Mercurial > trustbridge
annotate common/util.c @ 648:e41a2537b84d
Implement root installation
We now iterate over all users that do not obviously have their
login shell disabled and look for NSS directories in their home
directory, dropping our privileges to do so.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Wed, 25 Jun 2014 12:44:47 +0200 |
| parents | c7a35fa302ec |
| children | 175370634226 |
| rev | line source |
|---|---|
| 404 | 1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik |
| 2 * Software engineering by Intevation GmbH | |
| 3 * | |
| 4 * This file is Free Software under the GNU GPL (v>=2) | |
| 5 * and comes with ABSOLUTELY NO WARRANTY! | |
| 6 * See LICENSE.txt for details. | |
| 7 */ | |
|
321
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
8 #include "util.h" |
|
505
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
9 #include "logging.h" |
|
644
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
10 #include "strhelp.h" |
|
505
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
11 |
|
323
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
12 #ifndef _WIN32 |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
13 #include <unistd.h> |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
14 #include <sys/types.h> |
|
644
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
15 #include <pwd.h> |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
16 #include <grp.h> |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
17 #include <string.h> |
|
323
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
18 #else |
|
321
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
19 #include <windows.h> |
|
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
20 #endif |
|
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
21 |
|
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
22 bool |
|
323
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
23 is_elevated() |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
24 { |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
25 bool ret = false; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
26 #ifndef _WIN32 |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
27 ret = (geteuid() == 0); |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
28 #else |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
29 HANDLE hToken = NULL; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
30 if (OpenProcessToken (GetCurrentProcess(), TOKEN_QUERY, &hToken)) |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
31 { |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
32 DWORD elevation; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
33 DWORD cbSize = sizeof (DWORD); |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
34 if (GetTokenInformation (hToken, TokenElevation, &elevation, |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
35 sizeof (TokenElevation), &cbSize)) |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
36 { |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
37 ret = elevation; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
38 } |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
39 } |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
40 if (hToken) |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
41 CloseHandle (hToken); |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
42 #endif |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
43 return ret; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
44 } |
|
505
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
45 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
46 bool is_admin() |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
47 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
48 #ifndef _WIN32 |
|
644
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
49 struct passwd *current_user = getpwuid (geteuid()); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
50 int ngroups = 0, |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
51 ret = 0, |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
52 i = 0; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
53 gid_t * groups = NULL; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
54 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
55 if (current_user == NULL) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
56 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
57 ERRORPRINTF ("Failed to obtain user information."); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
58 return false; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
59 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
60 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
61 ret = getgrouplist (current_user->pw_name, current_user->pw_gid, NULL, |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
62 &ngroups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
63 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
64 if (ret != -1 || ngroups <= 0) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
65 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
66 ERRORPRINTF ("Unknown error in getgrouplist call"); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
67 return false; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
68 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
69 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
70 groups = xmalloc (((unsigned int)ngroups) * sizeof (gid_t)); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
71 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
72 ret = getgrouplist (current_user->pw_name, current_user->pw_gid, groups, |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
73 &ngroups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
74 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
75 if (ret != ngroups) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
76 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
77 ERRORPRINTF ("Group length mismatch."); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
78 xfree (groups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
79 return false; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
80 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
81 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
82 for (i = 0; i < ngroups; i++) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
83 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
84 struct group *gr = getgrgid (groups[i]); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
85 if (gr == NULL) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
86 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
87 ERRORPRINTF ("Error in group enumeration"); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
88 xfree (groups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
89 return false; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
90 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
91 if (strcmp("sudo", gr->gr_name) == 0) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
92 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
93 DEBUGPRINTF ("User is in sudo group \n"); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
94 xfree (groups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
95 return true; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
96 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
97 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
98 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
99 DEBUGPRINTF ("User is not in sudo group"); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
100 |
|
505
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
101 return false; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
102 #else |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
103 bool retval = false; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
104 BOOL in_admin_group = FALSE; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
105 HANDLE hToken = NULL; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
106 HANDLE hTokenToCheck = NULL; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
107 DWORD cbSize = 0; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
108 TOKEN_ELEVATION_TYPE elevation; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
109 BYTE admin_id[SECURITY_MAX_SID_SIZE]; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
110 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
111 if (!OpenProcessToken(GetCurrentProcess(), |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
112 TOKEN_QUERY | TOKEN_DUPLICATE, &hToken)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
113 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
114 PRINTLASTERROR ("Failed to duplicate process token.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
115 return false; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
116 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
117 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
118 if (!GetTokenInformation(hToken, TokenElevationType, &elevation, |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
119 sizeof(elevation), &cbSize)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
120 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
121 PRINTLASTERROR ("Failed to get token information.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
122 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
123 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
124 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
125 /* If limited check the the linked token instead */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
126 if (TokenElevationTypeLimited == elevation) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
127 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
128 if (!GetTokenInformation(hToken, TokenLinkedToken, &hTokenToCheck, |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
129 sizeof(hTokenToCheck), &cbSize)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
130 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
131 PRINTLASTERROR ("Failed to get the linked token.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
132 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
133 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
134 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
135 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
136 if (!hTokenToCheck) /* The linked token is already of the correct type */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
137 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
138 if (!DuplicateToken(hToken, SecurityIdentification, &hTokenToCheck)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
139 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
140 PRINTLASTERROR ("Failed to duplicate token for identification.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
141 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
142 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
143 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
144 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
145 /* Do the sid dance for the adminSID */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
146 cbSize = sizeof(admin_id); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
147 if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &admin_id, |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
148 &cbSize)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
149 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
150 PRINTLASTERROR ("Failed to get admin sid.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
151 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
152 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
153 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
154 /* The actual check */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
155 if (!CheckTokenMembership(hTokenToCheck, &admin_id, &in_admin_group)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
156 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
157 PRINTLASTERROR ("Failed to check token membership.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
158 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
159 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
160 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
161 if (in_admin_group) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
162 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
163 /* Winbool to standard bool */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
164 retval = true; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
165 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
166 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
167 done: |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
168 if (hToken) CloseHandle(hToken); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
169 if (hTokenToCheck) CloseHandle(hTokenToCheck); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
170 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
171 return retval; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
172 #endif |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
173 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
174 |