aheinecke@404: /* Copyright (C) 2014 by Bundesamt für Sicherheit in der Informationstechnik aheinecke@404: * Software engineering by Intevation GmbH aheinecke@404: * aheinecke@404: * This file is Free Software under the GNU GPL (v>=2) aheinecke@404: * and comes with ABSOLUTELY NO WARRANTY! aheinecke@404: * See LICENSE.txt for details. aheinecke@404: */ aheinecke@321: #ifndef COMMON_UTIL_H aheinecke@321: #define COMMON_UTIL_H aheinecke@321: /* @file util.h aheinecke@321: * @brief The usual useful stuff that fit nowhere else aheinecke@321: */ aheinecke@321: #include aheinecke@321: andre@670: #ifdef WIN32 andre@670: #include andre@670: #include andre@670: #endif andre@670: aheinecke@505: #ifdef __cplusplus aheinecke@505: extern "C" { aheinecke@505: #endif aheinecke@505: andre@841: #ifndef WIN32 andre@841: /**@def Some value to use as equivalent as MAX_PATH on windows */ andre@841: #define MAX_PATH_LINUX 4000 andre@841: #endif andre@841: aheinecke@321: /**@brief Check if the current process is running with elevated privileges. aheinecke@321: * aheinecke@321: * Elevates the current process token to check if it is marked as elevated. wilde@323: * Uses TokenElevation on windows and checks effective UID on Linux. aheinecke@321: * aheinecke@321: * @returns true if the current process is elevated.*/ aheinecke@321: bool is_elevated(); wilde@323: andre@841: /**@brief Check if the Software is installed system wide andre@841: * andre@841: * On Windows this checks if a registry key under HKLM exists for andre@841: * trustbridge and that the installation path mentioned there matches andre@841: * the current module path. andre@841: * andre@841: * On linux this looks for the installation configuration in /etc andre@841: * and checks if the current process is inside the installation prefix. andre@841: * emanuel@1053: * The checked path is limited to MAX_PATH on Windows and \@MAX_PATH_LINUX on andre@841: * Linux. andre@841: */ andre@841: bool is_system_install(); andre@841: aheinecke@505: /**@brief Check if the user is in the administrators group. aheinecke@505: * aheinecke@505: * The function checks if the account that startet this process aheinecke@505: * belongs to a user that is a member of the Administrators group. aheinecke@505: * aheinecke@505: * @returns True if the user is in the admin group. False otherwise or on error. aheinecke@505: */ aheinecke@505: bool is_admin(); aheinecke@505: andre@841: /**@brief Get the directory in which the current process resides in andre@841: * andre@841: * Look up the directory in which the current process is placed. andre@841: * If the path is longer then MAX_PATH NULL is returned. andre@841: * andre@841: * Returns a utf-8 encoded string that has to be freed by the caller andre@841: * on linux the path is returned as is including the last /. andre@841: * andre@841: * @returns The directory of the current process andre@841: */ andre@841: char * get_install_dir(); andre@841: andre@1332: #ifndef WIN32 andre@1332: /**@brief Get the directory in which the process proc resides in andre@1332: * andre@1332: * Look up the directory in which the process proc is placed. andre@1332: * If the path is longer then MAX_PATH NULL is returned. andre@1332: * andre@1332: * Returns a utf-8 encoded string that has to be freed by the caller andre@1332: * on linux the path is returned as is including the last /. andre@1332: * andre@1332: * @param[in] A process id or special name from the proc file system. andre@1332: * andre@1332: * @returns The directory of the process andre@1332: */ andre@1332: char * get_proc_install_dir(const char *proc); andre@1332: #endif andre@1332: andre@670: #ifdef WIN32 andre@670: /**@brief Get a copy of the processes owner sid andre@670: * andre@670: * Copy the SID of the owner of the process hProcess. andre@670: * andre@670: * The returned sid structure has to be freed with free by the caller andre@670: * andre@670: * @param[in] hProcess A handle to the process whose user should be obtained. andre@670: * The process must have the PROCESS_QUERY_INFORMATION access permission. andre@670: * andre@670: * @returns A copy of the process owners sid or NULL on error. andre@670: */ andre@670: PSID get_process_owner(HANDLE hProcess); andre@675: andre@841: /**@brief Read (and expand if necessary) a registry string. andre@675: * andre@841: * Reads a registry string and calls ExpandEnvironmentString andre@841: * if necessary on it. Returns a newly allocated string array andre@841: * with the expanded registry value converted to UTF-8 andre@675: * andre@841: * Caller has to free return value with free. andre@841: * andre@841: * @param [in] root the root key (e.g. HKEY_LOCAL_MACHINE) andre@841: * @param [in] key the key andre@841: * @param [in] name the name of the value to read. andre@841: * andre@841: * @returns the expanded, null terminated utf-8 string of the value. andre@841: * or NULL on error. andre@675: */ andre@841: char * read_registry_string (const HKEY root, const wchar_t *key, andre@841: const wchar_t *name); andre@983: andre@983: /**@brief Get the utf-8 encoded path to the program files folder. andre@983: * andre@983: * Uses SHGetKnownFolderPath to look up the ProgramFiles folder. andre@983: * @returns a newly allocated string containing the value or NULL on andre@983: * error. andre@983: */ andre@983: char * get_program_files_folder (); andre@983: andre@983: /**@brief Get the path to the program data folder. andre@983: * andre@983: * Uses SHGetKnownFolderPath to look up the ProgramData folder. andre@983: * The return value should be freed with CoTaskMemFree andre@983: * @returns a reference containing the value or NULL on error. andre@983: */ andre@983: wchar_t * get_program_data_folder (); andre@983: andre@983: /**@brief Create a directory with restricted access rights andre@983: * andre@983: * This creates a security attributes structure that restricts andre@983: * write access to the Administrators group but allows everyone to read files andre@983: * in that directory. andre@983: * Basically a very complicated version of mkdir path -m 644 andre@983: * andre@1208: * If the directory exists and propagate_acl is set the permissions andre@1208: * of that directory are overwritten with the DACL that would have andre@1208: * been used to create the directory. andre@983: * andre@983: * Code based on msdn example: andre@983: * http://msdn.microsoft.com/en-us/library/windows/desktop/aa446595%28v=vs.85%29.aspx andre@983: * andre@983: * @param[in] path Path of the directory to create andre@1070: * @param[in] propagate_acl weather or not objects should inherit andre@1070: * the ACL of this directory. andre@1208: * @param[out] rACL optional pointer to an PACL pointer that should be andre@1208: * the returned value. If rACL is not NULL the caller needs to free the andre@1208: * returned pointer with LocalFree. andre@983: * andre@983: * @returns true on success of if the directory exists, false on error andre@983: */ andre@1208: bool create_restricted_directory (LPWSTR path, bool propagate_acl, PACL *rACL); andre@983: andre@1208: /**@brief Check the integrity level of the token andre@1029: * andre@1030: * Returns true if the token has at least SECURITY_MANADTORY_HIGH_RID or andre@1030: * higher. andre@1029: * andre@1029: * @param[in] hToken the Token to check andre@1029: * andre@1030: * @returns true if the token has at least high integrity. False on error andre@1030: * or otherwise. andre@1029: */ andre@1029: bool has_high_integrity(HANDLE hToken); andre@1029: andre@1010: /** @brief get a restricted access token to execute nss process andre@1010: * andre@1010: * This function uses the Software Restriction API to obtain the andre@1010: * access token for a process run als normal user. andre@1010: * andre@1010: * @returns A restricted handle or NULL on error. andre@1010: */ andre@1010: HANDLE get_restricted_token(); andre@1010: andre@1010: /** @brief get a normal user access token andre@1010: * andre@1010: * The trusted acces token is not elevated but has the normal user rights. andre@1010: * andre@1010: * @returns A normal user handle or NULL on error. andre@1010: */ andre@1010: HANDLE get_normal_token(); andre@1010: andre@670: #endif andre@670: aheinecke@505: #ifdef __cplusplus aheinecke@505: } aheinecke@505: #endif aheinecke@505: aheinecke@321: #endif // COMMON_UTIL_H