|
|
/*++
Copyright (c) 1999 Microsoft Corporation
Abstract:
@doc @module security.cxx | Implementation of IsAdministrator @end
Author:
Adi Oltean [aoltean] 07/09/1999
TBD: Add comments.
Revision History:
Name Date Comments aoltean 07/09/1999 Created aoltean 08/26/1999 Adding RegisterProvider aoltean 08/26/1999 Adding UnregisterProvider aoltean 08/27/1999 Adding IsAdministrator, Adding unique provider name test. aoltean 08/30/1999 Calling OnUnregister on un-registering Improving IsProviderNameAlreadyUsed. aoltean 09/09/1999 dss -> vss aoltean 09/21/1999 Adding a new header for the "ptr" class. aoltean 09/27/1999 Adding new headers aoltean 10/15/1999 Moving declaration in security.hxx aoltean 01/18/2000 Moved into a separate directory brianb 04/04/2000 Add IsBackupOperator brianb 04/27/2000 Change IsBackupOperator to check SE_BACKUP_NAME privilege brianb 05/03/2000 Added GetClientTokenOwner method brianb 05/10/2000 fix problem with uninitialized variable brianb 05/12/2000 handle in proc case for impersonation failures
--*/
/////////////////////////////////////////////////////////////////////////////
// Includes
#include "stdafx.hxx"
#include "vs_inc.hxx"
#include "vs_sec.hxx"
#include "vssmsg.h"
////////////////////////////////////////////////////////////////////////
// Standard foo for file name aliasing. This code block must be after
// all includes of VSS header files.
//
#ifdef VSS_FILE_ALIAS
#undef VSS_FILE_ALIAS
#endif
#define VSS_FILE_ALIAS "SECSECRC"
//
////////////////////////////////////////////////////////////////////////
BOOL DoImpersonate ( BOOL bImpersonate, HANDLE *phToken ) { CVssFunctionTracer ft(VSSDBG_GEN, L"DoImpersonate"); if (bImpersonate) { // Impersonate the client to get its identity access token.
// The client should not have RPC_C_IMP_LEVEL_ANONYMOUS otherwise an error will be returned
ft.hr = ::CoImpersonateClient(); if (ft.hr == RPC_E_CALL_COMPLETE) { // this means that the call came from the same thread
// do not do impersonation. Just use the process
// token
bImpersonate = false; ft.hr = S_OK; } else { BOOL bRes;
ft.CheckForError(VSSDBG_GEN, L"CoImpersonateClient");
// Get the Access Token of the client calling process in order to establish the client identity
CVssAutoWin32Handle hThread = ::GetCurrentThread(); // CloseHandle have no effect here
bRes = ::OpenThreadToken ( hThread, // IN HANDLE ThreadHandle,
TOKEN_QUERY, // IN DWORD DesiredAccess,
TRUE, // IN BOOL OpenAsSelf (TRUE means not the client calling thread's access token)
phToken // OUT PHANDLE TokenHandle
);
DWORD dwErr = GetLastError();
// Revert the thread's access token - finish the impersonation
ft.hr = ::CoRevertToSelf(); ft.CheckForError(VSSDBG_GEN, L"CoRevertToSelf");
if (!bRes) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(dwErr), L"OpenThreadToken" ); } }
// note that the previous if statement may change the value
// of bImpersonate. This is why we can't just put this in an
// else clause
if (!bImpersonate) { if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,phToken)) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"OpenProcessToken" ); }
return bImpersonate; }
bool IsInGroup(DWORD dwGroup, bool bImpersonate)
/*++
Routine Description:
Return TRUE if the current thread/process is running under the context of an administrator
Arguments:
none
Remarks:
The current impersonation thread is asked for the access token. After that we check if the specified group is between token groups.
Return Value:
true, if the caller thread is running under the context of the specified group false, otherwise
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ CVssFunctionTracer ft( VSSDBG_GEN, L"IsInGroup" );
BOOL bIsInGroup = FALSE; PSID psidGroup = NULL; BOOL bRes;
// Reset the error code
ft.hr = S_OK;
// Build the SID for the Administrators group
SID_IDENTIFIER_AUTHORITY SidAuth = SECURITY_NT_AUTHORITY; bRes = AllocateAndInitializeSid ( &SidAuth, // IN PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
2, // IN BYTE nSubAuthorityCount,
SECURITY_BUILTIN_DOMAIN_RID, // IN DWORD nSubAuthority0,
dwGroup, // IN DWORD nSubAuthority1,
0, // IN DWORD nSubAuthority2,
0, // IN DWORD nSubAuthority3,
0, // IN DWORD nSubAuthority4,
0, // IN DWORD nSubAuthority5,
0, // IN DWORD nSubAuthority6,
0, // IN DWORD nSubAuthority7,
&psidGroup // OUT PSID *pSid
);
if (!bRes) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"AllocateAndInitializeSid" );
try {
if (!bImpersonate) bRes = CheckTokenMembership(NULL, psidGroup, &bIsInGroup); else { CVssAutoWin32Handle hToken;
// impersonate client (or get process token)
if (DoImpersonate(true, hToken.ResetAndGetAddress())) // check token membership
bRes = CheckTokenMembership(hToken, psidGroup, &bIsInGroup); else // called from same thread
bRes = CheckTokenMembership(NULL, psidGroup, &bIsInGroup); }
if (!bRes) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"CheckTokenMembership" );
} VSS_STANDARD_CATCH(ft)
HRESULT hr = ft.hr;
// Catch possible AVs
try { // Free the previously allocated SID
if (psidGroup) ::FreeSid( psidGroup ); } VSS_STANDARD_CATCH(ft)
// Pass down the exception, if any
if (FAILED(hr)) throw(hr);
return bIsInGroup ? true : false; }
bool HasPrivilege(LPWSTR wszPriv, bool bImpersonate)
/*++
Routine Description:
Return TRUE if the current thread/process has a specific privilege
Arguments:
none
Remarks:
The current impersonation thread is asked for the access token. After that we check if the specified group is between token groups.
Return Value:
true, if the caller thread is running under the context of the specified group false, otherwise
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ CVssFunctionTracer ft( VSSDBG_GEN, L"HasPrivilege" );
BOOL bHasPrivilege = false; CVssAutoWin32Handle hToken;
LUID TokenValue; if (!LookupPrivilegeValue (NULL, wszPriv, &TokenValue)) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"LookupPrivilegeValue" );
DoImpersonate(bImpersonate, hToken.ResetAndGetAddress());
BYTE rgb[sizeof(LUID_AND_ATTRIBUTES) + sizeof(PRIVILEGE_SET)]; PRIVILEGE_SET *pSet = (PRIVILEGE_SET *) rgb;
pSet->PrivilegeCount = 1; pSet->Control = PRIVILEGE_SET_ALL_NECESSARY; pSet->Privilege[0].Luid = TokenValue; pSet->Privilege[0].Attributes = SE_PRIVILEGE_ENABLED; if (!PrivilegeCheck(hToken, pSet, &bHasPrivilege)) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"PrivilegeCheck" );
return bHasPrivilege ? true : false; }
TOKEN_OWNER *GetClientTokenOwner(BOOL bImpersonate)
/*++
Routine Description:
Return TOKEN_OWNER of client process
Arguments:
none
Remarks:
The current impersonation thread is asked for the access token. After that we return the client sid of that token
Return Value:
SID of client thread
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ CVssFunctionTracer ft( VSSDBG_GEN, L"GetClientTokenOwner" );
BOOL bRes;
CVssAutoWin32Handle hToken;
DoImpersonate(bImpersonate, hToken.ResetAndGetAddress());
DWORD cbSid; bRes = ::GetTokenInformation ( hToken, // IN HANDLE TokenHandle,
TokenOwner, // IN TOKEN_INFORMATION_CLASS TokenInformationClass,
NULL, // OUT LPVOID TokenInformation,
0, // IN DWORD TokenInformationLength,
&cbSid // OUT PDWORD ReturnLength
);
BS_ASSERT( bRes == FALSE );
DWORD dwError = GetLastError(); if ( dwError != ERROR_INSUFFICIENT_BUFFER ) { ft.LogError(VSS_ERROR_EXPECTED_INSUFFICENT_BUFFER, VSSDBG_GEN << (HRESULT) dwError); ft.Throw ( VSSDBG_GEN, E_UNEXPECTED, L"ERROR_INSUFFICIENT_BUFFER expected error . [0x%08lx]", dwError ); }
// Allocate the buffer needed to get the Token Groups information
TOKEN_OWNER *pToken = (TOKEN_OWNER*) new BYTE[cbSid]; if (pToken == NULL) ft.Throw(VSSDBG_GEN, E_OUTOFMEMORY, L"Memory allocation error.");
// Get the all Group SIDs in the token
DWORD cbTokenObtained; bRes = ::GetTokenInformation ( hToken, // IN HANDLE TokenHandle,
TokenOwner, // IN TOKEN_INFORMATION_CLASS TokenInformationClass,
pToken, // OUT LPVOID TokenInformation,
cbSid, // IN DWORD TokenInformationLength,
&cbTokenObtained // OUT PDWORD ReturnLength
);
if ( !bRes ) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"GetTokenInformation" );
if (cbTokenObtained != cbSid) { ft.LogError(VSS_ERROR_GET_TOKEN_INFORMATION_BUFFER_SIZE_MISMATCH, VSSDBG_GEN << (INT) cbTokenObtained << (INT) cbSid); ft.Throw ( VSSDBG_GEN, E_UNEXPECTED, L"Unexpected error. Final buffer size = %lu, original size was %lu", cbTokenObtained, cbSid ); }
return pToken; }
bool IsAdministrator()/*++
Routine Description:
Return TRUE if the current thread/process is running under the context of an administrator
Arguments:
none
Remarks:
The current impersonation thread is asked for the access token. After that we check if the Administrators group is between token groups.
Return Value:
true, if the caller thread is running under the context of an administrator false, otherwise
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ return IsInGroup(DOMAIN_ALIAS_RID_ADMINS, true); }
bool IsProcessAdministrator()/*++
Routine Description:
Return TRUE if the current process is running under the context of an administrator
Arguments:
none
Remarks: The current process is asked for the access token. After that we check if the Administrators group is between token groups.
Return Value:
true, if the process is running under the context of an administrator false, otherwise
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ return IsInGroup(DOMAIN_ALIAS_RID_ADMINS, false); }
bool IsBackupOperator()/*++
Routine Description:
Return TRUE if the current thread/process is running under the context of a backup operator
Arguments:
none
Remarks:
The current impersonation thread is asked for the access token. After that we check if the Administrators group is in the groups token or the backup privilege is enabled
Return Value:
true, if the caller thread is running under the context of an administrator false, otherwise
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ return HasPrivilege(SE_BACKUP_NAME, true) || IsAdministrator(); }
bool IsRestoreOperator()/*++
Routine Description:
Return TRUE if the current thread/process is running under the context of a restore operator
Arguments:
none
Remarks:
The current impersonation thread is asked for the access token. After that we check if the Administrators group is in the token groups or if the restore privilege is enabled.
Return Value:
true, if the caller thread is running under the context of an administrator false, otherwise
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ return HasPrivilege(SE_RESTORE_NAME, true) || IsAdministrator(); }
bool IsProcessBackupOperator()/*++
Routine Description:
Return TRUE if the current process is running under the context of a backup operator
Arguments:
none
Remarks:
Return Value:
true, if the process is running under the context of an administrator or has SE_BACKUP_NAME privilege enabled false, otherwise
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ return HasPrivilege(SE_BACKUP_NAME, false) || IsProcessAdministrator(); }
bool IsProcessRestoreOperator()/*++
Routine Description:
Return TRUE if the current process is running under the context of a restore operator
Arguments:
none
Remarks:
Return Value:
true, if the process is running under the context of an administrator or has the SE_RESTORE_NAME privilege; false otherwise
Thrown exceptions:
E_UNEXPECTED // Runtime error
E_OUTOFMEMORY // Memory allocation error
--*/
{ return HasPrivilege(SE_RESTORE_NAME, false) || IsProcessAdministrator(); }
// turn on a particular security privilege
HRESULT TurnOnSecurityPrivilege(LPCWSTR wszPriv)
/*++
Routine Description:
sets the specified privilege on the process token
Arguments:
none
Remarks:
Return Value: status code for operation
Thrown exceptions: none--*/
{ HANDLE hProcessToken = INVALID_HANDLE_VALUE; BOOL bProcessTokenValid = FALSE;
CVssFunctionTracer ft(VSSDBG_GEN, L"TurnOnSecurityPrivilege"); try { LUID TokenValue = {0, 0};
bProcessTokenValid = OpenProcessToken ( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hProcessToken );
if (!bProcessTokenValid) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"OpenProcessToken" );
if (!LookupPrivilegeValue (NULL, wszPriv, &TokenValue)) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"LookupPrivilegeValue" );
TOKEN_PRIVILEGES NewTokenPrivileges;
NewTokenPrivileges.PrivilegeCount = 1; NewTokenPrivileges.Privileges[0].Luid = TokenValue; NewTokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
// AdjustTokenPrivileges succeeds even the token isn't set
SetLastError(ERROR_SUCCESS);
AdjustTokenPrivileges ( hProcessToken, FALSE, &NewTokenPrivileges, sizeof (NewTokenPrivileges), NULL, NULL );
DWORD dwErr = GetLastError(); if (dwErr != ERROR_SUCCESS) ft.TranslateError ( VSSDBG_GEN, HRESULT_FROM_WIN32(GetLastError()), L"AdjustTokenPrivileges" ); } VSS_STANDARD_CATCH(ft)
if (bProcessTokenValid) CloseHandle (hProcessToken);
return ft.hr; }
// turn on backup security privilege
HRESULT TurnOnSecurityPrivilegeBackup() { return TurnOnSecurityPrivilege(SE_BACKUP_NAME); }
// turn on restore security privilege
HRESULT TurnOnSecurityPrivilegeRestore() { return TurnOnSecurityPrivilege(SE_RESTORE_NAME); }
// determine if the process is a local service
bool IsProcessLocalService() { CVssFunctionTracer ft(VSSDBG_GEN, L"IsProcessLocalService");
BYTE rgbSid[256]; DWORD cbSid = sizeof(rgbSid); TOKEN_OWNER *pOwner = GetClientTokenOwner(FALSE);
if (!CreateWellKnownSid(WinLocalServiceSid, NULL, (SID *) rgbSid, &cbSid)) { ft.hr = HRESULT_FROM_WIN32(GetLastError()); ft.CheckForError(VSSDBG_GEN, L"CreateWellKnownSid"); }
return EqualSid(pOwner->Owner, (SID *) rgbSid) ? true : false; }
// determine if the process is a local service
bool IsProcessNetworkService() { CVssFunctionTracer ft(VSSDBG_GEN, L"IsProcessNetworkService");
BYTE rgbSid[256]; TOKEN_OWNER *pOwner = GetClientTokenOwner(FALSE); DWORD cbSid = sizeof(rgbSid);
if (!CreateWellKnownSid(WinNetworkServiceSid, NULL, (SID *) rgbSid, &cbSid)) { ft.hr = HRESULT_FROM_WIN32(GetLastError()); ft.CheckForError(VSSDBG_GEN, L"CreateWellKnownSid"); }
return EqualSid(pOwner->Owner, (SID *) rgbSid) ? true : false; }
|
