* [newlib-cygwin] Cygwin: remove unused lsaauth authentication function
@ 2021-10-29 19:03 Corinna Vinschen
From: Corinna Vinschen @ 2021-10-29 19:03 UTC (permalink / raw)
To: cygwin-cvs
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=045ce20177d64e14ae398a978687d56c35173365
commit 045ce20177d64e14ae398a978687d56c35173365
Author: Corinna Vinschen <corinna@vinschen.de>
Date: Fri Oct 29 21:03:07 2021 +0200
Cygwin: remove unused lsaauth authentication function
Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
Diff:
---
winsup/cygwin/sec_auth.cc | 244 +---------------------------------------------
winsup/cygwin/security.h | 18 ----
2 files changed, 1 insertion(+), 261 deletions(-)
diff --git a/winsup/cygwin/sec_auth.cc b/winsup/cygwin/sec_auth.cc
index ed03f9b48..121d55e05 100644
--- a/winsup/cygwin/sec_auth.cc
+++ b/winsup/cygwin/sec_auth.cc
@@ -971,7 +971,7 @@ create_token (cygsid &usersid, user_groups &new_groups)
SECURITY_QUALITY_OF_SERVICE sqos =
{ sizeof sqos, SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE };
OBJECT_ATTRIBUTES oa = { sizeof oa, 0, 0, 0, 0, &sqos };
- /* Up to Windows 7, when using a authwentication LUID other than "Anonymous",
+ /* Up to Windows 7, when using an authentication LUID other than "Anonymous",
Windows whoami prints the wrong username, the one from the login session,
not the one from the actual user token of the process. This is apparently
fixed in Windows 8. However, starting with Windows 8, access rights of
@@ -1114,248 +1114,6 @@ out:
return primary_token;
}
-#if 0 && S4U_RUNS_FINE
-HANDLE
-lsaauth (cygsid &usersid, user_groups &new_groups)
-{
- cygsidlist tmp_gsids (cygsidlist_auto, 12);
- cygpsid pgrpsid;
- LSA_STRING name;
- HANDLE lsa_hdl = NULL, lsa = NULL;
- LSA_OPERATIONAL_MODE sec_mode;
- NTSTATUS status, sub_status;
- ULONG package_id, size;
- struct {
- LSA_STRING str;
- CHAR buf[16];
- } origin;
- DWORD ulen = UNLEN + 1;
- DWORD dlen = MAX_DOMAIN_NAME_LEN + 1;
- SID_NAME_USE use;
- cyglsa_t *authinf = NULL;
- ULONG authinf_size;
- TOKEN_SOURCE ts;
- PCYG_TOKEN_GROUPS gsids = NULL;
- PTOKEN_PRIVILEGES privs = NULL;
- PACL dacl = NULL;
- PVOID profile = NULL;
- LUID luid;
- QUOTA_LIMITS quota;
- size_t psize = 0, gsize = 0, dsize = 0;
- OFFSET offset, sids_offset;
- int tmpidx, non_well_known_cnt;
-
- HANDLE user_token = NULL;
-
- push_self_privilege (SE_TCB_PRIVILEGE, true);
-
- /* Register as logon process. */
- RtlInitAnsiString (&name, "Cygwin");
- status = LsaRegisterLogonProcess (&name, &lsa_hdl, &sec_mode);
- if (status != STATUS_SUCCESS)
- {
- debug_printf ("LsaRegisterLogonProcess: %y", status);
- __seterrno_from_nt_status (status);
- goto out;
- }
- /* Get handle to our own LSA package. */
- RtlInitAnsiString (&name, CYG_LSA_PKGNAME);
- status = LsaLookupAuthenticationPackage (lsa_hdl, &name, &package_id);
- if (status != STATUS_SUCCESS)
- {
- debug_printf ("LsaLookupAuthenticationPackage: %y", status);
- __seterrno_from_nt_status (status);
- goto out;
- }
-
- /* Open policy object. */
- if (!(lsa = lsa_open_policy (NULL, POLICY_EXECUTE)))
- goto out;
-
- /* Create origin. */
- stpcpy (origin.buf, "Cygwin");
- RtlInitAnsiString (&origin.str, origin.buf);
- /* Create token source. */
- memcpy (ts.SourceName, "Cygwin.1", 8);
- ts.SourceIdentifier.HighPart = 0;
- ts.SourceIdentifier.LowPart = 0x0103;
-
- /* Create list of groups, the user is member in. */
- if (new_groups.issetgroups ())
- {
- if (!get_setgroups_sidlist (tmp_gsids, usersid, NULL, new_groups))
- goto out;
- }
- else if (!get_initgroups_sidlist (tmp_gsids, usersid, new_groups.pgsid,
- NULL))
- goto out;
-
- tmp_gsids.debug_print ("tmp_gsids");
-
- /* Evaluate size of TOKEN_GROUPS list */
- non_well_known_cnt = tmp_gsids.non_well_known_count ();
- gsize = sizeof (DWORD) + non_well_known_cnt * sizeof (SID_AND_ATTRIBUTES);
- tmpidx = -1;
- for (int i = 0; i < non_well_known_cnt; ++i)
- if ((tmpidx = tmp_gsids.next_non_well_known_sid (tmpidx)) >= 0)
- gsize += RtlLengthSid (tmp_gsids.sids[tmpidx]);
-
- /* Retrieve list of privileges of that user. The MIC SID is created by
- the LSA here. */
- if (!(privs = get_priv_list (lsa, usersid, tmp_gsids, psize, NULL)))
- goto out;
-
- /* Create DefaultDacl. */
- dsize = sizeof (ACL) + 3 * sizeof (ACCESS_ALLOWED_ACE)
- + RtlLengthSid (usersid)
- + RtlLengthSid (well_known_admins_sid)
- + RtlLengthSid (well_known_system_sid);
- dacl = (PACL) alloca (dsize);
- if (!NT_SUCCESS (RtlCreateAcl (dacl, dsize, ACL_REVISION)))
- goto out;
- if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
- usersid)))
- goto out;
- if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
- well_known_admins_sid)))
- goto out;
- if (!NT_SUCCESS (RtlAddAccessAllowedAce (dacl, ACL_REVISION, GENERIC_ALL,
- well_known_system_sid)))
- goto out;
-
- /* Evaluate authinf size and allocate authinf. */
- authinf_size = (authinf->data - (PBYTE) authinf);
- authinf_size += RtlLengthSid (usersid); /* User SID */
- authinf_size += gsize; /* Groups + Group SIDs */
- /* When trying to define the admins group as primary group on Vista,
- LsaLogonUser fails with error STATUS_INVALID_OWNER. As workaround
- we define "Local" as primary group here. Seteuid32 sets the primary
- group to the group set in /etc/passwd anyway. */
- if (new_groups.pgsid == well_known_admins_sid)
- pgrpsid = well_known_local_sid;
- else
- pgrpsid = new_groups.pgsid;
-
- authinf_size += RtlLengthSid (pgrpsid); /* Primary Group SID */
-
- authinf_size += psize; /* Privileges */
- authinf_size += 0; /* Owner SID */
- authinf_size += dsize; /* Default DACL */
-
- authinf = (cyglsa_t *) alloca (authinf_size);
- authinf->inf_size = authinf_size - ((PBYTE) &authinf->inf - (PBYTE) authinf);
-
- authinf->magic = CYG_LSA_MAGIC;
-
- if (!LookupAccountSidW (NULL, usersid, authinf->username, &ulen,
- authinf->domain, &dlen, &use))
- {
- __seterrno ();
- goto out;
- }
-
- /* Store stuff in authinf with offset relative to start of "inf" member,
- instead of using pointers. */
- offset = authinf->data - (PBYTE) &authinf->inf;
-
- authinf->inf.ExpirationTime.LowPart = 0xffffffffL;
- authinf->inf.ExpirationTime.HighPart = 0x7fffffffL;
- /* User SID */
- authinf->inf.User.User.Sid = offset;
- authinf->inf.User.User.Attributes = 0;
- RtlCopySid (RtlLengthSid (usersid), (PSID) ((PBYTE) &authinf->inf + offset),
- usersid);
- offset += RtlLengthSid (usersid);
- /* Groups */
- authinf->inf.Groups = offset;
- gsids = (PCYG_TOKEN_GROUPS) ((PBYTE) &authinf->inf + offset);
- sids_offset = offset + sizeof (ULONG) + non_well_known_cnt
- * sizeof (SID_AND_ATTRIBUTES);
- gsids->GroupCount = non_well_known_cnt;
- /* Group SIDs */
- tmpidx = -1;
- for (int i = 0; i < non_well_known_cnt; ++i)
- {
- if ((tmpidx = tmp_gsids.next_non_well_known_sid (tmpidx)) < 0)
- break;
- gsids->Groups[i].Sid = sids_offset;
- gsids->Groups[i].Attributes = SE_GROUP_MANDATORY
- | SE_GROUP_ENABLED_BY_DEFAULT
- | SE_GROUP_ENABLED;
- RtlCopySid (RtlLengthSid (tmp_gsids.sids[tmpidx]),
- (PSID) ((PBYTE) &authinf->inf + sids_offset),
- tmp_gsids.sids[tmpidx]);
- sids_offset += RtlLengthSid (tmp_gsids.sids[tmpidx]);
- }
- offset += gsize;
- /* Primary Group SID */
- authinf->inf.PrimaryGroup.PrimaryGroup = offset;
- RtlCopySid (RtlLengthSid (pgrpsid), (PSID) ((PBYTE) &authinf->inf + offset),
- pgrpsid);
- offset += RtlLengthSid (pgrpsid);
- /* Privileges */
- authinf->inf.Privileges = offset;
- memcpy ((PBYTE) &authinf->inf + offset, privs, psize);
- offset += psize;
- /* Owner */
- authinf->inf.Owner.Owner = 0;
- /* Default DACL */
- authinf->inf.DefaultDacl.DefaultDacl = offset;
- memcpy ((PBYTE) &authinf->inf + offset, dacl, dsize);
-
- authinf->checksum = CYG_LSA_MAGIC;
- PDWORD csp;
- PDWORD csp_end;
- csp = (PDWORD) &authinf->username;
- csp_end = (PDWORD) ((PBYTE) authinf + authinf_size);
- while (csp < csp_end)
- authinf->checksum += *csp++;
-
- /* Try to logon... */
- status = LsaLogonUser (lsa_hdl, (PLSA_STRING) &origin, Interactive,
- package_id, authinf, authinf_size, NULL, &ts,
- &profile, &size, &luid, &user_token, "a,
- &sub_status);
- if (status != STATUS_SUCCESS)
- {
- if (status == STATUS_ACCOUNT_RESTRICTION)
- debug_printf ("Cygwin LSA Auth LsaLogonUser failed: %y (%s)",
- status, account_restriction (sub_status));
- else
- debug_printf ("Cygwin LSA Auth LsaLogonUser failed: %y", status);
- __seterrno_from_nt_status (status);
- goto out;
- }
- if (profile)
- {
-#ifdef JUST_ANOTHER_NONWORKING_SOLUTION
- /* See ../lsaauth/cyglsa.c. */
- cygprf_t *prf = (cygprf_t *) profile;
- if (prf->magic_pre == MAGIC_PRE && prf->magic_post == MAGIC_POST
- && prf->token)
- {
- CloseHandle (user_token);
- user_token = prf->token;
- system_printf ("Got token through profile: %p", user_token);
- }
-#endif /* JUST_ANOTHER_NONWORKING_SOLUTION */
- LsaFreeReturnBuffer (profile);
- }
- user_token = get_full_privileged_inheritable_token (user_token);
-
-out:
- if (privs && privs != (PTOKEN_PRIVILEGES) &sys_privs)
- free (privs);
- lsa_close_policy (lsa);
- if (lsa_hdl)
- LsaDeregisterLogonProcess (lsa_hdl);
- pop_self_privilege ();
-
- debug_printf ("%p = lsaauth ()", user_token);
- return user_token;
-}
-#endif
-
#define SFU_LSA_KEY_SUFFIX L"_microsoft_sfu_utility"
HANDLE
diff --git a/winsup/cygwin/security.h b/winsup/cygwin/security.h
index ba787fcf9..3e6688cd9 100644
--- a/winsup/cygwin/security.h
+++ b/winsup/cygwin/security.h
@@ -300,15 +300,6 @@ public:
void count (int ncnt)
{ cnt = ncnt; }
int count () const { return cnt; }
- int non_well_known_count () const
- {
- int wcnt = 0;
- for (int i = 0; i < cnt; ++i)
- if (!sids[i].is_well_known_sid ())
- ++wcnt;
- return wcnt;
- }
-
int position (const PSID sid) const
{
for (int i = 0; i < cnt; ++i)
@@ -317,13 +308,6 @@ public:
return -1;
}
- int next_non_well_known_sid (int idx)
- {
- while (++idx < cnt)
- if (!sids[idx].is_well_known_sid ())
- return idx;
- return -1;
- }
BOOL contains (const PSID sid) const { return position (sid) >= 0; }
cygsid *alloc_sids (int n);
void free_sids ();
@@ -475,8 +459,6 @@ int setacl (HANDLE, path_conv &, int, struct acl *, bool &);
void set_imp_token (HANDLE token, int type);
/* Function creating a token by calling NtCreateToken. */
HANDLE create_token (cygsid &usersid, user_groups &groups);
-/* LSA authentication function. */
-HANDLE lsaauth (cygsid &, user_groups &);
/* LSA private key storage authentication, same as when using service logons. */
HANDLE lsaprivkeyauth (struct passwd *pw);
/* Kerberos or MsV1 S4U logon. */