archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/net/rras/cps/pbserver/setacl.cpp

233 lines
6.2 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+----------------------------------------------------------------------------
  2. //
  3. // File: setacl.cpp
  4. //
  5. // Module: PBSERVER.DLL
  6. //
  7. // Synopsis: Security/SID/ACL stuff for CM
  8. //
  9. // Copyright (c) 1998-2000 Microsoft Corporation
  10. //
  11. // Author: 09-Mar-2000 SumitC Created
  12. //
  13. //+----------------------------------------------------------------------------
  15. #include <windows.h>
  17. //+----------------------------------------------------------------------------
  18. //
  19. // Func: SetAclPerms
  20. //
  21. // Desc: Sets appropriate permissions for CM/CPS's shared objects
  22. //
  23. // Args: [ppAcl] - location to return an allocated ACL
  24. //
  25. // Return: BOOL, TRUE for success, FALSE for failure
  26. //
  27. // Notes: fix for 30991: Security issue, don't use NULL DACLs.
  28. //
  29. // History: 09-Mar-2000 SumitC Created
  30. // 30-Jan-2002 SumitC added ACLs for other possible identities
  31. //
  32. //-----------------------------------------------------------------------------
  33. BOOL
  34. SetAclPerms(PACL * ppAcl)
  35. {
  36. DWORD dwError = 0;
  37. SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY;
  38. SID_IDENTIFIER_AUTHORITY siaNtAuth = SECURITY_NT_AUTHORITY;
  39. PSID psidWorldSid = NULL;
  40. PSID psidLocalSystemSid = NULL;
  41. PSID psidLocalServiceSid = NULL;
  42. PSID psidNetworkServiceSid = NULL;
  43. int cbAcl;
  44. PACL pAcl = NULL;
  46. // Create a SID for all users
  47. if ( !AllocateAndInitializeSid(
  48. &siaWorld,
  49. 1,
  50. SECURITY_WORLD_RID,
  51. 0,
  52. 0,
  53. 0,
  54. 0,
  55. 0,
  56. 0,
  57. 0,
  58. &psidWorldSid))
  59. {
  60. dwError = GetLastError();
  61. goto Cleanup;
  62. }
  64. //
  65. // As an ISAPI, we can be run as LocalSystem, LocalService or NetworkService.
  66. //
  67. // The note below explains why we give permissions to ALL of these, instead
  68. // of just the identity we are currently running as.
  69. //
  70. // - perfmon accesses our shared memory object, and may hold a handle to the
  71. // object (thus keeping it alive) while PBS is recycled.
  72. // - when the user changes PBS's identity via the IIS UI, IIS recycles PBS.
  73. // - if the above 2 happened, and the shared memory object had been created
  74. // with only the ACL for the old permissions, the newly restarted PBS wouldn't
  75. // be able to access the shared memory object.
  76. //
  78. // Create a SID for Local System account
  79. if ( !AllocateAndInitializeSid(
  80. &siaNtAuth,
  81. 2,
  82. SECURITY_BUILTIN_DOMAIN_RID,
  83. DOMAIN_ALIAS_RID_ADMINS,
  84. 0,
  85. 0,
  86. 0,
  87. 0,
  88. 0,
  89. 0,
  90. &psidLocalSystemSid))
  91. {
  92. dwError = GetLastError();
  93. goto Cleanup;
  94. }
  96. // Create a SID for Local Service account
  97. if ( !AllocateAndInitializeSid(
  98. &siaNtAuth,
  99. 1,
  100. SECURITY_LOCAL_SERVICE_RID,
  101. 0,
  102. 0,
  103. 0,
  104. 0,
  105. 0,
  106. 0,
  107. 0,
  108. &psidLocalServiceSid))
  109. {
  110. dwError = GetLastError();
  111. goto Cleanup;
  112. }
  114. // Create a SID for Network Service account
  115. if ( !AllocateAndInitializeSid(
  116. &siaNtAuth,
  117. 1,
  118. SECURITY_NETWORK_SERVICE_RID,
  119. 0,
  120. 0,
  121. 0,
  122. 0,
  123. 0,
  124. 0,
  125. 0,
  126. &psidNetworkServiceSid))
  127. {
  128. dwError = GetLastError();
  129. goto Cleanup;
  130. }
  132. // Calculate the length of required ACL buffer
  133. // with 4 ACEs.
  134. cbAcl = sizeof(ACL)
  135. + 4 * sizeof(ACCESS_ALLOWED_ACE)
  136. + GetLengthSid(psidWorldSid)
  137. + GetLengthSid(psidLocalSystemSid)
  138. + GetLengthSid(psidLocalServiceSid)
  139. + GetLengthSid(psidNetworkServiceSid);
  141. pAcl = (PACL) LocalAlloc(0, cbAcl);
  142. if (NULL == pAcl)
  143. {
  144. dwError = ERROR_OUTOFMEMORY;
  145. goto Cleanup;
  146. }
  148. if ( ! InitializeAcl(pAcl, cbAcl, ACL_REVISION2))
  149. {
  150. dwError = GetLastError();
  151. goto Cleanup;
  152. }
  154. // Add ACE with EVENT_ALL_ACCESS for all users
  155. if ( ! AddAccessAllowedAce(pAcl,
  156. ACL_REVISION2,
  157. GENERIC_READ,
  158. psidWorldSid))
  159. {
  160. dwError = GetLastError();
  161. goto Cleanup;
  162. }
  164. // FUTURE-2002/03/11-SumitC Is there a way to tell IIS to disable this option (running as Local System) in the UI
  165. // Add ACE with EVENT_ALL_ACCESS for Local System
  166. if ( ! AddAccessAllowedAce(pAcl,
  167. ACL_REVISION2,
  168. GENERIC_WRITE,
  169. psidLocalSystemSid))
  170. {
  171. dwError = GetLastError();
  172. goto Cleanup;
  173. }
  175. // Add ACE with EVENT_ALL_ACCESS for Local Service
  176. if ( ! AddAccessAllowedAce(pAcl,
  177. ACL_REVISION2,
  178. GENERIC_WRITE,
  179. psidLocalServiceSid))
  180. {
  181. dwError = GetLastError();
  182. goto Cleanup;
  183. }
  185. // Add ACE with EVENT_ALL_ACCESS for Network Service
  186. if ( ! AddAccessAllowedAce(pAcl,
  187. ACL_REVISION2,
  188. GENERIC_WRITE,
  189. psidNetworkServiceSid))
  190. {
  191. dwError = GetLastError();
  192. goto Cleanup;
  193. }
  195. Cleanup:
  197. if (dwError)
  198. {
  199. if (pAcl)
  200. {
  201. LocalFree(pAcl);
  202. }
  203. }
  204. else
  205. {
  206. *ppAcl = pAcl;
  207. }
  209. if (psidWorldSid)
  210. {
  211. FreeSid(psidWorldSid);
  212. }
  214. if (psidLocalSystemSid)
  215. {
  216. FreeSid(psidLocalSystemSid);
  217. }
  219. if (psidLocalServiceSid)
  220. {
  221. FreeSid(psidLocalServiceSid);
  222. }
  224. if (psidNetworkServiceSid)
  225. {
  226. FreeSid(psidNetworkServiceSid);
  227. }
  229. return dwError ? FALSE : TRUE;
  231. }