From e3aa436cc8b1eab7ef67f15ec17aa4bf8310dca7 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Mon, 24 Jul 2006 06:58:23 +0000 Subject: Windows Integrated Login Fixes for KFW 3.1 KFW integrated login was failing when the user is not a power user or administrator. This was occurring because the temporary file ccache was being created in a directory the user could not read. While fixing this it was noticed that the ACLs on the ccache were too broad. Instead of applying a fix to the FILE: krb5_ccache implementation it was decided that simply applying a new set of ACLs (SYSTEM and "user" with no inheritance) to the file immediately after the krb5_cc_initialize() call would close the broadest security issues. The file is initially created in the SYSTEM %TEMP% directory with "SYSTEM" ACL only. Then it is moved to the user's %TEMP% directory with "SYSTEM" and "user" ACLs. Finally, after copying the credentials to the API: ccache, the file is deleted. ticket: new tags: pullup component: windows git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18379 dc483132-0cff-0310-8789-dd5450dbe970 --- src/windows/kfwlogon/kfwcommon.c | 131 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 127 insertions(+), 4 deletions(-) (limited to 'src/windows/kfwlogon/kfwcommon.c') diff --git a/src/windows/kfwlogon/kfwcommon.c b/src/windows/kfwlogon/kfwcommon.c index 251e1436b7..a4263c8382 100644 --- a/src/windows/kfwlogon/kfwcommon.c +++ b/src/windows/kfwlogon/kfwcommon.c @@ -24,6 +24,9 @@ SOFTWARE. #include "kfwlogon.h" #include +#include +#include +#include #include #include @@ -758,6 +761,107 @@ KFW_get_cred( char * username, return(code); } +int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken) +{ + // SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY; + PSID pSystemSID = NULL; + DWORD SystemSIDlength, UserSIDlength; + PACL ccacheACL = NULL; + DWORD ccacheACLlength; + PTOKEN_USER pTokenUser = NULL; + DWORD retLen; + int ret = 0; + + /* Get System SID */ + ConvertStringSidToSid(SDDL_LOCAL_SYSTEM, &pSystemSID); + + /* Create ACL */ + SystemSIDlength = GetLengthSid(pSystemSID); + ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + + SystemSIDlength - sizeof(DWORD); + + if (hUserToken) { + if (!GetTokenInformation(hUserToken, TokenUser, NULL, 0, &retLen)) + { + if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER ) { + pTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, retLen); + + if (!GetTokenInformation(hUserToken, TokenUser, pTokenUser, retLen, &retLen)) + { + DebugEvent("GetTokenInformation failed: GLE = %lX", GetLastError()); + } + } + } + + if (pTokenUser) { + UserSIDlength = GetLengthSid(pTokenUser->User.Sid); + + ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength + - sizeof(DWORD); + } + } + + ccacheACL = GlobalAlloc(GMEM_FIXED, ccacheACLlength); + InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION); + AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0, + STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, + pSystemSID); + if (pTokenUser) { + AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0, + STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, + pTokenUser->User.Sid); + if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT, + DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, + NULL, + NULL, + ccacheACL, + NULL)) { + DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", GetLastError()); + ret = 1; + } + if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT, + OWNER_SECURITY_INFORMATION, + pTokenUser->User.Sid, + NULL, + NULL, + NULL)) { + DebugEvent("SetNamedSecurityInfo Owner failed: GLE = 0x%lX", GetLastError()); + ret = 1; + } + } else { + if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT, + DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION, + NULL, + NULL, + ccacheACL, + NULL)) { + DebugEvent("SetNamedSecurityInfo failed: GLE = 0x%lX", GetLastError()); + ret = 1; + } + } + + if (pSystemSID) + LocalFree(pSystemSID); + if (pTokenUser) + LocalFree(pTokenUser); + if (ccacheACL) + GlobalFree(ccacheACL); + return ret; +} + +int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size) +{ + int retval = 0; + DWORD dwSize = size-1; /* leave room for nul */ + + *newfilename = '\0'; + + if ( !ExpandEnvironmentStringsForUser(hUserToken, "%TEMP%", newfilename, size) && + !ExpandEnvironmentStringsForUser(hUserToken, "%TMP%", newfilename, size)) + return 1; + return 0; +} + void KFW_copy_cache_to_system_file(char * user, char * szLogonId) { @@ -769,7 +873,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId) krb5_principal princ = 0; krb5_ccache cc = 0; krb5_ccache ncc = 0; - + PSECURITY_ATTRIBUTES pSA = NULL; + if (!pkrb5_init_context) return; @@ -789,6 +894,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId) strcat(cachename, filename); + DebugEvent("KFW_Logon_Event - ccache %s", cachename); + DeleteFile(filename); code = pkrb5_init_context(&ctx); @@ -806,6 +913,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId) code = pkrb5_cc_initialize(ctx, ncc, princ); if (code) goto cleanup; + KFW_set_ccache_dacl(filename, NULL); + code = pkrb5_cc_copy_creds(ctx,cc,ncc); cleanup: @@ -827,7 +936,7 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId) } int -KFW_copy_system_file_to_default_cache(char * filename) +KFW_copy_file_cache_to_default_cache(char * filename) { char cachename[264] = "FILE:"; krb5_context ctx = 0; @@ -849,17 +958,31 @@ KFW_copy_system_file_to_default_cache(char * filename) if (code) ctx = 0; code = pkrb5_cc_resolve(ctx, cachename, &cc); - if (code) goto cleanup; + if (code) { + DebugEvent0("kfwcpcc krb5_cc_resolve failed"); + goto cleanup; + } code = pkrb5_cc_get_principal(ctx, cc, &princ); - if (code) goto cleanup; + if (code) { + DebugEvent0("kfwcpcc krb5_cc_get_principal failed"); + goto cleanup; + } code = pkrb5_cc_default(ctx, &ncc); + if (code) { + DebugEvent0("kfwcpcc krb5_cc_default failed"); + goto cleanup; + } if (!code) { code = pkrb5_cc_initialize(ctx, ncc, princ); if (!code) code = pkrb5_cc_copy_creds(ctx,cc,ncc); + if (code) { + DebugEvent0("kfwcpcc krb5_cc_copy_creds failed"); + goto cleanup; + } } if ( ncc ) { pkrb5_cc_close(ctx, ncc); -- cgit