|
|
/*++
Copyright (c) 1998 Microsoft Corporation
Module Name:
FixUp.c
Abstract:
This module contains common security routines for NT Clusters rolling upgrade and backward compatibility.
Author:
Galen Barbee (galenb) 31-Mar-1998
--*/
#include "clusrtlp.h"
PSECURITY_DESCRIPTORClRtlConvertClusterSDToNT4Format( IN PSECURITY_DESCRIPTOR psd )
/*++
Routine Description:
Convert the SD from nt 5 to nt 4 format. This means enforcing the following rules:
1. Convert denied ACE to allowed ACE. Convert "Full Control" access mask to CLUAPI_NO_ACCESS.
Arguments:
psd [IN] Security descriptor.
Return Value:
The new SD in self-Relative format
--*/
{ PACL pacl; BOOL bHasDACL; BOOL bDACLDefaulted; PSECURITY_DESCRIPTOR psec = NULL;
if (NULL == psd) { return NULL; }
psec = ClRtlCopySecurityDescriptor(psd);
if ( psec == NULL ) { return NULL; }
if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) && ( bHasDACL != FALSE ) ) {
ACL_SIZE_INFORMATION asiAclSize; DWORD dwBufLength;
dwBufLength = sizeof(asiAclSize);
if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {
ACCESS_DENIED_ACE * pAce; DWORD dwIndex;
for (dwIndex = 0; dwIndex < asiAclSize.AceCount; dwIndex++) {
if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {
if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) {
if (pAce->Mask & SPECIFIC_RIGHTS_ALL) { pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; pAce->Mask = CLUSAPI_NO_ACCESS; }
} // end if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
} // end if (GetAce())
} // end for
} // end if (GetAclInformation())
} // end if (HrGetSecurityDescriptorDacl()) and DACL is present
ASSERT(IsValidSecurityDescriptor(psec));
return psec;
} //*** ClRtlConvertClusterSDToNT4Format()
PSECURITY_DESCRIPTORClRtlConvertClusterSDToNT5Format( IN PSECURITY_DESCRIPTOR psd )
/*++
Routine Description:
Convert the SD from nt 5 to nt 4 format. This means enforcing the following rules:
1. Convert allowed ACE with mask CLUAPI_NO_ACCESS to denied ACE mask full control.
Arguments:
psd [IN] Security descriptor.
Return Value:
The new SD in self-Relative format
--*/
{ PACL pacl; BOOL bHasDACL; BOOL bDACLDefaulted; PSECURITY_DESCRIPTOR psec = NULL;
if (NULL == psd) { return NULL; }
psec = ClRtlCopySecurityDescriptor(psd);
if ( psec == NULL ) { return NULL; }
if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) && ( bHasDACL != FALSE ) ) {
ACL_SIZE_INFORMATION asiAclSize; DWORD dwBufLength;
dwBufLength = sizeof(asiAclSize);
if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {
ACCESS_DENIED_ACE * pAce; DWORD dwIndex;
for (dwIndex = 0; dwIndex < asiAclSize.AceCount; dwIndex++) {
if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {
if (pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) {
if (pAce->Mask & CLUSAPI_NO_ACCESS) { pAce->Header.AceType = ACCESS_DENIED_ACE_TYPE; pAce->Mask = SPECIFIC_RIGHTS_ALL; }
} // end if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
} // end if (GetAce())
} // end for
} // end if (GetAclInformation())
} // end if (HrGetSecurityDescriptorDacl()) and DACL is present
ASSERT(IsValidSecurityDescriptor(psec));
return psec;
} //*** ClRtlConvertClusterSDToNT5Format()
static GENERIC_MAPPING gmFileShareMap ={ FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS};
#define SPECIFIC_CHANGE (DELETE | FILE_GENERIC_WRITE)
#define SPECIFIC_READ (FILE_GENERIC_READ | FILE_LIST_DIRECTORY | FILE_EXECUTE)
#define GENERIC_CHANGE (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE)
PSECURITY_DESCRIPTORClRtlConvertFileShareSDToNT4Format( IN PSECURITY_DESCRIPTOR psd )
/*++
Routine Description:
Convert the SD from nt 5 to nt 4 format. This means enforcing the following rules:
Arguments:
psd [IN] Security descriptor.
Return Value:
The new SD in self-Relative format
--*/
{ PACL pacl; BOOL bHasDACL; BOOL bDACLDefaulted; PSECURITY_DESCRIPTOR psec = NULL;
if (NULL == psd) { return NULL; }
psec = ClRtlCopySecurityDescriptor(psd);
if ( psec == NULL ) { return NULL; }
if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) && ( bHasDACL != FALSE ) ) {
ACL_SIZE_INFORMATION asiAclSize; DWORD dwBufLength; ACCESS_MASK amTemp1; ACCESS_MASK amTemp2;
dwBufLength = sizeof(asiAclSize);
if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {
ACCESS_DENIED_ACE * pAce; DWORD dwSid; DWORD dwIndex;
for (dwIndex = 0; dwIndex < asiAclSize.AceCount; dwIndex++) {
amTemp1 = 0; amTemp2 = 0;
if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {
// delete deny read ACEs since they don't mean anything to AclEdit
if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) && (pAce->Mask == SPECIFIC_READ)) {
dwSid = pAce->SidStart;
if (DeleteAce(pacl, dwIndex)) { asiAclSize.AceCount -= 1; dwIndex -= 1; } else { ClRtlDbgPrint(LOG_UNUSUAL, "[ClRtl] DeteteAce failed removing ACE #%1!d! due to error %2!d!\n", dwIndex, GetLastError()); }
continue; }
// convert deny change deny read ACEs to deny all ACEs
if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) && (pAce->Mask == (SPECIFIC_CHANGE | SPECIFIC_READ))) { pAce->Mask = GENERIC_ALL; continue; }
// convert deny change ACEs to allow read (read only) ACEs
if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) && (pAce->Mask == SPECIFIC_CHANGE)) { pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; pAce->Mask = GENERIC_READ | GENERIC_EXECUTE; continue; }
// convert specific allow change to generic allow change
if ((pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) && (pAce->Mask == SPECIFIC_CHANGE)) { pAce->Mask = GENERIC_CHANGE; continue; }
// convert specific all to generic all
if ((pAce->Mask & gmFileShareMap.GenericAll) == gmFileShareMap.GenericAll) { amTemp1 |= GENERIC_ALL; amTemp2 |= gmFileShareMap.GenericAll; } else {
// convert specific read to generic read
if ((pAce->Mask & gmFileShareMap.GenericRead) == gmFileShareMap.GenericRead) { amTemp1 |= GENERIC_READ; amTemp2 |= gmFileShareMap.GenericRead; }
// convert specific write to generic write which includes delete
if ((pAce->Mask & gmFileShareMap.GenericWrite) == gmFileShareMap.GenericWrite) { amTemp1 |= (GENERIC_WRITE | DELETE); amTemp2 |= gmFileShareMap.GenericWrite; }
// convert specific execute to generic execute
if ((pAce->Mask & gmFileShareMap.GenericExecute) == gmFileShareMap.GenericExecute) { amTemp1 |= GENERIC_EXECUTE; amTemp2 |= gmFileShareMap.GenericExecute; } }
pAce->Mask &= ~amTemp2; // turn off specific bits
pAce->Mask |= amTemp1; // turn on generic bits
} // end if (GetAce())
} // end for
} // end if (GetAclInformation())
} // end if (HrGetSecurityDescriptorDacl()) and DACL is present
ASSERT(IsValidSecurityDescriptor(psec));
return psec;
} //*** ClRtlConvertFileShareSDToNT4Format()
|
