Context Navigation

source: trunk/include/helpers/xwpsecty.h@ 241

Visit:

Last change on this file since 241 was 241, checked in by umoeller, 23 years ago
Misc fixes.
Property svn:eol-style set to `CRLF` Property svn:keywords set to `Author Date Id Revision`
File size: 46.0 KB

Line
1
2	/*
3	*@@sourcefile xwpsecty.h:
4	* public declarations which are shared between the various ring-3
5	* parts of XWorkplace Security (XWPSec).
6	*
7	* XWPSec consists of the following modules:
8	*
9	* 1) XWPSHELL.EXE, which is to be installed through RUNWORKPLACE
10	* in CONFIG.SYS and functions as both a WPS starter and a
11	* daemon for managing the security driver;
12	*
13	* 2) XWPSEC32.SYS, which is a ring-0 driver performing
14	* authentification for OS/2 APIs like DosOpen, DosMove etc.
15	* through SES callouts.
16	*
17	* Note that Security Enabling Services (SES) is NOT used
18	* for user logon and authentication. In other words, this
19	* program serves neither as an SES System Logon Authority
20	* (SLA) nor a User Identification Authority (UIA). I have
21	* found SES Logon Shell Services (LSS) too buggy to be useful,
22	* but maybe I was too dumb to find out how to use them. But
23	* then again, these APIs are too complicated and error-prone
24	* to be used by ordinary humans.
25	*
26	* So instead, I have rewritten the LSS functionality for
27	* XWPShell. SES is only used for kernel interfaces (KPIs)
28	* in XWPSEC32.SYS. As a result, the SECURE.SYS text file
29	* in \OS2\SECURITY\SESDB is not used either.
30	*
31	*
32	* <B>Concepts:</B>
33	*
34	* To implement XWPSec, I have reviewed the concepts of Linux,
35	* SES, and OS/2 LAN Server (Warp Server for e-Business).
36	* See subjects.c, users.c, and userdb.c for a discussion of
37	* security concepts which came out of this review.
38	*
39	* As a summary, XWPSec follows the SES security models, with a
40	* few simplifications. To make processing more efficient, user
41	* IDs and group IDs have been added (like Linux uid and gid) to
42	* allow looking up data based on numbers instead of names.
43	*
44	* <B>Recommended reading:</B>
45	*
46	* -- "SES Developer's Guide" (IBM SG244668 redbook). This
47	* sucks, but it's the only source for SES information.
48	*
49	* -- "Network Administrator Tasks" (BOOKS\A3AA3MST.INF
50	* on a WSeB installation). A very good book.
51	*
52	* -- Linux manpages for group(5) and passwd(5); Linux info
53	* page for chmod (follow the "File permissions" node).
54	*
55	*
56	* <b>XWPSec Authentication Model</b>
57	*
58	* Basically, there are two competing models of access permissions
59	* in the computing world, the POSIX model and the Windows/OS/2
60	* model. Since the POSIX model can be implemented as a subset of
61	* the OS/2 model, XWPSec follows the OS/2 model, with very
62	* fine-grained access permissions and different ACLs per resource.
63	*
64	* XWPSec implements the usual stuff like users, groups, and
65	* privileged processes with increased access rights. As opposed
66	* to the POSIX model, group membership is an M:N relation, meaning
67	* that any user can be a member of an infinite number of groups.
68	* Also, while the POSIX model only allows controlling permissions
69	* for the owner, group, and "world" (rwxrwxrwx model), XWPSec has
70	* real ACLs which are unlimited in size per resource.
71	*
72	* To implement this efficiently, XWPSec uses "subject handles", which
73	* is a concept borrowed from SES. However, XWPSec does not use the
74	* SES APIs for creating and managing those, but implements this
75	* functionality itself.
76	*
77	* For authorizing events, XWPSec uses the XWPSUBJECTINFO and
78	* XWPSECURITYCONTEXT structures, plus an array of RESOURCEACL
79	* structs which forms the global system ACL table shared with
80	* the ring-0 device driver.
81	*
82	*
83	* <b>Logon</b>
84	*
85	* XWPShell maintains a list of users that are currently
86	* logged on. There can be an infinite number of logged-on
87	* users. However, one user logon is special and is called
88	* the "local" logon: that user owns the shell, most
89	* importantly the Workplace Shell, and processes started
90	* via the shell run on behalf of that user.
91	*
92	* When a user logs on, XWPShell authenticates the credentials
93	* (normally, via user name and password), and creates one
94	* subject handle for that user plus one subject handle for
95	* every group that the user belongs to. XWPShell then rebuilds
96	* the system ACL table and sends it to the driver so it can
97	* perform authentication.
98	*
99	* Logon can thus happen in two situations. Most frequently,
100	* the local user logs on via the logon dialog when XWPShell
101	* starts up together with the system. However, XWPShell also
102	* allows any application to change its own security context
103	* be re-logging on with different credentials.
104	*
105	* This is the typical sequence of events when XWPShell is running:
106	*
107	* 1) When XWPShell starts up, it scans the process list to figure
108	* out all processes that are already running because of system
109	* startup. It then contacts the ring-0 driver, passing it an
110	* array of these PIDs, and thus enables local security. The
111	* driver then creates root security contexts for those processes.
112	*
113	* From that point on, all system events are authenticated until
114	* the system is shut down.
115	*
116	* (Before that, the driver does not deny access in order not to
117	* hickup the startup sequence.)
118	*
119	* 2) XWPShell displays the logon dialog.
120	*
121	* 3) After the user has entered his user name and password,
122	* XWPShell authenticates the user against the user database.
123	*
124	* 4) If the user was authenticated, XWPSec creates subjects
125	* for the user and his groups. With each subject creation,
126	* XWPShell rebuilds the system ACL list with the subject
127	* handles and sends them down to ring 0 so that the driver
128	* can perform authorization (see RESOURCEACL for details).
129	*
130	* 5) XWPShell sets the security context of itself (XWPSHELL.EXE)
131	* to contain these subject handles by calling a ring-0 driver
132	* API. Whoever owns XWPSHELL.EXE is, by definition, the "local"
133	* user.
134	*
135	* 6) XWPShell then changes the user profile (OS2.INI) via PrfReset,
136	* builds an environment for the Workplace Shell, and starts
137	* PMSHELL.EXE so that the WPS starts up with the user's Desktop.
138	* The WPS is started as a child of XWPSHELL.EXE and thus
139	* inherits its security context. Since the WPS uses WinStartApp
140	* to start applications, those will inherit the local user's
141	* security context as well.
142	*
143	* The following environment variables are set:
144	*
145	* -- USER is set to the user name;
146	* -- USERID is set to the user ID (uid);
147	* -- HOME is set to the user's home directory;
148	* -- OS2_INI is set to the user's OS2.INI file. This
149	* does not affect the profile (which has been
150	* changed using PrfReset before), but is still
151	* changed in case any program references this
152	* variable.
153	*
154	* All processes started by the WPS will inherit this
155	* environment since the WPS always copies its environment
156	* to child processes.
157	*
158	* 7) From then on, all system events will be authorized against
159	* the local user's security context, which contains the subject
160	* handles of the local user and his groups. For example, when
161	* an application opens a file, the driver will authorize this
162	* event against the ACLs stored in the user's subject infos
163	* and permit the operation or deny access.
164	*
165	* 8) When the user logs off via the new menu item in the Desktop's
166	* context menu (implemented by XWorkplace), XWorkplace will then
167	* terminate all processes running on behalf of this user and
168	* terminate the WPS process via DosExit. It sets a special flag
169	* in shared memory to indicate to XWPShell that this was not
170	* just a WPS restart (or trap), but a logoff event to prevent
171	* XWPShell from restarting the WPS immediately.
172	*
173	* 9) When XWPShell then realizes that the WPS has terminated and
174	* finds this flag, it logs off the user. Logging off implies
175	* again checking that no processes are running on behalf of
176	* the local user any more, changing the security context of
177	* XWPSHELL.EXE back to "noone", and deleting the subject
178	* handles that were created in (4.). Go back to (2.).
179	*
180	* Note: Version numbering in this file relates to XWorkplace version
181	* numbering.
182	*
183	*@@include #define INCL_DOSSEMAPHORES
184	*@@include #include <os2.h>
185	*@@include #include "helpers\xwpsecty.h"
186	*/
187
188	/*
189	* Copyright (C) 2000-2002 Ulrich Mller.
190	* This program is free software; you can redistribute it and/or modify
191	* it under the terms of the GNU General Public License as published by
192	* the Free Software Foundation, in version 2 as it comes in the COPYING
193	* file of the XWorkplace main distribution.
194	* This program is distributed in the hope that it will be useful,
195	* but WITHOUT ANY WARRANTY; without even the implied warranty of
196	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
197	* GNU General Public License for more details.
198	*/
199
200	#if __cplusplus
201	extern "C" {
202	#endif
203
204	#ifndef XWPSECTY_HEADER_INCLUDED
205	#define XWPSECTY_HEADER_INCLUDED
206
207	/* ******************************************************************
208	*
209	* Global constants
210	*
211	********************************************************************/
212
213	#define XWPSEC_NAMELEN 32
214	#define XWPSEC_FULLNAMELEN 80
215
216	/* ******************************************************************
217	*
218	* Subjects and security contexts
219	*
220	********************************************************************/
221
222	typedef unsigned long HXSUBJECT;
223
224	typedef unsigned long XWPSECID;
225
226	/*
227	*@@ XWPSUBJECTINFO:
228	* describes a subject.
229	*
230	* A subject represents either a user, a group, or a
231	* trusted process associated with an access control
232	* list.
233	*
234	* Subject handles allow for reusing ACLs efficiently
235	* when multiple users are logged on and also isolate
236	* the ring-0 driver from user and group management.
237	*
238	* Subject handle 0 is special and means "no restrictions".
239	* Only the superuser ("root") will have a subject handle
240	* of 0, regardless of the groups he's a member of. All
241	* other users will have nonzero subject handles.
242	*
243	* When a user logs on, subject handles get created
244	* that represent the access permissions of that user.
245	* Every running process has a list of subject handles
246	* associated with it (the security context), the sum
247	* of which allow for authorizing events. The driver
248	* only sees subject handles, not users or groups.
249	* However, the user and group IDs are listed in the
250	* subject info structure to allow the driver to audit
251	* events.
252	*
253	* Subject handles are created by XWPShell (ring 3)
254	* when users log on and then sent down to the ring-0
255	* driver together with a new system ACL list for future
256	* use.
257	*
258	* Comparison with other concepts:
259	*
260	* -- The concept of a "subject" has been taken from
261	* SES. However, with SES, a subject is much more
262	* complicated and not really well explained. The
263	* SES documentation sucks anyway.
264	*
265	* -- Warp (LAN) Server bases ACL entries on users and
266	* groups also, however without calling them "subjects".
267	* However, if I understood that right, LAN server can
268	* define an infinite number of ACL entries for each
269	* resource.
270	*
271	* -- Linux does not have the notion of a subject.
272	* Instead, all access rights are determined from
273	* the user id (uid) and group id (gid), apparently.
274	*
275	* -- Java seems to have something similar; it bases
276	* ACL entries on "principals", where a principal
277	* can either be a user or a group. See the API
278	* docs for java.security.acl.Acl.
279	*
280	*@@added V0.9.5 (2000-09-23) [umoeller]
281	*/
282
283	typedef struct _XWPSUBJECTINFO
284	{
285	HXSUBJECT hSubject;
286	// handle of this subject (unique),
287	// simply raised with each subject creation
288	XWPSECID id;
289	// ID related to this subject;
290	// -- for a user subject: the user id (uid); 0 if root
291	// -- for a group subject: the group id (gid)
292	// -- for a process subject: the process id (pid)
293	BYTE bType;
294	// one of:
295	#define SUBJ_USER 1
296	#define SUBJ_GROUP 2
297	#define SUBJ_PROCESS 3
298
299	ULONG cUsage;
300	// usage count (to allow for reuse)
301
302	} XWPSUBJECTINFO, *PXWPSUBJECTINFO;
303
304	/*
305	*@@ XWPSECURITYCONTEXT:
306	* describes the security context for a process.
307	*
308	* For each process on the system, one security context
309	* defines its permissions via subject handles. Security
310	* contexts are created in ring 0 in the following
311	* situations:
312	*
313	* -- Via the DosExecPgm callout, when a new process is
314	* started. The driver then creates a security context
315	* with the same subject handles as the new process's
316	* parent process. This way process permissions inherit
317	* from each other.
318	*
319	* -- Via a ring-0 API that gets called by XWPShell to
320	* create security contexts for processes that are
321	* already running at startup, including XWPShell
322	* itself.
323	*
324	* Each subject handle in the context represents either a user,
325	* a group, or a trusted process. A subject handle of "0" is
326	* special and indicates root access. If such a subject handle
327	* is found, the driver grants full access and does not reject
328	* anything.
329	*
330	* As a result, the following are typical security contexts:
331	*
332	* -- A process running on behalf of a certain user will
333	* usually contain at least two subject handles, one
334	* for the user (if any ACLs were defined for that user
335	* at all), and one for each group that the user belongs
336	* to.
337	*
338	* -- Processes running on behalf of the superuser (root)
339	* will only have a single "0" subject handle.
340	*
341	* -- A trusted process that was defined by an adnimistrator
342	* will contain an additional subject handle with the access
343	* permissions defined for it. For example, if the program
344	* "C:\MASTER\MASTER.EXE" is given specific permissions,
345	* there would be one subject handle representing the
346	* ACLs for that in addition to those of the user running
347	* it.
348	*
349	* -- For processes that were started during system startup,
350	* the driver creates security contexts with a single "0"
351	* (root) subject handle when XWPShell passes a list of
352	* PIDs to the driver with the "initialization" ring-0 API.
353	* As a result, all processes started through CONFIG.SYS
354	* are considered trusted processes.
355	*/
356
357	typedef struct _XWPSECURITYCONTEXT
358	{
359	ULONG cbStruct;
360	ULONG ulPID; // process ID
361
362	ULONG cSubjects; // no. of subject handles in this context
363
364	HXSUBJECT aSubjects[1]; // array of cSubjects subject handles,
365	// determining the permissions of this
366	// process
367
368	} XWPSECURITYCONTEXT, *PXWPSECURITYCONTEXT;
369
370	/* ******************************************************************
371	*
372	* Access control
373	*
374	********************************************************************/
375
376	/*
377	* The following global permissions exist:
378	*
379	*/
380
381	#define XWPPERM_CREATEUSER 0x00000100
382	// permission to create new users
383
384	#define XWPPERM_CHANGEUSER 0x00000200
385	// permission to change user information
386
387	#define XWPPERM_CHANGEUSERPERM 0x00000400
388	// permission to change permissions for a
389	// given user
390
391	#define XWPPERM_DELETEUSER 0x00000800
392	// permission to delete existing users
393
394	#define XWPPERM_CREATEGROUP 0x00001000
395	// permission to create new groups
396
397	#define XWPPERM_CHANGEGROUP 0x00002000
398	// permission to change group information
399
400	#define XWPPERM_CHANGEGROUPERM 0x00000400
401	// permission to change permissions for a
402	// given group
403
404	#define XWPPERM_DELETEGROUP 0x00008000
405	// permission to delete existing groups
406
407	#define XWPPERM_QUERYUSERINFO 0x00010000
408	// permission to retrieve global user, group, and membership info
409
410	/*
411	* The following permissions are defined per resource:
412	*
413	*/
414
415	#define XWPACCESS_READ 0x01 // "R"
416	// For files: Permission to read data from a file and
417	// copy the file.
418	// For directories: Permission to view the directory's
419	// contents.
420	// For copying a file, both the file and its directory
421	// need "Read" permission.
422	#define XWPACCESS_WRITE 0x02 // "W"
423	// For files: Permission to write data to a file.
424	// For directories: Permission to write to files
425	// in the directory, but not create files ("Create"
426	// is required for that).
427	// Should be used together with "Read", because
428	// "Write" alone doesn't make much sense.
429	// Besides, "Attrib" permission will also be
430	// required.
431	#define XWPACCESS_CREATE 0x04 // "C"
432	// Permission to create subdirectories and files
433	// in a directory. "Create" alone allows creation
434	// of the file only, but once it's closed, it
435	// cannot be changed any more.
436	#define XWPACCESS_EXEC 0x08 // "X"
437	// Permission to run (not copy) an executable
438	// or command file.
439	// Note: For .CMD and .BAT files, "Read" permission
440	// is also required.
441	// -- for directories: XWPSec defines this as
442	// with Unix, to change to a directory.
443	#define XWPACCESS_DELETE 0x10 // "D"
444	// Permission to delete subdirectories and files.
445	#define XWPACCESS_ATRIB 0x20 // "A"
446	// Permission to modify the attributes of a
447	// resource (read-only, hidden, system, and
448	// the date and time a file was last modified).
449	#define XWPACCESS_PERM 0x40
450	// Permission to modify the permissions (read,
451	// write, create, execute, and delete) assigned
452	// to a resource for a user or application.
453	// This gives the user limited administration
454	// authority for a given resource.
455	#define XWPACCESS_ALL 0x7F
456	// Permission to read, write, create, execute,
457	// or delete a resource, or to modify attributes
458	// or permissions.
459
460	/*
461	*@@ XWPSECSTATUS:
462	*
463	*@@added V1.0.1 (2003-01-10) [umoeller]
464	*/
465
466	typedef struct _XWPSECSTATUS
467	{
468	BOOL fLocalSecurity; // TRUE if XWPSEC32.SYS is active
469
470	// the following fields are only set if fLocalSecurity is TRUE
471
472	ULONG cbAllocated; // fixed memory currently allocated in ring 0
473	ULONG cAllocations, // no. of allocations made since startup
474	cFrees; // no. of frees made since startup
475	USHORT cLogBufs, // current 64K log buffers in use
476	cMaxLogBufs; // max 64K log buffers that were ever in use
477	ULONG cLogged; // no. of syscalls that were logged
478	ULONG cGranted, // no. of syscalls where access was granted
479	cDenied; // ... and denied
480	} XWPSECSTATUS, *PXWPSECSTATUS;
481
482
483	/* ******************************************************************
484	*
485	* User Database
486	*
487	********************************************************************/
488
489	/*
490	*@@ XWPGROUPDBENTRY:
491	* group entry in the user database.
492	* See userdb.c for details.
493	*/
494
495	typedef struct _XWPGROUPDBENTRY
496	{
497	XWPSECID gid; // group ID
498	CHAR szGroupName[XWPSEC_NAMELEN]; // group name
499	} XWPGROUPDBENTRY, *PXWPGROUPDBENTRY;
500
501	/*
502	*@@ XWPUSERINFO:
503	* description of a user in the user database.
504	* See userdb.c for details.
505	*/
506
507	typedef struct _XWPUSERINFO
508	{
509	XWPSECID uid; // user's ID (unique); 0 for root
510	CHAR szUserName[XWPSEC_NAMELEN];
511	CHAR szFullName[XWPSEC_FULLNAMELEN]; // user's clear name
512	} XWPUSERINFO, *PXWPUSERINFO;
513
514	/*
515	*@@ XWPMEMBERSHIP:
516	*
517	*@@added V1.0.1 (2003-01-05) [umoeller]
518	*/
519
520	typedef struct _XWPMEMBERSHIP
521	{
522	ULONG cGroups;
523	XWPSECID aGIDs[1];
524	} XWPMEMBERSHIP, *PXWPMEMBERSHIP;
525
526	/*
527	*@@ XWPUSERDBENTRY:
528	*
529	*@@added V1.0.1 (2003-01-05) [umoeller]
530	*/
531
532	typedef struct _XWPUSERDBENTRY
533	{
534	ULONG cbStruct;
535	XWPUSERINFO User;
536	CHAR szPassword[XWPSEC_NAMELEN];
537	XWPMEMBERSHIP Membership;
538	} XWPUSERDBENTRY, *PXWPUSERDBENTRY;
539
540	/* ******************************************************************
541	*
542	* Logons
543	*
544	********************************************************************/
545
546	/*
547	*@@ XWPLOGGEDON:
548	* describes a current user (i.e. a user
549	* which is in the user database and is
550	* currently logged on, either locally
551	* or via network).
552	*/
553
554	typedef struct _XWPLOGGEDON
555	{
556	ULONG cbStruct; // size of entire structure
557	XWPSECID uid; // user's ID
558	CHAR szUserName[XWPSEC_NAMELEN];
559	ULONG cSubjects; // no. of entries in aSubjects array
560	HXSUBJECT aSubjects[1]; // array of subject handles of this user; one "0" entry if root
561	} XWPLOGGEDON, *PXWPLOGGEDON;
562
563	/* ******************************************************************
564	*
565	* Errors
566	*
567	********************************************************************/
568
569	#define ERROR_XWPSEC_FIRST 31000
570
571	#define XWPSEC_INTEGRITY (ERROR_XWPSEC_FIRST)
572	#define XWPSEC_STRUCT_MISMATCH (ERROR_XWPSEC_FIRST + 1) // V1.0.1 (2003-01-05) [umoeller]
573	// sizeof XWPSHELLQUEUEDATA does not match (different versions?)
574	#define XWPSEC_INVALID_DATA (ERROR_XWPSEC_FIRST + 2)
575	#define XWPSEC_CANNOT_GET_MUTEX (ERROR_XWPSEC_FIRST + 3)
576	#define XWPSEC_CANNOT_START_DAEMON (ERROR_XWPSEC_FIRST + 4)
577
578	#define XWPSEC_INSUFFICIENT_AUTHORITY (ERROR_XWPSEC_FIRST + 5)
579
580	#define XWPSEC_HSUBJECT_EXISTS (ERROR_XWPSEC_FIRST + 6)
581	#define XWPSEC_INVALID_HSUBJECT (ERROR_XWPSEC_FIRST + 7)
582
583	#define XWPSEC_INVALID_PID (ERROR_XWPSEC_FIRST + 10)
584	#define XWPSEC_NO_CONTEXTS (ERROR_XWPSEC_FIRST + 11)
585
586	#define XWPSEC_USER_EXISTS (ERROR_XWPSEC_FIRST + 20)
587	#define XWPSEC_NO_USERS (ERROR_XWPSEC_FIRST + 21)
588	#define XWPSEC_NO_GROUPS (ERROR_XWPSEC_FIRST + 22)
589	#define XWPSEC_INVALID_ID (ERROR_XWPSEC_FIRST + 23)
590	// invalid user or group ID
591
592	#define XWPSEC_NOT_AUTHENTICATED (ERROR_XWPSEC_FIRST + 30)
593	#define XWPSEC_NO_USER_PROFILE (ERROR_XWPSEC_FIRST + 31) // V0.9.19 (2002-04-02) [umoeller]
594	#define XWPSEC_CANNOT_START_SHELL (ERROR_XWPSEC_FIRST + 32)
595	#define XWPSEC_INVALID_PROFILE (ERROR_XWPSEC_FIRST + 33)
596	#define XWPSEC_NO_LOGON (ERROR_XWPSEC_FIRST + 34)
597
598	#define XWPSEC_DB_GROUP_SYNTAX (ERROR_XWPSEC_FIRST + 35)
599	#define XWPSEC_DB_USER_SYNTAX (ERROR_XWPSEC_FIRST + 36)
600	#define XWPSEC_DB_INVALID_GROUPID (ERROR_XWPSEC_FIRST + 37)
601
602	#define XWPSEC_DB_ACL_SYNTAX (ERROR_XWPSEC_FIRST + 40)
603	#define XWPSEC_DB_ACL_DUPRES (ERROR_XWPSEC_FIRST + 41)
604	// more than one line for the same resource in ACL DB
605
606	#define XWPSEC_RING0_NOT_FOUND (ERROR_XWPSEC_FIRST + 50)
607
608	#define XWPSEC_QUEUE_INVALID_CMD (ERROR_XWPSEC_FIRST + 51)
609
610	#define ERROR_XWPSEC_LAST (ERROR_XWPSEC_FIRST + 51)
611
612	/* ******************************************************************
613	*
614	* XWPShell Shared Memory
615	*
616	********************************************************************/
617
618	#define SHMEM_XWPSHELL "\\SHAREMEM\\XWORKPLC\\XWPSHELL.DAT"
619	// shared memory name of XWPSHELLSHARED structure
620
621	/*
622	*@@ XWPSHELLSHARED:
623	* shared memory structure allocated by XWPShell
624	* when it starts up. This can be requested by
625	* any process to receive more information and
626	* is also checked by XWorkplace at WPS startup
627	* to determine whether XWPShell is running or
628	* the WPS should be running in single-user
629	* mode.
630	*/
631
632	typedef struct _XWPSHELLSHARED
633	{
634	BOOL fNoLogonButRestart;
635	// when the shell process terminates, it
636	// can set this flag to TRUE to prevent
637	// the logon prompt from appearing; instead,
638	// the shell should be restarted with the
639	// same user
640	} XWPSHELLSHARED, *PXWPSHELLSHARED;
641
642	/* ******************************************************************
643	*
644	* XWPShell Queue (Ring 3 API)
645	*
646	********************************************************************/
647
648	/*
649	* Ring-3 APIs are implemented via a regular OS/2 Control
650	* Program queue. Programs can call these APIs by allocating
651	* a chunk of shared memory, writing the pointer to that
652	* with a command code into this queue, and blocking on an
653	* event semaphore, which gets posted by XWPShell when the
654	* command has been processed. XWPShell then writes a
655	* result code (NO_ERROR or an error code) and possibly
656	* result data back into that shared memory.
657	*
658	* Since OS/2 reports the PID of the queue writer with the
659	* queue APIs, XWPShell can validate whether the writing
660	* process is authorized to perform a certain event. For
661	* example, when a process issues the "create new user"
662	* command, the queue thread in XWPShell will check the
663	* writer's PID and validate the security context of that
664	* process for whether the subjects of that process include
665	* sufficient permission for that command.
666	*
667	* The following commands are necessary:
668	*
669	* -- Query security context for a PID (no permissions required)
670	*
671	* -- Create user (admin permission required)
672	*
673	* -- Create group (admin permission required)
674	*
675	* -- Set User membership in groups
676	*
677	* -- Query user info
678	*
679	* -- Query group info
680	*
681	* -- Query permissions for a resource
682	*
683	* -- Set permissions for a resource
684	*
685	*/
686
687	#define QUEUE_XWPSHELL "\\QUEUES\\XWORKPLC\\XWPSHELL.QUE"
688	// queue name of the master XWPShell queue
689
690	/*
691	*@@ QUEUEUNION:
692	*
693	*@@added V0.9.11 (2001-04-22) [umoeller]
694	*/
695
696	typedef union _QUEUEUNION
697	{
698	#define QUECMD_QUERYSTATUS 1
699
700	XWPSECSTATUS Status;
701
702	#define QUECMD_QUERYLOCALUSER 2
703	// return data for user that is
704	// currently logged on locally.
705	// Required authority: None.
706	// If NO_ERROR is returned, pLocalUser has been
707	// set to single XWPUSERDBENTRY structure
708	// in shared memory given to the caller.
709	// The caller must issue DosFreeMem.
710	// Note that the szPassword field is always
711	// nulled out.
712	// Possible error codes: see slogQueryLocalUser.
713	PXWPUSERDBENTRY pLocalUser;
714
715	#define QUECMD_QUERYUSERS 3
716	// return info for all users that
717	// are defined in the userdb.
718	// Required authority: administrator.
719	// Possible error codes: see sudbQueryUsers.
720	// If NO_ERROR is returned, paUsers has been
721	// set to an array of cUsers XWPUSERDBENTRY
722	// structures as shared memory given to the
723	// caller. The caller must issue DosFreeMem.
724	// Note that the szPassword field for each
725	// user is always nulled out.
726	struct
727	{
728	ULONG cUsers;
729	PXWPUSERDBENTRY paUsers;
730	} QueryUsers;
731
732	#define QUECMD_QUERYGROUPS 4
733	// return info for all groups that
734	// are defined in the userdb.
735	// Required authority: administrator.
736	// Possible error codes: see sudbQueryGroups.
737	// If NO_ERROR is returned, paGroups has been
738	// set to an array of cGroups XWPGROUPDBENTRY
739	// structures as shared memory given to the
740	// caller. The caller must issue DosFreeMem.
741	struct
742	{
743	ULONG cGroups;
744	PXWPGROUPDBENTRY paGroups;
745	} QueryGroups;
746
747	#define QUECMD_QUERYPROCESSOWNER 5
748	// return the uid of the user who owns
749	// the given process.
750	// Required authority: administrator.
751	struct
752	{
753	ULONG ulPID; // in: PID to query
754	XWPSECID uid; // out: uid of owner, if NO_ERROR is returned
755	} QueryProcessOwner;
756
757	#define QUECMD_CREATEUSER 6
758
759	struct
760	{
761	CHAR szUserName[XWPSEC_NAMELEN]; // user name
762	CHAR szFullName[XWPSEC_FULLNAMELEN]; // user's clear name
763	CHAR szPassword[XWPSEC_NAMELEN]; // password
764	XWPSECID uidCreated; // out: uid of new user
765	} CreateUser;
766
767	#define QUECMD_SETUSERDATA 7
768
769	XWPUSERINFO SetUserData;
770
771	#define QUECMD_DELETEUSER 8
772
773	XWPSECID uidDelete;
774
775	#define QUECMD_QUERYPERMISSIONS 9
776
777	struct
778	{
779	CHAR szResource[CCHMAXPATH]; // in: resource to query
780	ULONG flAccess; // out: XWPACCESS_* flags
781	} QueryPermissions;
782
783	} QUEUEUNION, *PQUEUEUNION;
784
785	/*
786	*@@ XWPSHELLQUEUEDATA:
787	* structure used in shared memory to communicate
788	* with XWPShell.
789	*
790	* A client process must use the following procedure
791	* to communicate with XWPShell:
792	*
793	* 1) Open the public XWPShell queue.
794	*
795	* 2) Allocate a giveable shared XWPSHELLQUEUEDATA
796	* and give it to XWPShell as read/write.
797	*
798	* 3) Create a shared event semaphore in
799	* XWPSHELLQUEUEDATA.hev.
800	*
801	* 4) Set XWPSHELLQUEUEDATA.ulCommand to one of the
802	* QUECMD_* flags, specifying the data to be queried.
803	*
804	* 5) Write the XWPSHELLQUEUEDATA pointer to the
805	* queue.
806	*
807	* 6) Block on XWPSHELLQUEUEDATA.hevData, which gets
808	* posted by XWPShell when the data has been filled.
809	*
810	* 7) Check XWPSHELLQUEUEDATA.arc. If NO_ERROR,
811	* XWPSHELLQUEUEDATA.Data union has been filled
812	* with data according to ulCommand.
813	*
814	* 8) Close the event sem and free the shared memory.
815	*
816	*@@added V0.9.11 (2001-04-22) [umoeller]
817	*/
818
819	typedef struct _XWPSHELLQUEUEDATA
820	{
821	ULONG cbStruct; // size of XWPSHELLQUEUEDATA struct (for safety)
822
823	ULONG ulCommand; // in: one of the QUECMD_* values
824
825	HEV hevData; // in: event semaphore posted
826	// when XWPShell has produced
827	// the data
828
829	APIRET arc; // out: error code set by XWPShell;
830	// if NO_ERROR, the following is valid
831
832	QUEUEUNION Data; // out: data, format depends on ulCommand
833
834	} XWPSHELLQUEUEDATA, *PXWPSHELLQUEUEDATA;
835
836	/* ******************************************************************
837	*
838	* Ring-0 (driver) APIs
839	*
840	********************************************************************/
841
842	/*
843	* Ring 0 interfaces required to be called from XWPShell:
844	*
845	* -- Initialization: to be called exactly once when
846	* XWPShell starts up. This call enables local security
847	* and switches the driver into authorization mode:
848	* from then on, all system events are authenticated
849	* via the KPI callouts.
850	*
851	* With this call, XWPShell must pass down an array of
852	* PIDs that were already running when XWPShell was
853	* started, including XWPShell itself. For these
854	* processes, the driver will create security contexts
855	* as trusted processes.
856	*
857	* In addition, XWPShell sends down an array with all
858	* definitions of trusted processes so that the driver
859	* can create special security contexts for those.
860	*
861	* -- Query security context: XWPShell needs to be able
862	* to retrieve the security context of a given PID
863	* from the driver to be able to authorize ring-3 API
864	* calls such as "create user" or changing permissions.
865	*
866	* -- Set security context: changes the security context
867	* of an existing process. This is used by XWPShell
868	* to change its own context when the local user logs
869	* on. In addition, XWPShell will call this when a
870	* third party process has requested to change its
871	* context and this request was authenticated.
872	*
873	* -- ACL table: Whenever subject handles are created or
874	* deleted, XWPShell needs to rebuild the system ACL
875	* table to contain the fresh subject handles and
876	* pass them all down to the driver.
877	*
878	* -- Refresh process list: XWPShell needs to periodically
879	* call into the driver to pass it a list of processes
880	* that are currently running. Since there is no callout
881	* for when a process has terminated, the driver will
882	* end up with plenty of zombie PIDs after a while. This
883	* call will also be necessary before a user logs off
884	* after his processes have been terminated to make
885	* sure that subject handles are no longer in use.
886	*/
887
888	/*
889	*@@ ACCESS:
890	*
891	*@@added V1.0.1 (2003-01-05) [umoeller]
892	*/
893
894	typedef struct _ACCESS
895	{
896	HXSUBJECT hSubject; // subject handle; this is -1 if an entry
897	// exists for this resource but the user or
898	// group is not currently in use (because no
899	// such user is logged on)
900	BYTE fbAccess; // XWPACCESS_* flags
901	} ACCESS, *PACCESS;
902
903	/*
904	*@@ RESOURCEACL:
905	* definition of a resource entry in the system access control
906	* list (ACL).
907	*
908	* At ring 0, the driver has a list of all RESOURCEACL entries
909	* defined for the system. Each entry in turn has an array of
910	* ACCESS structs listing the subject handles for the resource,
911	* for example, defining that subject handle 1 (which could be
912	* representing a user) may read and write this resource, subject
913	* handle 2 (representing one of the groups the user belongs to)
914	* may execute, and so on.
915	*
916	* There will only be one entry for any resource per subject.
917	* As a result, if the permissions for a resource are changed,
918	* the existing entry must be found and refreshed to avoid
919	* duplicates.
920	*
921	* The global ACL table is build by XWPShell whenever it needs
922	* updating and passed down to the driver for future use. It
923	* will need rebuilding whenever a subject handle gets created
924	* or when access permissions are changed by an administrator.
925	*
926	* The table will be build as follows by XWPShell:
927	*
928	* 1) XWPShell loads the file defining the ACLs for the entire
929	* system.
930	*
931	* For each definition in the file, it builds a RESOURCEACL
932	* entry. It checks the permissions defined for the resource
933	* in the file and sets up the array of ACCESS structures for
934	* the resource. If a permission was defined for a user for
935	* which a subject handle already exists (because the user
936	* is already logged on), that subject handle is stored.
937	* If a definition exists but none of the permissions apply
938	* to any of the current users (because those users are not
939	* logged on, or the groups are not in use yet), a dummy
940	* entry with a -1 subject handle is created to block access
941	* to the resource (see the algorithm description below).
942	*
943	* 2) XWPShell then sends the system ACL list down to the driver.
944	*
945	* During authorization, for any event, the driver first checks
946	* if a null ("root") subject handle exists in the process's
947	* security context. If so, access is granted unconditionally.
948	*
949	* Otherwise, ACLs apply to all subdirectories too, unless a more
950	* specific ACL entry is encountered. In other words,
951	* the driver authorizes events bottom-up in the following order:
952	*
953	* 1) It checks for whether an ACL entry for the given resource
954	* exists in the ACL table.
955	*
956	* If any ACL entry was found for the resource, access is
957	* granted if any ACL entry allowed access for one of the
958	* subjects in the process's security context. Access is denied
959	* if ACL entries existed for the resource but none allowed access,
960	* which includes the "blocker" -1 entry described above.
961	*
962	* In any case, the search stops if an ACL entry was found
963	* in the table, and access is either granted or denied.
964	*
965	* 2) Only if no entry was found for the resource in any of the
966	* subject infos, we climb up to the parent directory and
967	* search all subject infos again. Go back to (1).
968	*
969	* 3) After the root directory has been processed and still no
970	* entry exists, access is denied.
971	*
972	* Examples:
973	*
974	* User "dumbo" belongs to the groups "users" and "admins".
975	* The following ACLs are defined:
976	*
977	* -- "users" may read "C:\DIR",
978	*
979	* -- "admins" may read and write "C:\",
980	*
981	* -- "admins" may create directories in "C:\DIR",
982	*
983	* -- "otheruser" may read "C:\OTHERDIR".
984	*
985	* Assuming that only "dumbo" is logged on presently and the following
986	* subject handles have thus been created:
987	*
988	* -- 1 for user "dumbo",
989	*
990	* -- 2 for group "users",
991	*
992	* -- 3 for group "admins",
993	*
994	* the system ACL table will contain the following entries:
995	*
996	* -- "C:\": 3 (group "admins") may read and write;
997	*
998	* -- "C:\DIR": 2 (group "users") may read, 3 (group "admins) may
999	* create directories;
1000	*
1001	* -- "C:\OTHERDIR": this will have a dummy -1 entry with no permissions
1002	* because the only ACL defined is that user "otheruser" may read, and
1003	* that user is not logged on.
1004	*
1005	* 1) Assume a process running on behalf of "dumbo" wants to open
1006	* C:\DIR\SUBDIR\TEXT.DOC for reading.
1007	* Since the security context of "dumbo" has the three subject
1008	* handles for user "dumbo" (1) and the groups "users" (2) and
1009	* "admins" (3), the following happens:
1010	*
1011	* a) We check the system ACL table for "C:\DIR\SUBDIR\TEXT.DOC"
1012	* and find no ACL entry.
1013	*
1014	* b) So we take the parent directory, "C:\DIR\SUBDIR",
1015	* and again we find nothing.
1016	*
1017	* c) Taking the next parent, "C:\DIR\", we find the above two
1018	* subject handles: since "users" (2) may read, and that is
1019	* part of the security context, we grant access.
1020	*
1021	* 2) Now assume that the same process wants to write the file back:
1022	*
1023	* a) Again, we find no ACL entries for "C:\DIR\SUBDIR\TEXT.DOC"
1024	* or "C:\DIR\SUBDIR".
1025	*
1026	* b) Searching for "C:\DIR", we find that "users" (2) may only read,
1027	+ but not write. Also, "admins" (3) may create directories under
1028	* "C:\DIR", which is not sufficient either. Since no other entries
1029	* exist for "C:\DIR" that would permit write, we deny access.
1030	* That "admins" may write to "C:\" does not help since more
1031	* specific entries exist for "C:\DIR".
1032	*
1033	* 3) Now assume that the same process wants to create a new directory
1034	* under "C:\DIR\SUBDIR".
1035	*
1036	* a) Again, we find no ACL entries for "C:\DIR\SUBDIR".
1037	*
1038	* b) Searching for "C:\DIR", we find that "users" may only read,
1039	* which does not help. However, "admins" may create directories,
1040	* so we grant access.
1041	*
1042	* 4) Assume now that the process wants to create a new directory under
1043	* "C:\OTHERDIR".
1044	*
1045	* We find the ACL entry for "C:\OTHERDIR" and see only the -1
1046	* subject handle (for user "otheruser", who's not logged on),
1047	* and since no other permissions are set for us, we deny access.
1048	*
1049	*@@added V1.0.1 (2003-01-05) [umoeller]
1050	*/
1051
1052	typedef struct _RESOURCEACL
1053	{
1054	ULONG cbStruct; // size of entire structure; this is
1055	// sizeof(RESOURCEACL)
1056	// + cbName - 1
1057	// + cAccesses * sizeof(ACCESS)
1058	USHORT cAccesses; // no. of entries in array of ACCESS structs;
1059	// this comes right after szName, so its address
1060	// is szName + cbName
1061	USHORT cbName; // offset of array of ACCESS structs after szName
1062	// (includes null terminator and DWORD alignment
1063	// filler bytes)
1064	CHAR szName[1]; // fully qualified filename of this resource
1065	// (zero-terminated)
1066	} RESOURCEACL, *PRESOURCEACL;
1067
1068	/*
1069	*@@ RING0BUF:
1070	*
1071	*@@added V1.0.1 (2003-01-05) [umoeller]
1072	*/
1073
1074	typedef struct _RING0BUF
1075	{
1076	ULONG cbTotal;
1077	ULONG cSubjectInfos; // no. of subject infos (directly after this struct)
1078	ULONG cACLs; // no. of RESOURCEACL structs (after subject infos)
1079	ULONG ofsACLs; // ofs of first RESOURCEACL struct from beginning of
1080	// RING0BUF
1081	} RING0BUF, *PRING0BUF;
1082
1083	#endif
1084
1085	#if __cplusplus
1086	}
1087	#endif
1088

Note: See TracBrowser for help on using the repository browser.

Download in other formats: