Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

787 lines
27 KiB

  1. /*++
  2. Copyright (c) 1996 Microsoft Corporation
  3. Module Name:
  4. dumpsd.c
  5. Abstract:
  6. Dump security desc., ACLs, and access masks to the log. This is resource
  7. specific but otherwise identical to the routines in clusrtl\security.c
  8. Author:
  9. Charlie Wickham (charlwi) 12/05/00
  10. Revision History:
  11. --*/
  12. #define UNICODE 1
  13. #include "clusres.h"
  14. #include "clusrtl.h"
  15. #include "lm.h"
  16. #include "lmerr.h"
  17. #include "lmshare.h"
  18. #include <dfsfsctl.h>
  19. #include <srvfsctl.h>
  20. #include <lmdfs.h>
  21. #define g_LogEvent ClusResLogEvent
  22. static VOID
  23. SmbGetSidTypeDesc(
  24. SID_NAME_USE SidType,
  25. LPSTR pszSidType,
  26. size_t cchSidType
  27. )
  28. /*++
  29. Routine Description:
  30. Convert the SidType into a meaningful string.
  31. Arguments:
  32. SidType -
  33. pszSidType
  34. cchSidType
  35. Return Value:
  36. none
  37. --*/
  38. {
  39. if ((pszSidType != NULL) && (cchSidType > 0))
  40. {
  41. char szSidType [128];
  42. switch (SidType) {
  43. case SidTypeUser:
  44. lstrcpyA(szSidType, "has a user SID for");
  45. break;
  46. case SidTypeGroup:
  47. lstrcpyA(szSidType, "has a group SID for");
  48. break;
  49. case SidTypeDomain:
  50. lstrcpyA(szSidType, "has a domain SID for");
  51. break;
  52. case SidTypeAlias:
  53. lstrcpyA(szSidType, "has an alias SID for");
  54. break;
  55. case SidTypeWellKnownGroup:
  56. lstrcpyA(szSidType, "has a SID for a well-known group for");
  57. break;
  58. case SidTypeDeletedAccount:
  59. lstrcpyA(szSidType, "has a SID for a deleted account for");
  60. break;
  61. case SidTypeInvalid:
  62. lstrcpyA(szSidType, "has an invalid SID for");
  63. break;
  64. case SidTypeUnknown:
  65. lstrcpyA(szSidType, "has an unknown SID type:");
  66. break;
  67. default:
  68. szSidType [0] = '\0';
  69. break;
  70. } // switch: SidType
  71. strncpy(pszSidType, szSidType, cchSidType);
  72. } // if: buffer not null and has space allocated
  73. } //*** SmbGetSidTypeDesc()
  74. static VOID
  75. SmbExamineSid(
  76. RESOURCE_HANDLE ResourceHandle,
  77. PSID pSid,
  78. LPSTR lpszOldIndent
  79. )
  80. /*++
  81. Routine Description:
  82. Dump the SID.
  83. Arguments:
  84. pSid -
  85. lpzOldIndent -
  86. Return Value:
  87. none
  88. --*/
  89. {
  90. CHAR szUserName [128];
  91. CHAR szDomainName [128];
  92. DWORD cbUser = sizeof(szUserName);
  93. DWORD cbDomain = sizeof(szDomainName);
  94. SID_NAME_USE SidType;
  95. if ( LookupAccountSidA( NULL, pSid, szUserName, &cbUser, szDomainName, &cbDomain, &SidType ) )
  96. {
  97. char szSidType [128];
  98. SmbGetSidTypeDesc( SidType, szSidType, sizeof( szSidType ) );
  99. (g_LogEvent)(ResourceHandle,
  100. LOG_INFORMATION,
  101. L"%1!hs!%2!hs! %3!hs!\\%4!hs!\n",
  102. lpszOldIndent, szSidType, szDomainName, szUserName ) ;
  103. }
  104. } // *** SmbExamineSid()
  105. VOID
  106. SmbExamineMask(
  107. RESOURCE_HANDLE ResourceHandle,
  108. ACCESS_MASK amMask
  109. )
  110. /*++
  111. Routine Description:
  112. Dump the AccessMask context.
  113. Arguments:
  114. amMask -
  115. lpzOldIndent -
  116. Return Value:
  117. none
  118. --*/
  119. {
  120. #define STANDARD_RIGHTS_ALL_THE_BITS 0x00FF0000L
  121. #define GENERIC_RIGHTS_ALL_THE_BITS 0xF0000000L
  122. DWORD dwGenericBits;
  123. DWORD dwStandardBits;
  124. DWORD dwSpecificBits;
  125. DWORD dwAccessSystemSecurityBit;
  126. DWORD dwExtraBits;
  127. dwStandardBits = (amMask & STANDARD_RIGHTS_ALL_THE_BITS);
  128. dwSpecificBits = (amMask & SPECIFIC_RIGHTS_ALL );
  129. dwAccessSystemSecurityBit = (amMask & ACCESS_SYSTEM_SECURITY );
  130. dwGenericBits = (amMask & GENERIC_RIGHTS_ALL_THE_BITS );
  131. // **************************************************************************
  132. // *
  133. // * Print then decode the standard rights bits
  134. // *
  135. // **************************************************************************
  136. (g_LogEvent)(ResourceHandle,
  137. LOG_INFORMATION,
  138. L" Standard Rights == 0x%1!.8x!\n", dwStandardBits);
  139. if (dwStandardBits) {
  140. if ((dwStandardBits & DELETE) == DELETE) {
  141. (g_LogEvent)(ResourceHandle,
  142. LOG_INFORMATION,
  143. L" 0x%1!.8x! DELETE\n", DELETE);
  144. }
  145. if ((dwStandardBits & READ_CONTROL) == READ_CONTROL) {
  146. (g_LogEvent)(ResourceHandle,
  147. LOG_INFORMATION,
  148. L" 0x%1!.8x! READ_CONTROL\n", READ_CONTROL);
  149. }
  150. if ((dwStandardBits & STANDARD_RIGHTS_READ) == STANDARD_RIGHTS_READ) {
  151. (g_LogEvent)(ResourceHandle,
  152. LOG_INFORMATION,
  153. L" 0x%1!.8x! STANDARD_RIGHTS_READ\n", STANDARD_RIGHTS_READ);
  154. }
  155. if ((dwStandardBits & STANDARD_RIGHTS_WRITE) == STANDARD_RIGHTS_WRITE) {
  156. (g_LogEvent)(ResourceHandle,
  157. LOG_INFORMATION,
  158. L" 0x%1!.8x! STANDARD_RIGHTS_WRITE\n", STANDARD_RIGHTS_WRITE);
  159. }
  160. if ((dwStandardBits & STANDARD_RIGHTS_EXECUTE) == STANDARD_RIGHTS_EXECUTE) {
  161. (g_LogEvent)(ResourceHandle,
  162. LOG_INFORMATION,
  163. L" 0x%1!.8x! STANDARD_RIGHTS_EXECUTE\n", STANDARD_RIGHTS_EXECUTE);
  164. }
  165. if ((dwStandardBits & WRITE_DAC) == WRITE_DAC) {
  166. (g_LogEvent)(ResourceHandle,
  167. LOG_INFORMATION,
  168. L" 0x%1!.8x! WRITE_DAC\n", WRITE_DAC);
  169. }
  170. if ((dwStandardBits & WRITE_OWNER) == WRITE_OWNER) {
  171. (g_LogEvent)(ResourceHandle,
  172. LOG_INFORMATION,
  173. L" 0x%1!.8x! WRITE_OWNER\n", WRITE_OWNER);
  174. }
  175. if ((dwStandardBits & SYNCHRONIZE) == SYNCHRONIZE) {
  176. (g_LogEvent)(ResourceHandle,
  177. LOG_INFORMATION,
  178. L" 0x%1!.8x! SYNCHRONIZE\n", SYNCHRONIZE);
  179. }
  180. if ((dwStandardBits & STANDARD_RIGHTS_REQUIRED) == STANDARD_RIGHTS_REQUIRED) {
  181. (g_LogEvent)(ResourceHandle,
  182. LOG_INFORMATION,
  183. L" 0x%1!.8x! STANDARD_RIGHTS_REQUIRED\n", STANDARD_RIGHTS_REQUIRED);
  184. }
  185. if ((dwStandardBits & STANDARD_RIGHTS_ALL) == STANDARD_RIGHTS_ALL) {
  186. (g_LogEvent)(ResourceHandle,
  187. LOG_INFORMATION,
  188. L" 0x%1!.8x! STANDARD_RIGHTS_ALL\n", STANDARD_RIGHTS_ALL);
  189. }
  190. dwExtraBits = dwStandardBits & (~(DELETE
  191. | READ_CONTROL
  192. | STANDARD_RIGHTS_READ
  193. | STANDARD_RIGHTS_WRITE
  194. | STANDARD_RIGHTS_EXECUTE
  195. | WRITE_DAC
  196. | WRITE_OWNER
  197. | SYNCHRONIZE
  198. | STANDARD_RIGHTS_REQUIRED
  199. | STANDARD_RIGHTS_ALL));
  200. if (dwExtraBits) {
  201. (g_LogEvent)(ResourceHandle,
  202. LOG_INFORMATION,
  203. L" Extra standard bits == 0x%1!.8x! <-This is a problem, should be all 0s\n",
  204. dwExtraBits);
  205. }
  206. }
  207. (g_LogEvent)(ResourceHandle,
  208. LOG_INFORMATION,
  209. L" Specific Rights == 0x%1!.8x!\n", dwSpecificBits);
  210. // **************************************************************************
  211. // *
  212. // * Print then decode the ACCESS_SYSTEM_SECURITY bit
  213. // *
  214. // *************************************************************************
  215. (g_LogEvent)(ResourceHandle,
  216. LOG_INFORMATION,
  217. L" Access System Security == 0x%1!.8x!\n", dwAccessSystemSecurityBit);
  218. // **************************************************************************
  219. // *
  220. // * Print then decode the generic rights bits, which will rarely be on
  221. // *
  222. // * Generic bits are nearly always mapped by Windows NT before it tries to do
  223. // * anything with them. You can ignore the fact that generic bits are
  224. // * special in any way, although it helps to keep track of what the mappings
  225. // * are so that you don't have any surprises
  226. // *
  227. // * The only time the generic bits are not mapped immediately is if they are
  228. // * placed in an inheritable ACE in an ACL, or in an ACL that will be
  229. // * assigned by default (such as the default DACL in an access token). In
  230. // * that case they're mapped when the child object is created (or when the
  231. // * default DACL is used at object creation time)
  232. // *
  233. // **************************************************************************
  234. (g_LogEvent)(ResourceHandle,
  235. LOG_INFORMATION,
  236. L" Generic Rights == 0x%1!.8x!\n", dwGenericBits);
  237. if (dwGenericBits) {
  238. if ((dwGenericBits & GENERIC_READ) == GENERIC_READ) {
  239. (g_LogEvent)(ResourceHandle,
  240. LOG_INFORMATION,
  241. L" 0x%1!.8x! GENERIC_READ\n", GENERIC_READ);
  242. }
  243. if ((dwGenericBits & GENERIC_WRITE) == GENERIC_WRITE) {
  244. (g_LogEvent)(ResourceHandle,
  245. LOG_INFORMATION,
  246. L" 0x%1!.8x! GENERIC_WRITE\n", GENERIC_WRITE);
  247. }
  248. if ((dwGenericBits & GENERIC_EXECUTE) == GENERIC_EXECUTE) {
  249. (g_LogEvent)(ResourceHandle,
  250. LOG_INFORMATION,
  251. L" 0x%1!.8x! GENERIC_EXECUTE\n", GENERIC_EXECUTE);
  252. }
  253. if ((dwGenericBits & GENERIC_ALL) == GENERIC_ALL) {
  254. (g_LogEvent)(ResourceHandle,
  255. LOG_INFORMATION,
  256. L" 0x%1!.8x! GENERIC_ALL\n", GENERIC_ALL);
  257. }
  258. dwExtraBits = dwGenericBits & (~(GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL));
  259. if (dwExtraBits) {
  260. (g_LogEvent)(ResourceHandle,
  261. LOG_INFORMATION,
  262. L" Extra generic bits == 0x%1!.8x! <-This is a problem, should be all 0s\n",
  263. dwExtraBits);
  264. }
  265. }
  266. } // *** SmbExamineMask()
  267. static BOOL
  268. SmbExamineACL(
  269. RESOURCE_HANDLE ResourceHandle,
  270. PACL paclACL
  271. )
  272. /*++
  273. Routine Description:
  274. Dump the Access Control List context.
  275. Return Value:
  276. none
  277. --*/
  278. {
  279. ACL_SIZE_INFORMATION asiAclSize;
  280. ACL_REVISION_INFORMATION ariAclRevision;
  281. DWORD dwBufLength;
  282. DWORD dwAcl_i;
  283. ACCESS_ALLOWED_ACE * paaAllowedAce;
  284. if (!IsValidAcl(paclACL)) {
  285. (g_LogEvent)(ResourceHandle,
  286. LOG_INFORMATION,
  287. L" SmbExamineACL() - IsValidAcl() failed.\n");
  288. return FALSE;
  289. }
  290. dwBufLength = sizeof(asiAclSize);
  291. if (!GetAclInformation(paclACL, &asiAclSize, dwBufLength, AclSizeInformation)) {
  292. (g_LogEvent)(ResourceHandle,
  293. LOG_INFORMATION,
  294. L" SmbExamineACL() - GetAclInformation failed.\n");
  295. return FALSE;
  296. }
  297. dwBufLength = sizeof(ariAclRevision);
  298. if (!GetAclInformation(paclACL, (LPVOID) &ariAclRevision, dwBufLength, AclRevisionInformation)) {
  299. (g_LogEvent)(ResourceHandle,
  300. LOG_INFORMATION,
  301. L" SmbExamineACL() - GetAclInformation failed\n");
  302. return FALSE;
  303. }
  304. (g_LogEvent)(ResourceHandle,
  305. LOG_INFORMATION,
  306. L" ACL has %1!d! ACE(s), %2!d! bytes used, %3!d! bytes free\n",
  307. asiAclSize.AceCount,
  308. asiAclSize.AclBytesInUse,
  309. asiAclSize.AclBytesFree);
  310. switch (ariAclRevision.AclRevision) {
  311. case ACL_REVISION1:
  312. (g_LogEvent)(ResourceHandle,
  313. LOG_INFORMATION,
  314. L" ACL revision is %1!d! == ACL_REVISION1\n", ariAclRevision.AclRevision);
  315. break;
  316. case ACL_REVISION2:
  317. (g_LogEvent)(ResourceHandle,
  318. LOG_INFORMATION,
  319. L" ACL revision is %1!d! == ACL_REVISION2\n", ariAclRevision.AclRevision);
  320. break;
  321. default:
  322. (g_LogEvent)(ResourceHandle,
  323. LOG_INFORMATION,
  324. L" ACL revision is %1!d! == Unrecognized ACL Revision.\n",
  325. ariAclRevision.AclRevision);
  326. return FALSE;
  327. break;
  328. }
  329. for (dwAcl_i = 0; dwAcl_i < asiAclSize.AceCount; dwAcl_i++) {
  330. if (!GetAce(paclACL, dwAcl_i, (LPVOID *) &paaAllowedAce)) {
  331. (g_LogEvent)(ResourceHandle,
  332. LOG_INFORMATION,
  333. L" SmbExamineACL() - GetAce failed.\n");
  334. return FALSE;
  335. }
  336. (g_LogEvent)(ResourceHandle,
  337. LOG_INFORMATION,
  338. L" ACE %1!d! size %2!d!\n", dwAcl_i, paaAllowedAce->Header.AceSize);
  339. {
  340. char szBuf [128];
  341. wsprintfA(szBuf, " ACE %d ", dwAcl_i);
  342. SmbExamineSid(ResourceHandle, &(paaAllowedAce->SidStart), szBuf );
  343. }
  344. {
  345. DWORD dwAceFlags = paaAllowedAce->Header.AceFlags;
  346. (g_LogEvent)(ResourceHandle,
  347. LOG_INFORMATION,
  348. L" ACE %1!d! flags 0x%2!.2x!\n", dwAcl_i, dwAceFlags);
  349. if (dwAceFlags) {
  350. DWORD dwExtraBits;
  351. if ((dwAceFlags & OBJECT_INHERIT_ACE) == OBJECT_INHERIT_ACE) {
  352. (g_LogEvent)(ResourceHandle,
  353. LOG_INFORMATION,
  354. L" 0x01 OBJECT_INHERIT_ACE\n");
  355. }
  356. if ((dwAceFlags & CONTAINER_INHERIT_ACE) == CONTAINER_INHERIT_ACE) {
  357. (g_LogEvent)(ResourceHandle,
  358. LOG_INFORMATION,
  359. L" 0x02 CONTAINER_INHERIT_ACE\n");
  360. }
  361. if ((dwAceFlags & NO_PROPAGATE_INHERIT_ACE) == NO_PROPAGATE_INHERIT_ACE) {
  362. (g_LogEvent)(ResourceHandle,
  363. LOG_INFORMATION,
  364. L" 0x04 NO_PROPAGATE_INHERIT_ACE\n");
  365. }
  366. if ((dwAceFlags & INHERIT_ONLY_ACE) == INHERIT_ONLY_ACE) {
  367. (g_LogEvent)(ResourceHandle,
  368. LOG_INFORMATION,
  369. L" 0x08 INHERIT_ONLY_ACE\n");
  370. }
  371. if ((dwAceFlags & VALID_INHERIT_FLAGS) == VALID_INHERIT_FLAGS) {
  372. (g_LogEvent)(ResourceHandle,
  373. LOG_INFORMATION,
  374. L" 0x0F VALID_INHERIT_FLAGS\n");
  375. }
  376. if ((dwAceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) == SUCCESSFUL_ACCESS_ACE_FLAG) {
  377. (g_LogEvent)(ResourceHandle,
  378. LOG_INFORMATION,
  379. L" 0x40 SUCCESSFUL_ACCESS_ACE_FLAG\n");
  380. }
  381. if ((dwAceFlags & FAILED_ACCESS_ACE_FLAG) == FAILED_ACCESS_ACE_FLAG) {
  382. (g_LogEvent)(ResourceHandle,
  383. LOG_INFORMATION,
  384. L" 0x80 FAILED_ACCESS_ACE_FLAG\n");
  385. }
  386. dwExtraBits = dwAceFlags & (~(OBJECT_INHERIT_ACE
  387. | CONTAINER_INHERIT_ACE
  388. | NO_PROPAGATE_INHERIT_ACE
  389. | INHERIT_ONLY_ACE
  390. | VALID_INHERIT_FLAGS
  391. | SUCCESSFUL_ACCESS_ACE_FLAG
  392. | FAILED_ACCESS_ACE_FLAG));
  393. if (dwExtraBits) {
  394. (g_LogEvent)(ResourceHandle,
  395. LOG_INFORMATION,
  396. L" Extra AceFlag bits == 0x%1!.8x! <-This is a problem, should be all 0s\n",
  397. dwExtraBits);
  398. }
  399. }
  400. }
  401. switch (paaAllowedAce->Header.AceType) {
  402. case ACCESS_ALLOWED_ACE_TYPE:
  403. (g_LogEvent)(ResourceHandle,
  404. LOG_INFORMATION,
  405. L" ACE %1!d! is an ACCESS_ALLOWED_ACE_TYPE\n", dwAcl_i);
  406. break;
  407. case ACCESS_DENIED_ACE_TYPE:
  408. (g_LogEvent)(ResourceHandle,
  409. LOG_INFORMATION,
  410. L" ACE %1!d! is an ACCESS_DENIED_ACE_TYPE\n", dwAcl_i);
  411. break;
  412. case SYSTEM_AUDIT_ACE_TYPE:
  413. (g_LogEvent)(ResourceHandle,
  414. LOG_INFORMATION,
  415. L" ACE %1!d! is a SYSTEM_AUDIT_ACE_TYPE\n", dwAcl_i);
  416. break;
  417. case SYSTEM_ALARM_ACE_TYPE:
  418. (g_LogEvent)(ResourceHandle,
  419. LOG_INFORMATION,
  420. L" ACE %1!d! is a SYSTEM_ALARM_ACE_TYPE\n", dwAcl_i);
  421. break;
  422. default :
  423. (g_LogEvent)(ResourceHandle,
  424. LOG_INFORMATION,
  425. L" ACE %1!d! is an IMPOSSIBLE ACE_TYPE!!! Run debugger, examine value!\n", dwAcl_i);
  426. return FALSE;
  427. }
  428. (g_LogEvent)(ResourceHandle,
  429. LOG_INFORMATION,
  430. L" ACE %1!d! mask == 0x%2!.8x!\n", dwAcl_i, paaAllowedAce->Mask);
  431. SmbExamineMask(ResourceHandle, paaAllowedAce->Mask);
  432. }
  433. return TRUE;
  434. } // *** SmbExamineACL()
  435. BOOL
  436. SmbExamineSD(
  437. RESOURCE_HANDLE ResourceHandle,
  438. PSECURITY_DESCRIPTOR psdSD
  439. )
  440. /*++
  441. Routine Description:
  442. Dump the Security descriptor context.
  443. Arguments:
  444. psdSD - the SD to dump
  445. Return Value:
  446. BOOL, TRUE for success, FALSE for failure
  447. --*/
  448. {
  449. PACL paclDACL;
  450. PACL paclSACL;
  451. BOOL bHasDACL = FALSE;
  452. BOOL bHasSACL = FALSE;
  453. BOOL bDaclDefaulted = FALSE;
  454. BOOL bSaclDefaulted = FALSE;
  455. BOOL bOwnerDefaulted = FALSE;
  456. BOOL bGroupDefaulted = FALSE;
  457. PSID psidOwner;
  458. PSID psidGroup;
  459. SECURITY_DESCRIPTOR_CONTROL sdcSDControl;
  460. DWORD dwSDRevision;
  461. DWORD dwSDLength;
  462. if (!IsValidSecurityDescriptor(psdSD)) {
  463. (g_LogEvent)(ResourceHandle,
  464. LOG_INFORMATION,
  465. L"SmbExamineSD() - IsValidSecurityDescriptor failed.\n");
  466. return FALSE;
  467. }
  468. dwSDLength = GetSecurityDescriptorLength(psdSD);
  469. if (!GetSecurityDescriptorDacl(psdSD, (LPBOOL) &bHasDACL, (PACL *) &paclDACL, (LPBOOL) &bDaclDefaulted)) {
  470. (g_LogEvent)(ResourceHandle,
  471. LOG_INFORMATION,
  472. L"SmbExamineSD() - GetSecurityDescriptorDacl failed.\n");
  473. return FALSE;
  474. }
  475. if (!GetSecurityDescriptorSacl(psdSD, (LPBOOL) &bHasSACL, (PACL *) &paclSACL, (LPBOOL) &bSaclDefaulted)) {
  476. (g_LogEvent)(ResourceHandle,
  477. LOG_INFORMATION,
  478. L"SmbExamineSD() - GetSecurityDescriptorSacl failed.\n");
  479. return FALSE;
  480. }
  481. if (!GetSecurityDescriptorOwner(psdSD, (PSID *)&psidOwner, (LPBOOL)&bOwnerDefaulted)) {
  482. (g_LogEvent)(ResourceHandle,
  483. LOG_INFORMATION,
  484. L"SmbExamineSD() - GetSecurityDescriptorOwner failed.\n");
  485. return FALSE;
  486. }
  487. if (!GetSecurityDescriptorGroup(psdSD, (PSID *) &psidGroup, (LPBOOL) &bGroupDefaulted)) {
  488. (g_LogEvent)(ResourceHandle,
  489. LOG_INFORMATION,
  490. L"SmbExamineSD() - GetSecurityDescriptorGroup failed.\n");
  491. return FALSE;
  492. }
  493. if (!GetSecurityDescriptorControl(
  494. psdSD,
  495. (PSECURITY_DESCRIPTOR_CONTROL) &sdcSDControl,
  496. (LPDWORD) &dwSDRevision))
  497. {
  498. (g_LogEvent)(ResourceHandle,
  499. LOG_INFORMATION,
  500. L"SmbExamineSD() - GetSecurityDescriptorControl failed.\n");
  501. return FALSE;
  502. }
  503. switch (dwSDRevision) {
  504. case SECURITY_DESCRIPTOR_REVISION1:
  505. (g_LogEvent)(ResourceHandle,
  506. LOG_INFORMATION,
  507. L"SD is valid. SD is %1!d! bytes long. SD revision is "
  508. L"%2!d! == SECURITY_DESCRIPTOR_REVISION1\n",
  509. dwSDLength, dwSDRevision);
  510. break;
  511. default :
  512. (g_LogEvent)(ResourceHandle,
  513. LOG_INFORMATION,
  514. L"SD is valid. SD is %1!d! bytes long. SD revision is "
  515. L"%2!d! == ! SD Revision is an IMPOSSIBLE SD revision!!! "
  516. L"Perhaps a new revision was added...\n",
  517. dwSDLength,
  518. dwSDRevision);
  519. return FALSE;
  520. }
  521. if (SE_SELF_RELATIVE & sdcSDControl) {
  522. (g_LogEvent)(ResourceHandle,
  523. LOG_INFORMATION,
  524. L"SD is in self-relative format (all SDs returned by the system are)\n");
  525. }
  526. if (NULL == psidOwner) {
  527. (g_LogEvent)(ResourceHandle,
  528. LOG_INFORMATION,
  529. L"SD's Owner is NULL, so SE_OWNER_DEFAULTED is ignored\n");
  530. }
  531. else {
  532. (g_LogEvent)(ResourceHandle,
  533. LOG_INFORMATION,
  534. L"SD's Owner is Not NULL\n");
  535. if (bOwnerDefaulted) {
  536. (g_LogEvent)(ResourceHandle,
  537. LOG_INFORMATION,
  538. L"SD's Owner-Defaulted flag is TRUE\n");
  539. }
  540. else {
  541. (g_LogEvent)(ResourceHandle,
  542. LOG_INFORMATION,
  543. L"SD's Owner-Defaulted flag is FALSE\n");
  544. }
  545. }
  546. // **************************************************************************
  547. // *
  548. // * The other use for psidGroup is for Macintosh client support
  549. // *
  550. // **************************************************************************
  551. if (NULL == psidGroup) {
  552. (g_LogEvent)(ResourceHandle,
  553. LOG_INFORMATION,
  554. L"SD's Group is NULL, so SE_GROUP_DEFAULTED is ignored. SD's Group "
  555. L"being NULL is typical, GROUP in SD(s) is mainly for POSIX compliance\n");
  556. }
  557. else {
  558. if (bGroupDefaulted) {
  559. (g_LogEvent)(ResourceHandle,
  560. LOG_INFORMATION,
  561. L"SD's Group-Defaulted flag is TRUE\n");
  562. }
  563. else {
  564. (g_LogEvent)(ResourceHandle,
  565. LOG_INFORMATION,
  566. L"SD's Group-Defaulted flag is FALSE\n");
  567. }
  568. }
  569. if (SE_DACL_PRESENT & sdcSDControl) {
  570. (g_LogEvent)(ResourceHandle,
  571. LOG_INFORMATION,
  572. L"SD's DACL is Present\n");
  573. if (bDaclDefaulted) {
  574. (g_LogEvent)(ResourceHandle,
  575. LOG_INFORMATION,
  576. L"SD's DACL-Defaulted flag is TRUE\n");
  577. } else {
  578. (g_LogEvent)(ResourceHandle,
  579. LOG_INFORMATION,
  580. L"SD's DACL-Defaulted flag is FALSE\n");
  581. }
  582. if (NULL == paclDACL) {
  583. (g_LogEvent)(ResourceHandle,
  584. LOG_INFORMATION,
  585. L"SD has a NULL DACL explicitly specified (allows all access to Everyone). "
  586. L"This does not apply to this SD, but for comparison, a non-NULL DACL pointer "
  587. L"to a 0-length ACL allows no access to anyone\n");
  588. }
  589. else if(!SmbExamineACL(ResourceHandle, paclDACL)) {
  590. (g_LogEvent)(ResourceHandle,
  591. LOG_INFORMATION,
  592. L"SmbExamineSD() - SmbExamineACL failed.\n");
  593. }
  594. }
  595. else {
  596. (g_LogEvent)(ResourceHandle,
  597. LOG_INFORMATION,
  598. L"SD's DACL is Not Present, so SE_DACL_DEFAULTED is ignored. SD has no "
  599. L"DACL at all (allows all access to Everyone)\n");
  600. }
  601. if (SE_SACL_PRESENT & sdcSDControl) {
  602. (g_LogEvent)(ResourceHandle,
  603. LOG_INFORMATION,
  604. L"SD's SACL is Present\n");
  605. if (bSaclDefaulted) {
  606. (g_LogEvent)(ResourceHandle,
  607. LOG_INFORMATION,
  608. L"SD's SACL-Defaulted flag is TRUE\n");
  609. }
  610. else {
  611. (g_LogEvent)(ResourceHandle,
  612. LOG_INFORMATION,
  613. L"SD's SACL-Defaulted flag is FALSE\n");
  614. }
  615. if (NULL == paclSACL) {
  616. (g_LogEvent)(ResourceHandle,
  617. LOG_INFORMATION,
  618. L"SD has a NULL SACL explicitly specified\n");
  619. }
  620. else if (!SmbExamineACL(ResourceHandle, paclSACL)) {
  621. (g_LogEvent)(ResourceHandle,
  622. LOG_INFORMATION,
  623. L"SmbExamineSD() - SmbExamineACL failed.\n");
  624. }
  625. }
  626. else {
  627. (g_LogEvent)(ResourceHandle,
  628. LOG_INFORMATION,
  629. L"SD's SACL is Not Present, so SE_SACL_DEFAULTED is ignored. SD has no "
  630. L"SACL at all (or we did not request to see it)\n");
  631. }
  632. return TRUE;
  633. } // *** SmbExamineSD()