Windows Integrated Login Fixes for KFW 3.1

KFW integrated login was failing when the user is not a power user or administrator. This was occurring because the temporary file ccache was being created in a directory the user could not read. While fixing this it was noticed that the ACLs on the ccache were too broad. Instead of applying a fix to the FILE: krb5_ccache implementation it was decided that simply applying a new set of ACLs (SYSTEM and "user" with no inheritance) to the file immediately after the krb5_cc_initialize() call would close the broadest security issues. The file is initially created in the SYSTEM %TEMP% directory with "SYSTEM" ACL only. Then it is moved to the user's %TEMP% directory with "SYSTEM" and "user" ACLs. Finally, after copying the credentials to the API: ccache, the file is deleted. ticket: new tags: pullup component: windows git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18379 dc483132-0cff-0310-8789-dd5450dbe970
author: Jeffrey Altman <jaltman@secure-endpoints.com> 2006-07-24 06:58:23 +0000
committer: Jeffrey Altman <jaltman@secure-endpoints.com> 2006-07-24 06:58:23 +0000
commit: e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7 (patch)
tree: 3a4bf8fe2592b2737b9891e9f4b9c3feb38c7d79 /src/windows/kfwlogon/kfwcommon.c
parent: dedcfc188f4f9a30f136d4fe145b5bc545d220b9 (diff)
download: krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.tar.gz
krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.tar.xz
krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.zip
1 files changed, 127 insertions, 4 deletions
diff --git a/src/windows/kfwlogon/kfwcommon.c b/src/windows/kfwlogon/kfwcommon.c
index 251e1436b7..a4263c8382 100644
--- a/src/windows/kfwlogon/kfwcommon.c
+++ b/src/windows/kfwlogon/kfwcommon.c
@@ -24,6 +24,9 @@ SOFTWARE.
 
 #include "kfwlogon.h"
 #include <winbase.h>
+#include <Aclapi.h>
+#include <userenv.h>
+#include <Sddl.h>
 
 #include <io.h>
 #include <sys/stat.h>
@@ -758,6 +761,107 @@ KFW_get_cred( char * username,
     return(code);
 }
 
+int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
+{
+    // SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY;
+    PSID pSystemSID = NULL;
+    DWORD SystemSIDlength, UserSIDlength;
+    PACL ccacheACL = NULL;
+    DWORD ccacheACLlength;
+    PTOKEN_USER pTokenUser = NULL;
+    DWORD retLen;
+    int ret = 0;  
+
+    /* Get System SID */
+    ConvertStringSidToSid(SDDL_LOCAL_SYSTEM, &pSystemSID);
+
+    /* Create ACL */
+    SystemSIDlength = GetLengthSid(pSystemSID);
+    ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE)
+        + SystemSIDlength - sizeof(DWORD);
+
+    if (hUserToken) {
+	if (!GetTokenInformation(hUserToken, TokenUser, NULL, 0, &retLen))
+	{
+	    if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER ) {
+		pTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, retLen);
+
+		if (!GetTokenInformation(hUserToken, TokenUser, pTokenUser, retLen, &retLen))
+		{
+		    DebugEvent("GetTokenInformation failed: GLE = %lX", GetLastError());
+		}
+	    }		 
+	}
+
+	if (pTokenUser) {
+	    UserSIDlength = GetLengthSid(pTokenUser->User.Sid);
+
+	    ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength 
+		- sizeof(DWORD);
+	}
+    }
+
+    ccacheACL = GlobalAlloc(GMEM_FIXED, ccacheACLlength);
+    InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION);
+    AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+                         STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+                         pSystemSID);
+    if (pTokenUser) {
+	AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+			     STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+			     pTokenUser->User.Sid);
+	if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+				   DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+				   NULL,
+				   NULL, 
+				   ccacheACL,
+				   NULL)) {
+	    DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", GetLastError());
+	    ret = 1;
+	}
+	if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+				   OWNER_SECURITY_INFORMATION,
+				   pTokenUser->User.Sid,
+				   NULL, 
+				   NULL,
+				   NULL)) {
+	    DebugEvent("SetNamedSecurityInfo Owner failed: GLE = 0x%lX", GetLastError());
+	    ret = 1;
+	}
+    } else {
+	if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+				   DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+				   NULL,
+				   NULL, 
+				   ccacheACL,
+				   NULL)) {
+	    DebugEvent("SetNamedSecurityInfo failed: GLE = 0x%lX", GetLastError());
+	    ret = 1;
+	}
+    }
+
+    if (pSystemSID)
+	LocalFree(pSystemSID);
+    if (pTokenUser)
+	LocalFree(pTokenUser);
+    if (ccacheACL)
+	GlobalFree(ccacheACL);
+    return ret;
+}
+
+int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size)
+{
+    int  retval = 0;
+    DWORD dwSize = size-1;	/* leave room for nul */
+
+    *newfilename = '\0';
+
+    if ( !ExpandEnvironmentStringsForUser(hUserToken, "%TEMP%", newfilename, size) &&
+	 !ExpandEnvironmentStringsForUser(hUserToken, "%TMP%", newfilename, size))
+	return 1;
+    return 0;
+}
+
 void
 KFW_copy_cache_to_system_file(char * user, char * szLogonId)
 {
@@ -769,7 +873,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
     krb5_principal              princ = 0;
     krb5_ccache			cc  = 0;
     krb5_ccache                 ncc = 0;
-
+    PSECURITY_ATTRIBUTES        pSA = NULL;
+    
     if (!pkrb5_init_context)
         return;
 
@@ -789,6 +894,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
 
     strcat(cachename, filename);
 
+    DebugEvent("KFW_Logon_Event - ccache %s", cachename);
+
     DeleteFile(filename);
 
     code = pkrb5_init_context(&ctx);
@@ -806,6 +913,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
     code = pkrb5_cc_initialize(ctx, ncc, princ);
     if (code) goto cleanup;
 
+    KFW_set_ccache_dacl(filename, NULL);
+
     code = pkrb5_cc_copy_creds(ctx,cc,ncc);
 
   cleanup:
@@ -827,7 +936,7 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
 }
 
 int
-KFW_copy_system_file_to_default_cache(char * filename)
+KFW_copy_file_cache_to_default_cache(char * filename)
 {
     char cachename[264] = "FILE:";
     krb5_context		ctx = 0;
@@ -849,17 +958,31 @@ KFW_copy_system_file_to_default_cache(char * filename)
     if (code) ctx = 0;
 
     code = pkrb5_cc_resolve(ctx, cachename, &cc);
-    if (code) goto cleanup;
+    if (code) {
+	DebugEvent0("kfwcpcc krb5_cc_resolve failed");
+	goto cleanup;
+    }
     
     code = pkrb5_cc_get_principal(ctx, cc, &princ);
-    if (code) goto cleanup;
+    if (code) {
+	DebugEvent0("kfwcpcc krb5_cc_get_principal failed");
+	goto cleanup;
+    }
 
     code = pkrb5_cc_default(ctx, &ncc);
+    if (code) {
+	DebugEvent0("kfwcpcc krb5_cc_default failed");
+	goto cleanup;
+    }
     if (!code) {
         code = pkrb5_cc_initialize(ctx, ncc, princ);
 
         if (!code)
             code = pkrb5_cc_copy_creds(ctx,cc,ncc);
+	if (code) {
+	    DebugEvent0("kfwcpcc krb5_cc_copy_creds failed");
+	    goto cleanup;
+	}
     }
     if ( ncc ) {
         pkrb5_cc_close(ctx, ncc);
author	Jeffrey Altman <jaltman@secure-endpoints.com>	2006-07-24 06:58:23 +0000
committer	Jeffrey Altman <jaltman@secure-endpoints.com>	2006-07-24 06:58:23 +0000
commit	e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7 (patch)
tree	3a4bf8fe2592b2737b9891e9f4b9c3feb38c7d79 /src/windows/kfwlogon/kfwcommon.c
parent	dedcfc188f4f9a30f136d4fe145b5bc545d220b9 (diff)
download	krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.tar.gz krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.tar.xz krb5-e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7.zip