archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/net/ndis/tunmp/sys/tunsd.c

437 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2002 Microsoft Corporation
  5. Module Name:
  7. tunsd.c
  9. Abstract:
  11. utility routines to handle setting security descriptor on tunmp device.
  13. Environment:
  15. Kernel mode only.
  17. Revision History:
  19. alid 5/17/2002
  21. --*/
  23. #include <ntosp.h>
  24. #include <ntrtl.h>
  26. #define TUN_ALLOC_TAG 'untN'
  28. PACL NetConfigAcl = NULL;
  29. PSID NetConfigOpsSid = NULL;
  30. CHAR NetConfigSecurityDescriptor[SECURITY_DESCRIPTOR_MIN_LENGTH];
  32. PACL
  33. TunCreateAcl(
  34. BOOLEAN Admins,
  35. BOOLEAN LocalSystem,
  36. BOOLEAN LocalService,
  37. BOOLEAN NetworkService,
  38. BOOLEAN NetConfigOps,
  39. BOOLEAN Users,
  40. ACCESS_MASK AccessMask
  41. );
  43. NTSTATUS
  44. TunCreateGenericSD(
  45. PACL Acl,
  46. PCHAR AccessSecurityDescriptor
  47. );
  50. PACL
  51. TunCreateAcl(
  52. BOOLEAN Admins,
  53. BOOLEAN LocalSystem,
  54. BOOLEAN LocalService,
  55. BOOLEAN NetworkService,
  56. BOOLEAN NetConfigOps,
  57. BOOLEAN Users,
  58. ACCESS_MASK AccessMask
  59. )
  60. {
  61. PACL AccessDacl = NULL, pAcl = NULL;
  62. ULONG AclLength = 0;
  63. ULONG NetConfigOpsSidSize;
  64. SID_IDENTIFIER_AUTHORITY NetConfigOpsSidAuth = SECURITY_NT_AUTHORITY;
  65. PISID ISid;
  66. NTSTATUS Status;
  69. do
  70. {
  71. if (Admins)
  72. {
  73. AclLength += sizeof(ACL) +
  74. FIELD_OFFSET (ACCESS_ALLOWED_ACE, SidStart) +
  75. RtlLengthSid(SeExports->SeAliasAdminsSid);
  77. }
  79. if (LocalSystem)
  80. {
  81. AclLength += sizeof(ACL) +
  82. FIELD_OFFSET (ACCESS_ALLOWED_ACE, SidStart) +
  83. RtlLengthSid(SeExports->SeLocalSystemSid);
  85. }
  87. if (LocalService)
  88. {
  89. AclLength += sizeof(ACL) +
  90. FIELD_OFFSET (ACCESS_ALLOWED_ACE, SidStart) +
  91. RtlLengthSid(SeExports->SeLocalServiceSid);
  93. }
  95. if (NetworkService)
  96. {
  97. AclLength += sizeof(ACL) +
  98. FIELD_OFFSET (ACCESS_ALLOWED_ACE, SidStart) +
  99. RtlLengthSid(SeExports->SeNetworkServiceSid);
  101. }
  103. if (NetConfigOps)
  104. {
  105. NetConfigOpsSidSize = RtlLengthRequiredSid(2);
  106. NetConfigOpsSid = (PSID)ExAllocatePoolWithTag(PagedPool, NetConfigOpsSidSize, TUN_ALLOC_TAG);
  107. if (NULL == NetConfigOpsSid)
  108. {
  109. Status = STATUS_INSUFFICIENT_RESOURCES;
  110. break;
  111. }
  113. Status = RtlInitializeSid(NetConfigOpsSid, &NetConfigOpsSidAuth, 2);
  114. if (Status != STATUS_SUCCESS)
  115. {
  116. Status = STATUS_INSUFFICIENT_RESOURCES;
  117. break;
  118. }
  120. ISid = (PISID)(NetConfigOpsSid);
  121. ISid->SubAuthority[0] = SECURITY_BUILTIN_DOMAIN_RID;
  122. ISid->SubAuthority[1] = DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS;
  124. AclLength += sizeof(ACL) +
  125. FIELD_OFFSET (ACCESS_ALLOWED_ACE, SidStart) +
  126. RtlLengthSid(NetConfigOpsSid);
  128. }
  130. if (Users)
  131. {
  132. AclLength += sizeof(ACL) +
  133. FIELD_OFFSET (ACCESS_ALLOWED_ACE, SidStart) +
  134. RtlLengthSid(SeExports->SeAliasUsersSid);
  136. }
  138. AccessDacl = (PACL)ExAllocatePoolWithTag(PagedPool,
  139. AclLength,
  140. TUN_ALLOC_TAG);
  142. if (AccessDacl == NULL)
  143. {
  144. Status = STATUS_INSUFFICIENT_RESOURCES;
  145. break;
  146. }
  148. Status = RtlCreateAcl(AccessDacl,
  149. AclLength,
  150. ACL_REVISION2);
  152. if (!NT_SUCCESS(Status))
  153. {
  154. #if DBG
  155. DbgPrint("RtlCreateAcl failed, Status %lx.\n", Status);
  156. #endif
  157. break;
  158. }
  161. if (Admins)
  162. {
  163. Status = RtlAddAccessAllowedAce(
  164. AccessDacl,
  165. ACL_REVISION2,
  166. (STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL),
  167. SeExports->SeAliasAdminsSid
  168. );
  169. if (!NT_SUCCESS(Status))
  170. {
  171. #if DBG
  172. DbgPrint("RtlAddAccessAllowedAce failed, Status %lx.\n", Status);
  173. #endif
  175. break;
  176. }
  177. }
  179. if (LocalSystem)
  180. {
  181. Status = RtlAddAccessAllowedAce(
  182. AccessDacl,
  183. ACL_REVISION2,
  184. (STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL),
  185. SeExports->SeLocalSystemSid
  186. );
  187. if (!NT_SUCCESS(Status))
  188. {
  189. #if DBG
  190. DbgPrint("RtlAddAccessAllowedAce failed, Status %lx.\n", Status);
  191. #endif
  192. break;
  193. }
  194. }
  196. if (LocalService)
  197. {
  198. Status = RtlAddAccessAllowedAce(
  199. AccessDacl,
  200. ACL_REVISION2,
  201. (STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL),
  202. SeExports->SeLocalServiceSid
  203. );
  204. if (!NT_SUCCESS(Status))
  205. {
  206. #if DBG
  207. DbgPrint("RtlAddAccessAllowedAce failed, Status %lx.\n", Status);
  208. #endif
  209. break;
  210. }
  212. }
  214. if (NetworkService)
  215. {
  216. Status = RtlAddAccessAllowedAce(
  217. AccessDacl,
  218. ACL_REVISION2,
  219. (STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL),
  220. SeExports->SeNetworkServiceSid
  221. );
  222. if (!NT_SUCCESS(Status))
  223. {
  224. #if DBG
  225. DbgPrint("RtlAddAccessAllowedAce failed, Status %lx.\n", Status);
  226. #endif
  227. break;
  228. }
  229. }
  231. if (NetConfigOps)
  232. {
  233. Status = RtlAddAccessAllowedAce(
  234. AccessDacl,
  235. ACL_REVISION2,
  236. (STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL),
  237. NetConfigOpsSid
  238. );
  239. if (!NT_SUCCESS(Status))
  240. {
  241. #if DBG
  242. DbgPrint("RtlAddAccessAllowedAce failed, Status %lx.\n", Status);
  243. #endif
  244. break;
  245. }
  247. }
  249. if (Users)
  250. {
  251. Status = RtlAddAccessAllowedAce(
  252. AccessDacl,
  253. ACL_REVISION2,
  254. AccessMask,
  255. SeExports->SeAliasUsersSid
  256. );
  257. if (!NT_SUCCESS(Status))
  258. {
  259. DbgPrint("RtlAddAccessAllowedAce failed, Status %lx.\n", Status);
  260. break;
  261. }
  262. }
  264. pAcl = AccessDacl;
  266. }while (FALSE);
  268. if (pAcl == NULL)
  269. {
  270. if (AccessDacl)
  271. ExFreePool(AccessDacl);
  272. if (NetConfigOpsSid)
  273. {
  274. ExFreePool(NetConfigOpsSid);
  275. NetConfigOpsSid = NULL;
  276. }
  277. }
  279. return pAcl;
  281. }
  285. NTSTATUS
  286. TunCreateGenericSD(
  287. PACL Acl,
  288. PCHAR AccessSecurityDescriptor
  289. )
  291. /*++
  293. Routine Description:
  295. Creates the SD responsible for giving access to different users.
  297. Arguments:
  299. None.
  301. Return Value:
  303. STATUS_SUCCESS or an appropriate error code.
  305. --*/
  307. {
  308. PSECURITY_DESCRIPTOR AccessSd;
  309. NTSTATUS Status;
  311. if (Acl == NULL)
  312. return STATUS_UNSUCCESSFUL;
  314. do
  315. {
  316. AccessSd = AccessSecurityDescriptor;
  317. Status = RtlCreateSecurityDescriptor(
  318. AccessSd,
  319. SECURITY_DESCRIPTOR_REVISION1
  320. );
  322. if (!NT_SUCCESS(Status))
  323. {
  324. DbgPrint("RtlCreateSecurityDescriptor failed, Status %lx.\n", Status);
  325. break;
  326. }
  328. Status = RtlSetDaclSecurityDescriptor(
  329. AccessSd,
  330. TRUE, // DaclPresent
  331. Acl,
  332. FALSE // DaclDefaulted
  333. );
  335. if (!NT_SUCCESS(Status))
  336. {
  337. DbgPrint("RtlSetDaclSecurityDescriptor failed, Status %lx.\n", Status);
  338. break;
  339. }
  341. Status = RtlSetOwnerSecurityDescriptor(AccessSd,
  342. SeExports->SeAliasAdminsSid,
  343. FALSE);
  344. if (!NT_SUCCESS(Status))
  345. {
  346. DbgPrint("RtlSetOwnerSecurityDescriptor failed, Status %lx.\n", Status);
  347. break;
  348. }
  350. Status = RtlSetGroupSecurityDescriptor(AccessSd,
  351. SeExports->SeAliasAdminsSid,
  352. FALSE);
  354. if (!NT_SUCCESS(Status))
  355. {
  356. DbgPrint("RtlSetGroupSecurityDescriptor failed, Status %lx.\n", Status);
  357. break;
  358. }
  360. }while (FALSE);
  362. return (Status);
  363. }
  365. NTSTATUS
  366. TunCreateSD(
  367. VOID
  368. )
  369. {
  370. NTSTATUS Status;
  372. //
  373. // create an ACL for admin types
  374. //
  375. NetConfigAcl = TunCreateAcl(TRUE, // Admins
  376. TRUE, //LocalSystem
  377. TRUE, //LocalService
  378. TRUE, //NetworkService
  379. TRUE, //NetConfigOps
  380. FALSE, //Users
  381. GENERIC_READ | GENERIC_WRITE
  382. );
  384. if (NetConfigAcl != NULL)
  385. {
  386. Status = TunCreateGenericSD(NetConfigAcl, NetConfigSecurityDescriptor);
  387. }
  388. else
  389. {
  390. Status = STATUS_UNSUCCESSFUL;
  391. }
  393. return Status;
  394. }
  396. NTSTATUS
  397. TunSetSecurity(
  398. IN PDEVICE_OBJECT DeviceObject
  399. )
  400. {
  401. NTSTATUS Status;
  402. SECURITY_INFORMATION secInfo = OWNER_SECURITY_INFORMATION |
  403. GROUP_SECURITY_INFORMATION |
  404. DACL_SECURITY_INFORMATION;
  407. Status = ObSetSecurityObjectByPointer(DeviceObject,
  408. secInfo,
  409. NetConfigSecurityDescriptor);
  411. ASSERT(NT_SUCCESS(Status));
  413. return Status;
  415. }
  418. VOID
  419. TunDeleteSD(
  420. VOID
  421. )
  422. /*
  423. delete NetConfigAcl
  424. */
  425. {
  426. if (NetConfigAcl != NULL)
  427. {
  428. ExFreePool(NetConfigAcl);
  429. NetConfigAcl = NULL;
  430. }
  431. if (NetConfigOpsSid != NULL)
  432. {
  433. ExFreePool(NetConfigOpsSid);
  434. NetConfigOpsSid = NULL;
  435. }
  436. }