commit again without using patch to apply the diff

ticket: 4048 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@18382 dc483132-0cff-0310-8789-dd5450dbe970
author: Jeffrey Altman <jaltman@secure-endpoints.com> 2006-07-24 20:39:31 +0000
committer: Jeffrey Altman <jaltman@secure-endpoints.com> 2006-07-24 20:39:31 +0000
commit: 71cd4b378a8f310cc336231d8c4a1782c64d9e15 (patch)
tree: b976438e02c3a8e2be7fb1b6d155e1ff1761f168
parent: b22afa7d6b255ec294c6ff98fcd336a92bdc118c (diff)
download: krb5-71cd4b378a8f310cc336231d8c4a1782c64d9e15.tar.gz
krb5-71cd4b378a8f310cc336231d8c4a1782c64d9e15.tar.xz
krb5-71cd4b378a8f310cc336231d8c4a1782c64d9e15.zip
5 files changed, 206 insertions, 55 deletions
diff --git a/src/windows/kfwlogon/Makefile.in b/src/windows/kfwlogon/Makefile.in
index 0b3879c59..03fc6e7e4 100644
--- a/src/windows/kfwlogon/Makefile.in
+++ b/src/windows/kfwlogon/Makefile.in
@@ -1,37 +1,37 @@
-# Makefile for the KFW Network Provider
-#
-
-thisconfigdir=./..
-myfulldir=windows/nplogon
-mydir=.
-BUILDTOP=$(REL)..$(S)..
-DEFINES = 
-LOCALINCLUDES = -I$(BUILDTOP) -I$(PISMERE)\athena\util\loadfuncs \
-	-I$(PISMERE)\athena\auth\krb5\src\include\kerberosIV \
-	-I$(PISMERE)\athena\auth\krb4\include \
-	-I$(PISMERE)\athena\auth\leash\include
-PROG_LIBPATH=-L$(TOPLIBD) -L$(KRB5_LIBDIR)
-
-SYSLIBS = kernel32.lib user32.lib advapi32.lib wsock32.lib secur32.lib
-RFLAGS = $(LOCALINCLUDES)
-RCFLAGS = $(RFLAGS) -D_WIN32
-
-all-windows:: $(OUTPRE)kfwlogon.dll $(OUTPRE)kfwcpcc.exe
-
-$(OUTPRE)kfwlogon.res: kfwlogon.rc ..\version.rc
-
-$(OUTPRE)kfwcpcc.res: kfwcpcc.rc ..\version.rc
-
-$(OUTPRE)kfwlogon.dll: $(OUTPRE)kfwlogon.obj $(OUTPRE)kfwcommon.obj $(OUTPRE)kfwlogon.res
-    link $(DLL_LINKOPTS) -out:$@ $(OUTPRE)kfwlogon.obj $(OUTPRE)kfwcommon.obj -entry:DllEntryPoint -def:kfwlogon.def $(SYSLIBS) $(KLIB) $(CLIB) $(SCLIB)
-
-$(OUTPRE)kfwcpcc.exe: $(OUTPRE)kfwcpcc.obj $(OUTPRE)kfwcommon.obj $(OUTPRE)kfwcpcc.res
-    link $(EXE_LINKOPTS) -out:$@ $(OUTPRE)kfwcpcc.obj $(OUTPRE)kfwcommon.obj $(SYSLIBS) $(KLIB) $(CLIB) $(SCLIB)
-
-install::
-        copy $(OUTPRE)kfwlogon.dll $(DESTDIR)
-        copy $(OUTPRE)kfwcpcc.exe  $(DESTDIR)
-
-clean::
-        $(RM) $(OUTPRE)*.exe $(OUTPRE)*.dll $(OUTPRE)*.res
-
+# Makefile for the KFW Network Provider
+#
+
+thisconfigdir=./..
+myfulldir=windows/nplogon
+mydir=.
+BUILDTOP=$(REL)..$(S)..
+DEFINES = 
+LOCALINCLUDES = -I$(BUILDTOP) -I$(PISMERE)\athena\util\loadfuncs \
+	-I$(PISMERE)\athena\auth\krb5\src\include\kerberosIV \
+	-I$(PISMERE)\athena\auth\krb4\include \
+	-I$(PISMERE)\athena\auth\leash\include
+PROG_LIBPATH=-L$(TOPLIBD) -L$(KRB5_LIBDIR)
+
+SYSLIBS = kernel32.lib user32.lib advapi32.lib wsock32.lib secur32.lib userenv.lib
+RFLAGS = $(LOCALINCLUDES)
+RCFLAGS = $(RFLAGS) -D_WIN32
+
+all-windows:: $(OUTPRE)kfwlogon.dll $(OUTPRE)kfwcpcc.exe
+
+$(OUTPRE)kfwlogon.res: kfwlogon.rc ..\version.rc
+
+$(OUTPRE)kfwcpcc.res: kfwcpcc.rc ..\version.rc
+
+$(OUTPRE)kfwlogon.dll: $(OUTPRE)kfwlogon.obj $(OUTPRE)kfwcommon.obj $(OUTPRE)kfwlogon.res
+    link $(DLL_LINKOPTS) -out:$@ $(OUTPRE)kfwlogon.obj $(OUTPRE)kfwcommon.obj -entry:DllEntryPoint -def:kfwlogon.def $(SYSLIBS) $(KLIB) $(CLIB)
+
+$(OUTPRE)kfwcpcc.exe: $(OUTPRE)kfwcpcc.obj $(OUTPRE)kfwcommon.obj $(OUTPRE)kfwcpcc.res
+    link $(EXE_LINKOPTS) -out:$@ $(OUTPRE)kfwcpcc.obj $(OUTPRE)kfwcommon.obj $(SYSLIBS) $(KLIB) $(CLIB)
+
+install::
+        copy $(OUTPRE)kfwlogon.dll $(DESTDIR)
+        copy $(OUTPRE)kfwcpcc.exe  $(DESTDIR)
+
+clean::
+        $(RM) $(OUTPRE)*.exe $(OUTPRE)*.dll $(OUTPRE)*.res
+
diff --git a/src/windows/kfwlogon/kfwcommon.c b/src/windows/kfwlogon/kfwcommon.c
index 251e1436b..a4263c838 100644
--- a/src/windows/kfwlogon/kfwcommon.c
+++ b/src/windows/kfwlogon/kfwcommon.c
@@ -24,6 +24,9 @@ SOFTWARE.
 
 #include "kfwlogon.h"
 #include <winbase.h>
+#include <Aclapi.h>
+#include <userenv.h>
+#include <Sddl.h>
 
 #include <io.h>
 #include <sys/stat.h>
@@ -758,6 +761,107 @@ KFW_get_cred( char * username,
     return(code);
 }
 
+int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
+{
+    // SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY;
+    PSID pSystemSID = NULL;
+    DWORD SystemSIDlength, UserSIDlength;
+    PACL ccacheACL = NULL;
+    DWORD ccacheACLlength;
+    PTOKEN_USER pTokenUser = NULL;
+    DWORD retLen;
+    int ret = 0;  
+
+    /* Get System SID */
+    ConvertStringSidToSid(SDDL_LOCAL_SYSTEM, &pSystemSID);
+
+    /* Create ACL */
+    SystemSIDlength = GetLengthSid(pSystemSID);
+    ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE)
+        + SystemSIDlength - sizeof(DWORD);
+
+    if (hUserToken) {
+	if (!GetTokenInformation(hUserToken, TokenUser, NULL, 0, &retLen))
+	{
+	    if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER ) {
+		pTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, retLen);
+
+		if (!GetTokenInformation(hUserToken, TokenUser, pTokenUser, retLen, &retLen))
+		{
+		    DebugEvent("GetTokenInformation failed: GLE = %lX", GetLastError());
+		}
+	    }		 
+	}
+
+	if (pTokenUser) {
+	    UserSIDlength = GetLengthSid(pTokenUser->User.Sid);
+
+	    ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength 
+		- sizeof(DWORD);
+	}
+    }
+
+    ccacheACL = GlobalAlloc(GMEM_FIXED, ccacheACLlength);
+    InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION);
+    AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+                         STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+                         pSystemSID);
+    if (pTokenUser) {
+	AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+			     STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+			     pTokenUser->User.Sid);
+	if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+				   DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+				   NULL,
+				   NULL, 
+				   ccacheACL,
+				   NULL)) {
+	    DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", GetLastError());
+	    ret = 1;
+	}
+	if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+				   OWNER_SECURITY_INFORMATION,
+				   pTokenUser->User.Sid,
+				   NULL, 
+				   NULL,
+				   NULL)) {
+	    DebugEvent("SetNamedSecurityInfo Owner failed: GLE = 0x%lX", GetLastError());
+	    ret = 1;
+	}
+    } else {
+	if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+				   DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+				   NULL,
+				   NULL, 
+				   ccacheACL,
+				   NULL)) {
+	    DebugEvent("SetNamedSecurityInfo failed: GLE = 0x%lX", GetLastError());
+	    ret = 1;
+	}
+    }
+
+    if (pSystemSID)
+	LocalFree(pSystemSID);
+    if (pTokenUser)
+	LocalFree(pTokenUser);
+    if (ccacheACL)
+	GlobalFree(ccacheACL);
+    return ret;
+}
+
+int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size)
+{
+    int  retval = 0;
+    DWORD dwSize = size-1;	/* leave room for nul */
+
+    *newfilename = '\0';
+
+    if ( !ExpandEnvironmentStringsForUser(hUserToken, "%TEMP%", newfilename, size) &&
+	 !ExpandEnvironmentStringsForUser(hUserToken, "%TMP%", newfilename, size))
+	return 1;
+    return 0;
+}
+
 void
 KFW_copy_cache_to_system_file(char * user, char * szLogonId)
 {
@@ -769,7 +873,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
     krb5_principal              princ = 0;
     krb5_ccache			cc  = 0;
     krb5_ccache                 ncc = 0;
-
+    PSECURITY_ATTRIBUTES        pSA = NULL;
+    
     if (!pkrb5_init_context)
         return;
 
@@ -789,6 +894,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
 
     strcat(cachename, filename);
 
+    DebugEvent("KFW_Logon_Event - ccache %s", cachename);
+
     DeleteFile(filename);
 
     code = pkrb5_init_context(&ctx);
@@ -806,6 +913,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
     code = pkrb5_cc_initialize(ctx, ncc, princ);
     if (code) goto cleanup;
 
+    KFW_set_ccache_dacl(filename, NULL);
+
     code = pkrb5_cc_copy_creds(ctx,cc,ncc);
 
   cleanup:
@@ -827,7 +936,7 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
 }
 
 int
-KFW_copy_system_file_to_default_cache(char * filename)
+KFW_copy_file_cache_to_default_cache(char * filename)
 {
     char cachename[264] = "FILE:";
     krb5_context		ctx = 0;
@@ -849,17 +958,31 @@ KFW_copy_system_file_to_default_cache(char * filename)
     if (code) ctx = 0;
 
     code = pkrb5_cc_resolve(ctx, cachename, &cc);
-    if (code) goto cleanup;
+    if (code) {
+	DebugEvent0("kfwcpcc krb5_cc_resolve failed");
+	goto cleanup;
+    }
     
     code = pkrb5_cc_get_principal(ctx, cc, &princ);
-    if (code) goto cleanup;
+    if (code) {
+	DebugEvent0("kfwcpcc krb5_cc_get_principal failed");
+	goto cleanup;
+    }
 
     code = pkrb5_cc_default(ctx, &ncc);
+    if (code) {
+	DebugEvent0("kfwcpcc krb5_cc_default failed");
+	goto cleanup;
+    }
     if (!code) {
         code = pkrb5_cc_initialize(ctx, ncc, princ);
 
         if (!code)
             code = pkrb5_cc_copy_creds(ctx,cc,ncc);
+	if (code) {
+	    DebugEvent0("kfwcpcc krb5_cc_copy_creds failed");
+	    goto cleanup;
+	}
     }
     if ( ncc ) {
         pkrb5_cc_close(ctx, ncc);
diff --git a/src/windows/kfwlogon/kfwcpcc.c b/src/windows/kfwlogon/kfwcpcc.c
index 4dbace969..c3485c02d 100644
--- a/src/windows/kfwlogon/kfwcpcc.c
+++ b/src/windows/kfwlogon/kfwcpcc.c
@@ -33,7 +33,7 @@ int main(int argc, char *argv[])
 
     KFW_initialize();
 
-    return KFW_copy_system_file_to_default_cache(argv[1]);
+    return KFW_copy_file_cache_to_default_cache(argv[1]);
 }
 
 
diff --git a/src/windows/kfwlogon/kfwlogon.c b/src/windows/kfwlogon/kfwlogon.c
index eddf27341..e815f73e0 100644
--- a/src/windows/kfwlogon/kfwlogon.c
+++ b/src/windows/kfwlogon/kfwlogon.c
@@ -1,5 +1,5 @@
 /*
-Copyright 2005 by the Massachusetts Institute of Technology
+Copyright 2005,2006 by the Massachusetts Institute of Technology
 
 All rights reserved.
 
@@ -292,6 +292,7 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
     char szLogonId[128] = "";
     DWORD count;
     char filename[256];
+    char newfilename[256];
     char commandline[512];
     STARTUPINFO startupinfo;
     PROCESS_INFORMATION procinfo;
@@ -321,14 +322,36 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
         GetWindowsDirectory(filename, sizeof(filename));
     }
 
-    if ( strlen(filename) + strlen(szLogonId) + 2 <= sizeof(filename) ) {
-        strcat(filename, "\\");
-        strcat(filename, szLogonId);    
+    if ( strlen(filename) + strlen(szLogonId) + 2 > sizeof(filename) ) {
+        DebugEvent0("KFW_Logon_Event - filename too long");
+	return;
+    }
+
+    strcat(filename, "\\");
+    strcat(filename, szLogonId);    
 
-        sprintf(commandline, "kfwcpcc.exe \"%s\"", filename);
+    KFW_set_ccache_dacl(filename, pInfo->hToken);
 
-        GetStartupInfo(&startupinfo);
-        if (CreateProcessAsUser( pInfo->hToken,
+    KFW_obtain_user_temp_directory(pInfo->hToken, newfilename, sizeof(newfilename));
+
+    if ( strlen(newfilename) + strlen(szLogonId) + 2 > sizeof(newfilename) ) {
+        DebugEvent0("KFW_Logon_Event - new filename too long");
+	return;
+    }
+
+    strcat(newfilename, "\\");
+    strcat(newfilename, szLogonId);    
+
+    if (!MoveFileEx(filename, newfilename, 
+		     MOVEFILE_COPY_ALLOWED | MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH)) {
+        DebugEvent("KFW_Logon_Event - MoveFileEx failed GLE = 0x%x", GetLastError());
+	return;
+    }
+
+    sprintf(commandline, "kfwcpcc.exe \"%s\"", newfilename);
+
+    GetStartupInfo(&startupinfo);
+    if (CreateProcessAsUser( pInfo->hToken,
                              "kfwcpcc.exe",
                              commandline,
                              NULL,
@@ -339,12 +362,15 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
                              NULL,
                              &startupinfo,
                              &procinfo)) 
-        {
-            WaitForSingleObject(procinfo.hProcess, 30000);
+    {
+	DebugEvent("KFW_Logon_Event - CommandLine %s", commandline);
 
-            CloseHandle(procinfo.hThread);
-            CloseHandle(procinfo.hProcess);
-        }
+	WaitForSingleObject(procinfo.hProcess, 30000);
+
+	CloseHandle(procinfo.hThread);
+	CloseHandle(procinfo.hProcess);
+    } else {
+	DebugEvent0("KFW_Logon_Event - CreateProcessFailed");
     }
 
     DeleteFile(filename);
diff --git a/src/windows/kfwlogon/kfwlogon.h b/src/windows/kfwlogon/kfwlogon.h
index 34c8cc70c..d3fa6709d 100644
--- a/src/windows/kfwlogon/kfwlogon.h
+++ b/src/windows/kfwlogon/kfwlogon.h
@@ -1,6 +1,6 @@
 /*
 
-Copyright 2005 by the Massachusetts Institute of Technology
+Copyright 2005,2006 by the Massachusetts Institute of Technology
 
 All rights reserved.
 
@@ -194,6 +194,8 @@ int KFW_is_available(void);
 int KFW_get_cred( char * username, char * password, int lifetime, char ** reasonP );
 void KFW_copy_cache_to_system_file(char * user, char * szLogonId);
 int KFW_destroy_tickets_for_principal(char * user);
+int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken);
+int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size);
 
 #ifdef __cplusplus
 }
author	Jeffrey Altman <jaltman@secure-endpoints.com>	2006-07-24 20:39:31 +0000
committer	Jeffrey Altman <jaltman@secure-endpoints.com>	2006-07-24 20:39:31 +0000
commit	71cd4b378a8f310cc336231d8c4a1782c64d9e15 (patch)
tree	b976438e02c3a8e2be7fb1b6d155e1ff1761f168
parent	b22afa7d6b255ec294c6ff98fcd336a92bdc118c (diff)
download	krb5-71cd4b378a8f310cc336231d8c4a1782c64d9e15.tar.gz krb5-71cd4b378a8f310cc336231d8c4a1782c64d9e15.tar.xz krb5-71cd4b378a8f310cc336231d8c4a1782c64d9e15.zip