archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/admin/wmi/wbem/winmgmt/esscli/groupsforuser.cpp

569 lines
13 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //****************************************************************************
  2. //
  3. // Copyright (C) 1999 Microsoft Corporation
  4. //
  5. // GROUPSFORUSER.CPP
  6. //
  7. //****************************************************************************
  9. // This is done in the sources file: WIN32_WIN32_WINNT=0x0400
  10. //#define _WIN32_WINNT 0x0400
  12. #include "precomp.h"
  13. #include <wbemcomn.h>
  14. #include "wmiauthz.h"
  15. #include "GroupsForUser.h"
  18. //
  19. // Store the error status of CWmiAuthzWrapper and CAdminSID class initialization.
  20. // They are set to ERROR_INVALID_ACCESS error status initially.
  21. //
  23. static DWORD g_dwWmiAuthzError = ERROR_INVALID_ACCESS;
  24. static DWORD g_dwAdminSIDError = ERROR_INVALID_ACCESS;
  27. //
  28. // Class definition of CWmiAuthzWrapper class.
  29. // This class wraps CWmiAuthz class:
  30. // - It creates an instance of CWmiAuthz class in its
  31. // constructor and deletes it in descrutor.
  32. // - Sets g_dwWmiAuthzError global in case of error otherwise
  33. // sets it to 0 ( ERROR_SUCCESS )
  34. //
  36. class CWmiAuthzWrapper
  37. {
  38. // Private member variables
  39. CWmiAuthz *m_pWmiAuthz;
  41. public:
  42. // Constructor
  43. CWmiAuthzWrapper( )
  44. {
  45. m_pWmiAuthz = new CWmiAuthz( NULL );
  46. if ( NULL == m_pWmiAuthz )
  47. {
  48. g_dwWmiAuthzError = ERROR_OUTOFMEMORY;
  49. }
  50. else
  51. {
  52. m_pWmiAuthz->AddRef( );
  53. g_dwWmiAuthzError = ERROR_SUCCESS;
  54. }
  55. }
  57. // Destructor
  58. ~CWmiAuthzWrapper( )
  59. {
  60. if ( m_pWmiAuthz )
  61. {
  62. m_pWmiAuthz->Release( );
  63. }
  64. }
  66. // Accessor method to CWmiClass instance
  67. CWmiAuthz * GetWmiAuthz( ) const
  68. {
  69. return m_pWmiAuthz;
  70. }
  72. };
  75. //
  76. // Class definition of CAdminSID class.
  77. // - Allocates Admin SID in its constructor and
  78. // frees it in destructor.
  79. // - Sets g_dwAdminSIDError global in case of error otherwise
  80. // sets it to 0 ( ERROR_SUCCESS )
  81. //
  83. class CAdminSID
  84. {
  85. PSID m_pSIDAdmin;
  87. public:
  88. // Constructor
  89. CAdminSID( )
  90. {
  91. //
  92. // Create a System Identifier for the Admin group.
  93. //
  95. SID_IDENTIFIER_AUTHORITY SystemSidAuthority = SECURITY_NT_AUTHORITY;
  97. if ( FALSE == AllocateAndInitializeSid ( &SystemSidAuthority,
  98. 2,
  99. SECURITY_BUILTIN_DOMAIN_RID,
  100. DOMAIN_ALIAS_RID_ADMINS,
  101. 0, 0, 0, 0, 0, 0,
  102. &m_pSIDAdmin ) )
  103. {
  104. g_dwAdminSIDError = GetLastError( );
  105. ERRORTRACE( ( LOG_ESS, "AllocateAndInitializeSid failed, error 0x%X\n", g_dwAdminSIDError ) );
  106. m_pSIDAdmin = NULL;
  107. }
  108. else
  109. {
  110. g_dwAdminSIDError = ERROR_SUCCESS;
  111. }
  112. }
  114. // Destructor
  115. ~CAdminSID( )
  116. {
  117. if ( m_pSIDAdmin )
  118. {
  119. FreeSid ( m_pSIDAdmin );
  120. }
  121. }
  123. // Accessor method to Admin SID
  124. PSID GetAdminSID( ) const
  125. {
  126. return m_pSIDAdmin;
  127. }
  128. };
  131. //
  132. // Static glabal declaration of CWmiAuthsWrapper class.
  133. //
  135. static CWmiAuthzWrapper g_wmiAuthzWrapper;
  138. //
  139. // Static glabal declaration of CAdminSID class.
  140. //
  142. static CAdminSID g_adminSID;
  145. //
  146. // Returns SD and DACL with a given Access Mask and SID
  147. //
  149. DWORD GetSDAndACLFromSID( DWORD dwAccessMask, PSID pSID,
  150. BYTE **ppNewDACL,
  151. BYTE **ppNewSD )
  152. {
  153. DWORD dwError = 0,
  154. dwDACLLength = sizeof ( ACL ) +
  155. sizeof ( ACCESS_ALLOWED_ACE ) -
  156. sizeof ( DWORD ) +
  157. GetLengthSid ( pSID );
  158. //
  159. // Get memory needed for new DACL
  160. //
  162. *ppNewDACL = new BYTE[ dwDACLLength ];
  163. if ( !*ppNewDACL )
  164. {
  165. *ppNewSD = NULL;
  166. return E_OUTOFMEMORY;
  167. }
  169. //
  170. // Get memory for new SD
  171. //
  173. *ppNewSD = new BYTE[ sizeof( SECURITY_DESCRIPTOR ) ];
  174. if ( !*ppNewSD )
  175. {
  176. delete[] *ppNewDACL;
  177. *ppNewDACL = NULL;
  178. return E_OUTOFMEMORY;
  179. }
  181. do
  182. {
  183. //
  184. // Initialize new SD
  185. //
  187. if ( FALSE == InitializeSecurityDescriptor ( ( PSECURITY_DESCRIPTOR )*ppNewSD,
  188. SECURITY_DESCRIPTOR_REVISION ) )
  189. {
  190. dwError = GetLastError( );
  191. break;
  192. }
  194. //
  195. // Initialize new DACL
  196. //
  198. if ( FALSE == InitializeAcl ( ( PACL )*ppNewDACL,
  199. dwDACLLength,
  200. ACL_REVISION ) )
  201. {
  202. dwError = GetLastError( );
  203. break;
  204. }
  206. //
  207. // Get DACL using Access Mask and SID
  208. //
  210. if ( FALSE == AddAccessAllowedAce ( ( PACL )*ppNewDACL,
  211. ACL_REVISION,
  212. dwAccessMask,
  213. pSID ) )
  214. {
  215. dwError = GetLastError( );
  216. break;
  217. }
  219. //
  220. // Check if everything went OK
  221. //
  223. if ( FALSE == IsValidAcl ( ( PACL )*ppNewDACL ) )
  224. {
  225. dwError = GetLastError( );
  226. break;
  227. }
  229. //
  230. // Set DACL to the SD
  231. //
  233. if ( FALSE == SetSecurityDescriptorDacl ( ( PSECURITY_DESCRIPTOR )*ppNewSD,
  234. TRUE, ( PACL )*ppNewDACL,
  235. FALSE ) )
  236. {
  237. dwError = GetLastError( );
  238. break;
  239. }
  241. //
  242. // Set Group to the SD
  243. //
  245. if ( FALSE == SetSecurityDescriptorGroup ( ( PSECURITY_DESCRIPTOR )*ppNewSD,
  246. pSID,
  247. TRUE ) )
  248. {
  249. dwError = GetLastError( );
  250. break;
  251. }
  253. //
  254. // Set Owner to the SD
  255. //
  257. if ( FALSE == SetSecurityDescriptorOwner ( ( PSECURITY_DESCRIPTOR )*ppNewSD,
  258. pSID,
  259. TRUE ) )
  260. {
  261. dwError = GetLastError( );
  262. break;
  263. }
  265. //
  266. // Check if everything went OK
  267. //
  269. if ( FALSE == IsValidSecurityDescriptor ( ( PSECURITY_DESCRIPTOR )*ppNewSD ) )
  270. {
  271. dwError = GetLastError( );
  272. break;
  273. }
  274. }
  275. while( FALSE );
  277. //
  278. // Delete the stuff in case of error
  279. //
  281. if ( dwError )
  282. {
  283. delete[] *ppNewDACL;
  284. delete[] *ppNewSD;
  285. *ppNewDACL = NULL;
  286. *ppNewSD = NULL;
  287. }
  289. return dwError;
  290. }
  293. //
  294. // Returns SD with a given DACL
  295. //
  297. DWORD GetSDFromACL( PACL pNewDACL, BYTE **ppNewSD )
  298. {
  299. //
  300. // Return if error occured during initialization of Admin SID
  301. // in CAdminSID static global class declaration;
  302. //
  304. _DBG_ASSERT( !g_dwAdminSIDError );
  306. if ( g_dwAdminSIDError )
  307. {
  308. *ppNewSD = NULL;
  309. return g_dwAdminSIDError;
  310. }
  312. //
  313. // Get memory for new SD
  314. //
  316. *ppNewSD = new BYTE[ sizeof( SECURITY_DESCRIPTOR ) ];
  317. if ( !*ppNewSD )
  318. {
  319. return E_OUTOFMEMORY;
  320. }
  322. DWORD dwError = 0;
  324. do
  325. {
  326. //
  327. // Initialize new SD
  328. //
  330. if ( FALSE == InitializeSecurityDescriptor ( ( PSECURITY_DESCRIPTOR )*ppNewSD,
  331. SECURITY_DESCRIPTOR_REVISION ) )
  332. {
  333. dwError = GetLastError( );
  334. break;
  335. }
  337. //
  338. // Set DACL to the SD
  339. //
  341. if ( FALSE == SetSecurityDescriptorDacl ( ( PSECURITY_DESCRIPTOR )*ppNewSD,
  342. TRUE, pNewDACL, FALSE ) )
  343. {
  344. dwError = GetLastError( );
  345. break;
  346. }
  348. //
  349. // Set Group to the SD with Admin SID
  350. //
  352. if ( FALSE == SetSecurityDescriptorGroup ( ( PSECURITY_DESCRIPTOR )*ppNewSD,
  353. g_adminSID.GetAdminSID( ),
  354. TRUE ) )
  355. {
  356. dwError = GetLastError( );
  357. break;
  358. }
  360. //
  361. // Set Owner to the SD
  362. //
  364. if ( FALSE == SetSecurityDescriptorOwner ( ( PSECURITY_DESCRIPTOR )*ppNewSD,
  365. g_adminSID.GetAdminSID( ),
  366. TRUE ) )
  367. {
  368. dwError = GetLastError( );
  369. break;
  370. }
  372. //
  373. // Check if everything went OK
  374. //
  376. if ( FALSE == IsValidSecurityDescriptor ( ( PSECURITY_DESCRIPTOR )*ppNewSD ) )
  377. {
  378. dwError = GetLastError( );
  379. break;
  380. }
  381. }
  382. while( FALSE );
  384. //
  385. // Delete the security descriptor in case of error
  386. //
  388. if ( dwError )
  389. {
  390. delete[] *ppNewSD;
  391. *ppNewSD = NULL;
  392. }
  394. return dwError;
  395. }
  397. //
  398. // Returns STATUS_SUCCESS if user is in group
  399. // STATUS_ACCESS_DENIED if not
  400. // some error code or other on error
  401. //
  403. NTSTATUS IsUserInGroup( PSID pSidUser, PSID pSidGroup )
  404. {
  405. _DBG_ASSERT( IsValidSid( pSidUser ) );
  406. _DBG_ASSERT( IsValidSid( pSidGroup ) );
  408. //
  409. // Return if error occured during creation of CWmiAuthz class
  410. // in static global CWmiAuthzWrapper class declaration.
  411. //
  413. _DBG_ASSERT( !g_dwWmiAuthzError );
  415. if ( g_dwWmiAuthzError )
  416. {
  417. return g_dwWmiAuthzError;
  418. }
  420. IWbemToken *pToken = NULL;
  421. HRESULT hr = g_wmiAuthzWrapper.GetWmiAuthz( )->GetToken( ( BYTE * )pSidUser, &pToken );
  423. if ( FAILED( hr ) )
  424. {
  425. return hr;
  426. }
  428. BYTE *pDACL = NULL;
  429. BYTE *pSD = NULL;
  430. DWORD dwAccess = 0;
  431. NTSTATUS stat = GetSDAndACLFromSID( STANDARD_RIGHTS_EXECUTE,
  432. pSidGroup,
  433. &pDACL,
  434. &pSD );
  436. if ( stat )
  437. {
  438. pToken->Release( );
  439. return stat;
  440. }
  442. hr = pToken->AccessCheck( STANDARD_RIGHTS_EXECUTE, pSD, &dwAccess );
  444. pToken->Release( );
  446. //
  447. // Delete allocated memory in GetSDAndACLFromSID
  448. //
  450. delete[] pSD;
  451. delete[] pDACL;
  453. if ( FAILED( hr ) )
  454. {
  455. return hr;
  456. }
  458. if ( STANDARD_RIGHTS_EXECUTE & dwAccess )
  459. {
  460. return STATUS_SUCCESS;
  461. }
  463. return STATUS_ACCESS_DENIED;
  464. }
  467. //
  468. // Returns STATUS_SUCCESS if user is in admin group
  469. // STATUS_ACCESS_DENIED if not
  470. // some error code or other on error
  471. //
  473. NTSTATUS IsUserAdministrator( PSID pSidUser )
  474. {
  475. _DBG_ASSERT( IsValidSid( pSidUser ) );
  477. //
  478. // Return if error occured during initialization of Admin SID
  479. // in CAdminSID static global class declaration;
  480. //
  482. _DBG_ASSERT( !g_dwAdminSIDError );
  484. if ( g_dwAdminSIDError )
  485. {
  486. return g_dwAdminSIDError;
  487. }
  489. //
  490. // Call IsUserInGroup with Administrators group SID
  491. //
  493. return IsUserInGroup( pSidUser, g_adminSID.GetAdminSID( ) );
  494. }
  497. //
  498. // Retireves access mask corresponding to permissions granted
  499. // by dacl to account denoted in pSid
  500. // only deals with the ACCESS_ALLOWED/DENIED type aces
  501. // including the ACCESS_ALLOWED/DENIED_OBJECT_ACEs
  502. // - will error out if it finds a SYSTEM_AUDIT or unrecognized type.
  503. //
  505. NTSTATUS GetAccessMask( PSID pSid, PACL pDacl, DWORD *pdwAccessMask )
  506. {
  507. if ( NULL == pDacl )
  508. {
  509. *pdwAccessMask = 0xFFFFFFFF;
  510. return STATUS_SUCCESS;
  511. }
  513. _DBG_ASSERT( IsValidSid( pSid ) );
  514. _DBG_ASSERT( IsValidAcl( pDacl ) );
  516. *pdwAccessMask = NULL;
  518. //
  519. // Return if error occured during creation of CWmiAuthz class
  520. // in static global CWmiAuthzWrapper class declaration.
  521. //
  523. _DBG_ASSERT( !g_dwWmiAuthzError );
  525. if ( g_dwWmiAuthzError )
  526. {
  527. return g_dwWmiAuthzError;
  528. }
  530. IWbemToken *pToken = NULL;
  531. HRESULT hr = g_wmiAuthzWrapper.GetWmiAuthz( )->GetToken( ( BYTE * )pSid, &pToken );
  533. if ( FAILED( hr ) )
  534. {
  535. return hr;
  536. }
  538. BYTE *pSD = NULL;
  539. NTSTATUS stat = GetSDFromACL( pDacl, &pSD );
  541. if ( stat )
  542. {
  543. pToken->Release( );
  544. return stat;
  545. }
  547. //
  548. // Requested DesiredAccessMask should be MAXIMUM_ALLOWED
  549. // to be able to retrieve all the accesses with replied
  550. // access mask
  551. //
  553. hr = pToken->AccessCheck( MAXIMUM_ALLOWED, pSD, pdwAccessMask );
  555. pToken->Release( );
  557. //
  558. // Delete allocated memory in GetSDFromACL
  559. //
  561. delete[] pSD;
  563. if ( FAILED( hr ) )
  564. {
  565. return hr;
  566. }
  568. return STATUS_SUCCESS;
  569. }