archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/com/ole32/dcomss/objex/token.cxx

819 lines
19 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1995 Microsoft Corporation
  5. Module Name:
  7. Token.cxx
  9. Abstract:
  11. Implementation for Windows NT security interfaces.
  13. Platform:
  15. Windows NT user mode.
  17. Notes:
  19. Not portable to non-Windows NT platforms.
  21. Author:
  23. Mario Goertzel [MarioGo]
  25. Revision History:
  27. MarioGo 12/21/1995 Bits 'n pieces
  29. --*/
  31. #include <or.hxx>
  32. #include <aclapi.h>
  33. #include <winsaferp.h>
  34. #include <access.hxx>
  36. CRITICAL_SECTION gcsTokenLock;
  39. ORSTATUS
  40. LookupOrCreateTokenFromHandle(
  41. IN HANDLE hClientToken,
  42. OUT CToken **ppToken
  43. )
  44. /*++
  46. Routine Description:
  48. Finds or allocates a new token object for the caller.
  50. Arguments:
  52. hCaller - RPC binding handle of the caller of RPCSS.
  54. pToken - Upon a successful return this will hold the token.
  55. It can be destroyed by calling Release();
  57. Return Value:
  60. OR_OK - success
  61. OR_NOMEM - Unable to allocate an object.
  63. --*/
  64. {
  65. ORSTATUS status;
  66. UINT type;
  67. LUID luid;
  68. PTOKEN_USER ptu;
  69. TOKEN_STATISTICS ts;
  70. BOOL fSuccess;
  71. DWORD needed;
  72. HANDLE hJobObject = NULL;
  73. LUID luidMod;
  75. needed = sizeof(ts);
  76. fSuccess = GetTokenInformation(hClientToken,
  77. TokenStatistics,
  78. &ts,
  79. sizeof(ts),
  80. &needed
  81. );
  82. if (!fSuccess)
  83. {
  84. KdPrintEx((DPFLTR_DCOMSS_ID,
  85. DPFLTR_WARNING_LEVEL,
  86. "OR: GetTokenInfo failed %d\n",
  87. GetLastError()));
  89. ASSERT(GetLastError() != ERROR_INSUFFICIENT_BUFFER);
  90. status = OR_NOMEM;
  91. goto Cleanup;
  92. }
  94. luid = ts.AuthenticationId;
  95. luidMod = ts.ModifiedId;
  96. //
  97. // Check if the token is already in the list
  98. //
  100. {
  101. CMutexLock lock(&gcsTokenLock);
  103. CListElement *ple;
  105. ple = gpTokenList->First();
  107. fSuccess = FALSE;
  108. while(ple)
  109. {
  110. CToken *pToken = CToken::ContainingRecord(ple);
  112. if (pToken->MatchLuid(luid) &&
  113. (pToken->MatchModifiedLuid(luidMod)) &&
  114. (S_OK == pToken->MatchToken(hClientToken, TRUE)))
  115. {
  116. pToken->AddRef();
  117. *ppToken = pToken;
  118. status = OR_OK;
  119. fSuccess = TRUE;
  120. break;
  121. }
  122. else
  123. {
  124. ple = ple->Next();
  125. }
  126. }
  127. }
  129. if (fSuccess)
  130. {
  131. status = OR_OK;
  132. CloseHandle(hClientToken);
  133. goto Cleanup;
  134. }
  136. //
  137. // New user, need to allocate a token object.
  138. //
  140. // Lookup the SID to store in the new token object.
  142. needed = DEBUG_MIN(1, 0x2c);
  144. do
  145. {
  146. ptu = (PTOKEN_USER)alloca(needed);
  147. ASSERT(ptu);
  149. fSuccess = GetTokenInformation(hClientToken,
  150. TokenUser,
  151. (PBYTE)ptu,
  152. needed,
  153. &needed);
  155. // If this assert is hit increase the 24 both here and above
  156. ASSERT(needed <= 0x2c);
  157. }
  158. while ( fSuccess == FALSE
  159. && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
  161. if (!fSuccess)
  162. {
  163. KdPrintEx((DPFLTR_DCOMSS_ID,
  164. DPFLTR_WARNING_LEVEL,
  165. "OR: GetTokenInfo (2) failed %d\n",
  166. GetLastError()));
  168. ASSERT(GetLastError() != ERROR_INSUFFICIENT_BUFFER);
  169. status = OR_NOMEM;
  170. goto Cleanup;
  171. }
  173. PSID psid;
  174. psid = ptu->User.Sid;
  175. ASSERT(IsValidSid(psid) == TRUE);
  177. // Allocate the token object
  179. needed = GetLengthSid(psid) - sizeof(SID);
  180. *ppToken = new(needed) CToken(hClientToken,
  181. hJobObject,
  182. luid,
  183. psid,
  184. needed + sizeof(SID));
  186. if (*ppToken)
  187. {
  188. CMutexLock lock(&gcsTokenLock);
  190. (*ppToken)->Insert();
  192. status = OR_OK;
  194. #if DBG_DETAIL
  195. {
  196. DWORD d = 50;
  197. WCHAR buffer[50];
  198. GetUserName(buffer, &d);
  199. KdPrintEx((DPFLTR_DCOMSS_ID,
  200. DPFLTR_WARNING_LEVEL,
  201. "OR: New user connected: %S (%p)\n",
  202. buffer,
  203. *ppToken));
  204. }
  205. #endif
  207. }
  208. else
  209. {
  210. status = OR_NOMEM;
  211. }
  213. Cleanup:
  215. if (OR_OK != status)
  216. {
  217. if (NULL != hJobObject)
  218. CloseHandle(hJobObject);
  219. }
  221. // status contains the result of the operation.
  223. return(status);
  224. }
  227. ORSTATUS
  228. LookupOrCreateTokenForRPCClient(
  229. IN handle_t hCaller,
  230. IN BOOL fAllowUnsecure,
  231. OUT CToken **ppToken,
  232. OUT BOOL* pfUnsecure
  233. )
  234. /*++
  236. Routine Description:
  238. Finds or allocates a new token object for the caller.
  240. Arguments:
  242. hCaller - RPC binding handle of the caller of RPCSS.
  244. fAllowUnsecure - whether to return a token for an unsecure
  245. caller, or an error instead.
  247. pToken - Upon a successful return this will hold the token.
  248. It can be destroyed by calling Release();
  250. pfUnsecure - Upon a successful return this will determine if
  251. the caller was unsecure or not.
  253. Return Value:
  255. OR_OK - success
  256. OR_NOACCESS - error occurred, or client was unsecure and !fAllowUnsecure
  257. OR_NOMEM - Unable to allocate an object.
  259. --*/
  260. {
  261. RPC_STATUS status = RPC_S_OK;
  262. HANDLE hClientToken = 0;
  263. BOOL fSuccess = FALSE;
  264. BOOL fUsedAnonymousToken = FALSE;
  266. if (pfUnsecure)
  267. *pfUnsecure = FALSE;
  269. status = RpcImpersonateClient(hCaller);
  270. if (status == RPC_S_CANNOT_SUPPORT)
  271. {
  272. // Check if the caller will accept an unsecure client
  273. if (!fAllowUnsecure)
  274. {
  275. return OR_NOACCESS;
  276. }
  278. //
  279. // Getting back RPC_S_CANNOT_SUPPORT from RpcImpClient
  280. // signifies that the client is _intentionally_ making an
  281. // unsecure call. Until .NET Server we had a lot of
  282. // custom code for handling this case in RPCSS. Now we map
  283. // such users to the Anonymous identity. This is a DCOM-specific
  284. // policy decision. The reasoning behind this is that it allows
  285. // COM servers (that care) to allow access to such clients access
  286. // in a programmatic way by granting access to Anonymous. See
  287. // comments in CheckForAccess in ole32\dcomss\olescm\security.cxx.
  288. //
  289. fSuccess = ImpersonateAnonymousToken(GetCurrentThread());
  290. if (!fSuccess)
  291. {
  292. return OR_NOACCESS;
  293. }
  294. fUsedAnonymousToken = TRUE;
  296. // This caller is considered "unsecure"
  297. if (pfUnsecure)
  298. *pfUnsecure = TRUE;
  299. }
  300. else if (status != RPC_S_OK)
  301. {
  302. return OR_NOACCESS;
  303. }
  305. fSuccess = OpenThreadToken(GetCurrentThread(),
  306. TOKEN_ALL_ACCESS,
  307. TRUE,
  308. &hClientToken);
  310. if (fSuccess)
  311. {
  312. status = LookupOrCreateTokenFromHandle(hClientToken, ppToken);
  313. if(OR_OK == status)
  314. {
  315. // The token object now controls the life of the token handle
  316. hClientToken = 0;
  317. }
  318. else
  319. {
  320. CloseHandle(hClientToken);
  321. hClientToken = 0;
  322. }
  323. }
  324. else
  325. {
  326. KdPrintEx((DPFLTR_DCOMSS_ID,
  327. DPFLTR_WARNING_LEVEL,
  328. "OR: OpenThreadToken failed %d\n",
  329. GetLastError()));
  331. status = OR_NOMEM;
  332. ASSERT(hClientToken == 0);
  333. goto Cleanup;
  334. }
  336. Cleanup:
  338. // status contains the result of the operation.
  339. if (fUsedAnonymousToken)
  340. {
  341. fSuccess = RevertToSelf();
  342. ASSERT(fSuccess);
  343. }
  344. else
  345. {
  346. RPC_STATUS t = RpcRevertToSelfEx(hCaller);
  347. ASSERT(t == RPC_S_OK);
  348. }
  350. return(status);
  351. }
  353. CToken::~CToken()
  354. {
  355. ASSERT(_lHKeyRefs == 0);
  356. ASSERT(_hHKCRKey == NULL);
  358. if (_hHKCRKey != NULL)
  359. {
  360. // Shouldn't happen...but close it anyway just in
  361. // case. Assert above will catch this if it occurs
  362. RegCloseKey(_hHKCRKey);
  363. }
  365. CloseHandle(_hImpersonationToken);
  367. if (NULL != _hJobObject)
  368. {
  369. TerminateJobObject(_hJobObject, 0);
  370. CloseHandle(_hJobObject);
  371. }
  372. }
  374. STDMETHODIMP CToken::QueryInterface(REFIID riid, LPVOID* ppv)
  375. {
  376. if (riid == IID_IUnknown || riid == IID_IUserToken)
  377. {
  378. *ppv = this;
  379. AddRef();
  380. return S_OK;
  381. }
  382. return E_NOINTERFACE;
  383. }
  385. STDMETHODIMP_(ULONG) CToken::AddRef()
  386. {
  387. return InterlockedIncrement(&_lRefs);
  388. }
  390. STDMETHODIMP_(ULONG) CToken::Release()
  391. {
  392. LONG lNewRefs;
  394. CMutexLock lock(&gcsTokenLock);
  396. lNewRefs = InterlockedDecrement(&_lRefs);
  397. if (lNewRefs == 0)
  398. {
  399. Remove();
  400. delete this;
  401. }
  403. return lNewRefs;
  404. }
  407. STDMETHODIMP
  408. CToken::GetUserClassesRootKey(HKEY* phKey)
  409. {
  410. CMutexLock lock(&gcsTokenLock);
  411. HRESULT hr = S_OK;
  413. if ( _lHKeyRefs++ == 0 )
  414. {
  415. ASSERT(_hHKCRKey == NULL);
  417. // The original IUserToken implementation allowed for not
  418. // having a token. That should never happen with a CToken.
  419. ASSERT(_hImpersonationToken);
  421. // Open per-user hive
  422. LONG lRet = RegOpenUserClassesRoot(_hImpersonationToken,
  423. 0,
  424. KEY_READ,
  425. &_hHKCRKey);
  426. if (lRet != ERROR_SUCCESS)
  427. {
  428. // Failed to open the user's HKCR. We're going to use
  429. // HKLM\Software\Classes.
  430. lRet = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
  431. L"Software\\Classes",
  432. 0,
  433. KEY_READ,
  434. &_hHKCRKey);
  435. if (lRet != ERROR_SUCCESS)
  436. {
  437. _hHKCRKey = NULL;
  438. --_lHKeyRefs;
  439. hr = HRESULT_FROM_WIN32(lRet);
  440. }
  441. }
  442. }
  443. *phKey = _hHKCRKey;
  444. return hr;
  445. }
  447. STDMETHODIMP
  448. CToken::ReleaseUserClassesRootKey()
  449. {
  450. CMutexLock lock(&gcsTokenLock);
  451. if (_hHKCRKey && (--_lHKeyRefs == 0) )
  452. {
  453. ASSERT(_hHKCRKey != HKEY_CLASSES_ROOT);
  454. RegCloseKey(_hHKCRKey);
  455. _hHKCRKey = NULL;
  456. }
  457. return S_OK;
  458. }
  460. STDMETHODIMP
  461. CToken::GetUserSid(BYTE **ppSid, USHORT *pcbSid)
  462. {
  463. // IUserToken interface assumes that sid lengths always
  464. // <= USHRT_MAX. Truncating here on purpose; assert is
  465. // to catch cases where this is a bad idea. GetLengthSid
  466. // is a very cheap call, so there's no need to cache it.
  467. DWORD dwSidLen = GetLengthSid(&_sid);
  468. ASSERT(dwSidLen <= USHRT_MAX);
  470. *pcbSid = (USHORT)dwSidLen;
  471. *ppSid = (BYTE*)&_sid;
  473. return S_OK;
  474. }
  476. STDMETHODIMP
  477. CToken::GetUserToken(HANDLE* phToken)
  478. {
  479. *phToken = _hImpersonationToken;
  480. return S_OK;
  481. }
  483. void
  484. CToken::Impersonate()
  485. {
  486. ASSERT(_hImpersonationToken);
  488. BOOL f = SetThreadToken(0, _hImpersonationToken);
  489. ASSERT(f);
  491. return;
  492. }
  494. void
  495. CToken::Revert()
  496. {
  497. BOOL f = SetThreadToken(0, 0);
  498. ASSERT(f);
  499. return;
  500. }
  502. ULONG GetSessionId2(
  503. HANDLE hToken)
  504. {
  505. BOOL Result;
  506. ULONG SessionId = 0;
  507. ULONG ReturnLength;
  509. //
  510. // Use the _HYDRA_ extension to GetTokenInformation to
  511. // return the SessionId from the token.
  512. //
  514. Result = GetTokenInformation(
  515. hToken,
  516. TokenSessionId,
  517. &SessionId,
  518. sizeof(SessionId),
  519. &ReturnLength
  520. );
  522. if( !Result ) {
  523. SessionId = 0; // Default to console
  524. }
  526. return SessionId;
  527. }
  529. ULONG CToken::GetSessionId()
  530. {
  531. return GetSessionId2(_hImpersonationToken);
  532. }
  534. BOOL CToken::MatchModifiedLuid(LUID luid)
  535. {
  536. ASSERT(_hImpersonationToken);
  538. TOKEN_STATISTICS ts;
  539. BOOL fSuccess;
  540. DWORD needed;
  541. LUID luidMod;
  542. needed = sizeof(ts);
  543. fSuccess = GetTokenInformation(_hImpersonationToken,
  544. TokenStatistics,
  545. &ts,
  546. sizeof(ts),
  547. &needed
  548. );
  549. if (!fSuccess)
  550. {
  551. KdPrintEx((DPFLTR_DCOMSS_ID,
  552. DPFLTR_WARNING_LEVEL,
  553. "OR: GetTokenInfo failed %d\n",
  554. GetLastError()));
  556. ASSERT(GetLastError() != ERROR_INSUFFICIENT_BUFFER);
  557. return FALSE;
  558. }
  559. luidMod = ts.ModifiedId;
  560. return( luidMod.LowPart == luid.LowPart
  561. && luidMod.HighPart == luid.HighPart);
  562. }
  564. HRESULT CompareRestrictedSids(
  565. HANDLE hToken1,
  566. HANDLE hToken2)
  567. {
  568. HRESULT hr = S_OK;
  569. PSID pRestrictedSid1 = NULL;
  570. PSID pRestrictedSid2 = NULL;
  572. #if(_WIN32_WINNT >= 0x0500)
  573. PTOKEN_GROUPS pSids1;
  574. PTOKEN_GROUPS pSids2;
  575. NTSTATUS error;
  576. ULONG needed;
  578. //Get restricted SIDs.
  579. needed = DEBUG_MIN(1, 300);
  580. do
  581. {
  582. pSids1 = (PTOKEN_GROUPS) alloca(needed);
  584. error = NtQueryInformationToken(hToken1,
  585. TokenRestrictedSids,
  586. pSids1,
  587. needed,
  588. &needed);
  590. }
  591. while (error == STATUS_BUFFER_TOO_SMALL);
  593. if(!error && pSids1->GroupCount > 0)
  594. {
  595. pRestrictedSid1 = pSids1->Groups[0].Sid;
  596. }
  598. //Get restricted SIDs.
  599. needed = DEBUG_MIN(1, 300);
  600. do
  601. {
  602. pSids2 = (PTOKEN_GROUPS) alloca(needed);
  604. error = NtQueryInformationToken(hToken2,
  605. TokenRestrictedSids,
  606. pSids2,
  607. needed,
  608. &needed);
  610. }
  611. while (error == STATUS_BUFFER_TOO_SMALL);
  613. if(!error && pSids2->GroupCount > 0)
  614. {
  615. pRestrictedSid2 = pSids2->Groups[0].Sid;
  616. }
  618. if(pRestrictedSid1 && pRestrictedSid2)
  619. {
  620. //We have two restricted tokens.
  621. //Compare the first restricted SID.
  622. if(EqualSid(pRestrictedSid1, pRestrictedSid2))
  623. {
  624. hr = S_OK;
  625. }
  626. else
  627. {
  628. hr = S_FALSE;
  629. }
  630. }
  631. else if(pRestrictedSid1 || pRestrictedSid2)
  632. {
  633. //We have one restricted token and one normal token.
  634. hr = S_FALSE;
  635. }
  636. else
  637. {
  638. //We have two normal tokens.
  639. hr = S_OK;
  640. }
  642. #endif //(_WIN32_WINNT >= 0x0500)
  643. return hr;
  644. }
  647. HRESULT
  648. CToken::MatchToken(
  649. IN HANDLE hToken,
  650. IN BOOL bMatchRestricted)
  651. {
  652. HRESULT hr;
  653. NTSTATUS error;
  654. PTOKEN_USER ptu;
  655. DWORD needed = DEBUG_MIN(1, 0x2c);
  657. //Get the user SID.
  658. do
  659. {
  660. ptu = (PTOKEN_USER)alloca(needed);
  662. error = NtQueryInformationToken(hToken,
  663. TokenUser,
  664. (PBYTE)ptu,
  665. needed,
  666. &needed);
  668. // If this assert is hit increase the 24 both here and above
  669. ASSERT(needed <= 0x2c);
  670. }
  671. while (error == STATUS_BUFFER_TOO_SMALL);
  673. if (error)
  674. {
  675. KdPrintEx((DPFLTR_DCOMSS_ID,
  676. DPFLTR_WARNING_LEVEL,
  677. "OR: GetTokenInfo (2) failed %d\n",
  678. error));
  680. return HRESULT_FROM_WIN32(error);
  681. }
  683. //Compare the user SID.
  684. if(!EqualSid(ptu->User.Sid, &_sid))
  685. return S_FALSE;
  687. //Compare the Hydra session ID.
  688. if(GetSessionId2(hToken) != GetSessionId())
  689. return S_FALSE;
  691. //Compare the restricted SID.
  692. if (bMatchRestricted)
  693. hr = CompareRestrictedSids(hToken, _hImpersonationToken);
  694. else
  695. hr = S_OK;
  697. return hr;
  698. }
  700. HRESULT
  701. CToken::MatchToken2(
  702. IN CToken *pToken,
  703. IN BOOL bMatchRestricted)
  704. {
  705. HRESULT hr;
  707. if(!pToken)
  708. return S_OK;
  710. //Compare the user SID.
  711. if(!EqualSid(&pToken->_sid, &_sid))
  712. return S_FALSE;
  714. //Compare the Hydra session id.
  715. if(GetSessionId2(pToken->_hImpersonationToken) != GetSessionId())
  716. return S_FALSE;
  718. //Compare the restricted SID.
  719. if (bMatchRestricted)
  720. hr = CompareRestrictedSids(pToken->_hImpersonationToken, _hImpersonationToken);
  721. else
  722. hr = S_OK;
  724. return hr;
  725. }
  727. HRESULT
  728. CToken::CompareSaferLevels(CToken *pToken)
  729. /*++
  731. Routine Description:
  733. Compare the safer trust level of the specified token with
  734. our own.
  736. Arguments:
  738. pToken - token to compare against
  740. Return Value:
  742. S_FALSE: This token is of lesser authorization than the
  743. other token.
  744. S_OK: This token is of greater or equal authorization
  745. than the other token.
  747. Anything else: An error occured.
  749. --*/
  750. {
  751. if (!pToken) return S_OK;
  753. return CompareSaferLevels(pToken->_hImpersonationToken);
  754. }
  756. HRESULT
  757. CToken::CompareSaferLevels(HANDLE hToken)
  758. /*++
  760. Routine Description:
  762. Compare the safer trust level of the specified token with
  763. our own.
  765. Arguments:
  767. hToken - token to compare against
  769. Return Value:
  771. S_FALSE: This token is of lesser authorization than the
  772. other token.
  773. S_OK: This token is of greater or equal authorization
  774. than the other token.
  776. Anything else: An error occured.
  778. --*/
  779. {
  780. HRESULT hr = S_OK;
  781. DWORD dwResult;
  782. BOOL bRet = SaferiCompareTokenLevels(_hImpersonationToken, hToken,
  783. &dwResult);
  784. if (bRet)
  785. {
  786. // -1 = Client's access token (_hImpersonationToken) is more authorized
  787. // than Server's (hToken).
  788. if ( ((LONG)dwResult) > 0 )
  789. hr = S_FALSE;
  790. }
  791. else
  792. hr = HRESULT_FROM_WIN32(GetLastError());
  794. return hr;
  795. }
  797. // NT #307301
  798. // Sometimes we just need to check the SessionID
  800. HRESULT
  801. CToken::MatchTokenSessionID(CToken *pToken)
  802. {
  803. //Compare the Hydra session id.
  804. if(GetSessionId2(pToken->_hImpersonationToken) != GetSessionId())
  805. return S_FALSE;
  807. return S_OK;
  808. }
  810. //
  811. // MatchTokenLUID
  812. //
  813. // Compares this token's LUID to that of the passed in token.
  814. // Returns S_OK on a match, S_FALSE on a mismatch.
  815. //
  816. HRESULT CToken::MatchTokenLuid(CToken* pToken)
  817. {
  818. return MatchLuid(pToken->_luid) ? S_OK : S_FALSE;
  819. }