/* security.h: security declarations
- Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Red Hat, Inc.
+ Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
+ 2010, 2011 Red Hat, Inc.
This file is part of Cygwin.
#include <accctrl.h>
+/* Special file attribute set, for instance, in open() and mkdir() to
+ flag that a file has just been created. Used in alloc_sd, see there. */
+#define S_JUSTCREATED 0x80000000
+
#define DEFAULT_UID DOMAIN_USER_RID_ADMIN
#define UNKNOWN_UID 400 /* Non conflicting number */
#define UNKNOWN_GID 401
#define MAX_SID_LEN 40
#define MAX_DACL_LEN(n) (sizeof (ACL) \
+ (n) * (sizeof (ACCESS_ALLOWED_ACE) - sizeof (DWORD) + MAX_SID_LEN))
-#define ACL_DEFAULT_SIZE 3072
+#define SD_MIN_SIZE (sizeof (SECURITY_DESCRIPTOR) + MAX_DACL_LEN (1))
+#define ACL_MAXIMUM_SIZE 65532 /* Yeah, right. 64K - sizeof (DWORD). */
+#define SD_MAXIMUM_SIZE 65536
#define NO_SID ((PSID)NULL)
#ifndef SE_CREATE_TOKEN_PRIVILEGE
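Review bot: S_JUSTCREATED on the added `#define` line occupies bit 31 of the same value that carries the POSIX mode, so its comment should say that the flag is internal-only. A mode that arrives from a caller of open() or mkdir() with this bit already set would presumably be treated by alloc_sd as "just created" (alloc_sd is not visible here), so the comment could add `Callers must mask user-supplied modes before OR-ing this in; it must never be stored or returned.` Note also that 0x80000000 does not fit in a signed 32-bit int, while set_security_attribute further down still takes `int attribute`.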
#define FILE_WRITE_BITS (FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL)
#define FILE_EXEC_BITS (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL)
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+ /* We need these declarations, otherwise g++ complains that the below
+ inline methods use an undefined function, if ntdll.h isn't included. */
+ BOOLEAN NTAPI RtlEqualSid (PSID, PSID);
+ NTSTATUS NTAPI RtlCopySid (ULONG, PSID, PSID);
+#ifdef __cplusplus
+}
+#endif
+
class cygpsid {
protected:
PSID psid;
{
if (!psid || !nsid)
return nsid == psid;
- return EqualSid (psid, nsid);
+ return RtlEqualSid (psid, nsid);
}
bool operator!= (const PSID nsid) const
{ return !(*this == nsid); }
else
{
psid = (PSID) sbuf;
- CopySid (MAX_SID_LEN, psid, nsid);
+ RtlCopySid (MAX_SID_LEN, psid, nsid);
well_known_sid = well_known;
}
return psid;
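Review bot: The NTSTATUS returned by `RtlCopySid (MAX_SID_LEN, psid, nsid)` is dropped, so a failed copy still leaves psid pointing at sbuf and the function returns it as if it held nsid. With MAX_SID_LEN at 40, a SID with more than eight sub-authorities does not fit, and the call should fail rather than truncate, leaving whatever was in the buffer before. Checking the status, for example `if (!NT_SUCCESS (RtlCopySid (MAX_SID_LEN, psid, nsid))) psid = NO_SID;`, would make the failure visible to callers; NT_SUCCESS has to be in scope for that, which this header may not guarantee without ntdll.h. The enclosing function starts above this hunk, so how the other branch handles a bad SID is not visible.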
cygsid above. */
BOOL operator+= (cygsid &si) { return add ((PSID) si, false); }
BOOL operator+= (const char *sidstr) { cygsid nsi (sidstr);
- return add ((PSID) nsi, false); }
+ return add ((PSID) nsi, false); }
BOOL operator+= (const PSID psid) { return add (psid, false); }
BOOL operator*= (cygsid &si) { return add ((PSID) si, true); }
BOOL operator*= (const char *sidstr) { cygsid nsi (sidstr);
- return add ((PSID) nsi, true); }
+ return add ((PSID) nsi, true); }
BOOL operator*= (const PSID psid) { return add (psid, true); }
void count (int ncnt)
{
int wcnt = 0;
for (int i = 0; i < cnt; ++i)
- if (!sids[i].is_well_known_sid ())
+ if (!sids[i].is_well_known_sid ())
++wcnt;
return wcnt;
}
int next_non_well_known_sid (int idx)
{
while (++idx < cnt)
- if (!sids[idx].is_well_known_sid ())
+ if (!sids[idx].is_well_known_sid ())
return idx;
return -1;
}
}
inline operator const PSECURITY_DESCRIPTOR () { return psd; }
inline operator PSECURITY_DESCRIPTOR *() { return &psd; }
+ inline void operator =(PSECURITY_DESCRIPTOR nsd) { psd = nsd; }
};
class user_groups {
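Review bot: The added `operator =(PSECURITY_DESCRIPTOR nsd)` overwrites psd without releasing the previous pointer, and nothing in the hunk says who owns nsd afterwards. If the class frees psd in its destructor or in a free method (not visible in this hunk), the old buffer leaks. Assigning a pointer that is stack memory, or that another object still owns, would then end in an invalid or double free. A comment such as `/* Takes ownership of nsd; the previous descriptor is NOT freed. */` would state the contract, or the operator could release the old value first. The class body starts outside the hunk.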
extern cygpsid well_known_null_sid;
extern cygpsid well_known_world_sid;
extern cygpsid well_known_local_sid;
+extern cygpsid well_known_console_logon_sid;
extern cygpsid well_known_creator_owner_sid;
extern cygpsid well_known_creator_group_sid;
extern cygpsid well_known_dialup_sid;
extern cygpsid well_known_authenticated_users_sid;
extern cygpsid well_known_this_org_sid;
extern cygpsid well_known_system_sid;
+extern cygpsid well_known_builtin_sid;
extern cygpsid well_known_admins_sid;
+extern cygpsid well_known_users_sid;
extern cygpsid fake_logon_sid;
+extern cygpsid mandatory_medium_integrity_sid;
+extern cygpsid mandatory_high_integrity_sid;
+extern cygpsid mandatory_system_integrity_sid;
+extern cygpsid well_known_samba_unix_user_fake_sid;
-bool privilege_luid (const char *pname, LUID *luid);
+bool privilege_luid (const PWCHAR pname, LUID &luid, bool &high_integrity);
+
+inline BOOL
+well_known_sid_type (SID_NAME_USE type)
+{
+ return type == SidTypeAlias || type == SidTypeWellKnownGroup;
+}
inline BOOL
legal_sid_type (SID_NAME_USE type)
|| type == SidTypeAlias || type == SidTypeWellKnownGroup;
}
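Review bot: In the new `privilege_luid` prototype, `const PWCHAR pname` makes the pointer itself const, not the characters it points to, so the function may still write through pname and a wide string literal cannot be passed cleanly. If the name is input-only, as the old `const char *pname` suggested, `bool privilege_luid (const WCHAR *pname, LUID &luid, bool &high_integrity);` says so. The new `high_integrity` out-parameter would also benefit from a one-line comment on what it reports and whether it is written on failure.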
-extern bool allow_ntsec;
-extern bool allow_smbntsec;
-
+class path_conv;
/* File manipulation */
int __stdcall get_file_attribute (HANDLE, path_conv &, mode_t *,
- __uid32_t *, __gid32_t *);
+ __uid32_t *, __gid32_t *)
+ __attribute__ ((regparm (3)));
int __stdcall set_file_attribute (HANDLE, path_conv &,
- __uid32_t, __gid32_t, int);
-int __stdcall get_reg_attribute (HKEY hkey, mode_t *, __uid32_t *, __gid32_t *);
-LONG __stdcall get_file_sd (HANDLE fh, path_conv &, security_descriptor &sd);
-LONG __stdcall set_file_sd (HANDLE fh, path_conv &, security_descriptor &sd);
-bool __stdcall add_access_allowed_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
-bool __stdcall add_access_denied_ace (PACL acl, int offset, DWORD attributes, PSID sid, size_t &len_add, DWORD inherit);
-int __stdcall check_file_access (path_conv &, int);
-int __stdcall check_registry_access (HANDLE, int);
-
-void set_security_attribute (int attribute, PSECURITY_ATTRIBUTES psa,
+ __uid32_t, __gid32_t, mode_t)
+ __attribute__ ((regparm (3)));
+int __stdcall get_object_sd (HANDLE, security_descriptor &)
+ __attribute__ ((regparm (2)));
+int __stdcall get_object_attribute (HANDLE, __uid32_t *, __gid32_t *, mode_t *)
+ __attribute__ ((regparm (3)));
+int __stdcall set_object_attribute (HANDLE, __uid32_t, __gid32_t, mode_t)
+ __attribute__ ((regparm (3)));
+int __stdcall create_object_sd_from_attribute (HANDLE, __uid32_t, __gid32_t,
+ mode_t, security_descriptor &)
+ __attribute__ ((regparm (3)));
+int __stdcall set_object_sd (HANDLE, security_descriptor &, bool)
+ __attribute__ ((regparm (3)));
+
+int __stdcall get_reg_attribute (HKEY hkey, mode_t *, __uid32_t *, __gid32_t *)
+ __attribute__ ((regparm (3)));
+LONG __stdcall get_file_sd (HANDLE fh, path_conv &, security_descriptor &, bool)
+ __attribute__ ((regparm (3)));
+LONG __stdcall set_file_sd (HANDLE fh, path_conv &, security_descriptor &, bool)
+ __attribute__ ((regparm (3)));
+bool __stdcall add_access_allowed_ace (PACL, int, DWORD, PSID, size_t &, DWORD)
+ __attribute__ ((regparm (3)));
+bool __stdcall add_access_denied_ace (PACL, int, DWORD, PSID, size_t &, DWORD)
+ __attribute__ ((regparm (3)));
+int __stdcall check_file_access (path_conv &, int, bool)
+ __attribute__ ((regparm (3)));
+int __stdcall check_registry_access (HANDLE, int, bool)
+ __attribute__ ((regparm (3)));
+
+void set_security_attribute (path_conv &pc, int attribute,
+ PSECURITY_ATTRIBUTES psa,
security_descriptor &sd_buf);
bool get_sids_info (cygpsid, cygpsid, __uid32_t * , __gid32_t *);
int getacl (HANDLE, path_conv &, int, __acl32 *);
int setacl (HANDLE, path_conv &, int, __acl32 *, bool &);
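Review bot: The prototypes rewritten here drop their parameter names, so the newly added trailing `bool` on get_file_sd, set_file_sd, set_object_sd, check_file_access and check_registry_access is undocumented in the header callers read. A bare `true`/`false` at the call site of an access-check or descriptor-writing function is easy to get backwards. Keeping a name or a comment on that parameter, in the form `int __stdcall check_file_access (path_conv &, int, bool /* <meaning of flag> */)`, would help; the actual meaning has to come from the definitions, which are not visible here.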
-struct _UNICODE_STRING;
-void __stdcall str2buf2uni (_UNICODE_STRING &, WCHAR *, const char *) __attribute__ ((regparm (3)));
-void __stdcall str2uni_cat (_UNICODE_STRING &, const char *) __attribute__ ((regparm (2)));
-
+/* Set impersonation or restricted token. */
+void set_imp_token (HANDLE token, int type);
/* Function creating a token by calling NtCreateToken. */
HANDLE create_token (cygsid &usersid, user_groups &groups, struct passwd * pw);
/* LSA authentication function. */
HANDLE lsaauth (cygsid &, user_groups &, struct passwd *);
+/* LSA private key storage authentication, same as when using service logons. */
+HANDLE lsaprivkeyauth (struct passwd *pw);
/* Verify an existing token */
bool verify_token (HANDLE token, cygsid &usersid, user_groups &groups, bool *pintern = NULL);
/* Get groups of a user */
bool get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw);
/* Extract U-domain\user field from passwd entry. */
-void extract_nt_dom_user (const struct passwd *pw, char *domain, char *user);
+void extract_nt_dom_user (const struct passwd *pw, PWCHAR domain, PWCHAR user);
/* Get default logonserver for a domain. */
-bool get_logon_server (const char * domain, char * server, WCHAR *wserver,
- bool rediscovery);
+bool get_logon_server (PWCHAR domain, PWCHAR wserver, bool rediscovery);
+
+HANDLE open_local_policy (ACCESS_MASK access);
/* sec_helper.cc: Security helper functions. */
int set_privilege (HANDLE token, DWORD privilege, bool enable);
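Review bot: `extract_nt_dom_user` now fills `PWCHAR domain` and `PWCHAR user`, and `get_logon_server` presumably fills `PWCHAR wserver`, with no length parameter on either, so the required buffer capacity is an unwritten contract with every caller. The switch from char to WCHAR changes the byte size each caller has to provide, which is when such a contract tends to get broken. Either document the minimum element count next to each prototype, e.g. `/* domain and user must each hold at least <N> WCHARs. */` with N taken from the implementation, or add explicit size arguments. `open_local_policy` in the same hunk also has no comment on its failure value or on how the returned handle is to be released.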
#define pop_self_privilege() pop_thread_privilege()
/* shared.cc: */
-/* Retrieve a security descriptor that allows all access */
-SECURITY_DESCRIPTOR *__stdcall get_null_sd ();
/* Various types of security attributes for use in Create* functions. */
extern SECURITY_ATTRIBUTES sec_none, sec_none_nih, sec_all, sec_all_nih;
-extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID sa_buf, PSID sid1, PSID sid2,
- DWORD access2, BOOL inherit)
- __attribute__ ((regparm (3)));
+extern SECURITY_ATTRIBUTES *__stdcall __sec_user (PVOID, PSID, PSID,
+ DWORD, BOOL)
+ __attribute__ ((regparm (3)));
+extern PSECURITY_DESCRIPTOR _everyone_sd (void *buf, ACCESS_MASK access);
+#define everyone_sd(access) (_everyone_sd (alloca (SD_MIN_SIZE), (access)))
+
+#define sec_none_cloexec(f) (((f) & O_CLOEXEC ? &sec_none_nih : &sec_none))
+
extern bool sec_acl (PACL acl, bool original, bool admins, PSID sid1 = NO_SID,
PSID sid2 = NO_SID, DWORD access2 = 0);
-ssize_t __stdcall read_ea (HANDLE hdl, path_conv &pc, const char *name,
- char *value, size_t size);
-int __stdcall write_ea (HANDLE hdl, path_conv &pc, const char *name,
- const char *value, size_t size, int flags);
+ssize_t __stdcall read_ea (HANDLE, path_conv &, const char *,
+ char *, size_t)
+ __attribute__ ((regparm (3)));
+int __stdcall write_ea (HANDLE, path_conv &, const char *, const char *,
+ size_t, int)
+ __attribute__ ((regparm (3)));
/* Note: sid1 is usually (read: currently always) the current user's
effective sid (cygheap->user.sid ()). */
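Review bot: The new `everyone_sd(access)` macro calls alloca inside the argument list of `_everyone_sd`, so the descriptor it yields lives in the stack frame of whichever function expands the macro. The result must therefore not be stored or returned past that function, and expanding the macro inside a loop grows the stack by SD_MIN_SIZE per iteration; the glibc manual also warns against alloca in a call's argument list. A comment above the macro, e.g. `/* Result is stack memory of the calling function; do not keep it beyond that function and do not use in loops. */`, would make that explicit. SD_MIN_SIZE itself only has room for a DACL with a single ACE whose SID is at most MAX_SID_LEN bytes, which is worth stating where it is defined.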
{
return __sec_user (sa_buf, sid1, sid2, access2, TRUE);
}
+
#endif /*_SECURITY_H*/