archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-server-2003/net/config/netoc/sfmsec.cpp

435 lines
16 KiB
Raw Permalink Normal View History

commiting as it is
4 years ago
  1. #include "pch.h"
  2. #pragma hdrstop
  4. #include "sfmsec.h"
  6. #define AFP_MIN_ACCESS (FILE_READ_ATTRIBUTES | READ_CONTROL)
  8. #define AFP_READ_ACCESS (READ_CONTROL | \
  9. FILE_READ_ATTRIBUTES | \
  10. FILE_TRAVERSE | \
  11. FILE_LIST_DIRECTORY | \
  12. FILE_READ_EA)
  14. #define AFP_WRITE_ACCESS (FILE_ADD_FILE | \
  15. FILE_ADD_SUBDIRECTORY| \
  16. FILE_WRITE_ATTRIBUTES| \
  17. FILE_WRITE_EA | \
  18. DELETE)
  20. #define AFP_OWNER_ACCESS (WRITE_DAC | \
  21. WRITE_OWNER)
  25. SID AfpSidWorld = { 1, 1, SECURITY_WORLD_SID_AUTHORITY, SECURITY_WORLD_RID };
  26. SID AfpSidNull = { 1, 1, SECURITY_NULL_SID_AUTHORITY, SECURITY_NULL_RID };
  27. SID AfpSidSystem = { 1, 1, SECURITY_NT_AUTHORITY, SECURITY_LOCAL_SYSTEM_RID };
  28. SID AfpSidCrtrOwner = { 1, 1, SECURITY_CREATOR_SID_AUTHORITY, SECURITY_CREATOR_OWNER_RID };
  29. SID AfpSidCrtrGroup = { 1, 1, SECURITY_CREATOR_SID_AUTHORITY, SECURITY_CREATOR_GROUP_RID };
  31. /*** afpAddAceToAcl
  32. *
  33. * Build an Ace corres. to the Sid(s) and mask and add these to the Acl. It is
  34. * assumed that the Acl has space for the Aces. If the Mask is 0 (i.e. no access)
  35. * the Ace added is a DENY Ace, else a ALLOWED ACE is added.
  36. */
  37. PACCESS_ALLOWED_ACE
  38. afpAddAceToAcl(
  39. IN PACL pAcl,
  40. IN PACCESS_ALLOWED_ACE pAce,
  41. IN ACCESS_MASK Mask,
  42. IN PSID pSid,
  43. IN PSID pSidInherit OPTIONAL
  44. )
  45. {
  46. NTSTATUS Status = STATUS_SUCCESS;
  48. // Add a vanilla ace
  49. pAcl->AceCount ++;
  50. pAce->Mask = Mask | SYNCHRONIZE | AFP_MIN_ACCESS;
  51. pAce->Header.AceFlags = 0;
  52. pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
  53. pAce->Header.AceSize = (USHORT)(sizeof(ACE_HEADER) + sizeof(ACCESS_MASK) +
  54. RtlLengthSid(pSid));
  55. Status = RtlCopySid(RtlLengthSid(pSid), (PSID)(&pAce->SidStart), pSid);
  56. if (!NT_SUCCESS(Status))
  57. {
  58. ASSERT(0);
  59. }
  61. // Now add an inherit ace
  62. //
  64. pAce = (PACCESS_ALLOWED_ACE)((PBYTE)pAce + pAce->Header.AceSize);
  65. pAcl->AceCount ++;
  66. pAce->Mask = Mask | SYNCHRONIZE | AFP_MIN_ACCESS;
  67. pAce->Header.AceFlags = CONTAINER_INHERIT_ACE |
  68. OBJECT_INHERIT_ACE |
  69. INHERIT_ONLY_ACE;
  70. pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
  71. pAce->Header.AceSize = (USHORT)(sizeof(ACE_HEADER) + sizeof(ACCESS_MASK) +
  72. RtlLengthSid(pSid));
  73. Status = RtlCopySid(RtlLengthSid(pSid), (PSID)(&pAce->SidStart), pSid);
  74. if (!NT_SUCCESS(Status))
  75. {
  76. ASSERT(0);
  77. }
  79. // Now add an inherit ace for the CreatorOwner/CreatorGroup
  80. if (ARGUMENT_PRESENT(pSidInherit))
  81. {
  82. pAce = (PACCESS_ALLOWED_ACE)((PBYTE)pAce + pAce->Header.AceSize);
  83. pAcl->AceCount ++;
  84. pAce->Mask = Mask | SYNCHRONIZE | AFP_MIN_ACCESS;
  85. pAce->Header.AceFlags = CONTAINER_INHERIT_ACE |
  86. OBJECT_INHERIT_ACE |
  87. INHERIT_ONLY_ACE;
  88. pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
  89. pAce->Header.AceSize = (USHORT)(sizeof(ACE_HEADER) + sizeof(ACCESS_MASK) +
  90. RtlLengthSid(pSidInherit));
  91. Status = RtlCopySid(RtlLengthSid(pSidInherit), (PSID)(&pAce->SidStart), pSidInherit);
  92. if (!NT_SUCCESS(Status))
  93. {
  94. ASSERT(0);
  95. }
  96. }
  98. return ((PACCESS_ALLOWED_ACE)((PBYTE)pAce + pAce->Header.AceSize));
  99. }
  101. /*** afpMoveAces
  102. *
  103. * Move a bunch of aces from the old security descriptor to the new security
  104. * descriptor.
  105. */
  106. PACCESS_ALLOWED_ACE
  107. afpMoveAces(
  108. IN PACL pOldDacl,
  109. IN PACCESS_ALLOWED_ACE pAceStart,
  110. IN PSID pSidOldOwner,
  111. IN PSID pSidNewOwner,
  112. IN PSID pSidOldGroup,
  113. IN PSID pSidNewGroup,
  114. IN BOOLEAN DenyAces,
  115. IN BOOLEAN InheritedAces,
  116. IN OUT PACL pNewDacl
  117. )
  118. {
  119. USHORT i;
  120. PACCESS_ALLOWED_ACE pAceOld;
  121. PSID pSidAce;
  123. for (i = 0, pAceOld = (PACCESS_ALLOWED_ACE)((PBYTE)pOldDacl + sizeof(ACL));
  124. i < pOldDacl->AceCount;
  125. i++, pAceOld = (PACCESS_ALLOWED_ACE)((PBYTE)pAceOld + pAceOld->Header.AceSize))
  126. {
  127. if (InheritedAces && ((pAceOld->Header.AceFlags & INHERITED_ACE) != INHERITED_ACE))
  128. continue;
  130. if ((!InheritedAces) && ((pAceOld->Header.AceFlags & INHERITED_ACE) == INHERITED_ACE))
  131. continue;
  133. // Note: All deny aces are ahead of the grant aces.
  134. if (DenyAces && (pAceOld->Header.AceType != ACCESS_DENIED_ACE_TYPE))
  135. break;
  137. if (!DenyAces && (pAceOld->Header.AceType == ACCESS_DENIED_ACE_TYPE))
  138. continue;
  140. pSidAce = (PSID)(&pAceOld->SidStart);
  141. if (!RtlEqualSid(pSidAce, &AfpSidWorld) &&
  142. !RtlEqualSid(pSidAce, &AfpSidCrtrOwner) &&
  143. !RtlEqualSid(pSidAce, &AfpSidCrtrGroup) &&
  144. !RtlEqualSid(pSidAce, pSidOldOwner) &&
  145. !RtlEqualSid(pSidAce, pSidNewOwner) &&
  146. !RtlEqualSid(pSidAce, pSidOldGroup) &&
  147. !RtlEqualSid(pSidAce, pSidNewGroup))
  148. {
  149. RtlCopyMemory(pAceStart, pAceOld, pAceOld->Header.AceSize);
  150. pNewDacl->AclSize += pAceOld->Header.AceSize;
  151. pNewDacl->AceCount ++;
  152. pAceStart = (PACCESS_ALLOWED_ACE)((PBYTE)pAceStart +
  153. pAceStart->Header.AceSize);
  154. }
  155. }
  156. return pAceStart;
  157. }
  160. /*** FSfmSetUamSecurity
  161. *
  162. * Set the permissions on this directory. Also optionally set the owner and
  163. * group ids. For setting the owner and group ids verify if the user has the
  164. * needed access. This access is however not good enough. We check for this
  165. * access but do the actual setting of the permissions in the special server
  166. * context (RESTORE privilege is needed).
  167. */
  168. HRESULT HrSecureSfmDirectory(PCWSTR wszPath)
  169. {
  170. HRESULT hr = S_OK;
  171. NTSTATUS Status;
  172. DWORD SizeNeeded;
  173. PBYTE pBuffer = NULL;
  174. PBYTE pAbsSecDesc = NULL;
  175. PISECURITY_DESCRIPTOR pSecDesc;
  176. SECURITY_INFORMATION SecInfo = DACL_SECURITY_INFORMATION;
  177. PACL pDaclNew = NULL;
  178. PACCESS_ALLOWED_ACE pAce;
  179. LONG SizeNewDacl;
  180. HANDLE DirHandle;
  181. PWSTR pDirPath = NULL;
  182. UNICODE_STRING DirectoryName;
  183. IO_STATUS_BLOCK IoStatusBlock;
  184. DWORD cbDirPath;
  185. OBJECT_ATTRIBUTES ObjectAttributes;
  186. UINT Size;
  188. //
  189. // Convert the DIR Path to UNICODE
  190. //
  192. pDirPath = (PWSTR)LocalAlloc(LPTR, (wcslen(wszPath) +
  193. wcslen(L"\\DOSDEVICES\\")+1) *
  194. sizeof(WCHAR));
  196. if (pDirPath == NULL)
  197. {
  198. hr = E_OUTOFMEMORY;
  199. goto err;
  200. }
  202. wcscpy(pDirPath, L"\\DOSDEVICES\\");
  203. wcscat(pDirPath, wszPath);
  205. RtlInitUnicodeString(&DirectoryName, pDirPath);
  207. InitializeObjectAttributes(&ObjectAttributes,
  208. &DirectoryName,
  209. OBJ_CASE_INSENSITIVE,
  210. NULL,
  211. NULL);
  213. Status = NtOpenFile(&DirHandle,
  214. WRITE_DAC | READ_CONTROL | SYNCHRONIZE,
  215. &ObjectAttributes,
  216. &IoStatusBlock,
  217. FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE ,
  218. FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);
  220. LocalFree(pDirPath);
  222. if (!NT_SUCCESS(Status))
  223. {
  224. goto err;
  225. }
  227. do
  228. {
  229. //
  230. // Read the security descriptor for this directory
  231. //
  233. SizeNeeded = 256;
  235. do
  236. {
  237. if (pBuffer != NULL)
  238. LocalFree(pBuffer);
  240. if ((pBuffer = (PBYTE)LocalAlloc(LPTR,SizeNewDacl = SizeNeeded)) == NULL)
  241. {
  243. Status = STATUS_NO_MEMORY;
  244. break;
  245. }
  247. Status = NtQuerySecurityObject(DirHandle,
  248. OWNER_SECURITY_INFORMATION |
  249. GROUP_SECURITY_INFORMATION |
  250. DACL_SECURITY_INFORMATION,
  251. (PSECURITY_DESCRIPTOR)pBuffer,
  252. SizeNeeded, &SizeNeeded);
  254. } while ((Status != STATUS_SUCCESS) &&
  255. ((Status == STATUS_BUFFER_TOO_SMALL) ||
  256. (Status == STATUS_BUFFER_OVERFLOW) ||
  257. (Status == STATUS_MORE_ENTRIES)));
  259. if (!NT_SUCCESS(Status))
  260. {
  261. hr = E_FAIL;
  262. break;
  263. }
  265. pSecDesc = (PISECURITY_DESCRIPTOR)pBuffer;
  267. // If the security descriptor is in self-relative form, convert to absolute
  268. if (pSecDesc->Control & SE_SELF_RELATIVE)
  269. {
  270. DWORD AbsoluteSizeNeeded;
  272. //
  273. // An absolute SD is not necessarily the same size as a relative
  274. // SD, so an in-place conversion may not be possible.
  275. //
  277. AbsoluteSizeNeeded = SizeNeeded;
  278. Status = RtlSelfRelativeToAbsoluteSD2(pSecDesc, &AbsoluteSizeNeeded);
  279. if (Status == STATUS_BUFFER_TOO_SMALL) {
  281. //
  282. // Allocate a new buffer in which to store the absolute
  283. // security descriptor, copy the contents of the relative
  284. // descriptor in, and try again.
  285. //
  287. pAbsSecDesc = (PBYTE)LocalAlloc(LPTR,AbsoluteSizeNeeded);
  288. if (pAbsSecDesc == NULL) {
  289. Status = STATUS_NO_MEMORY;
  290. break;
  291. }
  293. RtlCopyMemory(pAbsSecDesc,pSecDesc,SizeNeeded);
  294. Status = RtlSelfRelativeToAbsoluteSD2(pAbsSecDesc,
  295. &AbsoluteSizeNeeded );
  296. if (NT_SUCCESS(Status)) {
  297. pSecDesc = (PISECURITY_DESCRIPTOR)pAbsSecDesc;
  298. }
  299. }
  300. }
  302. if (!NT_SUCCESS(Status))
  303. {
  304. break;
  305. }
  307. // Construct the new Dacl. This consists of Aces for World, Owner and Group
  308. // followed by Old Aces for everybody else, but with Aces for World, OldOwner
  309. // and OldGroup stripped out. First determine space for the new Dacl and
  310. // allocated space for the new Dacl. Lets be exteremely conservative. We
  311. // have two aces each for owner/group/world.
  313. SizeNewDacl +=
  314. (RtlLengthSid(pSecDesc->Owner) + sizeof(ACCESS_ALLOWED_ACE) +
  315. RtlLengthSid(pSecDesc->Group) + sizeof(ACCESS_ALLOWED_ACE) +
  316. RtlLengthSid(&AfpSidSystem) + sizeof(ACCESS_ALLOWED_ACE) +
  317. RtlLengthSid(&AfpSidWorld) + sizeof(ACCESS_ALLOWED_ACE)) * 3;
  319. if ((pDaclNew = (PACL)LocalAlloc(LPTR,SizeNewDacl)) == NULL)
  320. {
  322. Status = STATUS_NO_MEMORY;
  323. hr = E_OUTOFMEMORY;
  324. break;
  325. }
  327. Status = RtlCreateAcl(pDaclNew, SizeNewDacl, ACL_REVISION);
  328. if (!NT_SUCCESS(Status))
  329. {
  330. hr = E_FAIL;
  331. break;
  332. }
  334. pAce = (PACCESS_ALLOWED_ACE)((PBYTE)pDaclNew + sizeof(ACL));
  336. // At this time the Acl list is empty, i.e. no access for anybody
  337. // Start off by copying the the Explicit/Non-inherited Deny Aces
  338. // from the original Dacl list weeding out the Aces
  339. // for World, old and new owner, new and old
  340. // group, creator owner and creator group
  341. if (pSecDesc->Dacl != NULL)
  342. {
  343. pAce = afpMoveAces(pSecDesc->Dacl, pAce, pSecDesc->Owner,
  344. pSecDesc->Owner, pSecDesc->Group, pSecDesc->Group,
  345. TRUE, FALSE, pDaclNew);
  347. }
  349. // Now add Aces for System, World, Group & Owner - in that order
  350. pAce = afpAddAceToAcl(pDaclNew,
  351. pAce,
  352. AFP_READ_ACCESS,
  353. &AfpSidSystem,
  354. &AfpSidSystem);
  356. pAce = afpAddAceToAcl(pDaclNew,
  357. pAce,
  358. AFP_READ_ACCESS,
  359. &AfpSidWorld,
  360. NULL);
  362. pAce = afpAddAceToAcl(pDaclNew,
  363. pAce,
  364. AFP_READ_ACCESS ,
  365. pSecDesc->Group,
  366. &AfpSidCrtrGroup);
  368. pAce = afpAddAceToAcl(pDaclNew,
  369. pAce,
  370. AFP_READ_ACCESS | AFP_WRITE_ACCESS,
  371. pSecDesc->Owner,
  372. &AfpSidCrtrOwner);
  375. // Now add in the Explicit/Non-inherited Grant Aces from the
  376. // original Dacl list weeding out
  377. // the Aces for World, old and new owner, new and old group, creator
  378. // owner and creator group
  379. if (pSecDesc->Dacl != NULL)
  380. {
  381. pAce = afpMoveAces(pSecDesc->Dacl, pAce, pSecDesc->Owner,
  382. pSecDesc->Owner, pSecDesc->Group, pSecDesc->Group,
  383. FALSE, FALSE, pDaclNew);
  385. }
  387. // Now add in the Non-explicit/Inherited Deny Aces from
  388. // the original Dacl list
  389. // weeding out the Aces for World, old and new owner, new and old
  390. // group, creator owner and creator group
  391. if (pSecDesc->Dacl != NULL)
  392. {
  393. pAce = afpMoveAces(pSecDesc->Dacl, pAce, pSecDesc->Owner,
  394. pSecDesc->Owner, pSecDesc->Group, pSecDesc->Group,
  395. TRUE, TRUE, pDaclNew);
  397. }
  399. // Now add in the Non-explicit/Inherited Deny Aces from
  400. // the original Dacl list
  401. // weeding out the Aces for World, old and new owner, new and old
  402. // group, creator owner and creator group
  403. if (pSecDesc->Dacl != NULL)
  404. {
  405. pAce = afpMoveAces(pSecDesc->Dacl, pAce, pSecDesc->Owner,
  406. pSecDesc->Owner, pSecDesc->Group, pSecDesc->Group,
  407. FALSE, TRUE, pDaclNew);
  409. }
  411. // Now set the new security descriptor
  412. pSecDesc->Dacl = pDaclNew;
  414. Status = NtSetSecurityObject(DirHandle, SecInfo, pSecDesc);
  417. } while (FALSE);
  419. // Free the allocated buffers before we return
  420. if (pBuffer != NULL)
  421. LocalFree(pBuffer);
  422. if (pDaclNew != NULL)
  423. LocalFree(pDaclNew);
  424. if (pAbsSecDesc != NULL)
  425. LocalFree(pAbsSecDesc);
  427. if (!NT_SUCCESS(Status))
  428. {
  429. hr = E_FAIL;
  430. }
  432. err:
  433. TraceError("HrSfmSetUamSecurity", hr);
  434. return hr;
  435. }