

ticket: 4048
version_fixed: 1.4.4

pull up r18382 from trunk

 r18382@cathode-dark-space:  jaltman | 2006-07-24 16:39:31 -0400
 ticket: 4048
 
     commit again without using patch to apply the diff
 
 



git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-4@18383 dc483132-0cff-0310-8789-dd5450dbe970
tlyu committed Jul 24, 2006
1 parent 7323b11 commit 05b0f31
Showing 5 changed files with 170 additions and 19 deletions.
2 changes: 1 addition & 1 deletion src/windows/kfwlogon/Makefile.in
@@ -12,7 +12,7 @@ LOCALINCLUDES = -I$(BUILDTOP) -I$(PISMERE)\athena\util\loadfuncs \
-I$(PISMERE)\athena\auth\leash\include
PROG_LIBPATH=-L$(TOPLIBD) -L$(KRB5_LIBDIR)

SYSLIBS = kernel32.lib user32.lib advapi32.lib wsock32.lib secur32.lib
SYSLIBS = kernel32.lib user32.lib advapi32.lib wsock32.lib secur32.lib userenv.lib
RFLAGS = $(LOCALINCLUDES)
RCFLAGS = $(RFLAGS) -D_WIN32

131 changes: 127 additions & 4 deletions src/windows/kfwlogon/kfwcommon.c
@@ -24,6 +24,9 @@ SOFTWARE.

#include "kfwlogon.h"
#include <winbase.h>
#include <Aclapi.h>
#include <userenv.h>
#include <Sddl.h>

#include <io.h>
#include <sys/stat.h>
@@ -758,6 +761,107 @@ KFW_get_cred( char * username,
return(code);
}

int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken)
{
// SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY;
PSID pSystemSID = NULL;
DWORD SystemSIDlength, UserSIDlength;
PACL ccacheACL = NULL;
DWORD ccacheACLlength;
PTOKEN_USER pTokenUser = NULL;
DWORD retLen;
int ret = 0;

/* Get System SID */
ConvertStringSidToSid(SDDL_LOCAL_SYSTEM, &pSystemSID);

/* Create ACL */
SystemSIDlength = GetLengthSid(pSystemSID);
ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE)
+ SystemSIDlength - sizeof(DWORD);

if (hUserToken) {
if (!GetTokenInformation(hUserToken, TokenUser, NULL, 0, &retLen))
{
if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER ) {
pTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, retLen);

if (!GetTokenInformation(hUserToken, TokenUser, pTokenUser, retLen, &retLen))
{
DebugEvent("GetTokenInformation failed: GLE = %lX", GetLastError());
}
}
}

if (pTokenUser) {
UserSIDlength = GetLengthSid(pTokenUser->User.Sid);

ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength
- sizeof(DWORD);
}
}

ccacheACL = GlobalAlloc(GMEM_FIXED, ccacheACLlength);
InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION);
AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
pSystemSID);
if (pTokenUser) {
AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
pTokenUser->User.Sid);
if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
NULL,
NULL,
ccacheACL,
NULL)) {
DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", GetLastError());
ret = 1;
}
if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
OWNER_SECURITY_INFORMATION,
pTokenUser->User.Sid,
NULL,
NULL,
NULL)) {
DebugEvent("SetNamedSecurityInfo Owner failed: GLE = 0x%lX", GetLastError());
ret = 1;
}
} else {
if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
NULL,
NULL,
ccacheACL,
NULL)) {
DebugEvent("SetNamedSecurityInfo failed: GLE = 0x%lX", GetLastError());
ret = 1;
}
}

if (pSystemSID)
LocalFree(pSystemSID);
if (pTokenUser)
LocalFree(pTokenUser);
if (ccacheACL)
GlobalFree(ccacheACL);
return ret;
}

int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size)
{
int retval = 0;
DWORD dwSize = size-1; /* leave room for nul */

*newfilename = '\0';

if ( !ExpandEnvironmentStringsForUser(hUserToken, "%TEMP%", newfilename, size) &&
!ExpandEnvironmentStringsForUser(hUserToken, "%TMP%", newfilename, size))
return 1;
return 0;
}

void
KFW_copy_cache_to_system_file(char * user, char * szLogonId)
{
@@ -769,7 +873,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
krb5_principal princ = 0;
krb5_ccache cc = 0;
krb5_ccache ncc = 0;

PSECURITY_ATTRIBUTES pSA = NULL;

if (!pkrb5_init_context)
return;

@@ -789,6 +894,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)

strcat(cachename, filename);

DebugEvent("KFW_Logon_Event - ccache %s", cachename);

DeleteFile(filename);

code = pkrb5_init_context(&ctx);
@@ -806,6 +913,8 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
code = pkrb5_cc_initialize(ctx, ncc, princ);
if (code) goto cleanup;

KFW_set_ccache_dacl(filename, NULL);

code = pkrb5_cc_copy_creds(ctx,cc,ncc);

cleanup:
@@ -827,7 +936,7 @@ KFW_copy_cache_to_system_file(char * user, char * szLogonId)
}

int
KFW_copy_system_file_to_default_cache(char * filename)
KFW_copy_file_cache_to_default_cache(char * filename)
{
char cachename[264] = "FILE:";
krb5_context ctx = 0;
@@ -849,17 +958,31 @@ KFW_copy_system_file_to_default_cache(char * filename)
if (code) ctx = 0;

code = pkrb5_cc_resolve(ctx, cachename, &cc);
if (code) goto cleanup;
if (code) {
DebugEvent0("kfwcpcc krb5_cc_resolve failed");
goto cleanup;
}

code = pkrb5_cc_get_principal(ctx, cc, &princ);
if (code) goto cleanup;
if (code) {
DebugEvent0("kfwcpcc krb5_cc_get_principal failed");
goto cleanup;
}

code = pkrb5_cc_default(ctx, &ncc);
if (code) {
DebugEvent0("kfwcpcc krb5_cc_default failed");
goto cleanup;
}
if (!code) {
code = pkrb5_cc_initialize(ctx, ncc, princ);

if (!code)
code = pkrb5_cc_copy_creds(ctx,cc,ncc);
if (code) {
DebugEvent0("kfwcpcc krb5_cc_copy_creds failed");
goto cleanup;
}
}
if ( ncc ) {
pkrb5_cc_close(ctx, ncc);
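Review bot: The three `if (!SetNamedSecurityInfo(...))` tests in KFW_set_ccache_dacl are inverted: SetNamedSecurityInfo returns ERROR_SUCCESS (0) on success and a nonzero Win32 error code on failure, so a failure to apply the protected DACL or the owner to the ccache file is silently treated as success, while a successful call is logged as a failure and sets `ret = 1`. Capture and test the return value instead, e.g. `DWORD rc = SetNamedSecurityInfo(...); if (rc != ERROR_SUCCESS) { DebugEvent("... = 0x%lX", rc); ret = 1; }`, since the error is the return value rather than GetLastError(). The function also uses the results of ConvertStringSidToSid, LocalAlloc and GlobalAlloc unchecked, and if the second GetTokenInformation call fails pTokenUser stays non-NULL over a zero-initialised (LPTR) buffer, so `pTokenUser->User.Sid` would be NULL when handed to GetLengthSid; each of these should fail the function before the ACL is built. The call added in KFW_copy_cache_to_system_file discards the return value, so a ccache left with its inherited DACL would go unnoticed there.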
2 changes: 1 addition & 1 deletion src/windows/kfwlogon/kfwcpcc.c
@@ -33,7 +33,7 @@ int main(int argc, char *argv[])

KFW_initialize();

return KFW_copy_system_file_to_default_cache(argv[1]);
return KFW_copy_file_cache_to_default_cache(argv[1]);
}


50 changes: 38 additions & 12 deletions src/windows/kfwlogon/kfwlogon.c
@@ -1,5 +1,5 @@
/*
Copyright 2005 by the Massachusetts Institute of Technology
Copyright 2005,2006 by the Massachusetts Institute of Technology
All rights reserved.
@@ -292,6 +292,7 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
char szLogonId[128] = "";
DWORD count;
char filename[256];
char newfilename[256];
char commandline[512];
STARTUPINFO startupinfo;
PROCESS_INFORMATION procinfo;
@@ -321,14 +322,36 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
GetWindowsDirectory(filename, sizeof(filename));
}

if ( strlen(filename) + strlen(szLogonId) + 2 <= sizeof(filename) ) {
strcat(filename, "\\");
strcat(filename, szLogonId);
if ( strlen(filename) + strlen(szLogonId) + 2 > sizeof(filename) ) {
DebugEvent0("KFW_Logon_Event - filename too long");
return;
}

strcat(filename, "\\");
strcat(filename, szLogonId);

sprintf(commandline, "kfwcpcc.exe \"%s\"", filename);
KFW_set_ccache_dacl(filename, pInfo->hToken);

GetStartupInfo(&startupinfo);
if (CreateProcessAsUser( pInfo->hToken,
KFW_obtain_user_temp_directory(pInfo->hToken, newfilename, sizeof(newfilename));

if ( strlen(newfilename) + strlen(szLogonId) + 2 > sizeof(newfilename) ) {
DebugEvent0("KFW_Logon_Event - new filename too long");
return;
}

strcat(newfilename, "\\");
strcat(newfilename, szLogonId);

if (!MoveFileEx(filename, newfilename,
MOVEFILE_COPY_ALLOWED | MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH)) {
DebugEvent("KFW_Logon_Event - MoveFileEx failed GLE = 0x%x", GetLastError());
return;
}

sprintf(commandline, "kfwcpcc.exe \"%s\"", newfilename);

GetStartupInfo(&startupinfo);
if (CreateProcessAsUser( pInfo->hToken,
"kfwcpcc.exe",
commandline,
NULL,
@@ -339,12 +362,15 @@ VOID KFW_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
NULL,
&startupinfo,
&procinfo))
{
WaitForSingleObject(procinfo.hProcess, 30000);
{
DebugEvent("KFW_Logon_Event - CommandLine %s", commandline);

CloseHandle(procinfo.hThread);
CloseHandle(procinfo.hProcess);
}
WaitForSingleObject(procinfo.hProcess, 30000);

CloseHandle(procinfo.hThread);
CloseHandle(procinfo.hProcess);
} else {
DebugEvent0("KFW_Logon_Event - CreateProcessFailed");
}

DeleteFile(filename);
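Review bot: The return value of `KFW_obtain_user_temp_directory(pInfo->hToken, newfilename, sizeof(newfilename))` is ignored in KFW_Logon_Event, so when neither %TEMP% nor %TMP% expands, newfilename is presumably still empty and the following strcat calls turn it into `\<LogonId>`, which MoveFileEx then uses as the destination for the credential cache. Check the result before building the path, e.g. `if (KFW_obtain_user_temp_directory(...)) { DebugEvent0("..."); DeleteFile(filename); return; }`. The new early `return`s for "new filename too long" and for the MoveFileEx failure also skip the `DeleteFile(filename)` at the end of this hunk, leaving the ccache behind in the system location; routing them through one cleanup path would avoid that. The move into the user's temp directory appears to run in the notification handler's own security context rather than the user's, so it is worth confirming that a pre-existing object at the destination path cannot redirect it. KFW_Logon_Event starts and ends outside the visible hunks.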
4 changes: 3 additions & 1 deletion src/windows/kfwlogon/kfwlogon.h
@@ -1,6 +1,6 @@
/*
Copyright 2005 by the Massachusetts Institute of Technology
Copyright 2005,2006 by the Massachusetts Institute of Technology
All rights reserved.
@@ -194,6 +194,8 @@ int KFW_is_available(void);
int KFW_get_cred( char * username, char * password, int lifetime, char ** reasonP );
void KFW_copy_cache_to_system_file(char * user, char * szLogonId);
int KFW_destroy_tickets_for_principal(char * user);
int KFW_set_ccache_dacl(char *filename, HANDLE hUserToken);
int KFW_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size);

#ifdef __cplusplus
}
