archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/dsrole/server/secure.c

649 lines
17 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1997 Microsoft Corporation
  5. Module Name:
  7. secure.c
  9. Abstract:
  11. Security related routines
  13. Author:
  15. Colin Brace (ColinBr)
  17. Environment:
  19. User Mode
  21. Revision History:
  23. --*/
  24. #include <setpch.h>
  25. #include <dssetp.h>
  27. #include "secure.h"
  28. #include <ntsam.h>
  29. #include <samrpc.h>
  30. #include <samisrv.h>
  32. //
  33. // Data global to this module only
  34. //
  35. SECURITY_DESCRIPTOR DsRolepPromoteSD;
  36. SECURITY_DESCRIPTOR DsRolepDemoteSD;
  37. SECURITY_DESCRIPTOR DsRolepCallDsRoleInterfaceSD;
  40. //
  41. // Unlocalized string descriptors for promotion/demotion audits to use
  42. // when unable to load localized resources for some reason.
  43. //
  44. #define DSROLE_AUDIT_PROMOTE_DESC L"Domain Controller Promotion"
  45. #define DSROLE_AUDIT_DEMOTE_DESC L"Domain Controller Demotion"
  46. #define DSROLE_AUDIT_INTERFACE_DESC L"DsRole Interface"
  49. //
  50. // Used to audit anyone attempting server role change operations
  51. //
  52. SID WORLD_SID = {SID_REVISION,
  53. 1,
  54. SECURITY_WORLD_SID_AUTHORITY,
  55. SECURITY_WORLD_RID};
  58. //
  59. // DsRole related access masks
  60. //
  61. #define DSROLE_ROLE_CHANGE_ACCESS 0x00000001
  63. #define DSROLE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | \
  64. DSROLE_ROLE_CHANGE_ACCESS )
  66. GENERIC_MAPPING DsRolepInfoMapping =
  67. {
  68. STANDARD_RIGHTS_READ, // Generic read
  69. STANDARD_RIGHTS_WRITE, // Generic write
  70. STANDARD_RIGHTS_EXECUTE, // Generic execute
  71. DSROLE_ALL_ACCESS // Generic all
  72. };
  74. //
  75. // Function definitions
  76. //
  78. BOOLEAN
  79. DsRolepMakeSecurityDescriptor(
  80. PSECURITY_DESCRIPTOR psd,
  81. PSID psid,
  82. PACL pacl,
  83. PACL psacl
  84. )
  85. /*++
  87. Routine Description:
  89. This routine creates the Security Descriptor
  91. Arguments:
  93. PSECURITY_DESCRIPTOR psd - a pointer to a SECURITY_DESCRIPTOR which will be constucted
  95. PSID psid - The Sid for the SECURITY_DESCRIPTOR
  97. PACL pacl - The Acl to place on the security Descriptor
  99. Returns:
  101. TRUE if successful; FALSE otherwise
  104. --*/
  105. {
  106. BOOLEAN fSuccess = TRUE;
  108. if ( !InitializeSecurityDescriptor( psd,
  109. SECURITY_DESCRIPTOR_REVISION ) ) {
  110. fSuccess = FALSE;
  111. goto Cleanup;
  112. }
  113. if ( !SetSecurityDescriptorOwner( psd,
  114. psid,
  115. FALSE ) ) { // not defaulted
  116. fSuccess = FALSE;
  117. goto Cleanup;
  118. }
  119. if ( !SetSecurityDescriptorGroup( psd,
  120. psid,
  121. FALSE ) ) { // not defaulted
  122. fSuccess = FALSE;
  123. goto Cleanup;
  124. }
  125. if ( !SetSecurityDescriptorDacl( psd,
  126. TRUE, // DACL is present
  127. pacl,
  128. FALSE ) ) { // not defaulted
  129. fSuccess = FALSE;
  130. goto Cleanup;
  131. }
  132. if ( !SetSecurityDescriptorSacl( psd,
  133. psacl != NULL ? TRUE : FALSE,
  134. psacl,
  135. FALSE ) ) { // not defaulted
  136. fSuccess = FALSE;
  137. goto Cleanup;
  138. }
  140. Cleanup:
  142. return fSuccess;
  144. }
  146. BOOLEAN
  147. DsRolepCreateInterfaceSDs(
  148. VOID
  149. )
  150. /*++
  152. Routine Description:
  154. This routine creates the in memory access control lists that
  155. are used to perform security checks on callers of the DsRoler
  156. API's.
  158. The model is as follows:
  160. Promote: the caller must have the builtin admin SID
  162. Demote: the caller must have the builtin admin SID
  164. CalltheDsRoleInterface: the caller must have the builtin admin SID
  167. Arguments:
  169. None.
  171. Returns:
  173. TRUE if successful; FALSE otherwise
  176. --*/
  177. {
  178. NTSTATUS Status;
  179. BOOLEAN fSuccess = TRUE;
  180. SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
  181. ULONG AclLength = 0;
  182. ULONG SaclLength = 0;
  183. PSID BuiltinAdminsSid = NULL;
  184. PSID *AllowedSids [] =
  185. {
  186. &BuiltinAdminsSid
  187. };
  188. ULONG cAllowedSids = sizeof(AllowedSids) / sizeof(AllowedSids[0]);
  189. ULONG i;
  190. PACL DsRolepPromoteAcl = NULL;
  191. PACL DsRolepDemoteAcl = NULL;
  192. PACL DsRolepCallDsRoleInterfaceAcl = NULL;
  193. PACL DsRolepSacl = NULL;
  196. //
  197. // Build the builtin administrators sid
  198. //
  199. Status = RtlAllocateAndInitializeSid(
  200. &NtAuthority,
  201. 2,
  202. SECURITY_BUILTIN_DOMAIN_RID,
  203. DOMAIN_ALIAS_RID_ADMINS,
  204. 0, 0, 0, 0, 0, 0,
  205. &BuiltinAdminsSid
  206. );
  207. if ( !NT_SUCCESS( Status ) ) {
  208. fSuccess = FALSE;
  209. goto Cleanup;
  210. }
  212. //
  213. // Determine the required size of the SACL
  214. //
  215. SaclLength = sizeof( ACL ) +
  216. sizeof( SYSTEM_AUDIT_ACE ) +
  217. GetLengthSid( &WORLD_SID );
  219. //
  220. // Make the SACL for auditing role change operation attempts
  221. //
  222. DsRolepSacl = LocalAlloc( 0, SaclLength );
  223. if ( !DsRolepSacl ) {
  224. fSuccess = FALSE;
  225. goto Cleanup;
  226. }
  228. if ( !InitializeAcl( DsRolepSacl, SaclLength, ACL_REVISION ) ) {
  229. fSuccess = FALSE;
  230. goto Cleanup;
  231. }
  233. Status = AddAuditAccessAce(
  234. DsRolepSacl,
  235. ACL_REVISION,
  236. DSROLE_ROLE_CHANGE_ACCESS,
  237. &WORLD_SID,
  238. TRUE,
  239. TRUE
  240. );
  242. if ( !NT_SUCCESS(Status) ) {
  243. fSuccess = FALSE;
  244. goto Cleanup;
  245. }
  247. //
  248. // Calculate how much space we'll need for the ACL
  249. //
  250. AclLength = sizeof( ACL );
  251. for ( i = 0; i < cAllowedSids; i++ ) {
  253. AclLength += (sizeof( ACCESS_ALLOWED_ACE )
  254. - sizeof(DWORD)
  255. + GetLengthSid((*AllowedSids[i])) );
  256. }
  258. DsRolepPromoteAcl = LocalAlloc( 0, AclLength );
  259. if ( !DsRolepPromoteAcl ) {
  260. fSuccess = FALSE;
  261. goto Cleanup;
  262. }
  264. if ( !InitializeAcl( DsRolepPromoteAcl, AclLength, ACL_REVISION ) ) {
  265. fSuccess = FALSE;
  266. goto Cleanup;
  267. }
  269. for ( i = 0; i < cAllowedSids; i++ ) {
  271. if ( !AddAccessAllowedAce( DsRolepPromoteAcl,
  272. ACL_REVISION,
  273. DSROLE_ALL_ACCESS,
  274. *(AllowedSids[i]) ) ) {
  275. fSuccess = FALSE;
  276. goto Cleanup;
  277. }
  279. }
  281. //
  282. // Now make the security descriptor
  283. //
  284. fSuccess = DsRolepMakeSecurityDescriptor(&DsRolepPromoteSD,
  285. BuiltinAdminsSid,
  286. DsRolepPromoteAcl,
  287. DsRolepSacl);
  288. if (!fSuccess) {
  290. goto Cleanup;
  292. }
  294. //
  295. // Make the demote access check the same
  296. //
  297. DsRolepDemoteAcl = LocalAlloc( 0, AclLength );
  298. if ( !DsRolepDemoteAcl ) {
  299. fSuccess = FALSE;
  300. goto Cleanup;
  301. }
  302. RtlCopyMemory( DsRolepDemoteAcl, DsRolepPromoteAcl, AclLength );
  304. //
  305. // Now make the security descriptor
  306. //
  307. fSuccess = DsRolepMakeSecurityDescriptor(&DsRolepDemoteSD,
  308. BuiltinAdminsSid,
  309. DsRolepDemoteAcl,
  310. DsRolepSacl);
  311. if (!fSuccess) {
  313. goto Cleanup;
  315. }
  317. //
  318. // Make the Call interface access check the same
  319. //
  320. DsRolepCallDsRoleInterfaceAcl = LocalAlloc( 0, AclLength );
  321. if ( !DsRolepCallDsRoleInterfaceAcl ) {
  322. fSuccess = FALSE;
  323. goto Cleanup;
  324. }
  325. RtlCopyMemory( DsRolepCallDsRoleInterfaceAcl, DsRolepPromoteAcl, AclLength );
  327. //
  328. // Now make the security descriptor
  329. //
  330. fSuccess = DsRolepMakeSecurityDescriptor(&DsRolepCallDsRoleInterfaceSD,
  331. BuiltinAdminsSid,
  332. DsRolepCallDsRoleInterfaceAcl,
  333. NULL);
  334. if (!fSuccess) {
  336. goto Cleanup;
  338. }
  341. Cleanup:
  343. if ( !fSuccess ) {
  345. for ( i = 0; i < cAllowedSids; i++ ) {
  346. if ( *(AllowedSids[i]) ) {
  347. RtlFreeHeap( RtlProcessHeap(), 0, *(AllowedSids[i]) );
  348. }
  349. }
  350. if ( DsRolepPromoteAcl ) {
  351. LocalFree( DsRolepPromoteAcl );
  352. }
  353. if ( DsRolepDemoteAcl ) {
  354. LocalFree( DsRolepDemoteAcl );
  355. }
  356. if ( DsRolepCallDsRoleInterfaceAcl ) {
  357. LocalFree( DsRolepCallDsRoleInterfaceAcl );
  358. }
  359. if ( DsRolepSacl ) {
  360. LocalFree( DsRolepSacl );
  361. }
  362. }
  364. return fSuccess;
  365. }
  368. DWORD
  369. DsRolepCheckClientAccess(
  370. PSECURITY_DESCRIPTOR pSD,
  371. DWORD DesiredAccess,
  372. BOOLEAN PerformAudit
  373. )
  374. /*++
  376. Routine Description:
  378. This routine grabs a copy of the client's token and then performs
  379. an access to make the client has the privlege found in pSD
  381. Arguments:
  383. pSD: a valid security descriptor
  385. DesiredAccess: the access mask the client is asking for
  387. PerformAudit: Indicates if system object access audits should occur. If
  388. TRUE then DnsDomainName must point to a null terminated
  389. string.
  391. Returns:
  393. ERROR_SUCCESS, ERROR_ACCESS_DENIED, or system error
  395. --*/
  396. {
  398. DWORD WinError = ERROR_SUCCESS;
  399. BOOL fStatus = FALSE;
  400. BOOL fAccessAllowed = FALSE;
  401. HANDLE ClientToken = 0;
  402. DWORD AccessGranted = 0;
  403. BYTE Buffer[500];
  404. PRIVILEGE_SET *PrivilegeSet = (PRIVILEGE_SET*)Buffer;
  405. DWORD PrivilegeSetSize = sizeof(Buffer);
  406. BOOL fGenerateOnClose = FALSE;
  407. RPC_STATUS rpcStatus = RPC_S_OK;
  408. DWORD MessageId;
  409. PWSTR ObjectNameString = NULL;
  410. PWSTR ObjectTypeString = NULL;
  411. ULONG len = 0;
  413. WinError = DsRolepGetImpersonationToken( &ClientToken );
  415. if ( ERROR_SUCCESS == WinError ) {
  417. //
  418. // For promotion/demote we must perform an object access audit
  419. //
  420. if (PerformAudit) {
  422. //
  423. // Load the ObjectName string
  424. //
  425. WinError = DsRolepFormatOperationString(
  426. DSROLEEVT_AUDIT_INTERFACE_DESC,
  427. &ObjectTypeString
  428. );
  430. if ( ERROR_SUCCESS != WinError ) {
  431. //
  432. // Fallback to an unlocalized string on error.
  433. //
  434. ObjectTypeString = DSROLE_AUDIT_INTERFACE_DESC;
  436. } else {
  437. //
  438. // Strip the \r\n DsRolepFormatOperationString adds.
  439. //
  440. ObjectTypeString[wcslen(ObjectTypeString) -2] = '\0';
  441. }
  443. //
  444. // Load the ObjectType string for this operation
  445. //
  446. MessageId = (pSD == &DsRolepPromoteSD) ?
  447. DSROLEEVT_AUDIT_PROMOTE_DESC :
  448. DSROLEEVT_AUDIT_DEMOTE_DESC;
  450. WinError = DsRolepFormatOperationString(
  451. MessageId,
  452. &ObjectNameString
  453. );
  455. if ( ERROR_SUCCESS != WinError ) {
  456. //
  457. // Fallback to an unlocalized string on error.
  458. //
  459. ObjectNameString = (pSD == &DsRolepPromoteSD) ?
  460. DSROLE_AUDIT_PROMOTE_DESC :
  461. DSROLE_AUDIT_DEMOTE_DESC;
  462. } else {
  463. //
  464. // Strip the \r\n DsRolepFormatOperationString adds.
  465. //
  466. ObjectNameString[wcslen(ObjectNameString) -2] = '\0';
  467. }
  469. //
  470. // Impersonate the caller as required by AccessCheckAndAuditAlarmW
  471. //
  472. WinError = RpcImpersonateClient( 0 );
  474. if ( WinError == ERROR_SUCCESS ) {
  476. fStatus = AccessCheckAndAuditAlarmW(
  477. SAMP_SAM_COMPONENT_NAME,
  478. NULL,
  479. ObjectTypeString,
  480. ObjectNameString,
  481. pSD,
  482. DesiredAccess,
  483. &DsRolepInfoMapping,
  484. FALSE,
  485. &AccessGranted,
  486. &fAccessAllowed,
  487. &fGenerateOnClose );
  489. rpcStatus = RpcRevertToSelf( );
  490. ASSERT(!rpcStatus);
  491. }
  493. } else {
  495. fStatus = AccessCheck(
  496. pSD,
  497. ClientToken,
  498. DesiredAccess,
  499. &DsRolepInfoMapping,
  500. PrivilegeSet,
  501. &PrivilegeSetSize,
  502. &AccessGranted,
  503. &fAccessAllowed );
  504. }
  506. if ( !fStatus ) {
  508. WinError = GetLastError();
  510. } else {
  512. if ( !fAccessAllowed ) {
  514. WinError = ERROR_ACCESS_DENIED;
  516. }
  517. }
  518. }
  520. if ( ClientToken ) {
  522. NtClose( ClientToken );
  524. }
  526. //
  527. // Free resource strings
  528. //
  529. if ( ObjectNameString ) {
  531. MIDL_user_free( ObjectNameString );
  532. }
  534. if ( ObjectTypeString ) {
  536. MIDL_user_free( ObjectTypeString );
  537. }
  539. return WinError;
  541. }
  544. DWORD
  545. DsRolepCheckPromoteAccess(
  546. BOOLEAN PerformAudit
  547. )
  548. {
  549. return DsRolepCheckClientAccess( &DsRolepPromoteSD,
  550. DSROLE_ROLE_CHANGE_ACCESS,
  551. PerformAudit );
  552. }
  554. DWORD
  555. DsRolepCheckDemoteAccess(
  556. BOOLEAN PerformAudit
  557. )
  558. {
  559. return DsRolepCheckClientAccess( &DsRolepDemoteSD,
  560. DSROLE_ROLE_CHANGE_ACCESS,
  561. PerformAudit );
  562. }
  564. DWORD
  565. DsRolepCheckCallDsRoleInterfaceAccess(
  566. VOID
  567. )
  568. {
  569. return DsRolepCheckClientAccess( &DsRolepCallDsRoleInterfaceSD,
  570. DSROLE_ROLE_CHANGE_ACCESS,
  571. FALSE );
  572. }
  575. DWORD
  576. DsRolepGetImpersonationToken(
  577. OUT HANDLE *ImpersonationToken
  578. )
  579. /*++
  581. Routine Description:
  583. This function will impersonate the invoker of this call and then duplicate their token
  585. Arguments:
  587. ImpersonationToken - Where the duplicated token is returned
  589. Returns:
  591. ERROR_SUCCESS - Success
  594. --*/
  595. {
  596. DWORD Win32Err = ERROR_SUCCESS;
  597. NTSTATUS Status;
  598. OBJECT_ATTRIBUTES ObjAttrs;
  599. SECURITY_QUALITY_OF_SERVICE SecurityQofS;
  600. HANDLE ClientToken;
  601. RPC_STATUS rpcStatus = RPC_S_OK;
  603. //
  604. // Impersonate the caller
  605. //
  606. Win32Err = RpcImpersonateClient( 0 );
  608. if ( Win32Err == ERROR_SUCCESS ) {
  610. Status = NtOpenThreadToken( NtCurrentThread(),
  611. TOKEN_QUERY | TOKEN_DUPLICATE,
  612. TRUE,
  613. &ClientToken );
  615. rpcStatus = RpcRevertToSelf( );
  616. ASSERT(!rpcStatus);
  618. if ( NT_SUCCESS( Status ) ) {
  620. //
  621. // Duplicate the token
  622. //
  623. InitializeObjectAttributes( &ObjAttrs, NULL, 0L, NULL, NULL );
  624. SecurityQofS.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
  625. SecurityQofS.ImpersonationLevel = SecurityImpersonation;
  626. SecurityQofS.ContextTrackingMode = FALSE; // Snapshot client context
  627. SecurityQofS.EffectiveOnly = FALSE;
  628. ObjAttrs.SecurityQualityOfService = &SecurityQofS;
  629. Status = NtDuplicateToken( ClientToken,
  630. TOKEN_QUERY | TOKEN_IMPERSONATE | TOKEN_ADJUST_PRIVILEGES | TOKEN_DUPLICATE,
  631. &ObjAttrs,
  632. FALSE,
  633. TokenImpersonation,
  634. ImpersonationToken );
  637. NtClose( ClientToken );
  638. }
  640. if ( !NT_SUCCESS( Status ) ) {
  642. Win32Err = RtlNtStatusToDosError( Status );
  643. }
  645. }
  647. return( Win32Err );
  649. }