archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
3.2 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/admin/wmi/wbem/providers/win32provider/common/securekernelobj.cpp

378 lines
8.4 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*****************************************************************************/
  3. /* Copyright (c) 2000-2001 Microsoft Corporation, All Rights Reserved /
  4. /*****************************************************************************/
  7. /*
  8. * SecurityDescriptor.cpp - implementation file for CSecureKernelObj class.
  9. *
  10. * Created: 11-27-00 by Kevin Hughes
  11. */
  13. #include "precomp.h"
  15. #include "AccessEntry.h" // CAccessEntry class
  16. #include "AccessEntryList.h"
  17. #include "aclapi.h"
  18. #include "DACL.h" // CDACL class
  19. #include "SACL.h" // CSACL class
  22. #include "SecurityDescriptor.h"
  23. #include "securefile.h"
  24. #include "tokenprivilege.h"
  25. #include "ImpLogonUser.h"
  26. #include "AdvApi32Api.h"
  27. #include "smartptr.h"
  28. #include "SecureKernelObj.h"
  31. ///////////////////////////////////////////////////////////////////
  32. //
  33. // Function: CSecureKernelObj::CSecureKernelObj
  34. //
  35. // Default class constructor.
  36. //
  37. // Inputs:
  38. // None.
  39. //
  40. // Outputs:
  41. // None.
  42. //
  43. // Returns:
  44. // None.
  45. //
  46. // Comments:
  47. //
  48. ///////////////////////////////////////////////////////////////////
  50. CSecureKernelObj::CSecureKernelObj()
  51. : CSecurityDescriptor()
  52. {
  53. }
  55. ///////////////////////////////////////////////////////////////////
  56. //
  57. // Function: CSecureKernelObj::CSecureKernelObj
  58. //
  59. // Alternate Class CTOR
  60. //
  61. // Inputs:
  62. // LPCWSTR wszObjName - The kernel object to handle
  63. // security for.
  64. // BOOL fGetSACL - Should we get the SACL?
  65. //
  66. // Outputs:
  67. // None.
  68. //
  69. // Returns:
  70. // None.
  71. //
  72. // Comments:
  73. //
  74. ///////////////////////////////////////////////////////////////////
  76. CSecureKernelObj::CSecureKernelObj(
  77. HANDLE hObject,
  78. BOOL fGetSACL /*= TRUE*/ )
  79. : CSecurityDescriptor()
  80. {
  81. SetObject(hObject, fGetSACL);
  82. }
  86. ///////////////////////////////////////////////////////////////////
  87. //
  88. // Function: CSecureKernelObj::CSecureKernelObj
  89. //
  90. // Alternate Class CTOR
  91. //
  92. // Inputs:
  93. // LPCWSTR wszObjName - The object name to handle
  94. // security for.
  95. //
  96. // PSECURITY_DESCRIPTOR pSD - The Security Descriptor to associate with this object
  97. //
  98. // Outputs:
  99. // None.
  100. //
  101. // Returns:
  102. // None.
  103. //
  104. // Comments:
  105. //
  106. ///////////////////////////////////////////////////////////////////
  108. CSecureKernelObj::CSecureKernelObj(
  109. HANDLE hObject,
  110. PSECURITY_DESCRIPTOR pSD)
  111. : CSecurityDescriptor()
  112. {
  113. if(InitSecurity(pSD))
  114. {
  115. // we just get a copy - we don't take ownership.
  116. m_hObject = hObject;
  117. }
  118. }
  121. ///////////////////////////////////////////////////////////////////
  122. //
  123. // Function: CSecureKernelObj::~CSecureKernelObj
  124. //
  125. // Class Destructor.
  126. //
  127. // Inputs:
  128. // None.
  129. //
  130. // Outputs:
  131. // None.
  132. //
  133. // Returns:
  134. // None.
  135. //
  136. // Comments:
  137. //
  138. ///////////////////////////////////////////////////////////////////
  140. CSecureKernelObj::~CSecureKernelObj(void)
  141. {
  142. }
  144. ///////////////////////////////////////////////////////////////////
  145. //
  146. // Function: CSecureKernelObj::SetObject
  147. //
  148. // Public Entry point to set which object this instance
  149. // of the class is to supply security for.
  150. //
  151. // Inputs:
  152. // HANDLE hObject - The object to handle
  153. // security for.
  154. // BOOL fGetSACL - Should we get the SACL?
  155. //
  156. // Outputs:
  157. // None.
  158. //
  159. // Returns:
  160. // DWORD ERROR_SUCCESS if successful
  161. //
  162. // Comments:
  163. //
  164. // This will clear any previously set filenames and/or security
  165. // information.
  166. //
  167. ///////////////////////////////////////////////////////////////////
  169. DWORD CSecureKernelObj::SetObject(
  170. HANDLE hObject,
  171. BOOL fGetSACL /*= TRUE*/ )
  172. {
  173. DWORD dwError = ERROR_SUCCESS;
  174. SECURITY_INFORMATION siFlags = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION;
  177. // We must have the security privilege enabled in order to access the object's SACL
  178. CTokenPrivilege securityPrivilege( SE_SECURITY_NAME );
  179. BOOL fDisablePrivilege = FALSE;
  181. if ( fGetSACL )
  182. {
  183. fDisablePrivilege = (securityPrivilege.Enable() == ERROR_SUCCESS);
  184. siFlags |= SACL_SECURITY_INFORMATION;
  185. }
  188. // Determine the length needed for self-relative SD
  189. DWORD dwLengthNeeded = 0;
  191. BOOL fSuccess = ::GetKernelObjectSecurity(
  192. hObject,
  193. siFlags,
  194. NULL,
  195. 0,
  196. &dwLengthNeeded);
  198. dwError = ::GetLastError();
  200. // It is possible that the user lacked the permissions required to obtain the SACL,
  201. // even though we set the token's SE_SECURITY_NAME privilege. So if we obtained an
  202. // access denied error, try it again, this time without requesting the SACL.
  203. if(dwError == ERROR_ACCESS_DENIED || dwError == ERROR_PRIVILEGE_NOT_HELD)
  204. {
  205. siFlags = OWNER_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION;
  206. fSuccess = ::GetKernelObjectSecurity(
  207. hObject,
  208. siFlags,
  209. NULL,
  210. 0,
  211. &dwLengthNeeded);
  213. dwError = ::GetLastError();
  214. }
  216. // The only expected error at this point is insuficient buffer
  217. if(!fSuccess && ERROR_INSUFFICIENT_BUFFER == dwError)
  218. {
  219. PSECURITY_DESCRIPTOR pSD = NULL;
  220. try
  221. {
  222. pSD = new BYTE[dwLengthNeeded];
  223. if(pSD)
  224. {
  225. // Now obtain security descriptor
  226. if(::GetKernelObjectSecurity(
  227. hObject,
  228. siFlags,
  229. pSD,
  230. dwLengthNeeded,
  231. &dwLengthNeeded))
  232. {
  234. dwError = ERROR_SUCCESS;
  236. if(InitSecurity(pSD))
  237. {
  238. m_hObject = hObject;
  239. }
  240. else
  241. {
  242. dwError = ERROR_INVALID_PARAMETER;
  243. }
  244. }
  245. else
  246. {
  247. dwError = ::GetLastError();
  248. }
  250. // free up the security descriptor
  251. delete pSD;
  252. }
  253. }
  254. catch(...)
  255. {
  256. delete pSD;
  257. throw;
  258. }
  260. }
  262. // Cleanup the Name Privilege as necessary.
  263. if(fDisablePrivilege)
  264. {
  265. securityPrivilege.Enable(FALSE);
  266. }
  268. return dwError;
  270. }
  272. ///////////////////////////////////////////////////////////////////
  273. //
  274. // Function: CSecureKernelObj::WriteAcls
  275. //
  276. // Protected entry point called by CSecurityDescriptor when
  277. // a user Applies Security and wants to apply security for
  278. // the DACL and/or SACL.
  279. //
  280. // Inputs:
  281. // PSECURITY_DESCRIPTOR pAbsoluteSD - Security
  282. // descriptor to apply to
  283. // the object.
  284. // SECURITY_INFORMATION securityinfo - Flags
  285. // indicating which ACL(s)
  286. // to set.
  287. //
  288. // Outputs:
  289. // None.
  290. //
  291. // Returns:
  292. // DWORD ERROR_SUCCESS if successful
  293. //
  294. // Comments:
  295. //
  296. ///////////////////////////////////////////////////////////////////
  298. DWORD CSecureKernelObj::WriteAcls(
  299. PSECURITY_DESCRIPTOR pAbsoluteSD,
  300. SECURITY_INFORMATION securityinfo)
  301. {
  302. DWORD dwError = ERROR_SUCCESS;
  304. // We must have the security privilege enabled in order to access the object's SACL
  305. CTokenPrivilege securityPrivilege( SE_SECURITY_NAME );
  306. BOOL fDisablePrivilege = FALSE;
  308. if(securityinfo & SACL_SECURITY_INFORMATION ||
  309. securityinfo & PROTECTED_SACL_SECURITY_INFORMATION ||
  310. securityinfo & UNPROTECTED_SACL_SECURITY_INFORMATION)
  311. {
  312. fDisablePrivilege = (securityPrivilege.Enable() == ERROR_SUCCESS);
  313. }
  315. if(!::SetKernelObjectSecurity(
  316. m_hObject,
  317. securityinfo,
  318. pAbsoluteSD))
  319. {
  320. dwError = ::GetLastError();
  321. }
  324. // Cleanup the Name Privilege as necessary.
  325. if(fDisablePrivilege)
  326. {
  327. securityPrivilege.Enable(FALSE);
  328. }
  330. return dwError;
  331. }
  333. ///////////////////////////////////////////////////////////////////
  334. //
  335. // Function: CSecureKernelObj::WriteOwner
  336. //
  337. // Protected entry point called by CSecurityDescriptor when
  338. // a user Applies Security and wants to apply security for
  339. // the owner.
  340. //
  341. // Inputs:
  342. // PSECURITY_DESCRIPTOR pAbsoluteSD - Security
  343. // descriptor to apply to
  344. // the object.
  345. //
  346. // Outputs:
  347. // None.
  348. //
  349. // Returns:
  350. // DWORD ERROR_SUCCESS if successful
  351. //
  352. // Comments:
  353. //
  354. ///////////////////////////////////////////////////////////////////
  356. DWORD CSecureKernelObj::WriteOwner(PSECURITY_DESCRIPTOR pAbsoluteSD)
  357. {
  358. DWORD dwError = ERROR_SUCCESS;
  360. // Open with the appropriate access, set the security and leave
  361. if(!::SetKernelObjectSecurity(
  362. m_hObject,
  363. OWNER_SECURITY_INFORMATION,
  364. pAbsoluteSD))
  365. {
  366. dwError = ::GetLastError();
  367. }
  369. return dwError;
  370. }
  374. DWORD CSecureKernelObj::AllAccessMask(void)
  375. {
  376. // File specific All Access Mask
  377. return TOKEN_ALL_ACCESS;
  378. }