/*********************************************************
- * Copyright (c) 2007-2024 Broadcom. All Rights Reserved.
+ * Copyright (c) 2007-2025 Broadcom. All Rights Reserved.
* The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
*
* This program is free software; you can redistribute it and/or modify it
#define USE_REMOTE_THREAD_PROCESS_COMMAND_LINE_DEFAULT FALSE
#define USE_WMI_PROCESS_COMMAND_LINE_DEFAULT FALSE
+
+/*
+ * For extra security, a tools.conf setting can be set to require that guest
+ * ops requests that gain access to the system through a network logon require
+ * that the requesting user have RDP access. By default this is not required.
+ *
+ * Note RDP access is never required for a guest ops request that gains access
+ * via a batch or interactive logon.
+ */
+#define VIXTOOLS_CONFIG_REQUIRE_RDP_WITH_NETWORK_LOGON \
+ "requireRDPAccessWithNetworkLogon"
+
+#define VIXTOOLS_CONFIG_REQUIRE_RDP_WITH_NETWORK_LOGON_DEFAULT FALSE
+
#endif
/*
* the GuestAuth library.
*
* Results:
- * VIX_OK if successful.Other VixError code otherwise.
+ * VIX_OK if successful, otherwise some other VixError code.
*
* Side effects:
* Current process impersonates.
VGAuthExtraParams extraParams[1];
Bool impersonated = FALSE;
- extraParams[0].name = VGAUTH_PARAM_LOAD_USER_PROFILE;
- extraParams[0].value = loadUserProfile ? VGAUTH_PARAM_VALUE_TRUE :
- VGAUTH_PARAM_VALUE_FALSE;
-
err = VixMsg_DeObfuscateNamePassword(obfuscatedNamePassword,
&username,
&password);
goto done;
}
+#if defined(_WIN32)
+ extraParams[0].name = VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON;
+ extraParams[0].value =
+ VMTools_ConfigGetBoolean(gConfDictRef,
+ VIX_TOOLS_CONFIG_API_GROUPNAME,
+ VIXTOOLS_CONFIG_REQUIRE_RDP_WITH_NETWORK_LOGON,
+ VIXTOOLS_CONFIG_REQUIRE_RDP_WITH_NETWORK_LOGON_DEFAULT) ?
+ VGAUTH_PARAM_VALUE_TRUE : VGAUTH_PARAM_VALUE_FALSE;
+
+#endif
+
vgErr = VGAuth_ValidateUsernamePassword(ctx, username, password,
+#if defined(_WIN32)
+ (int)ARRAYSIZE(extraParams),
+ extraParams,
+#else
0, NULL,
+#endif
&newHandle);
if (VGAUTH_FAILED(vgErr)) {
err = VixToolsTranslateVGAuthError(vgErr);
goto done;
}
+ extraParams[0].name = VGAUTH_PARAM_LOAD_USER_PROFILE;
+ extraParams[0].value = loadUserProfile ? VGAUTH_PARAM_VALUE_TRUE :
+ VGAUTH_PARAM_VALUE_FALSE;
+
vgErr = VGAuth_Impersonate(ctx, newHandle,
(int)ARRAYSIZE(extraParams),
extraParams);
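Review bot: The one-element `extraParams` array now serves two unrelated parameter sets: it carries `VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON` into `VGAuth_ValidateUsernamePassword` and is then overwritten with `VGAUTH_PARAM_LOAD_USER_PROFILE` for `VGAuth_Impersonate`, with both calls sized by `ARRAYSIZE(extraParams)`. This is correct only while each call takes exactly one parameter; growing the array for one call would hand the other a stale or unset slot. Separate arrays, e.g. `VGAuthExtraParams validateParams[1];` and `VGAuthExtraParams impersonateParams[1];`, would keep the logon-policy input independent of the impersonation options. The declaration and the rest of the function lie outside this hunk, and whether `gConfDictRef` can be NULL when `VMTools_ConfigGetBoolean` is reached is not visible here, so that is worth confirming.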
* the GuestAuth library.
*
* Results:
- * VIX_OK if successful. Other VixError code otherwise.
+ * VIX_OK if successful, otherwise some other VixError code.
*
* Side effects:
* Current process impersonates.
# Whether to use vgauth for guest op authentication
#useVGAuth=true
+# On Windows guests, specifies whether Remote Desktop access is required
+# to perform guest operations when a user account has network access but
+# not local or batch job log on permissions. Defaults to false.
+#requireRDPAccessWithNetworkLogon=false
+
[autoupgrade]
# The "allow-upgrade" option controls whether automatic upgrades (or reinstalls)
/*********************************************************
- * Copyright (c) 2011-2017,2023 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
VGAuthError VGAuthValidateUsernamePasswordImpl(VGAuthContext *ctx,
const char *userName,
const char *password,
+ const int numExtraParams,
+ const VGAuthExtraParams
+ *extraParams,
VGAuthUserHandle **handle);
#ifdef UNITTEST
/*********************************************************
- * Copyright (c) 2011-2017,2023 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
* @param[in] password The password to be validated.
* @param[in] numExtraParams The number of elements in extraParams.
* @param[in] extraParams Any optional, additional paramaters to the
- * function. Currently none are supported, so this
- * must be NULL.
+ * function.
* @param[out] handle The resulting handle representing the user
* associated with @a userName.
* Must be freed with VGAuth_UserHandleFree().
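Review bot: The API comment no longer tells callers which extra parameters are accepted: the old "none are supported, must be NULL" text is cut down to "function." without naming `VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON`. I would name it here, with the `VGAUTH_PARAM_VALUE_TRUE`/`VGAUTH_PARAM_VALUE_FALSE` values the caller in this commit passes, and state that the caller only supplies it on Windows. The same gap applies to the new `#define` in the public header hunk at the end of the commit, which has no comment; something like `/* Extra param for VGAuth_ValidateUsernamePassword(): when TRUE, a network logon also requires RDP access (Windows). */` would do. The context line above also spells "paramaters", which could be fixed while touching this comment.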
VGAuth_ValidateUsernamePassword(VGAuthContext *ctx,
const char *userName,
const char *password,
- int numExtraParams,
+ const int numExtraParams,
const VGAuthExtraParams *extraParams,
VGAuthUserHandle **handle)
{
return VGAUTH_E_INVALID_ARGUMENT;
}
- err = VGAuthValidateExtraParams(numExtraParams, extraParams);
- if (VGAUTH_E_OK != err) {
- return err;
- }
-
+ /*
+ * numExtraParams and extraParams need to be validated before use. No need
+ * to validate them here since they're just passed through.
+ */
err = VGAuthValidateUsernamePasswordImpl(ctx,
userName,
password,
+ numExtraParams,
+ extraParams,
handle);
if (VGAUTH_E_OK == err) {
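Review bot: With the `VGAuthValidateExtraParams` call removed from this entry point, nothing in the public API checks `numExtraParams`/`extraParams` any more, so every platform's `VGAuthValidateUsernamePasswordImpl` has to do it. The POSIX implementation later in this commit adds the call, but the Windows implementation, which is the one that would actually consume the RDP parameter, is not among the visible hunks; confirm it validates the array before its first read. The new comment would be clearer if it said where the check lives, e.g. `/* extraParams are validated by each platform's VGAuthValidateUsernamePasswordImpl(). */`. The function body starts before and continues past this hunk.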
/*********************************************************
- * Copyright (C) 2011-2017, 2019, 2021 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
*
* Validates a username/password.
*
- * @param[in] ctx The VGAuthContext.
- * @param[in] userName The username to be validated.
- * @param[in] password The password to be validated.
- * @param[out] handle The resulting handle representing the user
- * associated with the username.
+ * @param[in] ctx The VGAuthContext.
+ * @param[in] userName The username to be validated.
+ * @param[in] password The password to be validated.
+ * @param[in] numExtraParams The number of elements in extraParams.
+ * @param[in] extraParams Any optional, additional paramaters to the
+ * function. Currently none are supported, so this
+ * must be NULL.
+ * @param[out] handle The resulting handle representing the user
+ * associated with the username.
*
* @return VGAUTH_E_OK on success, VGAuthError on failure
*
VGAuthValidateUsernamePasswordImpl(VGAuthContext *ctx,
const char *userName,
const char *password,
+ const int numExtraParams,
+ const VGAuthExtraParams *extraParams,
VGAuthUserHandle **handle)
{
#ifdef USE_PAM
struct passwd *pwd;
#endif
+ err = VGAuthValidateExtraParams(numExtraParams, extraParams);
+ if (VGAUTH_E_OK != err) {
+ return err;
+ }
+
#ifdef USE_PAM
if (!AuthLoadPAM()) {
return VGAUTH_E_FAIL;
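Review bot: The doc comment added for this POSIX implementation says `extraParams` "must be NULL", but the only check visible here is `VGAuthValidateExtraParams(numExtraParams, extraParams)`, and whether that rejects a non-NULL array cannot be seen from this hunk. If it only checks that the array is well formed, a caller passing `requireRDPAccessWithNetworkLogon` on this platform would have a security-relevant option silently ignored. Either reject it explicitly, e.g. `if (numExtraParams != 0 || extraParams != NULL) return VGAUTH_E_INVALID_ARGUMENT;`, or reword the comment to say the parameters are accepted and ignored here. The declaration of `err` is outside the hunk, and the added comment line repeats the "paramaters" typo.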
/*********************************************************
- * Copyright (c) 2011-2019,2023 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as published
/* Name/Password authentication APIs */
+#define VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON \
+ "requireRDPAccessWithNetworkLogon"
+
/*
* If the password is valid for userName, returns a VGAuthUserHandle.
*/