cygwin.com/git/newlib-cygwin.git
author Corinna Vinschen <corinna@vinschen.de> 2006-07-25 23:23:23 +0400
committer Corinna Vinschen <corinna@vinschen.de> 2006-07-25 23:23:23 +0400
commit 70e476d27be8e49146c49e8d6e1319100b84d5eb (patch)
tree 1827e4d9dec3e1eb523db1df6a53e64c1c234518 /winsup/cygwin/security.cc
parent e9d500b6a04e842ffaf04fd1cb6048b44fb99e67 (diff)
2006-07-25 Corinna Vinschen <corinna@vinschen.de>

* include/cygwin/version.h: Bump DLL version to 1.7.0.

2006-07-25 Corinna Vinschen <corinna@vinschen.de>

* select.h: Remove.
* fhandler_socket.cc: Don't include select.h.
* select.cc: Ditto.

2006-07-25 Corinna Vinschen <corinna@vinschen.de>

* cygtls.h: Drop socket related includes.
  (struct _local_storage): Remove exitsock and exitsock_sin. Add select_sockevt.
* cygtls.cc: Accommodate above change throughout.
* fhandler.h (class fhandler_socket): Make wsock_evt public.
* fhandler_socket.cc (fhandler_socket::fhandler_socket): Accommodate reordering members.
  (fhandler_socket::evaluate_events): Drop FD_CONNECT event as soon as it gets read once. Never remove FD_WRITE event here.
  (fhandler_socket::wait_for_events): Wait 50 ms instead of INFINITE for socket events.
  (fhandler_socket::accept): Fix conditional. Set wsock_events members of accepted socket to useful start values.
  (fhandler_socket::recv_internal): Always drop FD_READ/FD_OOB events from wsock_events after the call to WSARecvFrom.
  (fhandler_socket::send_internal): Drop FD_WRITE event from wsock_events if the call to WSASendTo fails with WSAEWOULDBLOCK. Fix return value condition.
* select.cc (struct socketinf): Change to accommodate using socket event handling.
  (peek_socket): Use event handling for peeking socket.
  (thread_socket): Ditto.
  (start_thread_socket): Ditto.
  (socket_cleanup): Same here.
* tlsoffsets.h: Regenerate.

2006-07-20 Corinna Vinschen <corinna@vinschen.de>

* fhandler.h (class fhandler_socket): Rearrange slightly to keep event handling methods and members together. Drop owner status flag. Split wait method. Rename event handling methods for readability.
* fhandler_socket.cc (struct wsa_event): Add owner field.
  (LOCK_EVENTS): New macro.
  (UNLOCK_EVENTS): Ditto.
  (fhandler_socket::init_events): Rename from prepare.
  (fhandler_socket::evaluate_events): First half of former wait method. Do everything but wait. Allow specifying whether or not events from event_mask should be erased from wsock_events->events. Simplify OOB handling. Allow sending SIGURG to any process (group).
  (fhandler_socket::wait_for_events): Second half of former wait method. Call evaluate_events and wait in a loop if socket is blocking.
  (fhandler_socket::release_events): Rename from release.
  (fhandler_socket::connect): Accommodate above name changes.
  (fhandler_socket::accept): Ditto.
  (fhandler_socket::recv_internal): Ditto.
  (fhandler_socket::send_internal): Ditto.
  (fhandler_socket::close): Ditto.
  (fhandler_socket::fcntl): Always set owner to given input value on F_SETOWN. Handle F_GETOWN.
* net.cc (fdsock): Accommodate above name changes.

2006-07-20 Corinna Vinschen <corinna@vinschen.de>

* fhandler_socket.cc (fhandler_socket::wait): Set Winsock errno to WSAEWOULDBLOCK instead of WSAEINPROGRESS.

2006-07-18 Brian Ford <Brian.Ford@FlightSafety.com>
           Corinna Vinschen <corinna@vinschen.de>

* winsup.h (mmap_region_status): New enum.
  (mmap_is_attached_or_noreserve_page): Adjust prototype and rename as below.
* mmap.cc (mmap_is_attached_or_noreserve_page): Rename mmap_is_attached_or_noreserve. Add region length parameter. Return enum above.
* exceptions.cc (_cygtls::handle_exceptions): Accommodate above.
* fhandler.cc (fhandler_base::raw_read): Call above for NOACCESS errors and retry on success to allow reads into untouched MAP_NORESERVE buffers.

2006-07-18 Corinna Vinschen <corinna@vinschen.de>

* cygwin.din (posix_openpt): Export.
* tty.cc (posix_openpt): New function.
* include/cygwin/stdlib.h (posix_openpt): Declare.
* include/cygwin/version.h: Bump API minor number.

2006-07-14 Corinna Vinschen <corinna@vinschen.de>

* security.cc (get_token_group_sidlist): Always add the interactive group to the token. Add comment. Create logon_id group SID by copying it from incoming group list.
  (create_token): Add subauth_token parameter. Use information in subauth_token if present. Tweak SourceIdentifier if subauth_token is present for debugging purposes.
* security.h (create_token): Add subauth_token parameter in declaration.
* syscalls.cc (seteuid32): Call subauth first. Call create_token regardless. Use subauth token in call to create_token if subauth succeeded.

2006-07-13 Corinna Vinschen <corinna@vinschen.de>

* include/netinet/in.h: Update copyright.

2006-07-13 Corinna Vinschen <corinna@vinschen.de>

* fhandler_socket.cc (fhandler_socket::wait): Rework function so that WaitForMultipleObjects is really only called when necessary.

2006-07-12 Corinna Vinschen <corinna@vinschen.de>

* include/netdb.h: Declare rcmd, rcmd_af, rexec, rresvport, rresvport_af, iruserok, iruserok_sa, ruserok.

2006-07-12 Corinna Vinschen <corinna@vinschen.de>

* Makefile.in (DLL_OFILES): Drop iruserok.o. Add rcmd.o.
* autoload.cc (rcmd): Drop definition.
* cygwin.din: Export bindresvport, bindresvport_sa, iruserok_sa, rcmd_af, rresvport_af.
* net.cc (cygwin_rcmd): Remove.
  (last_used_bindresvport): Rename from last_used_rrecvport.
  (cygwin_bindresvport_sa): New function implementing bindresvport_sa.
  (cygwin_bindresvport): New function implementing bindresvport.
  (cygwin_rresvport): Remove.
* include/cygwin/version.h: Bump API minor number.
* include/netinet/in.h: Declare bindresvport and bindresvport_sa.
* libc/iruserok.c: Remove file.
* libc/rcmd.cc: New file implementing rcmd, rcmd_af, rresvport, rresvport_af, iruserok_sa, iruserok and ruserok.

2006-07-12 Corinna Vinschen <corinna@vinschen.de>

* fhandler_socket.cc (fhandler_socket::getsockname): Return valid result for unbound sockets.

2006-07-11 Corinna Vinschen <corinna@vinschen.de>

* fhandler_socket.cc (fhandler_socket::fixup_after_fork): Handle wsock_mtx and wsock_evt on fork, thus handling close_on_exec correctly.
  (fhandler_socket::fixup_after_exec): Drop misguided attempt to handle close_on_exec here.
  (fhandler_socket::dup): Call fixup_after_fork with NULL parent. Add comment.
  (fhandler_socket::set_close_on_exec): Handle wsock_mtx and wsock_evt.

2006-07-10 Corinna Vinschen <corinna@vinschen.de>

* fhandler.h (class fhandler_socket): Add wsock_mtx, wsock_evt and wsock_events members. Remove closed status flag, add listener status flag. Accommodate new implementation of socket event handling methods. Declare recv* and send* functions ssize_t as the POSIX equivalents.
  (fhandler_socket::recv_internal): Declare.
  (fhandler_socket::send_internal): Ditto.
* fhandler_socket.cc (EVENT_MASK): Define mask of selected events.
  (fhandler_socket::fhandler_socket): Initialize new members.
  (fhandler_socket::af_local_setblocking): Don't actually set the socket to blocking mode. Keep sane event selection.
  (fhandler_socket::af_local_unsetblocking): Don't actually set the socket to previous blocking setting, just remember it.
  (struct wsa_event): New structure to keep event data per shared socket.
  (NUM_SOCKS): Define number of shared sockets concurrently handled by all active Cygwin processes.
  (wsa_events): New shared data structure keeping all wsa_event records.
  (socket_serial_number): New shared variable to identify shared sockets.
  (wsa_slot_mtx): Global mutex to serialize wsa_events access.
  (search_wsa_event_slot): New static function to select a new wsa_event slot for a new socket.
  (fhandler_socket::prepare): Rewrite. Prepare event selection per new socket.
  (fhandler_socket::wait): Rewrite. Wait for socket events in thread safe and multiple process safe.
  (fhandler_socket::release): Rewrite. Close per-socket descriptor mutex handle and event handle.
  (fhandler_socket::dup): Duplicate wsock_mtx and wsock_evt. Fix copy-paste error in debug output.
  (fhandler_socket::connect): Accommodate new event handling.
  (fhandler_socket::listen): Set listener flag on successful listen.
  (fhandler_socket::accept): Accommodate new event handling.
  (fhandler_socket::recv_internal): New inline method centralizing common recv code.
  (fhandler_socket::recvfrom): Call recv_internal now.
  (fhandler_socket::recvmsg): Ditto. Streamline copying from iovec to WSABUF.
  (fhandler_socket::send_internal): New inline method centralizing common send code.
  (fhandler_socket::sendto): Call send_internal now.
  (fhandler_socket::sendmsg): Ditto. Streamline copying from iovec to WSABUF.
  (fhandler_socket::close): Call release now.
  (fhandler_socket::ioctl): Never actually switch to blocking mode. Just keep track of the setting.
* net.cc (fdsock): Call prepare now.
  (cygwin_connect): Revert again to event driven technique.
  (cygwin_accept): Ditto.
* poll.cc (poll): Don't call recvfrom on a listening socket. Remove special case for failing recvfrom.
* include/sys/socket.h: Declare recv* and send* functions ssize_t as requested by POSIX.

2006-07-07 Corinna Vinschen <corinna@vinschen.de>

* net.cc (cygwin_inet_ntop): Fix data type of fourth parameter.

2006-07-06 Corinna Vinschen <corinna@vinschen.de>

* include/cygwin/in6.h (struct in6_addr): Fix typo.

2006-07-06 Corinna Vinschen <corinna@vinschen.de>

* cygwin.din: Export in6addr_any, in6addr_loopback, freeaddrinfo, gai_strerror, getaddrinfo, getnameinfo.
* fhandler_socket.cc: Include cygwin/in6.h.
  (get_inet_addr): Accommodate AF_INET6 usage.
  (fhandler_socket::connect): Ditto.
  (fhandler_socket::listen): Ditto.
  (fhandler_socket::sendto): Ditto.
* net.cc: Include cygwin/in6.h.
  (in6addr_any): Define.
  (in6addr_loopback): Define.
  (cygwin_socket): Accommodate AF_INET6 usage.
  (socketpair): Bind socketpairs only to loopback for security.
  (inet_pton4): New static function.
  (inet_pton6): Ditto.
  (cygwin_inet_pton): New AF_INET6 aware inet_pton implementation.
  (inet_ntop4): New static function.
  (inet_ntop6): Ditto.
  (cygwin_inet_ntop): New AF_INET6 aware inet_ntop implementation.
  (ga_aistruct): New static function.
  (ga_clone): Ditto.
  (ga_echeck): Ditto.
  (ga_nsearch): Ditto.
  (ga_port): Ditto.
  (ga_serv): Ditto.
  (ga_unix): Ditto.
  (gn_ipv46): Ditto.
  (ipv4_freeaddrinfo): Ditto.
  (ipv4_getaddrinfo): Ditto.
  (ipv4_getnameinfo): Ditto.
  (gai_errmap_t): New structure holding error code - error string mapping.
  (cygwin_gai_strerror): New function implementing gai_strerror.
  (w32_to_gai_err): New static function.
  (get_ipv6_funcs): Ditto.
  (load_ipv6_funcs): Ditto.
  (cygwin_freeaddrinfo): New function implementing freeaddrinfo.
  (cygwin_getaddrinfo): New function implementing getaddrinfo.
  (cygwin_getnameinfo): New function implementing getnameinfo.
* include/netdb.h: Include stdint.h and cygwin/socket.h. Define data types and macros used by getaddrinfo and friends. Declare freeaddrinfo, gai_strerror, getaddrinfo and getnameinfo.
* include/cygwin/in.h: Add IPv6 related IPPROTOs. Remove definition of struct sockaddr_in6. Include cygwin/in6.h instead.
* include/cygwin/in6.h: New header file defining IPv6 related data types and macros.
* include/cygwin/socket.h: Enable AF_INET6 and PF_INET6. Add IPv6 related socket options.
* include/cygwin/version.h: Bump API minor number.

2006-07-06 Corinna Vinschen <corinna@vinschen.de>

* autoload.cc (DsGetDcNameA): Define.
  (NetGetAnyDCName): Define.
* security.cc: Include dsgetdc.h.
  (DsGetDcNameA): Declare.
  (DS_FORCE_REDISCOVERY): Define.
  (get_logon_server): Add bool parameter to control rediscovery of DC. Use DsGetDcNameA function if supported, NetGetDCName/NetGetAnyDCName otherwise.
  (get_server_groups): Rediscover DC if get_user_groups fails and try again.
  (get_reg_security): Use correct error code macro when testing RegGetKeySecurity return value.
* security.h (get_logon_server): Remove default value from wserver parameter. Add rediscovery parameter.
* uinfo.cc (cygheap_user::env_logsrv): Accommodate rediscovery parameter in call to get_logon_server.

Diffstat (limited to 'winsup/cygwin/security.cc')
-rw-r--r-- winsup/cygwin/security.cc 126
1 files changed, 95 insertions, 31 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 23f86e369..0970805ec 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -28,6 +28,7 @@ details. */
#include <ntsecapi.h>
#include <subauth.h>
#include <aclapi.h>
+#include <dsgetdc.h>
#include "cygerrno.h"
#include "security.h"
#include "path.h"
@@ -208,13 +209,21 @@ close_local_policy (LSA_HANDLE &lsa)
lsa = INVALID_HANDLE_VALUE;
}
+/* CV, 2006-07-06: Missing in w32api. */
+extern "C" DWORD WINAPI DsGetDcNameA (LPCSTR, LPCSTR, GUID *, LPCSTR, ULONG,
+ PDOMAIN_CONTROLLER_INFOA *);
+#define DS_FORCE_REDISCOVERY 1
+
bool
-get_logon_server (const char *domain, char *server, WCHAR *wserver)
+get_logon_server (const char *domain, char *server, WCHAR *wserver,
+ bool rediscovery)
{
- WCHAR wdomain[INTERNET_MAX_HOST_NAME_LENGTH + 1];
- NET_API_STATUS ret;
+ DWORD dret;
+ PDOMAIN_CONTROLLER_INFOA pci;
+ NET_API_STATUS nret;
WCHAR *buf;
DWORD size = INTERNET_MAX_HOST_NAME_LENGTH + 1;
+ WCHAR wdomain[size];
/* Empty domain is interpreted as local system */
if ((GetComputerName (server + 2, &size)) &&
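Review bot: `WCHAR wdomain[size];` in the new declarations sizes the array from the non-const `DWORD size`, which turns it into a variable-length array (a compiler extension in C++) and ties its length to a variable that is then handed to GetComputerName by address. Keep the constant expression `INTERNET_MAX_HOST_NAME_LENGTH + 1` in the declaration, as the removed line did. Separately, `#define DS_FORCE_REDISCOVERY 1` is unconditional even though <dsgetdc.h> is now included; an `#ifndef DS_FORCE_REDISCOVERY` guard would avoid a redefinition once the header supplies it.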
@@ -226,18 +235,37 @@ get_logon_server (const char *domain, char *server, WCHAR *wserver)
return true;
}
- /* Try to get the primary domain controller for the domain */
- sys_mbstowcs (wdomain, domain, INTERNET_MAX_HOST_NAME_LENGTH + 1);
- if ((ret = NetGetDCName (NULL, wdomain, (LPBYTE *) &buf)) == STATUS_SUCCESS)
+ /* Try to get any available domain controller for this domain */
+ dret = DsGetDcNameA (NULL, domain, NULL, NULL,
+ rediscovery ? DS_FORCE_REDISCOVERY : 0, &pci);
+ if (dret == ERROR_SUCCESS)
{
- sys_wcstombs (server, INTERNET_MAX_HOST_NAME_LENGTH + 1, buf);
- if (wserver)
- for (WCHAR *ptr1 = buf; (*wserver++ = *ptr1++);)
- ;
- NetApiBufferFree (buf);
+ strcpy (server, pci->DomainControllerName);
+ sys_mbstowcs (wserver, server, INTERNET_MAX_HOST_NAME_LENGTH + 1);
+ NetApiBufferFree (pci);
+ debug_printf ("DC: rediscovery: %d, server: %s", rediscovery, server);
return true;
}
- __seterrno_from_win_error (ret);
+ else if (dret == ERROR_PROC_NOT_FOUND)
+ {
+ /* NT4 w/o DSClient */
+ sys_mbstowcs (wdomain, domain, INTERNET_MAX_HOST_NAME_LENGTH + 1);
+ if (rediscovery)
+ nret = NetGetAnyDCName (NULL, wdomain, (LPBYTE *) &buf);
+ else
+ nret = NetGetDCName (NULL, wdomain, (LPBYTE *) &buf);
+ if (nret == NERR_Success)
+ {
+ sys_wcstombs (server, INTERNET_MAX_HOST_NAME_LENGTH + 1, buf);
+ if (wserver)
+ for (WCHAR *ptr1 = buf; (*wserver++ = *ptr1++);)
+ ;
+ NetApiBufferFree (buf);
+ debug_printf ("NT: rediscovery: %d, server: %s", rediscovery, server);
+ return true;
+ }
+ }
+ __seterrno_from_win_error (nret);
return false;
}
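Review bot: `__seterrno_from_win_error (nret)` at the end of the function reads `nret` uninitialized whenever DsGetDcNameA fails with anything other than ERROR_PROC_NOT_FOUND, because `nret` is only assigned inside the NT4 fallback branch; the real failure code in `dret` is dropped. Track one status variable, or set errno from `dret` on that path. Two smaller points in the DsGetDcNameA success branch: `strcpy (server, pci->DomainControllerName)` is an unbounded copy into the caller's buffer while the fallback branch bounds its copy with INTERNET_MAX_HOST_NAME_LENGTH + 1, and `sys_mbstowcs (wserver, server, ...)` runs without the `if (wserver)` check that the removed code and the fallback branch both keep, so a NULL `wserver` is now written through.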
@@ -473,7 +501,11 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
grp_list += well_known_network_sid;
if (sid_in_token_groups (my_grps, well_known_batch_sid))
grp_list += well_known_batch_sid;
- if (sid_in_token_groups (my_grps, well_known_interactive_sid))
+ /* This is a problem on 2K3 (only domain controllers?!?) which only
+ enables tools for selected special groups. A subauth token is
+ only NETWORK, but NETWORK has no access to these tools. Therefore
+ we always add INTERACTIVE here. */
+ /*if (sid_in_token_groups (my_grps, well_known_interactive_sid))*/
grp_list += well_known_interactive_sid;
if (sid_in_token_groups (my_grps, well_known_service_sid))
grp_list += well_known_service_sid;
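Review bot: `grp_list += well_known_interactive_sid;` is now unconditional, so every token built from this list carries INTERACTIVE, while the new comment only justifies it for subauth (NETWORK) tokens on 2K3. That widens group membership for all callers, not just the case described. Consider limiting the unconditional add to the subauth case and keeping the `sid_in_token_groups` test otherwise. Either way, delete the commented-out `/*if (...)*/` line rather than leaving dead code next to a security-relevant decision.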
@@ -485,11 +517,13 @@ get_token_group_sidlist (cygsidlist &grp_list, PTOKEN_GROUPS my_grps,
}
if (get_ll (auth_luid) != 999LL) /* != SYSTEM_LUID */
{
- char buf[64];
- __small_sprintf (buf, "S-1-5-5-%u-%u", auth_luid.HighPart,
- auth_luid.LowPart);
- grp_list += buf;
- auth_pos = grp_list.count - 1;
+ for (DWORD i = 0; i < my_grps->GroupCount; ++i)
+ if (my_grps->Groups[i].Attributes & SE_GROUP_LOGON_ID)
+ {
+ grp_list += my_grps->Groups[i].Sid;
+ auth_pos = grp_list.count - 1;
+ break;
+ }
}
}
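Review bot: the new loop over `my_grps->Groups` can finish without finding an entry flagged SE_GROUP_LOGON_ID, and in that case neither the logon SID nor `auth_pos` is set, whereas the removed `__small_sprintf` path always set both. Please make sure `auth_pos` has a defined "not found" value on this path and that callers test it before indexing with it. Copying the existing SID instead of rebuilding it from `auth_luid` looks right for subauth tokens, but a debug_printf when no logon SID is found would make that case visible.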
@@ -511,7 +545,9 @@ get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw)
grp_list += well_known_world_sid;
grp_list += well_known_authenticated_users_sid;
extract_nt_dom_user (pw, domain, user);
- if (get_logon_server (domain, server, wserver))
+ if (get_logon_server (domain, server, wserver, false)
+ && !get_user_groups (wserver, grp_list, user, domain)
+ && get_logon_server (domain, server, wserver, true))
get_user_groups (wserver, grp_list, user, domain);
get_unix_group_sidlist (pw, grp_list);
return get_user_local_groups (grp_list, usersid);
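Review bot: in the new three-part condition, forced rediscovery is only attempted when the first `get_logon_server (..., false)` succeeds and `get_user_groups` then fails; if the non-rediscovery lookup itself fails, `get_logon_server (..., true)` is never tried. If a stale cached DC can make the first lookup fail, that case deserves a retry too. The side-effecting `get_user_groups` call inside the `if` condition is also hard to read; spelling the sequence out as explicit statements would make the retry logic reviewable at a glance.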
@@ -780,7 +816,8 @@ done:
}
HANDLE
-create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
+create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw,
+ HANDLE subauth_token)
{
NTSTATUS ret;
LSA_HANDLE lsa = INVALID_HANDLE_VALUE;
@@ -803,7 +840,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
TOKEN_STATISTICS stats;
memcpy (source.SourceName, "Cygwin.1", 8);
source.SourceIdentifier.HighPart = 0;
- source.SourceIdentifier.LowPart = 0x0101;
+ source.SourceIdentifier.LowPart = (subauth_token ? 0x0102 : 0x0101);
HANDLE token = INVALID_HANDLE_VALUE;
HANDLE primary_token = INVALID_HANDLE_VALUE;
@@ -824,33 +861,60 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
owner.Owner = usersid;
/* Retrieve authentication id and group list from own process. */
- if (hProcToken)
+ HANDLE get_token;
+ if (subauth_token)
+ {
+ debug_printf ("get_token = subauth_token");
+ get_token = subauth_token;
+ }
+ else
+ {
+ debug_printf ("get_token = hProcToken");
+ get_token = hProcToken;
+ }
+ if (get_token)
{
/* Switching user context to SYSTEM doesn't inherit the authentication
id of the user account running current process. */
if (usersid != well_known_system_sid)
- if (!GetTokenInformation (hProcToken, TokenStatistics,
+ if (!GetTokenInformation (get_token, TokenStatistics,
&stats, sizeof stats, &size))
debug_printf
- ("GetTokenInformation(hProcToken, TokenStatistics), %E");
+ ("GetTokenInformation(get_token, TokenStatistics), %E");
else
auth_luid = stats.AuthenticationId;
/* Retrieving current processes group list to be able to inherit
some important well known group sids. */
- if (!GetTokenInformation (hProcToken, TokenGroups, NULL, 0, &size) &&
- GetLastError () != ERROR_INSUFFICIENT_BUFFER)
- debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E");
+ if (!GetTokenInformation (get_token, TokenGroups, NULL, 0, &size)
+ && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+ debug_printf ("GetTokenInformation(get_token, TokenGroups), %E");
else if (!(my_tok_gsids = (PTOKEN_GROUPS) malloc (size)))
debug_printf ("malloc (my_tok_gsids) failed.");
- else if (!GetTokenInformation (hProcToken, TokenGroups, my_tok_gsids,
+ else if (!GetTokenInformation (get_token, TokenGroups, my_tok_gsids,
size, &size))
{
- debug_printf ("GetTokenInformation(hProcToken, TokenGroups), %E");
+ debug_printf ("GetTokenInformation(get_token, TokenGroups), %E");
free (my_tok_gsids);
my_tok_gsids = NULL;
}
}
+ if (subauth_token)
+ {
+ if (!GetTokenInformation (subauth_token, TokenPrivileges, NULL, 0, &size)
+ && GetLastError () != ERROR_INSUFFICIENT_BUFFER)
+ debug_printf ("GetTokenInformation(subauth_token, TokenPrivileges), %E");
+ else if (!(privs = (PTOKEN_PRIVILEGES) malloc (size)))
+ debug_printf ("malloc (privs) failed.");
+ else if (!GetTokenInformation (subauth_token, TokenPrivileges, privs,
+ size, &size))
+ {
+ debug_printf ("GetTokenInformation(subauth_token, TokenPrivileges), %E");
+ free (privs);
+ privs = NULL;
+ }
+ }
+
/* Create list of groups, the user is member in. */
int auth_pos;
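Review bot: `if (subauth_token)` treats any non-NULL handle as a usable token, but this function itself uses INVALID_HANDLE_VALUE as its "no token" sentinel (`HANDLE token = INVALID_HANDLE_VALUE;`), and that value is non-NULL. Document that callers must pass NULL for "no subauth token", or test against both values here. Also note that the new TokenPrivileges block makes the created token inherit whatever privileges the subauth token carries instead of the list computed by get_priv_list; a comment stating that this is intended would help. The size-query/malloc/fetch sequence is now written out twice and could be a small helper.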
@@ -878,7 +942,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
new_tok_gsids->Groups[auth_pos].Attributes |= SE_GROUP_LOGON_ID;
/* Retrieve list of privileges of that user. */
- if (!(privs = get_priv_list (lsa, usersid, tmp_gsids)))
+ if (!privs && !(privs = get_priv_list (lsa, usersid, tmp_gsids)))
goto out;
/* Let's be heroic... */
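Review bot: `if (!privs && !(privs = get_priv_list (...)))` only works if `privs` is initialized to NULL at its declaration, which is outside the visible lines; please confirm that. `privs` now has two possible origins, the `malloc` in the subauth block and get_priv_list, so the cleanup at `out:` must release both the same way.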
@@ -1299,7 +1363,7 @@ get_reg_security (HANDLE handle, security_descriptor &sd_ret)
| OWNER_SECURITY_INFORMATION,
sd_ret, &len);
}
- if (ret != STATUS_SUCCESS)
+ if (ret != ERROR_SUCCESS)
{
__seterrno ();
return -1;
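Review bot: with the comparison now against ERROR_SUCCESS, `ret` is treated as a Win32 error code returned directly by RegGetKeySecurity, yet the failure path still calls `__seterrno ()` with no argument. If that variant derives errno from GetLastError (), it can pick up an unrelated value; passing the code explicitly, as `__seterrno_from_win_error (nret)` does in get_logon_server, would be more reliable here.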