archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/admin/wmi/wbem/providers/win32provider/common/accessrights.cpp

458 lines
13 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*****************************************************************************/
  5. /* Copyright (c) 1999-2001 Microsoft Corporation, All Rights Reserved /
  7. /*****************************************************************************/
  13. //=================================================================
  15. //
  17. // AccessRights.CPP -- Base class for obtaining effective access
  19. // rights.
  21. //
  23. // Copyright (c) 1999-2001 Microsoft Corporation, All Rights Reserved
  24. //
  25. // Revisions: 6/11/99 a-kevhu Created
  26. //
  27. //=================================================================
  30. #include "precomp.h"
  33. #ifdef NTONLY
  36. #include <assertbreak.h>
  37. #include "AdvApi32Api.h"
  38. #include "accctrl.h"
  39. #include "sid.h"
  40. #include "AccessEntryList.h"
  41. #include "AccessRights.h"
  43. //==============================================================================
  44. // CONSTRUCTORS AND DESTRUCTORS
  45. //==============================================================================
  46. // Default initialization...
  47. CAccessRights::CAccessRights(bool fUseCurThrTok /* = false */)
  48. : m_dwError(ERROR_SUCCESS)
  49. {
  50. if(fUseCurThrTok)
  51. {
  52. // Initialize using the current thread token...
  53. InitTrustee(true);
  54. }
  55. }
  57. // Initialization specifying user only. Sid domain/account
  58. // not resolved. ACL uninitialized.
  59. CAccessRights::CAccessRights(const USER user, USER_SPECIFIER usp)
  60. : m_dwError(ERROR_SUCCESS)
  61. {
  62. if(usp == USER_IS_PSID)
  63. {
  64. m_csid = CSid((PSID)user, NULL, false);
  65. InitTrustee(false);
  66. }
  67. else if(usp == USER_IS_HANDLE)
  68. {
  69. ASSERT_BREAK(user != NULL);
  70. InitTrustee(false, (HANDLE)user);
  71. }
  72. }
  74. // Initialization of user and acl. Sid domain/account
  75. // not resolved. ACL initialized.
  76. CAccessRights::CAccessRights(const USER user, const PACL pacl, USER_SPECIFIER usp)
  77. : m_ael(pacl, false),
  78. m_dwError(ERROR_SUCCESS)
  79. {
  80. if(usp == USER_IS_PSID)
  81. {
  82. m_csid = CSid((PSID)user, NULL, false);
  83. InitTrustee(false);
  84. }
  85. else if(usp == USER_IS_HANDLE)
  86. {
  87. ASSERT_BREAK(user != NULL);
  88. InitTrustee(false, (HANDLE)user);
  89. }
  90. }
  93. // Initialization of acl only. ACL Sids not resolved.
  94. CAccessRights::CAccessRights(const PACL pacl, bool fUseCurThrTok /* = false */)
  95. : m_ael(pacl, false),
  96. m_dwError(ERROR_SUCCESS)
  97. {
  98. if(fUseCurThrTok)
  99. {
  100. // Initialize using the current thread token...
  101. InitTrustee(true);
  102. }
  103. }
  105. // Copy constructor
  106. /* Not complete yet
  107. CAccessRights::CAccessRights(const CAccessRights &RAccessRights)
  108. {
  109. // Copy members. We may or may not have either.
  110. if(RAccessRights.m_csid.IsValid() && RAccessRights.m_csid.IsOK())
  111. {
  112. m_csid = RAccessRights.m_csid;
  113. }
  114. m_ael.Clear();
  115. if(!RAccessRights.m_ael.IsEmpty())
  116. {
  117. // The best way to do this, to guarentee that the sids are not
  118. // resolved into domain/name, is to gat a PACL, then reinitialize
  119. // ourselves from it.
  120. PACL paclNew = NULL;
  121. try
  122. {
  123. if(RAccessRights.FillEmptyPACL(paclNew))
  124. {
  125. if(paclNew != NULL)
  126. {
  127. if(!m_ael.InitFromWin32ACL(paclNew, ALL_ACE_TYPES, false))
  128. {
  129. // If something went wrong, clean
  130. // up after ourselves.
  131. m_ael.Clear();
  132. }
  133. delete paclNew;
  134. paclNew = NULL;
  135. }
  136. }
  137. }
  138. catch(...)
  139. {
  140. if(paclNew != NULL)
  141. {
  142. delete paclNew;
  143. paclNew = NULL;
  144. }
  145. throw;
  146. }
  147. }
  148. }
  149. */
  151. // Destructor - members destruct themselves.
  152. CAccessRights::~CAccessRights()
  153. {
  154. }
  157. //==============================================================================
  158. // UTILITY FUNCTIONS
  159. //==============================================================================
  161. AR_RET_CODE CAccessRights::GetEffectiveAccessRights(PACCESS_MASK pAccessMask)
  162. {
  163. DWORD dwRet = AR_GENERIC_FAILURE;
  164. CAdvApi32Api *pAdvApi32 = NULL;
  165. PACL pacl = NULL;
  166. try
  167. {
  168. pAdvApi32 = (CAdvApi32Api*) CResourceManager::sm_TheResourceManager.GetResource(g_guidAdvApi32Api, NULL);
  169. if(pAdvApi32 != NULL)
  170. {
  171. if((dwRet = FillEmptyPACL(&pacl)) == ERROR_SUCCESS)
  172. {
  173. ASSERT_BREAK(pacl != NULL);
  175. if(pacl != NULL)
  176. {
  177. if(m_csid.IsValid() && m_csid.IsOK())
  178. {
  179. pAdvApi32->GetEffectiveRightsFromAclW(pacl,
  180. &m_trustee,
  181. pAccessMask,
  182. &dwRet);
  183. }
  184. else
  185. {
  186. dwRet = AR_BAD_SID;
  187. }
  188. delete pacl;
  189. pacl = NULL;
  190. }
  191. }
  192. CResourceManager::sm_TheResourceManager.ReleaseResource(g_guidAdvApi32Api, pAdvApi32);
  193. pAdvApi32 = NULL;
  194. }
  195. }
  196. catch(...)
  197. {
  198. if(pacl != NULL)
  199. {
  200. delete pacl;
  201. pacl = NULL;
  202. }
  203. if(pAdvApi32 != NULL)
  204. {
  205. CResourceManager::sm_TheResourceManager.ReleaseResource(g_guidAdvApi32Api, pAdvApi32);
  206. pAdvApi32 = NULL;
  207. }
  208. throw;
  209. }
  210. return dwRet;
  211. }
  213. bool CAccessRights::InitTrustee(bool fInitFromCurrentThread, const HANDLE hToken)
  214. {
  215. bool fRet = false;
  217. // The main thing done here is a sid is obtained and the TRUSTEE struct
  218. // filled in.
  220. if(fInitFromCurrentThread)
  221. {
  222. // Get the sid of the user/group of the current thread...
  223. SmartCloseHandle hThreadToken;
  224. if(::OpenThreadToken(::GetCurrentThread(), TOKEN_READ, FALSE, &hThreadToken))
  225. {
  226. InitSidFromToken(hThreadToken);
  227. }
  228. }
  229. else
  230. {
  231. // If we were given a hToken, use it instead...
  232. if(hToken != NULL)
  233. {
  234. InitSidFromToken(hToken);
  235. }
  236. }
  238. // We should now have a valid sid in our member CSid (either from the
  239. // InitSidFromToken calls or from construction).
  240. // Now we need to initialize the TRUSTEE object. Check again that our sid
  241. // is in good standing...
  242. if(m_csid.IsValid() && m_csid.IsOK())
  243. {
  244. m_trustee.pMultipleTrustee = NULL;
  245. m_trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
  246. m_trustee.TrusteeForm = TRUSTEE_IS_SID;
  247. m_trustee.TrusteeType = TRUSTEE_IS_UNKNOWN; // we could be operating
  248. // on behalf of a user,
  249. // group, well-known-group,
  250. // who knows.
  252. m_trustee.ptstrName = (LPWSTR)m_csid.GetPSid();
  253. fRet = true;
  254. }
  255. else
  256. {
  257. m_dwError = AR_BAD_SID;
  258. }
  259. return fRet;
  260. }
  263. bool CAccessRights::InitSidFromToken(const HANDLE hThreadToken)
  264. {
  265. bool fRet = false;
  267. if(hThreadToken != NULL)
  268. {
  269. DWORD dwLength = 0L;
  270. DWORD dwReqLength = 0L;
  271. PSID psid = NULL;
  272. LPVOID pBuff = NULL;
  273. if(!::GetTokenInformation(hThreadToken, TokenUser, NULL, 0, &dwReqLength))
  274. {
  275. if(::GetLastError() == ERROR_INSUFFICIENT_BUFFER)
  276. {
  277. // Allocate a buffer to hold the token info...
  278. try
  279. {
  280. pBuff = new BYTE[dwReqLength];
  281. if(pBuff != NULL)
  282. {
  283. dwLength = dwReqLength;
  284. // Now that we have the right size buffer, call again...
  285. if(::GetTokenInformation(hThreadToken,
  286. TokenUser,
  287. pBuff,
  288. dwLength,
  289. &dwReqLength))
  290. {
  291. if(pBuff != NULL)
  292. {
  293. TOKEN_USER *pTokUsr = (TOKEN_USER*)pBuff;
  294. psid = pTokUsr->User.Sid;
  296. ASSERT_BREAK((psid != NULL) && ::IsValidSid(psid));
  298. if((psid != NULL) && ::IsValidSid(psid))
  299. {
  300. m_csid = CSid(psid, NULL, false);
  301. fRet = true;
  302. }
  303. else
  304. {
  305. m_dwError = AR_BAD_SID;
  306. }
  307. }
  308. }
  309. delete pBuff;
  310. pBuff = NULL;
  311. }
  312. }
  313. catch(...)
  314. {
  315. if(pBuff != NULL)
  316. {
  317. delete pBuff;
  318. pBuff = NULL;
  319. }
  320. throw;
  321. }
  322. }
  323. }
  324. }
  325. return fRet;
  326. }
  329. // Resets the user to the user to whom the current thread token belongs.
  330. bool CAccessRights::SetUserToThisThread()
  331. {
  332. return InitTrustee(true, NULL);
  333. }
  335. // Resets the user to the user specified by psid or handle
  336. bool CAccessRights::SetUser(const USER user, USER_SPECIFIER usp)
  337. {
  338. bool fRet = false;
  339. if(usp == USER_IS_PSID)
  340. {
  341. CSid csidTemp((PSID)user);
  342. if(csidTemp.IsValid() && csidTemp.IsOK())
  343. {
  344. m_csid = csidTemp;
  345. fRet = true;
  346. }
  347. }
  348. else if(usp == USER_IS_HANDLE)
  349. {
  350. fRet = InitSidFromToken((HANDLE)user);
  351. }
  352. return fRet;
  353. }
  356. // Resets the acl to the passed in PACL
  357. bool CAccessRights::SetAcl(const PACL pacl)
  358. {
  359. bool fRet = false;
  360. if(pacl != NULL)
  361. {
  362. m_ael.Clear();
  363. if(m_ael.InitFromWin32ACL(pacl, ALL_ACE_TYPES, false) == ERROR_SUCCESS)
  364. {
  365. fRet = true;
  366. }
  367. }
  368. return fRet;
  369. }
  371. // Gets us a filled out PACL, which must be freed by the caller, using delete.
  372. AR_RET_CODE CAccessRights::FillEmptyPACL(PACL *paclOut)
  373. {
  374. DWORD dwRet = AR_GENERIC_FAILURE;
  375. if(paclOut != NULL)
  376. {
  377. // The best way to do this, to guarentee that the sids are not
  378. // resolved into domain/name, is to get a PACL, then reinitialize
  379. // ourselves from it.
  380. DWORD dwAclSize = 0L;
  381. if(m_ael.NumEntries() > 0)
  382. {
  383. if(m_ael.CalculateWin32ACLSize(&dwAclSize))
  384. {
  385. if(dwAclSize > sizeof(ACL))
  386. {
  387. PACL paclTemp = NULL;
  388. try
  389. {
  390. paclTemp = (PACL) new BYTE[dwAclSize];
  391. if(paclTemp != NULL)
  392. {
  393. ::InitializeAcl(paclTemp, dwAclSize, ACL_REVISION);
  394. if((dwRet = m_ael.FillWin32ACL(paclTemp)) == ERROR_SUCCESS)
  395. {
  396. *paclOut = paclTemp;
  397. dwRet = ERROR_SUCCESS;
  398. }
  399. }
  400. }
  401. catch(...)
  402. {
  403. if(paclTemp != NULL)
  404. {
  405. delete paclTemp;
  406. paclTemp = NULL;
  407. }
  408. throw;
  409. }
  410. }
  411. else
  412. {
  413. dwRet = AR_ACL_EMPTY;
  414. }
  415. }
  416. else
  417. {
  418. dwRet = AR_BAD_ACL;
  419. }
  420. }
  421. else
  422. {
  423. dwRet = AR_ACL_EMPTY;
  424. }
  425. }
  426. return dwRet;
  427. }
  430. bool CAccessRights::GetCSid(CSid &csid, bool fResolve)
  431. {
  432. bool fRet = false;
  433. if(m_dwError == ERROR_SUCCESS)
  434. {
  435. if(m_csid.IsValid() && m_csid.IsOK())
  436. {
  437. if(fResolve)
  438. {
  439. // Need to create a new one since ours doesn't
  440. // have account or domain name resolved.
  441. CSid csidTemp(m_csid.GetPSid());
  442. if(csidTemp.IsValid() && csidTemp.IsOK())
  443. {
  444. csid = csidTemp;
  445. fRet = true;
  446. }
  447. }
  448. else
  449. {
  450. csid = m_csid;
  451. fRet = true;
  452. }
  453. }
  454. }
  455. return fRet;
  456. }
  459. #endif