static NTSTATUS RegSrvIpcCheckPermissions( LWMsgSecurityToken* token, uid_t* puid, gid_t* pgid ) { NTSTATUS status = 0; uid_t euid; gid_t egid; if (strcmp(lwmsg_security_token_get_type(token), "local")) { REG_LOG_WARNING("Unsupported authentication type"); status = STATUS_UNHANDLED_EXCEPTION; BAIL_ON_NT_STATUS(status); } status = MAP_LWMSG_ERROR(lwmsg_local_token_get_eid(token, &euid, &egid)); BAIL_ON_NT_STATUS(status); REG_LOG_VERBOSE("Permission granted for (uid = %i, gid = %i) to open RegIpcServer", (int) euid, (int) egid); *puid = euid; *pgid = egid; error: return status; }
LWMsgStatus LwmEvtSrvConstructSession( LWMsgSecurityToken* pToken, void* pData, void** ppSessionData ) { DWORD dwError = 0; PLWMSG_LW_EVENTLOG_CONNECTION pConn = NULL; uid_t uid = 0; gid_t gid = 0; if (strcmp(lwmsg_security_token_get_type(pToken), "local")) { EVT_LOG_WARNING("Unsupported authentication type"); dwError = ERROR_NOT_SUPPORTED; BAIL_ON_EVT_ERROR(dwError); } dwError = LwAllocateMemory( sizeof(*pConn), (PVOID*)&pConn); BAIL_ON_EVT_ERROR(dwError); dwError = MAP_LWMSG_ERROR(lwmsg_local_token_get_eid( pToken, &uid, &gid)); BAIL_ON_EVT_ERROR(dwError); pConn->Uid = uid; pConn->Gid = gid; *ppSessionData = pConn; cleanup: return MAP_LW_ERROR_IPC(dwError); error: LW_SAFE_FREE_MEMORY(pConn); *ppSessionData = NULL; goto cleanup; }
static int fserv_check_permissions(LWMsgSession* session, const char* path, OpenMode mode) { LWMsgStatus status = LWMSG_STATUS_SUCCESS; int ret = 0; LWMsgSecurityToken* token = NULL; uid_t euid; gid_t egid; struct stat statbuf; /* Extract security token */ token = lwmsg_session_get_peer_security_token(session); /* Check that session is authenticated and that the token type is correct */ if (token == NULL || strcmp(lwmsg_security_token_get_type(token), "local")) { LOG("Unsupported authentication type on session %p\n", session); ret = -1; goto error; } /* Extract uid and gid of the caller */ status = lwmsg_local_token_get_eid(token, &euid, &egid); if (status) { ret = -1; goto error; } if (stat(path, &statbuf) == -1) { ret = errno; goto error; } if ((mode & OPEN_MODE_READ)) { int can_read = ((statbuf.st_uid == euid && statbuf.st_mode & S_IRUSR) || (statbuf.st_gid == egid && statbuf.st_mode & S_IRGRP) || (statbuf.st_mode & S_IROTH)); if (!can_read) { LOG("Permission denied for (uid = %i, gid = %i) to read %s\n", (int) euid, (int) egid, path); ret = EPERM; goto error; } } if ((mode & OPEN_MODE_WRITE)) { int can_write = ((statbuf.st_uid == euid && statbuf.st_mode & S_IWUSR) || (statbuf.st_gid == egid && statbuf.st_mode & S_IWGRP) || (statbuf.st_mode & S_IWOTH)); if (!can_write) { LOG("Permission denied for (uid = %i, gid = %i) to write %s\n", (int) euid, (int) egid, path); ret = EPERM; goto error; } } LOG("Permission granted for (uid = %i, gid = %i) to open %s\n", (int) euid, (int) egid, path); error: return ret; }