|
|
// --------------------------------------------------------------------------
// Module Name: Access.cpp
//
// Copyright (c) 1999, Microsoft Corporation
//
// This file contains a few classes that assist with ACL manipulation on
// objects to which a handle has already been opened. This handle must have
// (obvisouly) have WRITE_DAC access.
//
// History: 1999-10-05 vtan created
// 2000-02-01 vtan moved from Neptune to Whistler
// --------------------------------------------------------------------------
#include "StandardHeader.h"
#include "Access.h"
#include "StatusCode.h"
// --------------------------------------------------------------------------
// CSecurityDescriptor::CSecurityDescriptor
//
// Arguments: iCount = Count of ACCESS_CONTROLS passed in.
// pAccessControl = Pointer to ACCESS_CONTROLS.
//
// Returns: <none>
//
// Purpose: Allocates and assigns the PSECURITY_DESCRIPTOR that
// corresponds to the description given by the parameters. The
// caller must release the memory allocated via LocalFree.
//
// History: 2000-10-05 vtan created
// --------------------------------------------------------------------------
PSECURITY_DESCRIPTOR CSecurityDescriptor::Create (int iCount, const ACCESS_CONTROL *pAccessControl)
{ PSECURITY_DESCRIPTOR pSecurityDescriptor; PSID *pSIDs;
pSecurityDescriptor = NULL;
// Allocate an array of PSIDs required to hold all the SIDs to add.
pSIDs = reinterpret_cast<PSID*>(LocalAlloc(LPTR, iCount * sizeof(PSID))); if (pSIDs != NULL) { bool fSuccessfulAllocate; int i; const ACCESS_CONTROL *pAC;
for (fSuccessfulAllocate = true, pAC = pAccessControl, i = 0; fSuccessfulAllocate && (i < iCount); ++pAC, ++i) { fSuccessfulAllocate = (AllocateAndInitializeSid(pAC->pSIDAuthority, static_cast<BYTE>(pAC->iSubAuthorityCount), pAC->dwSubAuthority0, pAC->dwSubAuthority1, pAC->dwSubAuthority2, pAC->dwSubAuthority3, pAC->dwSubAuthority4, pAC->dwSubAuthority5, pAC->dwSubAuthority6, pAC->dwSubAuthority7, &pSIDs[i]) != FALSE); } if (fSuccessfulAllocate) { DWORD dwACLSize; unsigned char *pBuffer;
// Calculate the size of the ACL required by totalling the ACL header
// struct and the 2 ACCESS_ALLOWED_ACE structs with the SID sizes.
// Add the SECURITY_DESCRIPTOR struct size as well.
dwACLSize = sizeof(ACL) + ((sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)) * 3); for (i = 0; i < iCount; ++i) { dwACLSize += GetLengthSid(pSIDs[i]); }
// Allocate the buffer for everything and portion off the buffer to
// the right place.
pBuffer = static_cast<unsigned char*>(LocalAlloc(LMEM_FIXED, sizeof(SECURITY_DESCRIPTOR) + dwACLSize)); if (pBuffer != NULL) { PSECURITY_DESCRIPTOR pSD; PACL pACL;
pSD = reinterpret_cast<PSECURITY_DESCRIPTOR>(pBuffer); pACL = reinterpret_cast<PACL>(pBuffer + sizeof(SECURITY_DESCRIPTOR));
// Initialize the ACL. Fill in the ACL.
// Initialize the SECURITY_DESCRIPTOR. Set the security descriptor.
if ((InitializeAcl(pACL, dwACLSize, ACL_REVISION) != FALSE) && AddAces(pACL, pSIDs, iCount, pAccessControl) && (InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION) != FALSE) && (SetSecurityDescriptorDacl(pSD, TRUE, pACL, FALSE) != FALSE)) { pSecurityDescriptor = pSD; } else { (HLOCAL)LocalFree(pBuffer); } } } for (i = iCount - 1; i >= 0; --i) { if (pSIDs[i] != NULL) { (void*)FreeSid(pSIDs[i]); } } (HLOCAL)LocalFree(pSIDs); } return(pSecurityDescriptor);}
// --------------------------------------------------------------------------
// CSecurityDescriptor::AddAces
//
// Arguments: pACL = PACL to add ACEs to.
// pSIDs = Pointer to SIDs.
// iCount = Count of ACCESS_CONTROLS passed in.
// pAccessControl = Pointer to ACCESS_CONTROLS.
//
// Returns: bool
//
// Purpose: Adds access allowed ACEs to the given ACL.
//
// History: 2000-10-05 vtan created
// --------------------------------------------------------------------------
bool CSecurityDescriptor::AddAces (PACL pACL, PSID *pSIDs, int iCount, const ACCESS_CONTROL *pAC)
{ bool fResult; int i;
for (fResult = true, i = 0; fResult && (i < iCount); ++pSIDs, ++pAC, ++i) { fResult = (AddAccessAllowedAce(pACL, ACL_REVISION, pAC->dwAccessMask, *pSIDs) != FALSE); } return(fResult);}
// --------------------------------------------------------------------------
// CAccessControlList::CAccessControlList
//
// Arguments: <none>
//
// Returns: <none>
//
// Purpose: Initializes the CAccessControlList object.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
CAccessControlList::CAccessControlList (void) : _pACL(NULL)
{}
// --------------------------------------------------------------------------
// CAccessControlList::~CAccessControlList
//
// Arguments: <none>
//
// Returns: <none>
//
// Purpose: Releases resources used by the CAccessControlList object.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
CAccessControlList::~CAccessControlList (void)
{ ReleaseMemory(_pACL);}
// --------------------------------------------------------------------------
// CAccessControlList::operator PACL
//
// Arguments: <none>
//
// Returns: PACL
//
// Purpose: If the ACL has been constructed returns that value. If not
// then the ACL is constructed from the ACEs and then returned.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
CAccessControlList::operator PACL (void)
{ PACL pACL;
if (_pACL == NULL) { int i; DWORD dwACLSize, dwSizeOfAllACEs;
pACL = NULL; dwSizeOfAllACEs = 0;
// Walk thru all the ACEs to calculate the total size
// required for the ACL.
for (i = _ACEArray.GetCount() - 1; i >= 0; --i) { ACCESS_ALLOWED_ACE *pACE;
pACE = static_cast<ACCESS_ALLOWED_ACE*>(_ACEArray.Get(i)); dwSizeOfAllACEs += pACE->Header.AceSize; } dwACLSize = sizeof(ACL) + dwSizeOfAllACEs; _pACL = pACL = static_cast<ACL*>(LocalAlloc(LMEM_FIXED, dwACLSize)); if (pACL != NULL) { TBOOL(InitializeAcl(pACL, dwACLSize, ACL_REVISION));
// Construct the ACL in reverse order of the ACEs. This
// allows CAccessControlList::Add to actually insert the
// granted access at the head of the list which is usually
// the desired result. The order of the ACEs is important!
for (i = _ACEArray.GetCount() - 1; i >= 0; --i) { ACCESS_ALLOWED_ACE *pACE;
pACE = static_cast<ACCESS_ALLOWED_ACE*>(_ACEArray.Get(i)); TBOOL(AddAccessAllowedAceEx(pACL, ACL_REVISION, pACE->Header.AceFlags, pACE->Mask, reinterpret_cast<PSID>(&pACE->SidStart))); } } } else { pACL = _pACL; } return(pACL);}
// --------------------------------------------------------------------------
// CAccessControlList::Add
//
// Arguments: pSID = SID to grant access to.
// dwMask = Level of access to grant.
// ucInheritence = Type of inheritence for this access.
//
// Returns: NTSTATUS
//
// Purpose: Adds the given SID, access and inheritence type as an ACE to
// the list of ACEs to build into an ACL. The ACE array is
// allocated in blocks of 16 pointers to reduce repeated calls
// to allocate memory if many ACEs are added.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
NTSTATUS CAccessControlList::Add (PSID pSID, ACCESS_MASK dwMask, UCHAR ucInheritence)
{ NTSTATUS status; DWORD dwSIDLength, dwACESize; ACCESS_ALLOWED_ACE *pACE;
dwSIDLength = GetLengthSid(pSID); dwACESize = sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + dwSIDLength; pACE = static_cast<ACCESS_ALLOWED_ACE*>(LocalAlloc(LMEM_FIXED, dwACESize)); if (pACE != NULL) { pACE->Header.AceType = ACCESS_ALLOWED_ACE_TYPE; pACE->Header.AceFlags = ucInheritence; pACE->Header.AceSize = static_cast<USHORT>(dwACESize); pACE->Mask = dwMask; CopyMemory(&pACE->SidStart, pSID, dwSIDLength); status = _ACEArray.Add(pACE); if (STATUS_NO_MEMORY == status) { (HLOCAL)LocalFree(pACE); } } else { status = STATUS_NO_MEMORY; } return(status);}
// --------------------------------------------------------------------------
// CAccessControlList::Remove
//
// Arguments: pSID = SID to revoke access from.
//
// Returns: NTSTATUS
//
// Purpose: Removes all references to the given SID from the ACE list.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
NTSTATUS CAccessControlList::Remove (PSID pSID)
{ NTSTATUS status;
// Set up for an iteration of the array.
_searchSID = pSID; _iFoundIndex = -1; status = _ACEArray.Iterate(this); while (NT_SUCCESS(status) && (_iFoundIndex >= 0)) {
// When the SIDs are found to match remove this entry.
// ALL matching SID entries are removed!
status = _ACEArray.Remove(_iFoundIndex); if (NT_SUCCESS(status)) { _iFoundIndex = -1; status = _ACEArray.Iterate(this); } } return(status);}
// --------------------------------------------------------------------------
// CAccessControlList::Callback
//
// Arguments: pvData = Pointer to the array index data.
// iElementIndex = Index into the array.
//
// Returns: NTSTATUS
//
// Purpose: Callback from the CDynamicArray::Iterate function. This
// method can be used to process the array contents by index or
// by content when iterating thru the array. Return an error
// status to stop the iteration and have that value returned to
// the caller of CDynamicArray::Iterate.
//
// Converts the pointer into a pointer to an ACCESS_ALLOWED_ACE.
// The compares the SID in that ACE to the desired search SID.
// Saves the index if found.
//
// History: 1999-11-15 vtan created
// --------------------------------------------------------------------------
NTSTATUS CAccessControlList::Callback (const void *pvData, int iElementIndex)
{ const ACCESS_ALLOWED_ACE *pACE;
pACE = *reinterpret_cast<const ACCESS_ALLOWED_ACE* const*>(pvData); if (EqualSid(reinterpret_cast<PSID>(const_cast<unsigned long*>((&pACE->SidStart))), _searchSID) != FALSE) { _iFoundIndex = iElementIndex; } return(STATUS_SUCCESS);}
// --------------------------------------------------------------------------
// CSecuredObject::CSecuredObject
//
// Arguments: hObject = Optional HANDLE to the object to secure.
// seObjectType = Type of object specified in handle.
//
// Returns: <none>
//
// Purpose: Sets the optionally given HANDLE into the member variables.
// The HANDLE is duplicated so the caller must release their
// HANDLE.
//
// In order for this class to work the handle you pass it MUST
// have DUPLICATE access as well as READ_CONTROL and WRITE_DAC.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
CSecuredObject::CSecuredObject (HANDLE hObject, SE_OBJECT_TYPE seObjectType) : _hObject(hObject), _seObjectType(seObjectType)
{}
// --------------------------------------------------------------------------
// CSecuredObject::~CSecuredObject
//
// Arguments: <none>
//
// Returns: <none>
//
// Purpose: Release our HANDLE reference.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
CSecuredObject::~CSecuredObject (void)
{}
// --------------------------------------------------------------------------
// CSecuredObject::Allow
//
// Arguments: pSID = SID to grant access to.
// dwMask = Level of access to grant.
// ucInheritence = Type of inheritence for this access.
//
// Returns: NTSTATUS
//
// Purpose: Get the DACL for the object. Add the desired access. Set the
// DACL for the object.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
NTSTATUS CSecuredObject::Allow (PSID pSID, ACCESS_MASK dwMask, UCHAR ucInheritence) const
{ NTSTATUS status; CAccessControlList accessControlList;
status = GetDACL(accessControlList); if (NT_SUCCESS(status)) { status = accessControlList.Add(pSID, dwMask, ucInheritence); if (NT_SUCCESS(status)) { status = SetDACL(accessControlList); } } return(status);}
// --------------------------------------------------------------------------
// CSecuredObject::Remove
//
// Arguments: pSID = SID to revoke access from.
//
// Returns: NTSTATUS
//
// Purpose: Get the DACL for the object. Remove the desired access. Set
// the DACL for the object.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
NTSTATUS CSecuredObject::Remove (PSID pSID) const
{ NTSTATUS status; CAccessControlList accessControlList;
status = GetDACL(accessControlList); if (NT_SUCCESS(status)) { status = accessControlList.Remove(pSID); if (NT_SUCCESS(status)) { status = SetDACL(accessControlList); } } return(status);}
// --------------------------------------------------------------------------
// CSecuredObject::GetDACL
//
// Arguments: accessControlList = CAccessControlList that gets the
// decomposed DACL into ACEs.
//
// Returns: NTSTATUS
//
// Purpose: Gets the object's DACL and walk the individual ACEs and add
// this access to the CAccessControlList object given. The access
// is walked backward to allow CAccessControlList::Add to add to
// end of the list but actually add to the head of the list.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
NTSTATUS CSecuredObject::GetDACL (CAccessControlList& accessControlList) const
{ NTSTATUS status; DWORD dwResult; PACL pDACL; PSECURITY_DESCRIPTOR pSD;
status = STATUS_SUCCESS; pSD = NULL; pDACL = NULL; dwResult = GetSecurityInfo(_hObject, _seObjectType, DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, &pSD); if ((ERROR_SUCCESS == dwResult) && (pDACL != NULL)) { int i; ACCESS_ALLOWED_ACE *pAce;
for (i = pDACL->AceCount - 1; NT_SUCCESS(status) && (i >= 0); --i) { if (GetAce(pDACL, i, reinterpret_cast<void**>(&pAce)) != FALSE) { ASSERTMSG(pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE, "Expect only access allowed ACEs in CSecuredObject::MakeIndividualACEs"); status = accessControlList.Add(reinterpret_cast<PSID>(&pAce->SidStart), pAce->Mask, pAce->Header.AceFlags); } } } ReleaseMemory(pSD); return(status);}
// --------------------------------------------------------------------------
// CSecuredObject::SetDACL
//
// Arguments: accessControlList = CAccessControlList that contains all
// ACEs to build into an ACL.
//
// Returns: NTSTATUS
//
// Purpose: Builds the ACL for the given ACE list and sets the DACL into
// the object handle.
//
// History: 1999-10-05 vtan created
// --------------------------------------------------------------------------
NTSTATUS CSecuredObject::SetDACL (CAccessControlList& accessControlList) const
{ NTSTATUS status; DWORD dwResult;
dwResult = SetSecurityInfo(_hObject, _seObjectType, DACL_SECURITY_INFORMATION, NULL, NULL, accessControlList, NULL); if (ERROR_SUCCESS == dwResult) { status = STATUS_SUCCESS; } else { status = CStatusCode::StatusCodeOfErrorCode(dwResult); } return(status);}
|
