|
|
/*Copyright (c) 1995-1998, Mission Critical Software, Inc. All rights reserved.
===============================================================================Module - SecureObject.cppSystem - Domain Consolidation Toolkit.Author - Christy BolesCreated - 97/06/27Description - Classes for objects that have security descriptors. TSecurableObject has a derived class for each type of object we will process security descriptors for. This class handles reading and writing the security descriptor. It contains a TSD object, which will handle manipulation of the SD while it is in memory.
The TSecurableObject class also contains functions to translate a security descriptor, given an account mapping cache. These routines are only included in the class if the preprocessor directive SDRESOLVE is #defined. This allows the TSecurableObject class to be used for generic security descriptor manipulation, where the rest of the ACL translation code is not needed.
Updates -===============================================================================*/
#ifdef USE_STDAFX
# include "stdafx.h"
#else
# include <windows.h>
# include <process.h>
#endif
#include <stdio.h>
#include <iostream.h>
#include <assert.h>
#include "common.hpp"
#include "ErrDct.hpp"
#include "Ustring.hpp"
#include "sd.hpp"
#include "SecObj.hpp"
#ifdef SDRESOLVE
#include "sidcache.hpp"
#include "enumvols.hpp"
#include "txtsid.h"
#endif
#define PRINT_BUFFER_SIZE 2000
extern TErrorDct err;
TSecurableObject::~TSecurableObject(){#ifdef SDRESOLVE
TStatNode *node; for ( node = (TStatNode *)changelog.Head() ; node ; node = (TStatNode * )changelog.Head() ) { changelog.Remove((TNode *)node); delete node; }#endif
if ( handle != INVALID_HANDLE_VALUE ) { CloseHandle(handle); handle = INVALID_HANDLE_VALUE; }
if ( m_sd ) { delete m_sd; }}
#ifdef SDRESOLVE
PACL // ret -pointer to Resolved ACL
TSecurableObject::ResolveACL( PACL oldacl, // in -acl to resolve
TAccountCache * cache, // in -cache to lookup sids
TSDResolveStats * stat, // in -stats object
bool * changes, // i/o-flag whether this SD has been modified
BOOL verbose, // in -flag whether to display lots of junk
int opType, // in - ADD_SECURITY, REPLACE_SECURITY, or REMOVE_SECURITY
objectType objType, // in - the type of the object
BOOL bUseMapFile // in - flag - whether we are using a sID mapping file
){ int nAces,curr; TRidNode * tnode; PSID ps; bool aclchanges = false; PACL acl = oldacl; void * pAce; DWORD dwResult;
nAces = m_sd->ACLGetNumAces(acl); for ( curr = 0 ; curr < nAces; ) { pAce = m_sd->ACLGetAce(acl,curr); if ( pAce ) { TACE ace(pAce); // in this case, the ace object does not take ownership of pAce
ps = ace.GetSid(); if (!bUseMapFile) tnode =(TRidNode *)cache->Lookup(ps); else tnode =(TRidNode *)((TSDRidCache*)cache)->LookupWODomain(ps); if ( ace.GetType() == SYSTEM_AUDIT_ACE_TYPE ) { if ( stat ) stat->IncrementSACEExamined(); } else { if ( stat) stat->IncrementDACEExamined(); }
if ( tnode == NULL ) { if ( ace.GetType() == SYSTEM_AUDIT_ACE_TYPE ) { if ( stat ) stat->IncrementSACENotSelected(this); } else { if ( stat) stat->IncrementDACENotSelected(this); } }
// if ( (int)tnode == -1 ) // from Totally unknown
if ( tnode == (TRidNode*)-1 ) // from Totally unknown
{ if ( ace.GetType() == SYSTEM_AUDIT_ACE_TYPE ) { if ( stat ) stat->IncrementSACEUnknown(this); } else { if ( stat) stat->IncrementDACEUnknown(this); } tnode = NULL; } if ( tnode && (tnode->IsValidOnTgt() || opType == REMOVE_SECURITY) ) { if ( verbose ) DisplaySid(ps,cache); if (!bUseMapFile) ps = cache->GetTgtSid(tnode); else ps = ((TSDRidCache*)cache)->GetTgtSidWODomain(tnode); bool bChanged = false; // we need to get ACE type here because it is possible that the following two logics make
// ace point to a freed block memory:
// 1. the later ACLAddAce creates a new ACL to fit in the added ACE (ADD_SECURITY case)
// 2. and after the ACLAddAce, there is the following code to free tempAcl which actually
// points to the acl where ace lives in
// if ( acl != tempAcl )
// {
// // we had to reallocate when we added the ace
// if ( tempAcl != oldacl )
// {
// // we had already reallocated once before -- free the intermediate acl
// free(tempAcl);
// }
// }
// then ace.GetType() will AV.
BYTE aceType = ace.GetType(); switch ( opType ) { case REPLACE_SECURITY: if (ps) { aclchanges = true; bChanged = true; dwResult = ace.SetSid(ps); if(dwResult == SET_SID_FAILED) { // we should not go on anymore since something really goes wrong, like out of memory
free(ps); return NULL; } else if(dwResult == SET_SID_NOTLARGEENOUGH) { // it means that the new ace is larger than the ace we have
TACE* pTempAce = new TACE(ace.GetType(), ace.GetFlags(), ace.GetMask(), ps); if(!pTempAce) { free(ps); return NULL; } // remove the old ace
m_sd->ACLDeleteAce(acl, curr); // add the new ace
m_sd->ACLAddAce(&acl, pTempAce, curr); // release the memory
delete pTempAce; } curr++; } break; case ADD_SECURITY: { if (ps) { TACE otherAce(ace.GetType(),ace.GetFlags(),ace.GetMask(),ps); PACL tempAcl = acl;
// check to make sure we're not adding duplicates
// check the next ace, to see if it matches the one we're about to add
// unfortunately, we have to go through all ACE's
BOOL bOkToAdd = TRUE; for (int index = 0; index < nAces; index++) { TACE oldAce(m_sd->ACLGetAce(acl, index)); // check ACE type, flag, mask and sid parts
// note: ignore the ace size part because it is not determining factor
if (EqualSid(otherAce.GetSid(), oldAce.GetSid()) && otherAce.GetType() == oldAce.GetType() && otherAce.GetFlags() == oldAce.GetFlags() && otherAce.GetMask() == oldAce.GetMask()) { bOkToAdd = FALSE; break; } }
if ( bOkToAdd ) { m_sd->ACLAddAce(&acl,&otherAce,curr); if (acl) { aclchanges = true; bChanged = true; curr += 2; nAces++; } else { // right now, if unable to add this particular ace, we simply skip this one
acl = tempAcl; // we need to restore acl otherwise it will AV
curr++; } } else { curr++; } if ( acl != tempAcl ) { // we had to reallocate when we added the ace
if ( tempAcl != oldacl ) { // we had already reallocated once before -- free the intermediate acl
free(tempAcl); } } } } break; case REMOVE_SECURITY: bChanged = true; aclchanges = true; m_sd->ACLDeleteAce(acl,curr); nAces--; break; }
if (bChanged) { if ( aceType == SYSTEM_AUDIT_ACE_TYPE ) { if ( stat ) stat->IncrementSACEChange(tnode,objType,this); } else { if ( stat) stat->IncrementDACEChange(tnode,objType,this); } }
if (ps) free(ps); } else { if ( ace.GetType() == SYSTEM_AUDIT_ACE_TYPE ) { if ( stat ) stat->IncrementSACENoTarget(this); } else { if ( stat) stat->IncrementDACENoTarget(this); } curr++; } } else { break; } } if ( ! aclchanges ) { acl = NULL; } if ( aclchanges ) { (*changes) = true; } return acl;}
bool TSecurableObject::ResolveSD( SecurityTranslatorArgs * args, // in -translation settings
TSDResolveStats * stat, // in -stats object to increment counters
objectType objType, // in -is this file, dir or share
TSecurableObject * Last // in -Last SD for cache comparison
){ bool changes; bool iWillBeNewLast; if ( ! m_sd->m_absSD ) // Couldn't get SD for this object (or it doesn't have one).
{ return false; } MCSASSERT( m_sd && m_sd->IsValid() );
if ( stat ) stat->IncrementExamined(objType);
if ( args->LogVerbose() ) err.MsgWrite(0,DCT_MSG_EXAMINED_S,pathname); if ( ! Last || m_sd != Last->m_sd ) { changes = ResolveSDInternal(args->Cache(),stat,args->LogVerbose(),args->TranslationMode(),objType,args->UsingMapFile()); if ( changes ) { if ( stat ) { stat->IncrementChanged(objType); } if ( args->LogFileDetails() ) err.MsgWrite(0,DCT_MSG_CHANGED_S,pathname); if ( args->LogMassive() ) { err.DbgMsgWrite(0,L"BEFORE:************Security Descriptor for %ls*************",pathname); PermsPrint(pathname,objType); } if ( ! args->NoChange() ) { if ( args->LogMassive() ) { err.DbgMsgWrite(0,L"IN MEMORY:*********************************************",pathname); PrintSD(m_sd->m_absSD,pathname); } WriteSD(); } if ( args->LogMassive() ) { err.DbgMsgWrite(0,L"AFTER:************Security Descriptor for %ls*************",pathname); PermsPrint(pathname,objType); } } else { if ( args->LogMassive() ) { err.DbgMsgWrite(0,L"UNCHANGED:************Security Descriptor for %ls*************",pathname); PermsPrint(pathname,objType); } } iWillBeNewLast = true; } else { // cache hit
if ( stat ) stat->IncrementLastFileChanges(Last,objType); iWillBeNewLast = false; if ( Last->Changed() ) { Last->CopyAccessData(this); if ( args->LogFileDetails() ) err.MsgWrite(0,DCT_MSG_CHANGED_S,pathname); if ( args->LogMassive() ) { err.DbgMsgWrite(0,L"BEFORE:************Security Descriptor for %ls*************",pathname); PermsPrint(pathname,objType); } if ( ! args->NoChange() ) Last->WriteSD();
if ( args->LogFileDetails() ) err.MsgWrite(0,DCT_MSG_CHANGED_S,pathname);
if ( args->LogMassive() ) { err.DbgMsgWrite(0,L"AFTER:************Security Descriptor for %ls*************",pathname); PermsPrint(pathname,objType); } } else { if ( args->LogMassive() ) { err.DbgMsgWrite(0,L"UNCHANGED:************Security Descriptor for %ls*************",pathname); PermsPrint(pathname,objType); } } if ( stat ) stat->IncrementCacheHit(objType); } return iWillBeNewLast;}
bool // ret -true if changes made, otherwise false
TSecurableObject::ResolveSDInternal( TAccountCache * cache, // in -cache to lookup sids
TSDResolveStats * stat, // in -stats object
BOOL verbose, // in -flag - whether to display stuff
int opType, // in -operation type Add, Replace, or Remove
objectType objType, // in - type of object
BOOL bUseMapFile // in - flag - whether we are using a sID mapping file
){ /* Examine each part of the SD, looking for SIDs in the cache */ PSID ps; TRidNode * acct; bool bIsSDChanged = false; PACL pacl; PACL newacl; PSID newsid; MCSVERIFY(m_sd); // Process owner part of SD
ps = m_sd->GetOwner(); if ( ps ) { if (!bUseMapFile) acct = (TRidNode *)cache->Lookup(ps); // See if owner SID is in the cache
else acct = (TRidNode *)((TSDRidCache*)cache)->LookupWODomain(ps); // See if owner SID is in the cache
if ( stat) stat->IncrementOwnerExamined(); if (acct == NULL ) { if ( stat ) stat->IncrementOwnerNotSelected(); }// else if ((int)acct == -1 )
else if (acct == (TRidNode*)-1 ) { if (stat) stat->IncrementOwnerUnknown(); unkown = true; acct = NULL; } BOOL bChanged = FALSE; if ( acct && acct->IsValidOnTgt() ) { if ( verbose ) { err.DbgMsgWrite(0,L"Owner: "); DisplaySid(ps,cache); } if (!bUseMapFile) newsid = cache->GetTgtSid(acct); else newsid = ((TSDRidCache*)cache)->GetTgtSidWODomain(acct); if (newsid) { m_sd->SetOwner(newsid); bChanged = TRUE; owner_changed = TRUE; bIsSDChanged = true; } //free(newsid);
} else stat->IncrementOwnerNoTarget(); if (bChanged && acct && stat ) { stat->IncrementOwnerChange(acct,objType,this); } } // Process primary group part of SD
ps = m_sd->GetGroup(); if ( ps ) { if (!bUseMapFile) acct = (TRidNode *)cache->Lookup(ps); else acct = (TRidNode *)((TSDRidCache*)cache)->LookupWODomain(ps); if ( stat) stat->IncrementGroupExamined(); if (acct == NULL ) { if ( stat ) stat->IncrementGroupNotSelected(); }// else if ((int)acct == -1 )
else if (acct == (TRidNode*)-1 ) { if (stat) stat->IncrementGroupUnknown(); acct = NULL; unkgrp = true; } BOOL bChanged = FALSE; if ( acct && acct->IsValidOnTgt() ) { if ( verbose ) { err.DbgMsgWrite(0,L"Group: "); DisplaySid(ps,cache); } if (!bUseMapFile) newsid = cache->GetTgtSid(acct); else newsid = ((TSDRidCache*)cache)->GetTgtSidWODomain(acct); if (newsid) { group_changed = true; m_sd->SetGroup(newsid); bChanged = TRUE; bIsSDChanged = TRUE; } //free(newsid);
} else stat->IncrementGroupNoTarget(); if ( bChanged && acct && stat ) { stat->IncrementGroupChange(acct,objType,this); } } pacl = m_sd->GetDacl(); if ( pacl && m_sd->IsDaclPresent() ) { if ( stat ) stat->IncrementDACLExamined(); if ( verbose ) err.DbgMsgWrite(0,L"DACL"); if (!bUseMapFile) newacl = ResolveACL(pacl,cache,stat,&bIsSDChanged,verbose,opType,objType, FALSE); else newacl = ResolveACL(pacl,cache,stat,&bIsSDChanged,verbose,opType,objType, TRUE); if ( newacl ) { m_sd->SetDacl(newacl,m_sd->IsDaclPresent()); dacl_changed = true; if ( stat ) stat->IncrementDACLChanged(); } } pacl = NULL; pacl = m_sd->GetSacl();
if ( pacl && m_sd->IsSaclPresent() ) { if ( stat ) stat->IncrementSACLExamined(); if ( verbose ) err.DbgMsgWrite(0,L"SACL"); if (!bUseMapFile) newacl = ResolveACL(pacl,cache,stat,&bIsSDChanged,verbose,opType,objType, FALSE); else newacl = ResolveACL(pacl,cache,stat,&bIsSDChanged,verbose,opType,objType, TRUE); if ( newacl ) { m_sd->SetSacl(newacl,m_sd->IsSaclPresent()); sacl_changed = true; if ( stat ) stat->IncrementSACLChanged(); } } return bIsSDChanged;}#else
WCHAR * // ret -machine-name prefix of pathname if pathname is a UNC path, otherwise returns NULL
GetMachineName( const LPWSTR pathname // in -pathname from which to extract machine name
){ int i; WCHAR * machinename = NULL; if ( pathname && pathname[0] == L'\\' && pathname[1] == L'\\' ) { for ( i = 2 ; pathname[i] && pathname[i] != L'\\' ; i++ ) ; machinename = new WCHAR[i+2]; if (machinename) { UStrCpy(machinename,pathname,i+1); machinename[i] = 0; } } return machinename;}
#endif
void TSecurableObject::CopyAccessData( TSecurableObject * sourceFSD // in - sd from which to copy name & handle
){ pathname[0] = 0; safecopy(pathname,sourceFSD->GetPathName()); if ( handle != INVALID_HANDLE_VALUE ) { CloseHandle(handle); } handle = sourceFSD->handle; sourceFSD->ResetHandle();}
/************************************************TFileSD Implementation*************************/ TFileSD::TFileSD( const LPWSTR path, // in -pathname for this SD
bool bSystemFile // in -whether the file is a system file or not
) : m_bSystemFile(bSystemFile){ daceNS = 0; saceNS = 0; daceEx = 0; saceEx = 0; daceU = 0; saceU = 0; daceNT = 0; saceNT = 0; unkown = false; unkgrp = false;
if ( path ) { safecopy(pathname,path); } else { path[0] = 0; } handle = INVALID_HANDLE_VALUE; ReadSD(path);}
TFileSD::~TFileSD(){ if ( handle != INVALID_HANDLE_VALUE ) { CloseHandle(handle); handle = INVALID_HANDLE_VALUE; } pathname[0]=0;}
// writes the Absolute SD to the file "pathname"
bool // ret -true iff successful
TFileSD::WriteSD(){// DWORD rc = 0;
bool error = false; SECURITY_DESCRIPTOR * sd = NULL; MCSVERIFY( m_sd && m_sd->IsValid() ); if ( handle == INVALID_HANDLE_VALUE ) { err.MsgWrite(ErrS,DCT_MSG_FST_WRITESD_INVALID); error = true; } SECURITY_INFORMATION si; if ( ! error ) { si = 0; if ( m_sd->IsOwnerChanged() ) si |= OWNER_SECURITY_INFORMATION; if ( m_sd->IsGroupChanged() ) si |= GROUP_SECURITY_INFORMATION; if ( m_sd->IsDACLChanged() ) si |= DACL_SECURITY_INFORMATION; if ( m_sd->IsSACLChanged() ) si |= SACL_SECURITY_INFORMATION;
sd = m_sd->MakeAbsSD(); if (!sd) return false; if ( ! SetKernelObjectSecurity(handle, si, sd ) ) { err.SysMsgWrite(ErrE,GetLastError(),DCT_MSG_FILE_WRITESD_FAILED_SD,pathname,GetLastError()); error = true; } m_sd->FreeAbsSD(sd); } return ! error;}
bool // ret -pointer to SD, (or NULL if failure)
TFileSD::ReadSD( const LPWSTR path // in -file to get SD from
){ DWORD req; DWORD rc;// void * r = NULL;
SECURITY_DESCRIPTOR * sd = NULL; bool error = false; WCHAR * longpath= NULL;
if ( handle != INVALID_HANDLE_VALUE) { CloseHandle(handle); handle = INVALID_HANDLE_VALUE; } owner_changed = 0; group_changed = 0; dacl_changed = 0; sacl_changed = 0;
if ( UStrLen(path) >= MAX_PATH && path[2] != L'?' ) { longpath = new WCHAR[UStrLen(path) + 10]; if (!longpath) return true; UStrCpy(longpath,L"\\\\?\\"); UStrCpy(longpath + UStrLen(longpath),path); } else { longpath = path; } handle = CreateFileW(longpath, READ_CONTROL | ACCESS_SYSTEM_SECURITY | WRITE_OWNER |WRITE_DAC , FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN | FILE_FLAG_BACKUP_SEMANTICS, 0); if ( handle == INVALID_HANDLE_VALUE ) { rc = GetLastError(); if ( rc == ERROR_SHARING_VIOLATION ) { //
// Only generate warning message if not a system file.
//
if (!m_bSystemFile) { err.MsgWrite(ErrW, DCT_MSG_FST_FILE_IN_USE_S, path); } } else { err.SysMsgWrite(ErrE, rc, DCT_MSG_FST_FILE_OPEN_FAILED_SD,longpath,rc); } error = true; } else { sd = (SECURITY_DESCRIPTOR *)malloc(SD_DEFAULT_SIZE); if (!sd) { if ( longpath != path ) delete [] longpath; return true; } req = 0; if ( ! GetKernelObjectSecurity(handle, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION , sd, SD_DEFAULT_SIZE, &req) ) { if ( req <= SD_DEFAULT_SIZE ) { err.SysMsgWrite(ErrE, GetLastError(), DCT_MSG_FST_GET_FILE_SECURITY_FAILED_SD, longpath, GetLastError()); error = true; } else { free(sd); sd = (SECURITY_DESCRIPTOR *)malloc(req); if (!sd) { if ( longpath != path ) delete [] longpath; return true; } if ( ! GetKernelObjectSecurity(handle,OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION , sd, req, &req) ) { err.SysMsgWrite(ErrE, GetLastError(), DCT_MSG_FST_GET_FILE_SECURITY_FAILED_SD, longpath, GetLastError()); error = true; } } } } if ( error && sd ) // free the space allocated
{ free(sd); sd = NULL; } if ( sd ) { m_sd = new TSD(sd,McsFileSD,TRUE); if (!m_sd) error = true; } else { m_sd = NULL; } if (! error ) { safecopy(pathname,longpath); } if ( longpath != path ) delete [] longpath;
return error;}
//////////////////////////TShareSD implementation///////////////////////////////////////////////////////////
TShareSD::TShareSD( const LPWSTR path // in -pathname for this SD
){ daceNS = 0; saceNS = 0; daceEx = 0; saceEx = 0; daceU = 0; saceU = 0; daceNT = 0; saceNT = 0; unkown = false; unkgrp = false; shareInfo = NULL;
if ( path ) { safecopy(pathname,path); } else { path[0] = 0; } handle = INVALID_HANDLE_VALUE; ReadSD(path); } bool // ret-error=true
TShareSD::ReadSD( const LPWSTR path // in -sharename
){ DWORD rc;// void * r = NULL;
SECURITY_DESCRIPTOR * sd = NULL; bool error = false; DWORD lenServerName = 0;
if ( m_sd ) { delete m_sd; }
owner_changed = 0; group_changed = 0; dacl_changed = 0; sacl_changed = 0;
serverName = GetMachineName(path);
if ( serverName ) lenServerName = UStrLen(serverName) + 1; safecopy(pathname,path + lenServerName);
rc = NetShareGetInfo(serverName, pathname, 502, (LPBYTE *)&shareInfo); if ( rc ) { err.SysMsgWrite(ErrE, rc, DCT_MSG_FST_GET_SHARE_SECURITY_FAILED_SD, path, rc); error = true; } else { sd = (SECURITY_DESCRIPTOR *)shareInfo->shi502_security_descriptor; if ( sd ) { m_sd = new TSD(sd,McsShareSD,FALSE); if (!m_sd) error = true; } else { m_sd = NULL; } } return error;}
//------------------------------------------------------------------------------
// SetSD Method
//
// Synopsis
// Sets a security descriptor to be assigned to the share. This is needed in
// the case where a security descriptor does not already exist on the share
// which is the case with a newly created share that was not assigned a
// security descriptor.
//
// Arguments
// IN sd - pointer to security descriptor class which defines the security
// descriptor to be assigned to the share
//
// Return
// The boolean return value is true if security descriptor is successfully
// set otherwise it is false.
//------------------------------------------------------------------------------
bool TShareSD::SetSD(TSD* sd){ if (m_sd) { delete m_sd; }
m_sd = new TSD(sd);
return (m_sd != NULL);}
bool // ret-error=true
TShareSD::WriteSD(){ bool error = false; DWORD rc = 0; DWORD parmErr = 0; SECURITY_DESCRIPTOR * pSD = NULL;
// Build an absolute SD
if ( m_sd ) { pSD = m_sd->MakeAbsSD(); if (!pSD) return false; shareInfo->shi502_security_descriptor = pSD; rc = NetShareSetInfo(serverName,pathname,502,(BYTE *)shareInfo,&parmErr); if ( rc ) { err.SysMsgWrite(ErrE,rc,DCT_MSG_FST_SHARE_WRITESD_FAILED_SD,pathname,rc); } free(pSD); } else { MCSASSERT(FALSE); // SD does not exist
} return error;}
TRegSD::TRegSD( const LPWSTR path, // in -pathname for this SD
HKEY hKey // in -handle for the registry key
){ daceNS = 0; saceNS = 0; daceEx = 0; saceEx = 0; daceU = 0; saceU = 0; daceNT = 0; saceNT = 0; unkown = false; unkgrp = false;
if ( path ) { safecopy(pathname,path); } else { path[0] = 0; } m_hKey = hKey; ReadSD(m_hKey); }
bool TRegSD::ReadSD(HKEY hKey){ DWORD rc = 0; DWORD lenBuffer = SD_DEFAULT_SIZE; SECURITY_DESCRIPTOR * sd = NULL;
m_hKey = hKey;
sd = (SECURITY_DESCRIPTOR *)malloc(SD_DEFAULT_SIZE); if (!sd) return false;
rc = RegGetKeySecurity(hKey,OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION, sd,&lenBuffer);
if ( rc == ERROR_INSUFFICIENT_BUFFER ) { free(sd); sd = (SECURITY_DESCRIPTOR *)malloc(lenBuffer); if (!sd) return false; rc = RegGetKeySecurity(hKey,OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION, sd,&lenBuffer); }
if ( rc ) { free(sd); } else { m_sd = new TSD(sd,McsRegistrySD,TRUE); if (!m_sd) rc = ERROR_NOT_ENOUGH_MEMORY; } return ( rc == 0 );}
bool TRegSD::WriteSD(){ DWORD rc = 0; SECURITY_DESCRIPTOR * sd = NULL; MCSVERIFY( m_sd && m_sd->IsValid() ); SECURITY_INFORMATION si; si = 0; if ( m_sd->IsOwnerChanged() ) si |= OWNER_SECURITY_INFORMATION; if ( m_sd->IsGroupChanged() ) si |= GROUP_SECURITY_INFORMATION; if ( m_sd->IsDACLChanged() ) si |= DACL_SECURITY_INFORMATION; if ( m_sd->IsSACLChanged() ) si |= SACL_SECURITY_INFORMATION;
sd = m_sd->MakeAbsSD(); if (!sd) return false; rc = RegSetKeySecurity(m_hKey,si,sd);
if ( rc ) { err.SysMsgWrite(ErrE,rc,DCT_MSG_REG_SD_WRITE_FAILED_SD,name,rc); } m_sd->FreeAbsSD(sd); return ( rc == 0 );}
//////////////////////////TPrintSD implementation///////////////////////////////////////////////////////////
TPrintSD::TPrintSD( const LPWSTR path // in -pathname for this SD
){ daceNS = 0; saceNS = 0; daceEx = 0; saceEx = 0; daceU = 0; saceU = 0; daceNT = 0; saceNT = 0; unkown = false; unkgrp = false; buffer = NULL; if ( path ) { safecopy(pathname,path); } else { path[0] = 0; } handle = INVALID_HANDLE_VALUE; ReadSD(path); } bool // ret-error=true
TPrintSD::ReadSD( const LPWSTR path // in -sharename
){ DWORD rc = 0; SECURITY_DESCRIPTOR * sd = NULL; if ( m_sd ) { delete m_sd; }
owner_changed = 0; group_changed = 0; dacl_changed = 0; sacl_changed = 0;
PRINTER_DEFAULTS defaults; DWORD needed = 0; PRINTER_INFO_3 * pInfo;
defaults.DesiredAccess = READ_CONTROL | PRINTER_ACCESS_ADMINISTER | WRITE_OWNER | WRITE_DAC | ACCESS_SYSTEM_SECURITY; defaults.pDatatype = NULL; defaults.pDevMode = NULL;
buffer = new BYTE[PRINT_BUFFER_SIZE]; if (!buffer) return false;
// Get the security descriptor for the printer
if(hPrinter != INVALID_HANDLE_VALUE) { // we need to release the handle
ClosePrinter(hPrinter); } if ( ! OpenPrinter(path,&hPrinter,&defaults) ) { // set the handle to default value
hPrinter = INVALID_HANDLE_VALUE; rc = GetLastError(); err.SysMsgWrite(ErrE,rc,DCT_MSG_OPEN_PRINTER_FAILED_SD,path,rc); } else { if ( ! GetPrinter(hPrinter,3,buffer,PRINT_BUFFER_SIZE,&needed) ) { rc = GetLastError(); if ( rc == ERROR_INSUFFICIENT_BUFFER ) { delete [] buffer; buffer = new BYTE[needed]; if (!buffer) rc = ERROR_NOT_ENOUGH_MEMORY; else if (! GetPrinter(hPrinter,3,buffer, needed, &needed ) ) { rc = GetLastError(); } } } if ( rc ) { err.SysMsgWrite(ErrE,rc,DCT_MSG_GET_PRINTER_FAILED_SD,path,rc); } else { pInfo = (PRINTER_INFO_3*)buffer; sd = (SECURITY_DESCRIPTOR *)pInfo->pSecurityDescriptor; if ( sd ) { m_sd = new TSD(sd,McsPrinterSD,FALSE); if (!m_sd) rc = ERROR_NOT_ENOUGH_MEMORY; } else { m_sd = NULL; } } } return (rc == 0);}
bool // ret-error=true
TPrintSD::WriteSD(){// bool error = false;
DWORD rc = 0; SECURITY_DESCRIPTOR * pSD = NULL; PRINTER_INFO_3 pInfo;
// Build an absolute SD
MCSVERIFY(hPrinter != INVALID_HANDLE_VALUE); if ( m_sd ) { pSD = m_sd->MakeAbsSD(); if (!pSD) return false; pInfo.pSecurityDescriptor = pSD; SetLastError(0); // Clear the primary group from the security descriptor, since in NT 4, setting a security descriptor
// with a non-NULL primary group sometimes doesn't work
SetSecurityDescriptorGroup(pSD,NULL,FALSE); if (! SetPrinter(hPrinter,3,(LPBYTE)&pInfo,0) ) { rc = GetLastError(); } if ( rc ) { err.SysMsgWrite(ErrE,rc,DCT_MSG_PRINTER_WRITESD_FAILED_SD,pathname,rc); } free(pSD); } else { MCSASSERT(FALSE); // SD does not exist
} return (rc == 0);}
#ifdef SDRESOLVE
/////////////////////////////////////////////////Utility routines to print security descriptors for debug logging
//#pragma title("PrintSD- Formats/prints security info")
// Author - Tom Bernhardt
// Created- 09/11/93
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <malloc.h>
#include <winbase.h>
#include <lm.h>
#include "common.hpp"
#include "err.hpp"
#include "Ustring.hpp"
#define SDBUFFSIZE (sizeof (SECURITY_DESCRIPTOR) + 10000)
static const char sidType[][16]= {"--0--" , "User" , "Group" , "Domain" , "Alias" , "WellKnownGroup", "Deleted", "Invalid" , "Unknown"};
class SidTree{public: SidTree * left; SidTree * right; SID_NAME_USE sidUse; USHORT lenSid; char buffer[1]; // contains sid, account name and domain
SidTree() {}; SidTree * // ret-found/created node
Find( SidTree ** sidTree ,// i/o-head of extension tree
PSID const pSid // in -file extension
);};
static char * AclType( BOOL isPresent ,// in -1 if present
BOOL isDefault // in -1 if default ACL
){ if ( !isPresent ) return "none"; if ( isDefault ) return "default"; return "present";}
//#pragma page()
// For each "on" bit in the bitmap, appends the corresponding char in
// mapStr to retStr, thus forming a recognizable form of the bit string.
staticint _stdcall // ret-legngth of string written
BitMapStr( DWORD bitmap ,// in -bits to map
char const * mapStr ,// in -map character array string
char * retStr // out-return selected map char string
){ char const * m; char * r = retStr;
for ( m = mapStr; *m; m++, bitmap >>= 1 ) if ( bitmap & 1 ) // if current permission on
*r++ = *m; // set output string to corresponding char
*r = '\0'; return (int)(r - retStr);}
//#pragma page()
// converts an ACE access mask to a semi-undertandable string
staticchar * _stdcall PermStr( DWORD access ,// in -access mask
char * retStr // out-return permissions string
){// static char const fileSpecific[] = "R W WaErEwX . ArAw";
// static char const dirSpecific[] = "L C M ErEwT D ArAw";
static char const specific[] = "RWbeEXDaA.......", standard[] = "DpPOs...", generic[] = "SM..AXWR"; char * o = retStr;
if ( (access & FILE_ALL_ACCESS) == FILE_ALL_ACCESS ) *o++ = '*'; else o += BitMapStr(access, specific, o);
access >>= 16; *o++ = '-'; if ( (access & (STANDARD_RIGHTS_ALL >> 16)) == (STANDARD_RIGHTS_ALL >> 16) ) *o++ = '*'; else o += BitMapStr(access, standard, o);
access >>= 8; if ( access ) { *o++ = '-'; o += BitMapStr(access, generic, o); } *o = '\0'; // null terminate string
return retStr;}
//#pragma page()
// Binary tree insertion/searching of Sids that obviates the constant
// use of LookupAccount and speeds execution by 100x!!!!!
SidTree * // ret-found/created node
SidTree::Find( SidTree ** sidTree ,// i/o-head of extension tree
PSID const pSid // in -file extension
){ SidTree * curr, ** prevNext = sidTree; // &forward-chain
int cmp; // compare result
DWORD lenSid; WCHAR name[60], domain[60]; DWORD lenName, lenDomain, rc; SID_NAME_USE sidUse; static int nUnknown = 0;
for ( curr = *prevNext; curr; curr = *prevNext ) { if ( (cmp = memcmp(pSid, curr->buffer, curr->lenSid)) < 0 ) prevNext = &curr->left; // go down left side
else if ( cmp > 0 ) prevNext = &curr->right; // go down right side
else return curr; // found it and return address
}
// not found in tree -- create it
lenName = DIM(name); lenDomain = DIM(domain); if ( !LookupAccountSid(NULL, pSid, name, &lenName, domain, &lenDomain, &sidUse) ) { rc = GetLastError(); if ( rc != ERROR_NONE_MAPPED ) err.DbgMsgWrite(0, L"LookupAccountSid()=%ld", rc); lenName = swprintf(name, L"**Unknown%d**", ++nUnknown); UStrCpy(domain, "-unknown-"); lenDomain = 9; sidUse = (_SID_NAME_USE)0; } lenSid = GetLengthSid(pSid); *prevNext = (SidTree *)malloc(sizeof **prevNext + lenSid + lenName + lenDomain + 1); if (!(*prevNext)) return NULL; memset(*prevNext, '\0', sizeof **prevNext); memcpy((*prevNext)->buffer, pSid, lenSid); (*prevNext)->lenSid = (USHORT)lenSid; (*prevNext)->sidUse = sidUse; UStrCpy((*prevNext)->buffer + lenSid, name, lenName + 1); UStrCpy((*prevNext)->buffer + lenSid + lenName + 1, domain, lenDomain + 1); return *prevNext;}
//#pragma page()
SidTree gSidTree;SidTree * sidHead = &gSidTree;SECURITY_DESCRIPTOR * sd = NULL;
// Formats and prints (to stdout) the contents of the argment ACL
staticvoid _stdcall PrintACL( const PACL acl ,// in -ACL (SACL or DACL)
WCHAR const * resource // in -resource name
){ ACCESS_ALLOWED_ACE * ace; DWORD nAce; static char const typeStr[] = "+-A*"; SidTree * sidTree; char permStr[33], inherStr[5]; WCHAR txtSid[200]; char sTxtSid[200]; DWORD txtSidLen = DIM(txtSid); err.DbgMsgWrite(0,L" T Fl Acc Mask Permissions Account name " L"Domain Acct Type");
for ( nAce = 0; nAce < acl->AceCount; nAce++ ) { if ( !GetAce(acl, nAce, (LPVOID *)&ace) ) { err.DbgMsgWrite(0,L"GetAclInformation()=%ld ", GetLastError()); return; } sidTree = sidHead->Find(&sidHead, &ace->SidStart); BitMapStr(ace->Header.AceFlags, "FDNI", inherStr); txtSid[0] = 0; txtSidLen = DIM(txtSid); GetTextualSid(&ace->SidStart,txtSid,&txtSidLen); safecopy(sTxtSid,txtSid); err.DbgMsgWrite(0,L" %c%-3S %08x %-16S %-16S %-14S %S", typeStr[ace->Header.AceType], inherStr, ace->Mask, PermStr(ace->Mask, permStr), (*(sidTree->buffer + sidTree->lenSid)) ? (sidTree->buffer + sidTree->lenSid) : sTxtSid, sidTree->buffer + sidTree->lenSid + strlen(sidTree->buffer + sidTree->lenSid) + 1, sidType[sidTree->sidUse]); }}
SECURITY_DESCRIPTOR *GetSD( WCHAR * path ){ //added by christy
//this does the same stuff as
// PermsPrint, but doesn't print
DWORD req = 0; HANDLE hSrc; DWORD rc = 0; // void * r = NULL;
// WIN32_STREAM_ID * s = (WIN32_STREAM_ID *)copyBuffer;
char static const * streamName[] = {"Err", "Data", "EA", "Security", "Alternate", "Link", "Err6"}; hSrc = CreateFile(path, GENERIC_READ |ACCESS_SYSTEM_SECURITY, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_SEQUENTIAL_SCAN | FILE_FLAG_BACKUP_SEMANTICS, 0); if ( hSrc == INVALID_HANDLE_VALUE ) { rc = GetLastError(); if ( rc == ERROR_SHARING_VIOLATION ) err.DbgMsgWrite(ErrE, L"Source file in use %S", path ); else err.DbgMsgWrite(ErrS,L"OpenR(%S) ", path); return NULL; }
if ( ! GetKernelObjectSecurity(hSrc, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION , sd, SDBUFFSIZE, &req) ) { err.DbgMsgWrite(0, L"GetKernelObjectSecurity(%S)=%ld req=%ld ", path, GetLastError(),req); return NULL; }
CloseHandle(hSrc);
return sd;}
//#pragma page()
// Gets the security descriptors for a resource (path), format the owner
// information, gets the ACL and SACL and prints them.
DWORD PermsPrint( WCHAR * path, // in -iterate directory paths
objectType objType // in -type of the object
){ TFileSD fsd(path); TShareSD ssd(path); TPrintSD psd(path); TRegSD rsd(path,NULL); SECURITY_DESCRIPTOR const* pSD = NULL;
switch ( objType ) { case file: case directory: fsd.ReadSD(path); if ( fsd.GetSecurity() ) { pSD = fsd.GetSecurity()->GetSD(); } break; case printer: psd.ReadSD(path); if ( psd.GetSecurity() ) { pSD = psd.GetSecurity()->GetSD(); } break; case share: ssd.ReadSD(path); if ( ssd.GetSecurity() ) { pSD = ssd.GetSecurity()->GetSD(); } break; case regkey: rsd.ReadSD(path); if ( rsd.GetSecurity() ) { pSD = rsd.GetSecurity()->GetSD(); } break; default: break; } if ( pSD ) { PrintSD(const_cast<SECURITY_DESCRIPTOR*>(pSD),path); } else { err.DbgMsgWrite(0,L"Couldn't load Security descriptor for %ls",path); } return 0;}
DWORD PrintSD(SECURITY_DESCRIPTOR * sd,WCHAR const * path){ BOOL isPresent, isDefault; PACL dacl; PACL sacl; PSID pSidOwner; SidTree * sidTree = &gSidTree;
// DWORD rc = 0;
if ( !GetSecurityDescriptorOwner(sd, &pSidOwner, &isDefault) ) { err.DbgMsgWrite(0,L"GetSecurityDescriptorOwner()=%ld ", GetLastError()); return 1; } err.DbgMsgWrite(0,L"%s",path); if ( pSidOwner ) { sidTree = sidHead->Find(&sidHead, pSidOwner); if (sidTree) { err.DbgMsgWrite(0,L"owner=%S\\%S, type=%S, ", //path,
sidTree->buffer + sidTree->lenSid + strlen(sidTree->buffer + sidTree->lenSid) + 1, sidTree->buffer + sidTree->lenSid, sidType[sidTree->sidUse]); } } else { err.DbgMsgWrite(0,L"owner=NULL"); } if ( !GetSecurityDescriptorDacl(sd, &isPresent, &dacl, &isDefault) ) { err.DbgMsgWrite(0, L"GetSecurityDescriptorDacl()=%ld ", GetLastError()); return 1; }
err.DbgMsgWrite(0,L" DACL=%S", AclType(isPresent, isDefault) ); if ( dacl ) PrintACL(dacl, path);
if ( !GetSecurityDescriptorSacl(sd, &isPresent, &sacl, &isDefault) ) { err.DbgMsgWrite(0, L"GetSecurityDescriptorSacl()=%ld ", GetLastError()); return 1; }
if ( isPresent ) { err.DbgMsgWrite(0,L" SACL %S", AclType(isPresent, isDefault) ); if (!sacl) { err.DbgMsgWrite(0,L"SACL is empty."); } else PrintACL(sacl, path); } return 0;}#endif
|
