Mercurial > trustbridge > trustbridge
annotate common/util.c @ 671:d4766b4922c9
Fix linux build
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Fri, 27 Jun 2014 11:01:14 +0200 |
| parents | 175370634226 |
| children | 4ad764bfb39c |
| rev | line source |
|---|---|
| 404 | 1 /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik |
| 2 * Software engineering by Intevation GmbH | |
| 3 * | |
| 4 * This file is Free Software under the GNU GPL (v>=2) | |
| 5 * and comes with ABSOLUTELY NO WARRANTY! | |
| 6 * See LICENSE.txt for details. | |
| 7 */ | |
|
321
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
8 #include "util.h" |
|
505
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
9 #include "logging.h" |
|
644
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
10 #include "strhelp.h" |
|
505
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
11 |
|
323
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
12 #ifndef _WIN32 |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
13 #include <unistd.h> |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
14 #include <sys/types.h> |
|
644
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
15 #include <pwd.h> |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
16 #include <grp.h> |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
17 #include <string.h> |
|
323
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
18 #else |
|
321
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
19 #include <windows.h> |
|
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
20 #endif |
|
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
21 |
|
671
d4766b4922c9
Fix linux build
Andre Heinecke <andre.heinecke@intevation.de>
parents:
670
diff
changeset
|
22 #ifdef WIN32 |
|
670
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
23 static PSID |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
24 copy_sid(PSID from) |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
25 { |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
26 if (!from) |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
27 { |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
28 return 0; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
29 } |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
30 |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
31 DWORD sidLength = GetLengthSid(from); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
32 PSID to = (PSID) xmalloc(sidLength); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
33 CopySid(sidLength, to, from); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
34 return to; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
35 } |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
36 |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
37 |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
38 PSID |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
39 get_process_owner(HANDLE hProcess) |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
40 { |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
41 HANDLE hToken = NULL; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
42 PSID sid; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
43 |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
44 if (hProcess == NULL) |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
45 { |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
46 ERRORPRINTF ("invalid call to get_process_owner"); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
47 return NULL; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
48 } |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
49 |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
50 OpenProcessToken(hProcess, TOKEN_READ, &hToken); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
51 if (hToken) |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
52 { |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
53 DWORD size = 0; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
54 PTOKEN_USER userStruct; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
55 |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
56 // check how much space is needed |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
57 GetTokenInformation(hToken, TokenUser, NULL, 0, &size); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
58 if (ERROR_INSUFFICIENT_BUFFER == GetLastError()) |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
59 { |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
60 userStruct = (PTOKEN_USER) xmalloc (size); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
61 GetTokenInformation(hToken, TokenUser, userStruct, size, &size); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
62 |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
63 sid = copy_sid(userStruct->User.Sid); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
64 CloseHandle(hToken); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
65 xfree (userStruct); |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
66 return sid; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
67 } |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
68 } |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
69 return NULL; |
|
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
70 } |
|
671
d4766b4922c9
Fix linux build
Andre Heinecke <andre.heinecke@intevation.de>
parents:
670
diff
changeset
|
71 #endif |
|
670
175370634226
Move getProcessOwner to util and use it to skip the current user in locate other hives
Andre Heinecke <andre.heinecke@intevation.de>
parents:
644
diff
changeset
|
72 |
|
321
824ef90a6721
Move is_elevated into common/util.c file for better reuse
Andre Heinecke <aheinecke@intevation.de>
parents:
diff
changeset
|
73 bool |
|
323
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
74 is_elevated() |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
75 { |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
76 bool ret = false; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
77 #ifndef _WIN32 |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
78 ret = (geteuid() == 0); |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
79 #else |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
80 HANDLE hToken = NULL; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
81 if (OpenProcessToken (GetCurrentProcess(), TOKEN_QUERY, &hToken)) |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
82 { |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
83 DWORD elevation; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
84 DWORD cbSize = sizeof (DWORD); |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
85 if (GetTokenInformation (hToken, TokenElevation, &elevation, |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
86 sizeof (TokenElevation), &cbSize)) |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
87 { |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
88 ret = elevation; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
89 } |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
90 } |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
91 if (hToken) |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
92 CloseHandle (hToken); |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
93 #endif |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
94 return ret; |
|
31ba7ed4d50f
Made is_elevated portable.
Sascha Wilde <wilde@intevation.de>
parents:
321
diff
changeset
|
95 } |
|
505
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
96 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
97 bool is_admin() |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
98 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
99 #ifndef _WIN32 |
|
644
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
100 struct passwd *current_user = getpwuid (geteuid()); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
101 int ngroups = 0, |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
102 ret = 0, |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
103 i = 0; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
104 gid_t * groups = NULL; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
105 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
106 if (current_user == NULL) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
107 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
108 ERRORPRINTF ("Failed to obtain user information."); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
109 return false; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
110 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
111 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
112 ret = getgrouplist (current_user->pw_name, current_user->pw_gid, NULL, |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
113 &ngroups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
114 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
115 if (ret != -1 || ngroups <= 0) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
116 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
117 ERRORPRINTF ("Unknown error in getgrouplist call"); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
118 return false; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
119 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
120 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
121 groups = xmalloc (((unsigned int)ngroups) * sizeof (gid_t)); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
122 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
123 ret = getgrouplist (current_user->pw_name, current_user->pw_gid, groups, |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
124 &ngroups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
125 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
126 if (ret != ngroups) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
127 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
128 ERRORPRINTF ("Group length mismatch."); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
129 xfree (groups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
130 return false; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
131 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
132 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
133 for (i = 0; i < ngroups; i++) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
134 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
135 struct group *gr = getgrgid (groups[i]); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
136 if (gr == NULL) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
137 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
138 ERRORPRINTF ("Error in group enumeration"); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
139 xfree (groups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
140 return false; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
141 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
142 if (strcmp("sudo", gr->gr_name) == 0) |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
143 { |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
144 DEBUGPRINTF ("User is in sudo group \n"); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
145 xfree (groups); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
146 return true; |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
147 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
148 } |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
149 |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
150 DEBUGPRINTF ("User is not in sudo group"); |
|
c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
Andre Heinecke <andre.heinecke@intevation.de>
parents:
505
diff
changeset
|
151 |
|
505
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
152 return false; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
153 #else |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
154 bool retval = false; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
155 BOOL in_admin_group = FALSE; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
156 HANDLE hToken = NULL; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
157 HANDLE hTokenToCheck = NULL; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
158 DWORD cbSize = 0; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
159 TOKEN_ELEVATION_TYPE elevation; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
160 BYTE admin_id[SECURITY_MAX_SID_SIZE]; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
161 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
162 if (!OpenProcessToken(GetCurrentProcess(), |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
163 TOKEN_QUERY | TOKEN_DUPLICATE, &hToken)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
164 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
165 PRINTLASTERROR ("Failed to duplicate process token.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
166 return false; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
167 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
168 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
169 if (!GetTokenInformation(hToken, TokenElevationType, &elevation, |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
170 sizeof(elevation), &cbSize)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
171 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
172 PRINTLASTERROR ("Failed to get token information.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
173 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
174 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
175 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
176 /* If limited check the the linked token instead */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
177 if (TokenElevationTypeLimited == elevation) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
178 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
179 if (!GetTokenInformation(hToken, TokenLinkedToken, &hTokenToCheck, |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
180 sizeof(hTokenToCheck), &cbSize)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
181 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
182 PRINTLASTERROR ("Failed to get the linked token.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
183 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
184 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
185 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
186 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
187 if (!hTokenToCheck) /* The linked token is already of the correct type */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
188 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
189 if (!DuplicateToken(hToken, SecurityIdentification, &hTokenToCheck)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
190 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
191 PRINTLASTERROR ("Failed to duplicate token for identification.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
192 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
193 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
194 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
195 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
196 /* Do the sid dance for the adminSID */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
197 cbSize = sizeof(admin_id); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
198 if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &admin_id, |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
199 &cbSize)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
200 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
201 PRINTLASTERROR ("Failed to get admin sid.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
202 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
203 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
204 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
205 /* The actual check */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
206 if (!CheckTokenMembership(hTokenToCheck, &admin_id, &in_admin_group)) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
207 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
208 PRINTLASTERROR ("Failed to check token membership.\n"); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
209 goto done; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
210 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
211 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
212 if (in_admin_group) |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
213 { |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
214 /* Winbool to standard bool */ |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
215 retval = true; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
216 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
217 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
218 done: |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
219 if (hToken) CloseHandle(hToken); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
220 if (hTokenToCheck) CloseHandle(hTokenToCheck); |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
221 |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
222 return retval; |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
223 #endif |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
224 } |
|
78959fd970b0
Add is_admin and implement it for windows
Andre Heinecke <aheinecke@intevation.de>
parents:
404
diff
changeset
|
225 |