|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1996 - 1996.
//
// File: MARTABAS.CXX
//
// Contents: Implementation of the base MARTA funcitons
//
// History: 22-Jul-96 MacM Created
//
//----------------------------------------------------------------------------
#include <aclpch.hxx>
#pragma hdrstop
#include <ntprov.hxx>
#include <strings.h>
#include <ntdsguid.h>
CSList gWrkrList(NtProvFreeWorkerItem); // List of active worker threads
//+---------------------------------------------------------------------------
//
// Function: AccProvGetCapabilities
//
// Synopsis: Gets the provider capabilities
//
// Arguments: [IN fClass] -- Class of capabilities to request
// [OUT pulCaps] -- Provider capabilities
//
// Returns: VOID
//
// Notes:
//
//----------------------------------------------------------------------------
VOIDWINAPIAccProvGetCapabilities(IN ULONG fClass, OUT PULONG pulCaps){ acDebugOut((DEB_TRACE_API,"in.out AccProvGetCapabilities\n"));
if(fClass == ACTRL_CLASS_GENERAL) { *pulCaps = ACTRL_CAP_KNOWS_SIDS | ACTRL_CAP_SUPPORTS_HANDLES; } else { *pulCaps = ACTRL_CAP_NONE; }
return;}
//+---------------------------------------------------------------------------
//
// Function: AccProvIsObjectAccessible
//
// Synopsis: Determines if the given path is accessible or not
//
// Arguments: [IN pwszObjectPath] -- Path to the object in question
// [IN ObjectType] -- Type of the object
//
// Returns: ERROR_SUCCESS -- The path is recognized
// ERROR_PATH_NOT_FOUND -- The path was not recognized
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvIsObjectAccessible(IN LPCWSTR pwszObjectPath, IN SE_OBJECT_TYPE ObjectType){ acDebugOut((DEB_TRACE_API,"in AccProvIsObjectAccessible\n")); DWORD dwErr = ERROR_PATH_NOT_FOUND; PWSTR DsServerlessPath, OldServerPath = NULL;
static NTMARTA_ACCESS_CACHE rgAccessCache[MAX_ACCESS_ENTRIES]; static ULONG cCacheEntries = 0; static ULONG iCacheOldest = 0;
//
// First, check our cache. Maybe we can get out cheap. Note that
// we expect our result to be failure when we start.
//
ULONG dwObjLen = wcslen(pwszObjectPath); if(dwObjLen < MAX_PATH) { RtlAcquireResourceShared(&gCacheLock, TRUE); for(ULONG iIndex = 0; iIndex < cCacheEntries && dwErr == ERROR_PATH_NOT_FOUND; iIndex++) { //
// We'll have to do this base on object type...
//
switch(ObjectType) { case SE_SERVICE: case SE_PRINTER: case SE_REGISTRY_KEY: //
// See if it's a UNC name, in which case we'll compare
// the only the server\\share name.
//
if(dwObjLen > 1 && pwszObjectPath[1] == L'\\') { //
// It's a UNC name
//
if(_wcsnicmp(pwszObjectPath, rgAccessCache[iIndex].wszPath, rgAccessCache[iIndex].cLen) == 0 && (*(pwszObjectPath + rgAccessCache[iIndex].cLen) == L'\0' || *(pwszObjectPath + rgAccessCache[iIndex].cLen) == L'\\')) { dwErr = ERROR_SUCCESS; } } else { if(_wcsicmp(pwszObjectPath, rgAccessCache[iIndex].wszPath) == 0) { dwErr = ERROR_SUCCESS; } } break;
case SE_DS_OBJECT: case SE_DS_OBJECT_ALL: //
// These have to match exact. Handle the case where we were given a
// server name prefixed DS path
//
if(IS_UNC_PATH(pwszObjectPath, dwObjLen ) ) { DsServerlessPath = wcschr(pwszObjectPath+2, L'\\');
if(DsServerlessPath != NULL) { DsServerlessPath++; OldServerPath = ( PWSTR )pwszObjectPath; pwszObjectPath = DsServerlessPath; dwObjLen = wcslen(DsServerlessPath); } }
if(dwObjLen == rgAccessCache[iIndex].cLen && _wcsicmp(pwszObjectPath, rgAccessCache[iIndex].wszPath) == 0) { dwErr = ERROR_SUCCESS; }
break;
case SE_FILE_OBJECT: case SE_KERNEL_OBJECT: case SE_LMSHARE: case SE_WMIGUID_OBJECT:
if(dwObjLen == rgAccessCache[iIndex].cLen && _wcsicmp(pwszObjectPath, rgAccessCache[iIndex].wszPath) == 0) { dwErr = ERROR_SUCCESS; }
break; }
//
// Make sure our types match...
//
if(dwErr == ERROR_SUCCESS && ObjectType != rgAccessCache[iIndex].ObjectType) { dwErr = ERROR_PATH_NOT_FOUND; }#ifdef DBG
if(dwErr == ERROR_SUCCESS) { acDebugOut((DEB_TRACE_CACHE, "Object %ws [%lu] found in cache!\n", rgAccessCache[iIndex].wszPath, rgAccessCache[iIndex].ObjectType)); }#endif
}
RtlReleaseResource(&gCacheLock); }
//
// If we got a match, return
//
if(dwErr == ERROR_SUCCESS) { return(ERROR_SUCCESS); }
//
// Well, that didn't work, so we'll have to go check. Note that there
// is not a lock here, so there is a window whereby an entry could be added
// for the path that we are currently checking. If that happens, it only
// means that the same entry will be in the cache more than once. This
// is harmless.
//
HANDLE hHandle;
switch (ObjectType) { case SE_FILE_OBJECT: dwErr = IsFilePathLocalOrLM((PWSTR)pwszObjectPath); break;
case SE_SERVICE: dwErr = OpenServiceObject((PWSTR)pwszObjectPath, SERVICE_USER_DEFINED_CONTROL, (SC_HANDLE *)&hHandle); if(dwErr == ERROR_SUCCESS) { CloseServiceHandle((SC_HANDLE)hHandle); } else { if(dwErr == ERROR_SERVICE_DOES_NOT_EXIST || dwErr == ERROR_INVALID_NAME) { dwErr = ERROR_PATH_NOT_FOUND; } } break;
case SE_PRINTER: dwErr = OpenPrinterObject((PWSTR)pwszObjectPath, PRINTER_ACCESS_USE, &hHandle); if(dwErr == ERROR_SUCCESS) { ClosePrinter(hHandle); } else { if(dwErr == ERROR_INVALID_PRINTER_NAME) { dwErr = ERROR_PATH_NOT_FOUND; } } break;
case SE_REGISTRY_KEY: dwErr = OpenRegistryObject((PWSTR)pwszObjectPath, KEY_EXECUTE, &hHandle); if(dwErr == ERROR_SUCCESS) { RegCloseKey((HKEY)hHandle); } else { if(dwErr == ERROR_INVALID_PARAMETER || dwErr == ERROR_FILE_NOT_FOUND) { dwErr = ERROR_PATH_NOT_FOUND; }
}
break;
case SE_LMSHARE: //
// Note that this doesn't have to be a local share, just a lan man
// share
//
dwErr = PingLmShare(pwszObjectPath);
break;
case SE_KERNEL_OBJECT: // FALL THROUGH
case SE_WMIGUID_OBJECT:
//
// Can't have kernel objects outside of NT, so just return success
//
dwErr = ERROR_SUCCESS; break;
case SE_DS_OBJECT: // FALL THROUGH
case SE_DS_OBJECT_ALL: dwErr = PingDSObj(OldServerPath ? OldServerPath : pwszObjectPath); break;
default:
//
// Unknown object type. Pass it on.
//
dwErr = ERROR_PATH_NOT_FOUND; break; }
if(dwErr == ERROR_ACCESS_DENIED) {
dwErr = ERROR_SUCCESS; }
//
// Add it to the cache, if we succeeded
//
if(dwErr == ERROR_SUCCESS && (ObjectType != SE_KERNEL_OBJECT && ObjectType != SE_WMIGUID_OBJECT)) { //
// Lock the cache
//
RtlAcquireResourceExclusive(&gCacheLock, TRUE);
//
// For some items, we'll want to save the root of the path, since it
// is not possible to have linked services, registry keys, etc, while
// for files and shares, it can cause problems. If an entry is too
// long to be cached, we'll ignore it.
//
if(dwObjLen <= MAX_PATH) { //
// Save off the object type and path name. For those that
// need it, we'll go through and shorten them as requried.
//
rgAccessCache[iCacheOldest].ObjectType = ObjectType; wcscpy(rgAccessCache[iCacheOldest].wszPath, pwszObjectPath); rgAccessCache[iCacheOldest].cLen = dwObjLen;
PWSTR pwszLop = rgAccessCache[iCacheOldest].wszPath; switch (ObjectType) { case SE_SERVICE: case SE_PRINTER: case SE_REGISTRY_KEY: //
// See if it's a UNC name, in which case we'll lop
// it off
//
if(IS_UNC_PATH(pwszObjectPath, dwObjLen)) { //
// It's a UNC name, so lop it off
//
pwszLop = wcschr(pwszLop + 2, L'\\'); if(pwszLop != NULL) { pwszLop = wcschr(pwszLop + 1, '\\');
if(pwszLop != NULL) { *pwszLop = L'\0'; rgAccessCache[iCacheOldest].cLen = (DWORD)(pwszLop - rgAccessCache[iCacheOldest].wszPath); } } } break;
case SE_DS_OBJECT: case SE_DS_OBJECT_ALL: //
// Save off the domain name part
//
//
// Note that we'll get the object in RDN format, so
// it's a simple matter to lop it off if necessary
pwszLop = wcschr(pwszLop, L'\\'); if(pwszLop != NULL) { *pwszLop = L'\0'; rgAccessCache[iCacheOldest].cLen = (DWORD)(pwszLop - rgAccessCache[iCacheOldest].wszPath); } break; }
//
// Update our indexes and counts
//
if(cCacheEntries < MAX_ACCESS_ENTRIES) { cCacheEntries++; }
iCacheOldest++; if(iCacheOldest == MAX_ACCESS_ENTRIES) { iCacheOldest = 0; } }
RtlReleaseResource(&gCacheLock); }
if ( dwErr == ERROR_INVALID_NAME ) {
acDebugOut(( DEB_ERROR, "%ws returned ERROR_INVALID_NAME\n", pwszObjectPath )); ASSERT( FALSE );
} acDebugOut((DEB_TRACE_API,"out AccProvIsObjectAccessible: %lu\n", dwErr)); return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleIsObjectAccessible
//
// Synopsis: Determines if the given object is accessible or not given
// a handle to it
//
// Arguments: [IN hObject] -- Object handle
// [IN ObjectType] -- Type of the object
//
// Returns: ERROR_SUCCESS -- The path is recognized
// ERROR_PATH_NOT_FOUND -- The path was not recognized
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleIsObjectAccessible(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType){ acDebugOut((DEB_TRACE_API,"in AccProvHandleIsObjectAccessible\n"));
DWORD dwErr = ERROR_PATH_NOT_FOUND;
//
// Because a handle can get reused, we can't cache them like we did
// above...
//
switch (ObjectType) { case SE_FILE_OBJECT: { DWORD dwHigh; DWORD dwSize = GetFileSize(hObject, &dwHigh); if(dwSize == 0xFFFFFFFF) { dwErr = GetLastError(); } else { dwErr = ERROR_SUCCESS; } } break;
case SE_SERVICE: { SERVICE_STATUS SvcStatus;
if(QueryServiceStatus((SC_HANDLE)hObject, &SvcStatus) == FALSE) { dwErr = GetLastError(); } else { dwErr = ERROR_SUCCESS; } } break;
case SE_PRINTER: { dwErr = LoadDLLFuncTable(); if(dwErr == ERROR_SUCCESS) { ULONG cNeeded; if(DLLFuncs.PGetPrinter(hObject, 1, NULL, 0, &cNeeded) == FALSE) { dwErr = GetLastError(); if(dwErr == ERROR_INSUFFICIENT_BUFFER) { dwErr = ERROR_SUCCESS; } } } } break;
case SE_REGISTRY_KEY: dwErr = RegQueryInfoKey((HKEY)hObject, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL); break;
case SE_KERNEL_OBJECT: // FALL THROUGH
case SE_WINDOW_OBJECT: // FALL THROUGH
case SE_WMIGUID_OBJECT: //
// Can't have kernel/windows objects outside of NT, so just return
// success
//
dwErr = ERROR_SUCCESS; break;
case SE_LMSHARE: // FALL THROUGH
case SE_DS_OBJECT: // FALL THROUGH
case SE_DS_OBJECT_ALL: //
// Can't have handles to DS objects
//
dwErr = ERROR_PATH_NOT_FOUND; break;
default:
//
// Unknown object type. Pass it on.
//
dwErr = ERROR_PATH_NOT_FOUND; break; }
//
// Make sure the reason we failed isn't because of permissions
//
if(dwErr == ERROR_ACCESS_DENIED) { dwErr = ERROR_SUCCESS; }
acDebugOut((DEB_TRACE_API,"out AccProvIsObjectAccessible: %lu\n", dwErr)); return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvCancelOperation
//
// Synopsis: Cancels an ongoing operation.
//
// Arguments: [IN pOverlapped] -- Operation to cancel
//
// Returns: ERROR_SUCCESS -- Success
// ERROR_INVALID_PARAMETER -- A bad overlapped structure was
// given
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvCancelOperation(IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr = ERROR_SUCCESS;
//
// Ok, first, grab a read lock, so nobody inserts on us, and find the
// right node
//
PNTMARTA_WRKR_INFO pWrkrNode = NULL;
{ // RtlAcquireResourceShared(&gWrkrLock, TRUE);
RtlAcquireResourceExclusive(&gWrkrLock, TRUE);
pWrkrNode = (PNTMARTA_WRKR_INFO)gWrkrList.Find((PVOID)pOverlapped, NtProvFindWorkerItem); RtlReleaseResource(&gWrkrLock); }
if(pWrkrNode == NULL) { dwErr = ERROR_INVALID_PARAMETER; } else { //
// All right. We'll set our stop flag, and wait for it to return..
// It doesn't matter what we set the flag to, since all we need to do
// is set it non-0
//
pWrkrNode->fState++;
//
// Now, wait for the call to finish
//
WaitForSingleObject(pWrkrNode->hWorker, INFINITE); }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvGetOperationResults
//
// Synopsis: Gets the results of an operation
//
// Arguments: [IN pOverlapped] -- Operation to cancel
// [OUT dwResults] -- Where the results are returned
// [OUT pcProcessed] -- Number of items processed
//
// Returns: ERROR_SUCCESS -- Success
// ERROR_INVALID_PARAMETER -- A bad overlapped structure was
// given
// ERROR_IO_PENDING -- Operation hasn't completed yet
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvGetOperationResults(IN PACTRL_OVERLAPPED pOverlapped, OUT PDWORD dwResults, OUT PDWORD pcProcessed){ DWORD dwErr = ERROR_SUCCESS; PNTMARTA_WRKR_INFO pWrkrNode = NULL;
//
// Ok, first, grab a write lock. This will prevent anyone from
// reading and or writing to the list, until we get done updating
// our overlapped structure.
//
RtlAcquireResourceExclusive(&gWrkrLock, TRUE);
pWrkrNode = (PNTMARTA_WRKR_INFO)gWrkrList.Find((PVOID)pOverlapped, NtProvFindWorkerItem);
RtlReleaseResource(&gWrkrLock);
if(pWrkrNode == NULL) { //
// Now, the reason we may have not found the node is that somebody
// has removed it. If so, check our overlapped structure, since
// that will have been updated by the last call
//
if(pOverlapped->hEvent != NULL) { dwErr = ERROR_INVALID_PARAMETER; } else { *dwResults = pOverlapped->Reserved2; if(pcProcessed != NULL) { *pcProcessed = pOverlapped->Reserved1; } } } else { //
// See if the thread has stopped processing or not
//
if(WaitForSingleObject(pWrkrNode->hWorker, 0) == WAIT_TIMEOUT) { if(pcProcessed != NULL) { *pcProcessed = pWrkrNode->cProcessed; } dwErr = ERROR_IO_PENDING; } else { //
// Get the results of the thread exit first.
//
if(GetExitCodeThread(pWrkrNode->hWorker, dwResults) == FALSE) { dwErr = GetLastError(); } else { dwErr = ERROR_SUCCESS; CloseHandle(pWrkrNode->hWorker); pWrkrNode->hWorker = NULL;
//
// Save off the results. They go in Reserved2 parameter
//
pOverlapped->Reserved2 = *dwResults; pOverlapped->Reserved1 = pWrkrNode->cProcessed;
//
// Remove the node from our list, and do our updates. We
// need to do all of this before releasing our resource,
// to prevent some race conditions
//
RtlAcquireResourceExclusive(&gWrkrLock, TRUE);
gWrkrList.Remove((PVOID)pWrkrNode);
RtlReleaseResource(&gWrkrLock);
//
// Deallocate our memory
//
AccFree(pWrkrNode); } } }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvSetAccessRights
//
// Synopsis: Sets the access rights on the given object. It replaces any
// existing rights.
//
// Arguments: [IN pwszObjectPath] -- Path to the object in question
// [IN ObjectType] -- Type of the object
// [IN pAccessList] -- Optional. The list of access
// rights to set.
// [IN pAuditList] -- Optional. The list of access
// rights to set.
// [IN pOwner] -- Optional. Owner to set
// [IN pGroup] -- Optional. Group to set
// [IN pOverlapped] -- Overlapped structure to use for
// asynchronous control
//
// Returns: ERROR_SUCCESS -- Success
// ERROR_NOT_ENOUGH_MEMORY -- A memory allocation failed
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvSetAccessRights(IN LPCWSTR pwszObjectPath, IN SE_OBJECT_TYPE ObjectType, IN SECURITY_INFORMATION SecurityInfo, IN OPTIONAL PACTRL_ACCESS pAccessList, IN OPTIONAL PACTRL_AUDIT pAuditList, IN OPTIONAL PTRUSTEE pOwner, IN OPTIONAL PTRUSTEE pGroup, IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr;
CAccessList *pAccList = new CAccessList; if(pAccList == NULL) { dwErr = ERROR_NOT_ENOUGH_MEMORY; } else { dwErr = pAccList->SetObjectType(ObjectType); if(dwErr == ERROR_SUCCESS) { if(FLAG_ON(SecurityInfo, DACL_SECURITY_INFORMATION)) { dwErr = pAccList->AddAccessLists(DACL_SECURITY_INFORMATION, pAccessList, FALSE); }
if(dwErr == ERROR_SUCCESS && FLAG_ON(SecurityInfo, SACL_SECURITY_INFORMATION)) { dwErr = pAccList->AddAccessLists(SACL_SECURITY_INFORMATION, pAuditList, FALSE); }
if(dwErr == ERROR_SUCCESS) { //
// Add the owner and group
//
dwErr = pAccList->AddOwnerGroup(SecurityInfo, pOwner, pGroup); } }
if(dwErr == ERROR_SUCCESS) { //
// Finally, if all that worked, we'll do the rest
//
dwErr = NtProvDoSet(pwszObjectPath, ObjectType, pAccList, pOverlapped, NTMARTA_DELETE_ALIST); }
if(dwErr != ERROR_SUCCESS) { delete(pAccList); } }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleSetAccessRights
//
// Synopsis: Sets the access rights on the given object. It replaces any
// existing rights.
//
// Arguments: [IN hObject] -- Handle to the object
// [IN ObjectType] -- Type of the object
// [IN pAccessList] -- Optional. The list of access
// rights to set.
// [IN pAuditList] -- Optional. The list of access
// rights to set.
// [IN pOwner] -- Optional. Owner to set
// [IN pGroup] -- Optional. Group to set
// [IN pOverlapped] -- Overlapped structure to use for
// asynchronous control
//
// Returns: ERROR_SUCCESS -- Success
// ERROR_NOT_ENOUGH_MEMORY -- A memory allocation failed
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleSetAccessRights(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType, IN SECURITY_INFORMATION SecurityInfo, IN PACTRL_ACCESS pAccessList OPTIONAL, IN PACTRL_AUDIT pAuditList OPTIONAL, IN PTRUSTEE pOwner OPTIONAL, IN PTRUSTEE pGroup OPTIONAL, IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr;
CAccessList *pAccList = new CAccessList; if(pAccList == NULL) { dwErr = ERROR_NOT_ENOUGH_MEMORY; } else { dwErr = pAccList->SetObjectType(ObjectType); if(dwErr == ERROR_SUCCESS) { if(FLAG_ON(SecurityInfo, DACL_SECURITY_INFORMATION)) { dwErr = pAccList->AddAccessLists(DACL_SECURITY_INFORMATION, pAccessList, FALSE); }
if(dwErr == ERROR_SUCCESS && FLAG_ON(SecurityInfo, SACL_SECURITY_INFORMATION)) { dwErr = pAccList->AddAccessLists(SACL_SECURITY_INFORMATION, pAuditList, FALSE); }
if(dwErr == ERROR_SUCCESS) { //
// Add the owner and group
//
dwErr = pAccList->AddOwnerGroup(SecurityInfo, pOwner, pGroup); } }
if(dwErr == ERROR_SUCCESS) { //
// Finally, if all that worked, we'll do the rest
//
dwErr = NtProvDoHandleSet(hObject, ObjectType, pAccList, pOverlapped, NTMARTA_DELETE_ALIST); }
if(dwErr != ERROR_SUCCESS) { delete pAccList; } }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvGrantAccessRights
//
// Synopsis: Grants the access rights on the given object. It merges the
// supplied rights with any existing rights.
//
// Arguments: [IN pwszObjectPath] -- Path to the object in question
// [IN ObjectType] -- Type of the object
// [IN pAccessList] -- Optional. The list of access
// rights to set.
// [IN pAuditList] -- Optional. The list of access
// rights to set.
//
// Returns: ERROR_SUCCESS -- The path is recognized
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvGrantAccessRights(IN LPCWSTR pwszObjectPath, IN SE_OBJECT_TYPE ObjectType, IN OPTIONAL PACTRL_ACCESS pAccessList, IN OPTIONAL PACTRL_AUDIT pAuditList, IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr = ERROR_SUCCESS;
//
// First, read the relevant information. This will involve getting the
// access and audit lists for each property specified in the access and
// audit list.
//
PACTRL_RIGHTS_INFO pRightsList = NULL; ULONG cItems; dwErr = NtProvSetRightsList(pAccessList, pAuditList, &cItems, &pRightsList); if(dwErr == ERROR_SUCCESS) { //
// First, read all of the rights
//
CAccessList *pAccList = NULL;
//
// NtProvGetAccessListForObject modifies its first
// parameter, so we can't pass in a CONST string.
//
PWSTR pwszTmpObjectPath = (PWSTR)AccAlloc( (wcslen(pwszObjectPath) + 1) * sizeof( WCHAR ) );
if (pwszTmpObjectPath) { wcscpy( pwszTmpObjectPath, pwszObjectPath ); pwszTmpObjectPath[wcslen(pwszObjectPath)] = UNICODE_NULL;
dwErr = NtProvGetAccessListForObject( pwszTmpObjectPath, ObjectType, pRightsList, cItems, &pAccList);
//
// Now, process the input lists
//
if(dwErr == ERROR_SUCCESS) { //
// First, the access list
//
if(pAccessList != NULL) { dwErr = pAccList->AddAccessLists(DACL_SECURITY_INFORMATION, pAccessList, TRUE);
}
//
// Then, the audit list
//
if(dwErr == ERROR_SUCCESS && pAuditList != NULL) { dwErr = pAccList->AddAccessLists(SACL_SECURITY_INFORMATION, pAuditList, TRUE); } }
if(dwErr == ERROR_SUCCESS) { //
// Finally, if all that worked, we'll do the rest
//
dwErr = NtProvDoSet(pwszObjectPath, ObjectType, pAccList, pOverlapped, NTMARTA_DELETE_ALIST); }
if(dwErr != ERROR_SUCCESS) { delete pAccList; }
AccFree( pwszTmpObjectPath ); } else { dwErr = ERROR_NOT_ENOUGH_MEMORY; }
AccFree(pRightsList); }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleGrantAccessRights
//
// Synopsis: Grants the access rights on the given object. It merges the
// supplied rights with any existing rights.
//
// Arguments: [IN hObject] -- Handle to the open object
// [IN ObjectType] -- Type of the object
// [IN pAccessList] -- Optional. The list of access
// rights to set.
// [IN pAuditList] -- Optional. The list of access
// rights to set.
//
// Returns: ERROR_SUCCESS -- The path is recognized
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleGrantAccessRights(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType, IN OPTIONAL PACTRL_ACCESS pAccessList, IN OPTIONAL PACTRL_AUDIT pAuditList, IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr = ERROR_SUCCESS;
//
// First, read the relevant information. This will involve getting the
// access and audit lists for each property specified in the access and
// audit list.
//
PACTRL_RIGHTS_INFO pRightsList = NULL; ULONG cItems; dwErr = NtProvSetRightsList(pAccessList, pAuditList, &cItems, &pRightsList); if(dwErr == ERROR_SUCCESS) { //
// First, read all of the rights
//
CAccessList *pAccList = NULL; dwErr = NtProvGetAccessListForHandle(hObject, ObjectType, pRightsList, cItems, &pAccList); //
// Don't need the rights list, so we might as well release it
//
AccFree(pRightsList);
//
// Now, process the input lists
//
if(dwErr == ERROR_SUCCESS) { //
// First, the access list
//
if(pAccessList != NULL) { dwErr = pAccList->AddAccessLists(DACL_SECURITY_INFORMATION, pAccessList, TRUE);
}
//
// Then, the audit list
//
if(dwErr == ERROR_SUCCESS && pAuditList != NULL) { dwErr = pAccList->AddAccessLists(SACL_SECURITY_INFORMATION, pAuditList, TRUE); } }
if(dwErr == ERROR_SUCCESS) { //
// Finally, if all that worked, we'll do the rest
//
dwErr = NtProvDoHandleSet(hObject, ObjectType, pAccList, pOverlapped, NTMARTA_DELETE_ALIST); }
if(dwErr != ERROR_SUCCESS) { delete pAccList; } }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvRevokeAccessRights
//
// Synopsis: Revokes the access rights on the given object. It goes
// through and removes any explicit entries for the given
// trustees
//
// Arguments: [IN pwszObjectPath] -- Path to the object in question
// [IN ObjectType] -- Type of the object
// [IN pwszProperty] -- Optional. The name of the
// property on the object to revoke
// for
// [IN cTrustees] -- Number of trustees in list
// [IN prgTrustees] -- List of trustees to revoke
//
// Returns: ERROR_SUCCESS -- The operation succeeded
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvRevokeAccessRights(IN LPCWSTR pwszObjectPath, IN SE_OBJECT_TYPE ObjectType, IN OPTIONAL LPCWSTR pwszProperty, IN ULONG cTrustees, IN PTRUSTEE prgTrustees, IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr = ERROR_SUCCESS;
CAccessList *pAccList = NULL; //
// First, read the relevant information
//
if(dwErr == ERROR_SUCCESS) { ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pwszProperty; RI.SeInfo = DACL_SECURITY_INFORMATION;
PWSTR pwszTmpObjectPath = (PWSTR)AccAlloc( (wcslen(pwszObjectPath) + 1) * sizeof( WCHAR ) );
if (pwszTmpObjectPath) { wcscpy( pwszTmpObjectPath, pwszObjectPath ); pwszTmpObjectPath[wcslen(pwszObjectPath)] = UNICODE_NULL;
dwErr = NtProvGetAccessListForObject(pwszTmpObjectPath, ObjectType, &RI, 1, &pAccList);
AccFree( pwszTmpObjectPath ); } else { dwErr = ERROR_NOT_ENOUGH_MEMORY; } }
for(DWORD iIndex = 0; iIndex < cTrustees && dwErr == ERROR_SUCCESS; iIndex++) { dwErr = pAccList->RemoveTrusteeFromAccess(DACL_SECURITY_INFORMATION, &(prgTrustees[iIndex]), (PWSTR)pwszProperty); }
//
// Then, do the set
//
if(dwErr == ERROR_SUCCESS) { dwErr = NtProvDoSet(pwszObjectPath, ObjectType, pAccList, pOverlapped, NTMARTA_DELETE_ALIST); }
if(dwErr != ERROR_SUCCESS) { delete pAccList; }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleRevokeAccessRights
//
// Synopsis: Revokes the access rights on the given object. It goes
// through and removes any explicit entries for the given
// trustees
//
// Arguments: [IN hObject] -- Handle to the open object
// [IN ObjectType] -- Type of the object
// [IN pwszProperty] -- Optional. The name of the
// property on the object to revoke
// for
// [IN cTrustees] -- Number of trustees in list
// [IN prgTrustees] -- List of trustees to revoke
//
// Returns: ERROR_SUCCESS -- The operation succeeded
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleRevokeAccessRights(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType, IN OPTIONAL LPCWSTR pwszProperty, IN ULONG cTrustees, IN PTRUSTEE prgTrustees, IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr = ERROR_SUCCESS;
CAccessList *pAccList = NULL;
//
// First, read the relevant information
//
if(dwErr == ERROR_SUCCESS) { ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pwszProperty; RI.SeInfo = DACL_SECURITY_INFORMATION; dwErr = NtProvGetAccessListForHandle(hObject, ObjectType, &RI, 1, &pAccList); }
for(DWORD iIndex = 0; iIndex < cTrustees && dwErr == ERROR_SUCCESS; iIndex++) { dwErr = pAccList->RemoveTrusteeFromAccess(DACL_SECURITY_INFORMATION, &(prgTrustees[iIndex]), (PWSTR)pwszProperty); }
//
// Then, do the set
//
if(dwErr == ERROR_SUCCESS) { dwErr = NtProvDoHandleSet(hObject, ObjectType, pAccList, pOverlapped, NTMARTA_DELETE_ALIST); }
if(dwErr != ERROR_SUCCESS) { delete pAccList; }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvRevokeAuditRights
//
// Synopsis: Revokes the audit rights on the given object. It goes
// through and removes any explicit entries for the given
// trustees
//
// Arguments: [IN pwszObjectPath] -- Path to the object in question
// [IN ObjectType] -- Type of the object
// [IN pwszProperty] -- Optional. The name of the
// property on the object to revoke
// for
// [IN cTrustees] -- Number of trustees in list
// [IN prgTrustees] -- List of trustees to revoke
//
// Returns: ERROR_SUCCESS -- The operation succeeded
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvRevokeAuditRights(IN LPCWSTR pwszObjectPath, IN SE_OBJECT_TYPE ObjectType, IN OPTIONAL LPCWSTR pwszProperty, IN ULONG cTrustees, IN PTRUSTEE prgTrustees, IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr = ERROR_SUCCESS;
CAccessList *pAccList = NULL; //
// First, read the relevant information
//
if(dwErr == ERROR_SUCCESS) { ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pwszProperty; RI.SeInfo = SACL_SECURITY_INFORMATION;
PWSTR pwszTmpObjectPath = (PWSTR)AccAlloc( (wcslen(pwszObjectPath) + 1) * sizeof( WCHAR ) );
if (pwszTmpObjectPath) { wcscpy( pwszTmpObjectPath, pwszObjectPath ); pwszTmpObjectPath[wcslen(pwszObjectPath)] = UNICODE_NULL;
dwErr = NtProvGetAccessListForObject(pwszTmpObjectPath, ObjectType, &RI, 1, &pAccList); AccFree( pwszTmpObjectPath ); } else { dwErr = ERROR_NOT_ENOUGH_MEMORY; } }
for(DWORD iIndex = 0; iIndex < cTrustees && dwErr == ERROR_SUCCESS; iIndex++) { dwErr = pAccList->RemoveTrusteeFromAccess(SACL_SECURITY_INFORMATION, &(prgTrustees[iIndex]), (PWSTR)pwszProperty); }
//
// Then, do the set
//
if(dwErr == ERROR_SUCCESS) { dwErr = NtProvDoSet(pwszObjectPath, ObjectType, pAccList, pOverlapped, NTMARTA_DELETE_ALIST); }
if(dwErr != ERROR_SUCCESS) { delete pAccList; }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleRevokeAuditRights
//
// Synopsis: Revokes the audit rights on the given object. It goes
// through and removes any explicit entries for the given
// trustees
//
// Arguments: [IN hObject] -- Handle to the open object
// [IN ObjectType] -- Type of the object
// [IN pwszProperty] -- Optional. The name of the
// property on the object to revoke
// for
// [IN cTrustees] -- Number of trustees in list
// [IN prgTrustees] -- List of trustees to revoke
//
// Returns: ERROR_SUCCESS -- The operation succeeded
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleRevokeAuditRights(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType, IN OPTIONAL LPCWSTR pwszProperty, IN ULONG cTrustees, IN PTRUSTEE prgTrustees, IN PACTRL_OVERLAPPED pOverlapped){ DWORD dwErr = ERROR_SUCCESS;
CAccessList *pAccList = NULL; //
// First, read the relevant information
//
if(dwErr == ERROR_SUCCESS) { ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pwszProperty; RI.SeInfo = SACL_SECURITY_INFORMATION; dwErr = NtProvGetAccessListForHandle(hObject, ObjectType, &RI, 1, &pAccList); }
for(DWORD iIndex = 0; iIndex < cTrustees && dwErr == ERROR_SUCCESS; iIndex++) { dwErr = pAccList->RemoveTrusteeFromAccess(SACL_SECURITY_INFORMATION, &(prgTrustees[iIndex]), (PWSTR)pwszProperty); }
//
// Then, do the set
//
if(dwErr == ERROR_SUCCESS) { dwErr = NtProvDoHandleSet(hObject, ObjectType, pAccList, pOverlapped, NTMARTA_DELETE_ALIST); }
if(dwErr != ERROR_SUCCESS) { delete pAccList; }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvGetAllRights
//
// Synopsis: Gets the all the requested rights from the object. This
// includes the access rights, audit rights, and owner and group
// if supported.
//
// Arguments: [IN pwszObjectPath] -- Path to the object in question
// [IN ObjectType] -- Type of the object
// [IN pwszProperty] -- Optional. The name of the
// property on the object to revoke
// for
// [OUT ppAccessList] -- Optional. Where to return the
// access list
// [OUT ppAuditList] -- Optional. Where to return the
// audit list.
// [OUT ppOwner] -- Number of trustees in list
// [OUT ppGroup] -- List of trustees to revoke
//
// Returns: ERROR_SUCCESS -- The operation succeeded
// ERROR_INVALID_PARAMETER -- An non-NULL property name was
// given on an object that doesn't
// support properties.
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvGetAllRights(IN LPCWSTR pwszObjectPath, IN SE_OBJECT_TYPE ObjectType, IN LPCWSTR pwszProperty, OUT OPTIONAL PACTRL_ACCESS *ppAccessList, OUT OPTIONAL PACTRL_AUDIT *ppAuditList, OUT OPTIONAL PTRUSTEE *ppOwner, OUT OPTIONAL PTRUSTEE *ppGroup){ acDebugOut((DEB_TRACE_API,"in AccProvGetAllRights\n")); DWORD dwErr = ERROR_SUCCESS;
//
// Do the simple parameter checks first...
//
if(pwszProperty != NULL && !(ObjectType == SE_DS_OBJECT_ALL || ObjectType == SE_DS_OBJECT)) { return(ERROR_INVALID_PARAMETER); }
SECURITY_INFORMATION SeInfo = 0;
//
// Determine what we need to read
//
if(ppAccessList != NULL) { SeInfo |= DACL_SECURITY_INFORMATION; *ppAccessList = NULL; }
if(ppAuditList != NULL) { SeInfo |= SACL_SECURITY_INFORMATION; *ppAuditList = NULL; }
if(ppOwner != NULL) { SeInfo |= OWNER_SECURITY_INFORMATION; *ppOwner = NULL; }
if(ppGroup != NULL) { SeInfo |= GROUP_SECURITY_INFORMATION; *ppGroup = NULL; }
//
// If nothing was requested, do nothing...
//
if(SeInfo == 0) { return(ERROR_SUCCESS); }
//
// Now, go ahead and do the read...
//
CAccessList *pAccList;
ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pwszProperty; RI.SeInfo = SeInfo;
//
// NtProvGetAccessListForObject modifies its first
// parameter, so we can't pass in a CONST string.
//
PWSTR pwszTmpObjectPath = (PWSTR)AccAlloc( (wcslen(pwszObjectPath) + 1) * sizeof( WCHAR ) );
if (pwszTmpObjectPath) { wcscpy( pwszTmpObjectPath, pwszObjectPath ); pwszTmpObjectPath[wcslen(pwszObjectPath)] = UNICODE_NULL;
dwErr = NtProvGetAccessListForObject(pwszTmpObjectPath, ObjectType, &RI, 1, &pAccList);
//
// Now, get the data in the form we need
//
if(dwErr == ERROR_SUCCESS) { //
// Now, convert the stuff that we need to...
//
dwErr = pAccList->MarshalAccessLists(SeInfo, ppAccessList, ppAuditList);
if(dwErr == ERROR_SUCCESS && ppOwner != NULL) { dwErr = pAccList->GetSDSidAsTrustee(OWNER_SECURITY_INFORMATION, ppOwner); }
if(dwErr == ERROR_SUCCESS && ppGroup != NULL) { dwErr = pAccList->GetSDSidAsTrustee(GROUP_SECURITY_INFORMATION, ppGroup); }
//
// Ok, if anything failed, we'll do the cleanup
//
if(dwErr != ERROR_SUCCESS) { if((SeInfo & DACL_SECURITY_INFORMATION) != 0) { AccFree(*ppAccessList); }
if((SeInfo & SACL_SECURITY_INFORMATION) != 0) { AccFree(*ppAuditList); }
if((SeInfo & OWNER_SECURITY_INFORMATION) != 0) { AccFree(*ppOwner); }
if((SeInfo & GROUP_SECURITY_INFORMATION) != 0) { AccFree(*ppGroup); } }
delete pAccList; }
AccFree( pwszTmpObjectPath ); } else { dwErr = ERROR_NOT_ENOUGH_MEMORY; }
//
// The destruction of the CAclList class will clean up all of the
// memory we obtained
//
acDebugOut((DEB_TRACE_API,"out AccProvGetAllRights: %lu\n", dwErr)); return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleGetAllRights
//
// Synopsis: Gets the all the requested rights from the object. This
// includes the access rights, audit rights, and owner and group
// if supported.
//
// Arguments: [IN hObject] -- Handle to the open object
// [IN ObjectType] -- Type of the object
// [IN pwszProperty] -- Optional. The name of the
// property on the object to revoke
// for
// [OUT ppAccessList] -- Optional. Where to return the
// access list
// [OUT ppAuditList] -- Optional. Where to return the
// audit list.
// [OUT ppOwner] -- Number of trustees in list
// [OUT ppGroup] -- List of trustees to revoke
//
// Returns: ERROR_SUCCESS -- The operation succeeded
// ERROR_INVALID_PARAMETER -- An non-NULL property name was
// given on an object that doesn't
// support properties.
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleGetAllRights(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType, IN LPCWSTR pwszProperty, OUT OPTIONAL PACTRL_ACCESS *ppAccessList, OUT OPTIONAL PACTRL_AUDIT *ppAuditList, OUT OPTIONAL PTRUSTEE *ppOwner, OUT OPTIONAL PTRUSTEE *ppGroup){ acDebugOut((DEB_TRACE_API,"in AccProvHandleGetAllRights\n")); DWORD dwErr = ERROR_SUCCESS;
//
// Do the simple parameter checks first...
//
if(pwszProperty != NULL && (ObjectType != SE_DS_OBJECT_ALL && ObjectType != SE_DS_OBJECT)) { return(ERROR_INVALID_PARAMETER); }
SECURITY_INFORMATION SeInfo = 0;
//
// Determine what we need to read
//
if(ppAccessList != NULL) { SeInfo |= DACL_SECURITY_INFORMATION; *ppAccessList = NULL; }
if(ppAuditList != NULL) { SeInfo |= SACL_SECURITY_INFORMATION; *ppAuditList = NULL; }
if(ppOwner != NULL) { SeInfo |= OWNER_SECURITY_INFORMATION; *ppOwner = NULL; }
if(ppGroup != NULL) { SeInfo |= GROUP_SECURITY_INFORMATION; *ppGroup = NULL; }
//
// If nothing was requested, do nothing...
//
if(SeInfo == 0) { return(ERROR_SUCCESS); }
//
// Now, go ahead and do the read...
//
CAccessList *pAccList;
ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pwszProperty; RI.SeInfo = SeInfo; dwErr = NtProvGetAccessListForHandle(hObject, ObjectType, &RI, 1, &pAccList);
//
// Now, get the data in the form we need
//
if(dwErr == ERROR_SUCCESS) { //
// Now, convert the stuff that we need to...
//
dwErr = pAccList->MarshalAccessLists(SeInfo, ppAccessList, ppAuditList);
if(dwErr == ERROR_SUCCESS && ppOwner != NULL) { dwErr = pAccList->GetSDSidAsTrustee(OWNER_SECURITY_INFORMATION, ppOwner); }
if(dwErr == ERROR_SUCCESS && ppGroup != NULL) { dwErr = pAccList->GetSDSidAsTrustee(GROUP_SECURITY_INFORMATION, ppGroup); }
//
// Ok, if anything failed, we'll do the cleanup
//
if(dwErr != ERROR_SUCCESS) { if((SeInfo & DACL_SECURITY_INFORMATION) != 0) { AccFree(*ppAccessList); }
if((SeInfo & SACL_SECURITY_INFORMATION) != 0) { AccFree(*ppAuditList); }
if((SeInfo & OWNER_SECURITY_INFORMATION) != 0) { AccFree(*ppOwner); }
if((SeInfo & GROUP_SECURITY_INFORMATION) != 0) { AccFree(*ppGroup); } }
delete pAccList; }
//
// The destruction of the CAclList class will clean up all of the
// memory we obtained
//
acDebugOut((DEB_TRACE_API,"out AccProvHandleGetAllRights: %lu\n", dwErr)); return(dwErr);}
DWORDAccProvpDoTrusteeAccessCalculations(IN CAccessList *pAccList, IN PTRUSTEE pTrustee, IN OUT PTRUSTEE_ACCESS pTrusteeAccess){ DWORD dwErr;
ULONG DeniedMask; ULONG AllowedMask; dwErr = pAccList->GetExplicitAccess(pTrustee, (PWSTR)pTrusteeAccess->lpProperty, &DeniedMask, &AllowedMask); if(dwErr == ERROR_SUCCESS) { //
// Process the entries
//
//
// It depends on what it is we're looking for...
//
pTrusteeAccess->fReturnedAccess = 0; if(pTrusteeAccess->fAccessFlags == TRUSTEE_ACCESS_EXPLICIT) { //
// Ok, we'll look for these explicit rights
//
//
// First, see if any of our denieds match...
//
if (pTrusteeAccess->Access == TRUSTEE_ACCESS_ALL) { pTrusteeAccess->fReturnedAccess = AllowedMask & ~DeniedMask; } else { if((pTrusteeAccess->Access & DeniedMask) == 0) { //
// Now, see if we're allowed
//
if((pTrusteeAccess->Access & AllowedMask) == pTrusteeAccess->Access) { pTrusteeAccess->fReturnedAccess = TRUSTEE_ACCESS_ALLOWED; } } } } else if(FLAG_ON(pTrusteeAccess->fAccessFlags, TRUSTEE_ACCESS_READ) || FLAG_ON(pTrusteeAccess->fAccessFlags, TRUSTEE_ACCESS_WRITE)) { //
// We're only looking for read/write access
//
ACCESS_RIGHTS Access[2]; ULONG fValue[2], i = 0;
if(FLAG_ON(pTrusteeAccess->fAccessFlags, TRUSTEE_ACCESS_READ)) { Access[i] = ACTRL_READ_CONTROL; fValue[i] = TRUSTEE_ACCESS_READ; i++; }
if(FLAG_ON(pTrusteeAccess->fAccessFlags, TRUSTEE_ACCESS_WRITE)) { Access[i] = ACTRL_CHANGE_ACCESS | ACTRL_CHANGE_OWNER; fValue[i] = TRUSTEE_ACCESS_WRITE; i++; }
for(ULONG iIndex = 0; iIndex < i; iIndex++) { if((Access[iIndex] & DeniedMask) == 0) { //
// Now, see if we're allowed
//
if((Access[iIndex] & AllowedMask) == Access[iIndex]) { pTrusteeAccess->fReturnedAccess |= fValue[iIndex]; } } } } else { dwErr = ERROR_INVALID_PARAMETER; }
//
// If we asked for read/write access, make sure we have them both
//
if(dwErr == ERROR_SUCCESS && pTrusteeAccess->fAccessFlags == TRUSTEE_ACCESS_READ_WRITE) { if( pTrusteeAccess->fReturnedAccess != TRUSTEE_ACCESS_READ_WRITE ) { pTrusteeAccess->fReturnedAccess = 0; } }
}
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvGetTrusteesAccess
//
// Synopsis: Determines whether the given trustee has the specified
// rights to the object
//
// Arguments: [IN pwszObjectPath] -- Path to the object in question
// [IN ObjectType] -- Type of the object
// [IN OUT pTrusteeAccess] -- Type of access to check for
// and where the access is returned
//
// Returns: ERROR_SUCCESS -- The operation succeeded
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvGetTrusteesAccess(IN LPCWSTR pwszObjectPath, IN SE_OBJECT_TYPE ObjectType, IN PTRUSTEE pTrustee, IN OUT PTRUSTEE_ACCESS pTrusteeAccess){ DWORD dwErr = ERROR_SUCCESS;
//
// Ok, first, we'll load all the objects entries that we need
//
CAccessList *pAccList; ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pTrusteeAccess->lpProperty; RI.SeInfo = DACL_SECURITY_INFORMATION;
PWSTR pwszTmpObjectPath = (PWSTR)AccAlloc( (wcslen(pwszObjectPath) + 1) * sizeof( WCHAR ) );
if (pwszTmpObjectPath) { wcscpy( pwszTmpObjectPath, pwszObjectPath ); pwszTmpObjectPath[wcslen(pwszObjectPath)] = UNICODE_NULL;
dwErr = NtProvGetAccessListForObject(pwszTmpObjectPath, ObjectType, &RI, 1, &pAccList); AccFree( pwszTmpObjectPath ); } else { dwErr = ERROR_NOT_ENOUGH_MEMORY; }
if(dwErr == ERROR_SUCCESS) { dwErr = AccProvpDoTrusteeAccessCalculations(pAccList, pTrustee, pTrusteeAccess); delete pAccList; }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleGetTrusteesAccess
//
// Synopsis: Determines whether the given trustee has the specified
// rights to the object
//
// Arguments: [IN hObject] -- Handle to the open object
// [IN ObjectType] -- Type of the object
// [IN OUT pTrusteeAccess] -- Type of access to check for
// and where the access is returned
//
// Returns: ERROR_SUCCESS -- The operation succeeded
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleGetTrusteesAccess(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType, IN PTRUSTEE pTrustee, IN OUT PTRUSTEE_ACCESS pTrusteeAccess){ DWORD dwErr = ERROR_SUCCESS;
//
// Ok, first, we'll load all the objects entries that we need
//
CAccessList *pAccList; ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pTrusteeAccess->lpProperty; RI.SeInfo = DACL_SECURITY_INFORMATION;
dwErr = NtProvGetAccessListForHandle(hObject, ObjectType, &RI, 1, &pAccList); if(dwErr == ERROR_SUCCESS) { dwErr = AccProvpDoTrusteeAccessCalculations(pAccList, pTrustee, pTrusteeAccess);
delete pAccList; }
return(dwErr);}
DWORDAccProvpDoAccessAuditedCalculations(IN CAccessList *pAccList, IN LPCWSTR pwszProperty, IN PTRUSTEE pTrustee, IN ACCESS_RIGHTS ulAuditRights, OUT PBOOL pfAuditedSuccess, OUT PBOOL pfAuditedFailure){ ULONG SuccessMask; ULONG FailureMask; DWORD dwErr = pAccList->GetExplicitAudits(pTrustee, (PWSTR)pwszProperty, &SuccessMask, &FailureMask); if(dwErr == ERROR_SUCCESS) {
//
// Process the entries
//
*pfAuditedSuccess = FALSE; *pfAuditedFailure = FALSE; if((ulAuditRights & SuccessMask) == ulAuditRights) { *pfAuditedSuccess = TRUE; }
if((ulAuditRights & FailureMask) == ulAuditRights) { *pfAuditedFailure = TRUE; } }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvIsAccessAudited
//
// Synopsis: Determines whether the given trustee will envoke an audit
// entry by accessing the object
//
// Arguments: [IN pwszObjectPath] -- Path to the object in question
// [IN ObjectType] -- Type of the object
// [IN pwszProperty] -- Optional. The name of the
// property on the object to revoke
// for
// [IN pTrustee] -- Trustee for which to check access
// [IN AuditRights] -- Type of audit we care about
// [OUT pfAccessAllowed] -- Where the results are returned.
//
// Returns: ERROR_SUCCESS -- The operation succeeded
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvIsAccessAudited(IN LPCWSTR pwszObjectPath, IN SE_OBJECT_TYPE ObjectType, IN LPCWSTR pwszProperty, IN PTRUSTEE pTrustee, IN ACCESS_RIGHTS AuditRights, OUT PBOOL pfAuditedSuccess, OUT PBOOL pfAuditedFailure){ DWORD dwErr = ERROR_SUCCESS;
//
// Ok, first, we'll load all the objects entries that we need
//
CAccessList *pAccList;
ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pwszProperty; RI.SeInfo = SACL_SECURITY_INFORMATION;
PWSTR pwszTmpObjectPath = (PWSTR)AccAlloc( (wcslen(pwszObjectPath) + 1) * sizeof( WCHAR ) );
if (pwszTmpObjectPath) { wcscpy( pwszTmpObjectPath, pwszObjectPath ); pwszTmpObjectPath[wcslen(pwszObjectPath)] = UNICODE_NULL;
dwErr = NtProvGetAccessListForObject(pwszTmpObjectPath, ObjectType, &RI, 1, &pAccList); AccFree( pwszTmpObjectPath ); } else { dwErr = ERROR_NOT_ENOUGH_MEMORY; }
if(dwErr == ERROR_SUCCESS) { dwErr = AccProvpDoAccessAuditedCalculations(pAccList, pwszProperty, pTrustee, AuditRights, pfAuditedSuccess, pfAuditedFailure); delete pAccList; }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleIsAccessAudited
//
// Synopsis: Determines whether the given trustee will envoke an audit
// entry by accessing the object
//
// Arguments: [IN hObject] -- Handle to the open object
// [IN ObjectType] -- Type of the object
// [IN pwszProperty] -- Optional. The name of the
// property on the object to revoke
// for
// [IN pTrustee] -- Trustee for which to check access
// [IN ulAuditRights] -- Type of audit we care about
// [OUT pfAccessAllowed] -- Where the results are returned.
//
// Returns: ERROR_SUCCESS -- The operation succeeded
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleIsAccessAudited(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType, IN LPCWSTR pwszProperty, IN PTRUSTEE pTrustee, IN ACCESS_RIGHTS AuditRights, OUT PBOOL pfAuditedSuccess, OUT PBOOL pfAuditedFailure){ DWORD dwErr = ERROR_SUCCESS;
//
// Ok, first, we'll load all the objects entries that we need
//
CAccessList *pAccList;
ACTRL_RIGHTS_INFO RI; RI.pwszProperty = (PWSTR)pwszProperty; RI.SeInfo = SACL_SECURITY_INFORMATION; dwErr = NtProvGetAccessListForHandle(hObject, ObjectType, &RI, 1, &pAccList); if(dwErr == ERROR_SUCCESS) { dwErr = AccProvpDoAccessAuditedCalculations(pAccList, pwszProperty, pTrustee, AuditRights, pfAuditedSuccess, pfAuditedFailure); delete pAccList; }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvpGetAccessInfoPerObjectType
//
// Synopsis: Returns the list of available access permissions for the
// specified object type
//
// Arguments: [IN ObjectType] -- Type of the object
// [IN DsObjType] -- If this is a DS object, the type
// of the object
// [IN pwszDsPath] -- Full path to the object
//
// [IN lpProperty] -- Optional. If present, the name of
// the property to get the access
// rights for.
// [IN fIsDir] -- If TRUE, the path is a directory
// [OUT pcEntries] -- Where the count of items is returned
// [OUT ppAccessInfo] -- Where the list of items is returned
// [OUT pcControlRights] -- Count of control rights are
// is returned here
// [OUT ppControlRights] -- Where the list of control rights
// is returned
// [OUT pfAccessFlags] -- Where the provider flags are
// returned.
//
// Returns: ERROR_SUCCESS -- The operation succeeded
// ERROR_INVALID_PARAMETER -- The operation failed
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvpGetAccessInfoPerObjectType(IN SE_OBJECT_TYPE ObjectType, IN BOOL fIsDir, IN PWSTR pwszDsPath, IN PWSTR lpProperty, OUT PULONG pcEntries, OUT PACTRL_ACCESS_INFO *ppAccessInfoList, OUT PULONG pcControlRights, OUT PACTRL_CONTROL_INFOW *ppControlRights, OUT PULONG pfAccessFlags){ DWORD dwErr = ERROR_SUCCESS; BOOL ControlRightsValid = FALSE; ULONG cStart = 0; ULONG cItems = 0;
#define LENGTH_OF_STR_GUID 37
#define LENGTH_OF_LONGEST_STRING 20
//
// DS control rights
//
*pfAccessFlags = ACTRL_ACCESS_NO_OPTIONS;
*ppControlRights = NULL; *pcControlRights = 0;
*ppAccessInfoList = 0; *pcEntries = 0;
//
// Do the right thing based on the object type
//
switch (ObjectType) { case SE_LMSHARE: // FALL THROUGH
case SE_FILE_OBJECT: if(fIsDir == TRUE) { cStart = ACCPROV_DIR_ACCESS; cItems = ACCPROV_NUM_DIR; } else { cStart = ACCPROV_FILE_ACCESS; cItems = ACCPROV_NUM_FILE; } break;
case SE_SERVICE: cStart = ACCPROV_SERVICE_ACCESS; cItems = ACCPROV_NUM_SERVICE; break;
case SE_PRINTER: cStart = ACCPROV_PRINT_ACCESS; cItems = ACCPROV_NUM_PRINT; break;
case SE_REGISTRY_KEY: cStart = ACCPROV_REGISTRY_ACCESS; cItems = ACCPROV_NUM_REGISTRY; break;
case SE_KERNEL_OBJECT: // FALL THROUGH
case SE_WMIGUID_OBJECT: cStart = ACCPROV_KERNEL_ACCESS; cItems = ACCPROV_NUM_KERNEL; break;
case SE_DS_OBJECT: // FALL THROUGH
case SE_DS_OBJECT_ALL: cStart = ACCPROV_DS_ACCESS; cItems = ACCPROV_NUM_DS; ControlRightsValid = TRUE; break;
case SE_WINDOW_OBJECT: cStart = ACCPROV_WIN_ACCESS; cItems = ACCPROV_NUM_WIN; break;
default: dwErr = ERROR_INVALID_PARAMETER; }
if(dwErr == ERROR_SUCCESS && ControlRightsValid == FALSE && lpProperty != NULL) { dwErr = ERROR_INVALID_PARAMETER; }
if(dwErr == ERROR_SUCCESS) { //
// Ok, we go through and size all of the strings that we need to add
//
ULONG cSize = 0; WCHAR wszBuff[ACCPROV_LONGEST_STRING + 1]; for(ULONG iIndex = 0; iIndex < cItems; iIndex++) { LoadString(ghDll, cStart + iIndex, wszBuff, ACCPROV_LONGEST_STRING);
cSize += SIZE_PWSTR(wszBuff); }
//
// Always return the standard rights, as well...
//
for(iIndex = 0; iIndex < ACCPROV_NUM_STD; iIndex++) { LoadString(ghDll, ACCPROV_STD_ACCESS + iIndex, wszBuff, ACCPROV_LONGEST_STRING); cSize += SIZE_PWSTR(wszBuff); }
//
// Make sure to return the proper count
//
*pcEntries = cItems + ACCPROV_NUM_STD;
//
// Ok, now we can allocate, and do the same thing again
//
*ppAccessInfoList = (PACTRL_ACCESS_INFO)AccAlloc( (cItems + ACCPROV_NUM_STD) * sizeof(ACTRL_ACCESS_INFO) + cSize); if(*ppAccessInfoList == NULL) { dwErr = ERROR_NOT_ENOUGH_MEMORY; }
if(*ppAccessInfoList == NULL) { dwErr = ERROR_NOT_ENOUGH_MEMORY; } else { PWSTR pwszStart = (PWSTR)((PBYTE)(*ppAccessInfoList) + (cItems + ACCPROV_NUM_STD) * sizeof(ACTRL_ACCESS_INFO)); //
// Start with the standard items
//
ULONG iLst = 0; for(iIndex = 0; iIndex < ACCPROV_NUM_STD; iIndex++) { LoadString(ghDll, ACCPROV_STD_ACCESS + iIndex, wszBuff, ACCPROV_LONGEST_STRING); cSize = SIZE_PWSTR(wszBuff);
memcpy(pwszStart, wszBuff, cSize);
//
// Handle STD_RIGTHS_ALL as a special case...
//
if(iIndex == ACCPROV_NUM_STD - 1) { (*ppAccessInfoList)[iLst].fAccessPermission = ACTRL_STD_RIGHTS_ALL; } else { (*ppAccessInfoList)[iLst].fAccessPermission = ACTRL_SYSTEM_ACCESS << iIndex; } (*ppAccessInfoList)[iLst].lpAccessPermissionName = pwszStart; pwszStart = (PWSTR)Add2Ptr(pwszStart,cSize); iLst++; }
for(ULONG iIndex = 0; iIndex < cItems; iIndex++) { LoadString(ghDll, cStart + iIndex, wszBuff, ACCPROV_LONGEST_STRING);
cSize = SIZE_PWSTR(wszBuff);
memcpy(pwszStart, wszBuff, cSize); (*ppAccessInfoList)[iLst].fAccessPermission = ACTRL_PERM_1 << iIndex; (*ppAccessInfoList)[iLst].lpAccessPermissionName = pwszStart; pwszStart = (PWSTR)Add2Ptr(pwszStart,cSize); iLst++; }
//
// Now, add extra control rights
//
if(ObjectType == SE_DS_OBJECT || ObjectType == SE_DS_OBJECT_ALL ) { dwErr = AccctrlLookupRightsByName( NULL, pwszDsPath, lpProperty, pcControlRights, ppControlRights);
//
// If we can't find the entry we want, return 0 items...
//
if(dwErr == ERROR_NOT_FOUND) { *pcControlRights = 0; *ppControlRights = NULL; dwErr = ERROR_SUCCESS; } } } }
if(dwErr == ERROR_SUCCESS) { *pcEntries = cItems + ACCPROV_NUM_STD;
} else { if(*ppAccessInfoList != NULL) { AccFree(*ppAccessInfoList); *pcEntries = 0; } }
return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvGetAccessInfoPerObjectType
//
// Synopsis: Returns the list of available access permissions for the
// specified object type
//
// Arguments: [IN lpObject] -- Full path to the object
// [IN ObjectType] -- Type of the object
// [IN lpProperty] -- Optional. If present, the name of
// the property to get the access
// rights for.
// [OUT pcEntries] -- Where the count of items is returned
// [OUT ppAccessInfo] -- Where the list of items is returned
// [OUT pfAccessFlags] -- Where the provider flags are
// returned.
//
// Returns: ERROR_SUCCESS -- The operation succeeded
// ERROR_INVALID_PARAMETER -- The operation failed
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvGetAccessInfoPerObjectType(IN LPCWSTR lpObject, IN SE_OBJECT_TYPE ObjectType, IN LPCWSTR lpProperty, OUT PULONG pcEntries, OUT PACTRL_ACCESS_INFO *ppAccessInfoList, OUT PULONG pcControlRights, OUT PACTRL_CONTROL_INFOW *ppControlRights, OUT PULONG pfAccessFlags){ DWORD dwErr = ERROR_SUCCESS; BOOL fIsDir = FALSE;
if(ObjectType == SE_LMSHARE || ObjectType == SE_FILE_OBJECT) { //
// Check to see whether this is a file or a directory...
//
ULONG ulAttribs = GetFileAttributes((PWSTR)lpObject); if(FLAG_ON(ulAttribs, FILE_ATTRIBUTE_DIRECTORY)) { fIsDir = TRUE; } }
if(dwErr == ERROR_SUCCESS) { dwErr = AccProvpGetAccessInfoPerObjectType(ObjectType, fIsDir, (LPWSTR)lpObject, (LPWSTR)lpProperty, pcEntries, ppAccessInfoList, pcControlRights, ppControlRights, pfAccessFlags); } return(dwErr);}
//+---------------------------------------------------------------------------
//
// Function: AccProvHandleGetAccessInfoPerObjectType
//
// Synopsis: Returns the list of available access permissions for the
// specified object type
//
// Arguments: [IN hObject] -- Handle to the open object
// [IN ObjectType] -- Type of the object
// [IN lpProperty] -- Optional. If present, the name of
// the property to get the access
// rights for.
// [OUT pcEntries] -- Where the count of items is returned
// [OUT ppAccessInfo] -- Where the list of items is returned
// [OUT pfAccessFlags] -- Where the provider flags are
// returned.
//
// Returns: ERROR_SUCCESS -- The operation succeeded
// ERROR_INVALID_PARAMETER -- The operation failed
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPIAccProvHandleGetAccessInfoPerObjectType(IN HANDLE hObject, IN SE_OBJECT_TYPE ObjectType, IN LPCWSTR lpProperty, OUT PULONG pcEntries, OUT PACTRL_ACCESS_INFO *ppAccessInfoList, OUT PULONG pcControlRights, OUT PACTRL_CONTROL_INFOW *ppControlRights, OUT PULONG pfAccessFlags){ DWORD dwErr = ERROR_SUCCESS; BOOL fIsDir = FALSE;
if(ObjectType == SE_LMSHARE || ObjectType == SE_FILE_OBJECT) { BY_HANDLE_FILE_INFORMATION BHFI; //
// Check to see whether this is a file or a directory...
//
if(GetFileInformationByHandle(hObject, &BHFI) == FALSE) { dwErr = GetLastError(); } else { if(FLAG_ON(BHFI.dwFileAttributes, FILE_ATTRIBUTE_DIRECTORY)) fIsDir = TRUE; } }
if(dwErr == ERROR_SUCCESS) { dwErr = AccProvpGetAccessInfoPerObjectType(ObjectType, fIsDir, NULL, (LPWSTR)lpProperty, pcEntries, ppAccessInfoList, pcControlRights, ppControlRights, pfAccessFlags); }
return(dwErr);}
|
