Context Navigation

xwpsecty.h@ 456

Visit:

Last change on this file since 456 was 257, checked in by umoeller, 22 years ago
Fixes that have piled up in the last three months.
Property svn:eol-style set to `CRLF` Property svn:keywords set to `Author Date Id Revision`
File size: 37.2 KB

Line
1
2	/*
3	*@@sourcefile xwpsecty.h:
4	* public declarations which are shared between the various ring-3
5	* parts of XWorkplace Security (XWPSec).
6	*
7	* XWPSec consists of the following modules:
8	*
9	* 1) XWPSHELL.EXE, which is to be installed through RUNWORKPLACE
10	* in CONFIG.SYS and functions as both a WPS starter and a
11	* daemon for managing the security driver;
12	*
13	* 2) XWPSEC32.SYS, which is a ring-0 driver performing
14	* authentification for OS/2 APIs like DosOpen, DosMove etc.
15	* through SES callouts.
16	*
17	* Note that Security Enabling Services (SES) is NOT used
18	* for user logon and authentication. In other words, this
19	* program serves neither as an SES System Logon Authority
20	* (SLA) nor a User Identification Authority (UIA). I have
21	* found SES Logon Shell Services (LSS) too buggy to be useful,
22	* but maybe I was too dumb to find out how to use them. But
23	* then again, these APIs are too complicated and error-prone
24	* to be used by ordinary humans.
25	*
26	* So instead, I have rewritten the LSS functionality for
27	* XWPShell. SES is only used for kernel interfaces (KPIs)
28	* in XWPSEC32.SYS. As a result, the SECURE.SYS text file
29	* in \OS2\SECURITY\SESDB is not used either.
30	*
31	*
32	* <B>Concepts:</B>
33	*
34	* To implement XWPSec, I have reviewed the concepts of Linux,
35	* SES, and OS/2 LAN Server (Warp Server for e-Business).
36	* See subjects.c, users.c, and userdb.c for a discussion of
37	* security concepts which came out of this review.
38	*
39	* As a summary, XWPSec follows the SES security models, with a
40	* few simplifications. To make processing more efficient, user
41	* IDs and group IDs have been added (like Linux uid and gid) to
42	* allow looking up data based on numbers instead of names.
43	*
44	* <B>Recommended reading:</B>
45	*
46	* -- "SES Developer's Guide" (IBM SG244668 redbook). This
47	* sucks, but it's the only source for SES information.
48	*
49	* -- "Network Administrator Tasks" (BOOKS\A3AA3MST.INF
50	* on a WSeB installation). A very good book.
51	*
52	* -- Linux manpages for group(5) and passwd(5); Linux info
53	* page for chmod (follow the "File permissions" node).
54	*
55	*
56	* <b>XWPSec Authentication Model</b>
57	*
58	* Basically, there are two competing models of access permissions
59	* in the computing world, the POSIX model and the Windows/OS/2
60	* model. Since the POSIX model can be implemented as a subset of
61	* the OS/2 model, XWPSec follows the OS/2 model, with very
62	* fine-grained access permissions and different ACLs per resource.
63	*
64	* XWPSec implements the usual stuff like users, groups, and
65	* privileged processes with increased access rights. As opposed
66	* to the POSIX model, group membership is an M:N relation, meaning
67	* that any user can be a member of an infinite number of groups.
68	* Also, while the POSIX model only allows controlling permissions
69	* for the owner, group, and "world" (rwxrwxrwx model), XWPSec has
70	* real ACLs which are unlimited in size per resource.
71	*
72	* To implement this efficiently, XWPSec uses "subject handles",
73	* which is a concept borrowed from SES. However, XWPSec does not
74	* use the SES APIs for creating and managing those, but implements
75	* this functionality itself.
76	*
77	* For authorizing events, XWPSec uses the XWPSUBJECTINFO and
78	* XWPSECURITYCONTEXT structures, plus an array of RESOURCEACL
79	* structs that forms the global system ACL table shared with
80	* the ring-0 device driver.
81	*
82	*
83	* <b>Logon</b>
84	*
85	* XWPShell maintains a list of users that are currently
86	* logged on. There can be an infinite number of logged-on
87	* users. However, one user logon is special and is called
88	* the "local" logon: that user owns the shell, most
89	* importantly PM and the Workplace Shell, and processes
90	* started via the shell run on behalf of that user.
91	*
92	* When a user logs on, XWPShell authenticates the credentials
93	* (normally, via user name and password), and creates one
94	* subject handle for that user plus one subject handle for
95	* every group that the user belongs to. XWPShell then rebuilds
96	* the system ACL table and sends it to the driver so it can
97	* perform authentication.
98	*
99	* Logon can thus happen in two situations. Most frequently,
100	* the local user logs on via the logon dialog when XWPShell
101	* starts up together with the system. However, XWPShell also
102	* allows any application to change its own security context
103	* be re-logging on with different credentials.
104	*
105	* This is the typical sequence of events when XWPShell is running:
106	*
107	* 1) When XWPShell starts up, it scans the process list to figure
108	* out all processes that are already running because of system
109	* startup. It then contacts the ring-0 driver, passing it an
110	* array of these PIDs, and thus enables local security. The
111	* driver then creates root security contexts for those processes.
112	*
113	* From that point on, all system events are authenticated until
114	* the system is shut down.
115	*
116	* (Before that, the driver does not deny access in order not to
117	* hickup the startup sequence.)
118	*
119	* 2) XWPShell displays the logon dialog.
120	*
121	* 3) After the user has entered his user name and password,
122	* XWPShell authenticates the user against the user database.
123	*
124	* 4) If the user was authenticated, XWPSec creates subjects
125	* for the user and his groups. With each subject creation,
126	* XWPShell rebuilds the system ACL list with the subject
127	* handles and sends them down to ring 0 so that the driver
128	* can perform authorization (see RESOURCEACL for details).
129	*
130	* 5) XWPShell sets the security context of itself (XWPSHELL.EXE)
131	* to contain these subject handles by calling a ring-0 driver
132	* API. Whoever owns XWPSHELL.EXE is, by definition, the "local"
133	* user.
134	*
135	* 6) XWPShell then changes the user profile (OS2.INI) via PrfReset,
136	* builds an environment for the Workplace Shell, and starts
137	* PMSHELL.EXE so that the WPS starts up with the user's Desktop.
138	* The WPS is started as a child of XWPSHELL.EXE and thus
139	* inherits its security context. Since the WPS uses WinStartApp
140	* to start applications, those will inherit the local user's
141	* security context as well.
142	*
143	* The following environment variables are set:
144	*
145	* -- USER is set to the user name;
146	* -- USERID is set to the user ID (uid);
147	* -- HOME is set to the user's home directory;
148	* -- OS2_INI is set to the user's OS2.INI file. This
149	* does not affect the profile (which has been
150	* changed using PrfReset before), but is still
151	* changed in case any program references this
152	* variable.
153	*
154	* All processes started by the WPS will inherit this
155	* environment since the WPS always copies its environment
156	* to child processes.
157	*
158	* 7) From then on, all system events will be authorized against
159	* the local user's security context, which contains the subject
160	* handles of the local user and his groups. For example, when
161	* an application opens a file, the driver will authorize this
162	* event against the ACLs stored in the user's subject infos
163	* and permit the operation or deny access.
164	*
165	* 8) When the user logs off via the new menu item in the Desktop's
166	* context menu (implemented by XWorkplace), XWorkplace will then
167	* terminate all processes running on behalf of this user and
168	* terminate the WPS process via DosExit. It sets a special flag
169	* in shared memory to indicate to XWPShell that this was not
170	* just a WPS restart (or trap), but a logoff event to prevent
171	* XWPShell from restarting the WPS immediately.
172	*
173	* 9) When XWPShell then realizes that the WPS has terminated and
174	* finds this flag, it logs off the user. Logging off implies
175	* again checking that no processes are running on behalf of
176	* the local user any more, changing the security context of
177	* XWPSHELL.EXE back to "noone", and deleting the subject
178	* handles that were created in (4.). Go back to (2.).
179	*
180	* Note: Version numbering in this file relates to XWorkplace version
181	* numbering.
182	*
183	*@@include #define INCL_DOSSEMAPHORES
184	*@@include #include <os2.h>
185	*@@include #include "helpers\xwpsecty.h"
186	*/
187
188	/*
189	* Copyright (C) 2000-2002 Ulrich Mller.
190	* This program is free software; you can redistribute it and/or modify
191	* it under the terms of the GNU General Public License as published by
192	* the Free Software Foundation, in version 2 as it comes in the COPYING
193	* file of the XWorkplace main distribution.
194	* This program is distributed in the hope that it will be useful,
195	* but WITHOUT ANY WARRANTY; without even the implied warranty of
196	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
197	* GNU General Public License for more details.
198	*/
199
200	#if __cplusplus
201	extern "C" {
202	#endif
203
204	#ifndef XWPSECTY_HEADER_INCLUDED
205	#define XWPSECTY_HEADER_INCLUDED
206
207	/* ******************************************************************
208	*
209	* Global constants
210	*
211	********************************************************************/
212
213	#define XWPSEC_NAMELEN 32
214	#define XWPSEC_FULLNAMELEN 80
215
216	/* ******************************************************************
217	*
218	* Subjects and security contexts
219	*
220	********************************************************************/
221
222	typedef unsigned long HXSUBJECT;
223
224	typedef long XWPSECID;
225
226	/*
227	*@@ XWPSUBJECTINFO:
228	* describes a subject.
229	*
230	* A subject represents either a user, a group, or a
231	* trusted process associated with an access control
232	* list.
233	*
234	* Subject handles allow for reusing ACLs efficiently
235	* when multiple users are logged on and also isolate
236	* the ring-0 driver from user and group management.
237	*
238	* Subject handle 0 is special and means "no restrictions".
239	* Only the superuser ("root") will have a subject handle
240	* of 0, regardless of the groups he's a member of. All
241	* other users will have nonzero subject handles.
242	*
243	* When a user logs on, subject handles get created
244	* that represent the access permissions of that user.
245	* Every running process has a list of subject handles
246	* associated with it (the security context), the sum
247	* of which allow for authorizing events. The driver
248	* only sees subject handles, not users or groups.
249	* However, the user and group IDs are listed in the
250	* subject info structure to allow the driver to audit
251	* events.
252	*
253	* Subject handles are created by XWPShell (ring 3)
254	* when users log on and then sent down to the ring-0
255	* driver together with a new system ACL list for future
256	* use.
257	*
258	* Comparison with other concepts:
259	*
260	* -- The concept of a "subject" has been taken from
261	* SES. However, with SES, a subject is much more
262	* complicated and not really well explained. The
263	* SES documentation sucks anyway.
264	*
265	* -- Warp (LAN) Server bases ACL entries on users and
266	* groups also, however without calling them "subjects".
267	* However, if I understood that right, LAN server can
268	* define an infinite number of ACL entries for each
269	* resource.
270	*
271	* -- Linux does not have the notion of a subject.
272	* Instead, all access rights are determined from
273	* the user id (uid) and group id (gid), apparently.
274	*
275	* -- Java seems to have something similar; it bases
276	* ACL entries on "principals", where a principal
277	* can either be a user or a group. See the API
278	* docs for java.security.acl.Acl.
279	*
280	*@@added V0.9.5 (2000-09-23) [umoeller]
281	*/
282
283	typedef struct _XWPSUBJECTINFO
284	{
285	HXSUBJECT hSubject;
286	// handle of this subject (unique),
287	// simply raised with each subject creation
288	XWPSECID id;
289	// ID related to this subject;
290	// -- for a user subject: the user id (uid); 0 if root
291	// -- for a group subject: the group id (gid)
292	// -- for a process subject: the process id (pid)
293	BYTE bType;
294	// one of:
295	#define SUBJ_USER 1
296	#define SUBJ_GROUP 2
297	#define SUBJ_PROCESS 3
298
299	ULONG cUsage;
300	// usage count (to allow for reuse)
301
302	} XWPSUBJECTINFO, *PXWPSUBJECTINFO;
303
304	/*
305	*@@ XWPSECURITYCONTEXTCORE:
306	* describes the security context for a process.
307	*
308	* For each process on the system, one security context
309	* defines its permissions via subject handles. Security
310	* contexts are created in ring 0 in the following
311	* situations:
312	*
313	* -- Via the DosExecPgm callout, when a new process is
314	* started. The driver then creates a security context
315	* with the same subject handles as the new process's
316	* parent process. This way process permissions inherit
317	* from each other.
318	*
319	* -- Via a ring-0 API that gets called by XWPShell to
320	* create security contexts for processes that are
321	* already running at startup, including XWPShell
322	* itself.
323	*
324	* Each subject handle in the context represents either a user,
325	* a group, or a trusted process. A subject handle of "0" is
326	* special and indicates root access. If such a subject handle
327	* is found, the driver grants full access and does not reject
328	* anything.
329	*
330	* As a result, the following are typical security contexts:
331	*
332	* -- A process running on behalf of a certain user will
333	* usually contain at least two subject handles, one
334	* for the user (if any ACLs were defined for that user
335	* at all), and one for each group that the user belongs
336	* to.
337	*
338	* -- Processes running on behalf of the superuser (root)
339	* will only have a single "0" subject handle.
340	*
341	* -- A trusted process that was defined by an adnimistrator
342	* will contain an additional subject handle with the access
343	* permissions defined for it. For example, if the program
344	* "C:\MASTER\MASTER.EXE" is given specific permissions,
345	* there would be one subject handle representing the
346	* ACLs for that in addition to those of the user running
347	* it (if any).
348	*
349	* -- For processes that were started during system startup,
350	* the driver creates security contexts with a single "0"
351	* (root) subject handle when XWPShell passes a list of
352	* PIDs to the driver with the "initialization" ring-0 API.
353	* As a result, all processes started through CONFIG.SYS
354	* are presently considered trusted processes.
355	*/
356
357	typedef struct _XWPSECURITYCONTEXTCORE
358	{
359	USHORT pidParent; // ID of process parent
360
361	USHORT cSubjects; // no. of subject handles in this context
362
363	HXSUBJECT aSubjects[1]; // array of cSubjects subject handles,
364	// determining the permissions of this
365	// process
366
367	} XWPSECURITYCONTEXTCORE, *PXWPSECURITYCONTEXTCORE;
368
369	/* ******************************************************************
370	*
371	* Access control
372	*
373	********************************************************************/
374
375	/*
376	* The following global permissions exist:
377	*
378	*/
379
380	#define XWPPERM_CREATEUSER 0x00000100
381	// permission to create new users
382
383	#define XWPPERM_CHANGEUSER 0x00000200
384	// permission to change user information
385
386	#define XWPPERM_CHANGEUSERPERM 0x00000400
387	// permission to change permissions for a
388	// given user
389
390	#define XWPPERM_DELETEUSER 0x00000800
391	// permission to delete existing users
392
393	#define XWPPERM_CREATEGROUP 0x00001000
394	// permission to create new groups
395
396	#define XWPPERM_CHANGEGROUP 0x00002000
397	// permission to change group information
398
399	#define XWPPERM_CHANGEGROUPERM 0x00000400
400	// permission to change permissions for a
401	// given group
402
403	#define XWPPERM_DELETEGROUP 0x00008000
404	// permission to delete existing groups
405
406	#define XWPPERM_QUERYUSERINFO 0x00010000
407	// permission to retrieve global user, group, and membership info
408
409	/*
410	* The following permissions are defined per resource:
411	*
412	*/
413
414	#define XWPACCESS_READ 0x01 // "R"
415	// For files: Permission to read data from a file and
416	// copy the file.
417	// For directories: Permission to view the directory's
418	// contents.
419	// For copying a file, both the file and its directory
420	// need "Read" permission.
421	#define XWPACCESS_WRITE 0x02 // "W"
422	// For files: Permission to write data to a file.
423	// For directories: Permission to write to files
424	// in the directory, but not create files ("Create"
425	// is required for that).
426	// Should be used together with "Read", because
427	// "Write" alone is not terribly useful.
428	// Besides, "Attrib" permission will also be
429	// required.
430	#define XWPACCESS_CREATE 0x04 // "C"
431	// Permission to create subdirectories and files
432	// in a directory. "Create" alone allows creation
433	// of the file only, but once it's closed, it
434	// cannot be changed any more.
435	#define XWPACCESS_EXEC 0x08 // "X"
436	// Permission to run (not copy) an executable
437	// or command file.
438	// Note: For .CMD and .BAT files, "Read" permission
439	// is also required.
440	// -- for directories: XWPSec defines this as
441	// with Unix, to change to a directory.
442	#define XWPACCESS_DELETE 0x10 // "D"
443	// Permission to delete subdirectories and files.
444	#define XWPACCESS_ATRIB 0x20 // "A"
445	// Permission to modify the attributes of a
446	// resource (read-only, hidden, system, and
447	// the date and time a file was last modified).
448	#define XWPACCESS_PERM 0x40
449	// Permission to modify the permissions (read,
450	// write, create, execute, and delete) assigned
451	// to a resource for a user or application.
452	// This gives the user limited administration
453	// authority for a given resource.
454	#define XWPACCESS_ALL 0x7F
455	// Permission to read, write, create, execute,
456	// or delete a resource, or to modify attributes
457	// or permissions.
458
459	/*
460	*@@ XWPSECSTATUS:
461	* structure representing the current status of XWPSec.
462	* Used with QUECMD_QUERYSTATUS.
463	*
464	*@@added V1.0.1 (2003-01-10) [umoeller]
465	*/
466
467	typedef struct _XWPSECSTATUS
468	{
469	BOOL fLocalSecurity; // TRUE if XWPSEC32.SYS is active
470
471	// the following fields are only set if fLocalSecurity is TRUE
472
473	ULONG cbAllocated; // total fixed memory currently allocated in ring 0
474	ULONG cAllocations, // no. of allocations made since startup
475	cFrees; // no. of frees made since startup
476	USHORT cLogBufs, // current 64K log buffers in use
477	cMaxLogBufs; // max 64K log buffers that were ever in use
478	ULONG cLogged; // no. of syscalls that were logged
479	ULONG cGranted, // no. of syscalls where access was granted
480	cDenied; // ... and denied
481	LONG cContexts; // no. of currently allocated security contexts
482	// (always >= the no. of running processes)
483	ULONG cbACLs; // of cbAllocated, no. of bytes in use for ACLs
484	} XWPSECSTATUS, *PXWPSECSTATUS;
485
486	/* ******************************************************************
487	*
488	* User Database
489	*
490	********************************************************************/
491
492	/*
493	*@@ XWPGROUPDBENTRY:
494	* group entry in the user database.
495	* See userdb.c for details.
496	*/
497
498	typedef struct _XWPGROUPDBENTRY
499	{
500	XWPSECID gid; // group ID
501	CHAR szGroupName[XWPSEC_NAMELEN]; // group name
502	} XWPGROUPDBENTRY, *PXWPGROUPDBENTRY;
503
504	/*
505	*@@ XWPUSERINFO:
506	* description of a user in the user database.
507	* See userdb.c for details.
508	*/
509
510	typedef struct _XWPUSERINFO
511	{
512	XWPSECID uid; // user's ID (unique); 0 for root
513	CHAR szUserName[XWPSEC_NAMELEN];
514	CHAR szFullName[XWPSEC_FULLNAMELEN]; // user's clear name
515	CHAR szUserShell[CCHMAXPATH]; // user shell (normally "X:\OS2\PMSHELL.EXE")
516	} XWPUSERINFO, *PXWPUSERINFO;
517
518	/*
519	*@@ XWPMEMBERSHIP:
520	*
521	*@@added V1.0.1 (2003-01-05) [umoeller]
522	*/
523
524	typedef struct _XWPMEMBERSHIP
525	{
526	ULONG cGroups;
527	XWPSECID aGIDs[1];
528	} XWPMEMBERSHIP, *PXWPMEMBERSHIP;
529
530	/*
531	*@@ XWPUSERDBENTRY:
532	*
533	*@@added V1.0.1 (2003-01-05) [umoeller]
534	*/
535
536	typedef struct _XWPUSERDBENTRY
537	{
538	ULONG cbStruct;
539	XWPUSERINFO User;
540	CHAR szPassword[XWPSEC_NAMELEN];
541	XWPMEMBERSHIP Membership;
542	} XWPUSERDBENTRY, *PXWPUSERDBENTRY;
543
544	/* ******************************************************************
545	*
546	* Logons
547	*
548	********************************************************************/
549
550	/*
551	*@@ XWPLOGGEDON:
552	* describes a current user (i.e. a user
553	* which is in the user database and is
554	* currently logged on, either locally
555	* or via network).
556	*/
557
558	typedef struct _XWPLOGGEDON
559	{
560	ULONG cbStruct; // size of entire structure
561	XWPSECID uid; // user's ID
562	CHAR szUserName[XWPSEC_NAMELEN];
563	USHORT cSubjects; // no. of entries in aSubjects array
564	HXSUBJECT aSubjects[1]; // array of subject handles of this user; one "0" entry if root
565	} XWPLOGGEDON, *PXWPLOGGEDON;
566
567	/* ******************************************************************
568	*
569	* Errors
570	*
571	********************************************************************/
572
573	#define ERROR_XWPSEC_FIRST 31000
574
575	#define XWPSEC_INTEGRITY (ERROR_XWPSEC_FIRST)
576	#define XWPSEC_STRUCT_MISMATCH (ERROR_XWPSEC_FIRST + 1) // V1.0.1 (2003-01-05) [umoeller]
577	// sizeof XWPSHELLQUEUEDATA does not match (different versions?)
578	#define XWPSEC_INVALID_DATA (ERROR_XWPSEC_FIRST + 2)
579	#define XWPSEC_CANNOT_GET_MUTEX (ERROR_XWPSEC_FIRST + 3)
580	#define XWPSEC_CANNOT_START_DAEMON (ERROR_XWPSEC_FIRST + 4)
581
582	#define XWPSEC_INSUFFICIENT_AUTHORITY (ERROR_XWPSEC_FIRST + 5)
583
584	#define XWPSEC_HSUBJECT_EXISTS (ERROR_XWPSEC_FIRST + 6)
585	#define XWPSEC_INVALID_HSUBJECT (ERROR_XWPSEC_FIRST + 7)
586
587	#define XWPSEC_INVALID_PID (ERROR_XWPSEC_FIRST + 10)
588	#define XWPSEC_NO_CONTEXTS (ERROR_XWPSEC_FIRST + 11)
589
590	#define XWPSEC_USER_EXISTS (ERROR_XWPSEC_FIRST + 20)
591	#define XWPSEC_NO_USERS (ERROR_XWPSEC_FIRST + 21)
592	#define XWPSEC_NO_GROUPS (ERROR_XWPSEC_FIRST + 22)
593	#define XWPSEC_INVALID_ID (ERROR_XWPSEC_FIRST + 23)
594	// invalid user or group ID
595
596	#define XWPSEC_NOT_AUTHENTICATED (ERROR_XWPSEC_FIRST + 30)
597	#define XWPSEC_NO_USER_PROFILE (ERROR_XWPSEC_FIRST + 31) // V0.9.19 (2002-04-02) [umoeller]
598	#define XWPSEC_CANNOT_START_SHELL (ERROR_XWPSEC_FIRST + 32)
599	#define XWPSEC_INVALID_PROFILE (ERROR_XWPSEC_FIRST + 33)
600	#define XWPSEC_NO_LOGON (ERROR_XWPSEC_FIRST + 34)
601
602	#define XWPSEC_DB_GROUP_SYNTAX (ERROR_XWPSEC_FIRST + 35)
603	#define XWPSEC_DB_USER_SYNTAX (ERROR_XWPSEC_FIRST + 36)
604	#define XWPSEC_DB_INVALID_GROUPID (ERROR_XWPSEC_FIRST + 37)
605
606	#define XWPSEC_DB_ACL_SYNTAX (ERROR_XWPSEC_FIRST + 40)
607	#define XWPSEC_DB_ACL_INTEGRITY (ERROR_XWPSEC_FIRST + 41)
608	#define XWPSEC_DB_ACL_DUPRES (ERROR_XWPSEC_FIRST + 42)
609	// more than one line for the same resource in ACL DB
610
611	#define XWPSEC_RING0_NOT_FOUND (ERROR_XWPSEC_FIRST + 50)
612
613	#define XWPSEC_QUEUE_INVALID_CMD (ERROR_XWPSEC_FIRST + 51)
614
615	#define ERROR_XWPSEC_LAST (ERROR_XWPSEC_FIRST + 51)
616
617	/* ******************************************************************
618	*
619	* XWPShell Shared Memory
620	*
621	********************************************************************/
622
623	#define SHMEM_XWPSHELL "\\SHAREMEM\\XWORKPLC\\XWPSHELL.DAT"
624	// shared memory name of XWPSHELLSHARED structure
625
626	/*
627	*@@ XWPSHELLSHARED:
628	* shared memory structure allocated by XWPShell
629	* when it starts up. This can be requested by
630	* any process to receive more information and
631	* is also checked by XWorkplace at WPS startup
632	* to determine whether XWPShell is running or
633	* the WPS should be running in single-user
634	* mode.
635	*/
636
637	typedef struct _XWPSHELLSHARED
638	{
639	BOOL fNoLogonButRestart;
640	// when the shell process terminates, it
641	// can set this flag to TRUE to prevent
642	// the logon prompt from appearing; instead,
643	// the shell should be restarted with the
644	// same user
645	} XWPSHELLSHARED, *PXWPSHELLSHARED;
646
647	/* ******************************************************************
648	*
649	* XWPShell Queue (Ring 3 API)
650	*
651	********************************************************************/
652
653	/*
654	* Ring-3 APIs are implemented via a regular OS/2 Control
655	* Program queue. Programs can call these APIs by allocating
656	* a chunk of shared memory, writing the pointer to that
657	* with a command code into this queue, and blocking on an
658	* event semaphore, which gets posted by XWPShell when the
659	* command has been processed. XWPShell then writes a
660	* result code (NO_ERROR or an error code) and possibly
661	* result data back into that shared memory.
662	*
663	* Since OS/2 reports the PID of the queue writer with the
664	* queue APIs, XWPShell can validate whether the writing
665	* process is authorized to perform a certain event. For
666	* example, when a process issues the "create new user"
667	* command, the queue thread in XWPShell will check the
668	* writer's PID and validate the security context of that
669	* process for whether the subjects of that process include
670	* sufficient permission for that command.
671	*
672	* The following commands are necessary:
673	*
674	* -- Query security context for a PID (no permissions required)
675	*
676	* -- Create user (admin permission required)
677	*
678	* -- Create group (admin permission required)
679	*
680	* -- Set User membership in groups
681	*
682	* -- Query user info
683	*
684	* -- Query group info
685	*
686	* -- Query permissions for a resource
687	*
688	* -- Set permissions for a resource
689	*
690	*/
691
692	#define QUEUE_XWPSHELL "\\QUEUES\\XWORKPLC\\XWPSHELL.QUE"
693	// queue name of the master XWPShell queue
694
695	/*
696	*@@ QUEUEUNION:
697	*
698	*@@added V0.9.11 (2001-04-22) [umoeller]
699	*/
700
701	typedef union _QUEUEUNION
702	{
703	#define QUECMD_QUERYSTATUS 1
704
705	XWPSECSTATUS Status;
706
707	#define QUECMD_QUERYLOCALUSER 2
708	// return data for user that is
709	// currently logged on locally.
710	// Required authority: None.
711	// If NO_ERROR is returned, pLocalUser has been
712	// set to single XWPUSERDBENTRY structure
713	// in shared memory given to the caller.
714	// The caller must issue DosFreeMem.
715	// Note that the szPassword field is always
716	// nulled out.
717	// Possible error codes: see slogQueryLocalUser.
718	PXWPUSERDBENTRY pLocalUser;
719
720	#define QUECMD_QUERYUSERS 3
721	// return info for all users that
722	// are defined in the userdb.
723	// Required authority: administrator.
724	// Possible error codes: see sudbQueryUsers.
725	// If NO_ERROR is returned, paUsers has been
726	// set to an array of cUsers XWPUSERDBENTRY
727	// structures as shared memory given to the
728	// caller. The caller must issue DosFreeMem.
729	// Note that the szPassword field for each
730	// user is always nulled out.
731	struct
732	{
733	ULONG cUsers;
734	PXWPUSERDBENTRY paUsers;
735	} QueryUsers;
736
737	#define QUECMD_QUERYGROUPS 4
738	// return info for all groups that
739	// are defined in the userdb.
740	// Required authority: administrator.
741	// Possible error codes: see sudbQueryGroups.
742	// If NO_ERROR is returned, paGroups has been
743	// set to an array of cGroups XWPGROUPDBENTRY
744	// structures as shared memory given to the
745	// caller. The caller must issue DosFreeMem.
746	struct
747	{
748	ULONG cGroups;
749	PXWPGROUPDBENTRY paGroups;
750	} QueryGroups;
751
752	#define QUECMD_QUERYUSERNAME 5
753
754	struct
755	{
756	XWPSECID uid; // in: user ID
757	CHAR szUserName[XWPSEC_NAMELEN]; // out: user name
758	} QueryUserName;
759
760	#define QUECMD_QUERYPROCESSOWNER 6
761	// return the uid of the user who owns
762	// the given process.
763	// Required authority: XWPPERM_QUERYUSERINFO,
764	// unless the given process is owned by the
765	// same user who runs the query.
766	struct
767	{
768	USHORT pid; // in: PID to query (or 0 for calling process)
769	HXSUBJECT hsubj0; // out: hSubject of user (or privileged process)
770	XWPSECID uid; // out: uid of owner, if NO_ERROR is returned
771	} QueryProcessOwner;
772
773	#define QUECMD_CREATEUSER 7
774
775	struct
776	{
777	CHAR szUserName[XWPSEC_NAMELEN]; // user name
778	CHAR szFullName[XWPSEC_FULLNAMELEN]; // user's clear name
779	CHAR szPassword[XWPSEC_NAMELEN]; // password
780	XWPSECID uidCreated; // out: uid of new user
781	} CreateUser;
782
783	#define QUECMD_SETUSERDATA 8
784
785	XWPUSERINFO SetUserData;
786
787	#define QUECMD_DELETEUSER 9
788
789	XWPSECID uidDelete;
790
791	#define QUECMD_QUERYPERMISSIONS 10
792
793	struct
794	{
795	CHAR szResource[CCHMAXPATH]; // in: resource to query
796	ULONG flAccess; // out: XWPACCESS_* flags
797	} QueryPermissions;
798
799	#define QUECMD_SWITCHUSER 11
800	// change the credentials of the current process. This
801	// allows a process to run on behalf of a different user
802	// and can be used to implement a "su" command, since
803	// processes started by the current process will inherit
804	// those credentials.
805
806	struct
807	{
808	CHAR szUserName[XWPSEC_NAMELEN];
809	CHAR szPassword[XWPSEC_NAMELEN];
810	XWPSECID uid; // out: user id if NO_ERROR
811	} SwitchUser;
812
813	} QUEUEUNION, *PQUEUEUNION;
814
815	/*
816	*@@ XWPSHELLQUEUEDATA:
817	* structure used in shared memory to communicate
818	* with XWPShell.
819	*
820	* A client process must use the following procedure
821	* to communicate with XWPShell:
822	*
823	* 1) Open the public XWPShell queue.
824	*
825	* 2) Allocate a giveable shared XWPSHELLQUEUEDATA
826	* and give it to XWPShell as read/write.
827	*
828	* 3) Create a shared event semaphore in
829	* XWPSHELLQUEUEDATA.hev.
830	*
831	* 4) Set XWPSHELLQUEUEDATA.ulCommand to one of the
832	* QUECMD_* flags, specifying the data to be queried.
833	*
834	* 5) Write the XWPSHELLQUEUEDATA pointer to the
835	* queue.
836	*
837	* 6) Block on XWPSHELLQUEUEDATA.hevData, which gets
838	* posted by XWPShell when the data has been filled.
839	*
840	* 7) Check XWPSHELLQUEUEDATA.arc. If NO_ERROR,
841	* XWPSHELLQUEUEDATA.Data union has been filled
842	* with data according to ulCommand.
843	*
844	* 8) Close the event sem and free the shared memory.
845	*
846	*@@added V0.9.11 (2001-04-22) [umoeller]
847	*/
848
849	typedef struct _XWPSHELLQUEUEDATA
850	{
851	ULONG cbStruct; // size of XWPSHELLQUEUEDATA struct (for safety)
852
853	ULONG ulCommand; // in: one of the QUECMD_* values
854
855	HEV hevData; // in: event semaphore posted
856	// when XWPShell has produced
857	// the data
858
859	APIRET arc; // out: error code set by XWPShell;
860	// if NO_ERROR, the following is valid
861
862	QUEUEUNION Data; // out: data, format depends on ulCommand
863
864	} XWPSHELLQUEUEDATA, *PXWPSHELLQUEUEDATA;
865
866	/* ******************************************************************
867	*
868	* APIs for interfacing XWPShell
869	*
870	********************************************************************/
871
872	APIRET xsecQueryStatus(PXWPSECSTATUS pStatus);
873
874	APIRET xsecQueryLocalUser(PXWPUSERDBENTRY *ppLocalUser);
875
876	APIRET xsecQueryAllUsers(PULONG pcUsers,
877	PXWPUSERDBENTRY *ppaUsers);
878
879	APIRET xsecQueryGroups(PULONG pcGroups,
880	PXWPGROUPDBENTRY *ppaGroups);
881
882	APIRET xsecQueryUserName(XWPSECID uid,
883	PSZ pszUserName);
884
885	APIRET xsecQueryProcessOwner(USHORT pid,
886	XWPSECID *puid);
887
888	APIRET xsecCreateUser(PCSZ pcszUserName,
889	PCSZ pcszFullName,
890	PCSZ pcszPassword,
891	XWPSECID gid,
892	XWPSECID *puid);
893
894	APIRET xsecSetUserData(XWPSECID uid,
895	PCSZ pcszUserName,
896	PCSZ pcszFullName);
897
898	APIRET xsecDeleteUser(XWPSECID uid);
899
900	APIRET xsecQueryPermissions(PCSZ pcszFilename,
901	PULONG pflAccess);
902
903	#endif
904
905	#if __cplusplus
906	}
907	#endif
908

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/include/helpers/xwpsecty.h@ 456

Download in other formats: