diff options
| author | Corinna Vinschen <corinna@vinschen.de> | 2014-02-09 23:44:56 +0400 |
|---|---|---|
| committer | Corinna Vinschen <corinna@vinschen.de> | 2014-02-09 23:44:56 +0400 |
| commit | 1ca20a1cd208e95f5e38ed8b8bcc6a2dad376228 (patch) | |
| tree | 0c90ef25cc428eed933d882d3d73c333a42c6319 /winsup/cygwin/security.h | |
| parent | 01fc6f8d21299ef8e196d2155cd35973d08f398e (diff) | |
Introduce reading passwd/group entries from SAM/AD. Introduce
/etc/nsswitch.conf file to configure it.
* Makefile.in (DLL_OFILES): Add ldap.o.
* autoload.cc: Import ldap functions from wldap32.dll.
(DsEnumerateDomainTrustsW): Import.
(NetGroupGetInfo): Import.
* cygheap.h (class cygheap_domain_info): New class to keep global
domain info.
(class cygheap_pwdgrp): New class to keep passwd/group caches and
configuration info from /etc/nssswitch.conf.
(struct init_cygheap): Add cygheap_domain_info member "dom" and
cygheap_pwdgrp member "pg".
* cygtls.h (struct _local_storage): Remove unused member "res".
Rearrange slightly, Add members pwbuf and grbuf to implement non-caching
passwd/group fetching from SAM/AD. Make pw_pos and pw_pos unsigned.
* fhandler_disk_file.cc (fhandler_base::fstat_by_nfs_ea): Add RFC 2307
uid/gid mapping.
* fhandler_process.cc: Drop including pwdgrp.h.
* fhandler_procsysvipc.cc: Ditto.
* fhandler_registry.cc (fhandler_registry::fstat): Set key uid/gid
to ILLEGAL_UID/ILLEGAL_GID rather than UNKNOWN_UID/UNKNOWN_GID.
* grp.cc (group_buf): Drop.
(gr): Drop.
(pwdgrp::parse_group): Fill pg_grp.
(pwdgrp::read_group): Remove.
(pwdgrp::init_grp): New method.
(pwdgrp::prep_tls_grbuf): New method.
(pwdgrp::find_group): New methods.
(internal_getgrsid): Convert to call new pwdgrp methods.
(internal_getgrnam): Ditto.
(internal_getgrgid): Ditto.
(getgrgid_r): Drop 2nd parameter from internal_getgrgid call.
(getgrgid32): Ditto.
(getgrnam_r): Ditto for internal_getgrnam.
(getgrnam32): Ditto.
(getgrent32): Convert to call new pwdgrp methods.
(internal_getgrent): Remove.
(internal_getgroups): Simplify, especially drop calls to
internal_getgrent.
* ldap.cc: New file implementing cyg_ldap class for LDAP access to AD
and RFC 2307 server.
* ldap.h: New header, declaring cyg_ldap class.
* passwd.cc (passwd_buf): Drop.
(pr): Drop.
(pwdgrp::parse_passwd): Fill pg_pwd.
(pwdgrp::read_passwd): Remove.
(pwdgrp::init_pwd): New method.
(pwdgrp::prep_tls_pwbuf): New method.
(find_user): New methods.
(internal_getpwsid): Convert to call new pwdgrp methods.
(internal_getpwnam): Ditto.
(internal_getpwuid): Ditto.
(getpwuid32): Drop 2nd parameter from internal_getpwuid call.
(getpwuid_r): Ditto.
(getpwnam): Ditto for internal_getpwnam.
(getpwnam_r): Ditto.
(getpwent): Convert to call new pwdgrp methods.
* path.cc (class etc): Remove all methods.
* path.h (class etc): Drop.
* pinfo.cc (pinfo_basic::pinfo_basic): Set gid to ILLEGAL_GID rather
than UNKNOWN_GID.
(pinfo_init): Ditto.
* pwdgrp.h (internal_getpwnam): Drop 2nd parameter from declaration.
(internal_getpwuid): Ditto.
(internal_getgrgid): Ditto.
(internal_getgrnam): Ditto.
(internal_getgrent): Drop declaration.
(enum fetch_user_arg_type_t): New type.
(struct fetch_user_arg_t): New type.
(struct pg_pwd): New type.
(struct pg_grp): New type.
(class pwdgrp): Rework to provide functions for file and db requests
and caching.
(class ugid_cache_t): New class to provide RFC 2307 uid map caching.
(ugid_cache): Declare.
* sec_acl.cc: Drop including pwdgrp.h.
* sec_auth.cc: Drop including dsgetdc.h and pwdgrp.h.
(get_logon_server): Convert third parameter to ULONG flags argument
to allow arbitrary flags values in DsGetDcNameW call and change calls
to this function throughout. Use cached account domain name rather
than calling GetComputerNameW.
(get_unix_group_sidlist): Remove.
(get_server_groups): Drop call to get_unix_group_sidlist.
(verify_token): Rework token group check without calling
internal_getgrent.
* sec_helper.cc (cygpsid::pstring): New methods, like string() but
return pointer to end of string.
(cygsid::getfromstr): Add wide character implementation.
(get_sids_info): Add RFC 2307 uid/gid mapping for Samba shares.
* security.cc: Drop including pwdgrp.h.
* security.h (DEFAULT_UID): Remove.
(UNKNOWN_UID): Remove.
(UNKNOWN_GID): Remove.
(uinfo_init): Move here from winsup.h.
(ILLEGAL_UID): Ditto.
(ILLEGAL_GID): Ditto.
(UNIX_POSIX_OFFSET): Define. Add lengthy comment.
(UNIX_POSIX_MASK): Ditto.
(MAP_UNIX_TO_CYGWIN_ID): Ditto.
(ILLEGAL_UID16): Move here from winsup.h.
(ILLEGAL_GID16): Ditto.
(uid16touid32): Ditto.
(gid16togid32): Ditto.
(sid_id_auth): New convenience macro for SID component access.
(sid_sub_auth_count): Ditto.
(sid_sub_auth): Ditto.
(sid_sub_auth_rid): Ditto.
(cygpsid::pstring): Declare.
(cygsid::getfromstr): Declare wide character variant.
(cygsid::operator=): Ditto.
(cygsid::operator*=): Ditto.
(get_logon_server): Change declaration according to source code.
* setlsapwd.cc (setlsapwd): Drop 2nd parameter from internal_getpwnam
call.
* shared.cc (memory_init): Call cygheap->pg.init in first process.
* syscalls.cc: Drop including pwdgrp.h.
* tlsoffsets.h: Regenerate.
* tlsoffsets64.h: Ditto.
* uinfo.cc (internal_getlogin): Drop gratuitious internal_getpwuid
call. Fix debug output. Overwrite user gid in border case of a
missing passwd file while a group file exists.
(pwdgrp::add_line): Allocate memory on cygheap.
(pwdgrp::load): Remove.
(ugid_cache): Define.
(cygheap_pwdgrp::init): New method.
(cygheap_pwdgrp::nss_init_line): New method.
(cygheap_pwdgrp::_nss_init): New method.
(cygheap_domain_info::init): New method.
(logon_sid): Define.
(get_logon_sid): New function.
(pwdgrp::add_account_post_fetch): New method.
(pwdgrp::add_account_from_file): New methods.
(pwdgrp::add_account_from_windows): New methods.
(pwdgrp::check_file): New method.
(pwdgrp::fetch_account_from_line): New method.
(pwdgrp::fetch_account_from_file): New method.
(pwdgrp::fetch_account_from_windows): New method.
* winsup.h: Move aforementioned macros and declarations to security.h.
Diffstat (limited to 'winsup/cygwin/security.h')
| -rw-r--r-- | winsup/cygwin/security.h | 49 |
1 files changed, 45 insertions, 4 deletions
diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h index 940afc5d7..8edd76833 100644 --- a/winsup/cygwin/security.h +++ b/winsup/cygwin/security.h @@ -12,14 +12,38 @@ details. */ #pragma once #include <accctrl.h> +#include <dsgetdc.h> /* Special file attribute set, for instance, in open() and mkdir() to flag that a file has just been created. Used in alloc_sd, see there. */ #define S_JUSTCREATED 0x80000000 -#define DEFAULT_UID DOMAIN_USER_RID_ADMIN -#define UNKNOWN_UID 400 /* Non conflicting number */ -#define UNKNOWN_GID 401 +/* UID/GID */ +void uinfo_init (); + +#define ILLEGAL_UID ((uid_t)-1) +#define ILLEGAL_GID ((gid_t)-1) + +/* For UNIX accounts not mapped to Windows accounts via winbind, Samba returns + SIDs of the form S-1-22-x-y, with x == 1 for users and x == 2 for groups, + and y == UNIX uid/gid. NFS returns no SIDs at all, but the plain UNIX + uid/gid values. + + UNIX uid/gid values are mapped to Cygwin uid/gid values 0xff000000 + + unix uid/gid. This *might* collide with a posix_offset of some trusted + domain, but it's *very* unlikely. Define the mapping as macro. */ +#define UNIX_POSIX_OFFSET (0xff000000) +#define UNIX_POSIX_MASK (0x00ffffff) +#define MAP_UNIX_TO_CYGWIN_ID(id) (UNIX_POSIX_OFFSET \ + | ((id) & UNIX_POSIX_MASK)) + +#ifndef __x86_64__ +#define ILLEGAL_UID16 ((__uid16_t)-1) +#define ILLEGAL_GID16 ((__gid16_t)-1) +#define uid16touid32(u16) ((u16)==ILLEGAL_UID16?ILLEGAL_UID:(uid_t)(u16)) +#define gid16togid32(g16) ((g16)==ILLEGAL_GID16?ILLEGAL_GID:(gid_t)(g16)) +#endif + #define MAX_SID_LEN 40 #define MAX_DACL_LEN(n) (sizeof (ACL) \ @@ -92,6 +116,16 @@ cygpsid NO_COPY name = (PSID) &name##_struct; #define FILE_WRITE_BITS (FILE_WRITE_DATA | GENERIC_WRITE | GENERIC_ALL) #define FILE_EXEC_BITS (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL) +/* Convenience macros. The Windows SID access functions are crude. */ +#define sid_id_auth(s) \ + (RtlIdentifierAuthoritySid (s)->Value[5]) +#define sid_sub_auth_count(s) \ + (*RtlSubAuthorityCountSid ((s))) +#define sid_sub_auth(s,i) \ + (*RtlSubAuthoritySid ((s),(i))) +#define sid_sub_auth_rid(s) \ + (*RtlSubAuthoritySid ((s), (*RtlSubAuthorityCountSid ((s)) - 1))) + #ifdef __cplusplus extern "C" { @@ -116,7 +150,9 @@ public: int get_uid () { return get_id (FALSE); } int get_gid () { return get_id (TRUE); } + PWCHAR pstring (PWCHAR nsidstr) const; PWCHAR string (PWCHAR nsidstr) const; + char *pstring (char *nsidstr) const; char *string (char *nsidstr) const; bool operator== (const PSID nsid) const @@ -142,6 +178,7 @@ class cygsid : public cygpsid { char sbuf[MAX_SID_LEN]; bool well_known_sid; + const PSID getfromstr (PCWSTR nsidstr, bool well_known); const PSID getfromstr (const char *nsidstr, bool well_known); PSID get_sid (DWORD s, DWORD cnt, DWORD *r, bool well_known); @@ -169,12 +206,16 @@ public: { return assign (nsid, nsid.well_known_sid); } inline const PSID operator= (const PSID nsid) { return assign (nsid, false); } + inline const PSID operator= (PCWSTR nsidstr) + { return getfromstr (nsidstr, false); } inline const PSID operator= (const char *nsidstr) { return getfromstr (nsidstr, false); } inline const PSID operator*= (cygsid &nsid) { return assign (nsid, true); } inline const PSID operator*= (const PSID nsid) { return assign (nsid, true); } + inline const PSID operator*= (PCWSTR nsidstr) + { return getfromstr (nsidstr, true); } inline const PSID operator*= (const char *nsidstr) { return getfromstr (nsidstr, true); } @@ -414,7 +455,7 @@ bool get_server_groups (cygsidlist &grp_list, PSID usersid, struct passwd *pw); /* Extract U-domain\user field from passwd entry. */ void extract_nt_dom_user (const struct passwd *pw, PWCHAR domain, PWCHAR user); /* Get default logonserver for a domain. */ -bool get_logon_server (PWCHAR domain, PWCHAR wserver, bool rediscovery); +bool get_logon_server (PWCHAR domain, PWCHAR wserver, ULONG flags); HANDLE lsa_open_policy (PWCHAR server, ACCESS_MASK access); void lsa_close_policy (HANDLE lsa); |