diff --git a/winsup/cygwin/ChangeLog b/winsup/cygwin/ChangeLog index f3c6bad29..eb1489b11 100644 --- a/winsup/cygwin/ChangeLog +++ b/winsup/cygwin/ChangeLog @@ -1,3 +1,14 @@ +2008-07-10 Corinna Vinschen + + * cyglsa.h (SECURITY_STRING): Define. + (enum _SECPKG_NAME_TYPE): Define. + (struct _SECPKG_CALL_INFO): Define. + (struct _LSA_SECPKG_FUNCS): Extend to full size. Define unused + functions lazily. + (cygprf_t): Define. + * sec_auth.cc (lsaauth): Use actual primary group if no admins group. + Add (disabled) code to fetch token from profil data. + 2008-07-09 Corinna Vinschen * sec_auth.cc (verify_token): Allow builtin groups missing in a token diff --git a/winsup/cygwin/cyglsa.h b/winsup/cygwin/cyglsa.h index b9da92b61..4349de8cd 100644 --- a/winsup/cygwin/cyglsa.h +++ b/winsup/cygwin/cyglsa.h @@ -23,6 +23,8 @@ extern "C" { /* Datastructures not defined in w32api. */ typedef PVOID *PLSA_CLIENT_REQUEST; +typedef UNICODE_STRING SECURITY_STRING, *PSECURITY_STRING; + typedef struct _SECPKG_CLIENT_INFO { LUID LogonId; @@ -33,6 +35,23 @@ typedef struct _SECPKG_CLIENT_INFO BOOLEAN Restricted; } SECPKG_CLIENT_INFO, *PSECPKG_CLIENT_INFO; +typedef enum _SECPKG_NAME_TYPE +{ + SecNameSamCompatible, + SecNameAlternateId, + SecNameFlat, + SecNameDN, + SecNameSPN +} SECPKG_NAME_TYPE, *PSECPKG_NAME_TYPE; + +typedef struct _SECPKG_CALL_INFO +{ + ULONG ProcessId; + ULONG ThreadId; + ULONG Attributes; + ULONG CallCount; +} SECPKG_CALL_INFO, *PSECPKG_CALL_INFO; + /* The table returned by LsaApInitializePackage is actually a LSA_SECPKG_FUNCTION_TABLE even though that's not documented. We need only a subset of this table, basically the LSA_DISPATCH_TABLE 
@@ -41,7 +60,7 @@ typedef struct _LSA_SECPKG_FUNCS { NTSTATUS (NTAPI *CreateLogonSession)(PLUID); NTSTATUS (NTAPI *DeleteLogonSession)(PLUID); - NTSTATUS (NTAPI *AddCredentials)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *AddCredentials)(PLUID, ULONG, PLSA_STRING, PLSA_STRING); NTSTATUS (NTAPI *GetCredentials)(PVOID); /* wrong prototype, unused */ NTSTATUS (NTAPI *DeleteCredentials)(PVOID); /* wrong prototype, unused */ PVOID (NTAPI *AllocateLsaHeap)(ULONG); 
@@ -54,10 +73,41 @@ typedef struct _LSA_SECPKG_FUNCS PVOID, PVOID); NTSTATUS (NTAPI *ImpersonateClient)(VOID); NTSTATUS (NTAPI *UnloadPackage)(VOID); - NTSTATUS (NTAPI *DuplicateHandle)(HANDLE,PHANDLE); + NTSTATUS (NTAPI *DuplicateHandle)(HANDLE, PHANDLE); NTSTATUS (NTAPI *SaveSupplementalCredentials)(VOID); NTSTATUS (NTAPI *CreateThread)(PVOID); /* wrong prototype, unused */ NTSTATUS (NTAPI *GetClientInfo)(PSECPKG_CLIENT_INFO); + NTSTATUS (NTAPI *RegisterNotification)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *CancelNotification)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *MapBuffer)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *CreateToken)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *AuditLogon)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *CallPackage)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *FreeReturnBuffer)(PVOID); /* wrong prototype, unused */ + BOOLEAN (NTAPI *GetCallInfo)(PSECPKG_CALL_INFO); + NTSTATUS (NTAPI *CallPackageEx)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *CreateSharedMemory)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *AllocateSharedMemory)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *FreeSharedMemory)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *DeleteSharedMemory)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *OpenSamUser)(PSECURITY_STRING, SECPKG_NAME_TYPE, + PSECURITY_STRING, BOOLEAN, ULONG, PVOID *); + NTSTATUS (NTAPI *GetUserCredentials)(PVOID, PVOID, PULONG, PVOID *, PULONG); + NTSTATUS (NTAPI *GetUserAuthData)(PVOID, PUCHAR *, PULONG); + NTSTATUS (NTAPI *CloseSamUser)(PVOID); + NTSTATUS (NTAPI *ConvertAuthDataToToken)(PVOID, ULONG, + SECURITY_IMPERSONATION_LEVEL, + PTOKEN_SOURCE, SECURITY_LOGON_TYPE, + PUNICODE_STRING, PHANDLE, PLUID, + PUNICODE_STRING, PNTSTATUS); + NTSTATUS (NTAPI *ClientCallback)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *UpdateCredentials)(PVOID); /* wrong prototype, 
unused */ + NTSTATUS (NTAPI *GetAuthDataForUser)(PSECURITY_STRING, SECPKG_NAME_TYPE, + PSECURITY_STRING, PUCHAR *, PULONG, + PUNICODE_STRING); + NTSTATUS (NTAPI *CrackSingleName)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *AuditAccountLogon)(PVOID); /* wrong prototype, unused */ + NTSTATUS (NTAPI *CallPackagePassthrough)(PVOID); /* wrong prototype, unused */ } LSA_SECPKG_FUNCS, *PLSA_SECPKG_FUNCS; typedef enum _LSA_TOKEN_INFORMATION_TYPE @@ -142,6 +192,16 @@ typedef struct BYTE data[1]; } cyglsa_t; +typedef struct +{ + DWORD magic_pre; + HANDLE token; + DWORD magic_post; +} cygprf_t; + +#define MAGIC_PRE 0x12345678UL +#define MAGIC_POST 0x87654321UL + #ifdef __cplusplus } #endif diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc index db76fcd79..99fe7076c 100644 --- a/winsup/cygwin/sec_auth.cc +++ b/winsup/cygwin/sec_auth.cc @@ -1016,10 +1016,13 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw) authinf_size += gsize; /* Groups + Group SIDs */ /* When trying to define the admins group as primary group on Vista, LsaLogonUser fails with error STATUS_INVALID_OWNER. As workaround - we define "Local" as primary group here. First, this adds the otherwise - missing "Local" group to the group list and second, seteuid32 - sets the primary group to the group set in /etc/passwd anyway. */ - pgrpsid = well_known_local_sid; + we define "Local" as primary group here. Seteuid32 sets the primary + group to the group set in /etc/passwd anyway. */ + if (new_groups.pgsid == well_known_admins_sid) + pgrpsid = well_known_local_sid; + else + pgrpsid = new_groups.pgsid; + authinf_size += GetLengthSid (pgrpsid); /* Primary Group SID */ authinf_size += psize; /* Privileges */ 
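Review bot: The placeholder slots marked `/* wrong prototype, unused */` in `struct _LSA_SECPKG_FUNCS` (RegisterNotification through CallPackagePassthrough) are still callable function pointers, so a later call through one of them would compile and then invoke an LSA routine with a mismatched NTAPI argument list. Declaring each unused slot as plain data, e.g. `PVOID RegisterNotification; /* slot only, never called */`, keeps the table the same size while turning such a call into a compile error. Every newly typed member (GetCallInfo, OpenSamUser, GetAuthDataForUser and the others) is reached purely by its position in the table, so a short comment naming the header or document the slot order was taken from would let the next reader re-check it. The struct starts above this hunk, and the earlier placeholders (GetCredentials, DeleteCredentials, CreateThread) would need the same treatment.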
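Review bot: `cygprf_t` and its two magic values are added without any comment saying who fills the structure or what the markers are for. Judging by the sec_auth.cc change in this commit, it appears to be overlaid on the profile buffer returned by the logon call, with `MAGIC_PRE`/`MAGIC_POST` acting as layout markers only. Fixed, publicly known constants say nothing about who wrote the buffer, which is worth stating at the definition, for example `/* Layout markers only; they do not authenticate the buffer contents. */`. It would also help to note in which process `token` is expected to be a valid handle. The names `MAGIC_PRE` and `MAGIC_POST` are very generic for a header, and a `CYGPRF_` prefix would avoid clashes.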
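Review bot: In the new `else` branch, `pgrpsid = new_groups.pgsid;` is taken without checking that the caller actually set a primary group, and the next line passes it to `GetLengthSid (pgrpsid)`. Before this change `pgrpsid` was always a well-known SID, so this is a new precondition on `new_groups`. If `pgsid` can be empty at this point (not visible in this hunk), falling back to `well_known_local_sid` in that case as well would keep the size computation safe. The removed comment also said that using "Local" added the otherwise missing "Local" group to the group list, which now happens only in the admins case, so a line such as `/* Only the admins group needs the workaround; other primary groups are passed through unchanged. */` would make that explicit. `lsaauth` begins and ends outside the hunk.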
@@ -1104,7 +1107,20 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw) goto out; } if (profile) - LsaFreeReturnBuffer (profile); + { +#ifdef JUST_ANOTHER_NONWORKING_SOLUTION + /* See ../lsaauth/cyglsa.c. */ + cygprf_t *prf = (cygprf_t *) profile; + if (prf->magic_pre == MAGIC_PRE && prf->magic_post == MAGIC_POST + && prf->token) + { + CloseHandle (user_token); + user_token = prf->token; + system_printf ("Got token through profile: %p", user_token); + } +#endif /* JUST_ANOTHER_NONWORKING_SOLUTION */ + LsaFreeReturnBuffer (profile); + } if (wincap.has_mandatory_integrity_control ()) {
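Review bot: The disabled block casts `profile` to `cygprf_t *` and reads `magic_pre`, `token` and `magic_post` without first checking that the returned profile buffer is at least `sizeof (cygprf_t)` bytes. If the logon call outside this hunk also returns the buffer length, that length should be the first term of the condition, e.g. `if (profile_len >= sizeof (cygprf_t) && prf->magic_pre == MAGIC_PRE ...`, with `profile_len` standing in for whatever variable holds it. The existing `user_token` is also closed before the replacement handle has been checked in any way, and the two fixed magic values only show that the layout matches. Verifying that `prf->token` really is a token handle in this process (for instance with a `GetTokenInformation` query) before `CloseHandle (user_token)` would avoid ending up with neither handle usable. The unconditional `system_printf` looks like debugging output and would be better as `debug_printf` if this code is ever enabled; `lsaauth` starts and ends outside the hunk.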