Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1135 lines
29 KiB

/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
Seassign.c
Abstract:
This Module implements the SeAssignSecurity procedure. For a description
of the pool allocation strategy please see the comments in semethod.c
Author:
Gary Kimura (GaryKi) 9-Nov-1989
Environment:
Kernel Mode
Revision History:
Richard Ward (RichardW) 14-April-92
Robert Reichel (RobertRe) 28-February-95
Added Compound ACEs
--*/
#include "pch.h"
#pragma hdrstop
//
// Local macros and procedures
//
NTSTATUS
SepInheritAcl (
IN PACL Acl,
IN BOOLEAN IsDirectoryObject,
IN PSID OwnerSid,
IN PSID GroupSid,
IN PSID ServerSid OPTIONAL,
IN PSID ClientSid OPTIONAL,
IN PGENERIC_MAPPING GenericMapping,
IN POOL_TYPE PoolType,
OUT PACL *NewAcl
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE,SeAssignSecurity)
#pragma alloc_text(PAGE,SeAssignSecurityEx)
#pragma alloc_text(PAGE,SeDeassignSecurity)
#pragma alloc_text(PAGE,SepInheritAcl)
#pragma alloc_text(PAGE,SeAssignWorldSecurityDescriptor)
#if DBG
#pragma alloc_text(PAGE,SepDumpSecurityDescriptor)
#pragma alloc_text(PAGE,SepPrintAcl)
#pragma alloc_text(PAGE,SepPrintSid)
#pragma alloc_text(PAGE,SepDumpTokenInfo)
#pragma alloc_text(PAGE,SepSidTranslation)
#endif //DBG
#endif
//
// These variables control whether security descriptors and token
// information are dumped by their dump routines. This allows
// selective turning on and off of debugging output by both program
// control and via the kernel debugger.
//
#if DBG
BOOLEAN SepDumpSD = FALSE;
BOOLEAN SepDumpToken = FALSE;
#endif
NTSTATUS
SeAssignSecurity (
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
OUT PSECURITY_DESCRIPTOR *NewDescriptor,
IN BOOLEAN IsDirectoryObject,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
IN PGENERIC_MAPPING GenericMapping,
IN POOL_TYPE PoolType
)
/*++
Routine Description:
This routine assumes privilege checking HAS NOT yet been performed
and so will be performed by this routine.
This procedure is used to build a security descriptor for a new object
given the security descriptor of its parent directory and any originally
requested security for the object. The final security descriptor
returned to the caller may contain a mix of information, some explicitly
provided other from the new object's parent.
See RtlpNewSecurityObject for a descriptor of how the NewDescriptor is
built.
Arguments:
ParentDescriptor - Optionally supplies the security descriptor of the
parent directory under which this new object is being created.
ExplicitDescriptor - Supplies the address of a pointer to the security
descriptor as specified by the user that is to be applied to
the new object.
NewDescriptor - Returns the actual security descriptor for the new
object that has been modified according to above rules.
IsDirectoryObject - Specifies if the new object is itself a directory
object. A value of TRUE indicates the object is a container of other
objects.
SubjectContext - Supplies the security context of the subject creating the
object. This is used to retrieve default security information for the
new object, such as default owner, primary group, and discretionary
access control.
GenericMapping - Supplies a pointer to an array of access mask values
denoting the mapping between each generic right to non-generic rights.
PoolType - Specifies the pool type to use to when allocating a new
security descriptor.
Return Value:
STATUS_SUCCESS - indicates the operation was successful.
STATUS_INVALID_OWNER - The owner SID provided as the owner of the
target security descriptor is not one the caller is authorized
to assign as the owner of an object.
STATUS_PRIVILEGE_NOT_HELD - The caller does not have the privilege
necessary to explicitly assign the specified system ACL.
SeSecurityPrivilege privilege is needed to explicitly assign
system ACLs to objects.
--*/
{
NTSTATUS Status;
ULONG AutoInherit = 0;
PAGED_CODE();
#if DBG
if ( ARGUMENT_PRESENT( ExplicitDescriptor) ) {
SepDumpSecurityDescriptor( ExplicitDescriptor,
"\nSeAssignSecurity: Input security descriptor = \n"
);
}
if (ARGUMENT_PRESENT( ParentDescriptor )) {
SepDumpSecurityDescriptor( ParentDescriptor,
"\nSeAssignSecurity: Parent security descriptor = \n"
);
}
#endif // DBG
//
// If the Parent SD was created via AutoInheritance,
// and this object is being created with no explicit descriptor,
// then we can safely create this object as AutoInherit.
//
if ( ParentDescriptor != NULL ) {
if ( (ExplicitDescriptor == NULL ||
(((PISECURITY_DESCRIPTOR)ExplicitDescriptor)->Control & SE_DACL_PRESENT) == 0 ) &&
(((PISECURITY_DESCRIPTOR)ParentDescriptor)->Control & SE_DACL_AUTO_INHERITED) != 0 ) {
AutoInherit |= SEF_DACL_AUTO_INHERIT;
}
if ( (ExplicitDescriptor == NULL ||
(((PISECURITY_DESCRIPTOR)ExplicitDescriptor)->Control & SE_SACL_PRESENT) == 0 ) &&
(((PISECURITY_DESCRIPTOR)ParentDescriptor)->Control & SE_SACL_AUTO_INHERITED) != 0 ) {
AutoInherit |= SEF_SACL_AUTO_INHERIT;
}
}
Status = RtlpNewSecurityObject (
ParentDescriptor OPTIONAL,
ExplicitDescriptor OPTIONAL,
NewDescriptor,
NULL, // No object type
0,
IsDirectoryObject,
AutoInherit,
(HANDLE) SubjectContext,
GenericMapping );
#if DBG
if ( NT_SUCCESS(Status)) {
SepDumpSecurityDescriptor( *NewDescriptor,
"SeAssignSecurity: Final security descriptor = \n"
);
}
#endif
return Status;
// RtlpNewSecurityObject always uses PagedPool.
UNREFERENCED_PARAMETER( PoolType );
}
NTSTATUS
SeAssignSecurityEx (
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
IN PSECURITY_DESCRIPTOR ExplicitDescriptor OPTIONAL,
OUT PSECURITY_DESCRIPTOR *NewDescriptor,
IN GUID *ObjectType OPTIONAL,
IN BOOLEAN IsDirectoryObject,
IN ULONG AutoInheritFlags,
IN PSECURITY_SUBJECT_CONTEXT SubjectContext,
IN PGENERIC_MAPPING GenericMapping,
IN POOL_TYPE PoolType
)
/*++
Routine Description:
This routine assumes privilege checking HAS NOT yet been performed
and so will be performed by this routine.
This procedure is used to build a security descriptor for a new object
given the security descriptor of its parent directory and any originally
requested security for the object. The final security descriptor
returned to the caller may contain a mix of information, some explicitly
provided other from the new object's parent.
See RtlpNewSecurityObject for a descriptor of how the NewDescriptor is
built.
Arguments:
ParentDescriptor - Optionally supplies the security descriptor of the
parent directory under which this new object is being created.
ExplicitDescriptor - Supplies the address of a pointer to the security
descriptor as specified by the user that is to be applied to
the new object.
NewDescriptor - Returns the actual security descriptor for the new
object that has been modified according to above rules.
ObjectType - GUID of the object type being created. If the object being
created has no GUID associated with it, then this argument is
specified as NULL.
IsDirectoryObject - Specifies if the new object is itself a directory
object. A value of TRUE indicates the object is a container of other
objects.
AutoInheritFlags - Controls automatic inheritance of ACES from the Parent
Descriptor. Valid values are a bits mask of the logical OR of
one or more of the following bits:
SEF_DACL_AUTO_INHERIT - If set, inherit ACEs from the
DACL ParentDescriptor are inherited to NewDescriptor in addition
to any explicit ACEs specified by the CreatorDescriptor.
SEF_SACL_AUTO_INHERIT - If set, inherit ACEs from the
SACL ParentDescriptor are inherited to NewDescriptor in addition
to any explicit ACEs specified by the CreatorDescriptor.
SEF_DEFAULT_DESCRIPTOR_FOR_OBJECT - If set, the CreatorDescriptor
is the default descriptor for ObjectType. As such, the
CreatorDescriptor will be ignored if any ObjectType specific
ACEs are inherited from the parent. If no such ACEs are inherited,
the CreatorDescriptor is handled as though this flag were not
specified.
SEF_AVOID_PRIVILEGE_CHECK - If set, no privilege checking is done by this
routine. This flag is useful while implementing automatic inheritance
to avoid checking privileges on each child updated.
SubjectContext - Supplies the security context of the subject creating the
object. This is used to retrieve default security information for the
new object, such as default owner, primary group, and discretionary
access control.
GenericMapping - Supplies a pointer to an array of access mask values
denoting the mapping between each generic right to non-generic rights.
PoolType - Specifies the pool type to use to when allocating a new
security descriptor.
Return Value:
STATUS_SUCCESS - indicates the operation was successful.
STATUS_INVALID_OWNER - The owner SID provided as the owner of the
target security descriptor is not one the caller is authorized
to assign as the owner of an object.
STATUS_PRIVILEGE_NOT_HELD - The caller does not have the privilege
necessary to explicitly assign the specified system ACL.
SeSecurityPrivilege privilege is needed to explicitly assign
system ACLs to objects.
--*/
{
NTSTATUS Status;
PAGED_CODE();
#if DBG
if ( ARGUMENT_PRESENT( ExplicitDescriptor) ) {
SepDumpSecurityDescriptor( ExplicitDescriptor,
"\nSeAssignSecurityEx: Input security descriptor = \n"
);
}
if (ARGUMENT_PRESENT( ParentDescriptor )) {
SepDumpSecurityDescriptor( ParentDescriptor,
"\nSeAssignSecurityEx: Parent security descriptor = \n"
);
}
#endif // DBG
Status = RtlpNewSecurityObject (
ParentDescriptor OPTIONAL,
ExplicitDescriptor OPTIONAL,
NewDescriptor,
ObjectType ? &ObjectType : NULL,
ObjectType ? 1 : 0,
IsDirectoryObject,
AutoInheritFlags,
(HANDLE) SubjectContext,
GenericMapping );
#if DBG
if ( NT_SUCCESS(Status)) {
SepDumpSecurityDescriptor( *NewDescriptor,
"SeAssignSecurityEx: Final security descriptor = \n"
);
}
#endif
return Status;
// RtlpNewSecurityObject always uses PagedPool.
UNREFERENCED_PARAMETER( PoolType );
}
NTSTATUS
SeDeassignSecurity (
IN OUT PSECURITY_DESCRIPTOR *SecurityDescriptor
)
/*++
Routine Description:
This routine deallocates the memory associated with a security descriptor
that was assigned using SeAssignSecurity.
Arguments:
SecurityDescriptor - Supplies the address of a pointer to the security
descriptor being deleted.
Return Value:
STATUS_SUCCESS - The deallocation was successful.
--*/
{
PAGED_CODE();
if ((*SecurityDescriptor) != NULL) {
ExFreePool( (*SecurityDescriptor) );
}
//
// And zero out the pointer to it for safety sake
//
(*SecurityDescriptor) = NULL;
return( STATUS_SUCCESS );
}
NTSTATUS
SepInheritAcl (
IN PACL Acl,
IN BOOLEAN IsDirectoryObject,
IN PSID ClientOwnerSid,
IN PSID ClientGroupSid,
IN PSID ServerOwnerSid OPTIONAL,
IN PSID ServerGroupSid OPTIONAL,
IN PGENERIC_MAPPING GenericMapping,
IN POOL_TYPE PoolType,
OUT PACL *NewAcl
)
/*++
Routine Description:
This is a private routine that produces an inherited acl from
a parent acl according to the rules of inheritance
Arguments:
Acl - Supplies the acl being inherited.
IsDirectoryObject - Specifies if the new acl is for a directory.
OwnerSid - Specifies the owner Sid to use.
GroupSid - Specifies the group SID to use.
ServerSid - Specifies the Server SID to use.
ClientSid - Specifies the Client SID to use.
GenericMapping - Specifies the generic mapping to use.
PoolType - Specifies the pool type for the new acl.
NewAcl - Receives a pointer to the new (inherited) acl.
Return Value:
STATUS_SUCCESS - An inheritable ACL was successfully generated.
STATUS_NO_INHERITANCE - An inheritable ACL was not successfully generated.
This is a warning completion status.
STATUS_BAD_INHERITANCE_ACL - Indicates the acl built was not a valid ACL.
This can becaused by a number of things. One of the more probable
causes is the replacement of a CreatorId with an SID that didn't fit
into the ACE or ACL.
STATUS_UNKNOWN_REVISION - Indicates the source ACL is a revision that
is unknown to this routine.
--*/
{
//////////////////////////////////////////////////////////////////////////////
// //
// The logic in the ACL inheritance code must mirror the code for //
// inheritance in the user mode runtime (in sertl.c). Do not make changes //
// here without also making changes in that module. //
// //
//////////////////////////////////////////////////////////////////////////////
NTSTATUS Status;
ULONG NewAclLength;
BOOLEAN NewAclExplicitlyAssigned;
ULONG NewGenericControl;
PAGED_CODE();
ASSERT( PoolType == PagedPool ); // RtlpInheritAcl assumes paged pool
//
// First check if the acl is null
//
if (Acl == NULL) {
return STATUS_NO_INHERITANCE;
}
//
// Generating an inheritable ACL.
//
// Pass all parameters as though there is no auto inheritance.
//
Status = RtlpInheritAcl(
Acl,
NULL, // No child ACL since no auto inheritance
0, // No child control since no auto inheritance
IsDirectoryObject,
FALSE, // Not AutoInherit since no auto inheritance
FALSE, // Not DefaultDescriptor since no auto inheritance
ClientOwnerSid,
ClientGroupSid,
ServerOwnerSid,
ServerGroupSid,
GenericMapping,
FALSE, // Isn't a SACL
NULL, // No object GUID
0,
NewAcl,
&NewAclExplicitlyAssigned,
&NewGenericControl );
return Status;
}
NTSTATUS
SeAssignWorldSecurityDescriptor(
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN OUT PULONG Length,
IN PSECURITY_INFORMATION SecurityInformation
)
/*++
Routine Description:
This routine is called by the I/O system to properly initialize a
security descriptor for a FAT file. It will take a pointer to a
buffer containing an emptry security descriptor, and create in the
buffer a self-relative security descriptor with
Owner = WorldSid,
Group = WorldSid.
Thus, a FAT file is accessable to all.
Arguments:
SecurityDescriptor - Supplies a pointer to a buffer in which will be
created a self-relative security descriptor as described above.
Length - The length in bytes of the buffer. If the length is too
small, it will contain the minimum size required upon exit.
Return Value:
STATUS_BUFFER_TOO_SMALL - The buffer was not big enough to contain
the requested information.
--*/
{
PCHAR Field;
PCHAR Base;
ULONG WorldSidLength;
PISECURITY_DESCRIPTOR_RELATIVE ISecurityDescriptor;
ULONG MinSize;
NTSTATUS Status;
PAGED_CODE();
if ( !ARGUMENT_PRESENT( SecurityInformation )) {
return( STATUS_ACCESS_DENIED );
}
WorldSidLength = SeLengthSid( SeWorldSid );
MinSize = sizeof( SECURITY_DESCRIPTOR_RELATIVE ) + 2 * WorldSidLength;
if ( *Length < MinSize ) {
*Length = MinSize;
return( STATUS_BUFFER_TOO_SMALL );
}
*Length = MinSize;
ISecurityDescriptor = (SECURITY_DESCRIPTOR_RELATIVE *)SecurityDescriptor;
Status = RtlCreateSecurityDescriptorRelative( ISecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION );
if (!NT_SUCCESS( Status )) {
return( Status );
}
Base = (PCHAR)(ISecurityDescriptor);
Field = Base + sizeof(SECURITY_DESCRIPTOR_RELATIVE);
if ( *SecurityInformation & OWNER_SECURITY_INFORMATION ) {
RtlCopyMemory( Field, SeWorldSid, WorldSidLength );
ISecurityDescriptor->Owner = RtlPointerToOffset(Base,Field);
Field += WorldSidLength;
}
if ( *SecurityInformation & GROUP_SECURITY_INFORMATION ) {
RtlCopyMemory( Field, SeWorldSid, WorldSidLength );
ISecurityDescriptor->Group = RtlPointerToOffset(Base,Field);
}
if ( *SecurityInformation & DACL_SECURITY_INFORMATION ) {
RtlpSetControlBits( ISecurityDescriptor, SE_DACL_PRESENT );
}
if ( *SecurityInformation & SACL_SECURITY_INFORMATION ) {
RtlpSetControlBits( ISecurityDescriptor, SE_SACL_PRESENT );
}
RtlpSetControlBits( ISecurityDescriptor, SE_SELF_RELATIVE );
return( STATUS_SUCCESS );
}
#if DBG
VOID
SepDumpSecurityDescriptor(
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN PSZ TitleString
)
/*++
Routine Description:
Private routine to dump a security descriptor to the debug
screen.
Arguments:
SecurityDescriptor - Supplies the security descriptor to be dumped.
TitleString - A null terminated string to print before dumping
the security descriptor.
Return Value:
None.
--*/
{
PISECURITY_DESCRIPTOR ISecurityDescriptor;
UCHAR Revision;
SECURITY_DESCRIPTOR_CONTROL Control;
PSID Owner;
PSID Group;
PACL Sacl;
PACL Dacl;
PAGED_CODE();
if (!SepDumpSD) {
return;
}
if (!ARGUMENT_PRESENT( SecurityDescriptor )) {
return;
}
DbgPrint(TitleString);
ISecurityDescriptor = ( PISECURITY_DESCRIPTOR )SecurityDescriptor;
Revision = ISecurityDescriptor->Revision;
Control = ISecurityDescriptor->Control;
Owner = RtlpOwnerAddrSecurityDescriptor( ISecurityDescriptor );
Group = RtlpGroupAddrSecurityDescriptor( ISecurityDescriptor );
Sacl = RtlpSaclAddrSecurityDescriptor( ISecurityDescriptor );
Dacl = RtlpDaclAddrSecurityDescriptor( ISecurityDescriptor );
DbgPrint("\nSECURITY DESCRIPTOR\n");
DbgPrint("Revision = %d\n",Revision);
//
// Print control info
//
if (Control & SE_OWNER_DEFAULTED) {
DbgPrint("Owner defaulted\n");
}
if (Control & SE_GROUP_DEFAULTED) {
DbgPrint("Group defaulted\n");
}
if (Control & SE_DACL_PRESENT) {
DbgPrint("Dacl present\n");
}
if (Control & SE_DACL_DEFAULTED) {
DbgPrint("Dacl defaulted\n");
}
if (Control & SE_SACL_PRESENT) {
DbgPrint("Sacl present\n");
}
if (Control & SE_SACL_DEFAULTED) {
DbgPrint("Sacl defaulted\n");
}
if (Control & SE_SELF_RELATIVE) {
DbgPrint("Self relative\n");
}
if (Control & SE_DACL_UNTRUSTED) {
DbgPrint("Dacl untrusted\n");
}
if (Control & SE_SERVER_SECURITY) {
DbgPrint("Server security\n");
}
DbgPrint("Owner ");
SepPrintSid( Owner );
DbgPrint("Group ");
SepPrintSid( Group );
DbgPrint("Sacl");
SepPrintAcl( Sacl );
DbgPrint("Dacl");
SepPrintAcl( Dacl );
}
VOID
SepPrintAcl (
IN PACL Acl
)
/*++
Routine Description:
This routine dumps via (DbgPrint) an Acl for debug purposes. It is
specialized to dump standard aces.
Arguments:
Acl - Supplies the Acl to dump
Return Value:
None
--*/
{
ULONG i;
PKNOWN_ACE Ace;
BOOLEAN KnownType;
PAGED_CODE();
DbgPrint("@ %8lx\n", Acl);
//
// Check if the Acl is null
//
if (Acl == NULL) {
return;
}
//
// Dump the Acl header
//
DbgPrint(" Revision: %02x", Acl->AclRevision);
DbgPrint(" Size: %04x", Acl->AclSize);
DbgPrint(" AceCount: %04x\n", Acl->AceCount);
//
// Now for each Ace we want do dump it
//
for (i = 0, Ace = FirstAce(Acl);
i < Acl->AceCount;
i++, Ace = NextAce(Ace) ) {
//
// print out the ace header
//
DbgPrint("\n AceHeader: %08lx ", *(PULONG)Ace);
//
// special case on the standard ace types
//
if ((Ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) ||
(Ace->Header.AceType == ACCESS_DENIED_ACE_TYPE) ||
(Ace->Header.AceType == SYSTEM_AUDIT_ACE_TYPE) ||
(Ace->Header.AceType == SYSTEM_ALARM_ACE_TYPE) ||
(Ace->Header.AceType == ACCESS_ALLOWED_COMPOUND_ACE_TYPE)) {
//
// The following array is indexed by ace types and must
// follow the allowed, denied, audit, alarm seqeuence
//
PCHAR AceTypes[] = { "Access Allowed",
"Access Denied ",
"System Audit ",
"System Alarm ",
"Compound Grant",
};
DbgPrint(AceTypes[Ace->Header.AceType]);
DbgPrint("\n Access Mask: %08lx ", Ace->Mask);
KnownType = TRUE;
} else {
DbgPrint(" Unknown Ace Type\n");
KnownType = FALSE;
}
DbgPrint("\n");
DbgPrint(" AceSize = %d\n",Ace->Header.AceSize);
DbgPrint(" Ace Flags = ");
if (Ace->Header.AceFlags & OBJECT_INHERIT_ACE) {
DbgPrint("OBJECT_INHERIT_ACE\n");
DbgPrint(" ");
}
if (Ace->Header.AceFlags & CONTAINER_INHERIT_ACE) {
DbgPrint("CONTAINER_INHERIT_ACE\n");
DbgPrint(" ");
}
if (Ace->Header.AceFlags & NO_PROPAGATE_INHERIT_ACE) {
DbgPrint("NO_PROPAGATE_INHERIT_ACE\n");
DbgPrint(" ");
}
if (Ace->Header.AceFlags & INHERIT_ONLY_ACE) {
DbgPrint("INHERIT_ONLY_ACE\n");
DbgPrint(" ");
}
if (Ace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG) {
DbgPrint("SUCCESSFUL_ACCESS_ACE_FLAG\n");
DbgPrint(" ");
}
if (Ace->Header.AceFlags & FAILED_ACCESS_ACE_FLAG) {
DbgPrint("FAILED_ACCESS_ACE_FLAG\n");
DbgPrint(" ");
}
DbgPrint("\n");
if (KnownType != TRUE) {
continue;
}
if (Ace->Header.AceType != ACCESS_ALLOWED_COMPOUND_ACE_TYPE) {
DbgPrint(" Sid = ");
SepPrintSid(&Ace->SidStart);
} else {
DbgPrint(" Server Sid = ");
SepPrintSid(RtlCompoundAceServerSid(Ace));
DbgPrint("\n Client Sid = ");
SepPrintSid(RtlCompoundAceClientSid( Ace ));
}
}
}
VOID
SepPrintSid(
IN PSID Sid
)
/*++
Routine Description:
Prints a formatted Sid
Arguments:
Sid - Provides a pointer to the sid to be printed.
Return Value:
None.
--*/
{
UCHAR i;
ULONG Tmp;
PISID ISid;
STRING AccountName;
UCHAR Buffer[128];
PAGED_CODE();
if (Sid == NULL) {
DbgPrint("Sid is NULL\n");
return;
}
Buffer[0] = 0;
AccountName.MaximumLength = 127;
AccountName.Length = 0;
AccountName.Buffer = (PVOID)&Buffer[0];
if (SepSidTranslation( Sid, &AccountName )) {
DbgPrint("%s ", AccountName.Buffer );
}
ISid = (PISID)Sid;
DbgPrint("S-%lu-", (USHORT)ISid->Revision );
if ( (ISid->IdentifierAuthority.Value[0] != 0) ||
(ISid->IdentifierAuthority.Value[1] != 0) ){
DbgPrint("0x%02hx%02hx%02hx%02hx%02hx%02hx",
(USHORT)ISid->IdentifierAuthority.Value[0],
(USHORT)ISid->IdentifierAuthority.Value[1],
(USHORT)ISid->IdentifierAuthority.Value[2],
(USHORT)ISid->IdentifierAuthority.Value[3],
(USHORT)ISid->IdentifierAuthority.Value[4],
(USHORT)ISid->IdentifierAuthority.Value[5] );
} else {
Tmp = (ULONG)ISid->IdentifierAuthority.Value[5] +
(ULONG)(ISid->IdentifierAuthority.Value[4] << 8) +
(ULONG)(ISid->IdentifierAuthority.Value[3] << 16) +
(ULONG)(ISid->IdentifierAuthority.Value[2] << 24);
DbgPrint("%lu", Tmp);
}
for (i=0;i<ISid->SubAuthorityCount ;i++ ) {
DbgPrint("-%lu", ISid->SubAuthority[i]);
}
DbgPrint("\n");
}
VOID
SepDumpTokenInfo(
IN PACCESS_TOKEN Token
)
/*++
Routine Description:
Prints interesting information in a token.
Arguments:
Token - Provides the token to be examined.
Return Value:
None.
--*/
{
ULONG UserAndGroupCount;
PSID_AND_ATTRIBUTES TokenSid;
ULONG i;
PTOKEN IToken;
PAGED_CODE();
if (!SepDumpToken) {
return;
}
IToken = (TOKEN *)Token;
UserAndGroupCount = IToken->UserAndGroupCount;
DbgPrint("\n\nToken Address=%lx\n",IToken);
DbgPrint("Token User and Groups Array:\n\n");
for ( i = 0 , TokenSid = IToken->UserAndGroups;
i < UserAndGroupCount ;
i++, TokenSid++
) {
SepPrintSid( TokenSid->Sid );
}
if ( IToken->RestrictedSids ) {
UserAndGroupCount = IToken->RestrictedSidCount;
DbgPrint("Restricted Sids Array:\n\n");
for ( i = 0 , TokenSid = IToken->RestrictedSids;
i < UserAndGroupCount ;
i++, TokenSid++
) {
SepPrintSid( TokenSid->Sid );
}
}
}
BOOLEAN
SepSidTranslation(
PSID Sid,
PSTRING AccountName
)
/*++
Routine Description:
This routine translates well-known SIDs into English names.
Arguments:
Sid - Provides the sid to be examined.
AccountName - Provides a string buffer in which to place the
translated name.
Return Value:
None
--*/
// AccountName is expected to have a large maximum length
{
PAGED_CODE();
if (RtlEqualSid(Sid, SeWorldSid)) {
RtlInitString( AccountName, "WORLD ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeLocalSid)) {
RtlInitString( AccountName, "LOCAL ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeNetworkSid)) {
RtlInitString( AccountName, "NETWORK ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeBatchSid)) {
RtlInitString( AccountName, "BATCH ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeInteractiveSid)) {
RtlInitString( AccountName, "INTERACTIVE ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeLocalSystemSid)) {
RtlInitString( AccountName, "SYSTEM ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeCreatorOwnerSid)) {
RtlInitString( AccountName, "CREATOR_OWNER ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeCreatorGroupSid)) {
RtlInitString( AccountName, "CREATOR_GROUP ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeCreatorOwnerServerSid)) {
RtlInitString( AccountName, "CREATOR_OWNER_SERVER ");
return(TRUE);
}
if (RtlEqualSid(Sid, SeCreatorGroupServerSid)) {
RtlInitString( AccountName, "CREATOR_GROUP_SERVER ");
return(TRUE);
}
return(FALSE);
}
//
// End debug only routines
//
#endif //DBG