search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gdi32: Always consume the subst structure.
[wine/wine-kai.git] / server / token.c
blobc350fc9c989adcd066e1e87dde0dcdfb3fa38c60
1 /*
2 * Tokens
3 *
4 * Copyright (C) 1998 Alexandre Julliard
5 * Copyright (C) 2003 Mike McCormack
6 * Copyright (C) 2005 Robert Shearman
7 *
8 * This library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public
10 * License as published by the Free Software Foundation; either
11 * version 2.1 of the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 */
22
23 #include "config.h"
24
25 #include <assert.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <stdarg.h>
29
30 #include "ntstatus.h"
31 #define WIN32_NO_STATUS
32 #include "windef.h"
33 #include "winternl.h"
34
35 #include "handle.h"
36 #include "thread.h"
37 #include "process.h"
38 #include "request.h"
39 #include "security.h"
40
41 #include "wine/unicode.h"
42
43 #define MAX_SUBAUTH_COUNT 1
44
45 const LUID SeIncreaseQuotaPrivilege = { 5, 0 };
46 const LUID SeSecurityPrivilege = { 8, 0 };
47 const LUID SeTakeOwnershipPrivilege = { 9, 0 };
48 const LUID SeLoadDriverPrivilege = { 10, 0 };
49 const LUID SeSystemProfilePrivilege = { 11, 0 };
50 const LUID SeSystemtimePrivilege = { 12, 0 };
51 const LUID SeProfileSingleProcessPrivilege = { 13, 0 };
52 const LUID SeIncreaseBasePriorityPrivilege = { 14, 0 };
53 const LUID SeCreatePagefilePrivilege = { 15, 0 };
54 const LUID SeBackupPrivilege = { 17, 0 };
55 const LUID SeRestorePrivilege = { 18, 0 };
56 const LUID SeShutdownPrivilege = { 19, 0 };
57 const LUID SeDebugPrivilege = { 20, 0 };
58 const LUID SeSystemEnvironmentPrivilege = { 22, 0 };
59 const LUID SeChangeNotifyPrivilege = { 23, 0 };
60 const LUID SeRemoteShutdownPrivilege = { 24, 0 };
61 const LUID SeUndockPrivilege = { 25, 0 };
62 const LUID SeManageVolumePrivilege = { 28, 0 };
63 const LUID SeImpersonatePrivilege = { 29, 0 };
64 const LUID SeCreateGlobalPrivilege = { 30, 0 };
65
66 static const SID world_sid = { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY }, { SECURITY_WORLD_RID } };
67 static const SID local_sid = { SID_REVISION, 1, { SECURITY_LOCAL_SID_AUTHORITY }, { SECURITY_LOCAL_RID } };
68 static const SID interactive_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_INTERACTIVE_RID } };
69 static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
70 static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
71 static const PSID security_world_sid = (PSID)&world_sid;
72 static const PSID security_local_sid = (PSID)&local_sid;
73 const PSID security_interactive_sid = (PSID)&interactive_sid;
74 static const PSID security_authenticated_user_sid = (PSID)&authenticated_user_sid;
75 static const PSID security_local_system_sid = (PSID)&local_system_sid;
76
77 struct token
78 {
79 struct object obj; /* object header */
80 struct list privileges; /* privileges available to the token */
81 struct list groups; /* groups that the user of this token belongs to (sid_and_attributes) */
82 SID *user; /* SID of user this token represents */
83 unsigned primary; /* is this a primary or impersonation token? */
84 ACL *default_dacl; /* the default DACL to assign to objects created by this user */
85 TOKEN_SOURCE source; /* source of the token */
86 };
87
88 struct privilege
89 {
90 struct list entry;
91 LUID luid;
92 unsigned enabled : 1; /* is the privilege currently enabled? */
93 unsigned def : 1; /* is the privilege enabled by default? */
94 };
95
96 struct sid_and_attributes
97 {
98 struct list entry;
99 unsigned enabled : 1; /* is the sid currently enabled? */
100 unsigned def : 1; /* is the sid enabled by default? */
101 unsigned logon : 1; /* is this a logon sid? */
102 unsigned mandatory: 1; /* is this sid always enabled? */
103 unsigned owner : 1; /* can this sid be an owner of an object? */
104 unsigned resource : 1; /* is this a domain-local group? */
105 unsigned deny_only: 1; /* is this a sid that should be use for denying only? */
106 SID sid;
107 };
108
109 static void token_dump( struct object *obj, int verbose );
110 static unsigned int token_map_access( struct object *obj, unsigned int access );
111 static void token_destroy( struct object *obj );
112
113 static const struct object_ops token_ops =
114 {
115 sizeof(struct token), /* size */
116 token_dump, /* dump */
117 no_add_queue, /* add_queue */
118 NULL, /* remove_queue */
119 NULL, /* signaled */
120 NULL, /* satisfied */
121 no_signal, /* signal */
122 no_get_fd, /* get_fd */
123 token_map_access, /* map_access */
124 no_lookup_name, /* lookup_name */
125 no_close_handle, /* close_handle */
126 token_destroy /* destroy */
127 };
128
129
130 static void token_dump( struct object *obj, int verbose )
131 {
132 fprintf( stderr, "Security token\n" );
133 /* FIXME: dump token members */
134 }
135
136 static unsigned int token_map_access( struct object *obj, unsigned int access )
137 {
138 if (access & GENERIC_READ) access |= TOKEN_READ;
139 if (access & GENERIC_WRITE) access |= TOKEN_WRITE;
140 if (access & GENERIC_EXECUTE) access |= STANDARD_RIGHTS_EXECUTE;
141 if (access & GENERIC_ALL) access |= TOKEN_ALL_ACCESS;
142 return access & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
143 }
144
145 static SID *security_sid_alloc( const SID_IDENTIFIER_AUTHORITY *idauthority, int subauthcount, const unsigned int subauth[] )
146 {
147 int i;
148 SID *sid = mem_alloc( FIELD_OFFSET(SID, SubAuthority[subauthcount]) );
149 if (!sid) return NULL;
150 sid->Revision = SID_REVISION;
151 sid->SubAuthorityCount = subauthcount;
152 sid->IdentifierAuthority = *idauthority;
153 for (i = 0; i < subauthcount; i++)
154 sid->SubAuthority[i] = subauth[i];
155 return sid;
156 }
157
158 static inline int security_equal_sid( const SID *sid1, const SID *sid2 )
159 {
160 return ((sid1->SubAuthorityCount == sid2->SubAuthorityCount) &&
161 !memcmp( sid1, sid2, FIELD_OFFSET(SID, SubAuthority[sid1->SubAuthorityCount]) ));
162 }
163
164 void security_set_thread_token( struct thread *thread, obj_handle_t handle )
165 {
166 if (!handle)
167 {
168 if (thread->token)
169 release_object( thread->token );
170 thread->token = NULL;
171 }
172 else
173 {
174 struct token *token = (struct token *)get_handle_obj( current->process,
175 handle,
176 TOKEN_IMPERSONATE,
177 &token_ops );
178 if (token)
179 {
180 if (thread->token)
181 release_object( thread->token );
182 thread->token = token;
183 }
184 }
185 }
186
187 static const ACE_HEADER *ace_next( const ACE_HEADER *ace )
188 {
189 return (const ACE_HEADER *)((const char *)ace + ace->AceSize);
190 }
191
192 static int acl_is_valid( const ACL *acl, size_t size )
193 {
194 ULONG i;
195 const ACE_HEADER *ace;
196
197 if (size < sizeof(ACL))
198 return FALSE;
199
200 size = min(size, MAX_ACL_LEN);
201
202 size -= sizeof(ACL);
203
204 ace = (const ACE_HEADER *)(acl + 1);
205 for (i = 0; i < acl->AceCount; i++)
206 {
207 const SID *sid;
208 size_t sid_size;
209
210 if (size < sizeof(ACE_HEADER))
211 return FALSE;
212 if (size < ace->AceSize)
213 return FALSE;
214 size -= ace->AceSize;
215 switch (ace->AceType)
216 {
217 case ACCESS_DENIED_ACE_TYPE:
218 sid = (const SID *)&((const ACCESS_DENIED_ACE *)ace)->SidStart;
219 sid_size = ace->AceSize - FIELD_OFFSET(ACCESS_DENIED_ACE, SidStart);
220 break;
221 case ACCESS_ALLOWED_ACE_TYPE:
222 sid = (const SID *)&((const ACCESS_ALLOWED_ACE *)ace)->SidStart;
223 sid_size = ace->AceSize - FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart);
224 break;
225 case SYSTEM_AUDIT_ACE_TYPE:
226 sid = (const SID *)&((const SYSTEM_AUDIT_ACE *)ace)->SidStart;
227 sid_size = ace->AceSize - FIELD_OFFSET(SYSTEM_AUDIT_ACE, SidStart);
228 break;
229 case SYSTEM_ALARM_ACE_TYPE:
230 sid = (const SID *)&((const SYSTEM_ALARM_ACE *)ace)->SidStart;
231 sid_size = ace->AceSize - FIELD_OFFSET(SYSTEM_ALARM_ACE, SidStart);
232 break;
233 default:
234 return FALSE;
235 }
236 if (sid_size < FIELD_OFFSET(SID, SubAuthority[0]) ||
237 sid_size < FIELD_OFFSET(SID, SubAuthority[sid->SubAuthorityCount]))
238 return FALSE;
239 ace = ace_next( ace );
240 }
241 return TRUE;
242 }
243
244 /* gets the discretionary access control list from a security descriptor */
245 static inline const ACL *sd_get_dacl( const struct security_descriptor *sd, int *present )
246 {
247 *present = (sd->control & SE_DACL_PRESENT ? TRUE : FALSE);
248
249 if (sd->dacl_len)
250 return (const ACL *)((const char *)(sd + 1) +
251 sd->owner_len + sd->group_len + sd->sacl_len);
252 else
253 return NULL;
254 }
255
256 /* gets the system access control list from a security descriptor */
257 static inline const ACL *sd_get_sacl( const struct security_descriptor *sd, int *present )
258 {
259 *present = (sd->control & SE_SACL_PRESENT ? TRUE : FALSE);
260
261 if (sd->sacl_len)
262 return (const ACL *)((const char *)(sd + 1) +
263 sd->owner_len + sd->group_len);
264 else
265 return NULL;
266 }
267
268 /* gets the owner from a security descriptor */
269 static inline const SID *sd_get_owner( const struct security_descriptor *sd )
270 {
271 if (sd->owner_len)
272 return (const SID *)(sd + 1);
273 else
274 return NULL;
275 }
276
277 /* gets the primary group from a security descriptor */
278 static inline const SID *sd_get_group( const struct security_descriptor *sd )
279 {
280 if (sd->group_len)
281 return (const SID *)((const char *)(sd + 1) + sd->owner_len);
282 else
283 return NULL;
284 }
285
286 /* checks whether all members of a security descriptor fit inside the size
287 * of memory specified */
288 static int sd_is_valid( const struct security_descriptor *sd, size_t size )
289 {
290 size_t offset = sizeof(struct security_descriptor);
291 const SID *group;
292 const SID *owner;
293 const ACL *sacl;
294 const ACL *dacl;
295 int dummy;
296
297 if (size < offset)
298 return FALSE;
299
300 if ((sd->owner_len >= FIELD_OFFSET(SID, SubAuthority[255])) ||
301 (offset + sd->owner_len > size))
302 return FALSE;
303 owner = sd_get_owner( sd );
304 if (owner)
305 {
306 size_t needed_size = FIELD_OFFSET(SID, SubAuthority[owner->SubAuthorityCount]);
307 if ((sd->owner_len < sizeof(SID)) || (needed_size > sd->owner_len))
308 return FALSE;
309 }
310 offset += sd->owner_len;
311
312 if ((sd->group_len >= FIELD_OFFSET(SID, SubAuthority[255])) ||
313 (offset + sd->group_len > size))
314 return FALSE;
315 group = sd_get_group( sd );
316 if (group)
317 {
318 size_t needed_size = FIELD_OFFSET(SID, SubAuthority[group->SubAuthorityCount]);
319 if ((sd->owner_len < sizeof(SID)) || (needed_size > sd->owner_len))
320 return FALSE;
321 }
322 offset += sd->group_len;
323
324 if ((sd->sacl_len >= MAX_ACL_LEN) || (offset + sd->sacl_len > size))
325 return FALSE;
326 sacl = sd_get_sacl( sd, &dummy );
327 if (sacl && !acl_is_valid( sacl, sd->sacl_len ))
328 return FALSE;
329 offset += sd->sacl_len;
330
331 if ((sd->dacl_len >= MAX_ACL_LEN) || (offset + sd->dacl_len > size))
332 return FALSE;
333 dacl = sd_get_dacl( sd, &dummy );
334 if (dacl && !acl_is_valid( dacl, sd->dacl_len ))
335 return FALSE;
336 offset += sd->dacl_len;
337
338 return TRUE;
339 }
340
341 /* maps from generic rights to specific rights as given by a mapping */
342 static inline void map_generic_mask(unsigned int *mask, const GENERIC_MAPPING *mapping)
343 {
344 if (*mask & GENERIC_READ) *mask |= mapping->GenericRead;
345 if (*mask & GENERIC_WRITE) *mask |= mapping->GenericWrite;
346 if (*mask & GENERIC_EXECUTE) *mask |= mapping->GenericExecute;
347 if (*mask & GENERIC_ALL) *mask |= mapping->GenericAll;
348 *mask &= 0x0FFFFFFF;
349 }
350
351 static inline int is_equal_luid( const LUID *luid1, const LUID *luid2 )
352 {
353 return (luid1->LowPart == luid2->LowPart && luid1->HighPart == luid2->HighPart);
354 }
355
356 static inline void luid_and_attr_from_privilege( LUID_AND_ATTRIBUTES *out, const struct privilege *in)
357 {
358 out->Luid = in->luid;
359 out->Attributes =
360 (in->enabled ? SE_PRIVILEGE_ENABLED : 0) |
361 (in->def ? SE_PRIVILEGE_ENABLED_BY_DEFAULT : 0);
362 }
363
364 static struct privilege *privilege_add( struct token *token, const LUID *luid, int enabled )
365 {
366 struct privilege *privilege = mem_alloc( sizeof(*privilege) );
367 if (privilege)
368 {
369 privilege->luid = *luid;
370 privilege->def = privilege->enabled = (enabled != 0);
371 list_add_tail( &token->privileges, &privilege->entry );
372 }
373 return privilege;
374 }
375
376 static inline void privilege_remove( struct privilege *privilege )
377 {
378 list_remove( &privilege->entry );
379 free( privilege );
380 }
381
382 static void token_destroy( struct object *obj )
383 {
384 struct token* token;
385 struct list *cursor, *cursor_next;
386
387 assert( obj->ops == &token_ops );
388 token = (struct token *)obj;
389
390 free( token->user );
391
392 LIST_FOR_EACH_SAFE( cursor, cursor_next, &token->privileges )
393 {
394 struct privilege *privilege = LIST_ENTRY( cursor, struct privilege, entry );
395 privilege_remove( privilege );
396 }
397
398 LIST_FOR_EACH_SAFE( cursor, cursor_next, &token->groups )
399 {
400 struct sid_and_attributes *group = LIST_ENTRY( cursor, struct sid_and_attributes, entry );
401 list_remove( &group->entry );
402 free( group );
403 }
404
405 free( token->default_dacl );
406 }
407
408 /* creates a new token.
409 * groups may be NULL if group_count is 0.
410 * privs may be NULL if priv_count is 0.
411 * default_dacl may be NULL, indicating that all objects created by the user
412 * are unsecured.
413 */
414 static struct token *create_token( unsigned primary, const SID *user,
415 const SID_AND_ATTRIBUTES *groups, unsigned int group_count,
416 const LUID_AND_ATTRIBUTES *privs, unsigned int priv_count,
417 const ACL *default_dacl, TOKEN_SOURCE source )
418 {
419 struct token *token = alloc_object( &token_ops );
420 if (token)
421 {
422 int i;
423
424 list_init( &token->privileges );
425 list_init( &token->groups );
426 token->primary = primary;
427
428 /* copy user */
429 token->user = memdup( user, FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]) );
430 if (!token->user)
431 {
432 release_object( token );
433 return NULL;
434 }
435
436 /* copy groups */
437 for (i = 0; i < group_count; i++)
438 {
439 size_t size = FIELD_OFFSET( struct sid_and_attributes, sid.SubAuthority[((const SID *)groups[i].Sid)->SubAuthorityCount] );
440 struct sid_and_attributes *group = mem_alloc( size );
441 memcpy( &group->sid, groups[i].Sid, FIELD_OFFSET( SID, SubAuthority[((const SID *)groups[i].Sid)->SubAuthorityCount] ) );
442 group->enabled = TRUE;
443 group->def = TRUE;
444 group->logon = FALSE;
445 group->mandatory = (groups[i].Attributes & SE_GROUP_MANDATORY) ? TRUE : FALSE;
446 group->owner = FALSE;
447 group->resource = FALSE;
448 group->deny_only = FALSE;
449 list_add_tail( &token->groups, &group->entry );
450 }
451
452 /* copy privileges */
453 for (i = 0; i < priv_count; i++)
454 {
455 /* note: we don't check uniqueness: the caller must make sure
456 * privs doesn't contain any duplicate luids */
457 if (!privilege_add( token, &privs[i].Luid,
458 privs[i].Attributes & SE_PRIVILEGE_ENABLED ))
459 {
460 release_object( token );
461 return NULL;
462 }
463 }
464
465 if (default_dacl)
466 {
467 token->default_dacl = memdup( default_dacl, default_dacl->AclSize );
468 if (!token->default_dacl)
469 {
470 release_object( token );
471 return NULL;
472 }
473 }
474 else
475 token->default_dacl = NULL;
476
477 token->source = source;
478 }
479 return token;
480 }
481
482 static ACL *create_default_dacl( const SID *user )
483 {
484 ACCESS_ALLOWED_ACE *aaa;
485 ACL *default_dacl;
486 SID *sid;
487 size_t default_dacl_size = sizeof(ACL) +
488 2*(sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) +
489 sizeof(local_system_sid) +
490 FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]);
491
492 default_dacl = mem_alloc( default_dacl_size );
493 if (!default_dacl) return NULL;
494
495 default_dacl->AclRevision = MAX_ACL_REVISION;
496 default_dacl->Sbz1 = 0;
497 default_dacl->AclSize = default_dacl_size;
498 default_dacl->AceCount = 2;
499 default_dacl->Sbz2 = 0;
500
501 /* GENERIC_ALL for Local System */
502 aaa = (ACCESS_ALLOWED_ACE *)(default_dacl + 1);
503 aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
504 aaa->Header.AceFlags = 0;
505 aaa->Header.AceSize = (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) +
506 sizeof(local_system_sid);
507 aaa->Mask = GENERIC_ALL;
508 sid = (SID *)&aaa->SidStart;
509 memcpy( sid, &local_system_sid, sizeof(local_system_sid) );
510
511 /* GENERIC_ALL for specified user */
512 aaa = (ACCESS_ALLOWED_ACE *)((const char *)aaa + aaa->Header.AceSize);
513 aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
514 aaa->Header.AceFlags = 0;
515 aaa->Header.AceSize = (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) +
516 FIELD_OFFSET( SID, SubAuthority[user->SubAuthorityCount] );
517 aaa->Mask = GENERIC_ALL;
518 sid = (SID *)&aaa->SidStart;
519 memcpy( sid, user, FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]) );
520
521 return default_dacl;
522 }
523
524 struct sid_data
525 {
526 SID_IDENTIFIER_AUTHORITY idauth;
527 int count;
528 unsigned int subauth[MAX_SUBAUTH_COUNT];
529 };
530
531 struct token *token_create_admin( void )
532 {
533 struct token *token = NULL;
534 static const SID_IDENTIFIER_AUTHORITY nt_authority = { SECURITY_NT_AUTHORITY };
535 static const unsigned int alias_admins_subauth[] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS };
536 static const unsigned int alias_users_subauth[] = { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS };
537 PSID alias_admins_sid;
538 PSID alias_users_sid;
539 ACL *default_dacl = create_default_dacl( &local_system_sid );
540
541 alias_admins_sid = security_sid_alloc( &nt_authority, sizeof(alias_admins_subauth)/sizeof(alias_admins_subauth[0]),
542 alias_admins_subauth );
543 alias_users_sid = security_sid_alloc( &nt_authority, sizeof(alias_users_subauth)/sizeof(alias_users_subauth[0]),
544 alias_users_subauth );
545
546 if (alias_admins_sid && alias_users_sid && default_dacl)
547 {
548 const LUID_AND_ATTRIBUTES admin_privs[] =
549 {
550 { SeChangeNotifyPrivilege , SE_PRIVILEGE_ENABLED },
551 { SeSecurityPrivilege , 0 },
552 { SeBackupPrivilege , 0 },
553 { SeRestorePrivilege , 0 },
554 { SeSystemtimePrivilege , 0 },
555 { SeShutdownPrivilege , 0 },
556 { SeRemoteShutdownPrivilege , 0 },
557 { SeTakeOwnershipPrivilege , 0 },
558 { SeDebugPrivilege , 0 },
559 { SeSystemEnvironmentPrivilege , 0 },
560 { SeSystemProfilePrivilege , 0 },
561 { SeProfileSingleProcessPrivilege, 0 },
562 { SeIncreaseBasePriorityPrivilege, 0 },
563 { SeLoadDriverPrivilege , 0 },
564 { SeCreatePagefilePrivilege , 0 },
565 { SeIncreaseQuotaPrivilege , 0 },
566 { SeUndockPrivilege , 0 },
567 { SeManageVolumePrivilege , 0 },
568 { SeImpersonatePrivilege , SE_PRIVILEGE_ENABLED },
569 { SeCreateGlobalPrivilege , SE_PRIVILEGE_ENABLED },
570 };
571 /* note: we don't include non-builtin groups here for the user -
572 * telling us these is the job of a client-side program */
573 const SID_AND_ATTRIBUTES admin_groups[] =
574 {
575 { security_world_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
576 { security_local_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
577 { security_interactive_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
578 { security_authenticated_user_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
579 { alias_admins_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
580 { alias_users_sid, SE_GROUP_ENABLED|SE_GROUP_ENABLED_BY_DEFAULT|SE_GROUP_MANDATORY },
581 };
582 static const TOKEN_SOURCE admin_source = {"SeMgr", {0, 0}};
583 /* note: we just set the user sid to be the interactive builtin sid -
584 * we should really translate the UNIX user id to a sid */
585 token = create_token( TRUE, &interactive_sid,
586 admin_groups, sizeof(admin_groups)/sizeof(admin_groups[0]),
587 admin_privs, sizeof(admin_privs)/sizeof(admin_privs[0]),
588 default_dacl, admin_source );
589 }
590
591 if (alias_admins_sid)
592 free( alias_admins_sid );
593 if (alias_users_sid)
594 free( alias_users_sid );
595 if (default_dacl)
596 free( default_dacl );
597
598 return token;
599 }
600
601 static struct privilege *token_find_privilege( struct token *token, const LUID *luid, int enabled_only )
602 {
603 struct privilege *privilege;
604 LIST_FOR_EACH_ENTRY( privilege, &token->privileges, struct privilege, entry )
605 {
606 if (is_equal_luid( luid, &privilege->luid ))
607 {
608 if (enabled_only && !privilege->enabled)
609 return NULL;
610 return privilege;
611 }
612 }
613 return NULL;
614 }
615
616 static unsigned int token_adjust_privileges( struct token *token, const LUID_AND_ATTRIBUTES *privs,
617 unsigned int count, LUID_AND_ATTRIBUTES *mod_privs,
618 unsigned int mod_privs_count )
619 {
620 int i;
621 unsigned int modified_count = 0;
622
623 for (i = 0; i < count; i++)
624 {
625 struct privilege *privilege =
626 token_find_privilege( token, &privs[i].Luid, FALSE );
627 if (!privilege)
628 {
629 set_error( STATUS_NOT_ALL_ASSIGNED );
630 continue;
631 }
632
633 if (privs[i].Attributes & SE_PRIVILEGE_REMOVE)
634 privilege_remove( privilege );
635 else
636 {
637 /* save previous state for caller */
638 if (mod_privs_count)
639 {
640 luid_and_attr_from_privilege(mod_privs, privilege);
641 mod_privs++;
642 mod_privs_count--;
643 modified_count++;
644 }
645
646 if (privs[i].Attributes & SE_PRIVILEGE_ENABLED)
647 privilege->enabled = TRUE;
648 else
649 privilege->enabled = FALSE;
650 }
651 }
652 return modified_count;
653 }
654
655 static void token_disable_privileges( struct token *token )
656 {
657 struct privilege *privilege;
658 LIST_FOR_EACH_ENTRY( privilege, &token->privileges, struct privilege, entry )
659 privilege->enabled = FALSE;
660 }
661
662 int token_check_privileges( struct token *token, int all_required,
663 const LUID_AND_ATTRIBUTES *reqprivs,
664 unsigned int count, LUID_AND_ATTRIBUTES *usedprivs)
665 {
666 int i;
667 unsigned int enabled_count = 0;
668
669 for (i = 0; i < count; i++)
670 {
671 struct privilege *privilege =
672 token_find_privilege( token, &reqprivs[i].Luid, TRUE );
673
674 if (usedprivs)
675 usedprivs[i] = reqprivs[i];
676
677 if (privilege && privilege->enabled)
678 {
679 enabled_count++;
680 if (usedprivs)
681 usedprivs[i].Attributes |= SE_PRIVILEGE_USED_FOR_ACCESS;
682 }
683 }
684
685 if (all_required)
686 return (enabled_count == count);
687 else
688 return (enabled_count > 0);
689 }
690
691 static int token_sid_present( struct token *token, const SID *sid, int deny )
692 {
693 struct sid_and_attributes *group;
694
695 if (security_equal_sid( token->user, sid )) return TRUE;
696
697 LIST_FOR_EACH_ENTRY( group, &token->groups, struct sid_and_attributes, entry )
698 {
699 if (!group->enabled) continue;
700 if (group->deny_only && !deny) continue;
701
702 if (security_equal_sid( &group->sid, sid )) return TRUE;
703 }
704
705 return FALSE;
706 }
707
708 /* checks access to a security descriptor. sd must have been validated by caller.
709 * it returns STATUS_SUCCESS if access was granted to the object, or an error
710 * status code if not, giving the reason. errors not relating to giving access
711 * to the object are returned in the status parameter. granted_access and
712 * status always have a valid value stored in them on return. */
713 static unsigned int token_access_check( struct token *token,
714 const struct security_descriptor *sd,
715 unsigned int desired_access,
716 LUID_AND_ATTRIBUTES *privs,
717 unsigned int *priv_count,
718 const GENERIC_MAPPING *mapping,
719 unsigned int *granted_access,
720 unsigned int *status )
721 {
722 unsigned int current_access = 0;
723 unsigned int denied_access = 0;
724 ULONG i;
725 const ACL *dacl;
726 int dacl_present;
727 const ACE_HEADER *ace;
728 const SID *owner;
729
730 /* assume success, but no access rights */
731 *status = STATUS_SUCCESS;
732 *granted_access = 0;
733
734 /* fail if desired_access contains generic rights */
735 if (desired_access & (GENERIC_READ|GENERIC_WRITE|GENERIC_EXECUTE|GENERIC_ALL))
736 {
737 *priv_count = 0;
738 *status = STATUS_GENERIC_NOT_MAPPED;
739 return STATUS_ACCESS_DENIED;
740 }
741
742 dacl = sd_get_dacl( sd, &dacl_present );
743 owner = sd_get_owner( sd );
744 if (!owner || !sd_get_group( sd ))
745 {
746 *priv_count = 0;
747 *status = STATUS_INVALID_SECURITY_DESCR;
748 return STATUS_ACCESS_DENIED;
749 }
750
751 /* 1: Grant desired access if the object is unprotected */
752 if (!dacl_present)
753 {
754 *priv_count = 0;
755 *granted_access = desired_access;
756 return STATUS_SUCCESS;
757 }
758 if (!dacl)
759 {
760 *priv_count = 0;
761 return STATUS_ACCESS_DENIED;
762 }
763
764 /* 2: Check if caller wants access to system security part. Note: access
765 * is only granted if specifically asked for */
766 if (desired_access & ACCESS_SYSTEM_SECURITY)
767 {
768 const LUID_AND_ATTRIBUTES security_priv = { SeSecurityPrivilege, 0 };
769 LUID_AND_ATTRIBUTES retpriv = security_priv;
770 if (token_check_privileges( token, TRUE, &security_priv, 1, &retpriv ))
771 {
772 if (priv_count)
773 {
774 /* assumes that there will only be one privilege to return */
775 if (*priv_count >= 1)
776 {
777 *priv_count = 1;
778 *privs = retpriv;
779 }
780 else
781 {
782 *priv_count = 1;
783 return STATUS_BUFFER_TOO_SMALL;
784 }
785 }
786 current_access |= ACCESS_SYSTEM_SECURITY;
787 if (desired_access == current_access)
788 {
789 *granted_access = current_access;
790 return STATUS_SUCCESS;
791 }
792 }
793 else
794 {
795 *priv_count = 0;
796 return STATUS_PRIVILEGE_NOT_HELD;
797 }
798 }
799 else if (priv_count) *priv_count = 0;
800
801 /* 3: Check whether the token is the owner */
802 /* NOTE: SeTakeOwnershipPrivilege is not checked for here - it is instead
803 * checked when a "set owner" call is made, overriding the access rights
804 * determined here. */
805 if (token_sid_present( token, owner, FALSE ))
806 {
807 current_access |= (READ_CONTROL | WRITE_DAC);
808 if (desired_access == current_access)
809 {
810 *granted_access = current_access;
811 return STATUS_SUCCESS;
812 }
813 }
814
815 /* 4: Grant rights according to the DACL */
816 ace = (const ACE_HEADER *)(dacl + 1);
817 for (i = 0; i < dacl->AceCount; i++)
818 {
819 const ACCESS_ALLOWED_ACE *aa_ace;
820 const ACCESS_DENIED_ACE *ad_ace;
821 const SID *sid;
822 switch (ace->AceType)
823 {
824 case ACCESS_DENIED_ACE_TYPE:
825 ad_ace = (const ACCESS_DENIED_ACE *)ace;
826 sid = (const SID *)&ad_ace->SidStart;
827 if (token_sid_present( token, sid, TRUE ))
828 {
829 unsigned int access = ad_ace->Mask;
830 map_generic_mask(&access, mapping);
831 if (desired_access & MAXIMUM_ALLOWED)
832 denied_access |= access;
833 else
834 {
835 denied_access |= (access & ~current_access);
836 if (desired_access & access)
837 {
838 *granted_access = 0;
839 return STATUS_SUCCESS;
840 }
841 }
842 }
843 break;
844 case ACCESS_ALLOWED_ACE_TYPE:
845 aa_ace = (const ACCESS_ALLOWED_ACE *)ace;
846 sid = (const SID *)&aa_ace->SidStart;
847 if (token_sid_present( token, sid, FALSE ))
848 {
849 unsigned int access = aa_ace->Mask;
850 map_generic_mask(&access, mapping);
851 if (desired_access & MAXIMUM_ALLOWED)
852 current_access |= access;
853 else
854 current_access |= (access & ~denied_access);
855 }
856 break;
857 }
858
859 /* don't bother carrying on checking if we've already got all of
860 * rights we need */
861 if (desired_access == *granted_access)
862 break;
863
864 ace = ace_next( ace );
865 }
866
867 if (desired_access & MAXIMUM_ALLOWED)
868 {
869 *granted_access = current_access & ~denied_access;
870 if (*granted_access)
871 return STATUS_SUCCESS;
872 else
873 return STATUS_ACCESS_DENIED;
874 }
875 else
876 {
877 if ((current_access & desired_access) == desired_access)
878 {
879 *granted_access = current_access & desired_access;
880 return STATUS_SUCCESS;
881 }
882 else
883 return STATUS_ACCESS_DENIED;
884 }
885 }
886
887 const ACL *token_get_default_dacl( struct token *token )
888 {
889 return token->default_dacl;
890 }
891
892 /* open a security token */
893 DECL_HANDLER(open_token)
894 {
895 if (req->flags & OPEN_TOKEN_THREAD)
896 {
897 struct thread *thread = get_thread_from_handle( req->handle, 0 );
898 if (thread)
899 {
900 if (thread->token)
901 reply->token = alloc_handle( current->process, thread->token, req->access,
902 req->attributes );
903 else
904 set_error(STATUS_NO_TOKEN);
905 release_object( thread );
906 }
907 }
908 else
909 {
910 struct process *process = get_process_from_handle( req->handle, 0 );
911 if (process)
912 {
913 if (process->token)
914 reply->token = alloc_handle( current->process, process->token, req->access,
915 req->attributes );
916 else
917 set_error(STATUS_NO_TOKEN);
918 release_object( process );
919 }
920 }
921 }
922
923 /* adjust the privileges held by a token */
924 DECL_HANDLER(adjust_token_privileges)
925 {
926 struct token *token;
927 unsigned int access = TOKEN_ADJUST_PRIVILEGES;
928
929 if (req->get_modified_state) access |= TOKEN_QUERY;
930
931 if ((token = (struct token *)get_handle_obj( current->process, req->handle,
932 access, &token_ops )))
933 {
934 const LUID_AND_ATTRIBUTES *privs = get_req_data();
935 LUID_AND_ATTRIBUTES *modified_privs = NULL;
936 unsigned int priv_count = get_req_data_size() / sizeof(LUID_AND_ATTRIBUTES);
937 unsigned int modified_priv_count = 0;
938
939 if (req->get_modified_state && !req->disable_all)
940 {
941 int i;
942 /* count modified privs */
943 for (i = 0; i < priv_count; i++)
944 {
945 struct privilege *privilege =
946 token_find_privilege( token, &privs[i].Luid, FALSE );
947 if (privilege && req->get_modified_state)
948 modified_priv_count++;
949 }
950 reply->len = modified_priv_count;
951 modified_priv_count = min( modified_priv_count, get_reply_max_size() / sizeof(*modified_privs) );
952 if (modified_priv_count)
953 modified_privs = set_reply_data_size( modified_priv_count * sizeof(*modified_privs) );
954 }
955 reply->len = modified_priv_count * sizeof(*modified_privs);
956
957 if (req->disable_all)
958 token_disable_privileges( token );
959 else
960 modified_priv_count = token_adjust_privileges( token, privs,
961 priv_count, modified_privs, modified_priv_count );
962
963 release_object( token );
964 }
965 }
966
967 /* retrieves the list of privileges that may be held be the token */
968 DECL_HANDLER(get_token_privileges)
969 {
970 struct token *token;
971
972 if ((token = (struct token *)get_handle_obj( current->process, req->handle,
973 TOKEN_QUERY,
974 &token_ops )))
975 {
976 int priv_count = 0;
977 LUID_AND_ATTRIBUTES *privs;
978 struct privilege *privilege;
979
980 LIST_FOR_EACH_ENTRY( privilege, &token->privileges, struct privilege, entry )
981 priv_count++;
982
983 reply->len = priv_count * sizeof(*privs);
984 if (reply->len <= get_reply_max_size())
985 {
986 privs = set_reply_data_size( priv_count * sizeof(*privs) );
987 if (privs)
988 {
989 int i = 0;
990 LIST_FOR_EACH_ENTRY( privilege, &token->privileges, struct privilege, entry )
991 {
992 luid_and_attr_from_privilege( &privs[i], privilege );
993 i++;
994 }
995 }
996 }
997 else
998 set_error(STATUS_BUFFER_TOO_SMALL);
999
1000 release_object( token );
1001 }
1002 }
1003
1004 /* creates a duplicate of the token */
1005 DECL_HANDLER(duplicate_token)
1006 {
1007 struct token *src_token;
1008 if ((src_token = (struct token *)get_handle_obj( current->process, req->handle,
1009 TOKEN_DUPLICATE,
1010 &token_ops )))
1011 {
1012 /* FIXME: use req->impersonation_level */
1013 struct token *token = create_token( req->primary, src_token->user,
1014 NULL, 0, NULL, 0,
1015 src_token->default_dacl,
1016 src_token->source );
1017 if (token)
1018 {
1019 struct privilege *privilege;
1020 struct sid_and_attributes *group;
1021 unsigned int access;
1022
1023 /* copy groups */
1024 LIST_FOR_EACH_ENTRY( group, &src_token->groups, struct sid_and_attributes, entry )
1025 {
1026 size_t size = FIELD_OFFSET( struct sid_and_attributes, sid.SubAuthority[group->sid.SubAuthorityCount] );
1027 struct sid_and_attributes *newgroup = mem_alloc( size );
1028 memcpy( newgroup, group, size );
1029 list_add_tail( &token->groups, &newgroup->entry );
1030 }
1031
1032 /* copy privileges */
1033 LIST_FOR_EACH_ENTRY( privilege, &src_token->privileges, struct privilege, entry )
1034 privilege_add( token, &privilege->luid, privilege->enabled );
1035
1036 access = req->access;
1037 if (access & MAXIMUM_ALLOWED) access = TOKEN_ALL_ACCESS; /* FIXME: needs general solution */
1038 reply->new_handle = alloc_handle( current->process, token, access, req->attributes);
1039 release_object( token );
1040 }
1041 release_object( src_token );
1042 }
1043 }
1044
1045 /* checks the specified privileges are held by the token */
1046 DECL_HANDLER(check_token_privileges)
1047 {
1048 struct token *token;
1049
1050 if ((token = (struct token *)get_handle_obj( current->process, req->handle,
1051 TOKEN_QUERY,
1052 &token_ops )))
1053 {
1054 unsigned int count = get_req_data_size() / sizeof(LUID_AND_ATTRIBUTES);
1055 if (get_reply_max_size() >= count * sizeof(LUID_AND_ATTRIBUTES))
1056 {
1057 LUID_AND_ATTRIBUTES *usedprivs = set_reply_data_size( count * sizeof(*usedprivs) );
1058 reply->has_privileges = token_check_privileges( token, req->all_required, get_req_data(), count, usedprivs );
1059 }
1060 else
1061 set_error( STATUS_BUFFER_OVERFLOW );
1062 release_object( token );
1063 }
1064 }
1065
1066 /* checks that a user represented by a token is allowed to access an object
1067 * represented by a security descriptor */
1068 DECL_HANDLER(access_check)
1069 {
1070 size_t sd_size = get_req_data_size();
1071 const struct security_descriptor *sd = get_req_data();
1072 struct token *token;
1073
1074 if (!sd_is_valid( sd, sd_size ))
1075 {
1076 set_error( STATUS_ACCESS_VIOLATION );
1077 return;
1078 }
1079
1080 if ((token = (struct token *)get_handle_obj( current->process, req->handle,
1081 TOKEN_QUERY,
1082 &token_ops )))
1083 {
1084 GENERIC_MAPPING mapping;
1085 unsigned int status;
1086 LUID_AND_ATTRIBUTES priv;
1087 unsigned int priv_count = 1;
1088
1089 memset(&priv, 0, sizeof(priv));
1090
1091 /* only impersonation tokens may be used with this function */
1092 if (token->primary)
1093 {
1094 set_error( STATUS_NO_IMPERSONATION_TOKEN );
1095 release_object( token );
1096 return;
1097 }
1098
1099 mapping.GenericRead = req->mapping_read;
1100 mapping.GenericWrite = req->mapping_write;
1101 mapping.GenericExecute = req->mapping_execute;
1102 mapping.GenericAll = req->mapping_all;
1103
1104 reply->access_status = token_access_check(
1105 token, sd, req->desired_access, &priv, &priv_count, &mapping,
1106 &reply->access_granted, &status );
1107
1108 reply->privileges_len = priv_count*sizeof(LUID_AND_ATTRIBUTES);
1109
1110 if ((priv_count > 0) && (reply->privileges_len <= get_reply_max_size()))
1111 {
1112 LUID_AND_ATTRIBUTES *privs = set_reply_data_size( priv_count * sizeof(*privs) );
1113 memcpy( privs, &priv, sizeof(priv) );
1114 }
1115
1116 if (status != STATUS_SUCCESS)
1117 set_error( status );
1118
1119 release_object( token );
1120 }
1121 }
1122
1123 /* */
1124 DECL_HANDLER(get_token_user)
1125 {
1126 struct token *token;
1127
1128 reply->user_len = 0;
1129
1130 if ((token = (struct token *)get_handle_obj( current->process, req->handle,
1131 TOKEN_QUERY,
1132 &token_ops )))
1133 {
1134 const SID *user = token->user;
1135
1136 reply->user_len = FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]);
1137 if (reply->user_len <= get_reply_max_size())
1138 {
1139 SID *user_reply = set_reply_data_size( reply->user_len );
1140 if (user_reply)
1141 memcpy( user_reply, user, reply->user_len );
1142 }
1143 else set_error( STATUS_BUFFER_TOO_SMALL );
1144
1145 release_object( token );
1146 }
1147 }
Work in progress by Kai Blin