Add user attribute to token objects.

This commit is contained in:
Robert Shearman 2005-05-16 17:52:46 +00:00 committed by Alexandre Julliard
parent e140d02a2b
commit 2a782c65bd
1 changed files with 55 additions and 4 deletions

View File

@ -34,6 +34,8 @@
#include "request.h"
#include "security.h"
#define MAX_SUBAUTH_COUNT 1
const LUID SeIncreaseQuotaPrivilege = { 5, 0 };
const LUID SeSecurityPrivilege = { 8, 0 };
const LUID SeTakeOwnershipPrivilege = { 9, 0 };
@ -59,6 +61,7 @@ struct token
{
struct object obj; /* object header */
struct list privileges; /* privileges available to the token */
SID *user; /* SID of user this token represents */
};
struct privilege
@ -91,6 +94,25 @@ static void token_dump( struct object *obj, int verbose )
fprintf( stderr, "Security token\n" );
}
static SID *security_sid_alloc( const SID_IDENTIFIER_AUTHORITY *idauthority, int subauthcount, const unsigned int subauth[] )
{
int i;
SID *sid = mem_alloc( FIELD_OFFSET(SID, SubAuthority[subauthcount]) );
if (!sid) return NULL;
sid->Revision = MAX_ACL_REVISION;
sid->SubAuthorityCount = subauthcount;
sid->IdentifierAuthority = *idauthority;
for (i = 0; i < subauthcount; i++)
sid->SubAuthority[i] = subauth[i];
return sid;
}
static inline int security_equal_sid( const SID *sid1, const SID *sid2 )
{
return ((sid1->SubAuthorityCount == sid2->SubAuthorityCount) &&
!memcmp( sid1, sid2, FIELD_OFFSET(SID, SubAuthority[sid1->SubAuthorityCount]) ));
}
static inline int is_equal_luid( const LUID *luid1, const LUID *luid2 )
{
return (luid1->LowPart == luid2->LowPart && luid1->HighPart == luid2->HighPart);
@ -116,7 +138,7 @@ static struct privilege *privilege_add( struct token *token, const LUID *luid, i
return privilege;
}
static void privilege_remove( struct privilege *privilege )
static inline void privilege_remove( struct privilege *privilege )
{
list_remove( &privilege->entry );
free( privilege );
@ -130,6 +152,8 @@ static void token_destroy( struct object *obj )
assert( obj->ops == &token_ops );
token = (struct token *)obj;
free( token->user );
LIST_FOR_EACH_SAFE( cursor, cursor_next, &token->privileges )
{
struct privilege *privilege = LIST_ENTRY( cursor, struct privilege, entry );
@ -137,13 +161,21 @@ static void token_destroy( struct object *obj )
}
}
static struct token *create_token( const LUID_AND_ATTRIBUTES *privs, unsigned int priv_count )
static struct token *create_token( const SID *user, const LUID_AND_ATTRIBUTES *privs, unsigned int priv_count )
{
struct token *token = alloc_object( &token_ops );
if (token)
{
int i;
list_init( &token->privileges );
/* copy user */
token->user = memdup( user, FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]) );
if (!token->user)
{
release_object( token );
return NULL;
}
/* copy privileges */
for (i = 0; i < priv_count; i++)
{
/* note: we don't check uniqueness: the caller must make sure
@ -159,8 +191,16 @@ static struct token *create_token( const LUID_AND_ATTRIBUTES *privs, unsigned in
return token;
}
struct sid_data
{
SID_IDENTIFIER_AUTHORITY idauth;
int count;
unsigned int subauth[MAX_SUBAUTH_COUNT];
};
struct token *token_create_admin( void )
{
struct token *token;
const LUID_AND_ATTRIBUTES admin_privs[] =
{
{ SeChangeNotifyPrivilege , SE_PRIVILEGE_ENABLED },
@ -184,7 +224,18 @@ struct token *token_create_admin( void )
{ SeImpersonatePrivilege , SE_PRIVILEGE_ENABLED },
{ SeCreateGlobalPrivilege , SE_PRIVILEGE_ENABLED },
};
return create_token( admin_privs, sizeof(admin_privs)/sizeof(admin_privs[0]) );
static const struct sid_data well_known_sid_data[] =
{
{ { SECURITY_NT_AUTHORITY }, 1, { SECURITY_LOCAL_SYSTEM_RID } }, /* LOCAL_SYSTEM */
};
SID *local_system_sid = security_sid_alloc(
&well_known_sid_data[0].idauth,
well_known_sid_data[0].count,
well_known_sid_data[0].subauth );
if (!local_system_sid) return NULL;
token = create_token( local_system_sid, admin_privs, sizeof(admin_privs)/sizeof(admin_privs[0]) );
free( local_system_sid );
return token;
}
static struct privilege *token_find_privilege( struct token *token, const LUID *luid, int enabled_only)
@ -396,7 +447,7 @@ DECL_HANDLER(duplicate_token)
&token_ops )))
{
/* FIXME: use req->primary and req->impersonation_level */
struct token *token = create_token( NULL, 0 );
struct token *token = create_token( src_token->user, NULL, 0 );
if (token)
{
struct privilege *privilege;