1 /* security.h: security declarations
3 Copyright 2000, 2001, 2002 Red Hat, Inc.
5 This file is part of Cygwin.
7 This software is a copyrighted work licensed under the terms of the
8 Cygwin license. Please consult the file "CYGWIN_LICENSE" for
13 #define DEFAULT_UID DOMAIN_USER_RID_ADMIN
14 #define UNKNOWN_UID 400 /* Non conflicting number */
15 #define UNKNOWN_GID 401
17 #define MAX_SID_LEN 40
18 #define MAX_DACL_LEN(n) (sizeof (ACL) \
19 + (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
21 #define NO_SID ((PSID)NULL)
28 cygpsid (PSID nsid) { psid = nsid; }
29 operator const PSID () { return psid; }
30 const PSID operator= (PSID nsid) { return psid = nsid;}
31 __uid32_t get_id (BOOL search_grp, int *type = NULL);
32 int get_uid () { return get_id (FALSE); }
33 int get_gid () { return get_id (TRUE); }
35 char *string (char *nsidstr) const;
37 bool operator== (const PSID nsid) const
41 return EqualSid (psid, nsid);
43 bool operator!= (const PSID nsid) const
44 { return !(*this == nsid); }
45 bool operator== (const char *nsidstr) const;
46 bool operator!= (const char *nsidstr) const
47 { return !(*this == nsidstr); }
49 void debug_print (const char *prefix = NULL) const
52 debug_printf ("%s %s", prefix ?: "", string (buf) ?: "NULL");
56 class cygsid : public cygpsid {
57 char sbuf[MAX_SID_LEN];
59 const PSID getfromstr (const char *nsidstr);
60 PSID get_sid (DWORD s, DWORD cnt, DWORD *r);
62 inline const PSID assign (const PSID nsid)
69 CopySid (MAX_SID_LEN, psid, nsid);
76 inline operator const PSID () { return psid; }
78 inline const PSID operator= (cygsid &nsid)
79 { return assign (nsid); }
80 inline const PSID operator= (const PSID nsid)
81 { return assign (nsid); }
82 inline const PSID operator= (const char *nsidstr)
83 { return getfromstr (nsidstr); }
85 inline cygsid () : cygpsid ((PSID) sbuf) {}
86 inline cygsid (const PSID nsid) { *this = nsid; }
87 inline cygsid (const char *nstrsid) { *this = nstrsid; }
89 inline PSID set () { return psid = (PSID) sbuf; }
91 BOOL getfrompw (const struct passwd *pw);
92 BOOL getfromgr (const struct __group32 *gr);
95 typedef enum { cygsidlist_empty, cygsidlist_alloc, cygsidlist_auto } cygsidlist_type;
101 cygsidlist_type type;
103 cygsidlist (cygsidlist_type t, int m)
108 if (t == cygsidlist_alloc)
109 sids = alloc_sids (m);
111 sids = new cygsid [m];
113 ~cygsidlist () { if (type == cygsidlist_auto) delete [] sids; }
115 BOOL add (const PSID nsi) /* Only with auto for now */
117 if (count >= maxcount)
119 cygsid *tmp = new cygsid [ 2 * maxcount];
123 for (int i = 0; i < count; ++i)
131 BOOL add (cygsid &nsi) { return add ((PSID) nsi); }
132 BOOL add (const char *sidstr)
133 { cygsid nsi (sidstr); return add (nsi); }
134 BOOL addfromgr (struct __group32 *gr) /* Only with alloc */
135 { return sids[count++].getfromgr (gr); }
137 BOOL operator+= (cygsid &si) { return add (si); }
138 BOOL operator+= (const char *sidstr) { return add (sidstr); }
139 BOOL operator+= (const PSID psid) { return add (psid); }
141 int position (const PSID sid) const
143 for (int i = 0; i < count; ++i)
149 BOOL contains (const PSID sid) const { return position (sid) >= 0; }
150 cygsid *alloc_sids (int n);
152 void debug_print (const char *prefix = NULL) const
154 debug_printf ("-- begin sidlist ---");
156 debug_printf ("No elements");
157 for (int i = 0; i < count; ++i)
158 sids[i].debug_print (prefix);
159 debug_printf ("-- ende sidlist ---");
169 BOOL issetgroups () const { return (sgsids.type == cygsidlist_alloc); }
170 void update_supp (const cygsidlist &newsids)
184 void update_pgrp (const PSID sid)
191 extern cygsid well_known_null_sid;
192 extern cygsid well_known_world_sid;
193 extern cygsid well_known_local_sid;
194 extern cygsid well_known_creator_owner_sid;
195 extern cygsid well_known_creator_group_sid;
196 extern cygsid well_known_dialup_sid;
197 extern cygsid well_known_network_sid;
198 extern cygsid well_known_batch_sid;
199 extern cygsid well_known_interactive_sid;
200 extern cygsid well_known_service_sid;
201 extern cygsid well_known_authenticated_users_sid;
202 extern cygsid well_known_system_sid;
203 extern cygsid well_known_admins_sid;
206 legal_sid_type (SID_NAME_USE type)
208 return type == SidTypeUser || type == SidTypeGroup
209 || type == SidTypeAlias || type == SidTypeWellKnownGroup;
212 extern bool allow_ntea;
213 extern bool allow_ntsec;
214 extern bool allow_smbntsec;
216 /* File manipulation */
217 int __stdcall set_process_privileges ();
218 int __stdcall get_file_attribute (int, const char *, mode_t *,
219 __uid32_t * = NULL, __gid32_t * = NULL);
220 int __stdcall set_file_attribute (int, const char *, int);
221 int __stdcall set_file_attribute (int, const char *, __uid32_t, __gid32_t, int);
222 int __stdcall get_object_attribute (HANDLE handle, SE_OBJECT_TYPE object_type, mode_t *,
223 __uid32_t * = NULL, __gid32_t * = NULL);
224 LONG __stdcall read_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, LPDWORD sd_size);
225 LONG __stdcall write_sd(const char *file, PSECURITY_DESCRIPTOR sd_buf, DWORD sd_size);
226 BOOL __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
227 BOOL __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
228 int __stdcall check_file_access (const char *, int);
230 void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
231 void *sd_buf, DWORD sd_buf_size);
233 bool get_sids_info (cygpsid, cygpsid, __uid32_t * , __gid32_t *);
235 /* Try a subauthentication. */
236 HANDLE subauth (struct passwd *pw);
237 /* Try creating a token directly. */
238 HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
239 /* Verify an existing token */
240 BOOL verify_token (HANDLE token, cygsid &usersid, user_groups &groups, BOOL * pintern = NULL);
242 /* Extract U-domain\user field from passwd entry. */
243 void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
244 /* Get default logonserver for a domain. */
245 BOOL get_logon_server (const char * domain, char * server, WCHAR *wserver = NULL);
247 /* sec_helper.cc: Security helper functions. */
248 int set_process_privilege (const char *privilege, bool enable = true, bool use_thread = false);
251 /* Retrieve a security descriptor that allows all access */
252 SECURITY_DESCRIPTOR *__stdcall get_null_sd (void);
254 /* Various types of security attributes for use in Create* functions. */
255 extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
256 extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid2, BOOL inherit)
257 __attribute__ ((regparm (3)));
258 extern BOOL sec_acl (PACL acl, BOOL admins, PSID sid1 = NO_SID, PSID sid2 = NO_SID);
260 int __stdcall NTReadEA (const char *file, const char *attrname, char *buf, int len);
261 BOOL __stdcall NTWriteEA (const char *file, const char *attrname, const char *buf, int len);
262 PSECURITY_DESCRIPTOR alloc_sd (__uid32_t uid, __gid32_t gid, int attribute,
263 PSECURITY_DESCRIPTOR sd_ret, DWORD *sd_size_ret);
265 extern inline SECURITY_ATTRIBUTES *
266 sec_user_nih (char sa_buf[], PSID sid = NULL)
268 return allow_ntsec ? __sec_user (sa_buf, sid, FALSE) : &sec_none_nih;
271 extern inline SECURITY_ATTRIBUTES *
272 sec_user (char sa_buf[], PSID sid = NULL)
274 return allow_ntsec ? __sec_user (sa_buf, sid, TRUE) : &sec_none_nih;