mirror of https://github.com/BOINC/boinc.git
555 lines
16 KiB
C
555 lines
16 KiB
C
/*
|
|
Copyright (c) 1990-2007 Info-ZIP. All rights reserved.
|
|
|
|
See the accompanying file LICENSE, version 2000-Apr-09 or later
|
|
(the contents of which are also included in unzip.h) for terms of use.
|
|
If, for some reason, all these files are missing, the Info-ZIP license
|
|
also may be found at: ftp://ftp.info-zip.org/pub/infozip/license.html
|
|
*/
|
|
/*
|
|
|
|
Copyright (c) 1996 Scott Field (dedicated to Info-Zip group)
|
|
|
|
Module Name:
|
|
|
|
nt.c
|
|
|
|
Abstract:
|
|
|
|
This module implements WinNT security descriptor operations for the
|
|
Win32 Info-ZIP project. Operation such as setting file security,
|
|
using/querying local and remote privileges, and queuing of operations
|
|
is performed here. The contents of this module are only relevant
|
|
when the code is running on Windows NT, and the target volume supports
|
|
persistent Acl storage.
|
|
|
|
User privileges that allow accessing certain privileged aspects of the
|
|
security descriptor (such as the Sacl) are only used if the user specified
|
|
to do so.
|
|
|
|
Author:
|
|
|
|
Scott Field (sfield@microsoft.com)
|
|
|
|
Last revised: 18 Jan 97
|
|
|
|
*/
|
|
|
|
#define WIN32_LEAN_AND_MEAN
|
|
#define UNZIP_INTERNAL
|
|
#include "../unzip.h"
|
|
#include <windows.h>
|
|
#ifdef __RSXNT__
|
|
# include "../win32/rsxntwin.h"
|
|
#endif
|
|
#include "../win32/nt.h"
|
|
|
|
|
|
#ifdef NTSD_EAS /* This file is only needed for NTSD handling */
|
|
|
|
/* Borland C++ does not define FILE_SHARE_DELETE. Others also? */
|
|
#ifndef FILE_SHARE_DELETE
|
|
# define FILE_SHARE_DELETE 0x00000004
|
|
#endif
|
|
|
|
/* This macro definition is missing in old versions of MS' winbase.h. */
|
|
#ifndef InterlockedExchangePointer
|
|
# define InterlockedExchangePointer(Target, Value) \
|
|
(PVOID)InterlockedExchange((PLONG)(Target), (LONG)(Value))
|
|
#endif
|
|
|
|
|
|
/* private prototypes */
|
|
|
|
static BOOL Initialize(VOID);
|
|
static VOID GetRemotePrivilegesSet(CHAR *FileName, PDWORD dwRemotePrivileges);
|
|
static VOID InitLocalPrivileges(VOID);
|
|
|
|
|
|
volatile BOOL bInitialized = FALSE; /* module level stuff initialized? */
|
|
HANDLE hInitMutex = NULL; /* prevent multiple initialization */
|
|
|
|
BOOL g_bRestorePrivilege = FALSE; /* for local set file security override */
|
|
BOOL g_bSaclPrivilege = FALSE; /* for local set sacl operations, only when
|
|
restore privilege not present */
|
|
|
|
/* our single cached volume capabilities structure that describes the last
|
|
volume root we encountered. A single entry like this works well in the
|
|
zip/unzip scenario for a number of reasons:
|
|
1. typically one extraction path during unzip.
|
|
2. typically process one volume at a time during zip, and then move
|
|
on to the next.
|
|
3. no cleanup code required and no memory leaks.
|
|
4. simple code.
|
|
|
|
This approach should be reworked to a linked list approach if we expect to
|
|
be called by many threads which are processing a variety of input/output
|
|
volumes, since lock contention and stale data may become a bottleneck. */
|
|
|
|
VOLUMECAPS g_VolumeCaps;
|
|
CRITICAL_SECTION VolumeCapsLock;
|
|
|
|
|
|
static BOOL Initialize(VOID)
|
|
{
|
|
HANDLE hMutex;
|
|
HANDLE hOldMutex;
|
|
|
|
if (bInitialized) return TRUE;
|
|
|
|
hMutex = CreateMutex(NULL, TRUE, NULL);
|
|
if(hMutex == NULL) return FALSE;
|
|
|
|
hOldMutex = (HANDLE)InterlockedExchangePointer((void *)&hInitMutex,
|
|
hMutex);
|
|
|
|
if (hOldMutex != NULL) {
|
|
/* somebody setup the mutex already */
|
|
InterlockedExchangePointer((void *)&hInitMutex,
|
|
hOldMutex);
|
|
|
|
CloseHandle(hMutex); /* close new, un-needed mutex */
|
|
|
|
/* wait for initialization to complete and return status */
|
|
WaitForSingleObject(hOldMutex, INFINITE);
|
|
ReleaseMutex(hOldMutex);
|
|
|
|
return bInitialized;
|
|
}
|
|
|
|
if (!bInitialized) {
|
|
/* initialize module level resources */
|
|
|
|
InitializeCriticalSection( &VolumeCapsLock );
|
|
memset(&g_VolumeCaps, 0, sizeof(VOLUMECAPS));
|
|
|
|
InitLocalPrivileges();
|
|
|
|
bInitialized = TRUE;
|
|
}
|
|
|
|
InterlockedExchangePointer((void *)&hInitMutex,
|
|
NULL);
|
|
|
|
ReleaseMutex(hMutex); /* release correct mutex */
|
|
|
|
CloseHandle(hMutex); /* free the no longer needed handle resource */
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
BOOL ValidateSecurity(uch *securitydata)
|
|
{
|
|
PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)securitydata;
|
|
PACL pAcl;
|
|
PSID pSid;
|
|
BOOL bAclPresent;
|
|
BOOL bDefaulted;
|
|
|
|
if(!IsWinNT()) return TRUE; /* don't do anything if not on WinNT */
|
|
|
|
if(!IsValidSecurityDescriptor(sd)) return FALSE;
|
|
|
|
/* verify Dacl integrity */
|
|
|
|
if(!GetSecurityDescriptorDacl(sd, &bAclPresent, &pAcl, &bDefaulted))
|
|
return FALSE;
|
|
|
|
if(bAclPresent && pAcl!=NULL) {
|
|
if(!IsValidAcl(pAcl)) return FALSE;
|
|
}
|
|
|
|
/* verify Sacl integrity */
|
|
|
|
if(!GetSecurityDescriptorSacl(sd, &bAclPresent, &pAcl, &bDefaulted))
|
|
return FALSE;
|
|
|
|
if(bAclPresent && pAcl!=NULL) {
|
|
if(!IsValidAcl(pAcl)) return FALSE;
|
|
}
|
|
|
|
/* verify owner integrity */
|
|
|
|
if(!GetSecurityDescriptorOwner(sd, &pSid, &bDefaulted))
|
|
return FALSE;
|
|
|
|
if(pSid != NULL) {
|
|
if(!IsValidSid(pSid)) return FALSE;
|
|
}
|
|
|
|
/* verify group integrity */
|
|
|
|
if(!GetSecurityDescriptorGroup(sd, &pSid, &bDefaulted))
|
|
return FALSE;
|
|
|
|
if(pSid != NULL) {
|
|
if(!IsValidSid(pSid)) return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
static VOID GetRemotePrivilegesSet(char *FileName, PDWORD dwRemotePrivileges)
|
|
{
|
|
HANDLE hFile;
|
|
|
|
*dwRemotePrivileges = 0;
|
|
|
|
/* see if we have the SeRestorePrivilege */
|
|
|
|
hFile = CreateFileA(
|
|
FileName,
|
|
ACCESS_SYSTEM_SECURITY | WRITE_DAC | WRITE_OWNER | READ_CONTROL,
|
|
FILE_SHARE_READ | FILE_SHARE_DELETE, /* no sd updating allowed here */
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
FILE_FLAG_BACKUP_SEMANTICS,
|
|
NULL
|
|
);
|
|
|
|
if(hFile != INVALID_HANDLE_VALUE) {
|
|
/* no remote way to determine SeRestorePrivilege -- just try a
|
|
read/write to simulate it */
|
|
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION |
|
|
SACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION |
|
|
GROUP_SECURITY_INFORMATION;
|
|
PSECURITY_DESCRIPTOR sd;
|
|
DWORD cbBuf = 0;
|
|
|
|
GetKernelObjectSecurity(hFile, si, NULL, cbBuf, &cbBuf);
|
|
|
|
if(ERROR_INSUFFICIENT_BUFFER == GetLastError()) {
|
|
if((sd = HeapAlloc(GetProcessHeap(), 0, cbBuf)) != NULL) {
|
|
if(GetKernelObjectSecurity(hFile, si, sd, cbBuf, &cbBuf)) {
|
|
if(SetKernelObjectSecurity(hFile, si, sd))
|
|
*dwRemotePrivileges |= OVERRIDE_RESTORE;
|
|
}
|
|
HeapFree(GetProcessHeap(), 0, sd);
|
|
}
|
|
}
|
|
|
|
CloseHandle(hFile);
|
|
} else {
|
|
|
|
/* see if we have the SeSecurityPrivilege */
|
|
/* note we don't need this if we have SeRestorePrivilege */
|
|
|
|
hFile = CreateFileA(
|
|
FileName,
|
|
ACCESS_SYSTEM_SECURITY,
|
|
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, /* max */
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
0,
|
|
NULL
|
|
);
|
|
|
|
if(hFile != INVALID_HANDLE_VALUE) {
|
|
CloseHandle(hFile);
|
|
*dwRemotePrivileges |= OVERRIDE_SACL;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
BOOL GetVolumeCaps(
|
|
char *rootpath, /* filepath, or NULL */
|
|
char *name, /* filename associated with rootpath */
|
|
PVOLUMECAPS VolumeCaps /* result structure describing capabilities */
|
|
)
|
|
{
|
|
char TempRootPath[MAX_PATH + 1];
|
|
DWORD cchTempRootPath = 0;
|
|
BOOL bSuccess = TRUE; /* assume success until told otherwise */
|
|
|
|
if(!bInitialized) if(!Initialize()) return FALSE;
|
|
|
|
/* process the input path to produce a consistent path suitable for
|
|
compare operations and also suitable for certain picky Win32 API
|
|
that don't like forward slashes */
|
|
|
|
if(rootpath != NULL && rootpath[0] != '\0') {
|
|
DWORD i;
|
|
|
|
cchTempRootPath = lstrlenA(rootpath);
|
|
if(cchTempRootPath > MAX_PATH) return FALSE;
|
|
|
|
/* copy input, converting forward slashes to back slashes as we go */
|
|
|
|
for(i = 0 ; i <= cchTempRootPath ; i++) {
|
|
if(rootpath[i] == '/') TempRootPath[i] = '\\';
|
|
else TempRootPath[i] = rootpath[i];
|
|
}
|
|
|
|
/* check for UNC and Null terminate or append trailing \ as
|
|
appropriate */
|
|
|
|
/* possible valid UNCs we are passed follow:
|
|
\\machine\foo\bar (path is \\machine\foo\)
|
|
\\machine\foo (path is \\machine\foo\)
|
|
\\machine\foo\
|
|
\\.\c$\ (FIXFIX: Win32API doesn't like this - GetComputerName())
|
|
LATERLATER: handling mounted DFS drives in the future will require
|
|
slightly different logic which isn't available today.
|
|
This is required because directories can point at
|
|
different servers which have differing capabilities.
|
|
*/
|
|
|
|
if(TempRootPath[0] == '\\' && TempRootPath[1] == '\\') {
|
|
DWORD slash = 0;
|
|
|
|
for(i = 2 ; i < cchTempRootPath ; i++) {
|
|
if(TempRootPath[i] == '\\') {
|
|
slash++;
|
|
|
|
if(slash == 2) {
|
|
i++;
|
|
TempRootPath[i] = '\0';
|
|
cchTempRootPath = i;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
/* if there was only one slash found, just tack another onto the
|
|
end */
|
|
|
|
if(slash == 1 && TempRootPath[cchTempRootPath] != '\\') {
|
|
TempRootPath[cchTempRootPath] = TempRootPath[0]; /* '\\' */
|
|
TempRootPath[cchTempRootPath+1] = '\0';
|
|
cchTempRootPath++;
|
|
}
|
|
|
|
} else {
|
|
|
|
if(TempRootPath[1] == ':') {
|
|
|
|
/* drive letter specified, truncate to root */
|
|
TempRootPath[2] = '\\';
|
|
TempRootPath[3] = '\0';
|
|
cchTempRootPath = 3;
|
|
} else {
|
|
|
|
/* must be file on current drive */
|
|
TempRootPath[0] = '\0';
|
|
cchTempRootPath = 0;
|
|
}
|
|
|
|
}
|
|
|
|
} /* if path != NULL */
|
|
|
|
/* grab lock protecting cached entry */
|
|
EnterCriticalSection( &VolumeCapsLock );
|
|
|
|
if(!g_VolumeCaps.bValid ||
|
|
lstrcmpiA(g_VolumeCaps.RootPath, TempRootPath) != 0)
|
|
{
|
|
|
|
/* no match found, build up new entry */
|
|
|
|
DWORD dwFileSystemFlags;
|
|
DWORD dwRemotePrivileges = 0;
|
|
BOOL bRemote = FALSE;
|
|
|
|
/* release lock during expensive operations */
|
|
LeaveCriticalSection( &VolumeCapsLock );
|
|
|
|
bSuccess = GetVolumeInformationA(
|
|
(TempRootPath[0] == '\0') ? NULL : TempRootPath,
|
|
NULL, 0,
|
|
NULL, NULL,
|
|
&dwFileSystemFlags,
|
|
NULL, 0);
|
|
|
|
|
|
/* only if target volume supports Acls, and we were told to use
|
|
privileges do we need to go out and test for the remote case */
|
|
|
|
if(bSuccess && (dwFileSystemFlags & FS_PERSISTENT_ACLS) &&
|
|
VolumeCaps->bUsePrivileges)
|
|
{
|
|
if(GetDriveTypeA( (TempRootPath[0] == '\0') ? NULL : TempRootPath )
|
|
== DRIVE_REMOTE)
|
|
{
|
|
bRemote = TRUE;
|
|
|
|
/* make a determination about our remote capabilities */
|
|
|
|
GetRemotePrivilegesSet(name, &dwRemotePrivileges);
|
|
}
|
|
}
|
|
|
|
/* always take the lock again, since we release it below */
|
|
EnterCriticalSection( &VolumeCapsLock );
|
|
|
|
/* replace the existing data if successful */
|
|
if(bSuccess) {
|
|
|
|
lstrcpynA(g_VolumeCaps.RootPath, TempRootPath, cchTempRootPath+1);
|
|
g_VolumeCaps.dwFileSystemFlags = dwFileSystemFlags;
|
|
g_VolumeCaps.bRemote = bRemote;
|
|
g_VolumeCaps.dwRemotePrivileges = dwRemotePrivileges;
|
|
g_VolumeCaps.bValid = TRUE;
|
|
}
|
|
}
|
|
|
|
if(bSuccess) {
|
|
/* copy input elements */
|
|
g_VolumeCaps.bUsePrivileges = VolumeCaps->bUsePrivileges;
|
|
g_VolumeCaps.dwFileAttributes = VolumeCaps->dwFileAttributes;
|
|
|
|
/* give caller results */
|
|
memcpy(VolumeCaps, &g_VolumeCaps, sizeof(VOLUMECAPS));
|
|
} else {
|
|
g_VolumeCaps.bValid = FALSE;
|
|
}
|
|
|
|
LeaveCriticalSection( &VolumeCapsLock ); /* release lock */
|
|
|
|
return bSuccess;
|
|
}
|
|
|
|
|
|
BOOL SecuritySet(char *resource, PVOLUMECAPS VolumeCaps, uch *securitydata)
|
|
{
|
|
HANDLE hFile;
|
|
DWORD dwDesiredAccess = 0;
|
|
DWORD dwFlags = 0;
|
|
PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)securitydata;
|
|
SECURITY_DESCRIPTOR_CONTROL sdc;
|
|
SECURITY_INFORMATION RequestedInfo = 0;
|
|
DWORD dwRev;
|
|
BOOL bRestorePrivilege = FALSE;
|
|
BOOL bSaclPrivilege = FALSE;
|
|
BOOL bSuccess;
|
|
|
|
if(!bInitialized) if(!Initialize()) return FALSE;
|
|
|
|
/* defer directory processing */
|
|
|
|
if(VolumeCaps->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
|
|
/* opening a directory requires FILE_FLAG_BACKUP_SEMANTICS */
|
|
dwFlags |= FILE_FLAG_BACKUP_SEMANTICS;
|
|
}
|
|
|
|
/* evaluate the input security descriptor and act accordingly */
|
|
|
|
if(!IsValidSecurityDescriptor(sd))
|
|
return FALSE;
|
|
|
|
if(!GetSecurityDescriptorControl(sd, &sdc, &dwRev))
|
|
return FALSE;
|
|
|
|
/* setup privilege usage based on if told we can use privileges, and if so,
|
|
what privileges we have */
|
|
|
|
if(VolumeCaps->bUsePrivileges) {
|
|
if(VolumeCaps->bRemote) {
|
|
/* use remotely determined privileges */
|
|
if(VolumeCaps->dwRemotePrivileges & OVERRIDE_RESTORE)
|
|
bRestorePrivilege = TRUE;
|
|
|
|
if(VolumeCaps->dwRemotePrivileges & OVERRIDE_SACL)
|
|
bSaclPrivilege = TRUE;
|
|
|
|
} else {
|
|
/* use local privileges */
|
|
bRestorePrivilege = g_bRestorePrivilege;
|
|
bSaclPrivilege = g_bSaclPrivilege;
|
|
}
|
|
}
|
|
|
|
|
|
/* if a Dacl is present write Dacl out */
|
|
/* if we have SeRestorePrivilege, write owner and group info out */
|
|
|
|
if(sdc & SE_DACL_PRESENT) {
|
|
dwDesiredAccess |= WRITE_DAC;
|
|
RequestedInfo |= DACL_SECURITY_INFORMATION;
|
|
|
|
if(bRestorePrivilege) {
|
|
dwDesiredAccess |= WRITE_OWNER;
|
|
RequestedInfo |= (OWNER_SECURITY_INFORMATION |
|
|
GROUP_SECURITY_INFORMATION);
|
|
}
|
|
}
|
|
|
|
/* if a Sacl is present and we have either SeRestorePrivilege or
|
|
SeSystemSecurityPrivilege try to write Sacl out */
|
|
|
|
if((sdc & SE_SACL_PRESENT) && (bRestorePrivilege || bSaclPrivilege)) {
|
|
dwDesiredAccess |= ACCESS_SYSTEM_SECURITY;
|
|
RequestedInfo |= SACL_SECURITY_INFORMATION;
|
|
}
|
|
|
|
if(RequestedInfo == 0) /* nothing to do */
|
|
return FALSE;
|
|
|
|
if(bRestorePrivilege)
|
|
dwFlags |= FILE_FLAG_BACKUP_SEMANTICS;
|
|
|
|
hFile = CreateFileA(
|
|
resource,
|
|
dwDesiredAccess,
|
|
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,/* max sharing */
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
dwFlags,
|
|
NULL
|
|
);
|
|
|
|
if(hFile == INVALID_HANDLE_VALUE)
|
|
return FALSE;
|
|
|
|
bSuccess = SetKernelObjectSecurity(hFile, RequestedInfo, sd);
|
|
|
|
CloseHandle(hFile);
|
|
|
|
return bSuccess;
|
|
}
|
|
|
|
static VOID InitLocalPrivileges(VOID)
|
|
{
|
|
HANDLE hToken;
|
|
TOKEN_PRIVILEGES tp;
|
|
|
|
/* try to enable some interesting privileges that give us the ability
|
|
to get some security information that we normally cannot.
|
|
|
|
note that enabling privileges is only relevant on the local machine;
|
|
when accessing files that are on a remote machine, any privileges
|
|
that are present on the remote machine get enabled by default. */
|
|
|
|
if(!OpenProcessToken(GetCurrentProcess(),
|
|
TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
|
|
return;
|
|
|
|
tp.PrivilegeCount = 1;
|
|
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
|
|
|
if(LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &tp.Privileges[0].Luid)) {
|
|
|
|
/* try to enable SeRestorePrivilege; if this succeeds, we can write
|
|
all aspects of the security descriptor */
|
|
|
|
if(AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) &&
|
|
GetLastError() == ERROR_SUCCESS) g_bRestorePrivilege = TRUE;
|
|
|
|
}
|
|
|
|
/* try to enable SeSystemSecurityPrivilege, if SeRestorePrivilege not
|
|
present; if this succeeds, we can write the Sacl */
|
|
|
|
if(!g_bRestorePrivilege &&
|
|
LookupPrivilegeValue(NULL, SE_SECURITY_NAME, &tp.Privileges[0].Luid)) {
|
|
|
|
if(AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) &&
|
|
GetLastError() == ERROR_SUCCESS) g_bSaclPrivilege = TRUE;
|
|
}
|
|
|
|
CloseHandle(hToken);
|
|
}
|
|
#endif /* NTSD_EAS */
|