archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/termsrv/syslib/security.c

1167 lines
33 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*************************************************************************
  2. *
  3. * security.c
  4. *
  5. * NT Security routines
  6. *
  7. * copyright notice: Copyright 1997, Microsoft
  8. *
  9. *************************************************************************/
  11. #include <nt.h>
  12. #include <ntrtl.h>
  13. #include <nturtl.h>
  14. #include <ntexapi.h>
  15. #include <ntseapi.h>
  16. #include <stdlib.h>
  17. #include <stdio.h>
  18. #include <malloc.h>
  19. #include <windows.h>
  20. #include <string.h>
  21. #include <wcstr.h>
  22. #include "seopaque.h"
  23. #include "sertlp.h"
  25. #include <process.h>
  27. #include <winsta.h>
  28. #include <syslib.h>
  29. #include <lmcons.h> // for DNLEN KLB 09-18-96
  31. #include "security.h"
  33. #if DBG
  34. ULONG
  35. DbgPrint(
  36. PCH Format,
  37. ...
  38. );
  39. #define DBGPRINT(x) DbgPrint x
  40. #if DBGTRACE
  41. #define TRACE0(x) DbgPrint x
  42. #define TRACE1(x) DbgPrint x
  43. #else
  44. #define TRACE0(x)
  45. #define TRACE1(x)
  46. #endif
  47. #else
  48. #define DBGPRINT(x)
  49. #define TRACE0(x)
  50. #define TRACE1(x)
  51. #endif
  53. typedef struct _SIDLIST {
  54. struct _SIDLIST *Next;
  55. USHORT SidCrc;
  56. PWCHAR pAccountName;
  57. PWCHAR pDomainName;
  58. } SIDLIST, *PSIDLIST;
  60. static PSIDLIST SidCache = NULL;
  62. // Computer Name
  63. WCHAR ComputerName[MAX_COMPUTERNAME_LENGTH+1];
  65. // Admins only ACL
  66. PACL pAdminsOnlyAcl = NULL;
  67. DWORD AdminsOnlyAclSize = 0;
  69. //
  70. // Universal well known SIDs
  71. //
  73. PSID SeNullSid;
  74. PSID SeWorldSid;
  75. PSID SeLocalSid;
  76. PSID SeCreatorOwnerSid;
  77. PSID SeCreatorGroupSid;
  79. //
  80. // Sids defined by NT
  81. //
  83. PSID SeNtAuthoritySid;
  84. PSID SeDialupSid;
  85. PSID SeNetworkSid;
  86. PSID SeBatchSid;
  87. PSID SeInteractiveSid;
  88. PSID SeServiceSid;
  89. PSID SeLocalGuestSid;
  90. PSID SeLocalSystemSid;
  91. PSID SeLocalAdminSid;
  92. PSID SeLocalManagerSid;
  93. PSID SeAliasAdminsSid;
  94. PSID SeAliasUsersSid;
  95. PSID SeAliasGuestsSid;
  96. PSID SeAliasPowerUsersSid;
  97. PSID SeAliasAccountOpsSid;
  98. PSID SeAliasSystemOpsSid;
  99. PSID SeAliasPrintOpsSid;
  100. PSID SeAliasBackupOpsSid;
  101. PSID SeAliasReplicatorSid;
  103. static SID_IDENTIFIER_AUTHORITY SepNullSidAuthority = SECURITY_NULL_SID_AUTHORITY;
  104. static SID_IDENTIFIER_AUTHORITY SepWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
  105. static SID_IDENTIFIER_AUTHORITY SepLocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY;
  106. static SID_IDENTIFIER_AUTHORITY SepCreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
  107. static SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY;
  109. //
  110. // Sid of primary domain, and admin account in that domain
  111. //
  113. PSID SepPrimaryDomainSid;
  114. PSID SepPrimaryDomainAdminSid;
  117. // External data
  118. extern ADMIN_ACCOUNTS AllowAccounts[];
  119. extern DWORD AllowAccountEntries;
  120. extern ACCESS_MASK AllowAccess;
  122. extern ADMIN_ACCOUNTS DenyAccounts[];
  123. extern DWORD DenyAccountEntries;
  124. extern ACCESS_MASK DeniedAccess;
  127. // Forward and external references
  129. BOOLEAN
  130. InitializeBuiltinSids();
  132. BOOL
  133. LoadAccountSids();
  135. BOOL
  136. BuildSecureAcl();
  138. BOOL
  139. xxxLookupBuiltinAccount(
  140. PWCHAR pSystemName,
  141. PWCHAR pAccountName,
  142. PSID *ppSid
  143. );
  145. BOOL
  146. GetCurrentUserSid( PSID *ppSid );
  149. /*****************************************************************************
  150. *
  151. * InitSecurity
  152. *
  153. * Initialize the security package
  154. *
  155. * ENTRY:
  156. * Param1 (input/output)
  157. * Comments
  158. *
  159. * EXIT:
  160. * TRUE - no error
  161. * FALSE - error
  162. *
  163. ****************************************************************************/
  165. BOOL
  166. InitSecurity(
  167. )
  168. {
  169. BOOL rc;
  170. DWORD Size = sizeof(ComputerName)/sizeof(WCHAR);
  172. rc = GetComputerNameW( ComputerName, &Size );
  173. if( !rc ) {
  174. DBGPRINT(("***ERROR*** %d Could not get computer name\n",GetLastError() ));
  175. return( FALSE );
  176. }
  178. rc = InitializeBuiltinSids();
  179. if( !rc ) {
  180. DBGPRINT(("***ERROR*** Some built-in accounts not loaded\n"));
  181. return( FALSE );
  182. }
  184. rc = LoadAccountSids();
  185. if( !rc ) {
  186. DBGPRINT(("***ERROR*** Some accounts not loaded\n"));
  187. return( FALSE );
  188. }
  190. rc = BuildSecureAcl();
  191. if( !rc ) {
  192. DBGPRINT(("***ERROR*** Could not build ACL\n"));
  193. return( FALSE );
  194. }
  196. return( TRUE );
  197. }
  199. /*****************************************************************************
  200. *
  201. * LoadAccountSids
  202. *
  203. * Load the list of account access SIDS.
  204. *
  205. *
  206. * ENTRY:
  207. * Param1 (input/output)
  208. * Comments
  209. *
  210. * EXIT:
  211. * STATUS_SUCCESS - no error
  212. *
  213. ****************************************************************************/
  215. BOOL
  216. LoadAccountSids()
  217. {
  218. BOOL rc, Final;
  219. NTSTATUS Status;
  220. SID_IDENTIFIER_AUTHORITY gSystemSidAuthority = SECURITY_NT_AUTHORITY;
  222. Final = TRUE;
  224. //
  225. // Get the SID's for all of the allow accounts
  226. //
  228. //
  229. // Get the SID of the built-in Administrators group
  230. //
  232. Status = RtlAllocateAndInitializeSid(
  233. &gSystemSidAuthority,
  234. 2,
  235. SECURITY_BUILTIN_DOMAIN_RID,
  236. DOMAIN_ALIAS_RID_ADMINS,
  237. 0,0,0,0,0,0,
  238. &(AllowAccounts[ADMIN_ACCOUNT].pSid));
  239. if (!NT_SUCCESS(Status)) {
  240. DBGPRINT(("SYSLIB: Couldn't allocate Administrators SID (0x%x)\n", Status ));
  241. Final = FALSE;
  242. }
  244. //
  245. // SYSTEM
  246. //
  248. Status = RtlAllocateAndInitializeSid(
  249. &gSystemSidAuthority,
  250. 1,
  251. SECURITY_LOCAL_SYSTEM_RID,
  252. 0,0,0,0,0,0,0,
  253. &(AllowAccounts[SYSTEM_ACCOUNT].pSid));
  254. if (!NT_SUCCESS(Status)) {
  255. DBGPRINT(("SYSLIB: Couldn't allocate SYSTEM SID (0x%x)\n", Status ));
  256. Final = FALSE;
  257. }
  259. //
  260. // Get the current user's Sid
  261. //
  262. //First, see if we run in SYSTEM context.
  263. //If we do, get current user SID from TERMSRV, otherwise use a user SID from process token.
  264. Final = FALSE;
  266. {
  267. HANDLE hToken;
  268. PTOKEN_USER pTokenUser = NULL;
  269. DWORD dwInfoLength = 0;
  271. if(OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&hToken))
  272. {
  273. GetTokenInformation(hToken,TokenUser,pTokenUser,dwInfoLength,&dwInfoLength);
  275. if(dwInfoLength)
  276. {
  277. pTokenUser = (PTOKEN_USER)LocalAlloc(LPTR,dwInfoLength);
  278. if(pTokenUser)
  279. {
  280. if(GetTokenInformation(hToken,TokenUser,pTokenUser,dwInfoLength,&dwInfoLength))
  281. {
  282. if(EqualSid(AllowAccounts[SYSTEM_ACCOUNT].pSid,pTokenUser->User.Sid))
  283. {
  284. rc = xxxLookupAccountName(
  285. ComputerName,
  286. CURRENT_USER,
  287. &(AllowAccounts[USER_ACCOUNT].pSid)
  288. );
  290. if ( !rc )
  291. {
  292. // It might be a special builtin account
  293. rc = xxxLookupBuiltinAccount(
  294. ComputerName,
  295. CURRENT_USER,
  296. &(AllowAccounts[USER_ACCOUNT].pSid)
  297. );
  299. if( !rc )
  300. {
  301. DBGPRINT(("***WARNING*** Could not find SID for current user account, Error %d\n", GetLastError() ));
  302. }
  303. }
  304. if( rc )
  305. {
  306. Final = TRUE;
  307. }
  308. }
  309. else
  310. {
  311. DWORD dwSidLength = GetLengthSid(pTokenUser->User.Sid);
  312. AllowAccounts[USER_ACCOUNT].pSid = (PSID)LocalAlloc(LPTR,dwSidLength);
  313. if(AllowAccounts[USER_ACCOUNT].pSid)
  314. {
  315. CopyMemory(AllowAccounts[USER_ACCOUNT].pSid,pTokenUser->User.Sid,dwSidLength);
  316. Final = TRUE;
  317. }
  319. }
  320. }
  321. LocalFree(pTokenUser);
  322. }
  323. }
  325. CloseHandle(hToken);
  326. }
  327. }
  329. #ifdef notdef
  330. //
  331. // Lookup the SID's for all of the deny accounts
  332. //
  334. for( Index = 0; Index < DenyAccountEntries; Index++ ) {
  336. p = &DenyAccounts[Index];
  338. rc = xxxLookupAccountName(
  339. ComputerName,
  340. p->Name,
  341. &p->pSid
  342. );
  344. if( !rc ) {
  345. // It might be a special builtin account
  346. rc = xxxLookupBuiltinAccount(
  347. ComputerName,
  348. p->Name,
  349. &p->pSid
  350. );
  352. if( !rc ) {
  353. DBGPRINT(("***WARNING*** Could not find SID for account %ws Error %d\n",p->Name,GetLastError() ));
  354. Final = FALSE;
  355. }
  356. }
  357. }
  358. #endif
  360. // Lower level function outputs if any accounts are invalid
  362. return( Final );
  363. }
  365. /*****************************************************************************
  366. *
  367. * IsAllowSid
  368. *
  369. * Returns whether the supplied SID is in the allow group
  370. *
  371. *
  372. * ENTRY:
  373. * Param1 (input/output)
  374. * Comments
  375. *
  376. * EXIT:
  377. * STATUS_SUCCESS - no error
  378. *
  379. ****************************************************************************/
  381. BOOL
  382. IsAllowSid(
  383. PSID pSid
  384. )
  385. {
  386. DWORD Index;
  387. PADMIN_ACCOUNTS p;
  388. BOOL AllowSid = FALSE;
  390. for( Index = 0; Index < AllowAccountEntries; Index++ ) {
  392. p = &AllowAccounts[Index];
  394. if( p->pSid && EqualSid( pSid, p->pSid ) ) {
  395. // The Sid is for an allowed account
  396. AllowSid = TRUE;
  397. break;
  398. }
  399. }
  401. return( AllowSid );
  402. }
  405. /*****************************************************************************
  406. *
  407. * xxxLookupAccountName
  408. *
  409. * Wrapper to lookup the SID for a given account name
  410. *
  411. * Returns a pointer to the SID in newly allocated memory
  412. *
  413. * ENTRY:
  414. * Param1 (input/output)
  415. * Comments
  416. *
  417. * EXIT:
  418. * STATUS_SUCCESS - no error
  419. *
  420. ****************************************************************************/
  422. BOOL
  423. xxxLookupAccountName(
  424. PWCHAR pSystemName,
  425. PWCHAR pAccountName,
  426. PSID *ppSid
  427. )
  428. {
  429. BOOL rc;
  430. DWORD Size, DomainSize, Error;
  431. SID_NAME_USE Type;
  432. PWCHAR pDomain = NULL;
  433. PSID pSid = NULL;
  434. WCHAR Buf;
  435. WCHAR pCurrentUser[MAX_ACCOUNT_NAME]; // KLB 09-16-96
  436. DWORD dwCurrentUser = MAX_ACCOUNT_NAME; // KLB 09-16-96
  437. WCHAR pAccountToLookup[MAX_ACCOUNT_NAME+DNLEN+1]; // KLB 09-18-96
  438. LPWSTR pLogon32DomainName = NULL; // KLB 09-19-96
  439. WINSTATIONINFORMATION WinInfo; // KLB 09-30-96
  440. ULONG ReturnLength; // KLB 09-30-96
  442. Size = 0;
  443. DomainSize = 0;
  445. /*
  446. * Open the WinStation and Query its information.
  447. */
  448. memset( &WinInfo, 0, sizeof(WINSTATIONINFORMATION) );
  449. rc = WinStationQueryInformation( SERVERNAME_CURRENT,
  450. LOGONID_CURRENT,
  451. WinStationInformation,
  452. (PVOID)&WinInfo,
  453. sizeof(WINSTATIONINFORMATION),
  454. &ReturnLength );
  455. if ( !rc ) {
  456. DBGPRINT(("error querying winstation information %d.\n", GetLastError() ));
  457. return( FALSE );
  458. }
  459. if( ReturnLength != sizeof(WINSTATIONINFORMATION) ) {
  460. DBGPRINT(("winstation info version mismatch!\n"));
  461. return( FALSE );
  462. }
  464. if (lstrcmpi(pAccountName,CURRENT_USER) == 0) {
  465. lstrcpy( pAccountToLookup, WinInfo.Domain );
  466. lstrcat( pAccountToLookup, L"\\" );
  467. lstrcat( pAccountToLookup, WinInfo.UserName );
  468. } else {
  469. lstrcpy( pAccountToLookup, pAccountName );
  470. }
  471. DBGPRINT(( "looking up account %ws\n", pAccountToLookup ));
  473. rc = LookupAccountNameW(
  474. pSystemName,
  475. pAccountToLookup, // KLB 09-16-96
  476. &Buf, // pSid
  477. &Size,
  478. &Buf, // pDomain
  479. &DomainSize,
  480. &Type
  481. );
  483. if( rc ) {
  484. DBGPRINT(("Internal error on account name %ws\n",pAccountToLookup));
  485. return( FALSE );
  486. }
  487. else {
  488. Error = GetLastError();
  489. if( Error != ERROR_INSUFFICIENT_BUFFER ) {
  490. DBGPRINT(("***ERROR*** %d looking up SID for account name %ws skipped without processing!\n",Error,pAccountToLookup));
  491. return( FALSE );
  492. }
  494. pSid = LocalAlloc( LMEM_FIXED, Size );
  495. if( pSid == NULL ) {
  496. DBGPRINT(("***ERROR*** Out of memory, skipped account %ws without processing!\n",pAccountToLookup));
  497. return( FALSE );
  498. }
  500. pDomain = LocalAlloc( LMEM_FIXED, DomainSize*sizeof(WCHAR) );
  501. if( pDomain == NULL ) {
  502. DBGPRINT(("***ERROR*** Out of memory, skipped account %ws without processing!\n",pAccountToLookup));
  503. LocalFree( pSid );
  504. return( FALSE );
  505. }
  507. rc = LookupAccountNameW(
  508. pSystemName,
  509. pAccountToLookup,
  510. pSid,
  511. &Size,
  512. pDomain,
  513. &DomainSize,
  514. &Type
  515. );
  517. if( !rc ) {
  518. DBGPRINT(("***ERROR*** %d looking up SID for account name %ws skipped without processing!\n",Error,pAccountToLookup));
  519. LocalFree( pSid );
  520. LocalFree( pDomain );
  521. return( FALSE );
  522. }
  524. *ppSid = pSid;
  526. LocalFree( pDomain );
  527. DBGPRINT(( "leaving xxxLookupAccountName(); pSid is okay, returning TRUE.\n" ));
  528. return( TRUE );
  529. }
  530. }
  532. /*****************************************************************************
  533. *
  534. * InitializeBuiltinSids
  535. *
  536. * Initialize the built in SIDS
  537. *
  538. * ENTRY:
  539. * Param1 (input/output)
  540. * Comments
  541. *
  542. * EXIT:
  543. * STATUS_SUCCESS - no error
  544. *
  545. ****************************************************************************/
  547. BOOLEAN
  548. InitializeBuiltinSids()
  549. {
  551. ULONG SidWithZeroSubAuthorities;
  552. ULONG SidWithOneSubAuthority;
  553. ULONG SidWithTwoSubAuthorities;
  554. ULONG SidWithThreeSubAuthorities;
  556. SID_IDENTIFIER_AUTHORITY NullSidAuthority;
  557. SID_IDENTIFIER_AUTHORITY WorldSidAuthority;
  558. SID_IDENTIFIER_AUTHORITY LocalSidAuthority;
  559. SID_IDENTIFIER_AUTHORITY CreatorSidAuthority;
  560. SID_IDENTIFIER_AUTHORITY SeNtAuthority;
  562. NullSidAuthority = SepNullSidAuthority;
  563. WorldSidAuthority = SepWorldSidAuthority;
  564. LocalSidAuthority = SepLocalSidAuthority;
  565. CreatorSidAuthority = SepCreatorSidAuthority;
  566. SeNtAuthority = SepNtAuthority;
  568. //
  569. // The following SID sizes need to be allocated
  570. //
  572. SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 );
  573. SidWithOneSubAuthority = RtlLengthRequiredSid( 1 );
  574. SidWithTwoSubAuthorities = RtlLengthRequiredSid( 2 );
  575. SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 );
  577. //
  578. // Allocate and initialize the universal SIDs
  579. //
  581. SeNullSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  582. SeWorldSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  583. SeLocalSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  584. SeCreatorOwnerSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  585. SeCreatorGroupSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  587. //
  588. // Fail initialization if we didn't get enough memory for the universal
  589. // SIDs.
  590. //
  592. if ( (SeNullSid == NULL) ||
  593. (SeWorldSid == NULL) ||
  594. (SeLocalSid == NULL) ||
  595. (SeCreatorOwnerSid == NULL) ||
  596. (SeCreatorGroupSid == NULL)
  597. ) {
  599. return( FALSE );
  600. }
  602. RtlInitializeSid( SeNullSid, &NullSidAuthority, 1 );
  603. RtlInitializeSid( SeWorldSid, &WorldSidAuthority, 1 );
  604. RtlInitializeSid( SeLocalSid, &LocalSidAuthority, 1 );
  605. RtlInitializeSid( SeCreatorOwnerSid, &CreatorSidAuthority, 1 );
  606. RtlInitializeSid( SeCreatorGroupSid, &CreatorSidAuthority, 1 );
  608. *(RtlSubAuthoritySid( SeNullSid, 0 )) = SECURITY_NULL_RID;
  609. *(RtlSubAuthoritySid( SeWorldSid, 0 )) = SECURITY_WORLD_RID;
  610. *(RtlSubAuthoritySid( SeLocalSid, 0 )) = SECURITY_LOCAL_RID;
  611. *(RtlSubAuthoritySid( SeCreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID;
  612. *(RtlSubAuthoritySid( SeCreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID;
  614. //
  615. // Allocate and initialize the NT defined SIDs
  616. //
  618. SeNtAuthoritySid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithZeroSubAuthorities);
  619. SeDialupSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  620. SeNetworkSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  621. SeBatchSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  622. SeInteractiveSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  623. SeServiceSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  624. SeLocalGuestSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  625. SeLocalSystemSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  626. SeLocalAdminSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  627. SeLocalManagerSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
  629. SeAliasAdminsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  630. SeAliasUsersSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  631. SeAliasGuestsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  632. SeAliasPowerUsersSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  633. SeAliasAccountOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  634. SeAliasSystemOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  635. SeAliasPrintOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  636. SeAliasBackupOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  637. SeAliasReplicatorSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
  640. //
  641. // Fail initialization if we didn't get enough memory for the NT SIDs.
  642. //
  644. if ( (SeNtAuthoritySid == NULL) ||
  645. (SeDialupSid == NULL) ||
  646. (SeNetworkSid == NULL) ||
  647. (SeBatchSid == NULL) ||
  648. (SeInteractiveSid == NULL) ||
  649. (SeServiceSid == NULL) ||
  650. (SeLocalGuestSid == NULL) ||
  651. (SeLocalSystemSid == NULL) ||
  652. (SeLocalAdminSid == NULL) ||
  653. (SeLocalManagerSid == NULL) ||
  654. (SeAliasAdminsSid == NULL) ||
  655. (SeAliasUsersSid == NULL) ||
  656. (SeAliasGuestsSid == NULL) ||
  657. (SeAliasPowerUsersSid == NULL) ||
  658. (SeAliasAccountOpsSid == NULL) ||
  659. (SeAliasSystemOpsSid == NULL) ||
  660. (SeAliasReplicatorSid == NULL) ||
  661. (SeAliasPrintOpsSid == NULL) ||
  662. (SeAliasBackupOpsSid == NULL)
  663. ) {
  665. return( FALSE );
  666. }
  668. RtlInitializeSid( SeNtAuthoritySid, &SeNtAuthority, 0 );
  669. RtlInitializeSid( SeDialupSid, &SeNtAuthority, 1 );
  670. RtlInitializeSid( SeNetworkSid, &SeNtAuthority, 1 );
  671. RtlInitializeSid( SeBatchSid, &SeNtAuthority, 1 );
  672. RtlInitializeSid( SeInteractiveSid, &SeNtAuthority, 1 );
  673. RtlInitializeSid( SeServiceSid, &SeNtAuthority, 1 );
  674. RtlInitializeSid( SeLocalGuestSid, &SeNtAuthority, 1 );
  675. RtlInitializeSid( SeLocalSystemSid, &SeNtAuthority, 1 );
  676. RtlInitializeSid( SeLocalAdminSid, &SeNtAuthority, 1 );
  677. RtlInitializeSid( SeLocalManagerSid, &SeNtAuthority, 1 );
  679. RtlInitializeSid( SeAliasAdminsSid, &SeNtAuthority, 2);
  680. RtlInitializeSid( SeAliasUsersSid, &SeNtAuthority, 2);
  681. RtlInitializeSid( SeAliasGuestsSid, &SeNtAuthority, 2);
  682. RtlInitializeSid( SeAliasPowerUsersSid, &SeNtAuthority, 2);
  683. RtlInitializeSid( SeAliasAccountOpsSid, &SeNtAuthority, 2);
  684. RtlInitializeSid( SeAliasSystemOpsSid, &SeNtAuthority, 2);
  685. RtlInitializeSid( SeAliasPrintOpsSid, &SeNtAuthority, 2);
  686. RtlInitializeSid( SeAliasBackupOpsSid, &SeNtAuthority, 2);
  687. RtlInitializeSid( SeAliasReplicatorSid, &SeNtAuthority, 2);
  690. *(RtlSubAuthoritySid( SeDialupSid, 0 )) = SECURITY_DIALUP_RID;
  691. *(RtlSubAuthoritySid( SeNetworkSid, 0 )) = SECURITY_NETWORK_RID;
  692. *(RtlSubAuthoritySid( SeBatchSid, 0 )) = SECURITY_BATCH_RID;
  693. *(RtlSubAuthoritySid( SeInteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID;
  694. *(RtlSubAuthoritySid( SeServiceSid, 0 )) = SECURITY_SERVICE_RID;
  695. // *(RtlSubAuthoritySid( SeLocalGuestSid, 0 )) = SECURITY_LOCAL_GUESTS_RID;
  696. *(RtlSubAuthoritySid( SeLocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
  697. // *(RtlSubAuthoritySid( SeLocalAdminSid, 0 )) = SECURITY_LOCAL_ADMIN_RID;
  698. // *(RtlSubAuthoritySid( SeLocalManagerSid, 0 )) = SECURITY_LOCAL_MANAGER_RID;
  701. *(RtlSubAuthoritySid( SeAliasAdminsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  702. *(RtlSubAuthoritySid( SeAliasUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  703. *(RtlSubAuthoritySid( SeAliasGuestsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  704. *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  705. *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  706. *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  707. *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  708. *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  709. *(RtlSubAuthoritySid( SeAliasReplicatorSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
  711. *(RtlSubAuthoritySid( SeAliasAdminsSid, 1 )) = DOMAIN_ALIAS_RID_ADMINS;
  712. *(RtlSubAuthoritySid( SeAliasUsersSid, 1 )) = DOMAIN_ALIAS_RID_USERS;
  713. *(RtlSubAuthoritySid( SeAliasGuestsSid, 1 )) = DOMAIN_ALIAS_RID_GUESTS;
  714. *(RtlSubAuthoritySid( SeAliasPowerUsersSid, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS;
  715. *(RtlSubAuthoritySid( SeAliasAccountOpsSid, 1 )) = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
  716. *(RtlSubAuthoritySid( SeAliasSystemOpsSid, 1 )) = DOMAIN_ALIAS_RID_SYSTEM_OPS;
  717. *(RtlSubAuthoritySid( SeAliasPrintOpsSid, 1 )) = DOMAIN_ALIAS_RID_PRINT_OPS;
  718. *(RtlSubAuthoritySid( SeAliasBackupOpsSid, 1 )) = DOMAIN_ALIAS_RID_BACKUP_OPS;
  719. *(RtlSubAuthoritySid( SeAliasReplicatorSid, 1 )) = DOMAIN_ALIAS_RID_REPLICATOR;
  721. return( TRUE );
  722. }
  725. /*****************************************************************************
  726. *
  727. * xxxLookupBuiltinAccount
  728. *
  729. * Wrapper to lookup the SID for a given built in account name
  730. *
  731. * Returns a pointer to the SID in newly allocated memory
  732. *
  733. * ENTRY:
  734. * Param1 (input/output)
  735. * Comments
  736. *
  737. * EXIT:
  738. * STATUS_SUCCESS - no error
  739. *
  740. ****************************************************************************/
  742. BOOL
  743. xxxLookupBuiltinAccount(
  744. PWCHAR pSystemName,
  745. PWCHAR pAccountName,
  746. PSID *ppSid
  747. )
  748. {
  749. USHORT SidLen;
  750. SID_NAME_USE Type;
  751. PSID pSid = NULL;
  753. if( _wcsicmp( L"NULL_SID", pAccountName ) == 0 ) {
  754. pSid = SeNullSid;
  755. Type = SidTypeInvalid;
  756. }
  758. if( pSid == NULL ) {
  759. SetLastError( ERROR_NONE_MAPPED );
  760. return( FALSE );
  761. }
  763. SidLen = (USHORT)GetLengthSid( pSid );
  764. *ppSid = LocalAlloc(LMEM_FIXED, SidLen );
  765. if( *ppSid == NULL ) {
  766. SetLastError( ERROR_INSUFFICIENT_BUFFER );
  767. return( FALSE );
  768. }
  770. RtlMoveMemory( *ppSid, pSid, SidLen );
  772. return( TRUE );
  774. #ifdef notdef
  776. if( EqualSid( SeNullSid, pSid ) ) {
  777. pName = L"NULL_SID";
  778. Type = SidTypeInvalid;
  779. }
  781. if( EqualSid( SeWorldSid, pSid ) ) {
  782. pName = L"WORLD";
  783. Type = SidTypeWellKnownGroup;
  784. }
  786. if( EqualSid( SeLocalSid, pSid ) ) {
  787. pName = L"LOCAL_ACCOUNT";
  788. Type = SidTypeWellKnownGroup;
  789. }
  791. if( EqualSid( SeCreatorOwnerSid, pSid ) ) {
  792. pName = L"CREATOR_OWNER";
  793. Type = SidTypeWellKnownGroup;
  794. }
  796. if( EqualSid( SeCreatorGroupSid, pSid ) ) {
  797. pName = L"CREATOR_GROUP";
  798. Type = SidTypeWellKnownGroup;
  799. }
  801. //
  802. // Look at the NT SIDS
  803. //
  805. if( EqualSid( SeNtAuthoritySid, pSid ) ) {
  806. pName = L"NTAUTHORITY";
  807. Type = SidTypeWellKnownGroup;
  808. }
  810. if( EqualSid( SeDialupSid, pSid ) ) {
  811. pName = L"DIALUP";
  812. Type = SidTypeWellKnownGroup;
  813. }
  815. if( EqualSid( SeNetworkSid, pSid ) ) {
  816. pName = L"NETWORK";
  817. Type = SidTypeWellKnownGroup;
  818. }
  820. if( EqualSid( SeBatchSid, pSid ) ) {
  821. pName = L"BATCH";
  822. Type = SidTypeWellKnownGroup;
  823. }
  825. if( EqualSid( SeInteractiveSid, pSid ) ) {
  826. pName = L"INTERACTIVE";
  827. Type = SidTypeWellKnownGroup;
  828. }
  830. if( EqualSid( SeServiceSid, pSid ) ) {
  831. pName = L"SERVICE";
  832. Type = SidTypeWellKnownGroup;
  833. }
  835. if( EqualSid( SeLocalGuestSid, pSid ) ) {
  836. pName = L"LOCALGUEST";
  837. Type = SidTypeWellKnownGroup;
  838. }
  840. if( EqualSid( SeLocalSystemSid, pSid ) ) {
  841. pName = L"LOCALSYSTEM";
  842. Type = SidTypeWellKnownGroup;
  843. }
  845. if( EqualSid( SeLocalAdminSid, pSid ) ) {
  846. pName = L"LOCALADMIN";
  847. Type = SidTypeWellKnownGroup;
  848. }
  850. if( EqualSid( SeLocalManagerSid, pSid ) ) {
  851. pName = L"LOCALMANAGER";
  852. Type = SidTypeWellKnownGroup;
  853. }
  855. if( EqualSid( SeAliasAdminsSid, pSid ) ) {
  856. pName = L"ALIAS_ADMINS";
  857. Type = SidTypeAlias;
  858. }
  860. if( EqualSid( SeAliasUsersSid, pSid ) ) {
  861. pName = L"ALIAS_USERS";
  862. Type = SidTypeAlias;
  863. }
  865. if( EqualSid( SeAliasGuestsSid, pSid ) ) {
  866. pName = L"ALIAS_GUESTS";
  867. Type = SidTypeAlias;
  868. }
  870. if( EqualSid( SeAliasPowerUsersSid, pSid ) ) {
  871. pName = L"ALIAS_POWERUSERS";
  872. Type = SidTypeAlias;
  873. }
  875. if( EqualSid( SeAliasAccountOpsSid, pSid ) ) {
  876. pName = L"ALIAS_ACCOUNT_OPS";
  877. Type = SidTypeAlias;
  878. }
  880. if( EqualSid( SeAliasSystemOpsSid, pSid ) ) {
  881. pName = L"ALIAS_SYSTEM_OPS";
  882. Type = SidTypeAlias;
  883. }
  885. if( EqualSid( SeAliasPrintOpsSid, pSid ) ) {
  886. pName = L"ALIAS_PRINT_OPS";
  887. Type = SidTypeAlias;
  888. }
  890. if( EqualSid( SeAliasBackupOpsSid, pSid ) ) {
  891. pName = L"ALIAS_BACKUP_OPS";
  892. Type = SidTypeAlias;
  893. }
  895. if( EqualSid( SeAliasReplicatorSid, pSid ) ) {
  896. pName = L"ALIAS_REPLICATOR";
  897. Type = SidTypeAlias;
  898. }
  899. #endif
  900. }
  902. /*****************************************************************************
  903. *
  904. * GetSecureAcl
  905. *
  906. * Comment
  907. *
  908. * ENTRY:
  909. * Param1 (input/output)
  910. * Comments
  911. *
  912. * EXIT:
  913. * STATUS_SUCCESS - no error
  914. *
  915. ****************************************************************************/
  917. PACL
  918. GetSecureAcl()
  919. {
  920. return( pAdminsOnlyAcl );
  921. }
  923. /*****************************************************************************
  924. *
  925. * BuildSecureAcl
  926. *
  927. * Comment
  928. *
  929. * ENTRY:
  930. * Param1 (input/output)
  931. * Comments
  932. *
  933. * EXIT:
  934. * STATUS_SUCCESS - no error
  935. *
  936. ****************************************************************************/
  938. BOOL
  939. BuildSecureAcl()
  940. {
  941. BOOL rc;
  942. DWORD Index, Error;
  943. PADMIN_ACCOUNTS p;
  944. DWORD AclSize;
  945. PACL pAcl = NULL;
  946. PACCESS_ALLOWED_ACE pAce = NULL;
  948. /*
  949. * Calculate the ACL size
  950. */
  951. AclSize = sizeof(ACL);
  953. //
  954. // Reserve memory for the deny ACE's
  955. //
  956. for( Index = 0; Index < DenyAccountEntries; Index++ ) {
  958. p = &DenyAccounts[Index];
  960. if( p->pSid ) {
  961. AclSize += sizeof(ACCESS_DENIED_ACE);
  962. AclSize += (GetLengthSid( p->pSid ) - sizeof(DWORD));
  963. }
  964. }
  966. //
  967. // Reserve memory for the allowed ACE's
  968. //
  969. for( Index = 0; Index < AllowAccountEntries; Index++ ) {
  971. p = &AllowAccounts[Index];
  973. if( p->pSid ) {
  974. AclSize += sizeof(ACCESS_ALLOWED_ACE);
  975. AclSize += (GetLengthSid( p->pSid ) - sizeof(DWORD));
  976. }
  977. }
  979. pAcl = LocalAlloc( LMEM_FIXED, AclSize );
  980. if( pAcl == NULL ) {
  981. DBGPRINT(("Could not allocate memory\n"));
  982. return( FALSE );
  983. }
  985. rc = InitializeAcl(
  986. pAcl,
  987. AclSize,
  988. ACL_REVISION
  989. );
  991. if( !rc ) {
  992. DBGPRINT(("Error %d InitializeAcl\n",GetLastError()));
  993. LocalFree( pAcl );
  994. return( FALSE );
  995. }
  997. /*
  998. * Add a deny all ACE for each account in the deny list
  999. */
  1000. for( Index = 0; Index < DenyAccountEntries; Index++ ) {
  1002. p = &DenyAccounts[Index];
  1004. rc = AddAccessDeniedAce(
  1005. pAcl,
  1006. ACL_REVISION,
  1007. FILE_ALL_ACCESS,
  1008. p->pSid
  1009. );
  1011. if( !rc ) {
  1012. Error = GetLastError();
  1013. DBGPRINT(("***ERROR*** adding deny ACE %d for account %ws\n",Error,p->Name));
  1014. }
  1015. }
  1017. /*
  1018. * Add an allow all ACE for each account in the allow list
  1019. */
  1020. for( Index = 0; Index < AllowAccountEntries; Index++ ) {
  1022. p = &AllowAccounts[Index];
  1024. rc = AddAccessAllowedAce(
  1025. pAcl,
  1026. ACL_REVISION,
  1027. FILE_ALL_ACCESS,
  1028. p->pSid
  1029. );
  1031. if( !rc ) {
  1032. Error = GetLastError();
  1033. DBGPRINT(("***ERROR*** adding allow ACE %d for account %ws\n",Error,p->Name));
  1034. }
  1035. }
  1037. pAdminsOnlyAcl = pAcl;
  1038. AdminsOnlyAclSize = AclSize;
  1040. //
  1041. // Put the inherit flags on the ACE's
  1042. //
  1043. for( Index=0; Index < pAcl->AceCount; Index++ ) {
  1045. rc = GetAce( pAcl, Index, (PVOID)&pAce );
  1046. if( !rc ) {
  1047. continue;
  1048. }
  1050. pAce->Header.AceFlags |= (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);
  1051. }
  1053. return( TRUE );
  1054. }
  1056. /*****************************************************************************
  1057. *
  1058. * GetLocalAdminSid
  1059. *
  1060. * Comment
  1061. *
  1062. * ENTRY:
  1063. * Param1 (input/output)
  1064. * Comments
  1065. *
  1066. * EXIT:
  1067. * STATUS_SUCCESS - no error
  1068. *
  1069. ****************************************************************************/
  1071. PSID
  1072. GetLocalAdminSid()
  1073. {
  1074. return( SeLocalAdminSid );
  1075. }
  1077. /*****************************************************************************
  1078. *
  1079. * GetAdminSid
  1080. *
  1081. * Comment
  1082. *
  1083. * ENTRY:
  1084. * Param1 (input/output)
  1085. * Comments
  1086. *
  1087. * EXIT:
  1088. *
  1089. ****************************************************************************/
  1091. PSID
  1092. GetAdminSid()
  1093. {
  1094. return( AllowAccounts[ADMIN_ACCOUNT].pSid );
  1095. }
  1097. /*****************************************************************************
  1098. *
  1099. * GetLocalAdminGroupSid
  1100. *
  1101. * Comment
  1102. *
  1103. * ENTRY:
  1104. * Param1 (input/output)
  1105. * Comments
  1106. *
  1107. * EXIT:
  1108. * STATUS_SUCCESS - no error
  1109. *
  1110. ****************************************************************************/
  1112. PSID
  1113. GetLocalAdminGroupSid()
  1114. {
  1115. return( SeAliasAdminsSid );
  1116. }
  1119. /*****************************************************************************
  1120. *
  1121. * GetLocalAdminGroupSid
  1122. *
  1123. * Comment
  1124. *
  1125. * ENTRY:
  1126. * Param1 (input/output)
  1127. * Comments
  1128. *
  1129. * EXIT:
  1130. * STATUS_SUCCESS - no error
  1131. *
  1132. ****************************************************************************/
  1134. BOOL CheckUserSid()
  1135. {
  1136. BOOL rc;
  1137. PSID pSid;
  1138. PSID pPrevSid;
  1140. rc = xxxLookupAccountName(
  1141. ComputerName,
  1142. AllowAccounts[USER_ACCOUNT].Name,
  1143. &pSid
  1144. );
  1146. if( !rc ) {
  1147. // It might be a special builtin account
  1148. rc = xxxLookupBuiltinAccount(
  1149. ComputerName,
  1150. AllowAccounts[USER_ACCOUNT].Name,
  1151. &pSid
  1152. );
  1153. }
  1155. pPrevSid = AllowAccounts[USER_ACCOUNT].pSid;
  1156. if (rc && (!pPrevSid || !EqualSid( pSid, pPrevSid ))) {
  1157. AllowAccounts[USER_ACCOUNT].pSid = pSid;
  1158. if (pAdminsOnlyAcl) {
  1159. LocalFree( pAdminsOnlyAcl );
  1160. pAdminsOnlyAcl = NULL;
  1161. AdminsOnlyAclSize = 0;
  1162. }
  1163. rc = BuildSecureAcl();
  1164. }
  1166. return(rc);
  1167. }