From cb124c9b1281a15a8c776b65a1cb309490b4c9b6 Mon Sep 17 00:00:00 2001
From: Rob Shearman
Date: Wed, 3 Oct 2007 20:19:05 +0100
Subject: [PATCH] server: Add primitive support for setting and getting the security descriptor of files based on their Unix permissions.
---
 server/file.c | 251 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 server/security.h | 13 +++
 server/token.c | 15 +---
 3 files changed, 264 insertions(+), 15 deletions(-)
diff --git a/server/file.c b/server/file.c
index 11fa0050463..3023f770362 100644
--- a/server/file.c
+++ b/server/file.c
@@ -52,6 +52,8 @@
 #include "handle.h"
 #include "thread.h"
 #include "request.h"
+#include "process.h"
+#include "security.h"
 struct file
 {
@@ -59,12 +61,15 @@ struct file
 struct fd *fd; /* file descriptor for this file */
 unsigned int access; /* file access (FILE_READ_DATA etc.) */
 mode_t mode; /* file stat.st_mode */
+ uid_t uid; /* file stat.st_uid */
 };
 static unsigned int generic_file_map_access( unsigned int access );
 static void file_dump( struct object *obj, int verbose );
 static struct fd *file_get_fd( struct object *obj );
+static struct security_descriptor *file_get_sd( struct object *obj );
+static int file_set_sd( struct object *obj, const struct security_descriptor *sd, unsigned int set_info );
 static void file_destroy( struct object *obj );
 static int file_get_poll_events( struct fd *fd );
@@ -82,8 +87,8 @@ static const struct object_ops file_ops =
 no_signal, /* signal */
 file_get_fd, /* get_fd */
 default_fd_map_access, /* map_access */
- default_get_sd, /* get_sd */
- default_set_sd, /* set_sd */
+ file_get_sd, /* get_sd */
+ file_set_sd, /* set_sd */
 no_lookup_name, /* lookup_name */
 no_open_file, /* open_file */
 fd_close_handle, /* close_handle */
@@ -269,6 +274,248 @@ static unsigned int generic_file_map_access( unsigned int access )
 return access & ~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL);
 }
+static struct security_descriptor *file_get_sd( struct object *obj )
+{
+ struct file *file = (struct file *)obj;
+ struct stat st;
+ int unix_fd;
+ struct security_descriptor *sd;
+ const SID *user;
+ const SID *group;
+ size_t dacl_size;
+ ACCESS_ALLOWED_ACE *aaa;
+ ACL *dacl;
+ SID *sid;
+ char *ptr;
+ const SID *world_sid = security_world_sid;
+ const SID *local_system_sid = security_local_system_sid;
+
+ assert( obj->ops == &file_ops );
+
+ unix_fd = get_file_unix_fd( file );
+
+ if (unix_fd == -1) return obj->sd;
+
+ if (fstat( unix_fd, &st ) == -1)
+ return obj->sd;
+
+ /* mode and uid the same? if so, no need to re-generate security descriptor */
+ if (obj->sd && (st.st_mode & (S_IRWXU|S_IRWXO)) == (file->mode & (S_IRWXU|S_IRWXO)) &&
+ (st.st_uid == file->uid))
+ return obj->sd;
+
+ user = security_unix_uid_to_sid( st.st_uid );
+ group = token_get_primary_group( current->process->token );
+
+ dacl_size = sizeof(ACL) + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) +
+ FIELD_OFFSET(SID, SubAuthority[local_system_sid->SubAuthorityCount]);
+ if (st.st_mode & S_IRWXU)
+ dacl_size += FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) +
+ FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]);
+ if (st.st_mode & S_IRWXO)
+ dacl_size += FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) +
+ FIELD_OFFSET(SID, SubAuthority[world_sid->SubAuthorityCount]);
+
+ sd = mem_alloc( sizeof(struct security_descriptor) +
+ FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]) +
+ FIELD_OFFSET(SID, SubAuthority[group->SubAuthorityCount]) +
+ dacl_size );
+ if (!sd) return obj->sd;
+
+ sd->control = SE_DACL_PRESENT;
+ sd->owner_len = FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]);
+ sd->group_len = FIELD_OFFSET(SID, SubAuthority[group->SubAuthorityCount]);
+ sd->sacl_len = 0;
+ sd->dacl_len = dacl_size;
+
+ ptr = (char *)(sd + 1);
+ memcpy( ptr, user, sd->owner_len );
+ ptr += sd->owner_len;
+ memcpy( ptr, group, sd->group_len );
+ ptr += sd->group_len;
+
+ dacl = (ACL *)ptr;
+ dacl->AclRevision = ACL_REVISION;
+ dacl->Sbz1 = 0;
+ dacl->AclSize = dacl_size;
+ dacl->AceCount = 1 + (st.st_mode & S_IRWXU ? 1 : 0) + (st.st_mode & S_IRWXO ? 1 : 0);
+ dacl->Sbz2 = 0;
+
+ /* always give FILE_ALL_ACCESS for Local System */
+ aaa = (ACCESS_ALLOWED_ACE *)(dacl + 1);
+ aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ aaa->Header.AceFlags = 0;
+ aaa->Header.AceSize = FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) +
+ FIELD_OFFSET(SID, SubAuthority[local_system_sid->SubAuthorityCount]);
+ aaa->Mask = FILE_ALL_ACCESS;
+ sid = (SID *)&aaa->SidStart;
+ memcpy( sid, local_system_sid, FIELD_OFFSET(SID, SubAuthority[local_system_sid->SubAuthorityCount]) );
+
+ if (st.st_mode & S_IRWXU)
+ {
+ /* appropriate access rights for the user */
+ aaa = (ACCESS_ALLOWED_ACE *)ace_next( &aaa->Header );
+ aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ aaa->Header.AceFlags = 0;
+ aaa->Header.AceSize = FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) +
+ FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]);
+ aaa->Mask = WRITE_DAC | WRITE_OWNER;
+ if (st.st_mode & S_IRUSR)
+ aaa->Mask |= FILE_GENERIC_READ;
+ if (st.st_mode & S_IWUSR)
+ aaa->Mask |= FILE_GENERIC_WRITE | DELETE;
+ if (st.st_mode & S_IXUSR)
+ aaa->Mask |= FILE_GENERIC_EXECUTE;
+ sid = (SID *)&aaa->SidStart;
+ memcpy( sid, user, FIELD_OFFSET(SID, SubAuthority[user->SubAuthorityCount]) );
+ }
+ if (st.st_mode & S_IRWXO)
+ {
+ /* appropriate access rights for Everyone */
+ aaa = (ACCESS_ALLOWED_ACE *)ace_next( &aaa->Header );
+ aaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ aaa->Header.AceFlags = 0;
+ aaa->Header.AceSize = FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) +
+ FIELD_OFFSET(SID, SubAuthority[world_sid->SubAuthorityCount]);
+ aaa->Mask = 0;
+ if (st.st_mode & S_IROTH)
+ aaa->Mask |= FILE_GENERIC_READ;
+ if (st.st_mode & S_IWOTH)
+ aaa->Mask |= FILE_GENERIC_WRITE | DELETE;
+ if (st.st_mode & S_IXOTH)
+ aaa->Mask |= FILE_GENERIC_EXECUTE;
+ sid = (SID *)&aaa->SidStart;
+ memcpy( sid, world_sid, FIELD_OFFSET(SID, SubAuthority[world_sid->SubAuthorityCount]) );
+ }
+
+ file->mode = st.st_mode;
+ file->uid = st.st_uid;
+ free( obj->sd );
+ obj->sd = sd;
+ return sd;
+}
+
+static int file_set_sd( struct object *obj, const struct security_descriptor *sd,
+ unsigned int set_info )
+{
+ struct file *file = (struct file *)obj;
+ mode_t new_mode;
+ mode_t denied_mode = 0;
+ const SID *owner;
+ int unix_fd;
+
+ assert( obj->ops == &file_ops );
+
+ /* only DACL translation is currently supported */
+ if (!(set_info & DACL_SECURITY_INFORMATION))
+ return 1;
+
+ unix_fd = get_file_unix_fd( file );
+
+ if (unix_fd == -1) return 1;
+
+ if (set_info & OWNER_SECURITY_INFORMATION)
+ {
+ owner = sd_get_owner( sd );
+ if (!owner)
+ {
+ set_error( STATUS_INVALID_SECURITY_DESCR );
+ return 0;
+ }
+ if (!obj->sd || !security_equal_sid( owner, sd_get_owner( obj->sd ) ))
+ {
+ /* FIXME: get Unix uid and call fchown */
+ }
+ }
+ else if (obj->sd)
+ owner = sd_get_owner( obj->sd );
+ else
+ owner = token_get_user( current->process->token );
+
+ /* keep the bits that we don't map to access rights in the ACL */
+ new_mode = file->mode & (S_ISUID|S_ISGID|S_ISVTX|S_IRWXG);
+
+ if (set_info & DACL_SECURITY_INFORMATION)
+ {
+ if (sd->control & SE_DACL_PRESENT)
+ {
+ const ACL *dacl = (const ACL *)((char *)sd + sd->owner_len + sd->group_len + sd->sacl_len);
+ const ACE_HEADER *ace = (const ACE_HEADER *)(dacl + 1);
+ ULONG i;
+ for (i = 0; i < dacl->AceCount; i++)
+ {
+ const ACCESS_ALLOWED_ACE *aa_ace;
+ const ACCESS_DENIED_ACE *ad_ace;
+ const SID *sid;
+ switch (ace->AceType)
+ {
+ case ACCESS_DENIED_ACE_TYPE:
+ ad_ace = (const ACCESS_DENIED_ACE *)ace;
+ sid = (const SID *)&ad_ace->SidStart;
+ if (security_equal_sid( sid, security_world_sid ))
+ {
+ unsigned int access = generic_file_map_access( ad_ace->Mask );
+ if (access & FILE_READ_DATA)
+ denied_mode |= S_IROTH;
+ if (access & FILE_WRITE_DATA)
+ denied_mode |= S_IWOTH;
+ if (access & FILE_EXECUTE)
+ denied_mode |= S_IXOTH;
+ }
+ else if (security_equal_sid( sid, owner ))
+ {
+ unsigned int access = generic_file_map_access( ad_ace->Mask );
+ if (access & FILE_READ_DATA)
+ denied_mode |= S_IRUSR;
+ if (access & FILE_WRITE_DATA)
+ denied_mode |= S_IWUSR;
+ if (access & FILE_EXECUTE)
+ denied_mode |= S_IXUSR;
+ }
+ break;
+ case ACCESS_ALLOWED_ACE_TYPE:
+ aa_ace = (const ACCESS_ALLOWED_ACE *)ace;
+ sid = (const SID *)&aa_ace->SidStart;
+ if (security_equal_sid( sid, security_world_sid ))
+ {
+ unsigned int access = generic_file_map_access( aa_ace->Mask );
+ if (access & FILE_READ_DATA)
+ new_mode |= S_IROTH;
+ if (access & FILE_WRITE_DATA)
+ new_mode |= S_IWOTH;
+ if (access & FILE_EXECUTE)
+ new_mode |= S_IXOTH;
+ }
+ else if (security_equal_sid( sid, owner ))
+ {
+ unsigned int access = generic_file_map_access( aa_ace->Mask );
+ if (access & FILE_READ_DATA)
+ new_mode |= S_IRUSR;
+ if (access & FILE_WRITE_DATA)
+ new_mode |= S_IWUSR;
+ if (access & FILE_EXECUTE)
+ new_mode |= S_IXUSR;
+ }
+ break;
+ }
+ ace = ace_next( ace );
+ }
+ }
+ else
+ /* no ACL means full access rights to anyone */
+ new_mode |= S_IRWXU | S_IRWXO;
+
+ if (fchmod( unix_fd, new_mode & ~denied_mode ) == -1)
+ {
+ file_set_error();
+ return 0;
+ }
+
+ file->mode = new_mode & ~denied_mode;
+ }
+ return 1;
+}
+
 static void file_destroy( struct object *obj )
 {
 struct file *file = (struct file *)obj;
diff --git a/server/security.h b/server/security.h
index 74ff2bbeab2..5df58873655 100644
--- a/server/security.h
+++ b/server/security.h
@@ -39,7 +39,9 @@ extern const LUID SeManageVolumePrivilege;
 extern const LUID SeImpersonatePrivilege;
 extern const LUID SeCreateGlobalPrivilege;
+extern const PSID security_world_sid;
 extern const PSID security_interactive_sid;
+extern const PSID security_local_system_sid;
 /* token functions */
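Review bot: The ACE walk in `file_set_sd` takes `dacl->AceCount` and each `ace->AceSize` from the caller-supplied descriptor and never checks them against `sd->dacl_len`, so unless the request handler has already validated the descriptor before `set_sd` is reached, a malformed DACL can carry `ace_next()` and the `SidStart` reads past the buffer inside the server process; if such validation exists upstream, a comment naming it here would make the assumption visible. The rewritten loop head below keeps the walk inside the DACL; the `switch` should also get a `default: break;` so unknown ACE types are skipped explicitly, and a complete check would confirm the SID at `SidStart` fits within `AceSize`, which `security_equal_sid` otherwise reads through. Separately, the function reports success without applying anything when `unix_fd == -1` and when only OWNER_SECURITY_INFORMATION is requested (the early return on the DACL flag runs first and the fchown path is a FIXME), so callers cannot tell the change was dropped. `new_mode` also starts from the cached `file->mode` rather than a fresh `fstat()`, so the preserved setuid/setgid/sticky and group bits reflect whatever the last get_sd/set_sd saw and can revert an external chmod. `(char *)sd` in the DACL pointer computation casts away the parameter's `const`; `(const char *)sd` is what is meant.
```c
            const ACL *dacl = (const ACL *)((const char *)sd + sd->owner_len + sd->group_len + sd->sacl_len);
            const char *dacl_end = (const char *)dacl + sd->dacl_len;
            const ACE_HEADER *ace = (const ACE_HEADER *)(dacl + 1);
            ULONG i;
            for (i = 0; i < dacl->AceCount; i++)
            {
                /* AceCount and AceSize come from the client: keep the walk inside dacl_len */
                if ((const char *)ace + sizeof(*ace) > dacl_end ||
                    ace->AceSize < sizeof(*ace) ||
                    (size_t)(dacl_end - (const char *)ace) < ace->AceSize)
                {
                    set_error( STATUS_INVALID_SECURITY_DESCR );
                    return 0;
                }
                /* … unchanged: ACE type switch mapping the masks to mode bits … */
                ace = ace_next( ace );
            }
```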
@@ -54,6 +56,17 @@ extern const ACL *token_get_default_dacl( struct token *token );
 extern const SID *token_get_user( struct token *token );
 extern const SID *token_get_primary_group( struct token *token );
+static inline const ACE_HEADER *ace_next( const ACE_HEADER *ace )
+{
+ return (const ACE_HEADER *)((const char *)ace + ace->AceSize);
+}
+
+static inline int security_equal_sid( const SID *sid1, const SID *sid2 )
+{
+ return ((sid1->SubAuthorityCount == sid2->SubAuthorityCount) &&
+ !memcmp( sid1, sid2, FIELD_OFFSET(SID, SubAuthority[sid1->SubAuthorityCount]) ));
+}
+
 extern void security_set_thread_token( struct thread *thread, obj_handle_t handle );
 extern const SID *security_unix_uid_to_sid( uid_t uid );
 extern int check_object_access( struct object *obj, unsigned int *access );
diff --git a/server/token.c b/server/token.c
index 3a713e58567..bbb293a8799 100644
--- a/server/token.c
+++ b/server/token.c
@@ -70,11 +70,11 @@ static const SID interactive_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY },
 static const SID anonymous_logon_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_ANONYMOUS_LOGON_RID } };
 static const SID authenticated_user_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } };
 static const SID local_system_sid = { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } };
-static const PSID security_world_sid = (PSID)&world_sid;
+const PSID security_world_sid = (PSID)&world_sid;
 static const PSID security_local_sid = (PSID)&local_sid;
 const PSID security_interactive_sid = (PSID)&interactive_sid;
 static const PSID security_authenticated_user_sid = (PSID)&authenticated_user_sid;
-static const PSID security_local_system_sid = (PSID)&local_system_sid;
+const PSID security_local_system_sid = (PSID)&local_system_sid;
 static luid_t prev_luid_value = { 1000, 0 };
@@ -166,12 +166,6 @@ static SID *security_sid_alloc( const SID_IDENTIFIER_AUTHORITY *idauthority, int
 return sid;
 }
-static inline int security_equal_sid( const SID *sid1, const SID *sid2 )
-{
- return ((sid1->SubAuthorityCount == sid2->SubAuthorityCount) &&
- !memcmp( sid1, sid2, FIELD_OFFSET(SID, SubAuthority[sid1->SubAuthorityCount]) ));
-}
-
 void security_set_thread_token( struct thread *thread, obj_handle_t handle )
 {
 if (!handle)
@@ -195,11 +189,6 @@ void security_set_thread_token( struct thread *thread, obj_handle_t handle )
 }
 }
-static const ACE_HEADER *ace_next( const ACE_HEADER *ace )
-{
- return (const ACE_HEADER *)((const char *)ace + ace->AceSize);
-}
-
 const SID *security_unix_uid_to_sid( uid_t uid )
 {
 /* very simple mapping: either the current user or not the current user */
-- 
2.11.4.GIT
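Review bot: `ace_next()` now lives in a shared header and advances by the ACE's own `AceSize` with no bound, so every caller walking an ACL that arrived from a client must have checked that size first; the header should say so, e.g. `/* steps by ace->AceSize: the caller must already have verified the ACE lies within its ACL */` above the definition. `security_equal_sid()` likewise trusts `SubAuthorityCount` from both SIDs when sizing the `memcmp`, and a one-line comment stating that both SIDs must be validated or well-known would document that contract. Both helpers also rely on `memcmp` and `FIELD_OFFSET` being declared before security.h is included, which is worth noting if the header is meant to stand alone.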