windows-server-2003/base/cluster/clusrtl/fixup.c

/*++

Copyright (c) 1998 Microsoft Corporation

Module Name:

    FixUp.c

Abstract:

    This module contains common security routines for
    NT Clusters rolling upgrade and backward compatibility.

Author:

    Galen Barbee (galenb) 31-Mar-1998

--*/

#include "clusrtlp.h"

PSECURITY_DESCRIPTOR
ClRtlConvertClusterSDToNT4Format(
	IN PSECURITY_DESCRIPTOR psd
	)

/*++

Routine Description:

		Convert the SD from nt 5 to nt 4 format.  This means enforcing the
		following rules:

		1. Convert denied ACE to allowed ACE.  Convert "Full Control" access
		mask to CLUAPI_NO_ACCESS.

Arguments:

		psd			[IN] Security descriptor.

Return Value:

		The new SD in self-Relative format

--*/

{
    PACL	                pacl;
    BOOL	                bHasDACL;
    BOOL	                bDACLDefaulted;
    PSECURITY_DESCRIPTOR	psec = NULL;

    if (NULL == psd) {
    	return NULL;
    }

    psec = ClRtlCopySecurityDescriptor(psd);

    if ( psec == NULL ) {
        return NULL;
    }

    if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) &&
         ( bHasDACL != FALSE ) ) {

	    ACL_SIZE_INFORMATION	asiAclSize;
	    DWORD					dwBufLength;

	    dwBufLength = sizeof(asiAclSize);

	    if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {

		    ACCESS_DENIED_ACE *	pAce;
            DWORD               dwIndex;

		    for (dwIndex = 0; dwIndex < asiAclSize.AceCount;  dwIndex++) {

		        if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {

					if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)	{

						if (pAce->Mask & SPECIFIC_RIGHTS_ALL) {
							pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
							pAce->Mask = CLUSAPI_NO_ACCESS;
						}

					} // end if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)

				} // end if (GetAce())

			} // end for

	    } // end if (GetAclInformation())

	} // end if (HrGetSecurityDescriptorDacl()) and DACL is present

	ASSERT(IsValidSecurityDescriptor(psec));

	return psec;

}  //*** ClRtlConvertClusterSDToNT4Format()

PSECURITY_DESCRIPTOR
ClRtlConvertClusterSDToNT5Format(
	IN PSECURITY_DESCRIPTOR psd
	)

/*++

Routine Description:

		Convert the SD from nt 5 to nt 4 format.  This means enforcing the
		following rules:

		1. Convert allowed ACE with mask CLUAPI_NO_ACCESS to denied ACE mask full control.

Arguments:

		psd			[IN] Security descriptor.

Return Value:

		The new SD in self-Relative format

--*/

{
    PACL	pacl;
    BOOL	bHasDACL;
    BOOL	bDACLDefaulted;
    PSECURITY_DESCRIPTOR	psec = NULL;

    if (NULL == psd) {
    	return NULL;
    }

    psec = ClRtlCopySecurityDescriptor(psd);

    if ( psec == NULL ) {
        return NULL;
    }

    if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) &&
         ( bHasDACL != FALSE ) ) {

	    ACL_SIZE_INFORMATION	asiAclSize;
	    DWORD					dwBufLength;

	    dwBufLength = sizeof(asiAclSize);

	    if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {

		    ACCESS_DENIED_ACE *	pAce;
            DWORD               dwIndex;

		    for (dwIndex = 0; dwIndex < asiAclSize.AceCount;  dwIndex++) {

		        if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {

					if (pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) {

						if (pAce->Mask & CLUSAPI_NO_ACCESS)	{
							pAce->Header.AceType = ACCESS_DENIED_ACE_TYPE;
							pAce->Mask = SPECIFIC_RIGHTS_ALL;
						}

					} // end if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)

				} // end if (GetAce())

			} // end for

	    } // end if (GetAclInformation())

	} // end if (HrGetSecurityDescriptorDacl()) and DACL is present

	ASSERT(IsValidSecurityDescriptor(psec));

	return psec;

}  //*** ClRtlConvertClusterSDToNT5Format()

static GENERIC_MAPPING gmFileShareMap =
{
	FILE_GENERIC_READ,
	FILE_GENERIC_WRITE,
	FILE_GENERIC_EXECUTE,
	FILE_ALL_ACCESS
};

#define SPECIFIC_CHANGE     (DELETE | FILE_GENERIC_WRITE)
#define SPECIFIC_READ       (FILE_GENERIC_READ | FILE_LIST_DIRECTORY | FILE_EXECUTE)
#define GENERIC_CHANGE      (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE)

PSECURITY_DESCRIPTOR
ClRtlConvertFileShareSDToNT4Format(
	IN PSECURITY_DESCRIPTOR psd
	)

/*++

Routine Description:

		Convert the SD from nt 5 to nt 4 format.  This means enforcing the
		following rules:

Arguments:

		psd			[IN] Security descriptor.

Return Value:

		The new SD in self-Relative format

--*/

{
    PACL	                pacl;
    BOOL	                bHasDACL;
    BOOL	                bDACLDefaulted;
    PSECURITY_DESCRIPTOR	psec = NULL;

    if (NULL == psd) {
    	return NULL;
    }

    psec = ClRtlCopySecurityDescriptor(psd);

    if ( psec == NULL ) {
        return NULL;
    }

    if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) &&
         ( bHasDACL != FALSE ) ) {

	    ACL_SIZE_INFORMATION	asiAclSize;
	    DWORD					dwBufLength;
        ACCESS_MASK             amTemp1;
        ACCESS_MASK             amTemp2;

	    dwBufLength = sizeof(asiAclSize);

	    if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {

		    ACCESS_DENIED_ACE *	pAce;
			DWORD				dwSid;
            DWORD               dwIndex;

		    for (dwIndex = 0; dwIndex < asiAclSize.AceCount;  dwIndex++) {

                amTemp1 = 0;
                amTemp2 = 0;

		        if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {

					// delete deny read ACEs since they don't mean anything to AclEdit
					if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) &&
					   (pAce->Mask == SPECIFIC_READ)) {

						dwSid = pAce->SidStart;

                        if (DeleteAce(pacl, dwIndex)) {
                            asiAclSize.AceCount -= 1;
                            dwIndex -= 1;
                        }
                        else {
                            ClRtlDbgPrint(LOG_UNUSUAL,
                                          "[ClRtl] DeteteAce failed removing ACE #%1!d! due to error %2!d!\n",
                                          dwIndex,
                                          GetLastError());
                        }

                        continue;
                    }

					// convert deny change deny read ACEs to deny all ACEs
					if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) &&
					   (pAce->Mask == (SPECIFIC_CHANGE | SPECIFIC_READ))) {
                        pAce->Mask = GENERIC_ALL;
                        continue;
                    }

					// convert deny change ACEs to allow read (read only) ACEs
					if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) &&
					   (pAce->Mask == SPECIFIC_CHANGE)) {
                        pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
                        pAce->Mask = GENERIC_READ | GENERIC_EXECUTE;
                        continue;
                    }

					// convert specific allow change to generic allow change
					if ((pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) &&
					   (pAce->Mask == SPECIFIC_CHANGE)) {
                        pAce->Mask = GENERIC_CHANGE;
                        continue;
                    }

					// convert specific all to generic all
                    if ((pAce->Mask & gmFileShareMap.GenericAll) == gmFileShareMap.GenericAll) {
                        amTemp1 |= GENERIC_ALL;
                        amTemp2 |= gmFileShareMap.GenericAll;
                    }
                    else {


						// convert specific read to generic read
                        if ((pAce->Mask & gmFileShareMap.GenericRead) == gmFileShareMap.GenericRead) {
                            amTemp1 |= GENERIC_READ;
                            amTemp2 |= gmFileShareMap.GenericRead;
                        }

						// convert specific write to generic write which includes delete
                        if ((pAce->Mask & gmFileShareMap.GenericWrite) == gmFileShareMap.GenericWrite) {
                            amTemp1 |= (GENERIC_WRITE | DELETE);
                            amTemp2 |= gmFileShareMap.GenericWrite;
                        }

						// convert specific execute to generic execute
                        if ((pAce->Mask & gmFileShareMap.GenericExecute) == gmFileShareMap.GenericExecute) {
                            amTemp1 |= GENERIC_EXECUTE;
                            amTemp2 |= gmFileShareMap.GenericExecute;
                        }
                    }

                    pAce->Mask &= ~amTemp2;   // turn off specific bits
                    pAce->Mask |= amTemp1;    // turn on generic bits
				} // end if (GetAce())

			} // end for

	    } // end if (GetAclInformation())

	} // end if (HrGetSecurityDescriptorDacl()) and DACL is present

	ASSERT(IsValidSecurityDescriptor(psec));

	return psec;

}  //*** ClRtlConvertFileShareSDToNT4Format()