From: Kruti Pendharkar Date: Wed, 6 Aug 2025 06:34:17 +0000 (-0700) Subject: Change to common source files not applicable to open-vm-tools. X-Git-Tag: stable-13.1.0~90 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=4434134a5259ab8178172fc83aba7948fbbe500d;p=thirdparty%2Fopen-vm-tools.git Change to common source files not applicable to open-vm-tools.
---
diff --git a/open-vm-tools/services/plugins/vix/vixTools.c b/open-vm-tools/services/plugins/vix/vixTools.c
index 8b9465605..d704f0e9c 100644
--- a/open-vm-tools/services/plugins/vix/vixTools.c
+++ b/open-vm-tools/services/plugins/vix/vixTools.c
@@ -1,5 +1,5 @@
 /*********************************************************
- * Copyright (c) 2007-2024 Broadcom. All Rights Reserved.
+ * Copyright (c) 2007-2025 Broadcom. All Rights Reserved.
 * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -222,6 +222,20 @@ static VGAuthUserHandle *currentUserHandle = NULL;
 #define USE_REMOTE_THREAD_PROCESS_COMMAND_LINE_DEFAULT FALSE
 #define USE_WMI_PROCESS_COMMAND_LINE_DEFAULT FALSE
+
+/*
+ * For extra security, a tools.conf setting can be set to require that guest
+ * ops requests that gain access to the system through a network logon require
+ * that the requesting user have RDP access. By default this is not required.
+ *
+ * Note RDP access is never required for a guest ops request that gains access
+ * via a batch or interactive logon.
+ */
+#define VIXTOOLS_CONFIG_REQUIRE_RDP_WITH_NETWORK_LOGON \
+ "requireRDPAccessWithNetworkLogon"
+
+#define VIXTOOLS_CONFIG_REQUIRE_RDP_WITH_NETWORK_LOGON_DEFAULT FALSE
+
 #endif
 /*
@@ -11750,7 +11764,7 @@ GuestAuthEnabled(void)
 * the GuestAuth library.
 *
 * Results:
- * VIX_OK if successful.Other VixError code otherwise.
+ * VIX_OK if successful, otherwise some other VixError code.
 *
 * Side effects:
 * Current process impersonates.
@@ -11774,10 +11788,6 @@ GuestAuthPasswordAuthenticateImpersonate(
 VGAuthExtraParams extraParams[1];
 Bool impersonated = FALSE;
- extraParams[0].name = VGAUTH_PARAM_LOAD_USER_PROFILE;
- extraParams[0].value = loadUserProfile ? VGAUTH_PARAM_VALUE_TRUE :
- VGAUTH_PARAM_VALUE_FALSE;
-
 err = VixMsg_DeObfuscateNamePassword(obfuscatedNamePassword,
 &username,
 &password);
@@ -11793,14 +11803,34 @@ GuestAuthPasswordAuthenticateImpersonate(
 goto done;
 }
+#if defined(_WIN32)
+ extraParams[0].name = VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON;
+ extraParams[0].value =
+ VMTools_ConfigGetBoolean(gConfDictRef,
+ VIX_TOOLS_CONFIG_API_GROUPNAME,
+ VIXTOOLS_CONFIG_REQUIRE_RDP_WITH_NETWORK_LOGON,
+ VIXTOOLS_CONFIG_REQUIRE_RDP_WITH_NETWORK_LOGON_DEFAULT) ?
+ VGAUTH_PARAM_VALUE_TRUE : VGAUTH_PARAM_VALUE_FALSE;
+
+#endif
+
 vgErr = VGAuth_ValidateUsernamePassword(ctx, username, password,
+#if defined(_WIN32)
+ (int)ARRAYSIZE(extraParams),
+ extraParams,
+#else
 0, NULL,
+#endif
 &newHandle);
 if (VGAUTH_FAILED(vgErr)) {
 err = VixToolsTranslateVGAuthError(vgErr);
 goto done;
 }
+ extraParams[0].name = VGAUTH_PARAM_LOAD_USER_PROFILE;
+ extraParams[0].value = loadUserProfile ? VGAUTH_PARAM_VALUE_TRUE :
+ VGAUTH_PARAM_VALUE_FALSE;
+
 vgErr = VGAuth_Impersonate(ctx, newHandle,
 (int)ARRAYSIZE(extraParams),
 extraParams);
@@ -11859,7 +11889,7 @@ done:
 * the GuestAuth library.
 *
 * Results:
- * VIX_OK if successful. Other VixError code otherwise.
+ * VIX_OK if successful, otherwise some other VixError code.
 *
 * Side effects:
 * Current process impersonates.
diff --git a/open-vm-tools/tools.conf b/open-vm-tools/tools.conf
index 93ab4e41a..1a693cbeb 100644
--- a/open-vm-tools/tools.conf
+++ b/open-vm-tools/tools.conf
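Review bot: In the `@@ -11793` hunk the one-element `extraParams` array is filled twice with unrelated parameters, first `VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON` for `VGAuth_ValidateUsernamePassword` and then `VGAUTH_PARAM_LOAD_USER_PROFILE` for `VGAuth_Impersonate`, so the impersonation call is only correct while the second assignment stays between the two calls. Separate arrays would remove that ordering dependency, e.g. `VGAuthExtraParams validateParams[1];` and `VGAuthExtraParams impersonateParams[1];`. Because the option gates an access check and defaults to FALSE, it would also help to log the value read from tools.conf, so that a misspelled key does not leave the check off unnoticed; whether `VMTools_ConfigGetBoolean` already reports a fallback to the default is not visible here. `GuestAuthPasswordAuthenticateImpersonate` starts and ends outside this hunk.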
@@ -460,6 +460,11 @@
 # Whether to use vgauth for guest op authentication
 #useVGAuth=true
+# On Windows guests, specifies whether Remote Desktop access is required
+# to perform guest operations when a user account has network access but
+# not local or batch job log on permissions. Defaults to false.
+#requireRDPAccessWithNetworkLogon=false
+
 [autoupgrade]
 # The "allow-upgrade" option controls whether automatic upgrades (or reinstalls)
diff --git a/open-vm-tools/vgauth/lib/VGAuthInt.h b/open-vm-tools/vgauth/lib/VGAuthInt.h
index 49efa85f0..61affaf54 100644
--- a/open-vm-tools/vgauth/lib/VGAuthInt.h
+++ b/open-vm-tools/vgauth/lib/VGAuthInt.h
@@ -1,5 +1,6 @@
 /*********************************************************
- * Copyright (c) 2011-2017,2023 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published
@@ -287,6 +288,9 @@ VGAuthError VGAuth_NetworkReadBytes(VGAuthContext *ctx,
 VGAuthError VGAuthValidateUsernamePasswordImpl(VGAuthContext *ctx,
 const char *userName,
 const char *password,
+ const int numExtraParams,
+ const VGAuthExtraParams
+ *extraParams,
 VGAuthUserHandle **handle);
 #ifdef UNITTEST
diff --git a/open-vm-tools/vgauth/lib/auth.c b/open-vm-tools/vgauth/lib/auth.c
index fd4a78539..fe868c24a 100644
--- a/open-vm-tools/vgauth/lib/auth.c
+++ b/open-vm-tools/vgauth/lib/auth.c
@@ -1,5 +1,6 @@
 /*********************************************************
- * Copyright (c) 2011-2017,2023 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published
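Review bot: The `const` added to `numExtraParams` in the `VGAuthValidateUsernamePasswordImpl` prototype (`@@ -287` in VGAuthInt.h) is a top-level qualifier on a by-value parameter, so it changes nothing for callers and only lengthens the declaration; `int numExtraParams,` would read the same as the rest of the API. If the qualifier is wanted as a guard inside the function bodies, it can stay on the definitions in auth.c and authPosix.c, which this commit changes in the same way.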
@@ -543,8 +544,7 @@ done:
 * @param[in] password The password to be validated.
 * @param[in] numExtraParams The number of elements in extraParams.
 * @param[in] extraParams Any optional, additional paramaters to the
- * function. Currently none are supported, so this
- * must be NULL.
+ * function.
 * @param[out] handle The resulting handle representing the user
 * associated with @a userName.
 * Must be freed with VGAuth_UserHandleFree().
@@ -560,7 +560,7 @@ VGAuthError
 VGAuth_ValidateUsernamePassword(VGAuthContext *ctx,
 const char *userName,
 const char *password,
- int numExtraParams,
+ const int numExtraParams,
 const VGAuthExtraParams *extraParams,
 VGAuthUserHandle **handle)
 {
@@ -587,14 +587,15 @@ VGAuth_ValidateUsernamePassword(VGAuthContext *ctx,
 return VGAUTH_E_INVALID_ARGUMENT;
 }
- err = VGAuthValidateExtraParams(numExtraParams, extraParams);
- if (VGAUTH_E_OK != err) {
- return err;
- }
-
+ /*
+ * numExtraParams and extraParams need to be validated before use. No need
+ * to validate them here since they're just passed through.
+ */
 err = VGAuthValidateUsernamePasswordImpl(ctx,
 userName,
 password,
+ numExtraParams,
+ extraParams,
 handle);
 if (VGAUTH_E_OK == err) {
diff --git a/open-vm-tools/vgauth/lib/authPosix.c b/open-vm-tools/vgauth/lib/authPosix.c
index c19491c19..1f22a2102 100644
--- a/open-vm-tools/vgauth/lib/authPosix.c
+++ b/open-vm-tools/vgauth/lib/authPosix.c
@@ -1,5 +1,6 @@
 /*********************************************************
- * Copyright (C) 2011-2017, 2019, 2021 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published
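Review bot: The `extraParams` description in the `@@ -543` hunk no longer says the argument must be NULL, but it does not say what is accepted instead. The doc comment should name the supported parameter and its platform scope, for example ` * function. VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON` followed by ` * is recognized on Windows guests.`, plus a line on how other platforms treat it. The context line above still reads "paramaters", and the same spelling is newly added in authPosix.c, so both could be corrected to "parameters". The comment block starts and ends outside the hunk.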
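Review bot: Removing the `VGAuthValidateExtraParams` call from the public entry point in the `@@ -587` hunk means a malformed `numExtraParams`/`extraParams` pair is rejected only if every platform implementation remembers to check it. This diff adds the check to authPosix.c, but the Windows implementation is not part of it, so that side cannot be confirmed from here. Unless the shared validator would reject the new parameter, the check is cheap enough to keep at the API boundary as well: `err = VGAuthValidateExtraParams(numExtraParams, extraParams);` followed by `if (VGAUTH_E_OK != err) { return err; }`. Failing that, the new comment should name the function that performs the validation. `VGAuth_ValidateUsernamePassword` begins and ends outside this hunk.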
@@ -240,11 +241,15 @@ static struct pam_conv PAM_conversation = {
 *
 * Validates a username/password.
 *
- * @param[in] ctx The VGAuthContext.
- * @param[in] userName The username to be validated.
- * @param[in] password The password to be validated.
- * @param[out] handle The resulting handle representing the user
- * associated with the username.
+ * @param[in] ctx The VGAuthContext.
+ * @param[in] userName The username to be validated.
+ * @param[in] password The password to be validated.
+ * @param[in] numExtraParams The number of elements in extraParams.
+ * @param[in] extraParams Any optional, additional paramaters to the
+ * function. Currently none are supported, so this
+ * must be NULL.
+ * @param[out] handle The resulting handle representing the user
+ * associated with the username.
 *
 * @return VGAUTH_E_OK on success, VGAuthError on failure
 *
@@ -255,6 +260,8 @@ VGAuthError
 VGAuthValidateUsernamePasswordImpl(VGAuthContext *ctx,
 const char *userName,
 const char *password,
+ const int numExtraParams,
+ const VGAuthExtraParams *extraParams,
 VGAuthUserHandle **handle)
 {
 #ifdef USE_PAM
@@ -266,6 +273,11 @@ VGAuthValidateUsernamePasswordImpl(VGAuthContext *ctx,
 struct passwd *pwd;
 #endif
+ err = VGAuthValidateExtraParams(numExtraParams, extraParams);
+ if (VGAUTH_E_OK != err) {
+ return err;
+ }
+
 #ifdef USE_PAM
 if (!AuthLoadPAM()) {
 return VGAUTH_E_FAIL;
diff --git a/open-vm-tools/vgauth/public/VGAuthAuthentication.h b/open-vm-tools/vgauth/public/VGAuthAuthentication.h
index e19fe4764..d0c5b776e 100644
--- a/open-vm-tools/vgauth/public/VGAuthAuthentication.h
+++ b/open-vm-tools/vgauth/public/VGAuthAuthentication.h
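Review bot: The doc comment added in the `@@ -240` hunk says no extra parameters are supported and `extraParams` must be NULL, yet the code added in the `@@ -266` hunk only calls `VGAuthValidateExtraParams`, and whether that helper rejects a non-NULL array is not visible in this diff. If it only checks that the array is well formed, a caller that passes `VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON` on a POSIX guest gets success with the parameter silently ignored. Either enforce the documented contract with `if (numExtraParams != 0 || extraParams != NULL) { return VGAUTH_E_INVALID_ARGUMENT; }`, or reword the comment to say that parameters are validated and then ignored on this platform. The function body continues outside the hunk, so the declaration of `err` cannot be seen from here.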
@@ -1,5 +1,6 @@
 /*********************************************************
- * Copyright (c) 2011-2019,2023 VMware, Inc. All rights reserved.
+ * Copyright (c) 2011-2025 Broadcom. All Rights Reserved.
+ * The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published
@@ -150,6 +151,9 @@ VGAuthError VGAuth_RevokeTicket(VGAuthContext *ctx,
 /* Name/Password authentication APIs */
+#define VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON \
+ "requireRDPAccessWithNetworkLogon"
+
 /*
 * If the password is valid for userName, returns a VGAuthUserHandle.
 */
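Review bot: `VGAUTH_PARAM_REQUIRE_RDP_ACCESS_WITH_NETWORK_LOGON` is added to the public header in the `@@ -150` hunk without a comment, unlike the declaration that follows it. A short comment would tell API users what the parameter does and which values it takes, e.g. `/* Extra param for VGAuth_ValidateUsernamePassword(): when VGAUTH_PARAM_VALUE_TRUE on Windows, a user authenticated through a network logon must also have RDP access. */`. That wording is taken from the comment this commit adds in vixTools.c and should be checked against the Windows implementation, which is not in this diff.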