archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/shell/osshell/security/aclui/permset.cpp

490 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1996 - 1999
  6. //
  7. // File: permset.cpp
  8. //
  9. // This file contains the implementation for the CPermissionSet class
  10. //
  11. //--------------------------------------------------------------------------
  13. #include "aclpriv.h"
  14. #include "permset.h"
  17. void
  18. CPermissionSet::Reset()
  19. {
  20. TraceEnter(TRACE_PERMSET, "CPermissionSet::Reset");
  22. // Clear the lists
  24. if (m_hPermList != NULL)
  25. {
  26. DSA_Destroy(m_hPermList);
  27. m_hPermList = NULL;
  28. }
  30. DestroyDPA(m_hAdvPermList);
  31. m_hAdvPermList = NULL;
  33. m_fObjectAcesPresent = FALSE;
  35. TraceLeaveVoid();
  36. }
  38. void
  39. CPermissionSet::ResetAdvanced()
  40. {
  41. TraceEnter(TRACE_PERMSET, "CPermissionSet::ResetAdvanced");
  43. DestroyDPA(m_hAdvPermList);
  44. m_hAdvPermList = NULL;
  46. TraceLeaveVoid();
  47. }
  50. BOOL
  51. CPermissionSet::AddAce(LPCGUID pguid, ACCESS_MASK mask, DWORD dwFlags)
  52. {
  53. PERMISSION perm = { mask, dwFlags, 0 };
  55. if (pguid != NULL)
  56. perm.guid = *pguid;
  58. return AddPermission(&perm);
  59. }
  62. BOOL
  63. CPermissionSet::AddPermission(PPERMISSION pPerm)
  64. {
  65. BOOL bObjectTypePresent = FALSE;
  67. TraceEnter(TRACE_PERMSET, "CPermissionSet::AddAce");
  68. TraceAssert(pPerm != NULL);
  70. if (!IsEqualGUID(pPerm->guid, GUID_NULL))
  71. bObjectTypePresent = TRUE;
  73. if (m_hPermList == NULL)
  74. {
  75. m_hPermList = DSA_Create(SIZEOF(PERMISSION), 4);
  76. if (m_hPermList == NULL)
  77. TraceLeaveValue(FALSE);
  78. }
  79. else
  80. {
  81. //
  82. // Try to merge with an existing entry in the list.
  83. //
  84. UINT cItems = DSA_GetItemCount(m_hPermList);
  85. while (cItems > 0)
  86. {
  87. PPERMISSION pPermCompare;
  88. DWORD dwMergeFlags;
  89. DWORD dwMergeResult;
  90. DWORD dwMergeStatus;
  92. --cItems;
  93. pPermCompare = (PPERMISSION)DSA_GetItemPtr(m_hPermList, cItems);
  95. dwMergeFlags = 0;
  97. if (bObjectTypePresent)
  98. dwMergeFlags |= MF_OBJECT_TYPE_1_PRESENT;
  100. if (!IsEqualGUID(pPermCompare->guid, GUID_NULL))
  101. dwMergeFlags |= MF_OBJECT_TYPE_2_PRESENT;
  103. if (!(dwMergeFlags & (MF_OBJECT_TYPE_1_PRESENT | MF_OBJECT_TYPE_2_PRESENT)))
  104. {
  105. // Neither are present, so they are the same
  106. dwMergeFlags |= MF_OBJECT_TYPE_EQUAL;
  107. }
  108. else if (IsEqualGUID(pPermCompare->guid, pPerm->guid))
  109. dwMergeFlags |= MF_OBJECT_TYPE_EQUAL;
  111. dwMergeStatus = MergeAceHelper(pPerm->dwFlags, // #1
  112. pPerm->mask,
  113. pPermCompare->dwFlags, // #2
  114. pPermCompare->mask,
  115. dwMergeFlags,
  116. &dwMergeResult);
  118. if (dwMergeStatus == MERGE_MODIFIED_FLAGS)
  119. {
  120. pPerm->dwFlags = dwMergeResult;
  121. dwMergeStatus = MERGE_OK_1;
  122. }
  123. else if (dwMergeStatus == MERGE_MODIFIED_MASK)
  124. {
  125. pPerm->mask = dwMergeResult;
  126. dwMergeStatus = MERGE_OK_1;
  127. }
  129. if (dwMergeStatus == MERGE_OK_1)
  130. {
  131. //
  132. // The new permission implies the existing permission, so
  133. // the existing one can be removed.
  134. //
  135. DSA_DeleteItem(m_hPermList, cItems);
  136. //
  137. // Keep looking. Maybe we can remove some more entries
  138. // before adding the new one.
  139. //
  140. }
  141. else if (dwMergeStatus == MERGE_OK_2)
  142. {
  143. //
  144. // The existing permission implies the new permission, so
  145. // there is nothing to do here.
  146. //
  147. TraceLeaveValue(TRUE);
  148. }
  149. }
  150. }
  152. // Ok, add the new permission to the list.
  153. DSA_AppendItem(m_hPermList, pPerm);
  155. if (bObjectTypePresent)
  156. m_fObjectAcesPresent = TRUE;
  158. TraceLeaveValue(TRUE);
  159. }
  162. BOOL
  163. CPermissionSet::AddAdvancedAce(PACE_HEADER pAce)
  164. {
  165. TraceEnter(TRACE_PERMSET, "CPermissionSet::AddAdvancedAce");
  166. TraceAssert(pAce != NULL);
  168. // Create list if necessary
  169. if (m_hAdvPermList == NULL)
  170. {
  171. m_hAdvPermList = DPA_Create(4);
  172. if (m_hAdvPermList == NULL)
  173. {
  174. TraceMsg("DPA_Create failed");
  175. TraceLeaveValue(FALSE);
  176. }
  177. }
  179. // This is as big as we need, but sometimes incoming ACEs are extra big.
  180. UINT nAceLen = SIZEOF(KNOWN_OBJECT_ACE) + 2*SIZEOF(GUID) - SIZEOF(DWORD)
  181. + GetLengthSid(GetAceSid(pAce));
  183. // Use the incoming AceSize only if it's smaller
  184. if (pAce->AceSize < nAceLen)
  185. nAceLen = pAce->AceSize;
  187. // Copy the ACE and add it to the list.
  188. PACE_HEADER pAceCopy = (PACE_HEADER)LocalAlloc(LMEM_FIXED, nAceLen);
  189. if (pAceCopy == NULL)
  190. {
  191. TraceMsg("LocalAlloc failed");
  192. TraceLeaveValue(FALSE);
  193. }
  195. CopyMemory(pAceCopy, pAce, nAceLen);
  196. pAceCopy->AceSize = (USHORT)nAceLen;
  197. DPA_AppendPtr(m_hAdvPermList, pAceCopy);
  199. TraceLeaveValue(TRUE);
  200. }
  203. UINT
  204. CPermissionSet::GetPermCount(BOOL fIncludeAdvAces) const
  205. {
  206. ULONG cAces = 0;
  208. TraceEnter(TRACE_PERMSET, "CPermissionSet::GetPermCount");
  210. if (m_hPermList != NULL)
  211. cAces = DSA_GetItemCount(m_hPermList);
  213. if (fIncludeAdvAces && m_hAdvPermList != NULL)
  214. cAces += DPA_GetPtrCount(m_hAdvPermList);
  216. TraceLeaveValue(cAces);
  217. }
  220. ULONG
  221. CPermissionSet::GetAclLength(ULONG cbSid) const
  222. {
  223. // Return an estimate of the buffer size needed to hold the
  224. // requested ACEs. The size of the ACL header is NOT INCLUDED.
  226. ULONG nAclLength = 0;
  227. ULONG cAces;
  228. ULONG nAceSize = SIZEOF(KNOWN_ACE) - SIZEOF(DWORD) + cbSid;
  229. ULONG nObjectAceSize = SIZEOF(KNOWN_OBJECT_ACE) + SIZEOF(GUID) - SIZEOF(DWORD) + cbSid;
  231. TraceEnter(TRACE_PERMSET, "CPermissionSet::GetAclLength");
  233. if (m_hPermList != NULL)
  234. {
  235. cAces = DSA_GetItemCount(m_hPermList);
  236. if (m_fObjectAcesPresent)
  237. nAclLength += cAces * nObjectAceSize;
  238. else
  239. nAclLength += cAces * nAceSize;
  240. }
  242. if (m_hAdvPermList != NULL)
  243. {
  244. cAces = DPA_GetPtrCount(m_hAdvPermList);
  245. nAclLength += cAces * (nObjectAceSize + SIZEOF(GUID));
  246. }
  248. TraceLeaveValue(nAclLength);
  249. }
  252. BOOL
  253. CPermissionSet::AppendToAcl(PACL pAcl,
  254. PACE_HEADER *ppAcePos, // position to copy first ACE
  255. PSID pSid,
  256. BOOL fAllowAce,
  257. DWORD dwFlags) const
  258. {
  259. PACE_HEADER pAce;
  260. UINT cAces;
  261. DWORD dwSidSize;
  262. DWORD dwAceSize;
  263. PPERMISSION pPerm;
  264. UCHAR uAceType;
  265. PSID psidT;
  267. TraceEnter(TRACE_PERMSET, "CPermissionSet::AppendToAcl");
  268. TraceAssert(pAcl != NULL);
  269. TraceAssert(ppAcePos != NULL);
  270. TraceAssert(pSid != NULL);
  272. if (*ppAcePos == NULL || (ULONG_PTR)*ppAcePos < (ULONG_PTR)FirstAce(pAcl))
  273. *ppAcePos = (PACE_HEADER)FirstAce(pAcl);
  275. TraceAssert((ULONG_PTR)*ppAcePos >= (ULONG_PTR)FirstAce(pAcl) &&
  276. (ULONG_PTR)*ppAcePos <= (ULONG_PTR)ByteOffset(pAcl, pAcl->AclSize));
  278. dwSidSize = GetLengthSid(pSid);
  279. dwAceSize = SIZEOF(KNOWN_ACE) - SIZEOF(DWORD) + dwSidSize;
  280. uAceType = (UCHAR)(fAllowAce ? ACCESS_ALLOWED_ACE_TYPE : ACCESS_DENIED_ACE_TYPE);
  282. cAces = GetPermCount();
  283. while (cAces > 0)
  284. {
  285. BOOL bObjectAce;
  287. pPerm = (PPERMISSION)DSA_GetItemPtr(m_hPermList, --cAces);
  288. if (pPerm == NULL)
  289. continue;
  291. bObjectAce = !IsEqualGUID(pPerm->guid, GUID_NULL);
  293. if (bObjectAce && !(dwFlags & PS_OBJECT))
  294. continue;
  295. else if (!bObjectAce && !(dwFlags & PS_NONOBJECT))
  296. continue;
  298. pAce = *ppAcePos;
  300. // Make sure the buffer is large enough.
  301. if ((ULONG_PTR)ByteOffset(*ppAcePos, dwAceSize) > (ULONG_PTR)ByteOffset(pAcl, pAcl->AclSize))
  302. {
  303. TraceMsg("ACL buffer too small");
  304. TraceAssert(FALSE);
  305. TraceLeaveValue(FALSE);
  306. }
  307. TraceAssert(!IsBadWritePtr(*ppAcePos, dwAceSize));
  309. // Copy the header and mask
  310. pAce->AceType = uAceType;
  311. pAce->AceFlags = (UCHAR)pPerm->dwFlags;
  312. pAce->AceSize = (USHORT)dwAceSize;
  313. ((PKNOWN_ACE)pAce)->Mask = pPerm->mask;
  315. // Get the normal SID location
  316. psidT = &((PKNOWN_ACE)pAce)->SidStart;
  318. if (bObjectAce)
  319. {
  320. //
  321. // The Object ACEs that we deal with directly do not have an
  322. // Inherit GUID present. Those ACEs end up in m_hAdvPermList.
  323. //
  324. GUID *pGuid;
  326. // Adjust AceType and AceSize and set the object Flags
  327. pAce->AceType += ACCESS_ALLOWED_OBJECT_ACE_TYPE - ACCESS_ALLOWED_ACE_TYPE;
  328. pAce->AceSize += SIZEOF(KNOWN_OBJECT_ACE) - SIZEOF(KNOWN_ACE) + SIZEOF(GUID);
  329. ((PKNOWN_OBJECT_ACE)pAce)->Flags = ACE_OBJECT_TYPE_PRESENT;
  331. // Get the object type guid location
  332. pGuid = RtlObjectAceObjectType(pAce);
  334. // We just set the flag for this, so it can't be NULL
  335. TraceAssert(pGuid);
  337. // Make sure the buffer is large enough.
  338. if ((ULONG_PTR)ByteOffset(pAce, pAce->AceSize) > (ULONG_PTR)ByteOffset(pAcl, pAcl->AclSize))
  339. {
  340. TraceMsg("ACL buffer too small");
  341. TraceAssert(FALSE);
  342. TraceLeaveValue(FALSE);
  343. }
  344. TraceAssert(!IsBadWritePtr(pGuid, SIZEOF(GUID)));
  346. // Copy the object type guid
  347. *pGuid = pPerm->guid;
  349. // Get new SID location
  350. psidT = RtlObjectAceSid(pAce);
  352. // Adjust ACL revision
  353. if (pAcl->AclRevision < ACL_REVISION_DS)
  354. pAcl->AclRevision = ACL_REVISION_DS;
  355. }
  357. // Copy the SID
  358. TraceAssert(!IsBadWritePtr(psidT, dwSidSize));
  359. CopyMemory(psidT, pSid, dwSidSize);
  361. // Move to next ACE position
  362. pAcl->AceCount++;
  363. *ppAcePos = (PACE_HEADER)NextAce(pAce);
  364. }
  366. if ((dwFlags & PS_OBJECT) && m_hAdvPermList != NULL)
  367. {
  368. cAces = DPA_GetPtrCount(m_hAdvPermList);
  369. while (cAces > 0)
  370. {
  371. pAce = (PACE_HEADER)DPA_FastGetPtr(m_hAdvPermList, --cAces);
  372. if (pAce == NULL)
  373. continue;
  375. // Make sure the buffer is large enough.
  376. if ((ULONG_PTR)ByteOffset(*ppAcePos, pAce->AceSize) > (ULONG_PTR)ByteOffset(pAcl, pAcl->AclSize))
  377. {
  378. TraceMsg("ACL buffer too small");
  379. TraceAssert(FALSE);
  380. TraceLeaveValue(FALSE);
  381. }
  382. TraceAssert(!IsBadWritePtr(*ppAcePos, pAce->AceSize));
  384. // Copy the ACE
  385. CopyMemory(*ppAcePos, pAce, pAce->AceSize);
  387. // Adjust ACL revision
  388. if (IsObjectAceType(pAce) && pAcl->AclRevision < ACL_REVISION_DS)
  389. pAcl->AclRevision = ACL_REVISION_DS;
  391. // Move to next ACE position
  392. pAcl->AceCount++;
  393. *ppAcePos = (PACE_HEADER)NextAce(*ppAcePos);
  394. }
  395. }
  397. TraceLeaveValue(TRUE);
  398. }
  401. void
  402. CPermissionSet::ConvertInheritedAces(CPermissionSet &permInherited)
  403. {
  404. UINT cItems;
  406. TraceEnter(TRACE_PERMSET, "CPermissionSet::ConvertInheritedAces");
  408. if (permInherited.m_hPermList != NULL)
  409. {
  410. PPERMISSION pPerm;
  412. cItems = DSA_GetItemCount(permInherited.m_hPermList);
  413. while (cItems)
  414. {
  415. --cItems;
  416. pPerm = (PPERMISSION)DSA_GetItemPtr(permInherited.m_hPermList, cItems);
  417. if (pPerm != NULL)
  418. {
  419. pPerm->dwFlags &= ~INHERITED_ACE;
  420. AddPermission(pPerm);
  421. }
  422. }
  423. }
  425. if (permInherited.m_hAdvPermList != NULL)
  426. {
  427. PACE_HEADER pAceHeader;
  429. cItems = DPA_GetPtrCount(permInherited.m_hAdvPermList);
  430. while (cItems)
  431. {
  432. --cItems;
  433. pAceHeader = (PACE_HEADER)DPA_FastGetPtr(permInherited.m_hAdvPermList, cItems);
  434. if (pAceHeader != NULL)
  435. {
  436. pAceHeader->AceFlags &= ~INHERITED_ACE;
  437. AddAdvancedAce(pAceHeader);
  438. }
  439. }
  440. }
  442. permInherited.Reset();
  444. TraceLeaveVoid();
  445. }
  447. //Removes permission. If bInheritFlag, match inheritance flags before
  448. //removing permission
  449. void
  450. CPermissionSet::RemovePermission(PPERMISSION pPerm, BOOL bInheritFlag )
  451. {
  452. BOOL bObjectAcePresent = FALSE;
  454. TraceEnter(TRACE_PERMSET, "CPermissionSet::RemovePermission");
  455. TraceAssert(pPerm != NULL);
  457. if (m_hPermList)
  458. {
  459. BOOL bNullGuid = IsEqualGUID(pPerm->guid, GUID_NULL);
  460. UINT cItems = DSA_GetItemCount(m_hPermList);
  461. while (cItems > 0)
  462. {
  463. PPERMISSION pPermCompare;
  464. BOOL bNullGuidCompare;
  466. --cItems;
  467. pPermCompare = (PPERMISSION)DSA_GetItemPtr(m_hPermList, cItems);
  469. bNullGuidCompare = IsEqualGUID(pPermCompare->guid, GUID_NULL);
  471. if (bNullGuid || bNullGuidCompare || IsEqualGUID(pPermCompare->guid, pPerm->guid))
  472. {
  473. if( !bInheritFlag || ( (pPermCompare->dwFlags & VALID_INHERIT_FLAGS) == (pPerm->dwFlags & VALID_INHERIT_FLAGS) ) )
  474. {
  475. pPermCompare->mask &= ~pPerm->mask;
  476. if (0 == pPermCompare->mask)
  477. DSA_DeleteItem(m_hPermList, cItems);
  478. else if (!bNullGuidCompare)
  479. bObjectAcePresent = TRUE;
  480. }
  481. }
  482. else if (!bNullGuidCompare)
  483. bObjectAcePresent = TRUE;
  484. }
  485. }
  487. m_fObjectAcesPresent = bObjectAcePresent;
  489. TraceLeaveVoid();
  490. }