Mercurial > trustbridge > trustbridge
view common/util.c @ 644:c7a35fa302ec
Check sudo group membership if user to determine if he can elevate privileges
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Tue, 24 Jun 2014 18:10:10 +0200 |
| parents | 78959fd970b0 |
| children | 175370634226 |
line wrap: on
line source
/* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik * Software engineering by Intevation GmbH * * This file is Free Software under the GNU GPL (v>=2) * and comes with ABSOLUTELY NO WARRANTY! * See LICENSE.txt for details. */ #include "util.h" #include "logging.h" #include "strhelp.h" #ifndef _WIN32 #include <unistd.h> #include <sys/types.h> #include <pwd.h> #include <grp.h> #include <string.h> #else #include <windows.h> #endif bool is_elevated() { bool ret = false; #ifndef _WIN32 ret = (geteuid() == 0); #else HANDLE hToken = NULL; if (OpenProcessToken (GetCurrentProcess(), TOKEN_QUERY, &hToken)) { DWORD elevation; DWORD cbSize = sizeof (DWORD); if (GetTokenInformation (hToken, TokenElevation, &elevation, sizeof (TokenElevation), &cbSize)) { ret = elevation; } } if (hToken) CloseHandle (hToken); #endif return ret; } bool is_admin() { #ifndef _WIN32 struct passwd *current_user = getpwuid (geteuid()); int ngroups = 0, ret = 0, i = 0; gid_t * groups = NULL; if (current_user == NULL) { ERRORPRINTF ("Failed to obtain user information."); return false; } ret = getgrouplist (current_user->pw_name, current_user->pw_gid, NULL, &ngroups); if (ret != -1 || ngroups <= 0) { ERRORPRINTF ("Unknown error in getgrouplist call"); return false; } groups = xmalloc (((unsigned int)ngroups) * sizeof (gid_t)); ret = getgrouplist (current_user->pw_name, current_user->pw_gid, groups, &ngroups); if (ret != ngroups) { ERRORPRINTF ("Group length mismatch."); xfree (groups); return false; } for (i = 0; i < ngroups; i++) { struct group *gr = getgrgid (groups[i]); if (gr == NULL) { ERRORPRINTF ("Error in group enumeration"); xfree (groups); return false; } if (strcmp("sudo", gr->gr_name) == 0) { DEBUGPRINTF ("User is in sudo group \n"); xfree (groups); return true; } } DEBUGPRINTF ("User is not in sudo group"); return false; #else bool retval = false; BOOL in_admin_group = FALSE; HANDLE hToken = NULL; HANDLE hTokenToCheck = NULL; DWORD cbSize = 0; TOKEN_ELEVATION_TYPE elevation; BYTE admin_id[SECURITY_MAX_SID_SIZE]; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY | TOKEN_DUPLICATE, &hToken)) { PRINTLASTERROR ("Failed to duplicate process token.\n"); return false; } if (!GetTokenInformation(hToken, TokenElevationType, &elevation, sizeof(elevation), &cbSize)) { PRINTLASTERROR ("Failed to get token information.\n"); goto done; } /* If limited check the the linked token instead */ if (TokenElevationTypeLimited == elevation) { if (!GetTokenInformation(hToken, TokenLinkedToken, &hTokenToCheck, sizeof(hTokenToCheck), &cbSize)) { PRINTLASTERROR ("Failed to get the linked token.\n"); goto done; } } if (!hTokenToCheck) /* The linked token is already of the correct type */ { if (!DuplicateToken(hToken, SecurityIdentification, &hTokenToCheck)) { PRINTLASTERROR ("Failed to duplicate token for identification.\n"); goto done; } } /* Do the sid dance for the adminSID */ cbSize = sizeof(admin_id); if (!CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, &admin_id, &cbSize)) { PRINTLASTERROR ("Failed to get admin sid.\n"); goto done; } /* The actual check */ if (!CheckTokenMembership(hTokenToCheck, &admin_id, &in_admin_group)) { PRINTLASTERROR ("Failed to check token membership.\n"); goto done; } if (in_admin_group) { /* Winbool to standard bool */ retval = true; } done: if (hToken) CloseHandle(hToken); if (hTokenToCheck) CloseHandle(hTokenToCheck); return retval; #endif }