archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/admin/dscmd/secutil.cpp

562 lines
15 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 2000
  5. //
  6. // File: SecUtil.cpp
  7. //
  8. // Contents: Utility functions for working with security APIs
  9. //
  10. // History: 15-Sep-2000 JeffJon Created
  11. //
  12. //
  13. //--------------------------------------------------------------------------
  15. #include "pch.h"
  17. #include "secutil.h"
  19. extern const GUID GUID_CONTROL_UserChangePassword =
  20. { 0xab721a53, 0x1e2f, 0x11d0, { 0x98, 0x19, 0x00, 0xaa, 0x00, 0x40, 0x52, 0x9b}};
  22. //+--------------------------------------------------------------------------
  23. //
  24. // Member: CSimpleSecurityDescriptorHolder::CSimpleSecurityDescriptorHolder
  25. //
  26. // Synopsis: Constructor for the smart security descriptor
  27. //
  28. // Arguments:
  29. //
  30. // Returns:
  31. //
  32. // History: 15-Sep-2000 JeffJon Created
  33. //
  34. //---------------------------------------------------------------------------
  35. CSimpleSecurityDescriptorHolder::CSimpleSecurityDescriptorHolder()
  36. {
  37. m_pSD = NULL;
  38. }
  40. //+--------------------------------------------------------------------------
  41. //
  42. // Member: CSimpleSecurityDescriptorHolder::~CSimpleSecurityDescriptorHolder
  43. //
  44. // Synopsis: Destructor for the smart security descriptor
  45. //
  46. // Arguments:
  47. //
  48. // Returns:
  49. //
  50. // History: 15-Sep-2000 JeffJon Created
  51. //
  52. //---------------------------------------------------------------------------
  53. CSimpleSecurityDescriptorHolder::~CSimpleSecurityDescriptorHolder()
  54. {
  55. if (m_pSD != NULL)
  56. {
  57. ::LocalFree(m_pSD);
  58. m_pSD = NULL;
  59. }
  60. }
  63. ////////////////////////////////////////////////////////////////////////////////
  65. //+--------------------------------------------------------------------------
  66. //
  67. // Member: CSidHolder::CSidHolder
  68. //
  69. // Synopsis: Constructor : initializes the member data
  70. //
  71. // Arguments:
  72. //
  73. // Returns:
  74. //
  75. // History: 15-Sep-2000 JeffJon Created
  76. //
  77. //---------------------------------------------------------------------------
  78. CSidHolder::CSidHolder()
  79. {
  80. _Init();
  81. }
  83. //+--------------------------------------------------------------------------
  84. //
  85. // Member: CSidHolder::~CSidHolder
  86. //
  87. // Synopsis: Destructor : Frees all data associated with the wrapped SID
  88. //
  89. // Arguments:
  90. //
  91. // Returns:
  92. //
  93. // History: 15-Sep-2000 JeffJon Created
  94. //
  95. //---------------------------------------------------------------------------
  96. CSidHolder::~CSidHolder()
  97. {
  98. _Free();
  99. }
  101. //+--------------------------------------------------------------------------
  102. //
  103. // Member: CSidHolder::Get
  104. //
  105. // Synopsis: Public accessor to the SID being wrapped
  106. //
  107. // Arguments:
  108. //
  109. // Returns: PSID : pointer to the SID being wrapped. NULL if the class
  110. // is not currently wrapping a SID
  111. //
  112. // History: 15-Sep-2000 JeffJon Created
  113. //
  114. //---------------------------------------------------------------------------
  115. PSID CSidHolder::Get()
  116. {
  117. return m_pSID;
  118. }
  120. //+--------------------------------------------------------------------------
  121. //
  122. // Member: CSidHolder::Copy
  123. //
  124. // Synopsis: Frees the memory associated with the currently wrapped SID
  125. // and then copies the new SID
  126. //
  127. // Arguments: [p - IN] : SID to be copied
  128. //
  129. // Returns: bool : true if the copy was successful, false otherwise
  130. //
  131. // History: 15-Sep-2000 JeffJon Created
  132. //
  133. //---------------------------------------------------------------------------
  134. bool CSidHolder::Copy(PSID p)
  135. {
  136. _Free();
  137. return _Copy(p);
  138. }
  140. //+--------------------------------------------------------------------------
  141. //
  142. // Member: CSidHolder::Attach
  143. //
  144. // Synopsis: Attaches the SID to the wrapper
  145. //
  146. // Arguments: [p - IN] : SID to be wrapped by this class
  147. // [bLocalAlloc - OUT] : tells whether the SID should be freed
  148. // with LocalFree
  149. //
  150. // Returns:
  151. //
  152. // History: 15-Sep-2000 JeffJon Created
  153. //
  154. //---------------------------------------------------------------------------
  155. void CSidHolder::Attach(PSID p, bool bLocalAlloc)
  156. {
  157. _Free();
  158. m_pSID = p;
  159. m_bLocalAlloc = bLocalAlloc;
  160. }
  162. //+--------------------------------------------------------------------------
  163. //
  164. // Member: CSidHolder::Clear
  165. //
  166. // Synopsis: Frees the memory associated with the SID being wrapped
  167. //
  168. // Arguments:
  169. //
  170. // Returns:
  171. //
  172. // History: 15-Sep-2000 JeffJon Created
  173. //
  174. //---------------------------------------------------------------------------
  175. void CSidHolder::Clear()
  176. {
  177. _Free();
  178. }
  181. //+--------------------------------------------------------------------------
  182. //
  183. // Member: CSidHolder::_Init
  184. //
  185. // Synopsis: Initializes the member data to default values
  186. //
  187. // Arguments:
  188. //
  189. // Returns:
  190. //
  191. // History: 15-Sep-2000 JeffJon Created
  192. //
  193. //---------------------------------------------------------------------------
  194. void CSidHolder::_Init()
  195. {
  196. m_pSID = NULL;
  197. m_bLocalAlloc = TRUE;
  198. }
  200. //+--------------------------------------------------------------------------
  201. //
  202. // Member: CSidHolder::_Free
  203. //
  204. // Synopsis: Frees the memory associated with the SID being wrapped
  205. //
  206. // Arguments:
  207. //
  208. // Returns:
  209. //
  210. // History: 15-Sep-2000 JeffJon Created
  211. //
  212. //---------------------------------------------------------------------------
  213. void CSidHolder::_Free()
  214. {
  215. if (m_pSID != NULL)
  216. {
  217. if (m_bLocalAlloc)
  218. {
  219. ::LocalFree(m_pSID);
  220. }
  221. else
  222. {
  223. ::FreeSid(m_pSID);
  224. _Init();
  225. }
  226. }
  227. }
  229. //+--------------------------------------------------------------------------
  230. //
  231. // Member: CSidHolder::_Copy
  232. //
  233. // Synopsis: Makes a copy of the SID being wrapped
  234. //
  235. // Arguments: [p - OUT] : destination of the SID being copied
  236. //
  237. // Returns: bool : true if SID was copied successfully
  238. // false if there was a failure
  239. //
  240. // History: 15-Sep-2000 JeffJon Created
  241. //
  242. //---------------------------------------------------------------------------
  243. bool CSidHolder::_Copy(PSID p)
  244. {
  245. if ( (p == NULL) || !::IsValidSid(p) )
  246. {
  247. return false;
  248. }
  250. DWORD dwLen = ::GetLengthSid(p);
  251. PSID pNew = ::LocalAlloc(LPTR, dwLen);
  252. if (pNew == NULL)
  253. {
  254. return false;
  255. }
  257. //Security Review:This is fine. Buffer is correctly allocated.
  258. if (!::CopySid(dwLen, pNew, p))
  259. {
  260. ::LocalFree(pNew);
  261. return false;
  262. }
  263. m_bLocalAlloc = TRUE;
  264. m_pSID = pNew;
  266. ASSERT(dwLen == ::GetLengthSid(m_pSID));
  267. ASSERT(memcmp(p, m_pSID, dwLen) == 0);
  268. return true;
  269. }
  272. //+---------------------------------------------------------------------------
  273. //
  274. // Function: SetSecurityInfoMask
  275. //
  276. // Synopsis: Reads the security descriptor from the specied DS object
  277. //
  278. // Arguments: [IN punk] -- IUnknown from IDirectoryObject
  279. // [IN si] -- SecurityInformation
  280. //// History: 25-Dec-2000 -- Hiteshr Created
  281. //----------------------------------------------------------------------------
  282. HRESULT
  283. SetSecurityInfoMask(LPUNKNOWN punk, SECURITY_INFORMATION si)
  284. {
  285. HRESULT hr = E_INVALIDARG;
  286. if (punk)
  287. {
  288. IADsObjectOptions *pOptions;
  289. hr = punk->QueryInterface(IID_IADsObjectOptions, (void**)&pOptions);
  290. if (SUCCEEDED(hr))
  291. {
  292. VARIANT var;
  293. VariantInit(&var);
  294. V_VT(&var) = VT_I4;
  295. V_I4(&var) = si;
  296. hr = pOptions->SetOption(ADS_OPTION_SECURITY_MASK, var);
  297. pOptions->Release();
  298. }
  299. }
  300. return hr;
  301. }
  303. WCHAR const c_szSDProperty[] = L"nTSecurityDescriptor";
  306. //+---------------------------------------------------------------------------
  307. //
  308. // Function: DSReadObjectSecurity
  309. //
  310. // Synopsis: Reads the Dacl from the specied DS object
  311. //
  312. // Arguments: [in pDsObject] -- IDirettoryObject for dsobject
  313. // [psdControl] -- Control Setting for SD
  314. // They can be returned when calling
  315. // DSWriteObjectSecurity
  316. // [OUT ppDacl] -- DACL returned here
  317. //
  318. //
  319. // History 25-Oct-2000 -- hiteshr created
  320. //
  321. // Notes: If Object Doesn't have DACL, function will succeed but *ppDacl will
  322. // be NULL.
  323. // Caller must free *ppDacl, if not NULL, by calling LocalFree
  324. //
  325. //----------------------------------------------------------------------------
  326. HRESULT
  327. DSReadObjectSecurity(IN IDirectoryObject *pDsObject,
  328. OUT SECURITY_DESCRIPTOR_CONTROL * psdControl,
  329. OUT PACL *ppDacl)
  330. {
  331. ENTER_FUNCTION_HR(LEVEL5_LOGGING, DSReadObjectSecurity, hr);
  333. PADS_ATTR_INFO pSDAttributeInfo = NULL;
  335. do // false loop
  336. {
  337. LPWSTR pszSDProperty = (LPWSTR)c_szSDProperty;
  338. DWORD dwAttributesReturned;
  339. PSECURITY_DESCRIPTOR pSD = NULL;
  340. PACL pAcl = NULL;
  342. if(!pDsObject || !ppDacl)
  343. {
  344. ASSERT(FALSE);
  345. hr = E_INVALIDARG;
  346. break;
  347. }
  349. *ppDacl = NULL;
  351. // Set the SECURITY_INFORMATION mask
  352. hr = SetSecurityInfoMask(pDsObject, DACL_SECURITY_INFORMATION);
  353. if(FAILED(hr))
  354. {
  355. break;
  356. }
  358. //
  359. // Read the security descriptor
  360. //
  361. hr = pDsObject->GetObjectAttributes(&pszSDProperty,
  362. 1,
  363. &pSDAttributeInfo,
  364. &dwAttributesReturned);
  365. if (SUCCEEDED(hr) && !pSDAttributeInfo)
  366. hr = E_ACCESSDENIED; // This happens for SACL if no SecurityPrivilege
  368. if(FAILED(hr))
  369. {
  370. break;
  371. }
  373. ASSERT(ADSTYPE_NT_SECURITY_DESCRIPTOR == pSDAttributeInfo->dwADsType);
  374. ASSERT(ADSTYPE_NT_SECURITY_DESCRIPTOR == pSDAttributeInfo->pADsValues->dwType);
  376. pSD = (PSECURITY_DESCRIPTOR)pSDAttributeInfo->pADsValues->SecurityDescriptor.lpValue;
  378. ASSERT(IsValidSecurityDescriptor(pSD));
  381. //
  382. //Get the security descriptor control
  383. //
  384. if(psdControl)
  385. {
  386. DWORD dwRevision;
  387. if(!GetSecurityDescriptorControl(pSD, psdControl, &dwRevision))
  388. {
  389. DWORD _dwErr = GetLastError();
  390. hr = HRESULT_FROM_WIN32( _dwErr );
  391. break;
  392. }
  393. }
  395. //
  396. //Get pointer to DACL
  397. //
  398. BOOL bDaclPresent, bDaclDefaulted;
  399. if(!GetSecurityDescriptorDacl(pSD,
  400. &bDaclPresent,
  401. &pAcl,
  402. &bDaclDefaulted))
  403. {
  404. DWORD _dwErr = GetLastError();
  405. hr = HRESULT_FROM_WIN32( _dwErr );
  406. break;
  407. }
  409. if(!bDaclPresent ||
  410. !pAcl)
  411. {
  412. break;
  413. }
  415. ASSERT(IsValidAcl(pAcl));
  417. //
  418. //Make a copy of the DACL
  419. //
  420. *ppDacl = (PACL)LocalAlloc(LPTR,pAcl->AclSize);
  421. if(!*ppDacl)
  422. {
  423. hr = E_OUTOFMEMORY;
  424. break;
  425. }
  426. //Security Review:This is fine. Memory is correctly allocted above.
  427. CopyMemory(*ppDacl,pAcl,pAcl->AclSize);
  429. }while(0);
  432. if (pSDAttributeInfo)
  433. FreeADsMem(pSDAttributeInfo);
  435. return hr;
  436. }
  438. //+---------------------------------------------------------------------------
  439. //
  440. // Function: DSWriteObjectSecurity
  441. //
  442. // Synopsis: Writes the Dacl to the specied DS object
  443. //
  444. // Arguments: [in pDsObject] -- IDirettoryObject for dsobject
  445. // [sdControl] -- control for security descriptor
  446. // [IN pDacl] -- The DACL to be written
  447. //
  448. // History 25-Oct-2000 -- hiteshr created
  449. //----------------------------------------------------------------------------
  450. HRESULT
  451. DSWriteObjectSecurity(IN IDirectoryObject *pDsObject,
  452. IN SECURITY_DESCRIPTOR_CONTROL sdControl,
  453. PACL pDacl)
  454. {
  455. ENTER_FUNCTION_HR(LEVEL5_LOGGING, DSWriteObjectSecurity, hr);
  457. PISECURITY_DESCRIPTOR pSD = NULL;
  458. PSECURITY_DESCRIPTOR psd = NULL;
  460. do // false loop
  461. {
  462. ADSVALUE attributeValue;
  463. ADS_ATTR_INFO attributeInfo;
  464. DWORD dwAttributesModified;
  465. DWORD dwSDLength;
  467. if(!pDsObject || !pDacl)
  468. {
  469. ASSERT(FALSE);
  470. hr = E_INVALIDARG;
  471. break;
  472. }
  474. ASSERT(IsValidAcl(pDacl));
  476. // Set the SECURITY_INFORMATION mask
  477. hr = SetSecurityInfoMask(pDsObject, DACL_SECURITY_INFORMATION);
  478. if(FAILED(hr))
  479. {
  480. DEBUG_OUTPUT(MINIMAL_LOGGING,
  481. L"SetSecurityInfoMask failed: hr = 0x%x",
  482. hr);
  483. break;
  484. }
  487. //
  488. //Build the Security Descriptor
  489. //
  490. pSD = (PISECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
  491. if (pSD == NULL)
  492. {
  493. DEBUG_OUTPUT(MINIMAL_LOGGING,
  494. L"Failed to allocate memory for Security Descriptor");
  495. hr = E_OUTOFMEMORY;
  496. break;
  497. }
  499. //Security Review:This is fine.
  500. InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION);
  502. //
  503. // Finally, build the security descriptor
  504. //
  505. pSD->Control |= SE_DACL_PRESENT | SE_DACL_AUTO_INHERIT_REQ
  506. | (sdControl & (SE_DACL_PROTECTED | SE_DACL_AUTO_INHERITED));
  508. if(pDacl->AclSize)
  509. {
  510. pSD->Dacl = pDacl;
  511. }
  513. //
  514. // Need the total size
  515. //
  516. dwSDLength = GetSecurityDescriptorLength(pSD);
  518. //
  519. // If necessary, make a self-relative copy of the security descriptor
  520. //
  521. psd = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, dwSDLength);
  523. if (psd == NULL ||
  524. !MakeSelfRelativeSD(pSD, psd, &dwSDLength))
  525. {
  526. DWORD _dwErr = GetLastError();
  527. hr = HRESULT_FROM_WIN32( _dwErr );
  528. DEBUG_OUTPUT(MINIMAL_LOGGING,
  529. L"MakeSelfRelativeSD failed: hr = 0x%x",
  530. hr);
  531. break;
  532. }
  535. attributeValue.dwType = ADSTYPE_NT_SECURITY_DESCRIPTOR;
  536. attributeValue.SecurityDescriptor.dwLength = dwSDLength;
  537. attributeValue.SecurityDescriptor.lpValue = (LPBYTE)psd;
  539. attributeInfo.pszAttrName = (LPWSTR)c_szSDProperty;
  540. attributeInfo.dwControlCode = ADS_ATTR_UPDATE;
  541. attributeInfo.dwADsType = ADSTYPE_NT_SECURITY_DESCRIPTOR;
  542. attributeInfo.pADsValues = &attributeValue;
  543. attributeInfo.dwNumValues = 1;
  545. // Write the security descriptor
  546. hr = pDsObject->SetObjectAttributes(&attributeInfo,
  547. 1,
  548. &dwAttributesModified);
  549. } while (false);
  551. if (psd != NULL)
  552. {
  553. LocalFree(psd);
  554. }
  556. if(pSD != NULL)
  557. {
  558. LocalFree(pSD);
  559. }
  561. return hr;
  562. }