Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
W
wine-cw
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
wine
wine-cw
Commits
9b82644d
Commit
9b82644d
authored
Jun 09, 2005
by
Robert Shearman
Committed by
Alexandre Julliard
Jun 09, 2005
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
- Avoid evil signed bitfields.
- Fix bug with using wrong revision in security_sid_alloc. - Add all builtin groups present in the Administrator token on Windows to the default token.
parent
9c01e427
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
75 additions
and
22 deletions
+75
-22
token.c
server/token.c
+75
-22
No files found.
server/token.c
View file @
9b82644d
...
...
@@ -57,6 +57,16 @@ const LUID SeManageVolumePrivilege = { 28, 0 };
const
LUID
SeImpersonatePrivilege
=
{
29
,
0
};
const
LUID
SeCreateGlobalPrivilege
=
{
30
,
0
};
static
const
SID
world_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_WORLD_SID_AUTHORITY
},
{
SECURITY_WORLD_RID
}
};
static
const
SID
local_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_LOCAL_SID_AUTHORITY
},
{
SECURITY_LOCAL_RID
}
};
static
const
SID
interactive_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_NT_AUTHORITY
},
{
SECURITY_INTERACTIVE_RID
}
};
static
const
SID
authenticated_user_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_NT_AUTHORITY
},
{
SECURITY_AUTHENTICATED_USER_RID
}
};
static
const
SID
local_system_sid
=
{
SID_REVISION
,
1
,
{
SECURITY_NT_AUTHORITY
},
{
SECURITY_LOCAL_SYSTEM_RID
}
};
static
PSID
security_world_sid
=
(
PSID
)
&
world_sid
;
static
PSID
security_local_sid
=
(
PSID
)
&
local_sid
;
static
PSID
security_interactive_sid
=
(
PSID
)
&
interactive_sid
;
static
PSID
security_authenticated_user_sid
=
(
PSID
)
&
authenticated_user_sid
;
struct
token
{
struct
object
obj
;
/* object header */
...
...
@@ -76,13 +86,13 @@ struct privilege
struct
sid_and_attributes
{
struct
list
entry
;
int
enabled
:
1
;
/* is the sid currently enabled? */
int
def
:
1
;
/* is the sid enabled by default? */
int
logon
:
1
;
/* is this a logon sid? */
int
mandatory
:
1
;
/* is this sid always enabled? */
int
owner
:
1
;
/* can this sid be an owner of an object? */
int
resource
:
1
;
/* is this a domain-local group? */
int
deny_only
:
1
;
/* is this a sid that should be use for denying only? */
unsigned
enabled
:
1
;
/* is the sid currently enabled? */
unsigned
def
:
1
;
/* is the sid enabled by default? */
unsigned
logon
:
1
;
/* is this a logon sid? */
unsigned
mandatory
:
1
;
/* is this sid always enabled? */
unsigned
owner
:
1
;
/* can this sid be an owner of an object? */
unsigned
resource
:
1
;
/* is this a domain-local group? */
unsigned
deny_only
:
1
;
/* is this a sid that should be use for denying only? */
SID
sid
;
};
...
...
@@ -114,7 +124,7 @@ static SID *security_sid_alloc( const SID_IDENTIFIER_AUTHORITY *idauthority, int
int
i
;
SID
*
sid
=
mem_alloc
(
FIELD_OFFSET
(
SID
,
SubAuthority
[
subauthcount
])
);
if
(
!
sid
)
return
NULL
;
sid
->
Revision
=
MAX_ACL
_REVISION
;
sid
->
Revision
=
SID
_REVISION
;
sid
->
SubAuthorityCount
=
subauthcount
;
sid
->
IdentifierAuthority
=
*
idauthority
;
for
(
i
=
0
;
i
<
subauthcount
;
i
++
)
...
...
@@ -342,7 +352,9 @@ static void token_destroy( struct object *obj )
}
}
static
struct
token
*
create_token
(
const
SID
*
user
,
const
LUID_AND_ATTRIBUTES
*
privs
,
unsigned
int
priv_count
)
static
struct
token
*
create_token
(
const
SID
*
user
,
const
SID_AND_ATTRIBUTES
*
groups
,
unsigned
int
group_count
,
const
LUID_AND_ATTRIBUTES
*
privs
,
unsigned
int
priv_count
)
{
struct
token
*
token
=
alloc_object
(
&
token_ops
);
if
(
token
)
...
...
@@ -358,7 +370,21 @@ static struct token *create_token( const SID *user, const LUID_AND_ATTRIBUTES *p
return
NULL
;
}
/* FIXME: copy groups */
/* copy groups */
for
(
i
=
0
;
i
<
group_count
;
i
++
)
{
size_t
size
=
FIELD_OFFSET
(
struct
sid_and_attributes
,
sid
.
SubAuthority
[((
const
SID
*
)
groups
[
i
].
Sid
)
->
SubAuthorityCount
]
);
struct
sid_and_attributes
*
group
=
mem_alloc
(
size
);
memcpy
(
&
group
->
sid
,
groups
[
i
].
Sid
,
FIELD_OFFSET
(
SID
,
SubAuthority
[((
const
SID
*
)
groups
[
i
].
Sid
)
->
SubAuthorityCount
]
)
);
group
->
enabled
=
TRUE
;
group
->
def
=
TRUE
;
group
->
logon
=
FALSE
;
group
->
mandatory
=
(
groups
[
i
].
Attributes
&
SE_GROUP_MANDATORY
)
?
TRUE
:
FALSE
;
group
->
owner
=
FALSE
;
group
->
resource
=
FALSE
;
group
->
deny_only
=
FALSE
;
list_add_tail
(
&
token
->
groups
,
&
group
->
entry
);
}
/* copy privileges */
for
(
i
=
0
;
i
<
priv_count
;
i
++
)
...
...
@@ -385,7 +411,20 @@ struct sid_data
struct
token
*
token_create_admin
(
void
)
{
struct
token
*
token
;
struct
token
*
token
=
NULL
;
static
const
SID_IDENTIFIER_AUTHORITY
nt_authority
=
{
SECURITY_NT_AUTHORITY
};
static
const
unsigned
int
alias_admins_subauth
[]
=
{
SECURITY_BUILTIN_DOMAIN_RID
,
DOMAIN_ALIAS_RID_ADMINS
};
static
const
unsigned
int
alias_users_subauth
[]
=
{
SECURITY_BUILTIN_DOMAIN_RID
,
DOMAIN_ALIAS_RID_USERS
};
PSID
alias_admins_sid
;
PSID
alias_users_sid
;
alias_admins_sid
=
security_sid_alloc
(
&
nt_authority
,
sizeof
(
alias_admins_subauth
)
/
sizeof
(
alias_admins_subauth
[
0
]),
alias_admins_subauth
);
alias_users_sid
=
security_sid_alloc
(
&
nt_authority
,
sizeof
(
alias_users_subauth
)
/
sizeof
(
alias_users_subauth
[
0
]),
alias_users_subauth
);
if
(
alias_admins_sid
&&
alias_users_sid
)
{
const
LUID_AND_ATTRIBUTES
admin_privs
[]
=
{
{
SeChangeNotifyPrivilege
,
SE_PRIVILEGE_ENABLED
},
...
...
@@ -409,17 +448,29 @@ struct token *token_create_admin( void )
{
SeImpersonatePrivilege
,
SE_PRIVILEGE_ENABLED
},
{
SeCreateGlobalPrivilege
,
SE_PRIVILEGE_ENABLED
},
};
static
const
struct
sid_data
well_known_sid_data
[]
=
{
{
{
SECURITY_NT_AUTHORITY
},
1
,
{
SECURITY_LOCAL_SYSTEM_RID
}
},
/* LOCAL_SYSTEM */
/* note: we don't include non-builtin groups here for the user -
* telling us these is the job of a client-side program */
const
SID_AND_ATTRIBUTES
admin_groups
[]
=
{
{
security_world_sid
,
SE_GROUP_ENABLED
|
SE_GROUP_ENABLED_BY_DEFAULT
|
SE_GROUP_MANDATORY
},
{
security_local_sid
,
SE_GROUP_ENABLED
|
SE_GROUP_ENABLED_BY_DEFAULT
|
SE_GROUP_MANDATORY
},
{
security_interactive_sid
,
SE_GROUP_ENABLED
|
SE_GROUP_ENABLED_BY_DEFAULT
|
SE_GROUP_MANDATORY
},
{
security_authenticated_user_sid
,
SE_GROUP_ENABLED
|
SE_GROUP_ENABLED_BY_DEFAULT
|
SE_GROUP_MANDATORY
},
{
alias_admins_sid
,
SE_GROUP_ENABLED
|
SE_GROUP_ENABLED_BY_DEFAULT
|
SE_GROUP_MANDATORY
},
{
alias_users_sid
,
SE_GROUP_ENABLED
|
SE_GROUP_ENABLED_BY_DEFAULT
|
SE_GROUP_MANDATORY
},
};
SID
*
local_system_sid
=
security_sid_alloc
(
&
well_known_sid_data
[
0
].
idauth
,
well_known_sid_data
[
0
].
count
,
well_known_sid_data
[
0
].
subauth
);
if
(
!
local_system_sid
)
return
NULL
;
token
=
create_token
(
local_system_sid
,
admin_privs
,
sizeof
(
admin_privs
)
/
sizeof
(
admin_privs
[
0
])
);
free
(
local_system_sid
);
/* note: we just set the user sid to be the local system builtin sid -
* telling us what this should be is the job of a client-side program */
token
=
create_token
(
&
local_system_sid
,
admin_groups
,
sizeof
(
admin_groups
)
/
sizeof
(
admin_groups
[
0
]),
admin_privs
,
sizeof
(
admin_privs
)
/
sizeof
(
admin_privs
[
0
])
);
}
if
(
alias_admins_sid
)
free
(
alias_admins_sid
);
if
(
alias_users_sid
)
free
(
alias_users_sid
);
return
token
;
}
...
...
@@ -828,12 +879,14 @@ DECL_HANDLER(duplicate_token)
&
token_ops
)))
{
/* FIXME: use req->primary and req->impersonation_level */
struct
token
*
token
=
create_token
(
src_token
->
user
,
NULL
,
0
);
struct
token
*
token
=
create_token
(
src_token
->
user
,
NULL
,
0
,
NULL
,
0
);
if
(
token
)
{
struct
privilege
*
privilege
;
unsigned
int
access
;
/* FIXME: copy groups */
LIST_FOR_EACH_ENTRY
(
privilege
,
&
src_token
->
privileges
,
struct
privilege
,
entry
)
privilege_add
(
token
,
&
privilege
->
luid
,
privilege
->
enabled
);
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment