static
NTSTATUS
RegSrvIpcCheckPermissions(
LWMsgSecurityToken* token,
uid_t* puid,
gid_t* pgid
)
{
NTSTATUS status = 0;
uid_t euid;
gid_t egid;
if (strcmp(lwmsg_security_token_get_type(token), "local"))
{
REG_LOG_WARNING("Unsupported authentication type");
status = STATUS_UNHANDLED_EXCEPTION;
BAIL_ON_NT_STATUS(status);
}
status = MAP_LWMSG_ERROR(lwmsg_local_token_get_eid(token, &euid, &egid));
BAIL_ON_NT_STATUS(status);
REG_LOG_VERBOSE("Permission granted for (uid = %i, gid = %i) to open RegIpcServer",
(int) euid,
(int) egid);
*puid = euid;
*pgid = egid;
error:
return status;
}
LWMsgStatus
LwmEvtSrvConstructSession(
LWMsgSecurityToken* pToken,
void* pData,
void** ppSessionData
)
{
DWORD dwError = 0;
PLWMSG_LW_EVENTLOG_CONNECTION pConn = NULL;
uid_t uid = 0;
gid_t gid = 0;
if (strcmp(lwmsg_security_token_get_type(pToken), "local"))
{
EVT_LOG_WARNING("Unsupported authentication type");
dwError = ERROR_NOT_SUPPORTED;
BAIL_ON_EVT_ERROR(dwError);
}
dwError = LwAllocateMemory(
sizeof(*pConn),
(PVOID*)&pConn);
BAIL_ON_EVT_ERROR(dwError);
dwError = MAP_LWMSG_ERROR(lwmsg_local_token_get_eid(
pToken,
&uid,
&gid));
BAIL_ON_EVT_ERROR(dwError);
pConn->Uid = uid;
pConn->Gid = gid;
*ppSessionData = pConn;
cleanup:
return MAP_LW_ERROR_IPC(dwError);
error:
LW_SAFE_FREE_MEMORY(pConn);
*ppSessionData = NULL;
goto cleanup;
}
static
int
fserv_check_permissions(LWMsgSession* session, const char* path, OpenMode mode)
{
LWMsgStatus status = LWMSG_STATUS_SUCCESS;
int ret = 0;
LWMsgSecurityToken* token = NULL;
uid_t euid;
gid_t egid;
struct stat statbuf;
/* Extract security token */
token = lwmsg_session_get_peer_security_token(session);
/* Check that session is authenticated and that the token type is correct */
if (token == NULL || strcmp(lwmsg_security_token_get_type(token), "local"))
{
LOG("Unsupported authentication type on session %p\n", session);
ret = -1;
goto error;
}
/* Extract uid and gid of the caller */
status = lwmsg_local_token_get_eid(token, &euid, &egid);
if (status)
{
ret = -1;
goto error;
}
if (stat(path, &statbuf) == -1)
{
ret = errno;
goto error;
}
if ((mode & OPEN_MODE_READ))
{
int can_read =
((statbuf.st_uid == euid && statbuf.st_mode & S_IRUSR) ||
(statbuf.st_gid == egid && statbuf.st_mode & S_IRGRP) ||
(statbuf.st_mode & S_IROTH));
if (!can_read)
{
LOG("Permission denied for (uid = %i, gid = %i) to read %s\n",
(int) euid,
(int) egid,
path);
ret = EPERM;
goto error;
}
}
if ((mode & OPEN_MODE_WRITE))
{
int can_write =
((statbuf.st_uid == euid && statbuf.st_mode & S_IWUSR) ||
(statbuf.st_gid == egid && statbuf.st_mode & S_IWGRP) ||
(statbuf.st_mode & S_IWOTH));
if (!can_write)
{
LOG("Permission denied for (uid = %i, gid = %i) to write %s\n",
(int) euid,
(int) egid,
path);
ret = EPERM;
goto error;
}
}
LOG("Permission granted for (uid = %i, gid = %i) to open %s\n",
(int) euid,
(int) egid,
path);
error:
return ret;
}
