archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/services/ca/certlib/acl.cpp

482 lines
13 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. //+--------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1996 - 1999
  5. //
  6. // File: acl.cpp
  7. //
  8. // Contents: Access Control helpers for certsrv
  9. //
  10. // History: 11-16-98 petesk created
  11. // 10/99 xtan, major changes
  12. //
  13. //---------------------------------------------------------------------------
  15. #include <pch.cpp>
  16. #pragma hdrstop
  17. #include <ntdsapi.h>
  18. #define SECURITY_WIN32
  20. #include <security.h>
  21. #include <sddl.h>
  22. #include <aclapi.h>
  24. #include "certca.h"
  25. #include "cscsp.h"
  26. #include "certacl.h"
  27. #include "certsd.h"
  29. #define __dwFILE__ __dwFILE_CERTLIB_ACL_CPP__
  32. // defines
  34. const GUID GUID_APPRV_REQ = { /* 0e10c966-78fb-11d2-90d4-00c04f79dc55 */
  35. 0x0e10c966,
  36. 0x78fb,
  37. 0x11d2,
  38. {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
  40. const GUID GUID_REVOKE= { /* 0e10c967-78fb-11d2-90d4-00c04f79dc55 */
  41. 0x0e10c967,
  42. 0x78fb,
  43. 0x11d2,
  44. {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
  46. // Important, keep enroll GUID in sync with string define in certacl.h
  47. const GUID GUID_ENROLL = { /* 0e10c968-78fb-11d2-90d4-00c04f79dc55 */
  48. 0x0e10c968,
  49. 0x78fb,
  50. 0x11d2,
  51. {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
  53. const GUID GUID_AUTOENROLL = { /* a05b8cc2-17bc-4802-a710-e7c15ab866a2 */
  54. 0xa05b8cc2,
  55. 0x17bc,
  56. 0x4802,
  57. {0xa7, 0x10, 0xe7, 0xc1, 0x5a, 0xb8, 0x66, 0xa2} };
  59. const GUID GUID_READ_DB = { /* 0e10c969-78fb-11d2-90d4-00c04f79dc55 */
  60. 0x0e10c969,
  61. 0x78fb,
  62. 0x11d2,
  63. {0x90, 0xd4, 0x00, 0xc0, 0x4f, 0x79, 0xdc, 0x55} };
  65. HRESULT
  66. myGetSDFromTemplate(
  67. IN WCHAR const *pwszStringSD,
  68. IN OPTIONAL WCHAR const *pwszReplace,
  69. OUT PSECURITY_DESCRIPTOR *ppSD)
  70. {
  71. HRESULT hr;
  72. WCHAR *pwszReplaceSD = NULL;
  73. WCHAR const *pwszFinalSD = pwszStringSD;
  75. CSASSERT(NULL != ppSD);
  77. if (NULL == ppSD)
  78. {
  79. hr = E_POINTER;
  80. _JumpError(hr, error, "null SD pointer");
  81. }
  83. if (NULL != pwszReplace)
  84. {
  85. // replace the token
  87. CSASSERT(NULL != wcsstr(pwszStringSD, L"%ws"));
  89. pwszReplaceSD = (WCHAR*)LocalAlloc(LMEM_FIXED,
  90. (wcslen(pwszStringSD) +
  91. wcslen(pwszReplace) + 1) * sizeof(WCHAR) );
  92. if (NULL == pwszReplaceSD)
  93. {
  94. hr = E_OUTOFMEMORY;
  95. _JumpError(hr, error, "LocalAlloc");
  96. }
  97. wsprintf(pwszReplaceSD, pwszStringSD, pwszReplace);
  98. pwszFinalSD = pwszReplaceSD;
  99. }
  101. // build the security descriptor including the local machine.
  102. if (!myConvertStringSecurityDescriptorToSecurityDescriptor(
  103. pwszFinalSD,
  104. SDDL_REVISION,
  105. ppSD,
  106. NULL))
  107. {
  108. hr = myHLastError();
  109. _JumpErrorStr(
  110. hr,
  111. error,
  112. "myConvertStringSecurityDescriptorToSecurityDescriptor",pwszFinalSD);
  113. }
  115. DBGPRINT((DBG_SS_CERTLIBI, "security descriptor:%ws\n", pwszFinalSD));
  117. hr = S_OK;
  118. error:
  119. if (NULL != pwszReplaceSD)
  120. {
  121. LocalFree(pwszReplaceSD);
  122. }
  123. return hr;
  124. }
  126. HRESULT
  127. myGetSecurityDescriptorDacl(
  128. IN PSECURITY_DESCRIPTOR pSD,
  129. OUT PACL *ppDacl) // no free
  130. {
  131. HRESULT hr;
  132. PACL pDacl = NULL; //no free
  133. BOOL bDaclPresent = FALSE;
  134. BOOL bDaclDefaulted = FALSE;
  136. CSASSERT(NULL != ppDacl);
  138. //init
  139. *ppDacl = NULL;
  141. // get dacl pointers
  142. if (!GetSecurityDescriptorDacl(pSD,
  143. &bDaclPresent,
  144. &pDacl,
  145. &bDaclDefaulted))
  146. {
  147. hr = myHLastError();
  148. _JumpError(hr, error, "GetSecurityDescriptorDacl");
  149. }
  150. if(!bDaclPresent || (pDacl == NULL))
  151. {
  152. hr = E_UNEXPECTED;
  153. _JumpError(hr, error, "GetSecurityDescriptorDacl");
  154. }
  156. *ppDacl = pDacl;
  158. hr = S_OK;
  159. error:
  160. return hr;
  161. }
  163. HRESULT
  164. myGetSecurityDescriptorSacl(
  165. IN PSECURITY_DESCRIPTOR pSD,
  166. OUT PACL *ppSacl) // no free
  167. {
  168. HRESULT hr;
  169. PACL pSacl = NULL; //no free
  170. BOOL bSaclPresent = FALSE;
  171. BOOL bSaclDefaulted = FALSE;
  173. CSASSERT(NULL != ppSacl);
  175. //init
  176. *ppSacl = NULL;
  178. // get dacl pointers
  179. if (!GetSecurityDescriptorSacl(pSD,
  180. &bSaclPresent,
  181. &pSacl,
  182. &bSaclDefaulted))
  183. {
  184. hr = myHLastError();
  185. _JumpError(hr, error, "GetSecurityDescriptorDacl");
  186. }
  187. if(!bSaclPresent || (pSacl == NULL))
  188. {
  189. hr = E_UNEXPECTED;
  190. _JumpError(hr, error, "GetSecurityDescriptorDacl");
  191. }
  193. *ppSacl = pSacl;
  195. hr = S_OK;
  196. error:
  197. return hr;
  198. }
  200. #define CERTSRV_DACL_CONTROL_MASK SE_DACL_AUTO_INHERIT_REQ | \
  201. SE_DACL_AUTO_INHERITED | \
  202. SE_DACL_PROTECTED
  203. #define CERTSRV_SACL_CONTROL_MASK SE_SACL_AUTO_INHERIT_REQ | \
  204. SE_SACL_AUTO_INHERITED | \
  205. SE_SACL_PROTECTED
  208. // Merge parts of a new SD with an old SD based on the SI flags:
  209. // DACL_SECURITY_INFORMATION - use new SD DACL
  210. // SACL_SECURITY_INFORMATION - use new SD SACL
  211. // OWNER_SECURITY_INFORMATION - use new SD owner
  212. // GROUP_SECURITY_INFORMATION - use new SD group
  214. HRESULT
  215. myMergeSD(
  216. IN PSECURITY_DESCRIPTOR pSDOld,
  217. IN PSECURITY_DESCRIPTOR pSDMerge,
  218. IN SECURITY_INFORMATION si,
  219. OUT PSECURITY_DESCRIPTOR *ppSDNew)
  220. {
  221. HRESULT hr;
  222. PSECURITY_DESCRIPTOR pSDDaclSource =
  223. si & DACL_SECURITY_INFORMATION ? pSDMerge : pSDOld;
  224. PSECURITY_DESCRIPTOR pSDSaclSource =
  225. si & SACL_SECURITY_INFORMATION ? pSDMerge : pSDOld;
  226. PSECURITY_DESCRIPTOR pSDOwnerSource =
  227. si & OWNER_SECURITY_INFORMATION ? pSDMerge : pSDOld;
  228. PSECURITY_DESCRIPTOR pSDGroupSource =
  229. si & GROUP_SECURITY_INFORMATION ? pSDMerge : pSDOld;
  230. PSECURITY_DESCRIPTOR pSDNew = NULL;
  231. PSECURITY_DESCRIPTOR pSDNewRelative = NULL;
  232. SECURITY_DESCRIPTOR_CONTROL sdc;
  233. PACL pDacl = NULL; //no free
  234. PSID pGroupSid = NULL; //no free
  235. BOOL fGroupDefaulted = FALSE;
  236. PSID pOwnerSid = NULL; //no free
  237. BOOL fOwnerDefaulted = FALSE;
  238. DWORD dwSize;
  239. BOOL fSaclPresent = FALSE;
  240. BOOL fSaclDefaulted = FALSE;
  241. PACL pSacl = NULL; //no free
  242. DWORD dwRevision;
  244. CSASSERT(NULL != pSDOld);
  245. CSASSERT(NULL != pSDMerge);
  246. CSASSERT(NULL != ppSDNew);
  248. *ppSDNew = NULL;
  250. pSDNew = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED,
  251. SECURITY_DESCRIPTOR_MIN_LENGTH);
  252. if (pSDNew == NULL)
  253. {
  254. hr = E_OUTOFMEMORY;
  255. _JumpError(hr, error, "LocalAlloc");
  256. }
  258. if (!InitializeSecurityDescriptor(pSDNew, SECURITY_DESCRIPTOR_REVISION))
  259. {
  260. hr = myHLastError();
  261. _JumpError(hr, error, "InitializeSecurityDescriptor");
  262. }
  264. // set SD control
  265. if (!GetSecurityDescriptorControl(pSDOld, &sdc, &dwRevision))
  266. {
  267. hr = myHLastError();
  268. _JumpError(hr, error, "GetSecurityDescriptorControl");
  269. }
  271. if (!SetSecurityDescriptorControl(
  272. pSDNew,
  273. CERTSRV_DACL_CONTROL_MASK|
  274. CERTSRV_SACL_CONTROL_MASK,
  275. sdc &
  276. (CERTSRV_DACL_CONTROL_MASK|
  277. CERTSRV_SACL_CONTROL_MASK)))
  278. {
  279. hr = myHLastError();
  280. _JumpError(hr, error, "SetSecurityDescriptorControl");
  281. }
  283. // get CA security acl info
  284. hr = myGetSecurityDescriptorDacl(
  285. pSDDaclSource,
  286. &pDacl);
  287. _JumpIfError(hr, error, "myGetDaclFromInfoSecurityDescriptor");
  289. // set new SD dacl
  290. if(!SetSecurityDescriptorDacl(pSDNew,
  291. TRUE,
  292. pDacl,
  293. FALSE))
  294. {
  295. hr = myHLastError();
  296. _JumpError(hr, error, "SetSecurityDescriptorDacl");
  297. }
  299. // set new SD group
  300. if(!GetSecurityDescriptorGroup(pSDGroupSource, &pGroupSid, &fGroupDefaulted))
  301. {
  302. hr = myHLastError();
  303. _JumpError(hr, error, "GetSecurityDescriptorGroup");
  304. }
  305. if(!SetSecurityDescriptorGroup(pSDNew, pGroupSid, fGroupDefaulted))
  306. {
  307. hr = myHLastError();
  308. _JumpError(hr, error, "SetSecurityDescriptorGroup");
  309. }
  311. // set new SD owner
  312. if(!GetSecurityDescriptorOwner(pSDOwnerSource, &pOwnerSid, &fOwnerDefaulted))
  313. {
  314. hr = myHLastError();
  315. _JumpError(hr, error, "GetSecurityDescriptorGroup");
  316. }
  317. if(!SetSecurityDescriptorOwner(pSDNew, pOwnerSid, fOwnerDefaulted))
  318. {
  319. hr = myHLastError();
  320. _JumpError(hr, error, "SetSecurityDescriptorGroup");
  321. }
  323. // set new SD sacl
  324. if(!GetSecurityDescriptorSacl(pSDSaclSource, &fSaclPresent, &pSacl, &fSaclDefaulted))
  325. {
  326. hr = myHLastError();
  327. _JumpError(hr, error, "GetSecurityDescriptorSacl");
  328. }
  329. if(!SetSecurityDescriptorSacl(pSDNew, fSaclPresent, pSacl, fSaclDefaulted))
  330. {
  331. hr = myHLastError();
  332. _JumpError(hr, error, "SetSecurityDescriptorSacl");
  333. }
  335. if (!IsValidSecurityDescriptor(pSDNew))
  336. {
  337. hr = myHLastError();
  338. _JumpError(hr, error, "IsValidSecurityDescriptor");
  339. }
  341. dwSize = GetSecurityDescriptorLength(pSDNew);
  342. pSDNewRelative = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, dwSize);
  343. if(pSDNewRelative == NULL)
  344. {
  345. hr = E_OUTOFMEMORY;
  346. _JumpError(hr, error, "LocalAlloc");
  347. }
  349. if(!MakeSelfRelativeSD(pSDNew, pSDNewRelative, &dwSize))
  350. {
  351. hr = myHLastError();
  352. _JumpError(hr, error, "LocalAlloc");
  353. }
  355. if (!IsValidSecurityDescriptor(pSDNewRelative))
  356. {
  357. hr = myHLastError();
  358. _JumpError(hr, error, "IsValidSecurityDescriptor");
  359. }
  361. *ppSDNew = pSDNewRelative;
  362. pSDNewRelative = NULL;
  363. hr = S_OK;
  364. error:
  365. if(pSDNew)
  366. {
  367. LocalFree(pSDNew);
  368. }
  369. if(pSDNewRelative)
  370. {
  371. LocalFree(pSDNewRelative);
  372. }
  373. return hr;
  374. }
  377. HRESULT
  378. UpdateServiceSacl(bool fTurnOnAuditing)
  379. {
  380. HRESULT hr = S_OK;
  381. PSECURITY_DESCRIPTOR pSaclSD = NULL;
  382. PACL pSacl = NULL; // no free
  383. bool fPrivilegeEnabled = false;
  385. hr = myGetSDFromTemplate(
  386. fTurnOnAuditing?
  387. CERTSRV_SERVICE_SACL_ON:
  388. CERTSRV_SERVICE_SACL_OFF,
  389. NULL, // no insertion string
  390. &pSaclSD);
  391. _JumpIfError(hr, error, "myGetSDFromTemplate");
  393. hr = myGetSecurityDescriptorSacl(
  394. pSaclSD,
  395. &pSacl);
  396. _JumpIfError(hr, error, "myGet");
  399. hr = myEnablePrivilege(SE_SECURITY_NAME, TRUE);
  400. _JumpIfError(hr, error, "myEnablePrivilege");
  402. fPrivilegeEnabled = true;
  404. hr = SetNamedSecurityInfo(
  405. wszSERVICE_NAME,
  406. SE_SERVICE,
  407. SACL_SECURITY_INFORMATION,
  408. NULL,
  409. NULL,
  410. NULL,
  411. pSacl);
  412. if(ERROR_SUCCESS != hr)
  413. {
  414. hr = myHError(hr);
  415. _JumpError(hr, error, "SetNamedSecurityInfo");
  416. }
  418. error:
  420. if(fPrivilegeEnabled)
  421. {
  422. myEnablePrivilege(SE_SECURITY_NAME, FALSE);
  423. }
  424. LOCAL_FREE(pSaclSD);
  425. return hr;
  426. }
  428. HRESULT
  429. SetFolderDacl(LPCWSTR pcwszFolderPath, LPCWSTR pcwszSDDL)
  430. {
  431. HRESULT hr = S_OK;
  432. PSECURITY_DESCRIPTOR pSD = NULL;
  434. hr = myGetSDFromTemplate(pcwszSDDL, NULL, &pSD);
  435. _JumpIfErrorStr(hr, error, "myGetSDFromTemplate", pcwszSDDL);
  437. if (!SetFileSecurity(
  438. pcwszFolderPath,
  439. DACL_SECURITY_INFORMATION,
  440. pSD))
  441. {
  442. hr = myHLastError();
  443. _JumpError(hr, error, "SetFileSecurity");
  444. }
  446. error:
  448. LOCAL_FREE(pSD);
  450. return hr;
  451. }
  454. HRESULT
  455. mySetKeyContainerSecurity(
  456. IN HCRYPTPROV hProv)
  457. {
  458. HRESULT hr;
  459. PSECURITY_DESCRIPTOR pSD = NULL;
  461. hr = myGetSDFromTemplate(WSZ_DEFAULT_KEYCONTAINER_SECURITY, NULL, &pSD);
  462. _JumpIfError(hr, error, "myGetSDFromTemplate");
  464. // apply the security descriptor to the key container
  465. if (!CryptSetProvParam(
  466. hProv,
  467. PP_KEYSET_SEC_DESCR,
  468. (BYTE *) pSD,
  469. (DWORD) DACL_SECURITY_INFORMATION))
  470. {
  471. hr = myHLastError();
  472. _JumpError(hr, error, "CryptSetProvParam");
  473. }
  474. hr = S_OK;
  476. error:
  477. if (NULL != pSD)
  478. {
  479. LocalFree(pSD);
  480. }
  481. return(hr);
  482. }