ole32.lib \
adsiid.lib \
activeds.lib \
- userenv.lib
+ user32.lib \
+ userenv.lib
$(LOGON_DLLFILE): $(LOGON_DLLOBJS) $(LOGON_DLLLIBS)
$(DLLGUILINK) $(LOGONLINKFLAGS) -def:afslogon.def $(LOGON_DLLSDKLIBS)
# afscpcc.exe
$(EXEDIR)\afscpcc.exe: $(OUT)\afscpcc.obj $(OUT)\afscpcc.res $(LOGON_DLLLIBS)
- $(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib
+ $(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib userenv.lib
$(_VC_MANIFEST_EMBED_EXE)
$(EXEPREP)
/*
- * Copyright 2005, Secure Endpoints Inc.
+ * Copyright 2005,2006 Secure Endpoints Inc.
* All Rights Reserved.
*
* This software has been released under the terms of the MIT License.
KFW_initialize();
- return KFW_AFS_copy_system_file_to_default_cache(argv[1]);
+ return KFW_AFS_copy_file_cache_to_default_cache(argv[1]);
}
/*
- * Copyright (c) 2003 SkyRope, LLC
+* Copyright (c) 2004, 2005, 2006 Secure Endpoints Inc.
+* Copyright (c) 2003 SkyRope, LLC
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
#define KRB5_DEFAULT_LIFE 60*60*10 /* 10 hours */
#define LSA_CCNAME "MSLSA:"
+#ifndef KTC_ERROR
#define KTC_ERROR 11862784L
#define KTC_TOOBIG 11862785L
#define KTC_INVAL 11862786L
#define KTC_NOPIOCTL 11862789L
#define KTC_NOCELL 11862790L
#define KTC_NOCM 11862791L
+#endif
/* User Query data structures and functions */
/*
- * Copyright (c) 2004, 2005 Secure Endpoints Inc.
+ * Copyright (c) 2004, 2005, 2006 Secure Endpoints Inc.
* Copyright (c) 2003 SkyRope, LLC
* All rights reserved.
*
#undef USE_KRB4
#include "afskfw-int.h"
#include "afskfw.h"
+#include <userenv.h>
+#include <Sddl.h>
+#include <Aclapi.h>
#include <osilog.h>
#include <afs/ptserver.h>
return success;
}
+int
+KFW_AFS_set_file_cache_dacl(char *filename, HANDLE hUserToken)
+{
+ // SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY;
+ PSID pSystemSID = NULL;
+ DWORD SystemSIDlength, UserSIDlength;
+ PACL ccacheACL = NULL;
+ DWORD ccacheACLlength;
+ PTOKEN_USER pTokenUser = NULL;
+ DWORD retLen;
+ int ret = 0;
+
+ /* Get System SID */
+ ConvertStringSidToSid(SDDL_LOCAL_SYSTEM, &pSystemSID);
+
+ /* Create ACL */
+ SystemSIDlength = GetLengthSid(pSystemSID);
+ ccacheACLlength = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE)
+ + SystemSIDlength - sizeof(DWORD);
+
+ if (hUserToken) {
+ if (!GetTokenInformation(hUserToken, TokenUser, NULL, 0, &retLen))
+ {
+ if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER ) {
+ pTokenUser = (PTOKEN_USER) LocalAlloc(LPTR, retLen);
+
+ GetTokenInformation(hUserToken, TokenUser, pTokenUser, retLen, &retLen);
+ }
+ }
+
+ if (pTokenUser) {
+ UserSIDlength = GetLengthSid(pTokenUser->User.Sid);
+
+ ccacheACLlength += sizeof(ACCESS_ALLOWED_ACE) + UserSIDlength
+ - sizeof(DWORD);
+ }
+ }
+
+ ccacheACL = GlobalAlloc(GMEM_FIXED, ccacheACLlength);
+ InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION);
+ AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ pSystemSID);
+ if (pTokenUser) {
+ AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ pTokenUser->User.Sid);
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+ NULL,
+ NULL,
+ ccacheACL,
+ NULL)) {
+ ret = 1;
+ }
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION,
+ pTokenUser->User.Sid,
+ NULL,
+ NULL,
+ NULL)) {
+ ret = 1;
+ }
+ } else {
+ if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,
+ DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
+ NULL,
+ NULL,
+ ccacheACL,
+ NULL)) {
+ ret = 1;
+ }
+ }
+
+ if (pSystemSID)
+ LocalFree(pSystemSID);
+ if (pTokenUser)
+ LocalFree(pTokenUser);
+ if (ccacheACL)
+ GlobalFree(ccacheACL);
+ return ret;
+}
+
+int
+KFW_AFS_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size)
+{
+ int retval = 0;
+ DWORD dwSize = size-1; /* leave room for nul */
+
+ *newfilename = '\0';
+
+ if ( !ExpandEnvironmentStringsForUser(hUserToken, "%TEMP%", newfilename, size) &&
+ !ExpandEnvironmentStringsForUser(hUserToken, "%TMP%", newfilename, size))
+ return 1;
+ return 0;
+}
+
void
KFW_AFS_copy_cache_to_system_file(char * user, char * szLogonId)
{
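Review bot: The three SetNamedSecurityInfo tests in KFW_AFS_set_file_cache_dacl are inverted — the call returns ERROR_SUCCESS (0) on success and a Win32 error code on failure, so `ret = 1` is recorded exactly when the DACL or owner was applied and 0 when it was not; each should read `if (SetNamedSecurityInfo(...) != ERROR_SUCCESS) ret = 1;`. The ConvertStringSidToSid, GlobalAlloc, InitializeAcl and AddAccessAllowedAceEx results are also unchecked: a failed SID conversion goes straight into GetLengthSid(NULL), and a failed GlobalAlloc hands a NULL pDacl to SetNamedSecurityInfo with DACL_SECURITY_INFORMATION set, which assigns a NULL DACL and grants everyone full access to a file that holds the user's credentials — the opposite of what the function exists to do. Bail out to a cleanup label with ret = 1 as soon as any of these fails, as sketched below. In KFW_AFS_obtain_user_temp_directory, `retval` and `dwSize` are declared but never used, and a TRUE return does not prove the variable existed (an undefined variable may come back as the literal `%TEMP%` text), so callers should check that the result is a real directory before building a path under it.
```c
int
KFW_AFS_set_file_cache_dacl(char *filename, HANDLE hUserToken)
{
    /* … unchanged: local declarations … */

    /* Get System SID */
    if (!ConvertStringSidToSid(SDDL_LOCAL_SYSTEM, &pSystemSID)) {
        ret = 1;
        goto cleanup;
    }

    /* … unchanged: ACL size computation and TokenUser lookup … */

    ccacheACL = GlobalAlloc(GMEM_FIXED, ccacheACLlength);
    if (!ccacheACL ||
        !InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION) ||
        !AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
                               STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
                               pSystemSID)) {
        ret = 1;
        goto cleanup;
    }
    if (pTokenUser &&
        !AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,
                               STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
                               pTokenUser->User.Sid)) {
        ret = 1;
        goto cleanup;
    }

    /* SetNamedSecurityInfo returns ERROR_SUCCESS (0) on success, an error code otherwise */
    if (SetNamedSecurityInfo(filename, SE_FILE_OBJECT,
                             DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
                             NULL, NULL, ccacheACL, NULL) != ERROR_SUCCESS)
        ret = 1;
    if (pTokenUser &&
        SetNamedSecurityInfo(filename, SE_FILE_OBJECT,
                             OWNER_SECURITY_INFORMATION,
                             pTokenUser->User.Sid, NULL, NULL, NULL) != ERROR_SUCCESS)
        ret = 1;

  cleanup:
    /* … unchanged: LocalFree/GlobalFree releases and return ret … */
}
```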
code = pkrb5_cc_initialize(ctx, ncc, princ);
if (code) goto cleanup;
+ KFW_AFS_set_file_cache_dacl(filename, NULL);
+
code = pkrb5_cc_copy_creds(ctx,cc,ncc);
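Review bot: The result of the new KFW_AFS_set_file_cache_dacl call is discarded, so when tightening the DACL fails the tickets are still copied into a file that keeps whatever ACL the directory gave it, while every krb5 step around it jumps to cleanup on error. Treat it the same way: `if (KFW_AFS_set_file_cache_dacl(filename, NULL)) goto cleanup;` (setting code to a non-zero value first if cleanup reports it to the caller). The ordering itself is the right one — the ACL is applied after krb5_cc_initialize creates the file and before krb5_cc_copy_creds writes the credentials — and is worth a one-line comment such as `/* restrict the file before any tickets are written to it */` so a later reordering does not silently widen exposure. KFW_AFS_copy_cache_to_system_file begins and ends outside the hunk.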
cleanup:
}
int
-KFW_AFS_copy_system_file_to_default_cache(char * filename)
+KFW_AFS_copy_file_cache_to_default_cache(char * filename)
{
char cachename[264] = "FILE:";
krb5_context ctx = 0;
/*
- * Copyright (c) 2003 SkyRope, LLC
+* Copyright (c) 2004, 2005, 2006 Secure Endpoints Inc.
+* Copyright (c) 2003 SkyRope, LLC
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
int KFW_AFS_get_cellconfig(char *, struct afsconf_cell *, char *);
void KFW_import_windows_lsa(void);
BOOL KFW_AFS_get_lsa_principal(char *, DWORD *);
+int KFW_AFS_set_file_cache_dacl(char *filename, HANDLE hUserToken);
+int KFW_AFS_obtain_user_temp_directory(HANDLE hUserToken, char *newfilename, int size);
+int KFW_AFS_copy_file_cache_to_default_cache(char * filename);
+
/* These functions are only to be used in the afslogon.dll */
void KFW_AFS_copy_cache_to_system_file(char *, char *);
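Review bot: The three new prototypes say nothing about their contracts, and the two int-returning ones do not share an obvious convention, so a caller cannot tell from the header whether 0 means success or what a NULL token does. Add a comment above each, e.g. `/* Restrict filename's DACL to SYSTEM plus the user of hUserToken (NULL: SYSTEM only); returns 0 on success, non-zero on failure */` and `/* Expand %TEMP% (or %TMP%) from hUserToken's environment into newfilename (size chars); returns 0 on success, non-zero if neither expands */`, and a one-liner on KFW_AFS_copy_file_cache_to_default_cache stating that filename is a FILE: credential cache to import.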
char szPath[MAX_PATH] = "";
char szLogonId[128] = "";
DWORD count;
- char filename[256];
- char commandline[512];
+ char filename[MAX_PATH];
+ char newfilename[MAX_PATH];
+ char commandline[MAX_PATH+256];
STARTUPINFO startupinfo;
PROCESS_INFORMATION procinfo;
GetWindowsDirectory(filename, sizeof(filename));
}
- if ( strlen(filename) + strlen(szLogonId) + 2 <= sizeof(filename) ) {
- strcat(filename, "\\");
- strcat(filename, szLogonId);
+ count = GetEnvironmentVariable("TEMP", filename, sizeof(filename));
+ if ( count > sizeof(filename) || count == 0 ) {
+ GetWindowsDirectory(filename, sizeof(filename));
+ }
+
+ if ( strlen(filename) + strlen(szLogonId) + 2 > sizeof(filename) ) {
+ DebugEvent0("KFW_Logon_Event - filename too long");
+ return;
+ }
+
+ strcat(filename, "\\");
+ strcat(filename, szLogonId);
+
+ KFW_AFS_set_file_cache_dacl(filename, pInfo->hToken);
- sprintf(commandline, "afscpcc.exe \"%s\"", filename);
+ KFW_AFS_obtain_user_temp_directory(pInfo->hToken, newfilename, sizeof(newfilename));
+
+ if ( strlen(newfilename) + strlen(szLogonId) + 2 > sizeof(newfilename) ) {
+ DebugEvent0("KFW_Logon_Event - new filename too long");
+ return;
+ }
- GetStartupInfo(&startupinfo);
- if (CreateProcessAsUser( pInfo->hToken,
+ strcat(newfilename, "\\");
+ strcat(newfilename, szLogonId);
+
+ if (!MoveFileEx(filename, newfilename,
+ MOVEFILE_COPY_ALLOWED | MOVEFILE_REPLACE_EXISTING | MOVEFILE_WRITE_THROUGH)) {
+ DebugEvent("KFW_Logon_Event - MoveFileEx failed GLE = 0x%x", GetLastError());
+ return;
+ }
+
+ sprintf(commandline, "afscpcc.exe \"%s\"", newfilename);
+
+ GetStartupInfo(&startupinfo);
+ if (CreateProcessAsUser( pInfo->hToken,
"afscpcc.exe",
commandline,
NULL,
NULL,
&startupinfo,
&procinfo))
- {
- WaitForSingleObject(procinfo.hProcess, 30000);
+ {
+ DebugEvent("KFW_Logon_Event - CommandLine %s", commandline);
- CloseHandle(procinfo.hThread);
- CloseHandle(procinfo.hProcess);
- }
+ WaitForSingleObject(procinfo.hProcess, 30000);
+
+ CloseHandle(procinfo.hThread);
+ CloseHandle(procinfo.hProcess);
+ } else {
+ DebugEvent0("KFW_Logon_Event - CreateProcessFailed");
}
DeleteFile(filename);
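Review bot: After a successful MoveFileEx the `DeleteFile(filename)` on the hunk's last line names the source path that no longer exists, so the credential cache now lives on in the user's TEMP directory after afscpcc.exe has consumed it — unless afscpcc.exe removes it itself, which the diff does not show, that line should become `DeleteFile(newfilename);`, and the early returns after the second length check and the failed MoveFileEx should delete `filename` first for the same reason. The return of KFW_AFS_obtain_user_temp_directory is ignored, so on failure newfilename is empty and the move target becomes `\<logonid>` at the root of the current drive; check it and return (after deleting the cache) when it is non-zero. The GetEnvironmentVariable check is off by one: a return equal to sizeof(filename) also means the buffer was too small and its contents are undefined, so the test should be `if ( count >= sizeof(filename) || count == 0 )`. The destination is a path the user controls, written with MOVEFILE_REPLACE_EXISTING from the privileged logon context, and with MOVEFILE_COPY_ALLOWED a cross-volume move creates a fresh file that, as far as I know, takes the destination directory's inherited ACL rather than the one set by KFW_AFS_set_file_cache_dacl, so re-applying the DACL to newfilename after the move is the safer course. KFW_Logon_Event begins and ends outside the hunk.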
psa = GlobalAlloc(GMEM_FIXED, sizeof(SECURITY_ATTRIBUTES));
psa->nLength = sizeof(SECURITY_ATTRIBUTES);
psa->lpSecurityDescriptor = psd;
- psa->bInheritHandle = TRUE;
+ psa->bInheritHandle = FALSE;
return psa;
}
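Review bot: The switch to `psa->bInheritHandle = FALSE` deserves a comment, since the previous TRUE silently let any child process created with these attributes inherit the handle and nothing at the assignment says why that changed; add `/* FALSE: never hand this handle down to child processes */` above it. The enclosing function begins outside the hunk.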
VCLIBS =\
comctl32.lib \
- shell32.lib
+ shell32.lib \
+ userenv.lib
EXELIBS = \
$(DESTDIR)\lib\afsauthent.lib \
$(OUT)\RegistrySupport.obj
VCLIBS =\
- iphlpapi.lib \
+ iphlpapi.lib \
comctl32.lib \
shell32.lib \
uuid.lib \
ole32.lib \
mpr.lib \
- netapi32.lib
+ userenv.lib \
+ netapi32.lib
EXELIBS = \
$(DESTDIR)\lib\afs\afspioctl.lib \