archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/shell/osshell/security/aclui/ace.cpp

502 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1997 - 1999
  6. //
  7. // File: ace.cpp
  8. //
  9. // This file contains the implementation of the CAce class
  10. //
  11. //--------------------------------------------------------------------------
  13. #include "aclpriv.h"
  14. #include "sddl.h" // ConvertSidToStringSid
  17. CAce::CAce(PACE_HEADER pAce):pszInheritSourceName(NULL),
  18. iInheritSourceLevel(0)
  19. {
  20. ULONG nSidLength = 0;
  21. ULONG nAceLength = SIZEOF(KNOWN_ACE) - SIZEOF(ULONG);
  23. ZeroMemory(this, SIZEOF(CAce));
  24. sidType = SidTypeInvalid;
  26. InheritedObjectType = GUID_NULL;
  28. if (pAce != NULL)
  29. {
  30. PSID psidT;
  32. // Copy the header and mask
  33. *(PACE_HEADER)this = *pAce;
  34. Mask = ((PKNOWN_ACE)pAce)->Mask;
  36. // Is this an object ACE?
  37. if (IsObjectAceType(pAce))
  38. {
  39. GUID *pGuid;
  41. nAceLength = SIZEOF(KNOWN_OBJECT_ACE) - SIZEOF(ULONG);
  43. // Copy the object type guid if present
  44. pGuid = RtlObjectAceObjectType(pAce);
  45. if (pGuid)
  46. {
  47. Flags |= ACE_OBJECT_TYPE_PRESENT;
  48. ObjectType = *pGuid;
  49. nAceLength += SIZEOF(GUID);
  50. }
  52. //
  53. //ACE_INHERITED_OBJECT_TYPE_PRESENT is invalid without
  54. //either of container inherit or object inherit flags.
  55. //NTRAID#NTBUG9-287737-2001/01/23-hiteshr
  56. //
  57. if (pAce->AceFlags & ACE_INHERIT_ALL)
  58. {
  60. //Copy the inherit type guid if present
  61. pGuid = RtlObjectAceInheritedObjectType(pAce);
  62. if (pGuid)
  63. {
  64. Flags |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
  65. InheritedObjectType = *pGuid;
  66. nAceLength += SIZEOF(GUID);
  67. }
  68. }
  69. }
  71. // Copy the SID
  72. psidT = GetAceSid(pAce);
  73. nSidLength = GetLengthSid(psidT);
  75. psid = (PSID)LocalAlloc(LPTR, nSidLength);
  76. if (psid)
  77. CopyMemory(psid, psidT, nSidLength);
  78. }
  80. AceSize = (USHORT)(nAceLength + nSidLength);
  81. }
  84. CAce::~CAce()
  85. {
  86. if (psid != NULL)
  87. LocalFree(psid);
  88. LocalFreeString(&pszName);
  89. LocalFreeString(&pszType);
  90. LocalFreeString(&pszAccessType);
  91. LocalFreeString(&pszInheritType);
  92. LocalFreeString(&pszInheritSourceName);
  93. }
  95. void
  96. CAce::SetInheritSourceInfo(LPCTSTR psz, INT level)
  97. {
  98. #define MAX_BUFFER 1000
  99. iInheritSourceLevel = level;
  100. if(psz != NULL)
  101. {
  102. SetString(&pszInheritSourceName,psz);
  103. }
  104. else
  105. {
  106. WCHAR Buffer[MAX_BUFFER];
  107. if(IsInheritedAce())
  108. {
  109. LoadString(::hModule, IDS_FROM_PARENT, Buffer, ARRAYSIZE(Buffer));
  110. SetString(&pszInheritSourceName,Buffer);
  111. iInheritSourceLevel = -1;
  112. }
  113. else
  114. {
  115. LoadString(::hModule, IDS_NOT_INHERITED, Buffer, ARRAYSIZE(Buffer));
  116. SetString(&pszInheritSourceName,Buffer);
  117. iInheritSourceLevel = 0;
  118. }
  119. }
  120. }
  122. LPTSTR
  123. CAce::LookupName(LPCTSTR pszServer, LPSECURITYINFO2 psi2)
  124. {
  125. if (SidTypeInvalid == sidType)
  126. {
  127. PUSER_LIST pUserList = NULL;
  128. LPCTSTR pszN = NULL;
  129. LPCTSTR pszL = NULL;
  131. sidType = SidTypeUnknown;
  133. if (LookupSid(psid, pszServer, psi2, &pUserList))
  134. {
  135. sidType = pUserList->rgUsers[0].SidType;
  136. pszN = pUserList->rgUsers[0].pszName;
  137. pszL = pUserList->rgUsers[0].pszLogonName;
  138. }
  140. SetName(pszN, pszL);
  142. if (pUserList)
  143. LocalFree(pUserList);
  144. }
  146. return pszName;
  147. }
  150. void
  151. CAce::SetName(LPCTSTR pszN, LPCTSTR pszL)
  152. {
  153. LocalFreeString(&pszName);
  154. if (!BuildUserDisplayName(&pszName, pszN, pszL) && psid)
  155. ConvertSidToStringSid(psid, &pszName);
  156. }
  159. void
  160. CAce::SetSid(PSID p, LPCTSTR pszName, LPCTSTR pszLogonName, SID_NAME_USE type)
  161. {
  162. ULONG nSidLength = 0;
  163. ULONG nAceLength = SIZEOF(KNOWN_ACE) - SIZEOF(ULONG);
  165. if (psid != NULL)
  166. {
  167. LocalFree(psid);
  168. psid = NULL;
  169. }
  171. if (p != NULL)
  172. {
  173. nSidLength = GetLengthSid(p);
  175. psid = (PSID)LocalAlloc(LPTR, nSidLength);
  176. if (psid)
  177. CopyMemory(psid, p, nSidLength);
  178. }
  180. if (Flags != 0)
  181. {
  182. nAceLength = SIZEOF(KNOWN_OBJECT_ACE) - SIZEOF(ULONG);
  184. if (Flags & ACE_OBJECT_TYPE_PRESENT)
  185. nAceLength += SIZEOF(GUID);
  187. if (Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT)
  188. nAceLength += SIZEOF(GUID);
  189. }
  191. AceSize = (USHORT)(nAceLength + nSidLength);
  193. sidType = type;
  194. SetName(pszName, pszLogonName);
  195. }
  198. void
  199. CAce::SetString(LPTSTR *ppszDest, LPCTSTR pszSrc)
  200. {
  201. LocalFreeString(ppszDest);
  202. if (NULL != pszSrc)
  203. LocalAllocString(ppszDest, pszSrc);
  204. }
  207. PACE_HEADER
  208. CAce::Copy() const
  209. {
  210. PACE_HEADER pAceCopy = (PACE_HEADER)LocalAlloc(LPTR, AceSize);
  211. CopyTo(pAceCopy);
  212. return pAceCopy;
  213. }
  216. void
  217. CAce::CopyTo(PACE_HEADER pAceDest) const
  218. {
  219. if (pAceDest)
  220. {
  221. ULONG nAceLength = SIZEOF(KNOWN_ACE) - SIZEOF(ULONG);
  222. ULONG nSidLength;
  224. // Copy the header and mask
  225. *pAceDest = *(PACE_HEADER)this;
  226. ((PKNOWN_ACE)pAceDest)->Mask = Mask;
  228. // Is this an object ACE?
  229. if (IsObjectAceType(this))
  230. {
  231. GUID *pGuid;
  233. nAceLength = SIZEOF(KNOWN_OBJECT_ACE) - SIZEOF(ULONG);
  235. // Copy the object flags
  236. ((PKNOWN_OBJECT_ACE)pAceDest)->Flags = Flags;
  238. // Copy the object type guid if present
  239. pGuid = RtlObjectAceObjectType(pAceDest);
  240. if (pGuid)
  241. {
  242. *pGuid = ObjectType;
  243. nAceLength += SIZEOF(GUID);
  244. }
  246. // Copy the inherit type guid if present
  247. pGuid = RtlObjectAceInheritedObjectType(pAceDest);
  248. if (pGuid)
  249. {
  250. *pGuid = InheritedObjectType;
  251. nAceLength += SIZEOF(GUID);
  252. }
  253. }
  255. // Copy the SID
  256. nSidLength = GetLengthSid(psid);
  257. CopyMemory(GetAceSid(pAceDest), psid, nSidLength);
  259. // The size should already be correct, but set it here to be sure.
  260. pAceDest->AceSize = (USHORT)(nAceLength + nSidLength);
  261. }
  262. }
  265. int
  266. CAce::CompareType(const CAce *pAceCompare) const
  267. {
  268. //
  269. // Determine which ACE preceeds the other in canonical ordering.
  270. //
  271. // Return negative if this ACE preceeds pAceCompare, positive if
  272. // pAceCompare preceeds this ACE, and 0 if they are equivalent in
  273. // canonical ordering.
  274. //
  275. BOOL b1;
  276. BOOL b2;
  278. //
  279. // First check inheritance. Inherited ACEs follow non-inherited ACEs.
  280. //
  281. b1 = AceFlags & INHERITED_ACE;
  282. b2 = pAceCompare->AceFlags & INHERITED_ACE;
  284. if (b1 != b2)
  285. {
  286. // One (and only one) of the ACEs is inherited.
  287. return (b1 ? 1 : -1);
  288. }
  290. //
  291. // Next, Allow ACEs follow Deny ACEs.
  292. // Note that allow/deny has no effect on the ordering of Audit ACEs.
  293. //
  294. b1 = (AceType == ACCESS_ALLOWED_ACE_TYPE ||
  295. AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE);
  296. b2 = (pAceCompare->AceType == ACCESS_ALLOWED_ACE_TYPE ||
  297. pAceCompare->AceType == ACCESS_ALLOWED_OBJECT_ACE_TYPE);
  299. if (b1 != b2)
  300. {
  301. // One of the ACEs is an Allow ACE.
  302. return (b1 ? 1 : -1);
  303. }
  305. //
  306. // Next, Object ACEs follow non-object ACEs.
  307. //
  308. b1 = (AceType >= ACCESS_MIN_MS_OBJECT_ACE_TYPE &&
  309. AceType <= ACCESS_MAX_MS_OBJECT_ACE_TYPE);
  310. b2 = (pAceCompare->AceType >= ACCESS_MIN_MS_OBJECT_ACE_TYPE &&
  311. pAceCompare->AceType <= ACCESS_MAX_MS_OBJECT_ACE_TYPE);
  313. if (b1 != b2)
  314. {
  315. // One of the ACEs is an Object ACE.
  316. return (b1 ? 1 : -1);
  317. }
  319. return 0;
  320. }
  323. DWORD
  324. CAce::Merge(const CAce *pAce2)
  325. {
  326. DWORD dwStatus;
  327. DWORD dwMergeFlags = 0;
  328. DWORD dwResult;
  330. if (pAce2 == NULL)
  331. return MERGE_FAIL;
  333. //if either of the ace is inherited and they are not from the same parent
  334. if( GetInheritSourceLevel() != pAce2->GetInheritSourceLevel() )
  335. return MERGE_FAIL;
  337. //
  338. // The ACEs have to be the same basic type and have the same SID or
  339. // there's no hope.
  340. //
  341. if (!IsEqualACEType(AceType, pAce2->AceType) ||
  342. !EqualSid(psid, pAce2->psid))
  343. return MERGE_FAIL;
  345. if (!IsEqualGUID(InheritedObjectType, pAce2->InheritedObjectType))
  346. return MERGE_FAIL; // incompatible inherit object types
  348. if (Flags & ACE_OBJECT_TYPE_PRESENT)
  349. dwMergeFlags |= MF_OBJECT_TYPE_1_PRESENT;
  351. if (pAce2->Flags & ACE_OBJECT_TYPE_PRESENT)
  352. dwMergeFlags |= MF_OBJECT_TYPE_2_PRESENT;
  354. if (IsEqualGUID(ObjectType, pAce2->ObjectType))
  355. dwMergeFlags |= MF_OBJECT_TYPE_EQUAL;
  357. if (IsAuditAlarmACE(AceType))
  358. dwMergeFlags |= MF_AUDIT_ACE_TYPE;
  360. dwStatus = MergeAceHelper(AceFlags,
  361. Mask,
  362. pAce2->AceFlags,
  363. pAce2->Mask,
  364. dwMergeFlags,
  365. &dwResult);
  367. switch (dwStatus)
  368. {
  369. case MERGE_MODIFIED_FLAGS:
  370. AceFlags = (UCHAR)dwResult;
  371. break;
  373. case MERGE_MODIFIED_MASK:
  374. Mask = dwResult;
  375. break;
  376. }
  378. return dwStatus;
  379. }
  382. BOOL
  383. IsEqualACEType(DWORD dwType1, DWORD dwType2)
  384. {
  385. if (dwType1 >= ACCESS_MIN_MS_OBJECT_ACE_TYPE &&
  386. dwType1 <= ACCESS_MAX_MS_OBJECT_ACE_TYPE)
  387. dwType1 -= (ACCESS_ALLOWED_OBJECT_ACE_TYPE - ACCESS_ALLOWED_ACE_TYPE);
  389. if (dwType2 >= ACCESS_MIN_MS_OBJECT_ACE_TYPE &&
  390. dwType2 <= ACCESS_MAX_MS_OBJECT_ACE_TYPE)
  391. dwType2 -= (ACCESS_ALLOWED_OBJECT_ACE_TYPE - ACCESS_ALLOWED_ACE_TYPE);
  393. return (dwType1 == dwType2);
  394. }
  397. DWORD
  398. MergeAceHelper(DWORD dwAceFlags1,
  399. DWORD dwMask1,
  400. DWORD dwAceFlags2,
  401. DWORD dwMask2,
  402. DWORD dwMergeFlags,
  403. LPDWORD pdwResult)
  404. {
  405. // Assumptions:
  406. // The ACEs are the same basic type.
  407. // The SIDs are the same for both.
  408. // The Inherit object type is the same for both.
  410. if (pdwResult == NULL)
  411. return MERGE_FAIL;
  413. *pdwResult = 0;
  415. if (dwMergeFlags & MF_OBJECT_TYPE_EQUAL)
  416. {
  417. if (dwAceFlags1 == dwAceFlags2)
  418. {
  419. //
  420. // Everything matches except maybe the mask, which
  421. // can be combined here.
  422. //
  423. if (AllFlagsOn(dwMask1, dwMask2))
  424. return MERGE_OK_1;
  425. else if (AllFlagsOn(dwMask2, dwMask1))
  426. return MERGE_OK_2;
  428. *pdwResult = dwMask1 | dwMask2;
  429. return MERGE_MODIFIED_MASK;
  430. }
  431. else if ((dwAceFlags1 & VALID_INHERIT_FLAGS) == (dwAceFlags2 & VALID_INHERIT_FLAGS) &&
  432. dwMask1 == dwMask2)
  433. {
  434. // If 2 audit aces are identical except for the audit
  435. // type (success/fail), the flags can be combined.
  436. if (dwMergeFlags & MF_AUDIT_ACE_TYPE)
  437. {
  438. *pdwResult = dwAceFlags1 | dwAceFlags2;
  439. return MERGE_MODIFIED_FLAGS;
  440. }
  441. }
  442. else if ((dwAceFlags1 & (NO_PROPAGATE_INHERIT_ACE | INHERITED_ACE | FAILED_ACCESS_ACE_FLAG | SUCCESSFUL_ACCESS_ACE_FLAG))
  443. == (dwAceFlags2 & (NO_PROPAGATE_INHERIT_ACE | INHERITED_ACE | FAILED_ACCESS_ACE_FLAG | SUCCESSFUL_ACCESS_ACE_FLAG)))
  444. {
  445. // The NO_PROPAGATE_INHERIT_ACE bit is the same for both
  446. if (dwMask1 == dwMask2)
  447. {
  448. // The masks are the same, so we can combine inherit flags
  449. *pdwResult = dwAceFlags1;
  451. // INHERIT_ONLY_ACE should be turned on only if it is
  452. // already on in both ACEs, otherwise leave it off.
  453. if (!(dwAceFlags2 & INHERIT_ONLY_ACE))
  454. *pdwResult &= ~INHERIT_ONLY_ACE;
  456. // Combine the remaining inherit flags and return
  457. *pdwResult |= dwAceFlags2 & (OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE);
  458. return MERGE_MODIFIED_FLAGS;
  459. }
  460. else if (AllFlagsOn(dwMask1, dwMask2))
  461. {
  462. // mask1 contains mask2. If Ace1 is inherited onto all of the
  463. // same things that Ace2 is, then Ace2 is redundant.
  464. if ((!(dwAceFlags1 & INHERIT_ONLY_ACE) || (dwAceFlags2 & INHERIT_ONLY_ACE))
  465. && AllFlagsOn(dwAceFlags1 & ACE_INHERIT_ALL, dwAceFlags2 & ACE_INHERIT_ALL))
  466. return MERGE_OK_1;
  467. }
  468. else if (AllFlagsOn(dwMask2, dwMask1))
  469. {
  470. // Same as above, reversed.
  471. if ((!(dwAceFlags2 & INHERIT_ONLY_ACE) || (dwAceFlags1 & INHERIT_ONLY_ACE))
  472. && AllFlagsOn(dwAceFlags2 & ACE_INHERIT_ALL, dwAceFlags1 & ACE_INHERIT_ALL))
  473. return MERGE_OK_2;
  474. }
  475. }
  476. }
  477. else if (dwAceFlags1 == dwAceFlags2)
  478. {
  479. if (!(dwMergeFlags & MF_OBJECT_TYPE_1_PRESENT) &&
  480. AllFlagsOn(dwMask1, dwMask2))
  481. {
  482. //
  483. // The other ACE has a non-NULL object type but this ACE has no object
  484. // type and a mask that includes all of the bits in the other one.
  485. // I.e. This ACE implies the other ACE.
  486. //
  487. return MERGE_OK_1;
  488. }
  489. else if (!(dwMergeFlags & MF_OBJECT_TYPE_2_PRESENT) &&
  490. AllFlagsOn(dwMask2, dwMask1))
  491. {
  492. //
  493. // This ACE has a non-NULL object type but the other ACE has no object
  494. // type and a mask that includes all of the bits in this one.
  495. // I.e. The other ACE implies this ACE.
  496. //
  497. return MERGE_OK_2;
  498. }
  499. }
  501. return MERGE_FAIL;
  502. }