author | Corinna Vinschen <corinna@vinschen.de> | 2006-11-27 12:59:59 +0000 |
committer | Corinna Vinschen <corinna@vinschen.de> | 2006-11-27 12:59:59 +0000 |
commit | b825c587ba9e851002570b81f9f35196b7a96100 (patch) | |
tree | 4f45a13329a6ac1cf399647ba96988538ccba0bf /winsup/cygwin/cyglsa.h | |
parent | b6bb405954f9713a2153e08dfc781f9146a42b9d (diff) | |
* cyglsa.h: New header file.
* environ.cc: Disable subauth settings.
* grp.cc: Accommodate cygsidlist's count now being a method.
* sec_helper.cc (SECURITY_MANDATORY_INTEGRITY_AUTHORITY): Remove.
(mandatory_medium_integrity_sid): Remove.
(mandatory_high_integrity_sid): Remove.
(mandatory_system_integrity_sid): Remove.
(fake_logon_sid): Add.
(cygsid::get_sid): Add well_known parameter. Set well_known_sid
accordingly.
(cygsid::getfromstr): Ditto.
(cygsidlist::alloc_sids): Move here from security.cc.
(cygsidlist::free_sids): Ditto.
(cygsidlist::add): Move here from security.h. Add well_known parameter.
Set well_known_sid accordingly. Don't allow duplicate SIDs.
* security.cc: Include cyglsa.h and cygwin/version.h. Throughout
accomodate cygsidlist's count now being a method. Throughout drop
redundant "contains" tests.
(get_user_local_groups): Add local groups as well known SIDs.
(get_token_group_sidlist): Add well known groups as well known SIDs.
(get_server_groups): Ditto. Only call get_unix_group_sidlist after
get_user_local_groups to maintain "well_known_sid" attribute.
(get_initgroups_sidlist): Add well known groups as well known SIDs.
(get_setgroups_sidlist): Add usersid and struct passwd parameter to
allow calling get_server_groups from here.
(get_system_priv_list): Make static. Return size of TOKEN_PRIVILEGES
structure.
(get_priv_list): Ditto.
(create_token): Accomodate above changes. Drop misguided attempt to
add MIC SIDs to created user token. Print returned token as hex value.
(subauth): Disable.
(lsaauth): New function implementing client side of LSA authentication.
* security.h (class cygsid): Add well_known_sid attribute. Accomodate
throughout. Add *= operator to create a well known SID.
(class cygsidlist): Rename count to cnt. Make count a method.
(cygsidlist::add): Move to sec_helper.cc.
(cygsidlist::operator *=): New method to add well known SID.
(cygsidlist::non_well_known_count): New method returning number of
non well known SIDs in list.
(cygsidlist::next_non_well_known_sid): New method returning next non
well known SID by index.
(mandatory_medium_integrity_sid): Drop declaration.
(mandatory_high_integrity_sid): Drop declaration.
(mandatory_system_integrity_sid): Drop declaration.
(fake_logon_sid): Add declaration.
(subauth): Disable declaration.
(lsaauth): Add declaration.
* syscalls.cc (seteuid32): Disable subauthentication. Add LSA
authentication.
* wincap.h: Define needs_logon_sid_in_sid_list throughout.
* wincap.cc: Ditto.
Diffstat (limited to 'winsup/cygwin/cyglsa.h')
-rw-r--r-- | winsup/cygwin/cyglsa.h | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/winsup/cygwin/cyglsa.h b/winsup/cygwin/cyglsa.h
new file mode 100644
index 000000000..4af9e8cd0
--- /dev/null
+++ b/winsup/cygwin/cyglsa.h
@@ -0,0 +1,149 @@
+/* cyglsa.h: Header file for Cygwin LSA authentication
+
+ Copyright 2006 Red Hat, Inc.
+
+ Written by Corinna Vinschen <corinna@vinschen.de>
+
+This file is part of Cygwin.
+
+This software is a copyrighted work licensed under the terms of the
+Cygwin license. Please consult the file "CYGWIN_LICENSE" for details. */
+
+#ifndef _CYGLSA_H
+#define _CYGLSA_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define CYG_LSA_PKGNAME "CygwinLsa"
+
+#define CYG_LSA_MAGIC 0x0379f014LU
+
+/* Datastructures not defined in w32api. */
+typedef PVOID *PLSA_CLIENT_REQUEST;
+
+typedef struct _SECPKG_CLIENT_INFO
+{
+ LUID LogonId;
+ ULONG ProcessID;
+ ULONG ThreadID;
+ BOOLEAN HasTcbPrivilege;
+ BOOLEAN Impersonating;
+ BOOLEAN Restricted;
+} SECPKG_CLIENT_INFO, *PSECPKG_CLIENT_INFO;
+
+/* The table returned by LsaApInitializePackage is actually a
+ LSA_SECPKG_FUNCTION_TABLE even though that's not documented.
+ We need only a subset of this table, basically the LSA_DISPATCH_TABLE
+ plus the pointer to the GetClientInfo function. */
+typedef struct _LSA_SECPKG_FUNCS
+{
+ NTSTATUS (NTAPI *CreateLogonSession)(PLUID);
+ NTSTATUS (NTAPI *DeleteLogonSession)(PLUID);
+ NTSTATUS (NTAPI *AddCredentials)(PVOID); /* wrong prototype, unused */
+ NTSTATUS (NTAPI *GetCredentials)(PVOID); /* wrong prototype, unused */
+ NTSTATUS (NTAPI *DeleteCredentials)(PVOID); /* wrong prototype, unused */
+ PVOID (NTAPI *AllocateLsaHeap)(ULONG);
+ VOID (NTAPI *FreeLsaHeap)(PVOID);
+ NTSTATUS (NTAPI *AllocateClientBuffer)(PLSA_CLIENT_REQUEST, ULONG, PVOID *);
+ NTSTATUS (NTAPI *FreeClientBuffer)(PLSA_CLIENT_REQUEST, PVOID);
+ NTSTATUS (NTAPI *CopyToClientBuffer)(PLSA_CLIENT_REQUEST, ULONG,
+ PVOID, PVOID);
+ NTSTATUS (NTAPI *CopyFromClientBuffer)(PLSA_CLIENT_REQUEST, ULONG,
+ PVOID, PVOID);
+ NTSTATUS (NTAPI *ImpersonateClient)(VOID);
+ NTSTATUS (NTAPI *UnloadPackage)(VOID);
+ NTSTATUS (NTAPI *DuplicateHandle)(HANDLE,PHANDLE);
+ NTSTATUS (NTAPI *SaveSupplementalCredentials)(VOID);
+ NTSTATUS (NTAPI *CreateThread)(PVOID); /* wrong prototype, unused */
+ NTSTATUS (NTAPI *GetClientInfo)(PSECPKG_CLIENT_INFO);
+} LSA_SECPKG_FUNCS, *PLSA_SECPKG_FUNCS;
+
+typedef enum _LSA_TOKEN_INFORMATION_TYPE
+{
+ LsaTokenInformationNull,
+ LsaTokenInformationV1,
+ LsaTokenInformationV2
+} LSA_TOKEN_INFORMATION_TYPE, *PLSA_TOKEN_INFORMATION_TYPE;
+
+typedef struct _LSA_TOKEN_INFORMATION_V2
+{
+ LARGE_INTEGER ExpirationTime;
+ TOKEN_USER User;
+ PTOKEN_GROUPS Groups;
+ TOKEN_PRIMARY_GROUP PrimaryGroup;
+ PTOKEN_PRIVILEGES Privileges;
+ TOKEN_OWNER Owner;
+ TOKEN_DEFAULT_DACL DefaultDacl;
+} LSA_TOKEN_INFORMATION_V2, *PLSA_TOKEN_INFORMATION_V2;
+
+/* These structures are eqivalent to the appropriate Windows structures,
+ using 32 bit offsets instead of pointers. These datastructures are
+ used to transfer the logon information to the LSA authentication package.
+ We can't use the LSA_TOKEN_INFORMATION_V2 structure directly, because
+ its size differs between 32 bit and 64 bit Windows. */
+
+typedef DWORD OFFSET;
+
+typedef struct _CYG_SID_AND_ATTRIBUTES
+{
+ OFFSET Sid;
+ DWORD Attributes;
+} CYG_SID_AND_ATTRIBUTES, *PCYG_SID_AND_ATTRIBUTES;
+
+typedef struct _CYG_TOKEN_USER
+{
+ CYG_SID_AND_ATTRIBUTES User;
+} CYG_TOKEN_USER, *PCYG_TOKEN_USER;
+
+typedef struct _CYG_TOKEN_GROUPS
+{
+ DWORD GroupCount;
+ CYG_SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY];
+} CYG_TOKEN_GROUPS, *PCYG_TOKEN_GROUPS;
+
+typedef struct _CYG_TOKEN_PRIMARY_GROUP
+{
+ OFFSET PrimaryGroup;
+} CYG_TOKEN_PRIMARY_GROUP, *PCYG_TOKEN_PRIMARY_GROUP;
+
+typedef struct _CYG_TOKEN_OWNER
+{
+ OFFSET Owner;
+} CYG_TOKEN_OWNER, *PCYG_TOKEN_OWNER;
+
+typedef struct _CYG_TOKEN_DEFAULT_DACL
+{
+ OFFSET DefaultDacl;
+} CYG_TOKEN_DEFAULT_DACL, *PCYG_TOKEN_DEFAULT_DACL;
+
+typedef struct _CYG_LSA_TOKEN_INFORMATION
+{
+ LARGE_INTEGER ExpirationTime;
+ CYG_TOKEN_USER User;
+ OFFSET Groups;
+ CYG_TOKEN_PRIMARY_GROUP PrimaryGroup;
+ OFFSET Privileges;
+ CYG_TOKEN_OWNER Owner;
+ CYG_TOKEN_DEFAULT_DACL DefaultDacl;
+} CYG_LSA_TOKEN_INFORMATION, *PCYG_LSA_TOKEN_INFORMATION;
+
+/* This is the structure created by security.cc:lsaauth(), which is given to
+ LsaApLogonUser to create the token information returned to the LSA. */
+typedef struct
+{
+ DWORD magic;
+ DWORD checksum;
+ CHAR username[UNLEN + 1];
+ CHAR domain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
+ ULONG inf_size;
+ CYG_LSA_TOKEN_INFORMATION inf;
+ BYTE data[1];
+} cyglsa_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _CYGLSA_H */
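Review bot: `cyglsa_t` and `CYG_LSA_TOKEN_INFORMATION` define a buffer that, per the comment above the struct, is built by `security.cc:lsaauth()` in the client and handed to `LsaApLogonUser` inside the LSA, yet the header never states what the `OFFSET` values and `inf_size` are relative to, nor that the receiving package must bounds-check them before following them. Because the buffer originates in the less privileged client process and is parsed with TCB-level privileges, every `OFFSET` (`Sid`, `Groups`, `Privileges`, `PrimaryGroup`, `Owner`, `DefaultDacl`), plus `GroupCount` and the privilege/DACL targets, should be validated against the received length; I would add above `typedef DWORD OFFSET;` the comment `/* OFFSET is a byte offset into the cyglsa_t buffer (base presumably data[] or &inf — confirm against lsaauth()). The authentication package must check inf_size and every OFFSET/GroupCount against the length it actually received before dereferencing: the buffer comes from an unprivileged client. */`. `checksum` is presumably an integrity check on the buffer rather than a secret; a one-line comment saying so would keep readers from mistaking it for caller authentication. `BYTE data[1]` is the pre-C99 trailing-array idiom; if it is kept so the header also compiles under the LSA DLL's C toolchain, a comment to that effect (and a note that `sizeof (cyglsa_t)` already includes that one byte) would prevent a later off-by-one when computing `inf_size`.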