archive
/
windows-nt-4.0
mirror of https://github.com/lianthony/NT4.0
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Windows NT 4.0 source code leak
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
184 MiB
Tree: b4a8d373d8
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b4a8d373d8'
${ noResults }
windows-nt-4.0/private/sdktools/secmgr/global.c

527 lines
12 KiB
Raw Normal View History

initial commit
4 years ago
  2. /*++
  4. Copyright (c) 1994 Microsoft Corporation
  6. Module Name:
  8. Global.c
  10. Abstract:
  12. This module contains global variables available throughout
  13. SecMgr. It also contains a routine to initialize those
  14. variables.
  17. Author:
  19. Jim Kelly (JimK) 22-Sep-1994
  21. Revision History:
  23. --*/
  25. #include "secmgrp.h"
  28. ///////////////////////////////////////////////////////////////////////
  29. // //
  30. // Global Variables //
  31. // //
  32. ///////////////////////////////////////////////////////////////////////
  35. //
  36. // This variable indicates whether or not the invoking user
  37. // is an administrator.
  38. //
  40. BOOL
  41. SecMgrpAdminUser = TRUE;
  44. //
  45. // Type of product installed and running on this machine
  46. //
  48. NT_PRODUCT_TYPE
  49. SecMgrpProductType;
  52. //
  53. // This boolean will be set to TRUE if any changes have been
  54. // made to the security settings.
  55. //
  57. BOOLEAN
  58. SecMgrpChangesMade = FALSE;
  60. //
  61. // These variables contain the security level that was
  62. // in force when the utility was activated, and what the
  63. // current applied level is (according to the radio buttons).
  64. // These are used to grey and ungrey the [Apply] and [Check]
  65. // buttons. In dialoges that check and apply, CurrentLevel
  66. // is the level being checked or applied.
  67. //
  69. ULONG
  70. SecMgrpCurrentLevel,
  71. SecMgrpOriginalLevel;
  74. //
  75. // Some changes don't take effect until a re-boot has been
  76. // performed. If any of these changes are made while applying
  77. // a change, then this variable will be set to TRUE. This will
  78. // then be used to decide whether to display a message to the
  79. // user upon utility exit.
  80. //
  82. BOOLEAN
  83. SecMgrpRebootRequired = FALSE;
  86. //
  87. // Handle to our own module
  88. //
  90. HINSTANCE
  91. SecMgrphInstance = NULL;
  94. //
  95. // Name of our application
  96. // (localization must live within 100 bytes)
  97. //
  99. TCHAR
  100. SecMgrpApplicationName[100];
  104. //
  105. // Well known sids that we use
  106. //
  108. PSID
  109. SecMgrpWorldSid,
  110. SecMgrpAccountOpsSid,
  111. SecMgrpBackupOpsSid,
  112. SecMgrpPrintOpsSid,
  113. SecMgrpServerOpsSid,
  114. SecMgrpAdminsSid;
  117. //
  118. // Grouping of well-known sids by type
  119. //
  121. SECMGRP_ACCOUNTS
  122. SecMgrpAnyoneSids,
  123. SecMgrpOperatorSids,
  124. SecMgrpOpersAndAdminsSids,
  125. SecMgrpAdminsSids;
  130. ///////////////////////////////////////////////////////////////////////
  131. // //
  132. // Module-Private Prototypes //
  133. // //
  134. ///////////////////////////////////////////////////////////////////////
  136. BOOL
  137. TestTokenForAdmin( HANDLE Token );
  139. BOOL
  140. SecMgrpIsUserAdmin( VOID );
  148. ///////////////////////////////////////////////////////////////////////
  149. // //
  150. // Externally callable routines //
  151. // //
  152. ///////////////////////////////////////////////////////////////////////
  154. VOID
  155. SecMgrpInitializeGlobals(
  156. HINSTANCE hInstance
  157. )
  159. /*++
  161. Routine Description:
  163. Initialize global variables.
  166. Arguments
  168. hInstance - the HINSTANCE of our app.
  171. Return Values:
  173. None.
  175. --*/
  176. {
  177. NTSTATUS
  178. NtStatus;
  180. ULONG
  181. Index;
  183. BOOLEAN
  184. IgnoreBoolean;
  186. SID_IDENTIFIER_AUTHORITY
  187. WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY,
  188. NtAuthority = SECURITY_NT_AUTHORITY;
  190. //
  191. // Save away our hInstance
  192. //
  194. SecMgrphInstance = hInstance;
  196. //
  197. // Get our application's name
  198. //
  200. LoadString( SecMgrphInstance,
  201. SECMGRP_STRING_SECURITY_MANAGER,
  202. &SecMgrpApplicationName[0],
  203. 100
  204. );
  208. //
  209. // Initialize the sids
  210. //
  213. NtStatus = RtlAllocateAndInitializeSid(
  214. &WorldSidAuthority,
  215. 1,
  216. SECURITY_WORLD_RID,
  217. 0, 0, 0, 0, 0, 0, 0,
  218. &SecMgrpWorldSid
  219. );
  220. if (!NT_SUCCESS(NtStatus)) {
  221. KdPrint(("SecMgr: Failed to initialize world sid, status = 0x%lx", NtStatus));
  222. return;
  223. }
  226. NtStatus = RtlAllocateAndInitializeSid(
  227. &NtAuthority,
  228. 2,
  229. SECURITY_BUILTIN_DOMAIN_RID,
  230. DOMAIN_ALIAS_RID_ACCOUNT_OPS,
  231. 0, 0, 0, 0, 0, 0,
  232. &SecMgrpAccountOpsSid
  233. );
  234. if (!NT_SUCCESS(NtStatus)) {
  235. KdPrint(("SecMgr: Failed to initialize admin AcountOps sid, status = 0x%lx", NtStatus));
  236. return;
  237. }
  239. NtStatus = RtlAllocateAndInitializeSid(
  240. &NtAuthority,
  241. 2,
  242. SECURITY_BUILTIN_DOMAIN_RID,
  243. DOMAIN_ALIAS_RID_SYSTEM_OPS,
  244. 0, 0, 0, 0, 0, 0,
  245. &SecMgrpServerOpsSid
  246. );
  247. if (!NT_SUCCESS(NtStatus)) {
  248. KdPrint(("SecMgr: Failed to initialize admin ServerOps sid, status = 0x%lx", NtStatus));
  249. return;
  250. }
  252. NtStatus = RtlAllocateAndInitializeSid(
  253. &NtAuthority,
  254. 2,
  255. SECURITY_BUILTIN_DOMAIN_RID,
  256. DOMAIN_ALIAS_RID_PRINT_OPS,
  257. 0, 0, 0, 0, 0, 0,
  258. &SecMgrpPrintOpsSid
  259. );
  260. if (!NT_SUCCESS(NtStatus)) {
  261. KdPrint(("SecMgr: Failed to initialize admin PrintOps sid, status = 0x%lx", NtStatus));
  262. return;
  263. }
  265. NtStatus = RtlAllocateAndInitializeSid(
  266. &NtAuthority,
  267. 2,
  268. SECURITY_BUILTIN_DOMAIN_RID,
  269. DOMAIN_ALIAS_RID_BACKUP_OPS,
  270. 0, 0, 0, 0, 0, 0,
  271. &SecMgrpBackupOpsSid
  272. );
  273. if (!NT_SUCCESS(NtStatus)) {
  274. KdPrint(("SecMgr: Failed to initialize admin BackupOps sid, status = 0x%lx", NtStatus));
  275. return;
  276. }
  278. NtStatus = RtlAllocateAndInitializeSid(
  279. &NtAuthority,
  280. 2,
  281. SECURITY_BUILTIN_DOMAIN_RID,
  282. DOMAIN_ALIAS_RID_ADMINS,
  283. 0, 0, 0, 0, 0, 0,
  284. &SecMgrpAdminsSid
  285. );
  286. if (!NT_SUCCESS(NtStatus)) {
  287. KdPrint(("SecMgr: Failed to initialize admin alias sid, status = 0x%lx", NtStatus));
  288. return;
  289. }
  292. //
  293. // Group the sids by type
  294. //
  296. Index=0;
  297. SecMgrpAnyoneSids.Sid[Index++] = SecMgrpWorldSid;
  298. SecMgrpAnyoneSids.Accounts = Index;
  299. ASSERT(Index < SECMGRP_MAX_WELL_KNOWN_ACCOUNTS);
  301. Index=0;
  302. SecMgrpOperatorSids.Sid[Index++] = SecMgrpAccountOpsSid;
  303. SecMgrpOperatorSids.Sid[Index++] = SecMgrpBackupOpsSid;
  304. SecMgrpOperatorSids.Sid[Index++] = SecMgrpPrintOpsSid;
  305. SecMgrpOperatorSids.Sid[Index++] = SecMgrpServerOpsSid;
  306. SecMgrpOperatorSids.Accounts = Index;
  307. ASSERT(Index < SECMGRP_MAX_WELL_KNOWN_ACCOUNTS);
  309. Index=0;
  310. SecMgrpOpersAndAdminsSids.Sid[Index++] = SecMgrpAccountOpsSid;
  311. SecMgrpOpersAndAdminsSids.Sid[Index++] = SecMgrpBackupOpsSid;
  312. SecMgrpOpersAndAdminsSids.Sid[Index++] = SecMgrpPrintOpsSid;
  313. SecMgrpOpersAndAdminsSids.Sid[Index++] = SecMgrpServerOpsSid;
  314. SecMgrpOpersAndAdminsSids.Sid[Index++] = SecMgrpAdminsSid;
  315. SecMgrpOpersAndAdminsSids.Accounts = Index;
  316. ASSERT(Index < SECMGRP_MAX_WELL_KNOWN_ACCOUNTS);
  318. Index=0;
  319. SecMgrpAdminsSids.Sid[Index++] = SecMgrpAdminsSid;
  320. SecMgrpAdminsSids.Accounts = Index;
  321. ASSERT(Index < SECMGRP_MAX_WELL_KNOWN_ACCOUNTS);
  326. //
  327. // Make sure we are an admin
  328. //
  330. if (!SecMgrpIsUserAdmin()) {
  332. //
  333. // The invoking user is not an admin.
  334. // This utility is only for use by administrators.
  335. //
  337. SecMgrpAdminUser = FALSE;
  338. }
  341. //
  342. // Get the product type
  343. //
  345. IgnoreBoolean = RtlGetNtProductType( &SecMgrpProductType );
  346. ASSERT(IgnoreBoolean == TRUE);
  349. //
  350. // We don't yet know our security level, so set it to zero.
  351. //
  353. SecMgrpCurrentLevel = 0;
  354. SecMgrpOriginalLevel = 0;
  357. }
  363. ///////////////////////////////////////////////////////////////////////
  364. // //
  365. // Module-Private Functions //
  366. // //
  367. ///////////////////////////////////////////////////////////////////////
  371. BOOL
  372. SecMgrpIsUserAdmin( VOID )
  373. /*++
  375. Routine Description:
  377. Checks to see if the current process has administrator
  378. capabilities.
  381. Arguments
  383. None.
  386. Return Values:
  388. TRUE - The process has and administrator capabilities.
  390. FALSE - The process does NOT have administrator capabilities.
  392. --*/
  393. {
  394. NTSTATUS
  395. NtStatus;
  397. HANDLE
  398. Token;
  400. BOOL
  401. IsAdmin;
  403. NtStatus = NtOpenProcessToken( NtCurrentProcess(),
  404. TOKEN_QUERY,
  405. &Token
  406. );
  407. if (!NT_SUCCESS(NtStatus)) {
  408. return(FALSE);
  409. }
  411. IsAdmin = TestTokenForAdmin( Token );
  413. NtStatus = NtClose( Token );
  415. return( IsAdmin );
  417. }
  421. BOOL
  422. TestTokenForAdmin(
  423. HANDLE Token
  424. )
  425. /*++
  427. Routine Description:
  429. Checks to see if the passed token is an administrator's token
  430. or not. A token is an administrator's token if it contains
  431. the Administrators local group.
  434. Arguments
  436. Token - Handle to token to test for admin.
  439. Return Values:
  441. TRUE - The token IS and administrator's.
  443. FALSE - The token is NOT an administrator's
  445. --*/
  446. {
  447. NTSTATUS
  448. NtStatus;
  450. ULONG
  451. InfoLength;
  453. PTOKEN_GROUPS
  454. TokenGroupList;
  456. ULONG
  457. GroupIndex;
  459. BOOL
  460. FoundAdmin;
  465. //
  466. // Get a list of groups in the token
  467. //
  469. NtStatus = NtQueryInformationToken(
  470. Token, // Handle
  471. TokenGroups, // TokenInformationClass
  472. NULL, // TokenInformation
  473. 0, // TokenInformationLength
  474. &InfoLength // ReturnLength
  475. );
  477. if ((NtStatus != STATUS_SUCCESS) && (NtStatus != STATUS_BUFFER_TOO_SMALL)) {
  479. KdPrint(("SecMgr: failed to get group info for admin token, status = 0x%lx", NtStatus));
  480. return(FALSE);
  481. }
  484. TokenGroupList = LocalAlloc( LPTR, InfoLength);
  486. if (TokenGroupList == NULL) {
  487. KdPrint(("SecMgr: unable to allocate memory for token groups"));
  488. return(FALSE);
  489. }
  491. NtStatus = NtQueryInformationToken(
  492. Token, // Handle
  493. TokenGroups, // TokenInformationClass
  494. TokenGroupList, // TokenInformation
  495. InfoLength, // TokenInformationLength
  496. &InfoLength // ReturnLength
  497. );
  499. if (!NT_SUCCESS(NtStatus)) {
  500. KdPrint(("SecMgr: failed to query groups for admin token, status = 0x%lx", NtStatus));
  501. LocalFree(TokenGroupList);
  502. return(FALSE);
  503. }
  506. //
  507. // Search group list for admin alias
  508. //
  510. FoundAdmin = FALSE;
  512. for (GroupIndex=0; GroupIndex < TokenGroupList->GroupCount; GroupIndex++ ) {
  514. if (RtlEqualSid(TokenGroupList->Groups[GroupIndex].Sid, SecMgrpAdminsSid)) {
  515. FoundAdmin = TRUE;
  516. break;
  517. }
  518. }
  520. //
  521. // Tidy up
  522. //
  524. LocalFree(TokenGroupList);
  526. return(FoundAdmin);
  527. }