if one of the flags is set.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
commit 67fd2101 introduced a bad bug. Changing sys_privs to a static
area and just returning a pointer is nice... *if* the calling code doesn't
call free() on it. Make sure callers check pointer for sys_privs and
refrain from calling free, if so.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Convert sys_privs to const struct with TOKEN_PRIVILEGES layout.
Drop function get_system_priv_list. Just use pointer to sys_privs.
Dropping max_sys_priv from wincaps requires to make sure that the
bitfield is 8 byte aligned on x86_64, otherwise gcc (5.3 only?)
apparently breaks access to the bitfield (off by 4 bytes).
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Bump GPLv2+ to GPLv3+ for some files, clarify BSD 2-clause.
Everything else stays under GPLv3+.
New Linking Exception exempts resulting executables from LGPLv3 section 4.
Add CONTRIBUTORS file to keep track of licensing.
Remove 'Copyright Red Hat Inc' comments.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
A user token can be up to 64K in size. The group list might take a lot
of that so use tmp_pathbuf allocated space rather than stack space
allocted via alloca. In create_token the TOKEN_GROUP was allocated via
malloc, but the code is needlessly complicated. Simplify by using
tmp_pathbuf as well.
* sec_auth.cc (verify_token): Allocate TOKEN_GROUP via tmp_pathbuf.
(create_token): Ditto.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
* sec_auth.cc (get_token_group_sidlist): Drop auth_luid and
auth_pos parameter. Remove code adding a logon SID.
(get_initgroups_sidlist): Drop auth_luid and auth_pos parameter.
Drop in call to get_token_group_sidlist. Accommodate in callers.
(get_setgroups_sidlist): Ditto.
(create_token): Explicitely set auth_luid to ANONYMOUS_LOGON_LUID
or LOCALSERVICE_LUID depending on OS. Explain why.
Remove handling of logon SID since we don't generate one anymore.
(lsaauth): Drop now unused local variable auth_luid and auth_pos.
* wincap.h (wincaps::has_broken_whoami): New element.
* wincap.cc: Implement above element throughout.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
If the calling process doesn't have sufficient privileges to
fetch the linked token of an admin-user token, cygwin_logon_user
fails. This patch changes that by returning the original,
unprivileged token of the admin user to allow authentication
and calling setuid for the current process.
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
(LoadUserProfileW): Import.
* registry.cc (get_registry_hive_path): Move to sec_auth.cc.
(load_registry_hive): Remove.
* registry.h (get_registry_hive_path): Drop declaration.
(load_registry_hive): Ditto.
* sec_auth.cc (get_user_profile_directory): Moved from registry.cc and
renamed. Take third parameter with buffer length.
(load_user_profile): New function taking over for load_registry_hive.
Use official functions to load profile. If profile is missing, create
it on Vista and later.
* security.h (get_user_profile_directory): Declare.
(load_user_profile): Declare.
* syscalls.cc (seteuid32): Replace call to load_registry_hive with call
to load_user_profile.
* uinfo.cc (cygheap_user::env_userprofile): Replace call to
get_registry_hive_path with call to get_user_profile_directory.
(CID 60021).
* sec_auth.cc (cygwin_logon_user): Securely erase password copy.
(lsaprivkeyauth): Avoid trying to dereference data if no key is stored
in the registry (CID 60122). Securely erase passwords after usage.
non-builtin accounts.
* uinfo.cc (pwdgrp::fetch_account_from_windows): Check incoming
account name for validity in terms of the current name prefixing rules
and refuse invalid names.
/etc/nsswitch.conf file to configure it.
* Makefile.in (DLL_OFILES): Add ldap.o.
* autoload.cc: Import ldap functions from wldap32.dll.
(DsEnumerateDomainTrustsW): Import.
(NetGroupGetInfo): Import.
* cygheap.h (class cygheap_domain_info): New class to keep global
domain info.
(class cygheap_pwdgrp): New class to keep passwd/group caches and
configuration info from /etc/nssswitch.conf.
(struct init_cygheap): Add cygheap_domain_info member "dom" and
cygheap_pwdgrp member "pg".
* cygtls.h (struct _local_storage): Remove unused member "res".
Rearrange slightly, Add members pwbuf and grbuf to implement non-caching
passwd/group fetching from SAM/AD. Make pw_pos and pw_pos unsigned.
* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Add RFC 2307
uid/gid mapping.
* fhandler_process.cc: Drop including pwdgrp.h.
* fhandler_procsysvipc.cc: Ditto.
* fhandler_registry.cc (fhandler_registry::fstat): Set key uid/gid
to ILLEGAL_UID/ILLEGAL_GID rather than UNKNOWN_UID/UNKNOWN_GID.
* grp.cc (group_buf): Drop.
(gr): Drop.
(pwdgrp::parse_group): Fill pg_grp.
(pwdgrp::read_group): Remove.
(pwdgrp::init_grp): New method.
(pwdgrp::prep_tls_grbuf): New method.
(pwdgrp::find_group): New methods.
(internal_getgrsid): Convert to call new pwdgrp methods.
(internal_getgrnam): Ditto.
(internal_getgrgid): Ditto.
(getgrgid_r): Drop 2nd parameter from internal_getgrgid call.
(getgrgid32): Ditto.
(getgrnam_r): Ditto for internal_getgrnam.
(getgrnam32): Ditto.
(getgrent32): Convert to call new pwdgrp methods.
(internal_getgrent): Remove.
(internal_getgroups): Simplify, especially drop calls to
internal_getgrent.
* ldap.cc: New file implementing cyg_ldap class for LDAP access to AD
and RFC 2307 server.
* ldap.h: New header, declaring cyg_ldap class.
* passwd.cc (passwd_buf): Drop.
(pr): Drop.
(pwdgrp::parse_passwd): Fill pg_pwd.
(pwdgrp::read_passwd): Remove.
(pwdgrp::init_pwd): New method.
(pwdgrp::prep_tls_pwbuf): New method.
(find_user): New methods.
(internal_getpwsid): Convert to call new pwdgrp methods.
(internal_getpwnam): Ditto.
(internal_getpwuid): Ditto.
(getpwuid32): Drop 2nd parameter from internal_getpwuid call.
(getpwuid_r): Ditto.
(getpwnam): Ditto for internal_getpwnam.
(getpwnam_r): Ditto.
(getpwent): Convert to call new pwdgrp methods.
* path.cc (class etc): Remove all methods.
* path.h (class etc): Drop.
* pinfo.cc (pinfo_basic::pinfo_basic): Set gid to ILLEGAL_GID rather
than UNKNOWN_GID.
(pinfo_init): Ditto.
* pwdgrp.h (internal_getpwnam): Drop 2nd parameter from declaration.
(internal_getpwuid): Ditto.
(internal_getgrgid): Ditto.
(internal_getgrnam): Ditto.
(internal_getgrent): Drop declaration.
(enum fetch_user_arg_type_t): New type.
(struct fetch_user_arg_t): New type.
(struct pg_pwd): New type.
(struct pg_grp): New type.
(class pwdgrp): Rework to provide functions for file and db requests
and caching.
(class ugid_cache_t): New class to provide RFC 2307 uid map caching.
(ugid_cache): Declare.
* sec_acl.cc: Drop including pwdgrp.h.
* sec_auth.cc: Drop including dsgetdc.h and pwdgrp.h.
(get_logon_server): Convert third parameter to ULONG flags argument
to allow arbitrary flags values in DsGetDcNameW call and change calls
to this function throughout. Use cached account domain name rather
than calling GetComputerNameW.
(get_unix_group_sidlist): Remove.
(get_server_groups): Drop call to get_unix_group_sidlist.
(verify_token): Rework token group check without calling
internal_getgrent.
* sec_helper.cc (cygpsid::pstring): New methods, like string() but
return pointer to end of string.
(cygsid::getfromstr): Add wide character implementation.
(get_sids_info): Add RFC 2307 uid/gid mapping for Samba shares.
* security.cc: Drop including pwdgrp.h.
* security.h (DEFAULT_UID): Remove.
(UNKNOWN_UID): Remove.
(UNKNOWN_GID): Remove.
(uinfo_init): Move here from winsup.h.
(ILLEGAL_UID): Ditto.
(ILLEGAL_GID): Ditto.
(UNIX_POSIX_OFFSET): Define. Add lengthy comment.
(UNIX_POSIX_MASK): Ditto.
(MAP_UNIX_TO_CYGWIN_ID): Ditto.
(ILLEGAL_UID16): Move here from winsup.h.
(ILLEGAL_GID16): Ditto.
(uid16touid32): Ditto.
(gid16togid32): Ditto.
(sid_id_auth): New convenience macro for SID component access.
(sid_sub_auth_count): Ditto.
(sid_sub_auth): Ditto.
(sid_sub_auth_rid): Ditto.
(cygpsid::pstring): Declare.
(cygsid::getfromstr): Declare wide character variant.
(cygsid::operator=): Ditto.
(cygsid::operator*=): Ditto.
(get_logon_server): Change declaration according to source code.
* setlsapwd.cc (setlsapwd): Drop 2nd parameter from internal_getpwnam
call.
* shared.cc (memory_init): Call cygheap->pg.init in first process.
* syscalls.cc: Drop including pwdgrp.h.
* tlsoffsets.h: Regenerate.
* tlsoffsets64.h: Ditto.
* uinfo.cc (internal_getlogin): Drop gratuitious internal_getpwuid
call. Fix debug output. Overwrite user gid in border case of a
missing passwd file while a group file exists.
(pwdgrp::add_line): Allocate memory on cygheap.
(pwdgrp::load): Remove.
(ugid_cache): Define.
(cygheap_pwdgrp::init): New method.
(cygheap_pwdgrp::nss_init_line): New method.
(cygheap_pwdgrp::_nss_init): New method.
(cygheap_domain_info::init): New method.
(logon_sid): Define.
(get_logon_sid): New function.
(pwdgrp::add_account_post_fetch): New method.
(pwdgrp::add_account_from_file): New methods.
(pwdgrp::add_account_from_windows): New methods.
(pwdgrp::check_file): New method.
(pwdgrp::fetch_account_from_line): New method.
(pwdgrp::fetch_account_from_file): New method.
(pwdgrp::fetch_account_from_windows): New method.
* winsup.h: Move aforementioned macros and declarations to security.h.
(lsa_open_policy): Declare.
(lsa_close_policy): Declare.
* sec_auth.cc (lsa_open_policy): Rename from open_local_policy. Take
server name as parameter. Return NULL in case of error, rather than
INVALID_HANDLE_VALUE.
(lsa_close_policy): Rename from close_local_policy. Make externally
available. Get handle by value.
(create_token): Convert call to open_local_policy/close_local_policy
according to aforementioned changes.
(lsaauth): Ditto.
(lsaprivkeyauth): Ditto.
* setlsapwd.cc (setlsapwd): Ditto.
Corinna Vinschen