1 /* security.h: security declarations
3 Copyright 2000, 2001, 2002 Red Hat, Inc.
5 This file is part of Cygwin.
7 This software is a copyrighted work licensed under the terms of the
8 Cygwin license. Please consult the file "CYGWIN_LICENSE" for
11 #define DONT_INHERIT (0)
12 #define INHERIT_ALL (CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE)
13 #define INHERIT_ONLY (INHERIT_ONLY_ACE|CONTAINER_INHERIT_ACE|OBJECT_INHERIT_ACE)
15 #define DEFAULT_UID DOMAIN_USER_RID_ADMIN
16 #define DEFAULT_GID DOMAIN_ALIAS_RID_ADMINS
18 #define MAX_SID_LEN 40
19 #define MAX_DACL_LEN(n) (sizeof (ACL) \
20 + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
22 #define NO_SID ((PSID)NULL)
26 char sbuf[MAX_SID_LEN];
28 const PSID getfromstr (const char *nsidstr);
29 PSID get_sid (DWORD s, DWORD cnt, DWORD *r);
31 inline const PSID assign (const PSID nsid)
38 CopySid (MAX_SID_LEN, psid, nsid);
44 inline operator const PSID () { return psid; }
46 inline const PSID operator= (cygsid &nsid)
47 { return assign (nsid); }
48 inline const PSID operator= (const PSID nsid)
49 { return assign (nsid); }
50 inline const PSID operator= (const char *nsidstr)
51 { return getfromstr (nsidstr); }
53 inline cygsid () : psid ((PSID) sbuf) {}
54 inline cygsid (const PSID nsid) { *this = nsid; }
55 inline cygsid (const char *nstrsid) { *this = nstrsid; }
57 inline PSID set () { return psid = (PSID) sbuf; }
59 BOOL getfrompw (const struct passwd *pw);
60 BOOL getfromgr (const struct __group32 *gr);
62 int get_id (BOOL search_grp, int *type = NULL);
63 inline int get_uid () { return get_id (FALSE); }
64 inline int get_gid () { return get_id (TRUE); }
66 char *string (char *nsidstr) const;
68 inline BOOL operator== (const PSID nsid) const
72 return EqualSid (psid, nsid);
74 inline BOOL operator== (const char *nsidstr) const
76 cygsid nsid (nsidstr);
79 inline BOOL operator!= (const PSID nsid) const
80 { return !(*this == nsid); }
81 inline BOOL operator!= (const char *nsidstr) const
82 { return !(*this == nsidstr); }
84 void debug_print (const char *prefix = NULL) const
87 debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
96 cygsidlist () : count (0), sids (NULL) {}
97 ~cygsidlist () { delete [] sids; }
99 BOOL add (cygsid &nsi)
101 cygsid *tmp = new cygsid [count + 1];
104 for (int i = 0; i < count; ++i)
111 BOOL add (const PSID nsid) { return add (nsid); }
112 BOOL add (const char *sidstr)
113 { cygsid nsi (sidstr); return add (nsi); }
115 BOOL operator+= (cygsid &si) { return add (si); }
116 BOOL operator+= (const char *sidstr) { return add (sidstr); }
118 BOOL contains (cygsid &sid) const
120 for (int i = 0; i < count; ++i)
125 void debug_print (const char *prefix = NULL) const
127 debug_printf ("-- begin sidlist ---");
129 debug_printf ("No elements");
130 for (int i = 0; i < count; ++i)
131 sids[i].debug_print (prefix);
132 debug_printf ("-- ende sidlist ---");
136 extern cygsid well_known_null_sid;
137 extern cygsid well_known_world_sid;
138 extern cygsid well_known_local_sid;
139 extern cygsid well_known_creator_owner_sid;
140 extern cygsid well_known_dialup_sid;
141 extern cygsid well_known_network_sid;
142 extern cygsid well_known_batch_sid;
143 extern cygsid well_known_interactive_sid;
144 extern cygsid well_known_service_sid;
145 extern cygsid well_known_authenticated_users_sid;
146 extern cygsid well_known_system_sid;
147 extern cygsid well_known_admins_sid;
150 legal_sid_type (SID_NAME_USE type)
152 return type == SidTypeUser || type == SidTypeGroup
153 || type == SidTypeAlias || type == SidTypeWellKnownGroup;
156 extern BOOL allow_ntea;
157 extern BOOL allow_ntsec;
158 extern BOOL allow_smbntsec;
160 /* These both functions are needed to allow walking through the passwd
161 and group lists so they are somehow security related. Besides that
162 I didn't find a better place to declare them. */
163 extern struct passwd *internal_getpwent (int);
164 extern struct __group32 *internal_getgrent (int);
166 /* File manipulation */
167 int __stdcall set_process_privileges ();
168 int __stdcall get_file_attribute (int, const char *, int *,
169 __uid32_t * = NULL, __gid32_t * = NULL);
170 int __stdcall set_file_attribute (int, const char *, int);
171 int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int);
172 LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size);
173 LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size);
174 BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
175 BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
177 void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
178 void *sd_buf, DWORD sd_buf_size);
180 /* Try a subauthentication. */
181 HANDLE subauth (struct passwd *pw);
182 /* Try creating a token directly. */
183 HANDLE create_token (cygsid &usersid, cygsid &pgrpsid);
184 /* Verify an existing token */
185 BOOL verify_token (HANDLE token, cygsid &usersid, cygsid &pgrpsid, BOOL * pintern = NULL);
187 /* Extract U-domain\user field from passwd entry. */
188 void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
189 /* Get default logonserver for a domain. */
190 BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);
192 /* sec_helper.cc: Security helper functions. */
193 BOOL __stdcall is_grp_member (__uid32_t uid, __gid32_t gid);
194 int set_process_privilege (const char *privilege, BOOL enable = TRUE);
197 /* Retrieve a security descriptor that allows all access */
198 SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);
200 /* Various types of security attributes for use in Create* functions. */
201 extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
202 extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid2, BOOL inherit)
203 __attribute__ ((regparm (3)));
204 extern BOOL sec_acl (PACL acl, BOOL admins, PSID sid1 = NO_SID, PSID sid2 = NO_SID);
206 int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len);
207 BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len);
208 PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
209 PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);
211 extern inline SECURITY_ATTRIBUTES *
212 sec_user_nih (char sa_buf[], PSID sid = NULL)
214 return allow_ntsec ? __sec_user (sa_buf, sid, FALSE) : &sec_none_nih;
217 extern inline SECURITY_ATTRIBUTES *
218 sec_user (char sa_buf[], PSID sid = NULL)
220 return allow_ntsec ? __sec_user (sa_buf, sid, TRUE) : &sec_none_nih;