Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

177 lines
4.9 KiB

  1. //____________________________________________________________________________
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1997 - 1999
  5. //
  6. // File: policy.cpp
  7. //
  8. // Contents: Helper class to determine policy for each snapin
  9. //
  10. // Classes: CPolicy
  11. //
  12. // Functions:
  13. //
  14. // History: 12/04/1998 AnandhaG Created
  15. //____________________________________________________________________________
  16. #include "stdafx.h"
  17. #include "policy.h"
  18. /*+-------------------------------------------------------------------------*
  19. *
  20. * CPolicy::ScInit
  21. *
  22. * PURPOSE: Initializes the policy object from registry.
  23. *
  24. * PARAMETERS:
  25. * None.
  26. *
  27. * RETURNS:
  28. * SC - Right now always returns success.
  29. *
  30. *+-------------------------------------------------------------------------*/
  31. SC CPolicy::ScInit()
  32. {
  33. DECLARE_SC (sc, _T("CPolicy::ScInit"));
  34. // Default NT4 configuration. Always allow author mode
  35. // and allow snapins not in permitted list.
  36. m_bRestrictAuthorMode = FALSE;
  37. m_bRestrictedToPermittedList = FALSE;
  38. // Check if the policy key exists. If not return success immediately.
  39. sc = m_rPolicyRootKey.ScOpen (HKEY_CURRENT_USER, POLICY_KEY, KEY_READ);
  40. if (sc)
  41. {
  42. if (sc = ScFromWin32 (ERROR_FILE_NOT_FOUND))
  43. {
  44. TRACE(_T("CPolicy::Policy does not exist\n"));
  45. sc.Clear();
  46. }
  47. return (sc);
  48. }
  49. bool bRestrictAuthorMode = false;
  50. bool bRestrictedToPermittedList = false;
  51. // Read the values of RestrictAuthorMode and whether
  52. // snapins not in the list are permitted or not.
  53. if (m_rPolicyRootKey.IsValuePresent(g_szRestrictAuthorMode))
  54. {
  55. DWORD dwValue;
  56. DWORD dwSize = sizeof(dwValue);
  57. DWORD dwType = REG_DWORD;
  58. sc = m_rPolicyRootKey.ScQueryValue (g_szRestrictAuthorMode, &dwType,
  59. &dwValue, &dwSize);
  60. if (sc)
  61. sc.Clear();
  62. else
  63. bRestrictAuthorMode = !!dwValue;
  64. }
  65. if (m_rPolicyRootKey.IsValuePresent(g_szRestrictToPermittedList))
  66. {
  67. DWORD dwValue = 0;
  68. DWORD dwSize = sizeof(dwValue);
  69. DWORD dwType = REG_DWORD;
  70. sc = m_rPolicyRootKey.ScQueryValue (g_szRestrictToPermittedList, &dwType,
  71. &dwValue, &dwSize);
  72. if (sc)
  73. sc.Clear();
  74. else
  75. bRestrictedToPermittedList = !!dwValue;
  76. }
  77. m_bRestrictAuthorMode = bRestrictAuthorMode;
  78. m_bRestrictedToPermittedList = bRestrictedToPermittedList;
  79. return sc;
  80. }
  81. /*+-------------------------------------------------------------------------*
  82. * CPolicy::IsPermittedSnapIn
  83. *
  84. * Determines if a snap-in is permitted according to this policy. The
  85. * real work happens in
  86. *
  87. * IsPermittedSnapIn (LPCWSTR);
  88. *--------------------------------------------------------------------------*/
  89. bool CPolicy::IsPermittedSnapIn(REFCLSID refSnapInCLSID)
  90. {
  91. CCoTaskMemPtr<WCHAR> spwzSnapinClsid;
  92. /*
  93. * Get the string representation of the CLSID. If that fails,
  94. * permit the snap-in.
  95. */
  96. if (FAILED (StringFromCLSID (refSnapInCLSID, &spwzSnapinClsid)))
  97. return TRUE;
  98. /*
  99. * forward to the real worker
  100. */
  101. return (IsPermittedSnapIn (spwzSnapinClsid));
  102. }
  103. /*+-------------------------------------------------------------------------*
  104. * CPolicy::IsPermittedSnapIn
  105. *
  106. * Determines if a snap-in is permitted according to this policy.
  107. *--------------------------------------------------------------------------*/
  108. bool CPolicy::IsPermittedSnapIn(LPCWSTR lpszCLSID)
  109. {
  110. /*
  111. * No CLSID? Allow it.
  112. */
  113. if (lpszCLSID == NULL)
  114. return (TRUE);
  115. /*
  116. * No policy key? Allow everything.
  117. */
  118. if (m_rPolicyRootKey == NULL)
  119. return (true);
  120. // See if this snapin policy is defined or not.
  121. bool bRestricted = FALSE;
  122. bool bSnapinFound = FALSE;
  123. USES_CONVERSION;
  124. CRegKeyEx regKeyTemp;
  125. bSnapinFound = !regKeyTemp.ScOpen (m_rPolicyRootKey, W2CT(lpszCLSID), KEY_READ).IsError();
  126. if (bSnapinFound && regKeyTemp.IsValuePresent(g_szRestrictRun))
  127. {
  128. // Read the value of Restrict_Run.
  129. DWORD dwValue = 0;
  130. DWORD dwSize = sizeof(DWORD);
  131. DWORD dwType = REG_DWORD;
  132. regKeyTemp.ScQueryValue (g_szRestrictRun, &dwType, &dwValue, &dwSize);
  133. bRestricted = !!dwValue;
  134. }
  135. // At this point we know policies root key exists. So if the
  136. // snapin key is not found, then we have to see if the administrator
  137. // allows snapins not in the permitted list (therefore snapin key
  138. // does not exist).
  139. if (! bSnapinFound)
  140. {
  141. if(m_bRestrictedToPermittedList)
  142. return false; // because if the snap-in is not on the list, and
  143. // restrictions are set, disallow by default
  144. else
  145. return true; // NT4 behavior - no restrictions set, and per-snap-in
  146. // entry not found, so allow by default.
  147. }
  148. // At this point snapin's Restrict_Run key was read so use it.
  149. return (!bRestricted);
  150. }