archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
 
 
 
 
 
 
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/netapi/svcdlls/wkssvc/server/wssec.c

305 lines
8.0 KiB
Raw Blame History

/*++
Copyright (c) 1991 Microsoft Corporation
Module Name:
wssec.c
Abstract:
This module contains the Workstation service support routines
which create security objects and enforce security _access checking.
Author:
Rita Wong (ritaw) 19-Feb-1991
Revision History:
--*/
#include "wsutil.h"
#include "wsmain.h"
#include "wssec.h"
//-------------------------------------------------------------------//
// //
// Local function prototypes //
// //
//-------------------------------------------------------------------//
STATIC
NTSTATUS
WsCreateConfigInfoObject(
VOID
);
STATIC
NTSTATUS
WsCreateMessageSendObject(
VOID
);
//-------------------------------------------------------------------//
// //
// Global variables //
// //
//-------------------------------------------------------------------//
//
// Security descriptors of workstation objects to control user accesses
// to the workstation configuration information, sending messages, and the
// logon support functions.
//
PSECURITY_DESCRIPTOR ConfigurationInfoSd;
PSECURITY_DESCRIPTOR MessageSendSd;
//
// Structure that describes the mapping of Generic access rights to
// object specific access rights for the ConfigurationInfo object.
//
GENERIC_MAPPING WsConfigInfoMapping = {
STANDARD_RIGHTS_READ | // Generic read
WKSTA_CONFIG_GUEST_INFO_GET |
WKSTA_CONFIG_USER_INFO_GET |
WKSTA_CONFIG_ADMIN_INFO_GET,
STANDARD_RIGHTS_WRITE | // Generic write
WKSTA_CONFIG_INFO_SET,
STANDARD_RIGHTS_EXECUTE, // Generic execute
WKSTA_CONFIG_ALL_ACCESS // Generic all
};
//
// Structure that describes the mapping of generic access rights to
// object specific access rights for the MessageSend object.
//
GENERIC_MAPPING WsMessageSendMapping = {
STANDARD_RIGHTS_READ, // Generic read
STANDARD_RIGHTS_WRITE | // Generic write
WKSTA_MESSAGE_SEND,
STANDARD_RIGHTS_EXECUTE, // Generic execute
WKSTA_MESSAGE_ALL_ACCESS // Generic all
};
NET_API_STATUS
WsCreateWkstaObjects(
VOID
)
/*++
Routine Description:
This function creates the workstation user-mode objects which are
represented by security descriptors.
Arguments:
None.
Return Value:
NET_API_STATUS - NERR_Success or reason for failure.
--*/
{
NTSTATUS ntstatus;
//
// Create ConfigurationInfo object
//
if (! NT_SUCCESS (ntstatus = WsCreateConfigInfoObject())) {
IF_DEBUG(UTIL) {
NetpKdPrint(("[Wksta] Failure to create ConfigurationInfo object\n"));
}
return NetpNtStatusToApiStatus(ntstatus);
}
//
// Create MessageSend object
//
if (! NT_SUCCESS (ntstatus = WsCreateMessageSendObject())) {
IF_DEBUG(UTIL) {
NetpKdPrint(("[Wksta] Failure to create MessageSend object\n"));
}
return NetpNtStatusToApiStatus(ntstatus);
}
return NERR_Success;
}
STATIC
NTSTATUS
WsCreateConfigInfoObject(
VOID
)
/*++
Routine Description:
This function creates the workstation configuration information object.
Arguments:
None.
Return Value:
NTSTATUS - status returned from NetpCreateSecurityObject.
--*/
{
//
// Order matters! These ACEs are inserted into the DACL in the
// following order. Security access is granted or denied based on
// the order of the ACEs in the DACL.
//
// Local users, admins, and operators are allowed to get all information.
// Only admins are allowed to set information. Users are allowed to get
// user and guest info; guests are allowed to get guest info only.
//
#define CONFIG_INFO_ACES 8 // Number of ACEs in this DACL
ACE_DATA AceData[CONFIG_INFO_ACES] = {
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_CONFIG_GUEST_INFO_GET |
WKSTA_CONFIG_USER_INFO_GET |
WKSTA_CONFIG_ADMIN_INFO_GET, &WsLmsvcsGlobalData->LocalSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
GENERIC_ALL, &WsLmsvcsGlobalData->AliasAdminsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_CONFIG_GUEST_INFO_GET |
WKSTA_CONFIG_USER_INFO_GET |
WKSTA_CONFIG_ADMIN_INFO_GET, &WsLmsvcsGlobalData->AliasAccountOpsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_CONFIG_GUEST_INFO_GET |
WKSTA_CONFIG_USER_INFO_GET |
WKSTA_CONFIG_ADMIN_INFO_GET, &WsLmsvcsGlobalData->AliasSystemOpsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_CONFIG_GUEST_INFO_GET |
WKSTA_CONFIG_USER_INFO_GET |
WKSTA_CONFIG_ADMIN_INFO_GET, &WsLmsvcsGlobalData->AliasPrintOpsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_CONFIG_GUEST_INFO_GET |
WKSTA_CONFIG_USER_INFO_GET, &WsLmsvcsGlobalData->AliasUsersSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_CONFIG_GUEST_INFO_GET, &WsLmsvcsGlobalData->WorldSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_CONFIG_GUEST_INFO_GET, &WsLmsvcsGlobalData->AnonymousLogonSid}
};
return NetpCreateSecurityObject(
AceData,
CONFIG_INFO_ACES,
WsLmsvcsGlobalData->LocalSystemSid,
WsLmsvcsGlobalData->LocalSystemSid,
&WsConfigInfoMapping,
&ConfigurationInfoSd
);
}
STATIC
NTSTATUS
WsCreateMessageSendObject(
VOID
)
/*++
Routine Description:
This function creates the workstation message send object.
Arguments:
None.
Return Value:
NTSTATUS - status returned from NetpCreateSecurityObject.
--*/
{
//
// Order matters! These ACEs are inserted into the DACL in the
// following order. Security access is granted or denied based on
// the order of the ACEs in the DACL.
//
// Any local user, and domain admins and operators are allowed to
// send messages. Remote users besides domain admins, and operators
// are not allowed to send messages.
//
#define MESSAGE_SEND_ACES 5 // Number of ACEs in this DACL
ACE_DATA AceData[MESSAGE_SEND_ACES] = {
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
GENERIC_ALL, &WsLmsvcsGlobalData->LocalSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
GENERIC_ALL, &WsLmsvcsGlobalData->AliasAdminsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_MESSAGE_SEND, &WsLmsvcsGlobalData->AliasAccountOpsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_MESSAGE_SEND, &WsLmsvcsGlobalData->AliasSystemOpsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
WKSTA_MESSAGE_SEND, &WsLmsvcsGlobalData->AliasPrintOpsSid}
};
return NetpCreateSecurityObject(
AceData,
MESSAGE_SEND_ACES,
WsLmsvcsGlobalData->LocalSystemSid,
WsLmsvcsGlobalData->LocalSystemSid,
&WsMessageSendMapping,
&MessageSendSd
);
}
VOID
WsDestroyWkstaObjects(
VOID
)
/*++
Routine Description:
This function destroys the workstation user-mode objects which are
represented by security descriptors.
Arguments:
None.
Return Value:
None.
--*/
{
(void) NetpDeleteSecurityObject(&ConfigurationInfoSd);
(void) NetpDeleteSecurityObject(&MessageSendSd);
}