* Makefile.in (DLL_OFILES): Add setlsapwd.o.

	* cygserver.h (CYGWIN_SERVER_VERSION_API): Bump.
	(request_code_t): Define CYGSERVER_REQUEST_SETPWD request type.
	* cygserver_msg.h (client_request_msg::retval): Use default value of -1
	for retval if msglen is 0.
	* cygserver_sem.h (client_request_sem::retval): Ditto.
	* cygserver_shm.h (client_request_shm::retval): Ditto.
	* cygserver_setpwd.h: New file.
	* external.cc (cygwin_internal): Implement new CW_SET_PRIV_KEY type.
	* sec_auth.cc (open_local_policy): Make externally available.
	Get ACCESS_MASK as argument.
	(create_token): Accommodate change to open_local_policy.
	(lsaauth): Ditto.
	(lsaprivkeyauth): New function fetching token by retrieving
	password stored in Cygwin or Interix LSA private data area and
	calling LogonUser with it.
	* security.h (lsaprivkeyauth): Declare.
	(open_local_policy): Declare.
	* setlsapwd.cc: New file implementing setting LSA private data password
	using LsaStorePrivateData or by calling cygserver if available.
	* syscalls.cc (seteuid32): Add workaround to get the original token
	when switching back to the original privileged user, even if
	setgroups group list is still active.  Add long comment to explain why.
	Call lsaprivkeyauth first, only if that fails call lsaauth or
	create_token.
	* include/cygwin/version.h: Bump API minor number.
	* include/sys/cygwin.h (cygwin_getinfo_types): Add CW_SET_PRIV_KEY.

1 files changed, 90 insertions, 0 deletions

diff --git a/winsup/cygwin/setlsapwd.cc b/winsup/cygwin/setlsapwd.cc
new file mode 100644
index 000000000..34284afd3
--- /dev/null
+++ b/winsup/cygwin/setlsapwd.cc
@@ -0,0 +1,90 @@
+/* setlsapwd.cc: Set LSA private data password for current user.
+
+   Copyright 2008 Red Hat, Inc.
+
+This file is part of Cygwin.
+
+This software is a copyrighted work licensed under the terms of the
+Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
+details. */
+
+#include "winsup.h"
+#include "shared_info.h"
+#include "cygerrno.h"
+#include "path.h"
+#include "fhandler.h"
+#include "dtable.h"
+#include "cygheap.h"
+#include "security.h"
+#include "cygserver_setpwd.h"
+#include "ntdll.h"
+#include <ntsecapi.h>
+#include <stdlib.h>
+#include <wchar.h>
+
+#ifdef USE_SERVER
+/*
+ * client_request_setpwd Constructor
+ */
+
+client_request_setpwd::client_request_setpwd (PUNICODE_STRING passwd)
+  : client_request (CYGSERVER_REQUEST_SETPWD, &_parameters, sizeof (_parameters))
+{
+  memset (_parameters.in.passwd, 0, sizeof _parameters.in.passwd);
+  if (passwd->Length > 0 && passwd->Length < 256 * sizeof (WCHAR))
+    wcpncpy (_parameters.in.passwd, passwd->Buffer, 255);
+
+  msglen (sizeof (_parameters.in));
+}
+
+#endif /* USE_SERVER */
+
+unsigned long
+setlsapwd (const char *passwd)
+{
+  unsigned long ret = (unsigned long) -1;
+  HANDLE lsa = INVALID_HANDLE_VALUE;
+  WCHAR sid[128];
+  WCHAR key_name[128 + wcslen (CYGWIN_LSA_KEY_PREFIX)];
+  PWCHAR data_buf = NULL;
+  UNICODE_STRING key;
+  UNICODE_STRING data;
+
+  wcpcpy (wcpcpy (key_name, CYGWIN_LSA_KEY_PREFIX),
+	  cygheap->user.get_windows_id (sid));
+  RtlInitUnicodeString (&key, key_name);
+  if (!passwd || ! *passwd
+      || sys_mbstowcs_alloc (&data_buf, HEAP_NOTHEAP, passwd))
+    {
+      NTSTATUS status = STATUS_ACCESS_DENIED;
+
+      memset (&data, 0, sizeof data);
+      if (data_buf)
+	RtlInitUnicodeString (&data, data_buf);
+      /* First try it locally.  Works for admin accounts. */
+      if ((lsa = open_local_policy (POLICY_CREATE_SECRET))
+	  != INVALID_HANDLE_VALUE)
+	{
+	  status = LsaStorePrivateData (lsa, &key, data.Length ? &data : NULL);
+	  if (NT_SUCCESS (status))
+	    ret = 0;
+	  LsaClose (lsa);
+	}
+      if (ret)
+#ifdef USE_SERVER
+	{
+	  /* If that fails, ask cygserver. */
+	  client_request_setpwd request (&data);
+	  if (request.make_request () == -1 || request.error_code ())
+	    set_errno (request.error_code ());
+	  else
+	    ret = 0;
+	}
+#else
+      __seterrno_from_nt_status (status);
+#endif
+      if (data_buf)
+	free (data_buf);
+    }
+  return ret;
+}