namespace Authorization {
// default credential: invalid for everything, needed as a default session credential
-CredentialImpl::CredentialImpl() : mShared(false), mRight(false), mRightName(""), mGroupName(""), mUid(0), mUserName(""), mRealName(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false)
+CredentialImpl::CredentialImpl() : mShared(false), mRight(false), mUid(0), mName(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false)
{
}
// only for testing whether this credential is usable
-CredentialImpl::CredentialImpl(const uid_t uid, const string &username, const string &realname, const string &groupname, bool shared) : mShared(shared), mRight(false), mRightName(""), mGroupName(groupname), mUid(uid), mUserName(username), mRealName(realname), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true)
+CredentialImpl::CredentialImpl(const uid_t uid, const string &username, const string &realname, bool shared) : mShared(shared), mRight(false), mUid(uid), mName(username), mRealName(realname), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true)
{
}
-CredentialImpl::CredentialImpl(const string &username, const string &password, bool shared) : mShared(shared), mRight(false), mRightName(""), mGroupName(""), mUserName(username), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false)
+CredentialImpl::CredentialImpl(const string &username, const string &password, bool shared) : mShared(shared), mRight(false), mName(username), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(false)
{
Server::active().longTermActivity();
const char *user = username.c_str();
}
mUid = pw->pw_uid;
- mUserName = pw->pw_name;
+ mName = pw->pw_name;
mRealName = pw->pw_gecos;
const char *passwd = password.c_str();
// least-privilege
// @@@ arguably we don't care about the UID any more and should not
// require it in this ctor
-CredentialImpl::CredentialImpl(const string &right, const uid_t uid, bool shared) : mShared(shared), mRight(true), mRightName(right), mGroupName(""), mUid(uid), mUserName(""), mRealName(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true)
+CredentialImpl::CredentialImpl(const string &right, bool shared) : mShared(shared), mRight(true), mUid(-2), mName(right), mRealName(""), mCreationTime(CFAbsoluteTimeGetCurrent()), mValid(true)
{
}
bool
CredentialImpl::operator < (const CredentialImpl &other) const
{
- // Desired ordering characteristics:
+ // all shared creds are placed into mSessionCreds
+ // all non shared creds are placed into AuthorizationToken
//
- // - unshared before shared
- // - least privilege before non-least privilege
- // - for least privilege credentials with the same sharing characteristics,
- // order on the basis of right strings
- // - orthographic order of group names
- //
- // UID used to be the primary distinguishing element, but it can't be
- // trusted--it's gathered as a side effect, potentially by an external
- // process.
- //
- // Nothing is sacred about this ordering; we just had to pick something.
+ // There are 2 types of credentials UID and Right
+ // UID = Authenticated Identity
+ // Right = Rights which were previously authenticated by a uid credential
+ // Right Credentials are only used during kAuthorizationFlagLeastPrivileged
+ // operations and should not have a valid uid set
+
+ // this allows shared and none shared co-exist in the same container
+ // used when processing multiple rights shared vs non-shared during evaluation
if (!mShared && other.mShared)
return true;
if (!other.mShared && mShared)
return false;
+
+ // this allows uids and rights co-exist in the same container
+ // used when holding onto Rights inside of the AuthorizationToken
if (mRight && !other.mRight)
return true;
if (!mRight && other.mRight)
return false;
- if (mRight && other.mRight)
- return mRightName < other.mRightName;
- else
- return mGroupName < other.mGroupName;
+
+ // this is the actual comparision
+ if (mRight) {
+ return mName < other.mName;
+ } else {
+ return mUid < other.mUid;
+ }
}
// Returns true if this CredentialImpl should be shared.
// try to ensure that the credentials are the same type
assert(mRight == other.mRight);
if (mRight)
- assert(mRightName == other.mRightName);
- else
- assert(mGroupName == other.mGroupName);
+ assert(mName == other.mName);
+ else
+ assert(mUid == other.mUid);
if (other.mValid && (!mValid || mCreationTime < other.mCreationTime))
{
{
}
-Credential::Credential(const uid_t uid, const string &username, const string &realname, const string &groupname, bool shared) :
-RefPointer<CredentialImpl>(new CredentialImpl(uid, username, realname, groupname, shared))
+Credential::Credential(const uid_t uid, const string &username, const string &realname, bool shared) :
+RefPointer<CredentialImpl>(new CredentialImpl(uid, username, realname, shared))
{
}
{
}
-Credential::Credential(const string &right, const uid_t uid, bool shared) : RefPointer<CredentialImpl>(new CredentialImpl(right, uid, shared))
+Credential::Credential(const string &right, bool shared) : RefPointer<CredentialImpl>(new CredentialImpl(right, shared))
{
}
projects / apple / securityd.git / blobdiff