archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/tools/cacls2/sacls/sacls.c

543 lines
15 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*--
  3. Copyright (c) 1996-1997 Microsoft Corporation
  5. Module Name:
  7. sacls.c
  9. Abstract:
  11. Extended version of cacls.exe
  13. Author:
  15. 14-Dec-1996 (macm)
  17. Environment:
  19. User mode only.
  20. Requires ANSI C extensions: slash-slash comments, long external names.
  22. Revision History:
  24. --*/
  26. #include <nt.h>
  27. #include <ntrtl.h>
  28. #include <nturtl.h>
  29. #include <seopaque.h>
  30. #include <windows.h>
  31. #include <caclscom.h>
  32. #include <dsysdbg.h>
  33. #include <stdio.h>
  34. #include <aclapi.h>
  36. #define CMD_PRESENT(index, list) ((list)[index].iIndex != -1)
  38. #define NO_INHERIT_ONLY
  40. //
  41. // Enumeration of command tags
  42. //
  43. typedef enum _CMD_TAGS {
  44. CmdTree = 0,
  45. CmdEdit,
  46. CmdContinue,
  47. CmdSuccess,
  48. CmdRevoke,
  49. CmdFail,
  50. CmdICont,
  51. CmdIObj,
  52. #ifndef NO_INHERIT_ONLY
  53. CmdIOnly,
  54. #endif
  55. CmdIProp
  56. } CMD_TAGS, *PCMD_TAGS;
  58. VOID
  59. Usage (
  60. IN PCACLS_STR_RIGHTS pStrRights,
  61. IN INT cStrRights,
  62. IN PCACLS_CMDLINE pCmdVals
  63. )
  64. /*++
  66. Routine Description:
  68. Displays the expected usage
  70. Arguments:
  72. Return Value:
  74. VOID
  76. --*/
  77. {
  78. INT i;
  80. printf("Displays or modifies audit control lists (ACLs) of files. You need \"Manage "
  81. "auditing and security log\" privilege to run this utility.\n\n" );
  83. printf("SACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]\n");
  84. printf(" [/P user:perm [...]] [/D user [...]]\n");
  85. printf(" filename Displays ACLs.\n");
  86. printf(" /%s Changes ACLs of specified files in\n", pCmdVals[CmdTree].pszSwitch);
  87. printf(" the current directory and all subdirectories.\n");
  88. printf(" /%s Edit ACL instead of replacing it.\n", pCmdVals[CmdEdit].pszSwitch);
  89. printf(" /%s Continue on access denied errors.\n",
  90. pCmdVals[CmdContinue].pszSwitch);
  91. printf(" /%s user:perms Add specified user successful access auditing\n",
  92. pCmdVals[CmdSuccess].pszSwitch);
  93. printf(" /%s user Revoke specified user's auditing rights (only valid with /E).\n",
  94. pCmdVals[CmdRevoke].pszSwitch);
  95. printf(" /%s user:perms Add specified user failed access auditing.\n",
  96. pCmdVals[CmdFail].pszSwitch);
  97. printf(" /%s Mark the ace as CONTAINER_INHERIT (directory inherit)\n",
  98. pCmdVals[CmdICont].pszSwitch);
  99. printf(" /%s Mark the ace as OBJECT_INHERIT\n", pCmdVals[CmdIObj].pszSwitch);
  100. #ifndef NO_INHERIT_ONLY
  101. printf(" /%s Mark the ace as INHERIT_ONLY\n", pCmdVals[CmdIOnly].pszSwitch);
  102. #endif
  103. printf(" /%s Mark the ace as INHERIT_NO_PROPAGATE\n",
  104. pCmdVals[CmdIProp].pszSwitch);
  105. printf("The list of supported perms for Success and Failure auditing are:\n");
  107. for (i = 0; i < cStrRights; i++) {
  109. printf(" %c%c %s\n",
  110. pStrRights[i].szRightsTag[0],
  111. pStrRights[i].szRightsTag[1],
  112. pStrRights[i].pszDisplayTag);
  113. }
  116. printf("\nMultiple perms can be specified per user\n");
  118. printf("Wildcards can be used to specify more that one file in a command.\n");
  119. printf("You can specify more than one user in a command.\n\n");
  121. printf("Example: SACLS c:\\temp /S user1:GRGW user2:SDRC /F user3:GF\n");
  122. }
  126. DWORD
  127. MergeAcls (
  128. IN PACL pOldAcl,
  129. IN PACL pNewAcl
  130. )
  131. /*++
  133. Routine Description:
  135. Merges the old acl into the new one, by combining any identical aces. It is assumed that
  136. the destintation acl is of sufficient size. No allocations will be done, but an error will
  137. be returned if it isn't
  139. Arguments:
  141. pOldAcl - The acl to be merged
  143. pNewAcl - The acl to be merged into
  145. Return Value:
  147. ERROR_SUCCESS -- Success
  149. --*/
  150. {
  151. DWORD dwErr = ERROR_SUCCESS;
  152. PACE_HEADER pNewAce, pOldAce;
  153. DWORD iNewAce, iOldAce;
  154. BOOL fFound;
  156. //
  157. // If the new acl is empty, simply copy the new one over
  158. //
  159. if (pNewAcl->AceCount == 0 ) {
  161. memcpy((PVOID)((PBYTE)pNewAcl + sizeof(ACL)), (PBYTE)pOldAcl + sizeof(ACL),
  162. pOldAcl->AclSize - sizeof(ACL));
  163. pNewAcl->AceCount = pOldAcl->AceCount;
  164. return(ERROR_SUCCESS);
  166. }
  168. pOldAce = (PACE_HEADER)FirstAce(pOldAcl);
  170. for ( iOldAce = 0;
  171. iOldAce < pOldAcl->AceCount && dwErr == ERROR_SUCCESS;
  172. iOldAce++, pOldAce = (PACE_HEADER)NextAce(pOldAce) ) {
  174. fFound = FALSE;
  176. //
  177. // We'll walk each of the existing acls, and try and compress the new
  178. // acls out of existance
  179. //
  180. pNewAce = (PACE_HEADER)FirstAce(pNewAcl);
  181. for ( iNewAce = 0;
  182. iNewAce < pOldAcl->AceCount && dwErr == ERROR_SUCCESS;
  183. iNewAce++, pNewAce = (PACE_HEADER)NextAce(pNewAce) ) {
  185. if ( EqualSid ( (PSID)(&((PSYSTEM_AUDIT_ACE)pNewAce)->SidStart),
  186. (PSID)(&((PSYSTEM_AUDIT_ACE)pOldAce)->SidStart) ) &&
  187. pNewAce->AceType == pOldAce->AceType &&
  188. (pNewAce->AceFlags & VALID_INHERIT_FLAGS) == 0 &&
  189. (pOldAce->AceFlags & VALID_INHERIT_FLAGS) == 0 &&
  190. ((PSYSTEM_AUDIT_ACE)pNewAce)->Mask == ((PSYSTEM_AUDIT_ACE)pOldAce)->Mask) {
  192. ((PSYSTEM_AUDIT_ACE)pNewAce)->Mask |=
  193. ((PSYSTEM_AUDIT_ACE)pOldAce)->Mask;
  194. pNewAce->AceFlags |= pOldAce->AceFlags;
  195. fFound = TRUE;
  197. break;
  199. }
  200. }
  202. if ( fFound != TRUE ) {
  204. //
  205. // We'll have to add it
  206. //
  207. if ( !AddAuditAccessAce (
  208. pNewAcl,
  209. ACL_REVISION2,
  210. ((PSYSTEM_AUDIT_ACE)pOldAce)->Mask,
  211. (PSID)(&((PSYSTEM_AUDIT_ACE)pOldAce)->SidStart),
  212. (pOldAce->AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG),
  213. (pOldAce->AceFlags & FAILED_ACCESS_ACE_FLAG) ) ) {
  215. dwErr = GetLastError();
  216. break;
  217. }
  218. }
  220. }
  223. return(dwErr);
  224. }
  228. INT
  229. __cdecl main (
  230. int argc,
  231. char *argv[])
  232. /*++
  234. Routine Description:
  236. The main the for this executable
  238. Arguments:
  240. argc - Count of arguments
  241. argv - List of arguments
  243. Return Value:
  245. VOID
  247. --*/
  248. {
  249. DWORD dwErr = 0;
  250. CACLS_STR_RIGHTS pStrRights[] = {
  251. "GR", GENERIC_READ, "Read",
  252. "GC", GENERIC_WRITE, "Change (write)",
  253. "GF", GENERIC_ALL, "Full rights",
  254. "SD", DELETE, "Delete",
  255. "RC", READ_CONTROL, "Read Control",
  256. "WP", WRITE_DAC, "Write DAC",
  257. "WO", WRITE_OWNER, "Write Owner",
  258. "RD", FILE_READ_DATA, "Read Data (on file) / List Directory (on Dir)",
  259. "WD", FILE_WRITE_DATA, "Write Data (on file) / Add File (on Dir)",
  260. "AD", FILE_APPEND_DATA, "Append Data (on file) / Add SubDir (on Dir)",
  261. "FE", FILE_EXECUTE, "Execute (on file) / Traverse (on Dir)",
  262. "DC", FILE_DELETE_CHILD, "Delete Child (on Dir only)",
  263. "RA", FILE_READ_ATTRIBUTES, "Read Attributes",
  264. "WA", FILE_WRITE_ATTRIBUTES, "Write Attributes",
  265. "RE", FILE_READ_EA, "Read Extended Attributes",
  266. "WE", FILE_WRITE_EA, "Write Extended Attributes"
  267. };
  268. INT cStrRights = sizeof(pStrRights) / sizeof(CACLS_STR_RIGHTS);
  269. CACLS_CMDLINE pCmdVals[] = {
  270. "T", -1, FALSE, 0, // CmdTree
  271. "E", -1, FALSE, 0, // CmdEdit
  272. "C", -1, FALSE, 0, // CmdContinue
  273. "S", -1, TRUE, 0, // CmdSuccess
  274. "R", -1, TRUE, 0, // CmdRevoke
  275. "F", -1, TRUE, 0, // CmdFail
  276. "D", -1, FALSE, 0, // CmdICont
  277. "O", -1, FALSE, 0, // CmdIObj
  278. #ifndef NO_INHERIT_ONLY
  279. "I", -1, FALSE, 0, // CmdIOnly
  280. #endif
  281. "N", -1, FALSE, 0, // CmdIProp
  282. };
  283. INT cCmdVals = sizeof(pCmdVals) / sizeof(CACLS_CMDLINE);
  284. INT i;
  285. PSECURITY_DESCRIPTOR pInitialSD = NULL, pFinalSD;
  286. PACL pOldAcl = NULL, pSuccessAcl = NULL, pFailAcl = NULL;
  287. DWORD fInherit = 0;
  288. HANDLE hProcessToken;
  291. if (argc < 2) {
  293. Usage( pStrRights, cStrRights, pCmdVals );
  294. return(1);
  296. } else if (argc == 2 && (strcmp(argv[1], "-?") == 0 || strcmp(argv[1], "/?") == 0)) {
  298. Usage( pStrRights, cStrRights, pCmdVals );
  299. return(0);
  301. }
  304. //
  305. // Parse the command line
  306. //
  307. dwErr = ParseCmdline(argv, argc, 2, pCmdVals, cCmdVals);
  309. if (dwErr != ERROR_SUCCESS) {
  311. Usage( pStrRights, cStrRights, pCmdVals );
  312. return(1);
  314. }
  316. //
  317. // Set our inheritance flags
  318. //
  319. if (CMD_PRESENT(CmdICont, pCmdVals)) {
  321. fInherit |= CONTAINER_INHERIT_ACE;
  322. }
  324. if (CMD_PRESENT(CmdIObj, pCmdVals)) {
  326. fInherit |= OBJECT_INHERIT_ACE;
  327. }
  329. #ifndef NO_INHERIT_ONLY
  330. if (CMD_PRESENT(CmdIOnly, pCmdVals)) {
  332. fInherit |= INHERIT_ONLY_ACE;
  333. }
  334. #endif
  336. if (CMD_PRESENT(CmdIProp, pCmdVals)) {
  338. fInherit |= NO_PROPAGATE_INHERIT_ACE;
  339. }
  342. //
  343. // Enable the read sacl privs
  344. //
  345. if ( OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &hProcessToken ) == FALSE) {
  347. dwErr = GetLastError();
  349. } else {
  351. TOKEN_PRIVILEGES EnableSeSecurity;
  352. TOKEN_PRIVILEGES Previous;
  353. DWORD PreviousSize;
  355. EnableSeSecurity.PrivilegeCount = 1;
  356. EnableSeSecurity.Privileges[0].Luid.LowPart = SE_SECURITY_PRIVILEGE;
  357. EnableSeSecurity.Privileges[0].Luid.HighPart = 0;
  358. EnableSeSecurity.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
  359. PreviousSize = sizeof(Previous);
  361. if (AdjustTokenPrivileges( hProcessToken, FALSE, &EnableSeSecurity,
  362. sizeof(EnableSeSecurity), &Previous,
  363. &PreviousSize ) == FALSE) {
  365. dwErr = GetLastError();
  366. }
  367. }
  371. //
  372. // Ok, see if we need to read the existing security
  373. //
  374. if ( dwErr == ERROR_SUCCESS && (CMD_PRESENT(CmdEdit, pCmdVals) || argc == 2 )) {
  376. dwErr = GetNamedSecurityInfoA( argv[1], SE_FILE_OBJECT, SACL_SECURITY_INFORMATION,
  377. NULL, NULL, NULL, &pOldAcl, &pInitialSD );
  378. if ( dwErr != ERROR_SUCCESS ) {
  380. fprintf(stderr, "Failed to read the security off of %s: %lu\n", argv[1], dwErr);
  381. }
  383. }
  385. //
  386. // Either display the existing access or do the sets as requested
  387. //
  388. if (dwErr == ERROR_SUCCESS && argc == 2) {
  390. dwErr = DisplayAcl ( argv[1], pOldAcl, pStrRights, cStrRights );
  392. } else {
  394. //
  395. // Ok, first we do the revokes
  396. //
  397. if (dwErr == ERROR_SUCCESS && CMD_PRESENT(CmdRevoke, pCmdVals)) {
  399. PACL pNewAcl;
  401. //
  402. // Make sure we've read it first...
  403. //
  404. if (CMD_PRESENT(CmdEdit, pCmdVals)) {
  406. dwErr = ProcessOperation( argv, &pCmdVals[CmdRevoke], REVOKE_ACCESS, pStrRights,
  407. cStrRights, fInherit, pOldAcl, &pNewAcl );
  409. if (dwErr == ERROR_SUCCESS) {
  411. LocalFree(pOldAcl);
  412. pOldAcl = pNewAcl;
  413. }
  415. } else {
  417. dwErr = ERROR_INVALID_PARAMETER;
  418. }
  420. }
  422. //
  423. // Then the audit failures
  424. //
  425. if (dwErr == ERROR_SUCCESS && CMD_PRESENT(CmdFail, pCmdVals)) {
  427. dwErr = ProcessOperation(argv, &pCmdVals[CmdFail], SET_AUDIT_FAILURE, pStrRights,
  428. cStrRights, 0, NULL, &pFailAcl);
  429. }
  431. //
  432. // Finally, the audit success
  433. //
  434. if (dwErr == ERROR_SUCCESS && CMD_PRESENT(CmdSuccess, pCmdVals)) {
  436. dwErr = ProcessOperation(argv, &pCmdVals[CmdSuccess], SET_AUDIT_SUCCESS, pStrRights,
  437. cStrRights, 0, NULL, &pSuccessAcl);
  439. }
  443. //
  444. // Finally, do the set
  445. //
  446. if (dwErr == ERROR_SUCCESS) {
  448. PACL pNewAcl;
  449. USHORT usSize = 0;
  451. //
  452. // In order to do this, we'll have to combine any of the up to 3 acls we created
  453. // above. The order will be:
  454. // FAILURE
  455. // SUCCESS
  456. // OLD SACL
  457. //
  458. if ( pOldAcl != NULL ) {
  460. usSize += pOldAcl->AclSize;
  461. }
  463. if ( pFailAcl != NULL ) {
  465. usSize += pFailAcl->AclSize;
  466. }
  468. if ( pSuccessAcl != NULL ) {
  470. usSize += pSuccessAcl->AclSize;
  471. }
  473. ASSERT(usSize != 0);
  475. pNewAcl = (PACL)LocalAlloc(LMEM_FIXED, sizeof(ACL) + usSize);
  477. if ( pNewAcl == NULL ) {
  479. dwErr = ERROR_NOT_ENOUGH_MEMORY;
  481. } else {
  483. pNewAcl->AclRevision = ACL_REVISION2;
  484. pNewAcl->Sbz1 = 0;
  485. pNewAcl->AclSize = usSize + sizeof(ACL);
  486. pNewAcl->AceCount = 0;
  487. pNewAcl->Sbz2 = 0;
  489. if( pFailAcl != NULL ) {
  491. dwErr = MergeAcls( pFailAcl, pNewAcl );
  493. }
  495. if( pSuccessAcl != NULL ) {
  497. dwErr = MergeAcls( pSuccessAcl, pNewAcl );
  499. }
  502. if( pOldAcl != NULL ) {
  504. dwErr = MergeAcls( pOldAcl, pNewAcl );
  505. }
  507. }
  509. if (dwErr == ERROR_SUCCESS ) {
  511. dwErr = SetAndPropagateFileRights(argv[1], pNewAcl, SACL_SECURITY_INFORMATION,
  512. CMD_PRESENT(CmdTree, pCmdVals),
  513. CMD_PRESENT(CmdContinue, pCmdVals), TRUE,
  514. fInherit);
  516. LocalFree(pNewAcl);
  517. }
  518. }
  520. if (dwErr == ERROR_INVALID_PARAMETER) {
  522. Usage( pStrRights, cStrRights, pCmdVals );
  523. }
  525. LocalFree(pInitialSD);
  526. }
  528. LocalFree(pOldAcl);
  529. LocalFree(pFailAcl);
  530. LocalFree(pSuccessAcl);
  532. if(dwErr == ERROR_SUCCESS) {
  534. printf("The command completed successfully\n");
  536. } else {
  538. printf("The command failed with an error %lu\n", dwErr);
  540. }
  542. return(dwErr == 0 ? 0 : 1);
  543. }