summaryrefslogtreecommitdiffstats
path: root/src/windows/kfwlogon/kfwcommon.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/windows/kfwlogon/kfwcommon.c')
-rw-r--r--src/windows/kfwlogon/kfwcommon.c131
1 files changed, 127 insertions, 4 deletions
diff --git a/src/windows/kfwlogon/kfwcommon.c b/src/windows/kfwlogon/kfwcommon.c
index 251e1436b7..a4263c8382 100644
--- a/src/windows/kfwlogon/kfwcommon.c
+++ b/src/windows/kfwlogon/kfwcommon.c
@@ -24,6 +24,9 @@ SOFTWARE.
#include "kfwlogon.h"
#include <winbase.h>
+#include <Aclapi.h>
+#include <userenv.h>
+#include <Sddl.h>
#include <io.h>
#include <sys/stat.h>
@@ -758,6 +761,107 @@ KFW_get_cred( char * username,
return(code);
}
+int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
+{
+ // SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY;
+ PSID pSystemSID = NULL;
+ DWORD SystemSIDlength, UserSIDlength;
+ PACL ccacheACL = NULL;
+ DWORD ccacheACLlength;
+ PTOKEN_USER pTokenUser = NULL;
+ DWORD retLen;
+ int ret = 0;
+
+ /* Get System SID */
+ ConvertStringSidToSid(SDDL_LOCAL_SYSTEM, &pSystemSID);
+
+ /* Create ACL */
+ SystemSIDlength = GetLengthSid(pSystemSID);
+ ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE)
+ + SystemSIDlength - sizeof(DWORD);
+
+ if (hUserToken) {
+ if (!GetTokenInformation(hUserToken, TokenUser, NULL, 0, &retLen))
+ {
+ if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER ) {
+ pTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, retLen);
+
+ if (!GetTokenInformation(hUserToken, TokenUser, pTokenUser, retLen, &retLen))
+ {
+ DebugEvent("GetTokenInformation failed: GLE = %lX", GetLastError());
+ }
+ }
+ }
+
+ if (pTokenUser) {
+ UserSIDlength = GetLengthSid(pTokenUser->User.Sid);
+
+ ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength
+ - sizeof(DWORD);
+ }
+ }
+
+ ccacheACL = GlobalAlloc(GMEM_FIXED, ccacheACLlength);
+ InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION);
+ AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ pSystemSID);
+ if (pTokenUser) {
+ AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ pTokenUser->User.Sid);
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+ NULL,
+ NULL,
+ ccacheACL,
+ NULL)) {
+ DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", GetLastError());
+ ret = 1;
+ }
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION,
+ pTokenUser->User.Sid,
+ NULL,
+ NULL,
+ NULL)) {
+ DebugEvent("SetNamedSecurityInfo Owner failed: GLE = 0x%lX", GetLastError());
+ ret = 1;
+ }
+ } else {
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+ NULL,
+ NULL,
+ ccacheACL,
+ NULL)) {
+ DebugEvent("SetNamedSecurityInfo failed: GLE = 0x%lX", GetLastError());
+ ret = 1;
+ }
+ }
+
+ if (pSystemSID)
+ LocalFree(pSystemSID);
+ if (pTokenUser)
+ LocalFree(pTokenUser);
+ if (ccacheACL)
+ GlobalFree(ccacheACL);
+ return ret;
+}
+
+int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size)
+{
+ int retval = 0;
+ DWORD dwSize = size-1; /* leave room for nul */
+
+ *newfilename = '\0';
+
+ if ( !ExpandEnvironmentStringsForUser(hUserToken, "%TEMP%", newfilename, size) &&
+ !ExpandEnvironmentStringsForUser(hUserToken, "%TMP%", newfilename, size))
+ return 1;
+ return 0;
+}
+
void
KFW_copy_cache_to_system_file(char * user, char * szLogonId)
{
@@ -769,7 +873,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
krb5_principal princ = 0;
krb5_ccache cc = 0;
krb5_ccache ncc = 0;
-
+ PSECURITY_ATTRIBUTES pSA = NULL;
+
if (!pkrb5_init_context)
return;
@@ -789,6 +894,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
strcat(cachename, filename);
+ DebugEvent("KFW_Logon_Event - ccache %s", cachename);
+
DeleteFile(filename);
code = pkrb5_init_context(&ctx);
@@ -806,6 +913,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
code = pkrb5_cc_initialize(ctx, ncc, princ);
if (code) goto cleanup;
+ KFW_set_ccache_dacl(filename, NULL);
+
code = pkrb5_cc_copy_creds(ctx,cc,ncc);
cleanup:
@@ -827,7 +936,7 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
}
int
-KFW_copy_system_file_to_default_cache(char * filename)
+KFW_copy_file_cache_to_default_cache(char * filename)
{
char cachename[264] = "FILE:";
krb5_context ctx = 0;
@@ -849,17 +958,31 @@ KFW_copy_system_file_to_default_cache(char * filename)
if (code) ctx = 0;
code = pkrb5_cc_resolve(ctx, cachename, &cc);
- if (code) goto cleanup;
+ if (code) {
+ DebugEvent0("kfwcpcc krb5_cc_resolve failed");
+ goto cleanup;
+ }
code = pkrb5_cc_get_principal(ctx, cc, &princ);
- if (code) goto cleanup;
+ if (code) {
+ DebugEvent0("kfwcpcc krb5_cc_get_principal failed");
+ goto cleanup;
+ }
code = pkrb5_cc_default(ctx, &ncc);
+ if (code) {
+ DebugEvent0("kfwcpcc krb5_cc_default failed");
+ goto cleanup;
+ }
if (!code) {
code = pkrb5_cc_initialize(ctx, ncc, princ);
if (!code)
code = pkrb5_cc_copy_creds(ctx,cc,ncc);
+ if (code) {
+ DebugEvent0("kfwcpcc krb5_cc_copy_creds failed");
+ goto cleanup;
+ }
}
if ( ncc ) {
pkrb5_cc_close(ctx, ncc);
generated by cgit (git 2.34.1) at 2024-06-20 20:36:05 +0000