Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

183 lines
4.8 KiB

/*++
Copyright (c) 2002 Microsoft Corporation
Module Name :
lockdown.cxx
Abstract:
Upgrade old IIS Lockdown Wizard Settings to whatever
is appropriate in IIS6
Author:
Christopher Achille (cachille)
Project:
Internet Services Setup
Revision History:
May 2002: Created
--*/
#include "stdafx.h"
#include "acl.hxx"
#include "restrlst.hxx"
#include "lockdown.hxx"
#include "reg.hxx"
// IsWebDavDisabled
//
// This checks to see if WebDav was disabled on IIS 5.0. The way
// this was done, was by removing acl's on the file, so the webserver
// could not load the file.
// This will not only check, but it will restore the ACL's so the file
// can be replaced on upgrade.
//
// Parameters:
// pbWasDisabled - [out] Was the file disabled before or not
//
// Return
// TRUE - Success checking
// FALSE - Failed to check
BOOL
IsWebDavDisabled( LPBOOL pbWasDisabled )
{
CSecurityDescriptor SD;
BOOL bAreAclsSupported;
TSTR_PATH strHttpExtPath;
ACCESS_MASK AccessMask;
if ( !strHttpExtPath.Copy( g_pTheApp->m_csPathInetsrv ) ||
!strHttpExtPath.PathAppend( g_OurExtensions[EXTENSION_WEBDAV].szFileName ) )
{
// Failed to construct path
return FALSE;
}
if ( !CSecurityDescriptor::DoesFileSystemSupportACLs( strHttpExtPath.QueryStr(),
&bAreAclsSupported ) )
{
// Failure
return FALSE;
}
else
{
if ( !bAreAclsSupported )
{
// Since ACL's are not supported, lets just exit
*pbWasDisabled = FALSE;
return TRUE;
}
}
if ( !SD.GetSecurityInfoOnFile( strHttpExtPath.QueryStr() ) ||
!SD.QueryEffectiveRightsForTrustee( CSecurityDescriptor::GROUP_USERS,
&AccessMask ) )
{
// Failed to query access
// It is possible that the file is not even on the system
// so just return that it is not disables
*pbWasDisabled = FALSE;
return TRUE;
}
// Was file disabled to be loaded?
*pbWasDisabled = ( AccessMask & ACTRL_FILE_EXECUTE ) == 0;
if ( *pbWasDisabled )
{
// Lets restore ACL, so we can upgrade it
// Copy ACL's from that of inetsrv directory to dll, since it has been acl'd down
if ( !SD.GetSecurityInfoOnFile( g_pTheApp->m_csPathInetsrv.GetBuffer(0) ) ||
!SD.SetSecurityInfoOnFile( strHttpExtPath.QueryStr(), TRUE ) )
{
return FALSE;
}
}
return TRUE;
}
// IsWebDavDisabledViaRegistry
//
// Is WebDav disabled in the registry?
//
// Parameters:
// pbWasDisabled - [out] Was the file disabled before or not
//
// Return
// TRUE - Success checking
// FALSE - Failed to check
BOOL
IsWebDavDisabledViaRegistry( LPBOOL pbWasDisabled )
{
CRegValue Value;
CRegistry Registry;
*pbWasDisabled = FALSE;
if ( !Registry.OpenRegistry( HKEY_LOCAL_MACHINE,
REG_WWWPARAMETERS,
KEY_READ | KEY_WRITE ) )
{
// Failed to open WWW Node
// We will consider this success, since the node might not exist.
return TRUE;
}
if ( Registry.ReadValue( REGISTRY_WWW_DISABLEWEBDAV_NAME,
Value ) )
{
// Successfully read value
*pbWasDisabled = *( (LPDWORD) Value.m_buffData.QueryPtr() ) != 0;
}
Registry.DeleteValue( REGISTRY_WWW_DISABLEWEBDAV_NAME );
return TRUE;
}
// DisableWebDavInRestrictionList
//
// Lockdown access the the HttpExtension Dll. That this meands is that
// we free up the ACL on the file, and deny it through the
// WebSvcRestrictionList
//
BOOL
DisableWebDavInRestrictionList()
{
CRestrictionList RestrictionList;
CSecurityDescriptor SD;
TSTR strDescription;
TSTR_PATH strHttpExtPath;
if ( !strHttpExtPath.Copy( g_pTheApp->m_csPathInetsrv ) ||
!strHttpExtPath.PathAppend( g_OurExtensions[EXTENSION_WEBDAV].szFileName ) )
{
// Failed to construct path
return FALSE;
}
// Update Metabas
if ( !strDescription.LoadString( g_OurExtensions[EXTENSION_WEBDAV].dwProductName ) ||
!RestrictionList.InitMetabase() ||
!RestrictionList.LoadCurrentSettings() ||
!RestrictionList.UpdateItem( strHttpExtPath.QueryStr(),
g_OurExtensions[EXTENSION_WEBDAV].szNotLocalizedGroupName,
strDescription.QueryStr(),
FALSE, // DENY
g_OurExtensions[EXTENSION_WEBDAV].bUIDeletable ) ||
!RestrictionList.SaveSettings() )
{
// Failed to update metabase
return FALSE;
}
return TRUE;
}