archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
3.2 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/admin/services/sched/svc_core/desktop.cxx

600 lines
17 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 1996.
  5. //
  6. // File: desktop.cxx
  7. //
  8. // Contents: Creation/initialization of the Scheduling Agent windowstation
  9. // and its desktop, "SAWinSta\SADesktop". This windowstation
  10. // needs to exist to run tasks when no user is logged on, or the
  11. // logged on user is different than the task-specific account.
  12. //
  13. // Classes: None.
  14. //
  15. // Functions: None.
  16. //
  17. // History: 26-Jun-96 MarkBl Created
  18. //
  19. //----------------------------------------------------------------------------
  21. #include "..\pch\headers.hxx"
  22. #pragma hdrstop
  23. #include "debug.hxx"
  24. #include "..\inc\security.hxx"
  26. #define SA_WINDOW_STATION L"SAWinSta"
  27. #define SA_DESKTOP L"SADesktop"
  29. //
  30. // Define all access to windows objects
  31. //
  32. // From windows\gina\winlogon\secutil.c
  33. //
  35. #define DESKTOP_ALL (DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW | \
  36. DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | \
  37. DESKTOP_JOURNALRECORD | DESKTOP_JOURNALPLAYBACK | \
  38. DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \
  39. DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED)
  41. #define WINSTA_ALL (WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES | \
  42. WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | \
  43. WINSTA_WRITEATTRIBUTES | WINSTA_ACCESSGLOBALATOMS | \
  44. WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | \
  45. WINSTA_READSCREEN | \
  46. STANDARD_RIGHTS_REQUIRED)
  48. #define WINSTA_ATOMS (WINSTA_ACCESSGLOBALATOMS | \
  49. WINSTA_ACCESSCLIPBOARD )
  51. HDESK CreateSADesktop(HWINSTA hWinSta);
  52. HWINSTA CreateSAWindowStation(void);
  53. PSID GetProcessSid(void);
  54. BOOL InitializeSAWindow(void);
  55. BOOL SetSADesktopSecurity(
  56. HDESK hDesktop,
  57. PSID pSchedAgentSid,
  58. PSID pBatchSid);
  59. BOOL SetSAWindowStationSecurity(
  60. HWINSTA hWinSta,
  61. PSID pSchedAgentSid,
  62. PSID pBatchSid);
  63. void UninitializeSAWindow(void);
  65. // Globals used in this module exclusively.
  66. // Initialized in InitializeSAWindow, closed in UnitializeSAWindow.
  67. //
  68. HWINSTA ghSAWinsta = NULL; // Handle to window station, "SAWinSta".
  69. HDESK ghSADesktop = NULL; // Handle to desktop, "SADesktop"
  71. //+---------------------------------------------------------------------------
  72. //
  73. // Function: InitializeSAWindow
  74. //
  75. // Synopsis: Create and set security info on the windowstation\desktop,
  76. // "SAWinSta\SADesktop". This desktop exists for tasks which
  77. // run under an account different than the currently logged
  78. // on user, or when no user is logged on. Note, these tasks will
  79. // never appear on the interactive desktop.
  80. //
  81. // Arguments: None.
  82. //
  83. // Returns: TRUE -- Everything succeeded.
  84. // FALSE -- Encountered an error.
  85. //
  86. // Notes: None.
  87. //
  88. //----------------------------------------------------------------------------
  89. BOOL
  90. InitializeSAWindow(void)
  91. {
  92. BOOL fRet = TRUE;
  93. PSID pBatchSid;
  94. PSID pSchedAgentSid;
  95. HWINSTA hWinSta = NULL;
  96. HWINSTA hServiceWinSta = NULL;
  97. HDESK hDesktop = NULL;
  98. BOOL fChangedWinSta = FALSE;
  100. //
  101. // Retrieve local system and batch account SIDs.
  102. //
  104. SID_IDENTIFIER_AUTHORITY SidAuth = SECURITY_NT_AUTHORITY;
  105. if (!AllocateAndInitializeSid(&SidAuth,
  106. 1,
  107. SECURITY_BATCH_RID,
  108. 0, 0, 0, 0, 0, 0, 0,
  109. &pBatchSid))
  110. {
  111. schDebugOut((DEB_ERROR,
  112. "InitializeSAWindow, AllocateAndInitializeSid failed, " \
  113. "status = 0x%lx\n",
  114. GetLastError()));
  115. return(FALSE);
  116. }
  118. if ((pSchedAgentSid = GetProcessSid()) == NULL)
  119. {
  120. fRet = FALSE;
  121. goto CleanExit;
  122. }
  124. //
  125. // Get current service window station.
  126. //
  128. hServiceWinSta = GetProcessWindowStation();
  130. if (hServiceWinSta == NULL) {
  131. fRet = FALSE;
  132. goto CleanExit;
  133. }
  135. //
  136. // Create the window station & desktop.
  137. //
  139. if ((hWinSta = CreateSAWindowStation()) == NULL)
  140. {
  141. fRet = FALSE;
  142. goto CleanExit;
  143. }
  145. if (!SetProcessWindowStation(hWinSta))
  146. {
  147. schDebugOut((DEB_ERROR,
  148. "InitializeSAWindow, SetProcessWindowStation failed, " \
  149. "status = 0x%lx\n",
  150. GetLastError()));
  151. fRet = FALSE;
  152. goto CleanExit;
  153. }
  155. fChangedWinSta = TRUE;
  157. if ((hDesktop = CreateSADesktop(hWinSta)) == NULL)
  158. {
  159. fRet = FALSE;
  160. goto CleanExit;
  161. }
  163. //
  164. // Set security on the window station & desktop.
  165. //
  167. if (!SetSAWindowStationSecurity(hWinSta, pSchedAgentSid, pBatchSid))
  168. {
  169. fRet = FALSE;
  170. goto CleanExit;
  171. }
  173. if (!SetSADesktopSecurity(hDesktop, pSchedAgentSid, pBatchSid))
  174. {
  175. fRet = FALSE;
  176. goto CleanExit;
  177. }
  179. CleanExit:
  181. //
  182. // If we have changed the window station, switch back to service window
  183. // station.
  184. //
  186. if (fChangedWinSta) {
  187. schAssert(hServiceWinSta);
  188. if (!SetProcessWindowStation(hServiceWinSta))
  189. {
  190. schDebugOut((DEB_ERROR,
  191. "InitializeSAWindow, SetProcessWindowStation failed, status = 0x%lx\n",
  192. GetLastError()));
  193. fRet = FALSE;
  194. }
  195. }
  197. if (pBatchSid != NULL) FreeSid(pBatchSid);
  198. if (pSchedAgentSid != NULL) LocalFree(pSchedAgentSid);
  199. if (fRet)
  200. {
  201. ghSAWinsta = hWinSta;
  202. ghSADesktop = hDesktop;
  203. }
  204. else
  205. {
  206. if (hWinSta != NULL) CloseHandle(hWinSta);
  207. if (hDesktop != NULL) CloseHandle(hDesktop);
  209. //
  210. // even though the initial NULL values should still be untouched,
  211. // we'll be extra paranoid here and pretend that gremlins may have fiddled with them
  212. //
  213. ghSAWinsta = NULL;
  214. ghSADesktop = NULL;
  215. }
  217. return(fRet);
  218. }
  220. //+---------------------------------------------------------------------------
  221. //
  222. // Function: UninitializeSAWindow
  223. //
  224. // Synopsis: Close the global window station & desktop handles.
  225. //
  226. // Arguments: None.
  227. //
  228. // Returns: None.
  229. //
  230. // Notes: None.
  231. //
  232. //----------------------------------------------------------------------------
  233. void
  234. UninitializeSAWindow(void)
  235. {
  236. if (ghSADesktop != NULL)
  237. {
  238. CloseDesktop(ghSADesktop);
  239. ghSADesktop = NULL;
  240. }
  241. if (ghSAWinsta != NULL)
  242. {
  243. CloseWindowStation(ghSAWinsta);
  244. ghSAWinsta = NULL;
  245. }
  246. }
  248. //+---------------------------------------------------------------------------
  249. //
  250. // Function: GetProcessSid
  251. //
  252. // Synopsis: Obtain the SID of this process.
  253. //
  254. // Arguments: None.
  255. //
  256. // Returns: This process' sid.
  257. // NULL on failure.
  258. //
  259. // Notes: None.
  260. //
  261. //----------------------------------------------------------------------------
  262. PSID
  263. GetProcessSid(void)
  264. {
  265. PSECURITY_DESCRIPTOR psdProcessSD = NULL;
  266. PSID pProcessSid = NULL;
  267. PSID pProcessSidTmp;
  268. DWORD cbSize;
  269. HANDLE hProcess;
  270. BOOL fOwnerDefaulted;
  272. hProcess = GetCurrentProcess();
  274. if (hProcess == NULL)
  275. {
  276. schDebugOut((DEB_ERROR,
  277. "GetProcessSid, GetCurrentProcess failed, status = 0x%lx\n",
  278. GetLastError()));
  279. return(NULL);
  280. }
  282. //
  283. // Retrieve the buffer size necessary to retrieve this process' SD.
  284. //
  286. if (!GetKernelObjectSecurity(hProcess,
  287. OWNER_SECURITY_INFORMATION,
  288. NULL,
  289. 0,
  290. &cbSize) &&
  291. GetLastError() == ERROR_INSUFFICIENT_BUFFER)
  292. {
  293. psdProcessSD = LocalAlloc(LMEM_FIXED, cbSize);
  295. if (psdProcessSD == NULL)
  296. {
  297. schDebugOut((DEB_ERROR,
  298. "GetProcessSid, process security descriptor allocation " \
  299. "failure\n"));
  300. return(NULL);
  301. }
  303. //
  304. // Actually retrieve this process' SD.
  305. //
  307. if (!GetKernelObjectSecurity(hProcess,
  308. OWNER_SECURITY_INFORMATION,
  309. psdProcessSD,
  310. cbSize,
  311. &cbSize))
  312. {
  313. schDebugOut((DEB_ERROR,
  314. "GetProcessSid, GetKernelObjectSecurity failed, " \
  315. "status = 0x%lx\n",
  316. GetLastError()));
  317. goto ErrorExit;
  318. }
  319. }
  320. else
  321. {
  322. schAssert(0 && "GetKernelObjectSecurity() succeeded!");
  323. return(NULL);
  324. }
  326. //
  327. // Retrieve the owner SID from the SD.
  328. //
  330. if (!GetSecurityDescriptorOwner(psdProcessSD,
  331. &pProcessSidTmp,
  332. &fOwnerDefaulted))
  333. {
  334. schDebugOut((DEB_ERROR,
  335. "GetProcessSid, GetSecurityDescriptorOwner failed, " \
  336. "status = 0x%lx\n",
  337. GetLastError()));
  338. goto ErrorExit;
  339. }
  341. //
  342. // An unnecessary check, maybe, but safe.
  343. //
  345. if (!IsValidSid(pProcessSidTmp))
  346. {
  347. schDebugOut((DEB_ERROR,
  348. "GetProcessSid, IsValidSid failed, status = 0x%lx\n",
  349. GetLastError()));
  350. goto ErrorExit;
  351. }
  353. //
  354. // Make a copy of the SID since that returned from GetSecuritySD refers
  355. // within the security descriptor allocated above.
  356. //
  358. cbSize = GetLengthSid(pProcessSidTmp);
  360. pProcessSid = LocalAlloc(LMEM_FIXED, cbSize);
  362. if (pProcessSid == NULL)
  363. {
  364. schDebugOut((DEB_ERROR,
  365. "GetProcessSid, process SID allocation failure\n"));
  366. goto ErrorExit;
  367. }
  369. if (!CopySid(cbSize, pProcessSid, pProcessSidTmp))
  370. {
  371. LocalFree(pProcessSid);
  372. pProcessSid = NULL;
  373. schDebugOut((DEB_ERROR,
  374. "GetProcessSid, CopySid failed, status = 0x%lx\n",
  375. GetLastError()));
  376. }
  378. ErrorExit:
  379. if (psdProcessSD != NULL) LocalFree(psdProcessSD);
  381. return(pProcessSid);
  382. }
  384. //+---------------------------------------------------------------------------
  385. //
  386. // Function: CreateSAWindowStation
  387. //
  388. // Synopsis: Create the window station named "SAWinSta".
  389. //
  390. // Arguments: None.
  391. //
  392. // Returns: Window station handle on success.
  393. // NULL on failure.
  394. //
  395. // Notes: None.
  396. //
  397. //----------------------------------------------------------------------------
  398. HWINSTA
  399. CreateSAWindowStation(void)
  400. {
  401. HWINSTA hWinSta;
  403. if ((hWinSta = CreateWindowStation(SA_WINDOW_STATION,
  404. NULL,
  405. MAXIMUM_ALLOWED,
  406. NULL)) == NULL)
  407. {
  408. schDebugOut((DEB_ERROR,
  409. "CreateSAWindowStation, CreateWindowStation failed, " \
  410. "status = 0x%lx\n",
  411. GetLastError()));
  412. return(NULL);
  413. }
  415. return(hWinSta);
  416. }
  418. //+---------------------------------------------------------------------------
  419. //
  420. // Function: CreateSADesktop
  421. //
  422. // Synopsis: Create the desktop, "SADesktop", on the window station
  423. // indicated.
  424. //
  425. // Arguments: [hWinSta] -- Window station.
  426. //
  427. // Returns: Desktop handle on success.
  428. // NULL on failure.
  429. //
  430. // Notes: None.
  431. //
  432. //----------------------------------------------------------------------------
  433. HDESK
  434. CreateSADesktop(HWINSTA hWinSta)
  435. {
  436. HDESK hDesktop;
  438. if ((hDesktop = CreateDesktop(SA_DESKTOP,
  439. NULL,
  440. NULL,
  441. 0,
  442. MAXIMUM_ALLOWED,
  443. NULL)) == NULL)
  444. {
  445. schDebugOut((DEB_ERROR,
  446. "CreateSADesktop, CreateDesktop failed, status = 0x%lx\n",
  447. GetLastError()));
  448. return(NULL);
  449. }
  451. return(hDesktop);
  452. }
  454. //+---------------------------------------------------------------------------
  455. //
  456. // Function: SetSAWindowStationSecurity
  457. //
  458. // Synopsis: Set permissions on the scheduling agent window station for
  459. // this process and batch users.
  460. //
  461. // Arguments: [hWinSta] -- Window station.
  462. // [pSchedAgentSid] -- Scheduling Agent process SID.
  463. // [pBatchSid] -- Batch SID.
  464. //
  465. // Returns: TRUE -- Function succeeded,
  466. // FALSE -- Otherwise.
  467. //
  468. // Notes: None.
  469. //
  470. //----------------------------------------------------------------------------
  471. BOOL
  472. SetSAWindowStationSecurity(
  473. HWINSTA hWinSta,
  474. PSID pSchedAgentSid,
  475. PSID pBatchSid)
  476. {
  477. #define WS_ACE_COUNT 4
  479. PACCESS_ALLOWED_ACE rgAce[WS_ACE_COUNT] = {
  480. NULL, NULL, NULL, NULL }; // Supply this to CreateSD so we
  481. // don't have to allocate memory.
  482. MYACE rgMyAce[WS_ACE_COUNT] = {
  483. { WINSTA_ALL, // Acess mask.
  484. NO_PROPAGATE_INHERIT_ACE, // Inherit flags.
  485. pSchedAgentSid }, // SID.
  486. { GENERIC_ALL,
  487. OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE,
  488. pSchedAgentSid },
  489. { WINSTA_ALL & ~(DELETE | WRITE_DAC | WRITE_OWNER), // need to leave READ_CONTROL in this or jobs can't run
  490. NO_PROPAGATE_INHERIT_ACE,
  491. pBatchSid },
  492. { GENERIC_READ | GENERIC_EXECUTE,
  493. INHERIT_ONLY_ACE,
  494. pBatchSid }
  495. };
  497. schAssert(WS_ACE_COUNT == (sizeof(rgAce)/sizeof(PACCESS_ALLOWED_ACE)) &&
  498. WS_ACE_COUNT == (sizeof(rgMyAce) / sizeof(MYACE)));
  500. PSECURITY_DESCRIPTOR pSecurityDescriptor;
  501. SECURITY_INFORMATION si;
  502. DWORD Status = 0;
  504. if ((pSecurityDescriptor = CreateSecurityDescriptor(WS_ACE_COUNT,
  505. rgMyAce,
  506. rgAce)) == NULL)
  507. {
  508. return(FALSE);
  509. }
  511. si = DACL_SECURITY_INFORMATION;
  512. if (!SetUserObjectSecurity(hWinSta, &si, pSecurityDescriptor))
  513. {
  514. Status = GetLastError();
  515. }
  517. DeleteSecurityDescriptor(pSecurityDescriptor);
  519. if (Status)
  520. {
  521. schDebugOut((DEB_ERROR,
  522. "SetSASetWindowStationSecurity, SetUserObjectSecurity failed, " \
  523. "status = 0x%lx\n",
  524. Status));
  525. return(FALSE);
  526. }
  528. return(TRUE);
  529. }
  531. //+---------------------------------------------------------------------------
  532. //
  533. // Function: SetSADesktopSecurity
  534. //
  535. // Synopsis: Set permissions on the scheduling agent desktop for this
  536. // process and batch users.
  537. //
  538. // Arguments: [hDesktop] -- Desktop.
  539. // [pSchedAgentSid] -- Scheduling Agent process SID.
  540. // [pBatchSid] -- Batch SID.
  541. //
  542. // Returns: TRUE -- Function succeeded,
  543. // FALSE -- Otherwise.
  544. //
  545. // Notes: None.
  546. //
  547. //----------------------------------------------------------------------------
  548. BOOL
  549. SetSADesktopSecurity(
  550. HDESK hDesktop,
  551. PSID pSchedAgentSid,
  552. PSID pBatchSid)
  553. {
  554. #define DT_ACE_COUNT 2
  556. PACCESS_ALLOWED_ACE rgAce[DT_ACE_COUNT] = {
  557. NULL, NULL }; // Supply this to CreateSD so we
  558. // don't have to allocate memory.
  559. MYACE rgMyAce[DT_ACE_COUNT] = {
  560. { DESKTOP_ALL, // Acess mask.
  561. 0, // Inherit flags.
  562. pSchedAgentSid }, // SID.
  563. { DESKTOP_ALL & ~STANDARD_RIGHTS_REQUIRED,
  564. 0,
  565. pBatchSid }
  566. };
  568. schAssert(DT_ACE_COUNT == (sizeof(rgAce)/sizeof(PACCESS_ALLOWED_ACE)) &&
  569. DT_ACE_COUNT == (sizeof(rgMyAce) / sizeof(MYACE)));
  571. PSECURITY_DESCRIPTOR pSecurityDescriptor;
  572. SECURITY_INFORMATION si;
  573. DWORD Status = 0;
  575. if ((pSecurityDescriptor = CreateSecurityDescriptor(DT_ACE_COUNT,
  576. rgMyAce,
  577. rgAce)) == NULL)
  578. {
  579. return(FALSE);
  580. }
  582. si = DACL_SECURITY_INFORMATION;
  583. if (!SetUserObjectSecurity(hDesktop, &si, pSecurityDescriptor))
  584. {
  585. Status = GetLastError();
  586. }
  588. DeleteSecurityDescriptor(pSecurityDescriptor);
  590. if (Status)
  591. {
  592. schDebugOut((DEB_ERROR,
  593. "SetSADesktopSecurity, SetUserObjectSecurity failed, " \
  594. "status = 0x%lx\n",
  595. Status));
  596. return(FALSE);
  597. }
  599. return(TRUE);
  600. }