* cygheap.h (init_cygheap::luid): Remove.

* mmap.cc (mlock): Accommodate parameter change in call to push_thread_privilege. (munlock): Ditto. * ntdll.h (STATUS_NOT_ALL_ASSIGNED): Define. (NtAdjustPrivilegesToken): Declare. * sec_helper.cc (cygpriv): Reorder to match numerical privilege order. (privilege_luid): Take job of privilege_luid_by_name, using new cygpriv. (privilege_luid_by_name): Remove. (privilege_name): Accommodate new cygpriv array. (set_privilege): Call NtAdjustPrivilegesToken to avoid using advapi32. Accommodate changes to privilege_name. (set_cygwin_privileges): Simplify. Don't try to set SE_CREATE_GLOBAL_PRIVILEGE on systems not supporting it. * security.cc (sys_privs): Reorder to match numerical privilege order. Use real privilege values as defined in security.h. (get_system_priv_list): Drop unused grp_list argument. Create list of privileges according to new wincapc::max_sys_priv value. (get_priv_list): Call privilege_luid instead of privilege_luid_by_name. Make priv a local value instead of a pointer. (create_token): Accommodate parameter change in call to push_self_privilege. (lsaauth): Ditto. (check_access): Use privilege values directly instead of calling privilege_luid. * security.h: Define real privilege values. (cygpriv_idx): Remove. (privilege_luid): Change declaration. (privilege_luid_by_name): Drop declaration. (set_privilege): Change declaration. (set_process_privilege): Drop definition. (_push_thread_privilege): Accomodate new set_privilege parameters. * wincap.h (wincapc::max_sys_priv): New element. * wincap.cc: Implement above element throughout. (wincap_2000sp4): New wincaps structure. (wincap_xpsp1): Ditto. (wincap_xpsp2): Ditto. (wincapc::init): Use new wincaps. (wincapc::max_sys_priv): New element.
author: Corinna Vinschen <corinna@vinschen.de> 2007-07-19 08:33:22 +0000
committer: Corinna Vinschen <corinna@vinschen.de> 2007-07-19 08:33:22 +0000
commit: cce28460fe93c21d30e227331dcbbdf1d29a96b9 (patch)
tree: bac0dce3ddd7b1ac74ea0048c8c40c66feaa3646 /winsup/cygwin/security.cc
parent: 5fbf573cd341316c716de930793088b0aa9be177 (diff)
download: cygnal-cce28460fe93c21d30e227331dcbbdf1d29a96b9.tar.gz
cygnal-cce28460fe93c21d30e227331dcbbdf1d29a96b9.tar.bz2
cygnal-cce28460fe93c21d30e227331dcbbdf1d29a96b9.zip
1 files changed, 58 insertions, 53 deletions
diff --git a/winsup/cygwin/security.cc b/winsup/cygwin/security.cc
index 2c3cb141c..d76bbb1d8 100644
--- a/winsup/cygwin/security.cc
+++ b/winsup/cygwin/security.cc
@@ -562,46 +562,50 @@ get_setgroups_sidlist (cygsidlist &tmp_list, PSID usersid, struct passwd *pw,
   tmp_list += groups.pgsid;
 }
 
-static const cygpriv_idx sys_privs[] = {
-  SE_TCB_PRIV,
-  SE_ASSIGNPRIMARYTOKEN_PRIV,
-  SE_CREATE_TOKEN_PRIV,
-  SE_CHANGE_NOTIFY_PRIV,
-  SE_SECURITY_PRIV,
-  SE_BACKUP_PRIV,
-  SE_RESTORE_PRIV,
-  SE_SYSTEMTIME_PRIV,
-  SE_SHUTDOWN_PRIV,
-  SE_REMOTE_SHUTDOWN_PRIV,
-  SE_TAKE_OWNERSHIP_PRIV,
-  SE_DEBUG_PRIV,
-  SE_SYSTEM_ENVIRONMENT_PRIV,
-  SE_SYSTEM_PROFILE_PRIV,
-  SE_PROF_SINGLE_PROCESS_PRIV,
-  SE_INC_BASE_PRIORITY_PRIV,
-  SE_LOAD_DRIVER_PRIV,
-  SE_CREATE_PAGEFILE_PRIV,
-  SE_INCREASE_QUOTA_PRIV,
-  SE_LOCK_MEMORY_PRIV,
-  SE_CREATE_PERMANENT_PRIV,
-  SE_AUDIT_PRIV,
-  SE_UNDOCK_PRIV,
-  SE_MANAGE_VOLUME_PRIV,
-  SE_IMPERSONATE_PRIV,
-  SE_CREATE_GLOBAL_PRIV,
-  SE_INCREASE_WORKING_SET_PRIV,
-  SE_TIME_ZONE_PRIV,
-  SE_CREATE_SYMBOLIC_LINK_PRIV
+static ULONG sys_privs[] = {
+  SE_CREATE_TOKEN_PRIVILEGE,
+  SE_ASSIGNPRIMARYTOKEN_PRIVILEGE,		
+  SE_LOCK_MEMORY_PRIVILEGE,		
+  SE_INCREASE_QUOTA_PRIVILEGE,		
+  SE_TCB_PRIVILEGE,		
+  SE_SECURITY_PRIVILEGE,		
+  SE_TAKE_OWNERSHIP_PRIVILEGE,		
+  SE_LOAD_DRIVER_PRIVILEGE,		
+  SE_SYSTEM_PROFILE_PRIVILEGE,		/* Vista ONLY */
+  SE_SYSTEMTIME_PRIVILEGE,		
+  SE_PROF_SINGLE_PROCESS_PRIVILEGE,		
+  SE_INC_BASE_PRIORITY_PRIVILEGE,		
+  SE_CREATE_PAGEFILE_PRIVILEGE,		
+  SE_CREATE_PERMANENT_PRIVILEGE,		
+  SE_BACKUP_PRIVILEGE,		
+  SE_RESTORE_PRIVILEGE,		
+  SE_SHUTDOWN_PRIVILEGE,		
+  SE_DEBUG_PRIVILEGE,		
+  SE_AUDIT_PRIVILEGE,		
+  SE_SYSTEM_ENVIRONMENT_PRIVILEGE,		
+  SE_CHANGE_NOTIFY_PRIVILEGE,		
+  SE_UNDOCK_PRIVILEGE,
+  SE_MANAGE_VOLUME_PRIVILEGE,
+  SE_IMPERSONATE_PRIVILEGE,
+  SE_CREATE_GLOBAL_PRIVILEGE,
+  SE_INCREASE_WORKING_SET_PRIVILEGE,
+  SE_TIME_ZONE_PRIVILEGE,
+  SE_CREATE_SYMBOLIC_LINK_PRIVILEGE
 };
 
 #define SYSTEM_PRIVILEGES_COUNT (sizeof sys_privs / sizeof *sys_privs)
 
 static PTOKEN_PRIVILEGES
-get_system_priv_list (cygsidlist &grp_list, size_t &size)
+get_system_priv_list (size_t &size)
 {
-  const LUID *priv;
-  size = sizeof (ULONG)
-	 + SYSTEM_PRIVILEGES_COUNT * sizeof (LUID_AND_ATTRIBUTES);
+  ULONG max_idx = 0;
+  while (max_idx < SYSTEM_PRIVILEGES_COUNT
+  	 && sys_privs[max_idx] != wincap.max_sys_priv ())
+    ++max_idx;
+  if (max_idx >= SYSTEM_PRIVILEGES_COUNT)
+    api_fatal ("Coding error: wincap privilege %u doesn't exist in sys_privs",
+	       wincap.max_sys_priv ());
+  size = sizeof (ULONG) + (max_idx + 1) * sizeof (LUID_AND_ATTRIBUTES);
   PTOKEN_PRIVILEGES privs = (PTOKEN_PRIVILEGES) malloc (size);
   if (!privs)
     {
@@ -609,15 +613,14 @@ get_system_priv_list (cygsidlist &grp_list, size_t &size)
       return NULL;
     }
   privs->PrivilegeCount = 0;
-
-  for (DWORD i = 0; i < SYSTEM_PRIVILEGES_COUNT; ++i)
-    if ((priv = privilege_luid (sys_privs[i])))
-      {
-	privs->Privileges[privs->PrivilegeCount].Luid = *priv;
-	privs->Privileges[privs->PrivilegeCount].Attributes =
-	  SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT;
-	++privs->PrivilegeCount;
-      }
+  for (ULONG i = 0; i <= max_idx; ++i)
+    {
+      privs->Privileges[privs->PrivilegeCount].Luid.HighPart = 0L;
+      privs->Privileges[privs->PrivilegeCount].Luid.LowPart = sys_privs[i];
+      privs->Privileges[privs->PrivilegeCount].Attributes =
+	SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT;
+      ++privs->PrivilegeCount;
+    }
   return privs;
 }
 
@@ -632,7 +635,7 @@ get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidlist &grp_list,
   char buf[INTERNET_MAX_HOST_NAME_LENGTH + 1];
 
   if (usersid == well_known_system_sid)
-    return get_system_priv_list (grp_list, size);
+    return get_system_priv_list (size);
 
   for (int grp = -1; grp < grp_list.count (); ++grp)
     {
@@ -648,13 +651,13 @@ get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidlist &grp_list,
 	continue;
       for (ULONG i = 0; i < cnt; ++i)
 	{
-	  const LUID *priv;
+	  LUID priv;
 	  PTOKEN_PRIVILEGES tmp;
 	  DWORD tmp_count;
 
 	  sys_wcstombs (buf, sizeof (buf),
 			privstrs[i].Buffer, privstrs[i].Length / 2);
-	  if (!(priv = privilege_luid_by_name (buf)))
+	  if (!privilege_luid (buf, &priv))
 	    continue;
 
 	  if (privs)
@@ -662,8 +665,8 @@ get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidlist &grp_list,
 	      DWORD pcnt = privs->PrivilegeCount;
 	      LUID_AND_ATTRIBUTES *p = privs->Privileges;
 	      for (; pcnt > 0; --pcnt, ++p)
-		if (priv->HighPart == p->Luid.HighPart
-		    && priv->LowPart == p->Luid.LowPart)
+		if (priv.HighPart == p->Luid.HighPart
+		    && priv.LowPart == p->Luid.LowPart)
 		  goto next_account_right;
 	    }
 
@@ -681,7 +684,7 @@ get_priv_list (LSA_HANDLE lsa, cygsid &usersid, cygsidlist &grp_list,
 	    }
 	  tmp->PrivilegeCount = tmp_count;
 	  privs = tmp;
-	  privs->Privileges[privs->PrivilegeCount].Luid = *priv;
+	  privs->Privileges[privs->PrivilegeCount].Luid = priv;
 	  privs->Privileges[privs->PrivilegeCount].Attributes =
 	    SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT;
 	  ++privs->PrivilegeCount;
@@ -827,7 +830,7 @@ create_token (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
   size_t psize = 0;
 
   /* SE_CREATE_TOKEN_NAME privilege needed to call NtCreateToken. */
-  push_self_privilege (SE_CREATE_TOKEN_PRIV, true);
+  push_self_privilege (SE_CREATE_TOKEN_PRIVILEGE, true);
 
   /* Open policy object. */
   if ((lsa = open_local_policy ()) == INVALID_HANDLE_VALUE)
@@ -964,7 +967,7 @@ lsaauth (cygsid &usersid, user_groups &new_groups, struct passwd *pw)
 
   HANDLE user_token = NULL;
 
-  push_self_privilege (SE_TCB_PRIV, true);
+  push_self_privilege (SE_TCB_PRIVILEGE, true);
 
   /* Register as logon process. */
   str2lsa (name, "Cygwin");
@@ -1978,7 +1981,8 @@ check_access (security_descriptor &sd, GENERIC_MAPPING &mapping,
 	{
 	  pset->PrivilegeCount = 1;
 	  pset->Control = 0;
-	  pset->Privilege[0].Luid = *privilege_luid (SE_BACKUP_PRIV);
+	  pset->Privilege[0].Luid.HighPart = 0L;
+	  pset->Privilege[0].Luid.LowPart = SE_BACKUP_PRIVILEGE;
 	  pset->Privilege[0].Attributes = 0;
 	  if (PrivilegeCheck (tok, pset, &status) && status)
 	    granted_flags |= R_OK;
@@ -1987,7 +1991,8 @@ check_access (security_descriptor &sd, GENERIC_MAPPING &mapping,
 	{
 	  pset->PrivilegeCount = 1;
 	  pset->Control = 0;
-	  pset->Privilege[0].Luid = *privilege_luid (SE_RESTORE_PRIV);
+	  pset->Privilege[0].Luid.HighPart = 0L;
+	  pset->Privilege[0].Luid.LowPart = SE_RESTORE_PRIVILEGE;
 	  pset->Privilege[0].Attributes = 0;
 	  if (PrivilegeCheck (tok, pset, &status) && status)
 	    granted_flags |= W_OK;
author	Corinna Vinschen <corinna@vinschen.de>	2007-07-19 08:33:22 +0000
committer	Corinna Vinschen <corinna@vinschen.de>	2007-07-19 08:33:22 +0000
commit	cce28460fe93c21d30e227331dcbbdf1d29a96b9 (patch)
tree	bac0dce3ddd7b1ac74ea0048c8c40c66feaa3646 /winsup/cygwin/security.cc
parent	5fbf573cd341316c716de930793088b0aa9be177 (diff)
download	cygnal-cce28460fe93c21d30e227331dcbbdf1d29a96b9.tar.gz cygnal-cce28460fe93c21d30e227331dcbbdf1d29a96b9.tar.bz2 cygnal-cce28460fe93c21d30e227331dcbbdf1d29a96b9.zip