archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/shell/osshell/security/dssec/exnc.cpp

186 lines
5.3 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (C) Microsoft Corporation, 1999 - 1999
  6. //
  7. // File: exnc.cpp
  8. //
  9. // Specific Non-Canonical Test
  10. //
  11. // Test if a Security Descriptor contains an ACL with non-Canonical ACEs
  12. //
  13. // Created by: Marcelo Calbucci (MCalbu)
  14. // June 23rd, 1999.
  15. //
  16. //--------------------------------------------------------------------------
  18. #include "pch.h"
  19. extern "C" {
  20. #include <seopaque.h> // RtlObjectAceSid, etc.
  21. }
  22. #include "exnc.h"
  24. static const GUID guidMember = NT_RIGHT_MEMBER;
  27. //
  28. // ENCCompareSids
  29. // Compare if pSid is the same SID inside pAce.
  30. //
  31. BOOL ENCCompareSids(PSID pSid, PACE_HEADER pAce)
  32. {
  33. if (!pAce)
  34. return FALSE;
  36. PSID pSid2 = NULL;
  38. switch (pAce->AceType)
  39. {
  40. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  41. case ACCESS_DENIED_OBJECT_ACE_TYPE:
  42. pSid2 = RtlObjectAceSid(pAce);
  43. break;
  45. case ACCESS_ALLOWED_ACE_TYPE:
  46. case ACCESS_DENIED_ACE_TYPE:
  47. pSid2 = (PSID)&((PKNOWN_ACE)pAce)->SidStart;
  48. break;
  50. default:
  51. return FALSE;
  52. }
  54. return (pSid && pSid2 && EqualSid(pSid, pSid2));
  55. }
  58. //
  59. // IsSpecificNonCanonicalSD
  60. // This function verifies if the Security Descriptor (*pSD) it is or not in the
  61. // specific non-canonical format.
  62. // Parameters:
  63. // pSD: The Security Descriptor to be analyzed
  64. // Result:
  65. // ENC_RESULT_NOT_PRESENT: This is not a Specific Non-Canonical SD.
  66. // (It still can be a Canonical SD)
  67. // ENC_RESULT_HIDEMEMBER : We have the Non-Canonical part referent to HideMembership
  68. // ENC_RESULT_HIDEOBJECT : We have the Non-Canonical part referent to HideFromAB
  69. // ENC_RESULT_ALL : We have both Non-Canonical parts, HideMembership and HideFromAB
  70. //
  71. DWORD IsSpecificNonCanonicalSD(PSECURITY_DESCRIPTOR pSD)
  72. {
  73. // Check the Security Descriptor
  74. if(pSD==NULL)
  75. return FALSE;
  76. if(!IsValidSecurityDescriptor(pSD))
  77. return FALSE;
  79. // Get and Check the DACL
  80. PACL pDacl = NULL;
  81. BOOL fDaclPresent, fDaclDefaulted;
  82. if(!GetSecurityDescriptorDacl(pSD, &fDaclPresent, &pDacl, &fDaclDefaulted))
  83. return FALSE;
  84. if(!fDaclPresent)
  85. return FALSE;
  86. if(!pDacl)
  87. return FALSE;
  89. // Do a lazy evaluation:
  90. // If we have less than 4 ACEs, this is not a Specific Non-Canonical ACL
  91. if (pDacl->AceCount < 4)
  92. return FALSE;
  94. //
  95. // Check if the "member" or "list object" are in the Non-Canonical format
  96. //
  98. // Info (flags): Count how many alloweds we have
  99. DWORD dwInfoMember = 0;
  100. DWORD dwInfoListObject = 0;
  102. // Get the Sids...
  103. SID sidEveryone; // SID contains 1 subauthority, which is enough
  105. // -1 = Unknown
  106. // 0 = Not Present
  107. // 1 = Present
  108. int iMemberResult = -1;
  109. int iListObjectResult = -1;
  111. // # Everyone
  112. SID_IDENTIFIER_AUTHORITY siaNtAuthority1 = SECURITY_WORLD_SID_AUTHORITY;
  113. InitializeSid(&sidEveryone, &siaNtAuthority1, 1);
  114. *(GetSidSubAuthority(&sidEveryone, 0)) = SECURITY_WORLD_RID;
  116. DWORD dwCurAce;
  117. PACE_HEADER pAce;
  119. for (dwCurAce = 0, pAce = (PACE_HEADER)FirstAce(pDacl);
  120. dwCurAce < pDacl->AceCount;
  121. dwCurAce++, pAce = (PACE_HEADER)NextAce(pAce))
  122. {
  123. // Test the "member"
  124. if (-1 == iMemberResult && IsObjectAceType(pAce))
  125. {
  126. const GUID *pObjectType = RtlObjectAceObjectType(pAce);
  127. if (pObjectType && (guidMember == *pObjectType))
  128. {
  129. switch(pAce->AceType)
  130. {
  131. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  132. dwInfoMember++;
  133. break;
  135. case ACCESS_DENIED_OBJECT_ACE_TYPE:
  136. if (ENCCompareSids(&sidEveryone, pAce))
  137. {
  138. if (dwInfoMember >= ENC_MINIMUM_ALLOWED)
  139. iMemberResult = 1;
  140. else
  141. iMemberResult = 0;
  143. if (-1 != iListObjectResult)
  144. dwCurAce = pDacl->AceCount; // Quit the loop
  145. }
  146. break;
  147. }
  148. }
  149. }
  151. // Test the "list object"
  152. if (-1 == iListObjectResult &&
  153. ACTRL_DS_LIST_OBJECT == ((PKNOWN_ACE)pAce)->Mask)
  154. {
  155. switch(pAce->AceType)
  156. {
  157. case ACCESS_ALLOWED_ACE_TYPE:
  158. dwInfoListObject++;
  159. break;
  161. case ACCESS_DENIED_ACE_TYPE:
  162. if (ENCCompareSids(&sidEveryone, pAce))
  163. {
  164. if (dwInfoListObject >= ENC_MINIMUM_ALLOWED)
  165. iListObjectResult = 1;
  166. else
  167. iListObjectResult = 0;
  169. if (-1 != iMemberResult)
  170. dwCurAce = pDacl->AceCount; // Quit the loop
  171. }
  172. break;
  173. }
  174. }
  175. }
  177. DWORD dwResult = 0;
  179. if (iMemberResult == 1)
  180. dwResult |= ENC_RESULT_HIDEMEMBER;
  182. if (iListObjectResult == 1)
  183. dwResult |= ENC_RESULT_HIDEOBJECT;
  185. return dwResult;
  186. }