archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/services/ca/certlib/officer.cpp

740 lines
19 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. //+--------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1996 - 1999
  5. //
  6. // File: officer.cpp
  7. //
  8. // Contents: officer rights implementation
  9. //
  10. //---------------------------------------------------------------------------
  12. #include <pch.cpp>
  14. #pragma hdrstop
  16. #include <certsd.h>
  17. #include <certacl.h>
  18. #include <sid.h>
  20. #define __dwFILE__ __dwFILE_CERTLIB_OFFICER_CPP__
  23. using namespace CertSrv;
  25. HRESULT
  26. COfficerRightsSD::Merge(
  27. PSECURITY_DESCRIPTOR pOfficerSD,
  28. PSECURITY_DESCRIPTOR pCASD)
  29. {
  31. HRESULT hr;
  32. PACL pCAAcl; // no free
  33. PACL pOfficerAcl; // no free
  34. PACL pNewOfficerAcl = NULL;
  35. ACL_SIZE_INFORMATION CAAclInfo, OfficerAclInfo;
  36. PBOOL pCAFound = NULL, pOfficerFound = NULL;
  37. DWORD cCAAce, cOfficerAce;
  38. PACCESS_ALLOWED_ACE pCAAce;
  39. PACCESS_ALLOWED_CALLBACK_ACE pOfficerAce;
  40. PACCESS_ALLOWED_CALLBACK_ACE pNewAce = NULL;
  41. DWORD dwNewAclSize = sizeof(ACL);
  42. PSID pSidEveryone = NULL, pSidBuiltinAdministrators = NULL;
  43. DWORD dwSidEveryoneSize, dwAceSize, dwSidSize;
  44. PSID_LIST pSidList;
  45. PSECURITY_DESCRIPTOR pNewOfficerSD = NULL;
  46. ACL EmptyAcl;
  47. SECURITY_DESCRIPTOR EmptySD;
  49. CSASSERT(NULL==pOfficerSD || IsValidSecurityDescriptor(pOfficerSD));
  50. CSASSERT(IsValidSecurityDescriptor(pCASD));
  52. // allow NULL officer SD, in that case build an empty SD and use it
  53. if(NULL==pOfficerSD)
  54. {
  55. if(!InitializeAcl(&EmptyAcl, sizeof(ACL), ACL_REVISION))
  56. {
  57. hr = myHLastError();
  58. _JumpError(hr, error, "InitializeAcl");
  59. }
  61. if (!InitializeSecurityDescriptor(&EmptySD, SECURITY_DESCRIPTOR_REVISION))
  62. {
  63. hr = myHLastError();
  64. _JumpError(hr, error, "InitializeSecurityDescriptor");
  65. }
  67. if(!SetSecurityDescriptorDacl(
  68. &EmptySD,
  69. TRUE, // DACL present
  70. &EmptyAcl,
  71. FALSE)) // DACL defaulted
  72. {
  73. hr = myHLastError();
  74. _JumpError(hr, error, "SetSecurityDescriptorControl");
  75. }
  77. pOfficerSD = &EmptySD;
  78. }
  80. hr = myGetSecurityDescriptorDacl(pCASD, &pCAAcl);
  81. _JumpIfError(hr, error, "myGetSecurityDescriptorDacl");
  83. hr = myGetSecurityDescriptorDacl(pOfficerSD, &pOfficerAcl);
  84. _JumpIfError(hr, error, "myGetSecurityDescriptorDacl");
  86. // allocate a bool array for each DACL
  88. if(!GetAclInformation(pCAAcl,
  89. &CAAclInfo,
  90. sizeof(CAAclInfo),
  91. AclSizeInformation))
  92. {
  93. hr = myHLastError();
  94. _JumpError(hr, error, "GetAclInformation");
  95. }
  96. if(!GetAclInformation(pOfficerAcl,
  97. &OfficerAclInfo,
  98. sizeof(OfficerAclInfo),
  99. AclSizeInformation))
  100. {
  101. hr = myHLastError();
  102. _JumpError(hr, error, "GetAclInformation");
  103. }
  105. pCAFound = (PBOOL)LocalAlloc(LMEM_FIXED, sizeof(BOOL)*CAAclInfo.AceCount);
  106. if(!pCAFound)
  107. {
  108. hr = E_OUTOFMEMORY;
  109. _JumpError(hr, error, "LocalAlloc");
  110. }
  111. ZeroMemory(pCAFound, sizeof(BOOL)*CAAclInfo.AceCount);
  113. pOfficerFound = (PBOOL)LocalAlloc(LMEM_FIXED, sizeof(BOOL)*OfficerAclInfo.AceCount);
  114. if(!pOfficerFound)
  115. {
  116. hr = E_OUTOFMEMORY;
  117. _JumpError(hr, error, "LocalAlloc");
  118. }
  119. ZeroMemory(pOfficerFound, sizeof(BOOL)*OfficerAclInfo.AceCount);
  121. hr = GetEveryoneSID(&pSidEveryone);
  122. _JumpIfError(hr, error, "GetEveryoneSID");
  124. dwSidEveryoneSize = GetLengthSid(pSidEveryone);
  126. // mark in the bool arrays each ace whose SID is found in both DACLs;
  127. // also mark CA ACEs we are not interested in (denied ACEs and
  128. // non-officer ACEs)
  130. for(cCAAce=0; cCAAce<CAAclInfo.AceCount; cCAAce++)
  131. {
  132. if(!GetAce(pCAAcl, cCAAce, (PVOID*)&pCAAce))
  133. {
  134. hr = myHLastError();
  135. _JumpError(hr, error, "GetAce");
  136. }
  138. // process only officer allow aces
  139. if(0==(pCAAce->Mask & CA_ACCESS_OFFICER))
  140. {
  141. pCAFound[cCAAce] = TRUE;
  142. continue;
  143. }
  145. // compare SIDs in each officer ace with current CA ace and mark
  146. // corresponding bool in arrays if equal
  147. for(cOfficerAce=0; cOfficerAce<OfficerAclInfo.AceCount; cOfficerAce++)
  148. {
  149. if(!GetAce(pOfficerAcl, cOfficerAce, (PVOID*)&pOfficerAce))
  150. {
  151. hr = myHLastError();
  152. _JumpError(hr, error, "GetAce");
  153. }
  154. if(EqualSid((PSID)&pOfficerAce->SidStart,
  155. (PSID)&pCAAce->SidStart))
  156. {
  157. pCAFound[cCAAce] = TRUE;
  158. pOfficerFound[cOfficerAce] = TRUE;
  159. }
  160. }
  162. // if the officer is found in the CA ACL but not in the officer ACL,
  163. // we will add a new ACE allowing him to manage certs for Everyone
  164. if(!pCAFound[cCAAce])
  165. {
  166. dwNewAclSize += sizeof(ACCESS_ALLOWED_CALLBACK_ACE)+
  167. GetLengthSid((PSID)&pCAAce->SidStart)+
  168. dwSidEveryoneSize;
  169. }
  170. }
  172. // Calculate the size of the new officer ACL; we already added in the header
  173. // size and the size of the new ACEs to be added. Now we add the ACEs to be
  174. // copied over from the old ACL
  175. for(cOfficerAce=0; cOfficerAce<OfficerAclInfo.AceCount; cOfficerAce++)
  176. {
  177. if(pOfficerFound[cOfficerAce])
  178. {
  179. if(!GetAce(pOfficerAcl, cOfficerAce, (PVOID*)&pOfficerAce))
  180. {
  181. hr = myHLastError();
  182. _JumpError(hr, error, "GetAce");
  183. }
  184. dwNewAclSize += pOfficerAce->Header.AceSize;
  185. }
  186. }
  188. // allocate a new DACL
  190. pNewOfficerAcl = (PACL)LocalAlloc(LMEM_FIXED, dwNewAclSize);
  191. if(!pNewOfficerAcl)
  192. {
  193. hr = E_OUTOFMEMORY;
  194. _JumpError(hr, error, "LocalAlloc");
  195. }
  197. #ifdef _DEBUG
  198. ZeroMemory(pNewOfficerAcl, dwNewAclSize);
  199. #endif
  201. if(!InitializeAcl(pNewOfficerAcl, dwNewAclSize, ACL_REVISION))
  202. {
  203. hr = myHLastError();
  204. _JumpError(hr, error, "InitializeAcl");
  205. }
  207. // build the new DACL
  209. // traverse officer DACL and add only marked ACEs (whose SID was found
  210. // in the CA DACL, ie principal is an officer)
  211. for(cOfficerAce=0; cOfficerAce<OfficerAclInfo.AceCount; cOfficerAce++)
  212. {
  213. if(pOfficerFound[cOfficerAce])
  214. {
  215. if(!GetAce(pOfficerAcl, cOfficerAce, (PVOID*)&pOfficerAce))
  216. {
  217. hr = myHLastError();
  218. _JumpError(hr, error, "GetAce");
  219. }
  221. if(!AddAce(
  222. pNewOfficerAcl,
  223. ACL_REVISION,
  224. MAXDWORD,
  225. pOfficerAce,
  226. pOfficerAce->Header.AceSize))
  227. {
  228. hr = myHLastError();
  229. _JumpError(hr, error, "GetAce");
  230. }
  231. }
  232. }
  234. CSASSERT(IsValidAcl(pNewOfficerAcl));
  236. hr = GetBuiltinAdministratorsSID(&pSidBuiltinAdministrators);
  237. _JumpIfError(hr, error, "GetBuiltinAdministratorsSID");
  239. // traverse the CA DACL and add a new officer to list, allowed to manage
  240. // Everyone
  241. for(cCAAce=0; cCAAce<CAAclInfo.AceCount; cCAAce++)
  242. {
  243. if(pCAFound[cCAAce])
  244. continue;
  246. if(!GetAce(pCAAcl, cCAAce, (PVOID*)&pCAAce))
  247. {
  248. hr = myHLastError();
  249. _JumpError(hr, error, "GetAce");
  250. }
  252. // create a new ACE
  253. dwSidSize = GetLengthSid((PSID)&pCAAce->SidStart);
  255. dwAceSize = sizeof(ACCESS_ALLOWED_CALLBACK_ACE)+
  256. dwSidEveryoneSize+dwSidSize;
  258. pNewAce = (ACCESS_ALLOWED_CALLBACK_ACE*) LocalAlloc(LMEM_FIXED, dwAceSize);
  259. if(!pNewAce)
  260. {
  261. hr = E_OUTOFMEMORY;
  262. _JumpError(hr, error, "LocalAlloc");
  263. }
  264. #ifdef _DEBUG
  265. ZeroMemory(pNewAce, dwAceSize);
  266. #endif
  268. pNewAce->Header.AceType = ACCESS_ALLOWED_CALLBACK_ACE_TYPE;
  269. pNewAce->Header.AceFlags= 0;
  270. pNewAce->Header.AceSize = (USHORT)dwAceSize;
  271. pNewAce->Mask = DELETE;
  272. CopySid(dwSidSize,
  273. (PSID)&pNewAce->SidStart,
  274. (PSID)&pCAAce->SidStart);
  275. pSidList = (PSID_LIST)(((BYTE*)&pNewAce->SidStart)+dwSidSize);
  276. pSidList->dwSidCount = 1;
  278. CopySid(dwSidEveryoneSize,
  279. (PSID)&pSidList->SidListStart,
  280. pSidEveryone);
  282. CSASSERT(IsValidSid((PSID)&pNewAce->SidStart));
  284. if(!AddAce(
  285. pNewOfficerAcl,
  286. ACL_REVISION,
  287. MAXDWORD,
  288. pNewAce,
  289. dwAceSize))
  290. {
  291. hr = myHLastError();
  292. _JumpError(hr, error, "AddAce");
  293. }
  295. LocalFree(pNewAce);
  296. pNewAce = NULL;
  297. }
  299. CSASSERT(IsValidAcl(pNewOfficerAcl));
  301. // setup the new security descriptor
  303. pNewOfficerSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED,
  304. SECURITY_DESCRIPTOR_MIN_LENGTH);
  305. if (pNewOfficerSD == NULL)
  306. {
  307. hr = E_OUTOFMEMORY;
  308. _JumpError(hr, error, "LocalAlloc");
  309. }
  310. #ifdef _DEBUG
  311. ZeroMemory(pNewOfficerSD, SECURITY_DESCRIPTOR_MIN_LENGTH);
  312. #endif
  314. if (!InitializeSecurityDescriptor(pNewOfficerSD, SECURITY_DESCRIPTOR_REVISION))
  315. {
  316. hr = myHLastError();
  317. _JumpError(hr, error, "InitializeSecurityDescriptor");
  318. }
  320. if(!SetSecurityDescriptorOwner(
  321. pNewOfficerSD,
  322. pSidBuiltinAdministrators,
  323. FALSE))
  324. {
  325. hr = myHLastError();
  326. _JumpError(hr, error, "SetSecurityDescriptorControl");
  327. }
  329. if(!SetSecurityDescriptorDacl(
  330. pNewOfficerSD,
  331. TRUE, // DACL present
  332. pNewOfficerAcl,
  333. FALSE)) // DACL defaulted
  334. {
  335. hr = myHLastError();
  336. _JumpError(hr, error, "SetSecurityDescriptorDacl");
  337. }
  339. CSASSERT(IsValidSecurityDescriptor(pNewOfficerSD));
  341. hr = Set(pNewOfficerSD);
  342. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Set");
  344. error:
  345. if(pNewAce)
  346. {
  347. LocalFree(pNewAce);
  348. }
  350. if(pSidEveryone)
  351. {
  352. FreeSid(pSidEveryone);
  353. }
  355. if(pSidBuiltinAdministrators)
  356. {
  357. FreeSid(pSidBuiltinAdministrators);
  358. }
  360. if(pNewOfficerAcl)
  361. {
  362. LocalFree(pNewOfficerAcl);
  363. }
  365. if(pNewOfficerSD)
  366. {
  367. LocalFree(pNewOfficerSD);
  368. }
  370. return hr;
  371. }
  373. HRESULT
  374. COfficerRightsSD::Adjust(PSECURITY_DESCRIPTOR pCASD)
  375. {
  376. return Merge(Get(), pCASD);
  377. }
  379. HRESULT
  380. COfficerRightsSD::InitializeEmpty()
  381. {
  382. HRESULT hr = S_OK;
  383. ACL Acl;
  384. SECURITY_DESCRIPTOR SD;
  386. hr = Init(NULL);
  387. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Init");
  389. if(!InitializeAcl(&Acl, sizeof(ACL), ACL_REVISION))
  390. {
  391. hr = myHLastError();
  392. _JumpError(hr, error, "InitializeAcl");
  393. }
  395. if (!InitializeSecurityDescriptor(&SD, SECURITY_DESCRIPTOR_REVISION))
  396. {
  397. hr = myHLastError();
  398. _JumpError(hr, error, "InitializeSecurityDescriptor");
  399. }
  401. if(!SetSecurityDescriptorDacl(
  402. &SD,
  403. TRUE, // DACL present
  404. &Acl,
  405. FALSE)) // DACL defaulted
  406. {
  407. hr = myHLastError();
  408. _JumpError(hr, error, "SetSecurityDescriptorControl");
  409. }
  411. m_fInitialized = true;
  413. hr = Set(&SD);
  414. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Set");
  416. error:
  417. return hr;
  418. }
  420. HRESULT COfficerRightsSD::Save()
  421. {
  422. HRESULT hr = S_OK;
  424. if(IsEnabled())
  425. {
  426. hr = CProtectedSecurityDescriptor::Save();
  427. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Save");
  428. }
  429. else
  430. {
  431. hr = CProtectedSecurityDescriptor::Delete();
  432. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Delete");
  433. }
  435. error:
  436. return hr;
  437. }
  439. HRESULT COfficerRightsSD::Load()
  440. {
  441. HRESULT hr;
  443. hr = CProtectedSecurityDescriptor::Load();
  444. if(S_OK==hr || HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND)==hr)
  445. {
  446. SetEnable(S_OK==hr);
  447. hr = S_OK;
  448. }
  449. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Save");
  451. error:
  452. return hr;
  453. }
  455. HRESULT COfficerRightsSD::Initialize(LPCWSTR pwszSanitizedName)
  456. {
  457. HRESULT hr;
  459. hr = CProtectedSecurityDescriptor::Initialize(pwszSanitizedName);
  460. _JumpIfError(hr, error, "CProtectedSecurityDescriptor::Save");
  462. SetEnable(NULL!=m_pSD);
  464. error:
  465. return hr;
  466. }
  468. HRESULT COfficerRightsSD::ConvertToString(
  469. IN PSECURITY_DESCRIPTOR pSD,
  470. OUT LPWSTR& rpwszSD)
  471. {
  472. HRESULT hr = S_OK;
  473. LPCWSTR pcwszHeader = L"\n"; // start with a new line
  474. DWORD dwBufSize = sizeof(WCHAR)*(wcslen(pcwszHeader)+1);
  475. ACL_SIZE_INFORMATION AclInfo;
  476. DWORD dwIndex;
  477. PACCESS_ALLOWED_CALLBACK_ACE pAce; // no free
  478. PACL pDacl; // no free
  479. LPWSTR pwszAce; // no free
  481. CSASSERT(IsValidSecurityDescriptor(pSD));
  483. rpwszSD = NULL;
  485. // get acl
  486. hr = myGetSecurityDescriptorDacl(
  487. pSD,
  488. &pDacl);
  489. _JumpIfError(hr, error, "myGetDaclFromInfoSecurityDescriptor");
  491. if(!GetAclInformation(pDacl,
  492. &AclInfo,
  493. sizeof(ACL_SIZE_INFORMATION),
  494. AclSizeInformation))
  495. {
  496. hr = myHLastError();
  497. _JumpError(hr, error, "GetAclInformation");
  498. }
  501. // calculate text size
  503. for(dwIndex = 0; dwIndex < AclInfo.AceCount; dwIndex++)
  504. {
  505. DWORD dwAceSize;
  506. if(!GetAce(pDacl, dwIndex, (LPVOID*)&pAce))
  507. {
  508. hr = myHLastError();
  509. _JumpError(hr, error, "GetAce");
  510. }
  512. hr = ConvertAceToString(
  513. pAce,
  514. &dwAceSize,
  515. NULL);
  516. _JumpIfError(hr, error, "ConvertAceToString");
  518. dwBufSize += dwAceSize;
  519. }
  521. rpwszSD = (LPWSTR)LocalAlloc(LMEM_FIXED, dwBufSize);
  522. _JumpIfAllocFailed(rpwszSD, error);
  524. // build the output string
  525. wcscpy(rpwszSD, pcwszHeader);
  527. pwszAce = rpwszSD + wcslen(pcwszHeader);
  529. for(dwIndex = 0; dwIndex < AclInfo.AceCount; dwIndex++)
  530. {
  531. DWORD dwAceSize;
  532. if(!GetAce(pDacl, dwIndex, (LPVOID*)&pAce))
  533. {
  534. hr = myHLastError();
  535. _JumpError(hr, error, "GetAce");
  536. }
  538. hr = ConvertAceToString(
  539. pAce,
  540. &dwAceSize,
  541. pwszAce);
  542. _JumpIfError(hr, error, "ConvertAceToString");
  544. pwszAce += dwAceSize/sizeof(WCHAR);
  545. }
  547. error:
  548. return hr;
  549. }
  551. // Returned string has the following format:
  552. //
  553. // [Allow|Deny]\t[OfficerName|SID]\n
  554. // \t[Client1Name|SID]\n
  555. // \t[Client2Name|SID]\n
  556. // ...
  557. //
  558. // Example:
  559. //
  560. // Allow OfficerGroup1
  561. // ClientGroup1
  562. // ClientGroup2
  563. //
  564. // If SID cannot be converted to friendly name it is displayed
  565. // as a string SID
  566. //
  567. HRESULT COfficerRightsSD::ConvertAceToString(
  568. IN PACCESS_ALLOWED_CALLBACK_ACE pAce,
  569. OUT OPTIONAL PDWORD pdwSize,
  570. IN OUT OPTIONAL LPWSTR pwszSD)
  571. {
  572. HRESULT hr = S_OK;
  573. DWORD dwSize = 1; // trailing '\0'
  574. CSid sid((PSID)(&pAce->SidStart));
  575. PSID_LIST pSidList = (PSID_LIST) (((BYTE*)&pAce->SidStart)+
  576. GetLengthSid(&pAce->SidStart));
  577. PSID pSid;
  578. DWORD cSids;
  580. LPCWSTR pcwszAllow = m_pcwszResources[0];
  581. LPCWSTR pcwszDeny = m_pcwszResources[1];
  583. LPCWSTR pcwszPermissionType =
  584. (ACCESS_ALLOWED_CALLBACK_ACE_TYPE==pAce->Header.AceType)?
  585. pcwszAllow:pcwszDeny;
  586. LPCWSTR pcwszSid; // no free
  588. // asked for size and/or ace string
  589. CSASSERT(pdwSize || pwszSD);
  591. if(pAce->Header.AceType != ACCESS_ALLOWED_CALLBACK_ACE_TYPE &&
  592. pAce->Header.AceType != ACCESS_DENIED_CALLBACK_ACE_TYPE)
  593. {
  594. return E_INVALIDARG;
  595. }
  597. pcwszSid = sid.GetName();
  598. if(!pcwszSid)
  599. {
  600. return E_OUTOFMEMORY;
  601. }
  603. dwSize = wcslen(pcwszSid);
  605. dwSize += wcslen(pcwszPermissionType);
  607. dwSize += 2; // '\t' between sid an permission and a '\n' after
  609. if(pwszSD)
  610. {
  611. wcscat(pwszSD, pcwszPermissionType);
  612. wcscat(pwszSD, L"\t");
  613. wcscat(pwszSD, pcwszSid);
  614. wcscat(pwszSD, L"\n");
  615. }
  617. for(pSid=(PSID)&pSidList->SidListStart, cSids=0; cSids<pSidList->dwSidCount;
  618. cSids++, pSid = (PSID)(((BYTE*)pSid)+GetLengthSid(pSid)))
  619. {
  620. CSASSERT(IsValidSid(pSid));
  622. CSid sidClient(pSid);
  623. LPCWSTR pcwszSidClient;
  625. pcwszSidClient = sidClient.GetName();
  626. if(!pcwszSidClient)
  627. {
  628. return E_OUTOFMEMORY;
  629. }
  631. dwSize += wcslen(pcwszSidClient) + 2; // \tClientNameOrSid\n
  633. if(pwszSD)
  634. {
  635. wcscat(pwszSD, L"\t");
  636. wcscat(pwszSD, pcwszSidClient);
  637. wcscat(pwszSD, L"\n");
  638. }
  639. }
  641. dwSize *= sizeof(WCHAR);
  643. if(pdwSize)
  644. {
  645. *pdwSize = dwSize;
  646. }
  648. return hr;
  649. }
  651. HRESULT
  652. CertSrv::GetWellKnownSID(
  653. PSID *ppSid,
  654. SID_IDENTIFIER_AUTHORITY *pAuth,
  655. BYTE SubauthorityCount,
  656. DWORD SubAuthority1,
  657. DWORD SubAuthority2,
  658. DWORD SubAuthority3,
  659. DWORD SubAuthority4,
  660. DWORD SubAuthority5,
  661. DWORD SubAuthority6,
  662. DWORD SubAuthority7,
  663. DWORD SubAuthority8)
  664. {
  665. HRESULT hr = S_OK;
  667. // build Everyone SID
  668. if(!AllocateAndInitializeSid(
  669. pAuth,
  670. SubauthorityCount,
  671. SubAuthority1,
  672. SubAuthority2,
  673. SubAuthority3,
  674. SubAuthority4,
  675. SubAuthority5,
  676. SubAuthority6,
  677. SubAuthority7,
  678. SubAuthority8,
  679. ppSid))
  680. {
  681. hr = myHLastError();
  682. _JumpError(hr, error, "AllocateAndInitializeSid");
  683. }
  685. error:
  686. return hr;
  687. }
  689. // caller is responsible for LocalFree'ing PSID
  690. HRESULT CertSrv::GetEveryoneSID(PSID *ppSid)
  691. {
  692. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_WORLD_SID_AUTHORITY;
  693. return GetWellKnownSID(
  694. ppSid,
  695. &SIDAuth,
  696. 1,
  697. SECURITY_WORLD_RID);
  698. }
  699. // caller is responsible for LocalFree'ing PSID
  700. HRESULT CertSrv::GetLocalSystemSID(PSID *ppSid)
  701. {
  702. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
  703. return GetWellKnownSID(
  704. ppSid,
  705. &SIDAuth,
  706. 1,
  707. SECURITY_LOCAL_SYSTEM_RID);
  708. }
  710. // caller is responsible for LocalFree'ing PSID
  711. HRESULT CertSrv::GetBuiltinAdministratorsSID(PSID *ppSid)
  712. {
  713. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
  714. return GetWellKnownSID(
  715. ppSid,
  716. &SIDAuth,
  717. 2,
  718. SECURITY_BUILTIN_DOMAIN_RID,
  719. DOMAIN_ALIAS_RID_ADMINS);
  720. }
  722. HRESULT CertSrv::GetLocalSID(PSID *ppSid)
  723. {
  724. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_LOCAL_SID_AUTHORITY;
  725. return GetWellKnownSID(
  726. ppSid,
  727. &SIDAuth,
  728. 1,
  729. SECURITY_LOCAL_RID);
  730. }
  732. HRESULT CertSrv::GetNetworkSID(PSID *ppSid)
  733. {
  734. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
  735. return GetWellKnownSID(
  736. ppSid,
  737. &SIDAuth,
  738. 1,
  739. SECURITY_NETWORK_RID);
  740. }