You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1179 lines
30 KiB
1179 lines
30 KiB
//******************************************************************************
|
|
//
|
|
// Microsoft Confidential. Copyright (c) Microsoft Corporation 1999. All rights reserved
|
|
//
|
|
// File: RsopSec.cpp
|
|
//
|
|
// Description: RSOP Namespace Security functions
|
|
//
|
|
// History: 8-26-99 leonardm Created
|
|
//
|
|
//******************************************************************************
|
|
|
|
#include <windows.h>
|
|
#include <objbase.h>
|
|
#include <wbemcli.h>
|
|
#include <accctrl.h>
|
|
#include <aclapi.h>
|
|
#include <lm.h>
|
|
#include "RsopUtil.h"
|
|
#include "RsopSec.h"
|
|
#include "rsopdbg.h"
|
|
#include "smartptr.h"
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function:
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 8-26-99 leonardm Created
|
|
//
|
|
//******************************************************************************
|
|
STDMETHODIMP GetExplicitAccesses( long lSecurityLevel,
|
|
EXPLICIT_ACCESS** ppExplicitAccess,
|
|
DWORD* pdwCount,
|
|
CWString* psTrustees)
|
|
{
|
|
|
|
WKSTA_INFO_100* pWkstaInfo = NULL;
|
|
NET_API_STATUS status = NetWkstaGetInfo(NULL,100,(LPBYTE*)&pWkstaInfo);
|
|
if(status != NERR_Success)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
CWString sCurrentDomain = pWkstaInfo->wki100_langroup;
|
|
NetApiBufferFree(pWkstaInfo);
|
|
|
|
if(!sCurrentDomain.ValidString() || sCurrentDomain == L"")
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
|
|
static ACCESS_MODE AccessMode = GRANT_ACCESS;
|
|
static DWORD Inheritance = SUB_CONTAINERS_ONLY_INHERIT;
|
|
static DWORD AccessPermissions = WBEM_ENABLE |
|
|
WBEM_METHOD_EXECUTE |
|
|
WBEM_FULL_WRITE_REP |
|
|
WBEM_PARTIAL_WRITE_REP |
|
|
WBEM_WRITE_PROVIDER |
|
|
WBEM_REMOTE_ACCESS |
|
|
READ_CONTROL |
|
|
WRITE_DAC;
|
|
|
|
XPtrArray<EXPLICIT_ACCESS> xpExplicitAccess = NULL;
|
|
|
|
if(lSecurityLevel == NAMESPACE_SECURITY_DIAGNOSTIC)
|
|
{
|
|
if(*pdwCount < 1)
|
|
{
|
|
*pdwCount = 1;
|
|
return E_FAIL;
|
|
}
|
|
|
|
*pdwCount = 1;
|
|
|
|
xpExplicitAccess = new EXPLICIT_ACCESS[*pdwCount];
|
|
if(!xpExplicitAccess)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
psTrustees[0] = sCurrentDomain + L"\\Domain Users";
|
|
if(!psTrustees[0].ValidString())
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
BuildExplicitAccessWithName(&(xpExplicitAccess[0]),
|
|
psTrustees[0],
|
|
AccessPermissions,
|
|
AccessMode,
|
|
Inheritance);
|
|
|
|
}
|
|
else if(lSecurityLevel == NAMESPACE_SECURITY_PLANNING)
|
|
{
|
|
if(*pdwCount < 2)
|
|
{
|
|
*pdwCount = 2;
|
|
return E_FAIL;
|
|
}
|
|
|
|
*pdwCount = 2;
|
|
|
|
xpExplicitAccess = new EXPLICIT_ACCESS[*pdwCount];
|
|
|
|
if(!xpExplicitAccess)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
psTrustees[0] = sCurrentDomain + L"\\RSOP Admins";
|
|
if(!psTrustees[0].ValidString())
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
BuildExplicitAccessWithName(&(xpExplicitAccess[0]),
|
|
psTrustees[0],
|
|
AccessPermissions,
|
|
AccessMode,
|
|
Inheritance);
|
|
|
|
psTrustees[1] = sCurrentDomain + L"\\Domain Admins";
|
|
if(!psTrustees[1].ValidString())
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
BuildExplicitAccessWithName(&(xpExplicitAccess[1]),
|
|
psTrustees[1],
|
|
AccessPermissions,
|
|
AccessMode,
|
|
Inheritance);
|
|
|
|
}
|
|
else
|
|
{
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
*ppExplicitAccess = xpExplicitAccess.Acquire();
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function:
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 8-26-99 leonardm Created
|
|
//
|
|
//******************************************************************************
|
|
STDMETHODIMP RSoPMakeAbsoluteSD(SECURITY_DESCRIPTOR* pSelfRelativeSD, SECURITY_DESCRIPTOR** ppAbsoluteSD)
|
|
{
|
|
BOOL bRes = IsValidSecurityDescriptor(pSelfRelativeSD);
|
|
if(!bRes)
|
|
{
|
|
return WBEM_E_INVALID_PARAMETER;
|
|
}
|
|
|
|
XPtrLF<SECURITY_DESCRIPTOR> xpAbsoluteSD;
|
|
XPtrLF<ACL> xpDacl;
|
|
XPtrLF<ACL> xpSacl;
|
|
XPtrLF<SID> xpOwner;
|
|
XPtrLF<SID> xpPrimaryGroup;
|
|
|
|
|
|
DWORD dwAbsoluteSecurityDescriptorSize = 0;
|
|
DWORD dwDaclSize = 0;
|
|
DWORD dwSaclSize = 0;
|
|
DWORD dwOwnerSize = 0;
|
|
DWORD dwPrimaryGroupSize = 0;
|
|
|
|
bRes = ::MakeAbsoluteSD(
|
|
pSelfRelativeSD,
|
|
xpAbsoluteSD,
|
|
&dwAbsoluteSecurityDescriptorSize,
|
|
xpDacl, // discretionary ACL
|
|
&dwDaclSize, // size of discretionary ACL
|
|
xpSacl, // system ACL
|
|
&dwSaclSize, // size of system ACL
|
|
xpOwner, // owner SID
|
|
&dwOwnerSize, // size of owner SID
|
|
xpPrimaryGroup, // primary-group SID
|
|
&dwPrimaryGroupSize // size of group SID
|
|
);
|
|
|
|
DWORD dwLastError = GetLastError();
|
|
if(dwLastError != ERROR_INSUFFICIENT_BUFFER)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
if(!dwAbsoluteSecurityDescriptorSize)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
xpAbsoluteSD = reinterpret_cast<SECURITY_DESCRIPTOR*>(LocalAlloc(LPTR, dwAbsoluteSecurityDescriptorSize));
|
|
if(!xpAbsoluteSD)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
if(dwDaclSize)
|
|
{
|
|
xpDacl = reinterpret_cast<ACL*>(LocalAlloc(LPTR, dwDaclSize));
|
|
if(!xpDacl)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
}
|
|
if(dwSaclSize)
|
|
{
|
|
xpSacl = reinterpret_cast<ACL*>(LocalAlloc(LPTR, dwSaclSize));
|
|
if(!xpSacl)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
}
|
|
if(dwOwnerSize)
|
|
{
|
|
xpOwner = reinterpret_cast<SID*>(LocalAlloc(LPTR, dwOwnerSize));
|
|
if(!xpOwner)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
}
|
|
if(dwPrimaryGroupSize)
|
|
{
|
|
xpPrimaryGroup = reinterpret_cast<SID*>(LocalAlloc(LPTR, dwPrimaryGroupSize));
|
|
if(!xpPrimaryGroup)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
}
|
|
|
|
bRes = ::MakeAbsoluteSD(
|
|
pSelfRelativeSD,
|
|
xpAbsoluteSD,
|
|
&dwAbsoluteSecurityDescriptorSize,
|
|
xpDacl, // discretionary ACL
|
|
&dwDaclSize, // size of discretionary ACL
|
|
xpSacl, // system ACL
|
|
&dwSaclSize, // size of system ACL
|
|
xpOwner, // owner SID
|
|
&dwOwnerSize, // size of owner SID
|
|
xpPrimaryGroup, // primary-group SID
|
|
&dwPrimaryGroupSize // size of group SID
|
|
);
|
|
|
|
if(!bRes)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
bRes = IsValidSecurityDescriptor(xpAbsoluteSD);
|
|
|
|
if(!bRes)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
xpDacl.Acquire();
|
|
xpSacl.Acquire();
|
|
xpOwner.Acquire();
|
|
xpPrimaryGroup.Acquire();
|
|
|
|
*ppAbsoluteSD = xpAbsoluteSD.Acquire();
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function:
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 8-26-99 leonardm Created
|
|
//
|
|
//******************************************************************************
|
|
STDMETHODIMP FreeAbsoluteSD(SECURITY_DESCRIPTOR* pAbsoluteSD)
|
|
{
|
|
if(!pAbsoluteSD)
|
|
{
|
|
return E_POINTER;
|
|
}
|
|
|
|
BOOL bRes;
|
|
|
|
BOOL bDaclPresent;
|
|
BOOL bDaclDefaulted;
|
|
|
|
XPtrLF<ACL> xpDacl;
|
|
bRes = GetSecurityDescriptorDacl( pAbsoluteSD,
|
|
&bDaclPresent,
|
|
&xpDacl,
|
|
&bDaclDefaulted);
|
|
|
|
if(!bRes)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
BOOL bSaclPresent;
|
|
BOOL bSaclDefaulted;
|
|
|
|
XPtrLF<ACL> xpSacl;
|
|
bRes = GetSecurityDescriptorSacl( pAbsoluteSD,
|
|
&bSaclPresent,
|
|
&xpSacl,
|
|
&bSaclDefaulted);
|
|
|
|
if(!bRes)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
BOOL bOwnerDefaulted;
|
|
|
|
XPtrLF<SID>xpOwner;
|
|
bRes = GetSecurityDescriptorOwner(pAbsoluteSD, reinterpret_cast<void**>(&xpOwner), &bOwnerDefaulted);
|
|
if(!bRes)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
|
|
BOOL bGroupDefaulted;
|
|
|
|
XPtrLF<SID>xpPrimaryGroup;
|
|
bRes = GetSecurityDescriptorGroup(pAbsoluteSD, reinterpret_cast<void**>(&xpPrimaryGroup), &bGroupDefaulted);
|
|
if(!bRes)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function:
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 8-26-99 leonardm Created
|
|
//
|
|
//******************************************************************************
|
|
STDMETHODIMP GetNamespaceSD(IWbemServices* pWbemServices, SECURITY_DESCRIPTOR** ppSD)
|
|
{
|
|
if(!pWbemServices)
|
|
{
|
|
return E_POINTER;
|
|
}
|
|
|
|
HRESULT hr;
|
|
|
|
XInterface<IWbemClassObject> xpOutParams;
|
|
|
|
const BSTR bstrInstancePath = SysAllocString(L"__systemsecurity=@");
|
|
if(!bstrInstancePath)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
const BSTR bstrMethodName = SysAllocString(L"GetSD");
|
|
if(!bstrMethodName)
|
|
{
|
|
SysFreeString(bstrInstancePath);
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
hr = pWbemServices->ExecMethod( bstrInstancePath,
|
|
bstrMethodName,
|
|
0,
|
|
NULL,
|
|
NULL,
|
|
&xpOutParams,
|
|
NULL);
|
|
|
|
SysFreeString(bstrInstancePath);
|
|
SysFreeString(bstrMethodName);
|
|
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
|
|
VARIANT v;
|
|
XVariant xv(&v);
|
|
|
|
VariantInit(&v);
|
|
|
|
hr = xpOutParams->Get(L"sd", 0, &v, NULL, NULL);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
if(v.vt != (VT_ARRAY | VT_UI1))
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
long lLowerBound;
|
|
hr = SafeArrayGetLBound(v.parray, 1, &lLowerBound);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
long lUpperBound;
|
|
hr = SafeArrayGetUBound(v.parray, 1, &lUpperBound);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
DWORD dwSize = static_cast<DWORD>(lUpperBound - lLowerBound + 1);
|
|
|
|
XPtrLF<SECURITY_DESCRIPTOR> xpSelfRelativeSD = static_cast<SECURITY_DESCRIPTOR*>(LocalAlloc(LPTR, dwSize));
|
|
if(!xpSelfRelativeSD)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
BYTE* pSrc;
|
|
hr = SafeArrayAccessData(v.parray, reinterpret_cast<void**>(&pSrc));
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
CopyMemory(xpSelfRelativeSD, pSrc, dwSize);
|
|
|
|
hr = SafeArrayUnaccessData(v.parray);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
*ppSD = xpSelfRelativeSD.Acquire();
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function:
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 8/20/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
STDMETHODIMP SetNamespaceSD(SECURITY_DESCRIPTOR* pSD, IWbemServices* pWbemServices)
|
|
{
|
|
if(!pWbemServices)
|
|
{
|
|
return E_POINTER;
|
|
}
|
|
|
|
HRESULT hr;
|
|
|
|
|
|
//
|
|
// Get the class object
|
|
//
|
|
|
|
XInterface<IWbemClassObject> xpClass;
|
|
|
|
BSTR bstrClassPath = SysAllocString(L"__systemsecurity");
|
|
if(!bstrClassPath)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
hr = pWbemServices->GetObject(bstrClassPath, 0, NULL, &xpClass, NULL);
|
|
|
|
SysFreeString(bstrClassPath);
|
|
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
|
|
//
|
|
// Get the input parameter class
|
|
//
|
|
|
|
XInterface<IWbemClassObject> xpMethod;
|
|
hr = xpClass->GetMethod(L"SetSD", 0, &xpMethod, NULL);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
|
|
//
|
|
// move the SD into a variant.
|
|
//
|
|
|
|
SAFEARRAYBOUND rgsabound[1];
|
|
rgsabound[0].lLbound = 0;
|
|
|
|
DWORD dwLength = GetSecurityDescriptorLength(pSD);
|
|
|
|
rgsabound[0].cElements = dwLength;
|
|
|
|
SAFEARRAY* psa = SafeArrayCreate(VT_UI1, 1, rgsabound);
|
|
if(!psa)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
BYTE* pDest = NULL;
|
|
|
|
hr = SafeArrayAccessData(psa, reinterpret_cast<void**>(&pDest));
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
CopyMemory(pDest, pSD, dwLength);
|
|
|
|
hr = SafeArrayUnaccessData(psa);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
VARIANT v;
|
|
XVariant xv(&v);
|
|
v.vt = VT_UI1|VT_ARRAY;
|
|
v.parray = psa;
|
|
|
|
|
|
//
|
|
// put the property
|
|
//
|
|
|
|
XInterface<IWbemClassObject> xpInParam;
|
|
hr = xpMethod->SpawnInstance(0, &xpInParam);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
hr = xpInParam->Put(L"sd" , 0, &v, 0);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
//
|
|
// Execute the method
|
|
//
|
|
|
|
BSTR bstrInstancePath = SysAllocString(L"__systemsecurity=@");
|
|
if(!bstrInstancePath)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
|
|
BSTR bstrMethodName = SysAllocString(L"SetSD");
|
|
if(!bstrMethodName)
|
|
{
|
|
SysFreeString(bstrInstancePath);
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
hr = pWbemServices->ExecMethod( bstrInstancePath,
|
|
bstrMethodName,
|
|
0,
|
|
NULL,
|
|
xpInParam,
|
|
NULL,
|
|
NULL);
|
|
|
|
SysFreeString(bstrInstancePath);
|
|
SysFreeString(bstrMethodName);
|
|
|
|
return hr;
|
|
}
|
|
|
|
|
|
#undef dbg
|
|
#define dbg dbgCommon
|
|
|
|
|
|
const DWORD DEFAULT_ACE_NUM=10;
|
|
|
|
CSecDesc::CSecDesc() :
|
|
m_cAces(0), m_xpSidList(NULL),
|
|
m_cAllocated(0), m_bInitialised(FALSE), m_bFailed(FALSE)
|
|
{
|
|
m_xpSidList = (SidStruct *)LocalAlloc(LPTR, sizeof(SidStruct)*DEFAULT_ACE_NUM);
|
|
if (!m_xpSidList)
|
|
return;
|
|
|
|
m_cAllocated = DEFAULT_ACE_NUM;
|
|
m_bInitialised = TRUE;
|
|
}
|
|
|
|
|
|
CSecDesc::~CSecDesc()
|
|
{
|
|
if (m_xpSidList)
|
|
for (DWORD i = 0; i < m_cAllocated; i++)
|
|
if (m_xpSidList[i].pSid)
|
|
if (m_xpSidList[i].bUseLocalFree)
|
|
LocalFree(m_xpSidList[i].pSid);
|
|
else
|
|
FreeSid(m_xpSidList[i].pSid);
|
|
}
|
|
|
|
|
|
BOOL CSecDesc::ReAllocSidList()
|
|
{
|
|
XPtrLF<SidStruct> xSidListNew;
|
|
|
|
|
|
//
|
|
// first allocate a larger buffer
|
|
//
|
|
|
|
xSidListNew = (SidStruct *)LocalAlloc(LPTR, sizeof(SidStruct)*(m_cAllocated+DEFAULT_ACE_NUM));
|
|
|
|
if (!xSidListNew) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::ReallocArgStrings Cannot add memory, error = %d", GetLastError());
|
|
m_bFailed = TRUE;
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
//
|
|
// copy the arguments
|
|
//
|
|
|
|
for (DWORD i = 0; i < (m_cAllocated); i++) {
|
|
xSidListNew[i] = m_xpSidList[i];
|
|
}
|
|
|
|
m_xpSidList = xSidListNew.Acquire();
|
|
m_cAllocated+= DEFAULT_ACE_NUM;
|
|
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
|
|
BOOL CSecDesc::AddLocalSystem(DWORD dwAccess, DWORD AceFlags)
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
|
|
XPtr<SID, FreeSid> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddLocalSystem: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
if (!AllocateAndInitializeSid(&authNT, 1, SECURITY_LOCAL_SYSTEM_RID,
|
|
0, 0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddLocalSystem: Failed to initialize sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (m_cAces == m_cAllocated)
|
|
if (!ReAllocSidList())
|
|
return FALSE;
|
|
|
|
|
|
m_xpSidList[m_cAces].pSid = xSid.Acquire();
|
|
m_xpSidList[m_cAces].dwAccess = dwAccess;
|
|
m_xpSidList[m_cAces].AceFlags = AceFlags;
|
|
m_cAces++;
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
BOOL CSecDesc::AddAdministrators(DWORD dwAccess, DWORD AceFlags)
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
|
|
XPtr<SID, FreeSid> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_ADMINS, 0, 0,
|
|
0, 0, 0, 0, (PSID *)&xSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Failed to initialize sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (m_cAces == m_cAllocated)
|
|
if (!ReAllocSidList())
|
|
return FALSE;
|
|
|
|
|
|
m_xpSidList[m_cAces].pSid = xSid.Acquire();
|
|
m_xpSidList[m_cAces].dwAccess = dwAccess;
|
|
m_xpSidList[m_cAces].AceFlags = AceFlags;
|
|
m_cAces++;
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
BOOL CSecDesc::AddNetworkService(DWORD dwAccess, DWORD AceFlags)
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
|
|
XPtr<SID, FreeSid> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddNetworkService: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
if (!AllocateAndInitializeSid(&authNT, 1, SECURITY_NETWORK_SERVICE_RID,
|
|
0, 0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddNetworkService: Failed to initialize sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (m_cAces == m_cAllocated)
|
|
if (!ReAllocSidList())
|
|
return FALSE;
|
|
|
|
|
|
m_xpSidList[m_cAces].pSid = xSid.Acquire();
|
|
m_xpSidList[m_cAces].dwAccess = dwAccess;
|
|
m_xpSidList[m_cAces].AceFlags = AceFlags;
|
|
m_cAces++;
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
|
|
BOOL CSecDesc::AddAdministratorsAsOwner()
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
|
|
XPtr<SID, FreeSid> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_ADMINS, 0, 0,
|
|
0, 0, 0, 0, (PSID *)&xSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Failed to initialize sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
m_xpOwnerSid = xSid.Acquire();
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
BOOL CSecDesc::AddAdministratorsAsGroup()
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
|
|
XPtr<SID, FreeSid> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_ADMINS, 0, 0,
|
|
0, 0, 0, 0, (PSID *)&xSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Failed to initialize sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
m_xpGrpSid = xSid.Acquire();
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
BOOL CSecDesc::AddEveryOne(DWORD dwAccess, DWORD AceFlags)
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY authWORLD = SECURITY_WORLD_SID_AUTHORITY;
|
|
XPtr<SID, FreeSid> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddEveryOne: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
if (!AllocateAndInitializeSid(&authWORLD, 1, SECURITY_WORLD_RID,
|
|
0, 0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddEveryOne: Failed to initialize sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (m_cAces == m_cAllocated)
|
|
if (!ReAllocSidList())
|
|
return FALSE;
|
|
|
|
|
|
m_xpSidList[m_cAces].pSid = xSid.Acquire();
|
|
m_xpSidList[m_cAces].dwAccess = dwAccess;
|
|
m_xpSidList[m_cAces].AceFlags = AceFlags;
|
|
m_cAces++;
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
#if 0
|
|
|
|
BOOL CSecDesc::AddThisUser(HANDLE hToken, DWORD dwAccess, DWORD AceFlags)
|
|
{
|
|
XPtrLF<SID> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddThisUser: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
xSid = (SID *)GetUserSid(hToken);
|
|
|
|
if (!pSid) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddThisUser: Failed to initialize sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
if (m_cAces == m_cAllocated)
|
|
if (!ReAllocSidList())
|
|
return FALSE;
|
|
|
|
m_xpSidList[m_cAces].pSid = xSid.Acquire();
|
|
m_xpSidList[m_cAces].dwAccess = dwAccess;
|
|
m_xpSidList[m_cAces].bUseLocalFree = TRUE;
|
|
m_xpSidList[m_cAces].AceFlags = AceFlags;
|
|
m_cAces++;
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
#endif
|
|
|
|
|
|
|
|
BOOL CSecDesc::AddUsers(DWORD dwAccess, DWORD AceFlags)
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
|
|
XPtr<SID, FreeSid> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
|
|
if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_USERS,
|
|
0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
|
|
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddUsers: Failed to initialize sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (m_cAces == m_cAllocated)
|
|
if (!ReAllocSidList())
|
|
return FALSE;
|
|
|
|
|
|
m_xpSidList[m_cAces].pSid = xSid.Acquire();
|
|
m_xpSidList[m_cAces].dwAccess = dwAccess;
|
|
m_xpSidList[m_cAces].AceFlags = AceFlags;
|
|
m_cAces++;
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
BOOL CSecDesc::AddAuthUsers(DWORD dwAccess, DWORD AceFlags)
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
|
|
XPtr<SID, FreeSid> xSid;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAuthUsers: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
|
|
if (!AllocateAndInitializeSid(&authNT, 1, SECURITY_AUTHENTICATED_USER_RID,
|
|
0, 0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
|
|
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAuthUsers: Failed to initialize authenticated users sid. Error = %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (m_cAces == m_cAllocated)
|
|
if (!ReAllocSidList())
|
|
return FALSE;
|
|
|
|
|
|
m_xpSidList[m_cAces].pSid = xSid.Acquire();
|
|
m_xpSidList[m_cAces].dwAccess = dwAccess;
|
|
m_xpSidList[m_cAces].AceFlags = AceFlags;
|
|
m_cAces++;
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
BOOL CSecDesc::AddSid(PSID pSid, DWORD dwAccess, DWORD AceFlags)
|
|
{
|
|
XPtrLF<SID> pLocalSid = 0;
|
|
DWORD dwSidLen = 0;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddSid: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
if (!IsValidSid(pSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddSid: Not a vaild Sid.");
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
dwSidLen = GetLengthSid(pSid);
|
|
|
|
pLocalSid = (SID *)LocalAlloc(LPTR, dwSidLen);
|
|
if (!pLocalSid) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddSid: Couldn't allocate memory. Error %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
if (!CopySid(dwSidLen, pLocalSid, pSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddSid: Couldn't copy Sid. Error %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
m_xpSidList[m_cAces].pSid = (SID *)pLocalSid.Acquire();
|
|
m_xpSidList[m_cAces].dwAccess = dwAccess;
|
|
m_xpSidList[m_cAces].bUseLocalFree = TRUE;
|
|
m_xpSidList[m_cAces].AceFlags = AceFlags;
|
|
m_cAces++;
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return TRUE;
|
|
}
|
|
|
|
|
|
PISECURITY_DESCRIPTOR CSecDesc::MakeSD()
|
|
{
|
|
XPtrLF<SECURITY_DESCRIPTOR> xsd;
|
|
PACL pAcl = 0;
|
|
DWORD cbMemSize;
|
|
DWORD cbAcl;
|
|
DWORD i;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeSD: Not initialised or failure.");
|
|
return NULL;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
cbAcl = 0;
|
|
|
|
for (i = 0; i < m_cAces; i++)
|
|
cbAcl+= GetLengthSid((SID *)(m_xpSidList[i].pSid));
|
|
|
|
cbAcl += sizeof(ACL) + m_cAces*(sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD));
|
|
|
|
|
|
//
|
|
// Allocate space for the SECURITY_DESCRIPTOR + ACL
|
|
//
|
|
|
|
cbMemSize = sizeof( SECURITY_DESCRIPTOR ) + cbAcl;
|
|
|
|
xsd = (PISECURITY_DESCRIPTOR) LocalAlloc(LPTR, cbMemSize);
|
|
|
|
if (!xsd) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::MakeSD: Failed to alocate security descriptor. Error = %d", GetLastError());
|
|
return NULL;
|
|
}
|
|
|
|
|
|
//
|
|
// increment psd by sizeof SECURITY_DESCRIPTOR
|
|
//
|
|
|
|
pAcl = (PACL) ( ( (unsigned char*)((SECURITY_DESCRIPTOR *)xsd) ) + sizeof(SECURITY_DESCRIPTOR) );
|
|
|
|
if (!InitializeAcl(pAcl, cbAcl, ACL_REVISION)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::MakeSD: Failed to initialize acl. Error = %d", GetLastError());
|
|
return NULL;
|
|
}
|
|
|
|
|
|
//
|
|
// Add each of the new ACEs
|
|
//
|
|
|
|
for (i = 0; i < m_cAces; i++) {
|
|
if (!AddAccessAllowedAceEx(pAcl, ACL_REVISION, m_xpSidList[i].AceFlags, m_xpSidList[i].dwAccess, m_xpSidList[i].pSid)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::MakeSD: Failed to add ace (%d). Error = %d", i, GetLastError());
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Put together the security descriptor
|
|
//
|
|
|
|
if (!InitializeSecurityDescriptor(xsd, SECURITY_DESCRIPTOR_REVISION)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeGenericSecurityDesc: Failed to initialize security descriptor. Error = %d", GetLastError());
|
|
return NULL;
|
|
}
|
|
|
|
if (!SetSecurityDescriptorDacl(xsd, TRUE, pAcl, FALSE)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeGenericSecurityDesc: Failed to set security descriptor dacl. Error = %d", GetLastError());
|
|
return NULL;
|
|
}
|
|
|
|
|
|
if (m_xpOwnerSid) {
|
|
if (!SetSecurityDescriptorOwner(xsd, m_xpOwnerSid, 0)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeGenericSecurityDesc: Failed to set security descriptor dacl. Error = %d", GetLastError());
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
if (m_xpGrpSid) {
|
|
if (!SetSecurityDescriptorGroup(xsd, m_xpGrpSid, 0)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeGenericSecurityDesc: Failed to set security descriptor dacl. Error = %d", GetLastError());
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
m_bFailed = FALSE;
|
|
return xsd.Acquire();
|
|
}
|
|
|
|
|
|
PISECURITY_DESCRIPTOR CSecDesc::MakeSelfRelativeSD()
|
|
{
|
|
XPtrLF<SECURITY_DESCRIPTOR> xAbsoluteSD;
|
|
DWORD dwLastError;
|
|
|
|
if ((!m_bInitialised) || (m_bFailed)) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
|
|
return FALSE;
|
|
}
|
|
|
|
xAbsoluteSD = MakeSD();
|
|
|
|
if (!xAbsoluteSD) {
|
|
dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::MakeSelfRelativeSD: Failed to set security descriptor dacl. Error = %d", GetLastError());
|
|
return NULL;
|
|
}
|
|
|
|
m_bFailed = TRUE;
|
|
|
|
|
|
//
|
|
// Make a new self-relative SD here
|
|
//
|
|
|
|
DWORD dwBufferLength = 0;
|
|
::MakeSelfRelativeSD( xAbsoluteSD, 0, &dwBufferLength);
|
|
|
|
dwLastError = GetLastError();
|
|
if((dwLastError != ERROR_INSUFFICIENT_BUFFER) || !dwBufferLength)
|
|
{
|
|
dbg.Msg( DEBUG_MESSAGE_VERBOSE, L"CSecDesc::MakeSelfRelativeSD: MakeSelfRelativeSD failed, 0x%X", dwLastError );
|
|
return NULL;
|
|
}
|
|
|
|
|
|
XPtrLF<SECURITY_DESCRIPTOR> xsd = reinterpret_cast<SECURITY_DESCRIPTOR*>(LocalAlloc(LPTR, dwBufferLength));
|
|
if(!xsd)
|
|
{
|
|
dbg.Msg( DEBUG_MESSAGE_VERBOSE, L"CSecDesc::MakeSelfRelativeSD: MakeSelfRelativeSD failed, 0x%X", E_OUTOFMEMORY );
|
|
return NULL;
|
|
}
|
|
|
|
BOOL bRes = ::MakeSelfRelativeSD( xAbsoluteSD, xsd, &dwBufferLength);
|
|
|
|
if (!bRes) {
|
|
dbg.Msg( DEBUG_MESSAGE_VERBOSE, L"CSecDesc::MakeSelfRelativeSD: MakeSelfRelativeSD failed, 0x%X", GetLastError() );
|
|
return NULL;
|
|
}
|
|
|
|
m_bFailed = FALSE;
|
|
return xsd.Acquire();
|
|
}
|
|
|