Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

963 lines
21 KiB

  1. /*++
  2. Copyright (c) 1996 Microsoft Corporation
  3. Module Name:
  4. applyacl.c
  5. Abstract:
  6. Routines to apply default ACLs to system files and directories
  7. during setup.
  8. Author:
  9. Ted Miller (tedm) 16-Feb-1996
  10. Revision History:
  11. --*/
  12. #include "setupp.h"
  13. #pragma hdrstop
  14. #define MAXULONG 0xffffffff
  15. //
  16. // Universal well known SIDs
  17. //
  18. PSID NullSid;
  19. PSID WorldSid;
  20. PSID LocalSid;
  21. PSID CreatorOwnerSid;
  22. PSID CreatorGroupSid;
  23. //
  24. // SIDs defined by NT
  25. //
  26. PSID DialupSid;
  27. PSID NetworkSid;
  28. PSID BatchSid;
  29. PSID InteractiveSid;
  30. PSID ServiceSid;
  31. PSID LocalSystemSid;
  32. PSID AliasAdminsSid;
  33. PSID AliasUsersSid;
  34. PSID AliasGuestsSid;
  35. PSID AliasPowerUsersSid;
  36. PSID AliasAccountOpsSid;
  37. PSID AliasSystemOpsSid;
  38. PSID AliasPrintOpsSid;
  39. PSID AliasBackupOpsSid;
  40. PSID AliasReplicatorSid;
  41. typedef struct _ACE_DATA {
  42. ACCESS_MASK AccessMask;
  43. PSID *Sid;
  44. UCHAR AceType;
  45. UCHAR AceFlags;
  46. } ACE_DATA, *PACE_DATA;
  47. //
  48. // This structure is valid for access allowed, access denied, audit,
  49. // and alarm ACEs.
  50. //
  51. typedef struct _ACE {
  52. ACE_HEADER Header;
  53. ACCESS_MASK Mask;
  54. //
  55. // The SID follows in the buffer
  56. //
  57. } ACE, *PACE;
  58. //
  59. // Number of ACEs currently defined for files and directories.
  60. //
  61. #define DIRS_AND_FILES_ACE_COUNT 19
  62. //
  63. // Table describing the data to put into each ACE.
  64. //
  65. // This table will be read during initialization and used to construct a
  66. // series of ACEs. The index of each ACE in the Aces array defined below
  67. // corresponds to the ordinals used in the ACL section of perms.inf
  68. //
  69. ACE_DATA AceDataTableForDirsAndFiles[DIRS_AND_FILES_ACE_COUNT] = {
  70. //
  71. // Index 0 is unused
  72. //
  73. { 0,NULL,0,0 },
  74. //
  75. // ACE 1
  76. // (for files and directories)
  77. //
  78. {
  79. GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
  80. &AliasAccountOpsSid,
  81. ACCESS_ALLOWED_ACE_TYPE,
  82. CONTAINER_INHERIT_ACE
  83. },
  84. //
  85. // ACE 2
  86. // (for files and directories)
  87. //
  88. {
  89. GENERIC_ALL,
  90. &AliasAdminsSid,
  91. ACCESS_ALLOWED_ACE_TYPE,
  92. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  93. },
  94. //
  95. // ACE 3
  96. // (for files and directories)
  97. //
  98. {
  99. GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
  100. &AliasAdminsSid,
  101. ACCESS_ALLOWED_ACE_TYPE,
  102. CONTAINER_INHERIT_ACE
  103. },
  104. //
  105. // ACE 4
  106. // (for files and directories)
  107. //
  108. {
  109. GENERIC_ALL,
  110. &CreatorOwnerSid,
  111. ACCESS_ALLOWED_ACE_TYPE,
  112. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  113. },
  114. //
  115. // ACE 5
  116. // (for files and directories)
  117. //
  118. {
  119. GENERIC_ALL,
  120. &NetworkSid,
  121. ACCESS_DENIED_ACE_TYPE,
  122. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  123. },
  124. //
  125. // ACE 6
  126. // (for files and directories)
  127. //
  128. {
  129. GENERIC_ALL,
  130. &AliasPrintOpsSid,
  131. ACCESS_ALLOWED_ACE_TYPE,
  132. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  133. },
  134. //
  135. // ACE 7
  136. // (for files and directories)
  137. //
  138. {
  139. GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
  140. &AliasReplicatorSid,
  141. ACCESS_ALLOWED_ACE_TYPE,
  142. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  143. },
  144. //
  145. // ACE 8
  146. // (for files and directories)
  147. //
  148. {
  149. GENERIC_READ | GENERIC_EXECUTE,
  150. &AliasReplicatorSid,
  151. ACCESS_ALLOWED_ACE_TYPE,
  152. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  153. },
  154. //
  155. // ACE 9
  156. // (for files and directories)
  157. //
  158. {
  159. GENERIC_ALL,
  160. &AliasSystemOpsSid,
  161. ACCESS_ALLOWED_ACE_TYPE,
  162. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  163. },
  164. //
  165. // ACE 10
  166. // (for files and directories)
  167. //
  168. {
  169. GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
  170. &AliasSystemOpsSid,
  171. ACCESS_ALLOWED_ACE_TYPE,
  172. OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
  173. },
  174. //
  175. // ACE 11
  176. // (for files and directories)
  177. //
  178. {
  179. GENERIC_ALL,
  180. &WorldSid,
  181. ACCESS_ALLOWED_ACE_TYPE,
  182. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  183. },
  184. //
  185. // ACE 12
  186. // (for files and directories)
  187. //
  188. {
  189. GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
  190. &WorldSid,
  191. ACCESS_ALLOWED_ACE_TYPE,
  192. CONTAINER_INHERIT_ACE
  193. },
  194. //
  195. // ACE 13
  196. // (for files and directories)
  197. //
  198. {
  199. GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
  200. &WorldSid,
  201. ACCESS_ALLOWED_ACE_TYPE,
  202. OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
  203. },
  204. //
  205. // ACE 14
  206. // (for files and directories)
  207. //
  208. {
  209. GENERIC_READ | GENERIC_EXECUTE,
  210. &WorldSid,
  211. ACCESS_ALLOWED_ACE_TYPE,
  212. CONTAINER_INHERIT_ACE
  213. },
  214. //
  215. // ACE 15
  216. // (for files and directories)
  217. //
  218. {
  219. GENERIC_READ | GENERIC_EXECUTE,
  220. &WorldSid,
  221. ACCESS_ALLOWED_ACE_TYPE,
  222. OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
  223. },
  224. //
  225. // ACE 16
  226. // (for files and directories)
  227. //
  228. {
  229. GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE,
  230. &WorldSid,
  231. ACCESS_ALLOWED_ACE_TYPE,
  232. OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
  233. },
  234. //
  235. // ACE 17
  236. // (for files and directories)
  237. //
  238. {
  239. GENERIC_ALL,
  240. &LocalSystemSid,
  241. ACCESS_ALLOWED_ACE_TYPE,
  242. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  243. },
  244. //
  245. // ACE 18
  246. // (for files and directories)
  247. //
  248. {
  249. GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
  250. &AliasPowerUsersSid,
  251. ACCESS_ALLOWED_ACE_TYPE,
  252. CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
  253. }
  254. };
  255. //
  256. // Array of ACEs to be applied to the objects (files and directories).
  257. // They will be initialized during program startup based on the data in the
  258. // AceDataTable. The index of each element corresponds to the
  259. // ordinals used in the [ACL] section of perms.inf.
  260. //
  261. PACE AcesForDirsAndFiles[DIRS_AND_FILES_ACE_COUNT];
  262. //
  263. // Array that contains the size of each ACE in the
  264. // array AcesForDirsAndFiles. These sizes are needed
  265. // in order to allocate a buffer of the right size
  266. // when we build an ACL.
  267. //
  268. ULONG AceSizesForDirsAndFiles[DIRS_AND_FILES_ACE_COUNT];
  269. VOID
  270. TearDownAces(
  271. IN OUT PACE* AcesArray,
  272. IN ULONG ArrayCount
  273. );
  274. VOID
  275. TearDownSids(
  276. VOID
  277. );
  278. DWORD
  279. InitializeSids(
  280. VOID
  281. )
  282. /*++
  283. Routine Description:
  284. This function initializes the global variables used by and exposed
  285. by security.
  286. Arguments:
  287. None.
  288. Return Value:
  289. Win32 error indicating outcome.
  290. --*/
  291. {
  292. SID_IDENTIFIER_AUTHORITY NullSidAuthority = SECURITY_NULL_SID_AUTHORITY;
  293. SID_IDENTIFIER_AUTHORITY WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
  294. SID_IDENTIFIER_AUTHORITY LocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY;
  295. SID_IDENTIFIER_AUTHORITY CreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
  296. SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
  297. BOOL b = TRUE;
  298. //
  299. // Ensure the SIDs are in a well-known state
  300. //
  301. NullSid = NULL;
  302. WorldSid = NULL;
  303. LocalSid = NULL;
  304. CreatorOwnerSid = NULL;
  305. CreatorGroupSid = NULL;
  306. DialupSid = NULL;
  307. NetworkSid = NULL;
  308. BatchSid = NULL;
  309. InteractiveSid = NULL;
  310. ServiceSid = NULL;
  311. LocalSystemSid = NULL;
  312. AliasAdminsSid = NULL;
  313. AliasUsersSid = NULL;
  314. AliasGuestsSid = NULL;
  315. AliasPowerUsersSid = NULL;
  316. AliasAccountOpsSid = NULL;
  317. AliasSystemOpsSid = NULL;
  318. AliasPrintOpsSid = NULL;
  319. AliasBackupOpsSid = NULL;
  320. AliasReplicatorSid = NULL;
  321. //
  322. // Allocate and initialize the universal SIDs
  323. //
  324. b = b && AllocateAndInitializeSid(
  325. &NullSidAuthority,
  326. 1,
  327. SECURITY_NULL_RID,
  328. 0,0,0,0,0,0,0,
  329. &NullSid
  330. );
  331. b = b && AllocateAndInitializeSid(
  332. &WorldSidAuthority,
  333. 1,
  334. SECURITY_WORLD_RID,
  335. 0,0,0,0,0,0,0,
  336. &WorldSid
  337. );
  338. b = b && AllocateAndInitializeSid(
  339. &LocalSidAuthority,
  340. 1,
  341. SECURITY_LOCAL_RID,
  342. 0,0,0,0,0,0,0,
  343. &LocalSid
  344. );
  345. b = b && AllocateAndInitializeSid(
  346. &CreatorSidAuthority,
  347. 1,
  348. SECURITY_CREATOR_OWNER_RID,
  349. 0,0,0,0,0,0,0,
  350. &CreatorOwnerSid
  351. );
  352. b = b && AllocateAndInitializeSid(
  353. &CreatorSidAuthority,
  354. 1,
  355. SECURITY_CREATOR_GROUP_RID,
  356. 0,0,0,0,0,0,0,
  357. &CreatorGroupSid
  358. );
  359. //
  360. // Allocate and initialize the NT defined SIDs
  361. //
  362. b = b && AllocateAndInitializeSid(
  363. &NtAuthority,
  364. 1,
  365. SECURITY_DIALUP_RID,
  366. 0,0,0,0,0,0,0,
  367. &DialupSid
  368. );
  369. b = b && AllocateAndInitializeSid(
  370. &NtAuthority,
  371. 1,
  372. SECURITY_NETWORK_RID,
  373. 0,0,0,0,0,0,0,
  374. &NetworkSid
  375. );
  376. b = b && AllocateAndInitializeSid(
  377. &NtAuthority,
  378. 1,
  379. SECURITY_BATCH_RID,
  380. 0,0,0,0,0,0,0,
  381. &BatchSid
  382. );
  383. b = b && AllocateAndInitializeSid(
  384. &NtAuthority,
  385. 1,
  386. SECURITY_INTERACTIVE_RID,
  387. 0,0,0,0,0,0,0,
  388. &InteractiveSid
  389. );
  390. b = b && AllocateAndInitializeSid(
  391. &NtAuthority,
  392. 1,
  393. SECURITY_SERVICE_RID,
  394. 0,0,0,0,0,0,0,
  395. &ServiceSid
  396. );
  397. b = b && AllocateAndInitializeSid(
  398. &NtAuthority,
  399. 1,
  400. SECURITY_LOCAL_SYSTEM_RID,
  401. 0,0,0,0,0,0,0,
  402. &LocalSystemSid
  403. );
  404. b = b && AllocateAndInitializeSid(
  405. &NtAuthority,
  406. 2,
  407. SECURITY_BUILTIN_DOMAIN_RID,
  408. DOMAIN_ALIAS_RID_ADMINS,
  409. 0,0,0,0,0,0,
  410. &AliasAdminsSid
  411. );
  412. b = b && AllocateAndInitializeSid(
  413. &NtAuthority,
  414. 2,
  415. SECURITY_BUILTIN_DOMAIN_RID,
  416. DOMAIN_ALIAS_RID_USERS,
  417. 0,0,0,0,0,0,
  418. &AliasUsersSid
  419. );
  420. b = b && AllocateAndInitializeSid(
  421. &NtAuthority,
  422. 2,
  423. SECURITY_BUILTIN_DOMAIN_RID,
  424. DOMAIN_ALIAS_RID_GUESTS,
  425. 0,0,0,0,0,0,
  426. &AliasGuestsSid
  427. );
  428. b = b && AllocateAndInitializeSid(
  429. &NtAuthority,
  430. 2,
  431. SECURITY_BUILTIN_DOMAIN_RID,
  432. DOMAIN_ALIAS_RID_POWER_USERS,
  433. 0,0,0,0,0,0,
  434. &AliasPowerUsersSid
  435. );
  436. b = b && AllocateAndInitializeSid(
  437. &NtAuthority,
  438. 2,
  439. SECURITY_BUILTIN_DOMAIN_RID,
  440. DOMAIN_ALIAS_RID_ACCOUNT_OPS,
  441. 0,0,0,0,0,0,
  442. &AliasAccountOpsSid
  443. );
  444. b = b && AllocateAndInitializeSid(
  445. &NtAuthority,
  446. 2,
  447. SECURITY_BUILTIN_DOMAIN_RID,
  448. DOMAIN_ALIAS_RID_SYSTEM_OPS,
  449. 0,0,0,0,0,0,
  450. &AliasSystemOpsSid
  451. );
  452. b = b && AllocateAndInitializeSid(
  453. &NtAuthority,
  454. 2,
  455. SECURITY_BUILTIN_DOMAIN_RID,
  456. DOMAIN_ALIAS_RID_PRINT_OPS,
  457. 0,0,0,0,0,0,
  458. &AliasPrintOpsSid
  459. );
  460. b = b && AllocateAndInitializeSid(
  461. &NtAuthority,
  462. 2,
  463. SECURITY_BUILTIN_DOMAIN_RID,
  464. DOMAIN_ALIAS_RID_BACKUP_OPS,
  465. 0,0,0,0,0,0,
  466. &AliasBackupOpsSid
  467. );
  468. b = b && AllocateAndInitializeSid(
  469. &NtAuthority,
  470. 2,
  471. SECURITY_BUILTIN_DOMAIN_RID,
  472. DOMAIN_ALIAS_RID_REPLICATOR,
  473. 0,0,0,0,0,0,
  474. &AliasReplicatorSid
  475. );
  476. if(!b) {
  477. TearDownSids();
  478. }
  479. return(b ? NO_ERROR : GetLastError());
  480. }
  481. VOID
  482. TearDownSids(
  483. VOID
  484. )
  485. {
  486. if(NullSid) {
  487. FreeSid(NullSid);
  488. }
  489. if(WorldSid) {
  490. FreeSid(WorldSid);
  491. }
  492. if(LocalSid) {
  493. FreeSid(LocalSid);
  494. }
  495. if(CreatorOwnerSid) {
  496. FreeSid(CreatorOwnerSid);
  497. }
  498. if(CreatorGroupSid) {
  499. FreeSid(CreatorGroupSid);
  500. }
  501. if(DialupSid) {
  502. FreeSid(DialupSid);
  503. }
  504. if(NetworkSid) {
  505. FreeSid(NetworkSid);
  506. }
  507. if(BatchSid) {
  508. FreeSid(BatchSid);
  509. }
  510. if(InteractiveSid) {
  511. FreeSid(InteractiveSid);
  512. }
  513. if(ServiceSid) {
  514. FreeSid(ServiceSid);
  515. }
  516. if(LocalSystemSid) {
  517. FreeSid(LocalSystemSid);
  518. }
  519. if(AliasAdminsSid) {
  520. FreeSid(AliasAdminsSid);
  521. }
  522. if(AliasUsersSid) {
  523. FreeSid(AliasUsersSid);
  524. }
  525. if(AliasGuestsSid) {
  526. FreeSid(AliasGuestsSid);
  527. }
  528. if(AliasPowerUsersSid) {
  529. FreeSid(AliasPowerUsersSid);
  530. }
  531. if(AliasAccountOpsSid) {
  532. FreeSid(AliasAccountOpsSid);
  533. }
  534. if(AliasSystemOpsSid) {
  535. FreeSid(AliasSystemOpsSid);
  536. }
  537. if(AliasPrintOpsSid) {
  538. FreeSid(AliasPrintOpsSid);
  539. }
  540. if(AliasBackupOpsSid) {
  541. FreeSid(AliasBackupOpsSid);
  542. }
  543. if(AliasReplicatorSid) {
  544. FreeSid(AliasReplicatorSid);
  545. }
  546. }
  547. DWORD
  548. InitializeAces(
  549. IN OUT PACE_DATA DataTable,
  550. IN OUT PACE* AcesArray,
  551. IN OUT PULONG AceSizesArray,
  552. IN ULONG ArrayCount
  553. )
  554. /*++
  555. Routine Description:
  556. Initializes the array of ACEs as described in the DataTable
  557. Arguments:
  558. DataTable - Pointer to the array that contains the data
  559. describing each ACE.
  560. AcesArray - Array that will contain the ACEs.
  561. AceSizesArray - Array that contains the sizes for each ACE.
  562. ArrayCount - Number of elements in each array.
  563. Return Value:
  564. Win32 error code indicating outcome.
  565. --*/
  566. {
  567. unsigned u;
  568. DWORD Length;
  569. DWORD rc;
  570. BOOL b;
  571. DWORD SidLength;
  572. //
  573. // Initialize to a known state.
  574. //
  575. ZeroMemory(AcesArray,ArrayCount*sizeof(PACE));
  576. //
  577. // Create ACEs for each item in the data table.
  578. // This involves merging the ace data with the SID data, which
  579. // are initialized in an earlier step.
  580. //
  581. for(u=1; u<ArrayCount; u++) {
  582. SidLength = GetLengthSid(*(DataTable[u].Sid));
  583. Length = SidLength + sizeof(ACE) + sizeof(ACCESS_MASK)- sizeof(ULONG);
  584. AceSizesArray[u] = Length;
  585. AcesArray[u] = malloc(Length);
  586. if(!AcesArray[u]) {
  587. TearDownAces(AcesArray, ArrayCount);
  588. return(ERROR_NOT_ENOUGH_MEMORY);
  589. }
  590. AcesArray[u]->Header.AceType = DataTable[u].AceType;
  591. AcesArray[u]->Header.AceFlags = DataTable[u].AceFlags;
  592. AcesArray[u]->Header.AceSize = (WORD)Length;
  593. AcesArray[u]->Mask = DataTable[u].AccessMask;
  594. b = CopySid(
  595. SidLength, // Length - sizeof(ACE) + sizeof(ULONG),
  596. (PUCHAR)AcesArray[u] + sizeof(ACE),
  597. *(DataTable[u].Sid)
  598. );
  599. if(!b) {
  600. rc = GetLastError();
  601. TearDownAces(AcesArray, ArrayCount);
  602. return(rc);
  603. }
  604. }
  605. return(NO_ERROR);
  606. }
  607. VOID
  608. TearDownAces(
  609. IN OUT PACE* AcesArray,
  610. IN ULONG ArrayCount
  611. )
  612. /*++
  613. Routine Description:
  614. Destroys the array of ACEs as described in the DataTable
  615. Arguments:
  616. None
  617. Return Value:
  618. None
  619. --*/
  620. {
  621. unsigned u;
  622. for(u=1; u<ArrayCount; u++) {
  623. if(AcesArray[u]) {
  624. free(AcesArray[u]);
  625. }
  626. }
  627. }
  628. ULONG
  629. ApplyAclToDirOrFile(
  630. IN PCWSTR FullPath,
  631. IN PULONG AcesToApply,
  632. IN ULONG ArraySize
  633. )
  634. /*++
  635. Routine Description:
  636. Applies an ACL to a specified file or directory.
  637. Arguments:
  638. FullPath - supplies full win32 path to the file or directory
  639. to receive the ACL
  640. AcesIndexArray - Array that contains the index to the ACEs to be used in the ACL.
  641. ArraySize - Number of elements in the array.
  642. Return Value:
  643. --*/
  644. {
  645. DWORD AceCount;
  646. DWORD Ace;
  647. INT AceIndex;
  648. DWORD rc;
  649. SECURITY_DESCRIPTOR SecurityDescriptor;
  650. PACL Acl;
  651. UCHAR AclBuffer[2048];
  652. BOOL b;
  653. PCWSTR AclSection;
  654. ACL_SIZE_INFORMATION AclSizeInfo;
  655. //
  656. // Initialize a security descriptor and an ACL.
  657. // We use a large static buffer to contain the ACL.
  658. //
  659. Acl = (PACL)AclBuffer;
  660. if(!InitializeAcl(Acl,sizeof(AclBuffer),ACL_REVISION2)
  661. || !InitializeSecurityDescriptor(&SecurityDescriptor,SECURITY_DESCRIPTOR_REVISION)) {
  662. return(GetLastError());
  663. }
  664. //
  665. // Build up the DACL from the indices on the list we just looked up
  666. // in the ACL section.
  667. //
  668. rc = NO_ERROR;
  669. AceCount = ArraySize;
  670. for(Ace=0; Ace < AceCount; Ace++) {
  671. AceIndex = AcesToApply[ Ace ];
  672. if((AceIndex == 0) || (AceIndex >= DIRS_AND_FILES_ACE_COUNT)) {
  673. return(ERROR_INVALID_DATA);
  674. }
  675. b = AddAce(
  676. Acl,
  677. ACL_REVISION2,
  678. MAXULONG,
  679. AcesForDirsAndFiles[AceIndex],
  680. AcesForDirsAndFiles[AceIndex]->Header.AceSize
  681. );
  682. //
  683. // Track first error we encounter.
  684. //
  685. if(!b) {
  686. rc = GetLastError();
  687. }
  688. }
  689. if(rc != NO_ERROR) {
  690. return(rc);
  691. }
  692. //
  693. // Truncate the ACL, since only a fraction of the size we originally
  694. // allocated for it is likely to be in use.
  695. //
  696. if(!GetAclInformation(Acl,&AclSizeInfo,sizeof(ACL_SIZE_INFORMATION),AclSizeInformation)) {
  697. return(GetLastError());
  698. }
  699. Acl->AclSize = (WORD)AclSizeInfo.AclBytesInUse;
  700. //
  701. // Add the ACL to the security descriptor as the DACL
  702. //
  703. if(!SetSecurityDescriptorDacl(&SecurityDescriptor,TRUE,Acl,FALSE)) {
  704. return(GetLastError());
  705. }
  706. //
  707. // Finally, apply the security descriptor.
  708. //
  709. rc = SetFileSecurity(FullPath,DACL_SECURITY_INFORMATION,&SecurityDescriptor)
  710. ? NO_ERROR
  711. : GetLastError();
  712. return(rc);
  713. }
  714. DWORD
  715. ApplySecurityToRepairInfo(
  716. )
  717. /*++
  718. Routine Description:
  719. Arguments:
  720. Return Value:
  721. --*/
  722. {
  723. DWORD d, TempError;
  724. WCHAR Directory[MAX_PATH];
  725. BOOL SetAclsNt;
  726. DWORD FsFlags;
  727. DWORD Result;
  728. BOOL b;
  729. ULONG Count;
  730. PWSTR Files[] = {
  731. L"sam",
  732. L"security",
  733. L"software",
  734. L"system",
  735. L"default",
  736. L"ntuser.dat",
  737. L"sam._",
  738. L"security._",
  739. L"software._",
  740. L"system._",
  741. L"default._",
  742. L"ntuser.da_"
  743. };
  744. //
  745. // Get the file system of the system drive.
  746. // On x86 get the file system of the system partition.
  747. //
  748. d = NO_ERROR;
  749. SetAclsNt = FALSE;
  750. Result = GetWindowsDirectory(Directory,MAX_PATH);
  751. if(Result == 0) {
  752. MYASSERT(FALSE);
  753. return( GetLastError());
  754. }
  755. Directory[3] = 0;
  756. //
  757. // ApplySecurity to directories and files, if needed
  758. //
  759. b = GetVolumeInformation(Directory,NULL,0,NULL,NULL,&FsFlags,NULL,0);
  760. if(b && (FsFlags & FS_PERSISTENT_ACLS)) {
  761. SetAclsNt = TRUE;
  762. }
  763. if(SetAclsNt) {
  764. //
  765. // Initialize SIDs
  766. //
  767. d = InitializeSids();
  768. if(d != NO_ERROR) {
  769. return(d);
  770. }
  771. //
  772. // Initialize ACEs
  773. //
  774. d = InitializeAces(AceDataTableForDirsAndFiles, AcesForDirsAndFiles, AceSizesForDirsAndFiles, DIRS_AND_FILES_ACE_COUNT);
  775. if(d != NO_ERROR) {
  776. TearDownSids();
  777. return(d);
  778. }
  779. //
  780. // Go do the real work.
  781. //
  782. for( Count = 0; Count < sizeof( Files ) / sizeof( PWSTR ); Count++ ) {
  783. ULONG AcesToApply[] = { 2,
  784. 17
  785. };
  786. GetWindowsDirectory(Directory,MAX_PATH);
  787. wcscat( Directory, L"\\repair\\" );
  788. wcscat( Directory, Files[ Count ] );
  789. TempError = ApplyAclToDirOrFile( Directory, AcesToApply, sizeof( AcesToApply) / sizeof( ULONG ) );
  790. if( TempError != NO_ERROR ) {
  791. if( d == NO_ERROR ) {
  792. d = TempError;
  793. }
  794. }
  795. }
  796. //
  797. // Clean up.
  798. //
  799. TearDownAces(AcesForDirsAndFiles, DIRS_AND_FILES_ACE_COUNT);
  800. TearDownSids();
  801. }
  802. return(d);
  803. }