archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/ds/security/services/smartcrd/tools/logscp/csputils/ntacls.cpp

1113 lines
31 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (C) Microsoft Corporation, 1996 - 1999
  5. Module Name:
  7. NTacls
  9. Abstract:
  11. This module implements the CSecurityAttribute class. It's job is to
  12. encapsulate the NT security descriptors as needed by Calais.
  14. Author:
  16. Doug Barlow (dbarlow) 1/24/1997
  18. Environment:
  20. Windows NT, Win32, C++ w/ Exceptions
  22. Notes:
  24. ?Notes?
  26. --*/
  28. #ifndef WIN32_LEAN_AND_MEAN
  29. #define WIN32_LEAN_AND_MEAN
  30. #endif
  31. #include <windows.h>
  32. #include "cspUtils.h"
  35. const CSecurityDescriptor::SecurityId
  36. CSecurityDescriptor::SID_Null = { SECURITY_NULL_SID_AUTHORITY, 1, SECURITY_NULL_RID, 0 },
  37. CSecurityDescriptor::SID_World = { SECURITY_WORLD_SID_AUTHORITY, 1, SECURITY_WORLD_RID, 0 },
  38. CSecurityDescriptor::SID_Local = { SECURITY_LOCAL_SID_AUTHORITY, 1, SECURITY_LOCAL_RID, 0 },
  39. CSecurityDescriptor::SID_Owner = { SECURITY_CREATOR_SID_AUTHORITY, 1, SECURITY_CREATOR_OWNER_RID, 0 },
  40. CSecurityDescriptor::SID_Group = { SECURITY_CREATOR_SID_AUTHORITY, 1, SECURITY_CREATOR_GROUP_RID, 0 },
  41. CSecurityDescriptor::SID_Admins = { SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS },
  42. CSecurityDescriptor::SID_DialUp = { SECURITY_NT_AUTHORITY, 1, SECURITY_DIALUP_RID, 0 },
  43. CSecurityDescriptor::SID_Network = { SECURITY_NT_AUTHORITY, 1, SECURITY_NETWORK_RID, 0 },
  44. CSecurityDescriptor::SID_Batch = { SECURITY_NT_AUTHORITY, 1, SECURITY_BATCH_RID, 0 },
  45. CSecurityDescriptor::SID_Interactive = { SECURITY_NT_AUTHORITY, 1, SECURITY_INTERACTIVE_RID, 0 },
  46. CSecurityDescriptor::SID_Service = { SECURITY_NT_AUTHORITY, 1, SECURITY_SERVICE_RID, 0 },
  47. CSecurityDescriptor::SID_System = { SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SYSTEM_RID, 0 },
  48. CSecurityDescriptor::SID_SysDomain = { SECURITY_NT_AUTHORITY, 1, SECURITY_BUILTIN_DOMAIN_RID, 0 };
  50. CSecurityDescriptor::CSecurityDescriptor()
  51. {
  52. m_pSD = NULL;
  53. m_pOwner = NULL;
  54. m_pGroup = NULL;
  55. m_pDACL = NULL;
  56. m_pSACL= NULL;
  57. m_fInheritance = FALSE;
  58. }
  60. CSecurityDescriptor::~CSecurityDescriptor()
  61. {
  62. if (m_pSD)
  63. delete m_pSD;
  64. if (m_pOwner)
  65. delete[] (LPBYTE)m_pOwner;
  66. if (m_pGroup)
  67. delete[] (LPBYTE)m_pGroup;
  68. if (m_pDACL)
  69. delete[] (LPBYTE)m_pDACL;
  70. if (m_pSACL)
  71. delete[] (LPBYTE)m_pSACL;
  72. }
  74. HRESULT CSecurityDescriptor::Initialize()
  75. {
  76. if (m_pSD)
  77. {
  78. delete m_pSD;
  79. m_pSD = NULL;
  80. }
  81. if (m_pOwner)
  82. {
  83. delete[] (LPBYTE)(m_pOwner);
  84. m_pOwner = NULL;
  85. }
  86. if (m_pGroup)
  87. {
  88. delete[] (LPBYTE)(m_pGroup);
  89. m_pGroup = NULL;
  90. }
  91. if (m_pDACL)
  92. {
  93. delete[] (LPBYTE)(m_pDACL);
  94. m_pDACL = NULL;
  95. }
  96. if (m_pSACL)
  97. {
  98. delete[] (LPBYTE)(m_pSACL);
  99. m_pSACL = NULL;
  100. }
  102. m_pSD = new SECURITY_DESCRIPTOR;
  103. if (!m_pSD)
  104. return E_OUTOFMEMORY;
  105. if (!InitializeSecurityDescriptor(m_pSD, SECURITY_DESCRIPTOR_REVISION))
  106. {
  107. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  108. delete m_pSD;
  109. m_pSD = NULL;
  110. _ASSERTE(FALSE);
  111. return hr;
  112. }
  113. // Set the DACL to allow EVERYONE
  114. SetSecurityDescriptorDacl(m_pSD, TRUE, NULL, FALSE);
  115. return S_OK;
  116. }
  118. HRESULT CSecurityDescriptor::InitializeFromProcessToken(BOOL bDefaulted)
  119. {
  120. PSID pUserSid;
  121. PSID pGroupSid;
  122. HRESULT hr;
  124. Initialize();
  125. hr = GetProcessSids(&pUserSid, &pGroupSid);
  126. if (FAILED(hr))
  127. return hr;
  128. hr = SetOwner(pUserSid, bDefaulted);
  129. if (FAILED(hr))
  130. return hr;
  131. hr = SetGroup(pGroupSid, bDefaulted);
  132. if (FAILED(hr))
  133. return hr;
  134. return S_OK;
  135. }
  137. HRESULT CSecurityDescriptor::InitializeFromThreadToken(BOOL bDefaulted, BOOL bRevertToProcessToken)
  138. {
  139. PSID pUserSid;
  140. PSID pGroupSid;
  141. HRESULT hr;
  143. Initialize();
  144. hr = GetThreadSids(&pUserSid, &pGroupSid);
  145. if (HRESULT_CODE(hr) == ERROR_NO_TOKEN && bRevertToProcessToken)
  146. hr = GetProcessSids(&pUserSid, &pGroupSid);
  147. if (FAILED(hr))
  148. return hr;
  149. hr = SetOwner(pUserSid, bDefaulted);
  150. if (FAILED(hr))
  151. return hr;
  152. hr = SetGroup(pGroupSid, bDefaulted);
  153. if (FAILED(hr))
  154. return hr;
  155. return S_OK;
  156. }
  158. HRESULT CSecurityDescriptor::SetOwner(PSID pOwnerSid, BOOL bDefaulted)
  159. {
  160. _ASSERTE(m_pSD);
  162. // Mark the SD as having no owner
  163. if (!SetSecurityDescriptorOwner(m_pSD, NULL, bDefaulted))
  164. {
  165. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  166. _ASSERTE(FALSE);
  167. return hr;
  168. }
  170. if (m_pOwner)
  171. {
  172. delete[] (LPBYTE)(m_pOwner);
  173. m_pOwner = NULL;
  174. }
  176. // If they asked for no owner don't do the copy
  177. if (pOwnerSid == NULL)
  178. return S_OK;
  180. // Make a copy of the Sid for the return value
  181. DWORD dwSize = GetLengthSid(pOwnerSid);
  183. m_pOwner = (PSID) new BYTE[dwSize];
  184. if (!m_pOwner)
  185. {
  186. // Insufficient memory to allocate Sid
  187. _ASSERTE(FALSE);
  188. return E_OUTOFMEMORY;
  189. }
  190. if (!CopySid(dwSize, m_pOwner, pOwnerSid))
  191. {
  192. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  193. _ASSERTE(FALSE);
  194. delete[] (LPBYTE)(m_pOwner);
  195. m_pOwner = NULL;
  196. return hr;
  197. }
  199. _ASSERTE(IsValidSid(m_pOwner));
  201. if (!SetSecurityDescriptorOwner(m_pSD, m_pOwner, bDefaulted))
  202. {
  203. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  204. _ASSERTE(FALSE);
  205. delete[] (LPBYTE)(m_pOwner);
  206. m_pOwner = NULL;
  207. return hr;
  208. }
  210. return S_OK;
  211. }
  213. HRESULT CSecurityDescriptor::SetGroup(PSID pGroupSid, BOOL bDefaulted)
  214. {
  215. _ASSERTE(m_pSD);
  217. // Mark the SD as having no Group
  218. if (!SetSecurityDescriptorGroup(m_pSD, NULL, bDefaulted))
  219. {
  220. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  221. _ASSERTE(FALSE);
  222. return hr;
  223. }
  225. if (m_pGroup)
  226. {
  227. delete[] (LPBYTE)(m_pGroup);
  228. m_pGroup = NULL;
  229. }
  231. // If they asked for no Group don't do the copy
  232. if (pGroupSid == NULL)
  233. return S_OK;
  235. // Make a copy of the Sid for the return value
  236. DWORD dwSize = GetLengthSid(pGroupSid);
  238. m_pGroup = (PSID) new BYTE[dwSize];
  239. if (!m_pGroup)
  240. {
  241. // Insufficient memory to allocate Sid
  242. _ASSERTE(FALSE);
  243. return E_OUTOFMEMORY;
  244. }
  245. if (!CopySid(dwSize, m_pGroup, pGroupSid))
  246. {
  247. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  248. _ASSERTE(FALSE);
  249. delete[] (LPBYTE)(m_pGroup);
  250. m_pGroup = NULL;
  251. return hr;
  252. }
  254. _ASSERTE(IsValidSid(m_pGroup));
  256. if (!SetSecurityDescriptorGroup(m_pSD, m_pGroup, bDefaulted))
  257. {
  258. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  259. _ASSERTE(FALSE);
  260. delete[] (LPBYTE)(m_pGroup);
  261. m_pGroup = NULL;
  262. return hr;
  263. }
  265. return S_OK;
  266. }
  268. HRESULT CSecurityDescriptor::Allow(const SecurityId *psidPrincipal, DWORD dwAccessMask)
  269. {
  270. HRESULT hr = AddAccessAllowedACEToACL(&m_pDACL, psidPrincipal, dwAccessMask);
  271. if (SUCCEEDED(hr))
  272. {
  273. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  274. hr = HRESULT_FROM_WIN32(GetLastError());
  275. }
  276. return hr;
  277. }
  279. HRESULT CSecurityDescriptor::Allow(LPCTSTR pszPrincipal, DWORD dwAccessMask)
  280. {
  281. HRESULT hr = AddAccessAllowedACEToACL(&m_pDACL, pszPrincipal, dwAccessMask);
  282. if (SUCCEEDED(hr))
  283. {
  284. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  285. hr = HRESULT_FROM_WIN32(GetLastError());
  286. }
  287. return hr;
  288. }
  290. HRESULT CSecurityDescriptor::Deny(const SecurityId *psidPrincipal, DWORD dwAccessMask)
  291. {
  292. HRESULT hr = AddAccessDeniedACEToACL(&m_pDACL, psidPrincipal, dwAccessMask);
  293. if (SUCCEEDED(hr))
  294. {
  295. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  296. hr = HRESULT_FROM_WIN32(GetLastError());
  297. }
  298. return hr;
  299. }
  301. HRESULT CSecurityDescriptor::Deny(LPCTSTR pszPrincipal, DWORD dwAccessMask)
  302. {
  303. HRESULT hr = AddAccessDeniedACEToACL(&m_pDACL, pszPrincipal, dwAccessMask);
  304. if (SUCCEEDED(hr))
  305. {
  306. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  307. hr = HRESULT_FROM_WIN32(GetLastError());
  308. }
  309. return hr;
  310. }
  312. HRESULT CSecurityDescriptor::Revoke(LPCTSTR pszPrincipal)
  313. {
  314. HRESULT hr = RemovePrincipalFromACL(m_pDACL, pszPrincipal);
  315. if (SUCCEEDED(hr))
  316. {
  317. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  318. hr = HRESULT_FROM_WIN32(GetLastError());
  319. }
  320. return hr;
  321. }
  323. HRESULT CSecurityDescriptor::GetProcessSids(PSID* ppUserSid, PSID* ppGroupSid)
  324. {
  325. BOOL bRes;
  326. HRESULT hr;
  327. HANDLE hToken = NULL;
  328. if (ppUserSid)
  329. *ppUserSid = NULL;
  330. if (ppGroupSid)
  331. *ppGroupSid = NULL;
  332. bRes = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);
  333. if (!bRes)
  334. {
  335. // Couldn't open process token
  336. hr = HRESULT_FROM_WIN32(GetLastError());
  337. _ASSERTE(FALSE);
  338. return hr;
  339. }
  340. hr = GetTokenSids(hToken, ppUserSid, ppGroupSid);
  341. return hr;
  342. }
  344. HRESULT CSecurityDescriptor::GetThreadSids(PSID* ppUserSid, PSID* ppGroupSid, BOOL bOpenAsSelf)
  345. {
  346. BOOL bRes;
  347. HRESULT hr;
  348. HANDLE hToken = NULL;
  349. if (ppUserSid)
  350. *ppUserSid = NULL;
  351. if (ppGroupSid)
  352. *ppGroupSid = NULL;
  353. bRes = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, bOpenAsSelf, &hToken);
  354. if (!bRes)
  355. {
  356. // Couldn't open thread token
  357. hr = HRESULT_FROM_WIN32(GetLastError());
  358. return hr;
  359. }
  360. hr = GetTokenSids(hToken, ppUserSid, ppGroupSid);
  361. CloseHandle(hToken);
  362. return hr;
  363. }
  366. HRESULT CSecurityDescriptor::GetTokenSids(HANDLE hToken, PSID* ppUserSid, PSID* ppGroupSid)
  367. {
  368. DWORD dwSize;
  369. HRESULT hr;
  370. PTOKEN_USER ptkUser = NULL;
  371. PTOKEN_PRIMARY_GROUP ptkGroup = NULL;
  373. if (ppUserSid)
  374. *ppUserSid = NULL;
  375. if (ppGroupSid)
  376. *ppGroupSid = NULL;
  378. if (ppUserSid)
  379. {
  380. // Get length required for TokenUser by specifying buffer length of 0
  381. GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize);
  382. hr = GetLastError();
  383. if (hr != ERROR_INSUFFICIENT_BUFFER)
  384. {
  385. // Expected ERROR_INSUFFICIENT_BUFFER
  386. _ASSERTE(FALSE);
  387. hr = HRESULT_FROM_WIN32(hr);
  388. goto failed;
  389. }
  391. ptkUser = (TOKEN_USER*) new BYTE[dwSize];
  392. if (!ptkUser)
  393. {
  394. // Insufficient memory to allocate TOKEN_USER
  395. _ASSERTE(FALSE);
  396. hr = E_OUTOFMEMORY;
  397. goto failed;
  398. }
  399. // Get Sid of process token.
  400. if (!GetTokenInformation(hToken, TokenUser, ptkUser, dwSize, &dwSize))
  401. {
  402. // Couldn't get user info
  403. hr = HRESULT_FROM_WIN32(GetLastError());
  404. _ASSERTE(FALSE);
  405. goto failed;
  406. }
  408. // Make a copy of the Sid for the return value
  409. dwSize = GetLengthSid(ptkUser->User.Sid);
  411. PSID pSid = (PSID) new BYTE[dwSize];
  412. if (!pSid)
  413. {
  414. // Insufficient memory to allocate Sid
  415. _ASSERTE(FALSE);
  416. hr = E_OUTOFMEMORY;
  417. goto failed;
  418. }
  419. if (!CopySid(dwSize, pSid, ptkUser->User.Sid))
  420. {
  421. hr = HRESULT_FROM_WIN32(GetLastError());
  422. _ASSERTE(FALSE);
  423. goto failed;
  424. }
  426. _ASSERTE(IsValidSid(pSid));
  427. *ppUserSid = pSid;
  428. delete[] (LPBYTE)(ptkUser);
  429. ptkUser = NULL;
  430. }
  431. if (ppGroupSid)
  432. {
  433. // Get length required for TokenPrimaryGroup by specifying buffer length of 0
  434. GetTokenInformation(hToken, TokenPrimaryGroup, NULL, 0, &dwSize);
  435. hr = GetLastError();
  436. if (hr != ERROR_INSUFFICIENT_BUFFER)
  437. {
  438. // Expected ERROR_INSUFFICIENT_BUFFER
  439. _ASSERTE(FALSE);
  440. hr = HRESULT_FROM_WIN32(hr);
  441. goto failed;
  442. }
  444. ptkGroup = (TOKEN_PRIMARY_GROUP*) new BYTE[dwSize];
  445. if (!ptkGroup)
  446. {
  447. // Insufficient memory to allocate TOKEN_USER
  448. _ASSERTE(FALSE);
  449. hr = E_OUTOFMEMORY;
  450. goto failed;
  451. }
  452. // Get Sid of process token.
  453. if (!GetTokenInformation(hToken, TokenPrimaryGroup, ptkGroup, dwSize, &dwSize))
  454. {
  455. // Couldn't get user info
  456. hr = HRESULT_FROM_WIN32(GetLastError());
  457. _ASSERTE(FALSE);
  458. goto failed;
  459. }
  461. // Make a copy of the Sid for the return value
  462. dwSize = GetLengthSid(ptkGroup->PrimaryGroup);
  464. PSID pSid = (PSID) new BYTE[dwSize];
  465. if (!pSid)
  466. {
  467. // Insufficient memory to allocate Sid
  468. _ASSERTE(FALSE);
  469. hr = E_OUTOFMEMORY;
  470. goto failed;
  471. }
  472. if (!CopySid(dwSize, pSid, ptkGroup->PrimaryGroup))
  473. {
  474. hr = HRESULT_FROM_WIN32(GetLastError());
  475. _ASSERTE(FALSE);
  476. goto failed;
  477. }
  479. _ASSERTE(IsValidSid(pSid));
  481. *ppGroupSid = pSid;
  482. delete[] (LPBYTE)(ptkGroup);
  483. ptkGroup = NULL;
  484. }
  486. return S_OK;
  488. failed:
  489. if (ptkUser)
  490. delete[] (LPBYTE)(ptkUser);
  491. if (ptkGroup)
  492. delete[] (LPBYTE)(ptkGroup);
  493. return hr;
  494. }
  497. HRESULT CSecurityDescriptor::GetCurrentUserSID(PSID *ppSid)
  498. {
  499. HANDLE tkHandle;
  501. if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tkHandle))
  502. {
  503. TOKEN_USER *tkUser;
  504. DWORD tkSize;
  505. DWORD sidLength;
  507. // Call to get size information for alloc
  508. GetTokenInformation(tkHandle, TokenUser, NULL, 0, &tkSize);
  509. tkUser = (TOKEN_USER *) new BYTE[tkSize];
  510. if (NULL == tkUser)
  511. {
  512. CloseHandle(tkHandle);
  513. return E_OUTOFMEMORY;
  514. }
  516. // Now make the real call
  517. if (GetTokenInformation(tkHandle, TokenUser, tkUser, tkSize, &tkSize))
  518. {
  519. sidLength = GetLengthSid(tkUser->User.Sid);
  520. *ppSid = (PSID) new BYTE[sidLength];
  521. if (NULL != *ppSid)
  522. {
  523. memcpy(*ppSid, tkUser->User.Sid, sidLength);
  524. CloseHandle(tkHandle);
  526. delete[] (LPBYTE)(tkUser);
  527. return S_OK;
  528. }
  529. else
  530. {
  531. CloseHandle(tkHandle);
  532. delete[] (LPBYTE)(tkUser);
  533. return E_OUTOFMEMORY;
  534. }
  535. }
  536. else
  537. {
  538. delete[] (LPBYTE)(tkUser);
  539. return HRESULT_FROM_WIN32(GetLastError());
  540. }
  541. }
  542. return HRESULT_FROM_WIN32(GetLastError());
  543. }
  546. HRESULT CSecurityDescriptor::GetPrincipalSID(LPCTSTR pszPrincipal, PSID *ppSid)
  547. {
  548. HRESULT hr;
  549. LPTSTR pszRefDomain = NULL;
  550. DWORD dwDomainSize = 0;
  551. DWORD dwSidSize = 0;
  552. SID_NAME_USE snu;
  554. // Call to get size info for alloc
  555. LookupAccountName(NULL, pszPrincipal, *ppSid, &dwSidSize, pszRefDomain, &dwDomainSize, &snu);
  557. hr = GetLastError();
  558. if (hr != ERROR_INSUFFICIENT_BUFFER)
  559. return HRESULT_FROM_WIN32(hr);
  561. pszRefDomain = new TCHAR[dwDomainSize];
  562. if (pszRefDomain == NULL)
  563. return E_OUTOFMEMORY;
  565. *ppSid = (PSID) new BYTE[dwSidSize];
  566. if (*ppSid != NULL)
  567. {
  568. if (!LookupAccountName(NULL, pszPrincipal, *ppSid, &dwSidSize, pszRefDomain, &dwDomainSize, &snu))
  569. {
  570. delete[] (LPBYTE)(*ppSid);
  571. *ppSid = NULL;
  572. delete[] pszRefDomain;
  573. return HRESULT_FROM_WIN32(GetLastError());
  574. }
  575. delete[] pszRefDomain;
  576. return S_OK;
  577. }
  578. delete[] pszRefDomain;
  579. return E_OUTOFMEMORY;
  580. }
  583. HRESULT CSecurityDescriptor::Attach(PSECURITY_DESCRIPTOR pSelfRelativeSD)
  584. {
  585. PACL pDACL = NULL;
  586. PACL pSACL = NULL;
  587. BOOL bDACLPresent, bSACLPresent;
  588. BOOL bDefaulted;
  589. PACL m_pDACL = NULL;
  590. ACCESS_ALLOWED_ACE* pACE;
  591. HRESULT hr;
  592. PSID pUserSid;
  593. PSID pGroupSid;
  595. hr = Initialize();
  596. if(FAILED(hr))
  597. return hr;
  599. // get the existing DACL.
  600. if (!GetSecurityDescriptorDacl(pSelfRelativeSD, &bDACLPresent, &pDACL, &bDefaulted))
  601. goto failed;
  603. if (bDACLPresent)
  604. {
  605. if (pDACL)
  606. {
  607. // allocate new DACL.
  608. if (NULL == (m_pDACL = (PACL) new BYTE[pDACL->AclSize]))
  609. goto failed;
  611. // initialize the DACL
  612. if (!InitializeAcl(m_pDACL, pDACL->AclSize, ACL_REVISION))
  613. goto failed;
  615. // copy the ACES
  616. for (int i = 0; i < pDACL->AceCount; i++)
  617. {
  618. if (!GetAce(pDACL, i, (void **)&pACE))
  619. goto failed;
  621. if (!AddAccessAllowedAce(m_pDACL, ACL_REVISION, pACE->Mask, (PSID)&(pACE->SidStart)))
  622. goto failed;
  623. }
  625. if (!IsValidAcl(m_pDACL))
  626. goto failed;
  627. }
  629. // set the DACL
  630. if (!SetSecurityDescriptorDacl(m_pSD, m_pDACL ? TRUE : FALSE, m_pDACL, bDefaulted))
  631. goto failed;
  632. }
  634. // get the existing SACL.
  635. if (!GetSecurityDescriptorSacl(pSelfRelativeSD, &bSACLPresent, &pSACL, &bDefaulted))
  636. goto failed;
  638. if (bSACLPresent)
  639. {
  640. if (pSACL)
  641. {
  642. // allocate new SACL.
  643. if (NULL == (m_pSACL = (PACL) new BYTE[pSACL->AclSize]))
  644. goto failed;
  646. // initialize the SACL
  647. if (!InitializeAcl(m_pSACL, pSACL->AclSize, ACL_REVISION))
  648. goto failed;
  650. // copy the ACES
  651. for (int i = 0; i < pSACL->AceCount; i++)
  652. {
  653. if (!GetAce(pSACL, i, (void **)&pACE))
  654. goto failed;
  656. if (!AddAccessAllowedAce(m_pSACL, ACL_REVISION, pACE->Mask, (PSID)&(pACE->SidStart)))
  657. goto failed;
  658. }
  660. if (!IsValidAcl(m_pSACL))
  661. goto failed;
  662. }
  664. // set the SACL
  665. if (!SetSecurityDescriptorSacl(m_pSD, m_pSACL ? TRUE : FALSE, m_pSACL, bDefaulted))
  666. goto failed;
  667. }
  669. if (!GetSecurityDescriptorOwner(m_pSD, &pUserSid, &bDefaulted))
  670. goto failed;
  672. if (FAILED(SetOwner(pUserSid, bDefaulted)))
  673. goto failed;
  675. if (!GetSecurityDescriptorGroup(m_pSD, &pGroupSid, &bDefaulted))
  676. goto failed;
  678. if (FAILED(SetGroup(pGroupSid, bDefaulted)))
  679. goto failed;
  681. if (!IsValidSecurityDescriptor(m_pSD))
  682. goto failed;
  684. return hr;
  686. failed:
  687. if (m_pDACL)
  688. delete[] (LPBYTE)(m_pDACL);
  689. if (m_pSD)
  690. delete[] (LPBYTE)(m_pSD);
  691. return E_UNEXPECTED;
  692. }
  694. HRESULT CSecurityDescriptor::AttachObject(HANDLE hObject)
  695. {
  696. HRESULT hr;
  697. DWORD dwSize = 0;
  698. PSECURITY_DESCRIPTOR pSD = NULL;
  700. GetKernelObjectSecurity(hObject, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
  701. DACL_SECURITY_INFORMATION, pSD, 0, &dwSize);
  703. hr = GetLastError();
  704. if (hr != ERROR_INSUFFICIENT_BUFFER)
  705. return HRESULT_FROM_WIN32(hr);
  707. pSD = (PSECURITY_DESCRIPTOR) new BYTE[dwSize];
  709. if (!GetKernelObjectSecurity(hObject, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
  710. DACL_SECURITY_INFORMATION, pSD, dwSize, &dwSize))
  711. {
  712. hr = HRESULT_FROM_WIN32(GetLastError());
  713. delete[] (LPBYTE)(pSD);
  714. return hr;
  715. }
  717. hr = Attach(pSD);
  718. delete[] (LPBYTE)(pSD);
  719. return hr;
  720. }
  723. HRESULT CSecurityDescriptor::CopyACL(PACL pDest, PACL pSrc)
  724. {
  725. ACL_SIZE_INFORMATION aclSizeInfo;
  726. LPVOID pAce;
  727. ACE_HEADER *aceHeader;
  729. if (pSrc == NULL)
  730. return S_OK;
  732. if (!GetAclInformation(pSrc, (LPVOID) &aclSizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation))
  733. return HRESULT_FROM_WIN32(GetLastError());
  735. // Copy all of the ACEs to the new ACL
  736. for (UINT i = 0; i < aclSizeInfo.AceCount; i++)
  737. {
  738. if (!GetAce(pSrc, i, &pAce))
  739. return HRESULT_FROM_WIN32(GetLastError());
  741. aceHeader = (ACE_HEADER *) pAce;
  743. if (!AddAce(pDest, ACL_REVISION, 0xffffffff, pAce, aceHeader->AceSize))
  744. return HRESULT_FROM_WIN32(GetLastError());
  745. }
  747. return S_OK;
  748. }
  750. HRESULT CSecurityDescriptor::AddAccessDeniedACEToACL(PACL *ppAcl, LPCTSTR pszPrincipal, DWORD dwAccessMask)
  751. {
  752. ACL_SIZE_INFORMATION aclSizeInfo;
  753. int aclSize;
  754. DWORD returnValue;
  755. PSID principalSID;
  756. PACL oldACL, newACL;
  758. oldACL = *ppAcl;
  760. returnValue = GetPrincipalSID(pszPrincipal, &principalSID);
  761. if (FAILED(returnValue))
  762. return returnValue;
  764. aclSizeInfo.AclBytesInUse = 0;
  765. if (*ppAcl != NULL)
  766. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  768. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
  770. newACL = (PACL) new BYTE[aclSize];
  772. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  773. {
  774. delete[] (LPBYTE)(principalSID);
  775. return HRESULT_FROM_WIN32(GetLastError());
  776. }
  778. if (!AddAccessDeniedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
  779. {
  780. delete[] (LPBYTE)(principalSID);
  781. return HRESULT_FROM_WIN32(GetLastError());
  782. }
  784. returnValue = CopyACL(newACL, oldACL);
  785. if (FAILED(returnValue))
  786. {
  787. delete[] (LPBYTE)(principalSID);
  788. return returnValue;
  789. }
  791. *ppAcl = newACL;
  793. if (oldACL != NULL)
  794. delete[] (LPBYTE)(oldACL);
  795. delete[] (LPBYTE)(principalSID);
  796. return S_OK;
  797. }
  800. HRESULT CSecurityDescriptor::AddAccessDeniedACEToACL(PACL *ppAcl, const SecurityId *psidPrincipal, DWORD dwAccessMask)
  801. {
  802. ACL_SIZE_INFORMATION aclSizeInfo;
  803. int aclSize;
  804. DWORD returnValue;
  805. PSID principalSID;
  806. PACL oldACL, newACL;
  807. DWORD dwLen, dwIx;
  809. oldACL = *ppAcl;
  811. ASSERT(255 >= psidPrincipal->dwRidCount);
  812. dwLen = GetSidLengthRequired((UCHAR)psidPrincipal->dwRidCount);
  813. principalSID = (PSID)(new BYTE[dwLen]);
  814. if (!InitializeSid(
  815. principalSID,
  816. (PSID_IDENTIFIER_AUTHORITY)&psidPrincipal->sid,
  817. (UCHAR)psidPrincipal->dwRidCount))
  818. {
  819. delete[] (LPBYTE)principalSID;
  820. return HRESULT_FROM_WIN32(GetLastError());
  821. }
  822. for (dwIx = 0; dwIx < psidPrincipal->dwRidCount; dwIx += 1)
  823. *GetSidSubAuthority(principalSID, dwIx) = psidPrincipal->rgRids[dwIx];
  824. if (!IsValidSid(principalSID))
  825. {
  826. delete[] (LPBYTE)principalSID;
  827. return HRESULT_FROM_WIN32(GetLastError());
  828. }
  830. aclSizeInfo.AclBytesInUse = 0;
  831. if (*ppAcl != NULL)
  832. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  834. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
  836. newACL = (PACL) new BYTE[aclSize];
  838. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  839. {
  840. delete[] (LPBYTE)(principalSID);
  841. return HRESULT_FROM_WIN32(GetLastError());
  842. }
  844. if (!AddAccessDeniedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
  845. {
  846. delete[] (LPBYTE)(principalSID);
  847. return HRESULT_FROM_WIN32(GetLastError());
  848. }
  850. returnValue = CopyACL(newACL, oldACL);
  851. if (FAILED(returnValue))
  852. {
  853. delete[] (LPBYTE)(principalSID);
  854. return returnValue;
  855. }
  857. *ppAcl = newACL;
  859. if (oldACL != NULL)
  860. delete[] (LPBYTE)(oldACL);
  861. delete[] (LPBYTE)(principalSID);
  862. return S_OK;
  863. }
  866. HRESULT CSecurityDescriptor::AddAccessAllowedACEToACL(PACL *ppAcl, const SecurityId *psidPrincipal, DWORD dwAccessMask)
  867. {
  868. ACL_SIZE_INFORMATION aclSizeInfo;
  869. int aclSize;
  870. DWORD returnValue;
  871. PSID principalSID = NULL;
  872. PACL oldACL, newACL;
  873. DWORD dwLen, dwIx;
  875. oldACL = *ppAcl;
  877. ASSERT(255 >= psidPrincipal->dwRidCount);
  878. dwLen = GetSidLengthRequired((UCHAR)psidPrincipal->dwRidCount);
  879. principalSID = (PSID)(new BYTE[dwLen]);
  880. if (!InitializeSid(
  881. principalSID,
  882. (PSID_IDENTIFIER_AUTHORITY)&psidPrincipal->sid,
  883. (UCHAR)psidPrincipal->dwRidCount))
  884. {
  885. delete[] (LPBYTE)principalSID;
  886. return HRESULT_FROM_WIN32(GetLastError());
  887. }
  888. for (dwIx = 0; dwIx < psidPrincipal->dwRidCount; dwIx += 1)
  889. *GetSidSubAuthority(principalSID, dwIx) = psidPrincipal->rgRids[dwIx];
  890. if (!IsValidSid(principalSID))
  891. {
  892. delete[] (LPBYTE)principalSID;
  893. return HRESULT_FROM_WIN32(GetLastError());
  894. }
  896. aclSizeInfo.AclBytesInUse = 0;
  897. if (*ppAcl != NULL)
  898. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  900. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
  902. newACL = (PACL) new BYTE[aclSize];
  904. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  905. {
  906. delete[] (LPBYTE)principalSID;
  907. return HRESULT_FROM_WIN32(GetLastError());
  908. }
  910. returnValue = CopyACL(newACL, oldACL);
  911. if (FAILED(returnValue))
  912. {
  913. delete[] (LPBYTE)principalSID;
  914. return returnValue;
  915. }
  917. if (!AddAccessAllowedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
  918. {
  919. delete[] (LPBYTE)principalSID;
  920. return HRESULT_FROM_WIN32(GetLastError());
  921. }
  923. *ppAcl = newACL;
  925. if (oldACL != NULL)
  926. delete[] (LPBYTE)(oldACL);
  927. delete[] (LPBYTE)principalSID;
  928. return S_OK;
  929. }
  932. HRESULT CSecurityDescriptor::AddAccessAllowedACEToACL(PACL *ppAcl, LPCTSTR pszPrincipal, DWORD dwAccessMask)
  933. {
  934. ACL_SIZE_INFORMATION aclSizeInfo;
  935. int aclSize;
  936. DWORD returnValue;
  937. PSID principalSID;
  938. PACL oldACL, newACL;
  940. oldACL = *ppAcl;
  942. returnValue = GetPrincipalSID(pszPrincipal, &principalSID);
  943. if (FAILED(returnValue))
  944. return returnValue;
  946. aclSizeInfo.AclBytesInUse = 0;
  947. if (*ppAcl != NULL)
  948. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  950. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
  952. newACL = (PACL) new BYTE[aclSize];
  954. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  955. {
  956. delete[] (LPBYTE)(principalSID);
  957. return HRESULT_FROM_WIN32(GetLastError());
  958. }
  960. returnValue = CopyACL(newACL, oldACL);
  961. if (FAILED(returnValue))
  962. {
  963. delete[] (LPBYTE)(principalSID);
  964. return returnValue;
  965. }
  967. if (!AddAccessAllowedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
  968. {
  969. delete[] (LPBYTE)(principalSID);
  970. return HRESULT_FROM_WIN32(GetLastError());
  971. }
  973. *ppAcl = newACL;
  975. if (oldACL != NULL)
  976. delete[] (LPBYTE)(oldACL);
  977. delete[] (LPBYTE)(principalSID);
  978. return S_OK;
  979. }
  982. HRESULT CSecurityDescriptor::RemovePrincipalFromACL(PACL pAcl, LPCTSTR pszPrincipal)
  983. {
  984. ACL_SIZE_INFORMATION aclSizeInfo;
  985. ULONG i;
  986. LPVOID ace;
  987. ACCESS_ALLOWED_ACE *accessAllowedAce;
  988. ACCESS_DENIED_ACE *accessDeniedAce;
  989. SYSTEM_AUDIT_ACE *systemAuditAce;
  990. PSID principalSID;
  991. DWORD returnValue;
  992. ACE_HEADER *aceHeader;
  994. returnValue = GetPrincipalSID(pszPrincipal, &principalSID);
  995. if (FAILED(returnValue))
  996. return returnValue;
  998. GetAclInformation(pAcl, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  1000. for (i = 0; i < aclSizeInfo.AceCount; i++)
  1001. {
  1002. if (!GetAce(pAcl, i, &ace))
  1003. {
  1004. delete[] (LPBYTE)(principalSID);
  1005. return HRESULT_FROM_WIN32(GetLastError());
  1006. }
  1008. aceHeader = (ACE_HEADER *) ace;
  1010. if (aceHeader->AceType == ACCESS_ALLOWED_ACE_TYPE)
  1011. {
  1012. accessAllowedAce = (ACCESS_ALLOWED_ACE *) ace;
  1014. if (EqualSid(principalSID, (PSID) &accessAllowedAce->SidStart))
  1015. {
  1016. DeleteAce(pAcl, i);
  1017. delete[] (LPBYTE)(principalSID);
  1018. return S_OK;
  1019. }
  1020. } else
  1022. if (aceHeader->AceType == ACCESS_DENIED_ACE_TYPE)
  1023. {
  1024. accessDeniedAce = (ACCESS_DENIED_ACE *) ace;
  1026. if (EqualSid(principalSID, (PSID) &accessDeniedAce->SidStart))
  1027. {
  1028. DeleteAce(pAcl, i);
  1029. delete[] (LPBYTE)(principalSID);
  1030. return S_OK;
  1031. }
  1032. } else
  1034. if (aceHeader->AceType == SYSTEM_AUDIT_ACE_TYPE)
  1035. {
  1036. systemAuditAce = (SYSTEM_AUDIT_ACE *) ace;
  1038. if (EqualSid(principalSID, (PSID) &systemAuditAce->SidStart))
  1039. {
  1040. DeleteAce(pAcl, i);
  1041. delete[] (LPBYTE)(principalSID);
  1042. return S_OK;
  1043. }
  1044. }
  1045. }
  1046. delete[] (LPBYTE)(principalSID);
  1047. return S_OK;
  1048. }
  1051. HRESULT CSecurityDescriptor::SetPrivilege(LPCTSTR privilege, BOOL bEnable, HANDLE hToken)
  1052. {
  1053. HRESULT hr;
  1054. TOKEN_PRIVILEGES tpPrevious;
  1055. TOKEN_PRIVILEGES tp;
  1056. DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
  1057. LUID luid;
  1059. // if no token specified open process token
  1060. if (hToken == 0)
  1061. {
  1062. if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
  1063. {
  1064. hr = HRESULT_FROM_WIN32(GetLastError());
  1065. _ASSERTE(FALSE);
  1066. return hr;
  1067. }
  1068. }
  1070. if (!LookupPrivilegeValue(NULL, privilege, &luid ))
  1071. {
  1072. hr = HRESULT_FROM_WIN32(GetLastError());
  1073. _ASSERTE(FALSE);
  1074. return hr;
  1075. }
  1077. tp.PrivilegeCount = 1;
  1078. tp.Privileges[0].Luid = luid;
  1079. tp.Privileges[0].Attributes = 0;
  1081. if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &tpPrevious, &cbPrevious))
  1082. {
  1083. hr = HRESULT_FROM_WIN32(GetLastError());
  1084. _ASSERTE(FALSE);
  1085. return hr;
  1086. }
  1088. tpPrevious.PrivilegeCount = 1;
  1089. tpPrevious.Privileges[0].Luid = luid;
  1091. if (bEnable)
  1092. tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);
  1093. else
  1094. tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED & tpPrevious.Privileges[0].Attributes);
  1096. if (!AdjustTokenPrivileges(hToken, FALSE, &tpPrevious, cbPrevious, NULL, NULL))
  1097. {
  1098. hr = HRESULT_FROM_WIN32(GetLastError());
  1099. _ASSERTE(FALSE);
  1100. return hr;
  1101. }
  1102. return S_OK;
  1103. }
  1105. CSecurityDescriptor::operator LPSECURITY_ATTRIBUTES()
  1106. {
  1107. m_saAttrs.nLength = sizeof (m_saAttrs);
  1108. m_saAttrs.lpSecurityDescriptor = m_pSD;
  1109. m_saAttrs.bInheritHandle = m_fInheritance;
  1110. return (&m_saAttrs);
  1111. };