archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/inetsrv/query/cifrmwrk/dll/secutil.cxx

347 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1998 - 1999.
  5. //
  6. // File: secutil.cxx
  7. //
  8. // Contents: security utility routines
  9. //
  10. // History: 10-April-98 dlee Created from 4 other copies in NT
  11. //
  12. //--------------------------------------------------------------------------
  14. #include <pch.cxx>
  15. #pragma hdrstop
  18. #include "secutil.hxx"
  20. //+-------------------------------------------------------------------------
  21. //
  22. // Function: InitAllowedAce
  23. //
  24. // Synopsis: Assignes the ACE values into the allowed ACE
  25. //
  26. // Arguments: [pAllowedAce] - Supplies a pointer to the ACE that is
  27. // initialized.
  28. // [AceSize] - Supplies the size of the ACE in bytes.
  29. // [InheritFlags] - Supplies ACE inherit flags.
  30. // [AceFlags] - Supplies ACE type specific control flags.
  31. // [Mask] - Supplies the allowed access masks.
  32. // [pAllowedSid] - Supplies the pointer to the SID of user/
  33. // group which is allowed the specified access.
  34. //
  35. // History: 10-April-98 dlee Stole from 4 other places in NT
  36. //
  37. //--------------------------------------------------------------------------
  39. void InitAllowedAce(
  40. ACCESS_ALLOWED_ACE * pAllowedAce,
  41. USHORT AceSize,
  42. BYTE InheritFlags,
  43. BYTE AceFlags,
  44. ACCESS_MASK Mask,
  45. SID * pAllowedSid )
  46. {
  47. pAllowedAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
  48. pAllowedAce->Header.AceSize = AceSize;
  49. pAllowedAce->Header.AceFlags = AceFlags | InheritFlags;
  50. pAllowedAce->Mask = Mask;
  52. if ( !CopySid( GetLengthSid( pAllowedSid ),
  53. &(pAllowedAce->SidStart),
  54. pAllowedSid ) )
  55. THROW( CException() );
  56. } //InitAllowedAce
  58. //+-------------------------------------------------------------------------
  59. //
  60. // Function: InitDeniedAce
  61. //
  62. // Synopsis: Assignes the ACE values into the denied ACE
  63. //
  64. // Arguments: [pDeniedAce] - Supplies a pointer to the ACE that is
  65. // initialized.
  66. // [AceSize] - Supplies the size of the ACE in bytes.
  67. // [InheritFlags] - Supplies ACE inherit flags.
  68. // [AceFlags] - Supplies ACE type specific control flags.
  69. // [Mask] - Supplies the allowed access masks.
  70. // [pDeniedSid] - Supplies the pointer to the SID of user/
  71. // group which is denied the specified access.
  72. //
  73. // History: 10-April-98 dlee Stole from 4 other places in NT
  74. //
  75. //--------------------------------------------------------------------------
  77. void InitDeniedAce(
  78. ACCESS_DENIED_ACE * pDeniedAce,
  79. USHORT AceSize,
  80. BYTE InheritFlags,
  81. BYTE AceFlags,
  82. ACCESS_MASK Mask,
  83. SID * pDeniedSid )
  84. {
  85. pDeniedAce->Header.AceType = ACCESS_DENIED_ACE_TYPE;
  86. pDeniedAce->Header.AceSize = AceSize;
  87. pDeniedAce->Header.AceFlags = AceFlags | InheritFlags;
  88. pDeniedAce->Mask = Mask;
  90. if( !CopySid( GetLengthSid( pDeniedSid ),
  91. &(pDeniedAce->SidStart),
  92. pDeniedSid ) )
  93. THROW( CException() );
  94. } //InitDeniedAce
  96. //+-------------------------------------------------------------------------
  97. //
  98. // Function: InitAuditAce
  99. //
  100. // Synopsis: Assignes the ACE values into the audit ACE
  101. //
  102. // Arguments: [pAuditAce] - Supplies a pointer to the ACE that is
  103. // initialized.
  104. // [AceSize] - Supplies the size of the ACE in bytes.
  105. // [InheritFlags] - Supplies ACE inherit flags.
  106. // [AceFlags] - Supplies ACE type specific control flags.
  107. // [Mask] - Supplies the allowed access masks.
  108. // [pAuditSid] - Supplies the pointer to the SID of user/
  109. // group which is audited
  110. //
  111. // History: 10-April-98 dlee Stole from 4 other places in NT
  112. //
  113. //--------------------------------------------------------------------------
  115. void InitAuditAce(
  116. ACCESS_ALLOWED_ACE * pAuditAce,
  117. USHORT AceSize,
  118. BYTE InheritFlags,
  119. BYTE AceFlags,
  120. ACCESS_MASK Mask,
  121. SID * pAuditSid )
  122. {
  123. pAuditAce->Header.AceType = SYSTEM_AUDIT_ACE_TYPE;
  124. pAuditAce->Header.AceSize = AceSize;
  125. pAuditAce->Header.AceFlags = AceFlags | InheritFlags;
  126. pAuditAce->Mask = Mask;
  128. if ( !CopySid( GetLengthSid( pAuditSid ),
  129. &(pAuditAce->SidStart),
  130. pAuditSid ) )
  131. THROW( CException() );
  132. } //InitAuditAce
  134. //+-------------------------------------------------------------------------
  135. //
  136. // Function: CiCreateSecurityDescriptor
  137. //
  138. // Synopsis: Creates a security descriptor from input data
  139. //
  140. // Arguments: [pAceData] - Array of input data
  141. // [cAces] - Count of items in pAceData
  142. // [OwnerSid] - 0 or the owner of the descriptor
  143. // [GroupSid] - 0 or group of the descriptor
  144. // [xAcls] - Resulting absolute SECURITY_DESCRIPTOR,
  145. // allocated to the required size.
  146. //
  147. // History: 10-April-98 dlee Stole from 4 other places in NT
  148. //
  149. //--------------------------------------------------------------------------
  151. void CiCreateSecurityDescriptor( ACE_DATA const * const pAceData,
  152. ULONG cAces,
  153. SID * pOwnerSid,
  154. SID * pGroupSid,
  155. XArray<BYTE> & xAcls )
  156. {
  157. //
  158. // This function returns a pointer to memory dynamically allocated to
  159. // hold the absolute security descriptor, the DACL, the SACL, and all
  160. // the ACEs:
  161. //
  162. // +---------------------------------------------------------------+
  163. // | Security Descriptor |
  164. // +-------------------------------+-------+---------------+-------+
  165. // | DACL | ACE 1 | . . . | ACE n |
  166. // +-------------------------------+-------+---------------+-------+
  167. // | SACL | ACE 1 | . . . | ACE n |
  168. // +-------------------------------+-------+---------------+-------+
  169. //
  171. DWORD cbDacl = sizeof ACL;
  172. DWORD cbSacl = sizeof ACL;
  173. DWORD cbMaxAce = 0;
  175. //
  176. // Compute the total size of the DACL and SACL ACEs and the maximum
  177. // size of any ACE.
  178. //
  180. for ( DWORD i = 0; i < cAces; i++ )
  181. {
  182. DWORD cbAce = GetLengthSid( pAceData[i].pSid );
  184. switch (pAceData[i].AceType)
  185. {
  186. case ACCESS_ALLOWED_ACE_TYPE:
  187. cbAce += sizeof ACCESS_ALLOWED_ACE;
  188. cbDacl += cbAce;
  189. break;
  191. case ACCESS_DENIED_ACE_TYPE:
  192. cbAce += sizeof ACCESS_DENIED_ACE;
  193. cbDacl += cbAce;
  194. break;
  196. case SYSTEM_AUDIT_ACE_TYPE:
  197. cbAce += sizeof SYSTEM_AUDIT_ACE;
  198. cbSacl += cbAce;
  199. break;
  201. default:
  202. Win4Assert( FALSE );
  203. }
  205. cbMaxAce = __max( cbMaxAce, cbAce );
  206. }
  208. //
  209. // Allocate a chunk of memory large enough the security descriptor
  210. // the DACL, the SACL and all ACEs.
  211. // A security descriptor is of opaque data type but
  212. // SECURITY_DESCRIPTOR_MIN_LENGTH is the right size.
  213. //
  215. DWORD cbTotal = SECURITY_DESCRIPTOR_MIN_LENGTH;
  217. if ( cbDacl != sizeof ACL )
  218. cbTotal += cbDacl;
  220. if ( cbSacl != sizeof ACL )
  221. cbTotal += cbSacl;
  223. xAcls.Init( cbTotal );
  224. SECURITY_DESCRIPTOR *pAbsoluteSd = (SECURITY_DESCRIPTOR *) xAcls.Get();
  226. //
  227. // Initialize the Dacl and Sacl
  228. //
  230. BYTE *pbCurrent = (BYTE *) pAbsoluteSd + SECURITY_DESCRIPTOR_MIN_LENGTH;
  231. ACL *pDacl = 0; // Pointer to the DACL portion of above buffer
  232. ACL *pSacl = 0; // Pointer to the SACL portion of above buffer
  234. if ( sizeof ACL != cbDacl )
  235. {
  236. pDacl = (ACL *) pbCurrent;
  237. pbCurrent += cbDacl;
  239. if( !InitializeAcl( pDacl, cbDacl, ACL_REVISION ) )
  240. THROW( CException() );
  241. }
  243. if ( sizeof ACL != cbSacl )
  244. {
  245. pSacl = (ACL *) pbCurrent;
  246. pbCurrent += cbSacl;
  248. if ( !InitializeAcl( pSacl, cbSacl, ACL_REVISION ) )
  249. THROW( CException() );
  250. }
  252. //
  253. // Allocate a temporary buffer big enough for the biggest ACE.
  254. // This is usually pretty small
  255. //
  257. XGrowable<BYTE> xMaxAce( cbMaxAce );
  259. //
  260. // Initialize each ACE, and append it into the end of the DACL or SACL.
  261. //
  263. for ( i = 0; i < cAces; i++ )
  264. {
  265. DWORD cbAce = GetLengthSid( pAceData[i].pSid );
  266. ACL *pCurrentAcl;
  268. switch (pAceData[i].AceType)
  269. {
  270. case ACCESS_ALLOWED_ACE_TYPE:
  271. cbAce += sizeof ACCESS_ALLOWED_ACE;
  272. pCurrentAcl = pDacl;
  273. InitAllowedAce( (ACCESS_ALLOWED_ACE *) xMaxAce.Get(),
  274. (USHORT) cbAce,
  275. pAceData[i].InheritFlags,
  276. pAceData[i].AceFlags,
  277. pAceData[i].Mask,
  278. pAceData[i].pSid );
  279. break;
  281. case ACCESS_DENIED_ACE_TYPE:
  282. cbAce += sizeof ACCESS_DENIED_ACE;
  283. pCurrentAcl = pDacl;
  284. InitDeniedAce( (ACCESS_DENIED_ACE *) xMaxAce.Get(),
  285. (USHORT) cbAce,
  286. pAceData[i].InheritFlags,
  287. pAceData[i].AceFlags,
  288. pAceData[i].Mask,
  289. pAceData[i].pSid );
  290. break;
  292. case SYSTEM_AUDIT_ACE_TYPE:
  293. cbAce += sizeof SYSTEM_AUDIT_ACE;
  294. pCurrentAcl = pSacl;
  296. // Audit uses ACCESS_ALLOWED_ACE
  298. InitAuditAce( (ACCESS_ALLOWED_ACE *) xMaxAce.Get(),
  299. (USHORT) cbAce,
  300. pAceData[i].InheritFlags,
  301. pAceData[i].AceFlags,
  302. pAceData[i].Mask,
  303. pAceData[i].pSid );
  304. break;
  305. }
  307. //
  308. // Append the initialized ACE to the end of DACL or SACL
  309. //
  311. if ( !AddAce( pCurrentAcl,
  312. ACL_REVISION,
  313. MAXULONG,
  314. xMaxAce.Get(),
  315. cbAce ) )
  316. THROW( CException() );
  317. }
  319. //
  320. // Create the security descriptor with absolute pointers to SIDs
  321. // and ACLs.
  322. //
  323. // Owner = pOwnerSid
  324. // Group = pGroupSid
  325. // Dacl = Dacl
  326. // Sacl = Sacl
  327. //
  329. if ( !InitializeSecurityDescriptor( pAbsoluteSd,
  330. SECURITY_DESCRIPTOR_REVISION ) ||
  331. !SetSecurityDescriptorOwner( pAbsoluteSd,
  332. pOwnerSid,
  333. FALSE ) ||
  334. !SetSecurityDescriptorGroup( pAbsoluteSd,
  335. pGroupSid,
  336. FALSE ) ||
  337. !SetSecurityDescriptorDacl( pAbsoluteSd,
  338. TRUE,
  339. pDacl,
  340. FALSE ) ||
  341. !SetSecurityDescriptorSacl( pAbsoluteSd,
  342. FALSE,
  343. pSacl,
  344. FALSE ) )
  345. THROW( CException() );
  346. } //CiCreateSecurityDescriptor