/*\r
-Copyright 2005 by the Massachusetts Institute of Technology\r
+Copyright 2005,2006 by the Massachusetts Institute of Technology\r
\r
All rights reserved.\r
\r
{\r
// SID_IDENTIFIER_AUTHORITY authority = SECURITY_NT_SID_AUTHORITY;\r
PSID pSystemSID = NULL;\r
- DWORD SystemSIDlength, UserSIDlength;\r
+ DWORD SystemSIDlength = 0, UserSIDlength = 0;\r
PACL ccacheACL = NULL;\r
- DWORD ccacheACLlength;\r
+ DWORD ccacheACLlength = 0;\r
PTOKEN_USER pTokenUser = NULL;\r
DWORD retLen;\r
+ DWORD gle;\r
int ret = 0; \r
\r
+ if (!filename) {\r
+ DebugEvent0("KFW_set_ccache_dacl - invalid parms");\r
+ return 1;\r
+ }\r
+\r
/* Get System SID */\r
- ConvertStringSidToSid(SDDL_LOCAL_SYSTEM, &pSystemSID);\r
+ if (!ConvertStringSidToSid("S-1-5-18", &pSystemSID)) {\r
+ DebugEvent("KFW_set_ccache_dacl - ConvertStringSidToSid GLE = 0x%x", GetLastError());\r
+ ret = 1;\r
+ goto cleanup;\r
+ }\r
\r
/* Create ACL */\r
SystemSIDlength = GetLengthSid(pSystemSID);\r
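Review bot: The literal `"S-1-5-18"` that replaces `SDDL_LOCAL_SYSTEM` in the ConvertStringSidToSid call carries no comment saying which account it names, and the SID appears to feed the ACL built further down for the credential cache file. I would add `/* S-1-5-18 is the well-known LocalSystem SID */` above the call so a reader can audit who is granted access. The new error log also formats GetLastError() with `0x%x`, while the SetNamedSecurityInfo messages in the same function use `0x%lX`; one form throughout keeps the logs searchable. The function body continues outside this hunk.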
}\r
}\r
\r
- ccacheACL = GlobalAlloc(GMEM_FIXED, ccacheACLlength);\r
+ ccacheACL = (PACL) LocalAlloc(LPTR, ccacheACLlength);\r
+ if (!ccacheACL) {\r
+ DebugEvent("KFW_set_ccache_dacl - LocalAlloc GLE = 0x%x", GetLastError());\r
+ ret = 1;\r
+ goto cleanup;\r
+ }\r
+\r
InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION);\r
AddAccessAllowedAceEx(ccacheACL, ACL_REVISION, 0,\r
STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,\r
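Review bot: `InitializeAcl` and `AddAccessAllowedAceEx` are still called without testing their BOOL results, directly after the LocalAlloc check this commit adds, so a failure while building the ACL carries on to SetNamedSecurityInfo with an incomplete DACL. Because this DACL is what restricts access to the credential cache file, both calls should follow the pattern used above: `if (!InitializeAcl(ccacheACL, ccacheACLlength, ACL_REVISION)) { ret = 1; goto cleanup; }`, and the same for each AddAccessAllowedAceEx call. The AddAccessAllowedAceEx call and the computation of `ccacheACLlength` lie partly outside this hunk.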
NULL, \r
ccacheACL,\r
NULL)) {\r
- DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", GetLastError());\r
- ret = 1;\r
+ gle = GetLastError();\r
+ DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);\r
+ if (gle != ERROR_NO_TOKEN)\r
+ ret = 1;\r
}\r
if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,\r
OWNER_SECURITY_INFORMATION,\r
NULL, \r
NULL,\r
NULL)) {\r
- DebugEvent("SetNamedSecurityInfo Owner failed: GLE = 0x%lX", GetLastError());\r
- ret = 1;\r
+ gle = GetLastError();\r
+ DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);\r
+ if (gle != ERROR_NO_TOKEN)\r
+ ret = 1;\r
}\r
} else {\r
if (!SetNamedSecurityInfo( filename, SE_FILE_OBJECT,\r
NULL, \r
ccacheACL,\r
NULL)) {\r
- DebugEvent("SetNamedSecurityInfo failed: GLE = 0x%lX", GetLastError());\r
- ret = 1;\r
+ gle = GetLastError();\r
+ DebugEvent("SetNamedSecurityInfo DACL failed: GLE = 0x%lX", gle);\r
+ if (gle != ERROR_NO_TOKEN)\r
+ ret = 1;\r
}\r
}\r
\r
+ cleanup:\r
if (pSystemSID)\r
LocalFree(pSystemSID);\r
if (pTokenUser)\r
LocalFree(pTokenUser);\r
if (ccacheACL)\r
- GlobalFree(ccacheACL);\r
+ LocalFree(ccacheACL);\r
return ret;\r
}\r
\r
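Review bot: The `if (!SetNamedSecurityInfo(...))` tests in this hunk treat a zero return as failure, but SetNamedSecurityInfo is documented to return ERROR_SUCCESS (0) on success and the error code itself on failure, so these branches run when the call succeeded and `GetLastError()` reads a stale value there. The new `if (gle != ERROR_NO_TOKEN)` filter then looks like it masks that stale value rather than a real condition. A genuine failure to set the DACL or owner leaves `ret` at 0, which matters now that callers keep or delete the cache based on this result. Capture the return instead: `gle = SetNamedSecurityInfo(...); if (gle != ERROR_SUCCESS) { DebugEvent("... GLE = 0x%lX", gle); ret = 1; }`. The owner branch now also logs "DACL failed", losing the "Owner" wording of the removed line, and the first call begins outside this hunk.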
{\r
int retval = 0;\r
DWORD dwSize = size-1; /* leave room for nul */\r
+ DWORD dwLen = 0;\r
+\r
+ if (!hUserToken || !newfilename || size <= 0)\r
+ return;\r
\r
*newfilename = '\0';\r
\r
- if ( !ExpandEnvironmentStringsForUser(hUserToken, "%TEMP%", newfilename, size) &&\r
- !ExpandEnvironmentStringsForUser(hUserToken, "%TMP%", newfilename, size))\r
+ dwLen = ExpandEnvironmentStringsForUser(hUserToken, "%TEMP%", newfilename, dwSize);\r
+ if ( !dwLen || dwLen > dwSize )\r
+ dwLen = ExpandEnvironmentStringsForUser(hUserToken, "%TMP%", newfilename, dwSize);\r
+ if ( !dwLen || dwLen > dwSize )\r
return 1;\r
+\r
+ newfilename[dwSize] = '\0';\r
return 0;\r
}\r
\r
void\r
KFW_copy_cache_to_system_file(char * user, char * szLogonId)\r
{\r
- char filename[256];\r
+ char filename[MAX_PATH] = "";\r
DWORD count;\r
- char cachename[264] = "FILE:";\r
+ char cachename[MAX_PATH + 8] = "FILE:";\r
krb5_context ctx = 0;\r
krb5_error_code code;\r
krb5_principal princ = 0;\r
krb5_ccache ncc = 0;\r
PSECURITY_ATTRIBUTES pSA = NULL;\r
\r
- if (!pkrb5_init_context)\r
+ if (!pkrb5_init_context || !user || !szLogonId)\r
return;\r
\r
count = GetEnvironmentVariable("TEMP", filename, sizeof(filename));\r
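Review bot: The new parameter guard in the temp-directory helper uses a bare `return;`, while the same function ends with `return 1;` and `return 0;` and its caller in this commit tests the result. On invalid arguments the caller therefore reads an indeterminate value and may go on with an empty `newfilename`; the guard should be `return 1;`. Separately, ExpandEnvironmentStringsForUser is documented as returning BOOL rather than a length, so `dwLen > dwSize` does not detect truncation; either reduce the test to `!dwLen` or add a comment explaining what the comparison is meant to catch. The function's signature is outside this hunk, so the int return type is inferred from the visible returns.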
code = pkrb5_cc_initialize(ctx, ncc, princ);\r
if (code) goto cleanup;\r
\r
- KFW_set_ccache_dacl(filename, NULL);\r
+ code = KFW_set_ccache_dacl(filename, NULL);\r
+ if (code) goto cleanup;\r
\r
code = pkrb5_cc_copy_creds(ctx,cc,ncc);\r
\r
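Review bot: When `KFW_set_ccache_dacl` fails here the code jumps to `cleanup` after `pkrb5_cc_initialize` has presumably already created the cache file, whereas the logon-event path in this same commit calls `DeleteFile(filename)` on the same failure. The `cleanup` label is outside this hunk, so it is worth confirming that it destroys the cache rather than only closing it. A comment at the goto such as `/* DACL not applied: the cache file must not be left behind */` would record that requirement.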
int\r
KFW_copy_file_cache_to_default_cache(char * filename)\r
{\r
- char cachename[264] = "FILE:";\r
+ char cachename[MAX_PATH + 8] = "FILE:";\r
krb5_context ctx = 0;\r
krb5_error_code code;\r
krb5_principal princ = 0;\r
krb5_ccache ncc = 0;\r
int retval = 1;\r
\r
- if (!pkrb5_init_context)\r
+ if (!pkrb5_init_context || !filename)\r
return 1;\r
\r
- if ( strlen(filename) + 6 > sizeof(cachename) )\r
+ if ( strlen(filename) + sizeof("FILE:") > sizeof(cachename) )\r
return 1;\r
\r
strcat(cachename, filename);\r
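Review bot: The bound `strlen(filename) + sizeof("FILE:") > sizeof(cachename)` is exact only because `sizeof("FILE:")` counts the terminating NUL, which is easy to miss next to the unrelated `MAX_PATH + 8` in the declaration. I would add `/* sizeof("FILE:") includes the NUL: prefix + filename + terminator must fit */` above the test, so the following `strcat` can be checked against it at a glance. The function continues outside this hunk.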
lpszOutputString[min(uInputString.Length/2,nOutStringLen-1)] = '\0';\r
return TRUE;\r
}\r
- else\r
- lpszOutputString[0] = '\0';\r
+\r
+ lpszOutputString[0] = '\0';\r
return FALSE;\r
} // UnicodeStringToANSI\r
\r
/* Convert from Unicode to ANSI */\r
\r
/*TODO: Use SecureZeroMemory to erase passwords */\r
- UnicodeStringToANSI(IL->UserName, uname, MAX_USERNAME_LENGTH);\r
- UnicodeStringToANSI(IL->Password, password, MAX_PASSWORD_LENGTH);\r
- UnicodeStringToANSI(IL->LogonDomainName, logonDomain, MAX_DOMAIN_LENGTH);\r
+ if (!UnicodeStringToANSI(IL->UserName, uname, MAX_USERNAME_LENGTH) ||\r
+ !UnicodeStringToANSI(IL->Password, password, MAX_PASSWORD_LENGTH) ||\r
+ !UnicodeStringToANSI(IL->LogonDomainName, logonDomain, MAX_DOMAIN_LENGTH))\r
+ return 0;\r
\r
/* Make sure AD-DOMAINS sent from login that is sent to us is stripped */\r
ctemp = strchr(uname, '@');\r
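Review bot: The new early `return 0;` can leave the cleartext password behind in `password`. The conversions short-circuit left to right, so if UserName and Password convert and LogonDomainName fails, the function returns with that buffer filled. The TODO just above already calls for SecureZeroMemory, and this new exit path should do it now: `SecureZeroMemory(password, sizeof(password)); return 0;` (assuming `password` is a local array, since its declaration is outside this hunk). A comment on what a 0 return means to the caller would also help, as the enclosing function is not visible here.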
char szPath[MAX_PATH] = "";\r
char szLogonId[128] = "";\r
DWORD count;\r
- char filename[256];\r
- char newfilename[256];\r
- char commandline[512];\r
+ char filename[MAX_PATH] = "";\r
+ char newfilename[MAX_PATH] = "";\r
+ char commandline[MAX_PATH+256] = "";\r
STARTUPINFO startupinfo;\r
PROCESS_INFORMATION procinfo;\r
+ HANDLE hf = NULL;\r
\r
LUID LogonId = {0, 0};\r
PSECURITY_LOGON_SESSION_DATA pLogonSessionData = NULL;\r
strcat(filename, "\\");\r
strcat(filename, szLogonId); \r
\r
- KFW_set_ccache_dacl(filename, pInfo->hToken);\r
+ hf = CreateFile(filename, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, \r
+ FILE_ATTRIBUTE_NORMAL, NULL);\r
+ if (hf == INVALID_HANDLE_VALUE) {\r
+ DebugEvent0("KFW_Logon_Event - file cannot be opened");\r
+ return;\r
+ }\r
+ CloseHandle(hf);\r
+\r
+ if (KFW_set_ccache_dacl(filename, pInfo->hToken)) {\r
+ DebugEvent0("KFW_Logon_Event - unable to set dacl");\r
+ DeleteFile(filename);\r
+ return;\r
+ }\r
\r
- KFW_obtain_user_temp_directory(pInfo->hToken, newfilename, sizeof(newfilename));\r
+ if (KFW_obtain_user_temp_directory(pInfo->hToken, newfilename, sizeof(newfilename))) {\r
+ DebugEvent0("KFW_Logon_Event - unable to obtain temp directory");\r
+ return;\r
+ }\r
\r
if ( strlen(newfilename) + strlen(szLogonId) + 2 > sizeof(newfilename) ) {\r
DebugEvent0("KFW_Logon_Event - new filename too long");\r
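Review bot: The failure branch after `KFW_obtain_user_temp_directory` returns without `DeleteFile(filename)`, so the credential cache named by `filename` stays on disk, while the DACL-failure branch just above removes it. Add `DeleteFile(filename);` before that `return;`. The `CreateFile`/`CloseHandle` probe only shows the path could be opened at that instant, and `FILE_ALL_ACCESS` with share mode 0 is more than an existence test needs. Because the DACL is then applied by name, a comment should state the assumption that nothing else can replace the file in that directory between the two calls. Whether `pLogonSessionData` or other resources need releasing on these early returns cannot be seen from this hunk.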