archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/admin/extens/acldiag/chkdeleg.cpp

609 lines
21 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1999.
  5. //
  6. // File: ChkDeleg.cpp
  7. //
  8. // Contents: CheckDelegation and support methods
  9. //
  10. //
  11. //----------------------------------------------------------------------------
  12. #include "stdafx.h"
  13. #include <conio.h>
  14. #include <aclapi.h>
  15. #include "adutils.h"
  16. #include <util.h>
  17. #include "ChkDeleg.h"
  18. #include <deltempl.h>
  19. #include <tempcore.h>
  20. #include "SecDesc.h"
  24. #include <sddl.h>
  25. #include <dscmn.h> // from the admin\display project (CrackName)
  27. #ifndef ARRAYSIZE
  28. #define ARRAYSIZE(a) (sizeof(a)/sizeof(a[0]))
  29. #endif
  31. #include <_util.cpp>
  32. #include <_tempcor.cpp>
  33. #include <_deltemp.cpp>
  38. class CTemplateAccessPermissionsHolderManagerVerify : public CTemplateAccessPermissionsHolderManager
  39. {
  40. public:
  42. HRESULT ProcessTemplates (); // for ACLDiag - process each template in turn
  43. HRESULT ProcessPermissions(
  44. const wstring& strObjectClass,
  45. CTemplate* pTemplate,
  46. PACL pAccessList,
  47. CPrincipalList& principalList);
  48. };
  53. HRESULT CheckDelegation ()
  54. {
  55. _TRACE (1, L"Entering CheckDelegation\n");
  56. HRESULT hr = S_OK;
  57. wstring str;
  60. if ( !_Module.DoTabDelimitedOutput () )
  61. {
  62. LoadFromResource (str, IDS_DELEGATION_TEMPLATE_DIAGNOSIS);
  63. MyWprintf (str.c_str ());
  64. }
  66. CTemplateAccessPermissionsHolderManagerVerify templateAccessPermissionsHolderManager;
  68. if ( templateAccessPermissionsHolderManager.LoadTemplates() )
  69. {
  70. hr = templateAccessPermissionsHolderManager.ProcessTemplates ();
  71. }
  72. else
  73. {
  74. LoadFromResource (str, IDS_FAILED_TO_LOAD_TEMPLATES);
  75. MyWprintf (str.c_str ());
  76. hr = E_FAIL;
  77. }
  79. _TRACE (-1, L"Leaving CheckDelegation: 0x%x\n", hr);
  80. return hr;
  81. }
  83. PTOKEN_USER EfspGetTokenUser ()
  84. {
  85. _TRACE (1, L"Entering EfspGetTokenUser\n");
  86. HANDLE hToken = 0;
  87. DWORD dwReturnLength = 0;
  88. PTOKEN_USER pTokenUser = NULL;
  90. BOOL bResult = ::OpenProcessToken (GetCurrentProcess (), TOKEN_QUERY, &hToken);
  91. if ( bResult )
  92. {
  93. bResult = ::GetTokenInformation (
  94. hToken,
  95. TokenUser,
  96. NULL,
  97. 0,
  98. &dwReturnLength
  99. );
  101. if ( !bResult && dwReturnLength > 0 )
  102. {
  103. pTokenUser = (PTOKEN_USER) malloc (dwReturnLength);
  105. if (pTokenUser)
  106. {
  107. bResult = GetTokenInformation (
  108. hToken,
  109. TokenUser,
  110. pTokenUser,
  111. dwReturnLength,
  112. &dwReturnLength
  113. );
  115. if ( !bResult)
  116. {
  117. DWORD dwErr = GetLastError ();
  118. _TRACE (0, L"GetTokenInformation () failed: 0x%x\n", dwErr);
  119. free (pTokenUser);
  120. pTokenUser = NULL;
  121. }
  122. }
  123. }
  124. else
  125. {
  126. DWORD dwErr = GetLastError ();
  127. _TRACE (0, L"GetTokenInformation () failed: 0x%x\n", dwErr);
  128. }
  130. ::CloseHandle (hToken);
  131. }
  132. else
  133. {
  134. DWORD dwErr = GetLastError ();
  135. _TRACE (0, L"OpenProcessToken () failed: 0x%x\n", dwErr);
  136. }
  138. _TRACE (-1, L"Leaving EfspGetTokenUser\n");
  139. return pTokenUser;
  140. }
  142. HRESULT CTemplateAccessPermissionsHolderManagerVerify::ProcessTemplates ()
  143. {
  144. HRESULT hr = S_OK;
  146. DWORD dwErr = 0;
  148. // the access list is read in, modified, written back
  149. // If /fixdeleg is on, this list will be populated from the DS,
  150. // will receive the permissions associated with selected templates is the
  151. // user chooses to fix delegation, and then will be written back to the DS.
  152. PACL pFixDACL = NULL;
  153. PSECURITY_DESCRIPTOR pSD = NULL;
  156. LPCWSTR lpszObjectLdapPath = _Module.m_adsiObject.GetLdapPath();
  158. // get the security info
  159. if ( _Module.FixDelegation () && !_Module.DoTabDelimitedOutput () )
  160. {
  161. _TRACE (0, L"calling GetSDForDsObjectPath(%s, ...)\n", lpszObjectLdapPath);
  162. HRESULT hr1 = ::GetSDForDsObjectPath ((LPWSTR) lpszObjectLdapPath, // name of the object
  163. &pFixDACL, // receives a pointer to the DACL
  164. &pSD);
  165. if (FAILED(hr1))
  166. {
  167. _TRACE (0, L"failed on GetSDForDsObjectPath(): hr1 = 0x%x\n", hr1);
  168. wstring str;
  169. LoadFromResource (str, IDS_DELEGWIZ_ERR_GET_SEC_INFO);
  170. MyWprintf (str.c_str ());
  171. _Module.TurnOffFixDelegation ();
  172. }
  173. }
  175. CPrincipal principal; // a dummy placeholder for us to get
  176. // the incremental rights associated
  177. // with each template
  179. // We will use the current logged-in user as a placeholder only.
  180. PTOKEN_USER pTokenUser = ::EfspGetTokenUser ();
  181. if ( pTokenUser )
  182. {
  183. hr = principal.Initialize (pTokenUser->User.Sid);
  184. free (pTokenUser);
  185. }
  187. if ( SUCCEEDED (hr) )
  188. {
  189. CTemplateList* pList = m_templateManager.GetTemplateList();
  190. for (CTemplateList::iterator itr = pList->begin(); itr != pList->end(); itr++)
  191. {
  192. CTemplate* pTemplate = *itr;
  193. ASSERT(pTemplate != NULL);
  195. // Select the templates one at a time to get the
  196. // permissions representing them
  197. pTemplate->m_bSelected = TRUE;
  199. if ( InitPermissionHoldersFromSelectedTemplates (
  200. &_Module.m_classInfoArray,
  201. &_Module.m_adsiObject) )
  202. {
  203. // This access list will contain only the access control values
  204. // associated with the selected template
  205. PACL pAccessList = 0; //(PACL) ::LocalAlloc (LMEM_ZEROINIT, sizeof (ACL));
  206. if ( 1 ) //pAccessList )
  207. {
  208. dwErr = UpdateAccessList (
  209. &principal,
  210. _Module.m_adsiObject.GetServerName(),
  211. _Module.m_adsiObject.GetPhysicalSchemaNamingContext(),
  212. &pAccessList
  213. );
  215. if ( 0 == dwErr )
  216. {
  217. CPrincipalList principalList;
  218. PSID pSid = principal.GetSid ();
  219. SID_NAME_USE sne = SidTypeUnknown;
  220. wstring strPrincipalName;
  222. hr = GetNameFromSid (pSid, strPrincipalName, 0, sne);
  223. if ( SUCCEEDED (hr) )
  224. {
  225. hr = ProcessPermissions (_Module.m_adsiObject.GetClass (),
  226. pTemplate, pAccessList, principalList);
  227. if ( SUCCEEDED (hr) && _Module.FixDelegation () && !_Module.DoTabDelimitedOutput () )
  228. {
  229. // loop thru all the principals and classes
  230. CPrincipalList::iterator i;
  231. for (i = principalList.begin(); i != principalList.end(); ++i)
  232. {
  233. CPrincipal* pCurrPrincipal = (*i);
  234. dwErr = UpdateAccessList(
  235. pCurrPrincipal,
  236. _Module.m_adsiObject.GetServerName(),
  237. _Module.m_adsiObject.GetPhysicalSchemaNamingContext(),
  238. &pFixDACL);
  239. if (dwErr != 0)
  240. break;
  241. } // for pCurrPrincipal
  242. }
  243. }
  244. }
  246. ::LocalFree (pAccessList);
  247. }
  248. else
  249. {
  250. hr = E_OUTOFMEMORY;
  251. break;
  252. }
  253. }
  254. pTemplate->m_bSelected = FALSE;
  255. }
  257. if ( _Module.FixDelegation () && !_Module.DoTabDelimitedOutput () )
  258. {
  259. // commit changes
  260. _TRACE (0, L"calling SetNamedSecurityInfo(%s, ...)\n", lpszObjectLdapPath);
  261. dwErr = ::SetNamedSecurityInfoW(
  262. (LPWSTR) lpszObjectLdapPath,
  263. SE_DS_OBJECT_ALL,
  264. DACL_SECURITY_INFORMATION,
  265. NULL,
  266. NULL,
  267. pFixDACL,
  268. 0);
  269. if (dwErr != ERROR_SUCCESS)
  270. {
  271. _TRACE (0, L"failed on SetNamedSecurityInfo(): dwErr = 0x%x\n", dwErr);
  272. wstring str;
  273. LoadFromResource (str, IDS_DELEGWIZ_ERR_SET_SEC_INFO);
  274. MyWprintf (str.c_str ());
  275. }
  276. }
  277. }
  280. if ( pSD )
  281. ::LocalFree (pSD);
  284. return hr;
  285. }
  288. class CTemplateStatus
  289. {
  290. public:
  291. CTemplateStatus () :
  292. m_nACECnt (1),
  293. m_bApplies (false),
  294. m_bInherited (false)
  295. {
  296. }
  298. ULONG m_nACECnt;
  299. bool m_bApplies;
  300. bool m_bInherited;
  301. wstring m_strObjName;
  302. PSID m_psid;
  303. };
  305. typedef list<CTemplateStatus*> CStatusList;
  307. HRESULT CTemplateAccessPermissionsHolderManagerVerify::ProcessPermissions(
  308. const wstring& strObjectClass,
  309. CTemplate* pTemplate,
  310. PACL pDacl,
  311. CPrincipalList& principalList)
  312. {
  313. if ( !pTemplate )
  314. return E_POINTER;
  316. HRESULT hr = S_OK;
  317. CStatusList statusList; // This list will contain 1 entry for each
  318. // SidStart/bInherited/bApplies triplet.
  319. // The counter for each item will incremented
  320. // each time an ACE is found that belongs to
  321. // the object pointed to by the SidStart.
  322. ULONG nExpectedCnt = 0;
  323. bool bApplies = pTemplate->AppliesToClass(strObjectClass.c_str ()) ? true : false;
  324. ACE_SAMNAME* pAceSAMName = 0;
  327. // Look in global DACL for each right
  328. PACCESS_ALLOWED_ACE pAllowedAce = 0;
  330. // iterate through the template ACES
  331. for (int i = 0; i < pDacl->AceCount; i++)
  332. {
  333. if ( GetAce (pDacl, i, (void **)&pAllowedAce) )
  334. {
  335. PSID AceSid = 0;
  336. if ( IsObjectAceType ( pAllowedAce ) )
  337. {
  338. AceSid = RtlObjectAceSid( pAllowedAce );
  339. }
  340. else
  341. {
  342. AceSid = &( ( PKNOWN_ACE )pAllowedAce )->SidStart;
  343. }
  344. ASSERT (IsValidSid (AceSid));
  346. if ( !IsValidSid (AceSid) )
  347. continue;
  349. // wstring strPrincipalName;
  350. // SID_NAME_USE sne = SidTypeUnknown;
  351. // hr = GetNameFromSid (AceSid, strPrincipalName, 0, sne);
  352. // if ( SUCCEEDED (hr) )
  353. {
  354. ACE_SAMNAME* pAceTemplate = new ACE_SAMNAME;
  355. if ( pAceTemplate )
  356. {
  357. pAceTemplate->m_AceType = pAllowedAce->Header.AceType;
  358. switch (pAceTemplate->m_AceType)
  359. {
  360. case ACCESS_ALLOWED_ACE_TYPE:
  361. pAceTemplate->m_pAllowedAce = pAllowedAce;
  362. break;
  364. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  365. pAceTemplate->m_pAllowedObjectAce =
  366. reinterpret_cast <PACCESS_ALLOWED_OBJECT_ACE> (pAllowedAce);
  367. break;
  369. case ACCESS_DENIED_ACE_TYPE:
  370. pAceTemplate->m_pDeniedAce =
  371. reinterpret_cast <PACCESS_DENIED_ACE> (pAllowedAce);
  372. break;
  374. case ACCESS_DENIED_OBJECT_ACE_TYPE:
  375. pAceTemplate->m_pDeniedObjectAce =
  376. reinterpret_cast <PACCESS_DENIED_OBJECT_ACE> (pAllowedAce);
  377. break;
  379. default:
  380. break;
  381. }
  382. // pAceTemplate->m_SAMAccountName = strPrincipalName;
  383. pAceTemplate->DebugOut ();
  384. nExpectedCnt++;
  385. ACE_SAMNAME_LIST::iterator itr = _Module.m_DACLList.begin ();
  386. for (; itr != _Module.m_DACLList.end () && SUCCEEDED (hr); itr++)
  387. {
  388. pAceSAMName = *itr;
  390. // to neutralize Sid differences
  391. pAceTemplate->m_SAMAccountName = pAceSAMName->m_SAMAccountName;
  392. if ( *pAceSAMName == *pAceTemplate )
  393. {
  394. bool bFound = false;
  395. CTemplateStatus* pStatus = 0;
  396. CStatusList::iterator itr1 = statusList.begin ();
  397. wstring strObjName;
  398. PSID psid = 0;
  401. if ( ACCESS_ALLOWED_OBJECT_ACE_TYPE == pAceSAMName->m_AceType )
  402. {
  403. psid = RtlObjectAceSid (pAceSAMName->m_pAllowedObjectAce);
  404. }
  405. else
  406. {
  407. psid = &( ( PKNOWN_ACE )pAceSAMName->m_pAllowedAce )->SidStart;
  408. }
  410. SID_NAME_USE sne = SidTypeUnknown;
  411. hr = GetNameFromSid (psid, strObjName, 0, sne);
  412. if ( SUCCEEDED (hr) )
  413. {
  414. for (; itr1 != statusList.end (); itr1++)
  415. {
  416. pStatus = *itr1;
  417. if ( (pStatus->m_bApplies == bApplies) &&
  418. ( pStatus->m_bInherited == pAceSAMName->IsInherited () ) &&
  419. ( !_wcsicmp (
  420. pStatus->m_strObjName.c_str (),
  421. strObjName.c_str ())) )
  422. {
  423. bFound = true;
  424. break;
  425. }
  426. }
  428. if ( bFound )
  429. {
  430. pStatus->m_nACECnt++;
  431. }
  432. else
  433. {
  434. pStatus = new CTemplateStatus;
  435. if ( pStatus )
  436. {
  437. pStatus->m_strObjName = strObjName;
  438. pStatus->m_bApplies = bApplies;
  439. pStatus->m_bInherited = pAceSAMName->IsInherited ();
  440. pStatus->m_psid = psid;
  441. statusList.push_back (pStatus);
  442. }
  443. else
  444. {
  445. hr = E_OUTOFMEMORY;
  446. break;
  447. }
  448. }
  449. }
  450. }
  451. }
  452. }
  453. else
  454. {
  455. hr = E_OUTOFMEMORY;
  456. break;
  457. }
  458. }
  459. }
  460. }
  463. // Now, iterate thru status list and evaluate each item
  464. // If the list is empty, then this template is not present.
  465. // Otherwise, for each present item, if the class and attr count is less than the required count
  466. // the template is partial for the item.
  467. // Otherwise, it is OK.
  468. CStatusList::iterator itr = statusList.begin ();
  469. CTemplateStatus* pStatus = 0;
  470. wstring str;
  471. wstring strStatus;
  474. for (; itr != statusList.end () && SUCCEEDED (hr); itr++)
  475. {
  476. pStatus = *itr;
  478. // Print template description
  479. bool bMisconfigured = false;
  481. if ( _Module.DoTabDelimitedOutput () )
  482. {
  483. FormatMessage (str, IDS_DELEGATION_TITLE_CDO, pTemplate->GetDescription (),
  484. pStatus->m_strObjName.c_str ());
  485. }
  486. else
  487. {
  488. FormatMessage (str, IDS_DELEGATION_TITLE, pTemplate->GetDescription (),
  489. pStatus->m_strObjName.c_str ());
  490. }
  491. MyWprintf (str.c_str ());
  493. // Print "Status: OK/MISCONFIGURED"
  494. if ( pStatus->m_nACECnt < nExpectedCnt )
  495. {
  496. LoadFromResource (strStatus, IDS_MISCONFIGURED);
  497. bMisconfigured = true;
  498. }
  499. else
  500. LoadFromResource (strStatus, IDS_OK);
  502. if ( _Module.DoTabDelimitedOutput () )
  503. FormatMessage (str, IDS_DELTEMPL_STATUS_CDO, strStatus.c_str ());
  504. else
  505. FormatMessage (str, IDS_DELTEMPL_STATUS, strStatus.c_str ());
  506. MyWprintf (str.c_str ());
  508. // Print "Applies on this object: YES/NO"
  509. if ( pStatus->m_bApplies )
  510. {
  511. LoadFromResource (strStatus,
  512. _Module.DoTabDelimitedOutput () ? IDS_APPLIES : IDS_YES);
  513. }
  514. else
  515. {
  516. LoadFromResource (strStatus,
  517. _Module.DoTabDelimitedOutput () ? IDS_DOES_NOT_APPLY : IDS_NO);
  518. }
  520. if ( _Module.DoTabDelimitedOutput () )
  521. FormatMessage (str, IDS_APPLIES_ON_THIS_OBJECT_CDO, strStatus.c_str ());
  522. else
  523. FormatMessage (str, IDS_APPLIES_ON_THIS_OBJECT, strStatus.c_str ());
  524. MyWprintf (str.c_str ());
  526. // Print "Inherited from parent: YES/NO"
  527. if ( pStatus->m_bInherited )
  528. {
  529. LoadFromResource (strStatus,
  530. _Module.DoTabDelimitedOutput () ? IDS_INHERITED : IDS_YES);
  531. }
  532. else
  533. {
  534. LoadFromResource (strStatus,
  535. _Module.DoTabDelimitedOutput () ? IDS_EXPLICIT : IDS_NO);
  536. }
  538. if ( _Module.DoTabDelimitedOutput () )
  539. FormatMessage (str, IDS_INHERITED_FROM_PARENT_CDO, strStatus.c_str ());
  540. else
  541. FormatMessage (str, IDS_INHERITED_FROM_PARENT, strStatus.c_str ());
  542. MyWprintf (str.c_str ());
  544. if ( bMisconfigured && _Module.FixDelegation () && !_Module.DoTabDelimitedOutput () )
  545. {
  546. LoadFromResource (str, IDS_FIX_DELEGATION_QUERY);
  548. while (1)
  549. {
  550. MyWprintf (str.c_str ());
  552. int ch = _getche ();
  554. if ( 'y' == ch )
  555. {
  556. CPrincipal* pPrincipal = new CPrincipal;
  558. if ( pPrincipal )
  559. {
  560. if ( SUCCEEDED (pPrincipal->Initialize (pStatus->m_psid)) )
  561. principalList.push_back (pPrincipal);
  562. else
  563. delete pPrincipal;
  564. }
  565. else
  566. hr = E_OUTOFMEMORY;
  568. MyWprintf (L"\n\n");
  569. break;
  570. }
  571. else if ( 'n' == ch )
  572. {
  573. MyWprintf (L"\n\n");
  574. break;
  575. }
  576. else
  577. {
  578. MyWprintf (L"\n");
  579. continue;
  580. }
  581. }
  582. }
  583. }
  585. if ( !pStatus ) // None found
  586. {
  587. // Print template description
  588. if ( _Module.DoTabDelimitedOutput () )
  589. {
  590. FormatMessage (str, IDS_DELEGATION_NOT_FOUND_CDO,
  591. pTemplate->GetDescription ());
  592. MyWprintf (str.c_str ());
  593. }
  594. else
  595. {
  596. FormatMessage (str, L"\t%1\n\n", pTemplate->GetDescription ());
  597. MyWprintf (str.c_str ());
  599. LoadFromResource (strStatus, IDS_NOT_PRESENT);
  600. FormatMessage (str, IDS_DELTEMPL_STATUS, strStatus.c_str ());
  601. MyWprintf (str.c_str ());
  602. }
  603. }
  605. if ( !_Module.DoTabDelimitedOutput () )
  606. MyWprintf (L"\n");
  607. return hr;
  608. }