archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
1.5 GiB
 
 
 
 
 
 
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/shell/osshell/security/rshx32/printsi.cpp

750 lines
25 KiB
Raw Blame History

//+-------------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (C) Microsoft Corporation, 1996 - 1999
//
// File: printsi.cpp
//
// This file contains the implementation of the CPrintSecurity object.
//
//--------------------------------------------------------------------------
#include "rshx32.h"
// The following array defines the permission names for NT printers.
SI_ACCESS siPrintAccesses[] =
{
{ &GUID_NULL, PRINTER_EXECUTE, MAKEINTRESOURCE(IDS_PRINT_PRINT), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
{ &GUID_NULL, PRINTER_ALL_ACCESS, MAKEINTRESOURCE(IDS_PRINT_ADMINISTER), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
{ &GUID_NULL, JOB_ALL_ACCESS, MAKEINTRESOURCE(IDS_PRINT_ADMINISTER_JOBS), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC | OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE },
// { &GUID_NULL, DELETE, MAKEINTRESOURCE(IDS_PRINT_DELETE), SI_ACCESS_SPECIFIC },
{ &GUID_NULL, STANDARD_RIGHTS_READ, MAKEINTRESOURCE(IDS_PRINT_READ), SI_ACCESS_SPECIFIC },
{ &GUID_NULL, WRITE_DAC, MAKEINTRESOURCE(IDS_PRINT_CHANGE_PERM), SI_ACCESS_SPECIFIC },
{ &GUID_NULL, WRITE_OWNER, MAKEINTRESOURCE(IDS_PRINT_CHANGE_OWNER), SI_ACCESS_SPECIFIC },
{ &GUID_NULL, PRINTER_ALL_ACCESS|JOB_ALL_ACCESS, MAKEINTRESOURCE(IDS_PRINT_JOB_ALL), 0 },
{ &GUID_NULL, 0, MAKEINTRESOURCE(IDS_NONE), 0 },
};
#define iPrintDefAccess 0 // PRINTER_EXECUTE (i.e. "Print" access)
#define PRINTER_ALL_AUDIT (PRINTER_ALL_ACCESS | ACCESS_SYSTEM_SECURITY)
#define JOB_ALL_AUDIT (JOB_ALL_ACCESS | ACCESS_SYSTEM_SECURITY)
#define PRINTER_JOB_ALL_AUDIT (PRINTER_ALL_ACCESS | JOB_ALL_ACCESS | ACCESS_SYSTEM_SECURITY)
// The following array defines the auditting names for NT printers.
SI_ACCESS siPrintAudits[] =
{
{ &GUID_NULL, PRINTER_EXECUTE, MAKEINTRESOURCE(IDS_PRINT_PRINT), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
{ &GUID_NULL, PRINTER_ALL_AUDIT, MAKEINTRESOURCE(IDS_PRINT_ADMINISTER), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC },
{ &GUID_NULL, JOB_ALL_AUDIT, MAKEINTRESOURCE(IDS_PRINT_ADMINISTER_JOBS), SI_ACCESS_GENERAL | SI_ACCESS_SPECIFIC | OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE },
// { &GUID_NULL, DELETE, MAKEINTRESOURCE(IDS_PRINT_DELETE), SI_ACCESS_SPECIFIC },
{ &GUID_NULL, STANDARD_RIGHTS_READ, MAKEINTRESOURCE(IDS_PRINT_READ), SI_ACCESS_SPECIFIC },
{ &GUID_NULL, WRITE_DAC, MAKEINTRESOURCE(IDS_PRINT_CHANGE_PERM), SI_ACCESS_SPECIFIC },
{ &GUID_NULL, WRITE_OWNER, MAKEINTRESOURCE(IDS_PRINT_CHANGE_OWNER), SI_ACCESS_SPECIFIC },
{ &GUID_NULL, PRINTER_ALL_AUDIT|JOB_ALL_AUDIT, MAKEINTRESOURCE(IDS_PRINT_JOB_ALL), 0 },
{ &GUID_NULL, 0, MAKEINTRESOURCE(IDS_NONE), 0 },
};
#define iPrintDefAudit 0 // PRINTER_EXECUTE (i.e. "Print" access)
// The following array defines the inheritance types for NT printers.
SI_INHERIT_TYPE siPrintInheritTypes[] =
{
&GUID_NULL, 0, MAKEINTRESOURCE(IDS_PRINT_PRINTER),
&GUID_NULL, INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE, MAKEINTRESOURCE(IDS_PRINT_DOCUMENT_ONLY),
&GUID_NULL, OBJECT_INHERIT_ACE, MAKEINTRESOURCE(IDS_PRINT_PRINTER_DOCUMENT),
};
BOOL
GetPrinterAlloc(HANDLE hPrinter, DWORD dwLevel, LPBYTE *ppBuffer)
{
BOOL bResult;
DWORD dwLength = 0;
LPBYTE pBuffer = NULL;
bResult = GetPrinter(hPrinter, dwLevel, NULL, 0, &dwLength);
if (dwLength)
{
bResult = FALSE;
pBuffer = (LPBYTE)LocalAlloc(LPTR, dwLength);
if (pBuffer)
{
bResult = GetPrinter(hPrinter, dwLevel, pBuffer, dwLength, &dwLength);
if (!bResult)
{
LocalFree(pBuffer);
pBuffer = NULL;
}
}
}
*ppBuffer = pBuffer;
return bResult;
}
STDMETHODIMP
CheckPrinterAccess(LPCTSTR pszObjectName,
LPDWORD pdwAccessGranted,
LPTSTR pszServer,
ULONG cchServer)
{
HRESULT hr = S_OK;
UINT i;
PRINTER_DEFAULTS PrinterDefaults;
DWORD dwAccessDesired[] = { ALL_SECURITY_ACCESS,
READ_CONTROL,
WRITE_DAC,
WRITE_OWNER,
ACCESS_SYSTEM_SECURITY };
HANDLE hPrinter = NULL;
PrinterDefaults.pDatatype = NULL;
PrinterDefaults.pDevMode = NULL;
TraceEnter(TRACE_PRINTSI, "CheckPrinterAccess");
TraceAssert(pdwAccessGranted != NULL);
__try
{
*pdwAccessGranted = 0;
for (i = 0; i < ARRAYSIZE(dwAccessDesired); i++)
{
if ((dwAccessDesired[i] & *pdwAccessGranted) == dwAccessDesired[i])
continue; // already have this access
PrinterDefaults.DesiredAccess = dwAccessDesired[i];
if (OpenPrinter((LPTSTR)pszObjectName, &hPrinter, &PrinterDefaults))
{
*pdwAccessGranted |= dwAccessDesired[i];
ClosePrinter(hPrinter);
}
else
{
DWORD dwErr = GetLastError();
if (dwErr != ERROR_ACCESS_DENIED &&
dwErr != ERROR_PRIVILEGE_NOT_HELD)
{
ExitGracefully(hr, HRESULT_FROM_WIN32(dwErr), "OpenPrinter failed");
}
}
}
if (pszServer)
{
PrinterDefaults.DesiredAccess = PRINTER_READ;
if (OpenPrinter((LPTSTR)pszObjectName, &hPrinter, &PrinterDefaults))
{
PPRINTER_INFO_2 ppi = NULL;
if (GetPrinterAlloc(hPrinter, 2, (LPBYTE*)&ppi))
{
if (ppi && ppi->pServerName)
lstrcpyn(pszServer, ppi->pServerName, cchServer);
else
*pszServer = TEXT('\0');
LocalFree(ppi);
}
ClosePrinter(hPrinter);
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
hr = HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND);
}
exit_gracefully:
Trace((TEXT("Access = 0x%08x"), *pdwAccessGranted));
TraceLeaveResult(hr);
}
STDMETHODIMP
CPrintSecurity::Initialize(HDPA hItemList,
DWORD dwFlags,
LPTSTR pszServer,
LPTSTR pszObject)
{
return CSecurityInformation::Initialize(hItemList,
dwFlags | SI_NO_TREE_APPLY | SI_NO_ACL_PROTECT,
pszServer,
pszObject);
}
//
// NT6 REVIEW
//
// GetAceSid, FindManagePrinterACE, MungeAclForPrinter and
// CPrintSecurity::SetSecurity only exist here because
// 1) The spooler removes JOB_ACCESS_ADMINISTER from an ACE unless the
// ACE has INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE.
// 2) The NT4 ACL editor (ACLEDIT) needs extra bogus ACEs to recognize
// "Manage Documents" access. (Must support downlevel clients.)
//
// The first case should be rare, since you have to perform certain
// steps in the NT5 ACL editor (ACLUI) to cause this situation. The
// second situation is common, since CREATER_OWNER and Administrators
// usually have "Manage Documents" access.
//
// If the spooler guys decide to not support NT4 clients for NT6, and they
// stop stripping JOB_ACCESS_ADMINISTER from ACEs, then MungeAclForPrinter
// and CPrintSecurity::SetSecurity can be removed entirely. ENCOURAGE THEM
// TO MAKE THAT CHANGE. (They can also remove similar hacks from their own
// code that add bogus ACEs for the old ACL editor.)
//
PSID
GetAceSid(PACE_HEADER pAce)
{
switch (pAce->AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
case ACCESS_DENIED_ACE_TYPE:
case SYSTEM_AUDIT_ACE_TYPE:
case SYSTEM_ALARM_ACE_TYPE:
return (PSID)&((PKNOWN_ACE)pAce)->SidStart;
case ACCESS_ALLOWED_COMPOUND_ACE_TYPE:
return (PSID)&((PCOMPOUND_ACCESS_ALLOWED_ACE)pAce)->SidStart;
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
case ACCESS_DENIED_OBJECT_ACE_TYPE:
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
case SYSTEM_ALARM_OBJECT_ACE_TYPE:
return RtlObjectAceSid(pAce);
}
return NULL;
}
PACE_HEADER
FindManagePrinterACE(PACL pAcl, PSID pSid)
{
UINT i;
PACE_HEADER pAce;
if (!pAcl || !pSid)
return NULL;
for (i = 0, pAce = (PACE_HEADER)FirstAce(pAcl);
i < pAcl->AceCount;
i++, pAce = (PACE_HEADER)NextAce(pAce))
{
if (pAce->AceType == ACCESS_ALLOWED_ACE_TYPE
&& (((PKNOWN_ACE)pAce)->Mask & PRINTER_ALL_ACCESS) == PRINTER_ALL_ACCESS
&& !(pAce->AceFlags & INHERIT_ONLY_ACE)
&& EqualSid(pSid, GetAceSid(pAce)))
{
return pAce;
}
}
return NULL;
}
BOOL
MungeAclForPrinter(PACL pAcl, PACL *ppAclOut)
{
USHORT i;
PACE_HEADER pAce;
PACE_HEADER pAceCopy = NULL;
if (ppAclOut == NULL)
return FALSE;
*ppAclOut = NULL;
if (pAcl == NULL)
return TRUE;
TraceEnter(TRACE_PRINTSI, "MungeAclForPrinter");
for (i = 0, pAce = (PACE_HEADER)FirstAce(pAcl);
i < pAcl->AceCount;
i++, pAce = (PACE_HEADER)NextAce(pAce))
{
//
// If this ACE has the JOB_ACCESS_ADMINISTER bit and the inherit
// flags indicate that it applies to both printers and documents,
// then we need to treat it specially, since the spooler won't save
// JOB_ACCESS_ADMINISTER on a printer ACE (INHERIT_ONLY_ACE not set).
//
if ((((PKNOWN_ACE)pAce)->Mask & JOB_ACCESS_ADMINISTER) &&
(pAce->AceFlags & (INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE)) == OBJECT_INHERIT_ACE)
{
//
// Split into 2 aces: one with no inheritance, and one with
// INHERIT_ONLY_ACE turned on. Let the spooler do whatever
// it wants with the mask.
//
// This requires allocating a larger ACL and copying all
// previous aces over.
//
TraceMsg("Splitting JOB_ACCESS_ADMINISTER ACE into 2");
if (*ppAclOut == NULL)
{
//
// Allocate new ACL and copy previous aces. The length is enough
// for 1 copy of all previous aces, and 3 copies (max) of all
// remaining aces.
//
ULONG nPrevLength = (ULONG)((ULONG_PTR)pAce - (ULONG_PTR)pAcl);
*ppAclOut = (PACL)LocalAlloc(LPTR, nPrevLength + (pAcl->AclSize - nPrevLength) * 3);
if (!*ppAclOut)
TraceLeaveValue(FALSE);
CopyMemory(*ppAclOut, pAcl, nPrevLength);
(*ppAclOut)->AclSize = (USHORT)LocalSize(*ppAclOut);
(*ppAclOut)->AceCount = i;
pAceCopy = (PACE_HEADER)ByteOffset(*ppAclOut, nPrevLength);
}
// Turn off inheritance and copy this ace
pAce->AceFlags &= ~OBJECT_INHERIT_ACE;
CopyMemory(pAceCopy, pAce, pAce->AceSize);
pAceCopy = (PACE_HEADER)NextAce(pAceCopy);
(*ppAclOut)->AceCount++;
// Now turn on inheritance (with INHERIT_ONLY_ACE) and copy it
// again (it gets copied way down below). Note that this may
// causes the next IF clause to add a bogus ACE also.
pAce->AceFlags |= OBJECT_INHERIT_ACE | INHERIT_ONLY_ACE;
}
//
// If this ACE has JOB_ALL_ACCESS and INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE,
// and there isn't also a "Manage Printers" ACE for the same SID, add a
// bogus ACE with READ_CONTROL and CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE.
// The old ACL editor on downlevel clients needs this to recognize
// "Manage Documents" access.
//
if (pAce->AceType == ACCESS_ALLOWED_ACE_TYPE
&& (((PKNOWN_ACE)pAce)->Mask & JOB_ALL_ACCESS) == JOB_ALL_ACCESS
&& (pAce->AceFlags & (INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE)) == (INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE)
&& !FindManagePrinterACE(pAcl, GetAceSid(pAce)))
{
TraceMsg("Adding bogus ACE for downlevel support");
if (*ppAclOut == NULL)
{
//
// Allocate new ACL and copy previous aces. The length is enough
// for 1 copy of all previous aces, and 3 copies (max) of all
// remaining aces.
//
ULONG nPrevLength = (ULONG)((ULONG_PTR)pAce - (ULONG_PTR)pAcl);
*ppAclOut = (PACL)LocalAlloc(LPTR, nPrevLength + (pAcl->AclSize - nPrevLength) * 3);
if (!*ppAclOut)
TraceLeaveValue(FALSE);
CopyMemory(*ppAclOut, pAcl, nPrevLength);
(*ppAclOut)->AclSize = (USHORT)LocalSize(*ppAclOut);
(*ppAclOut)->AceCount = i;
pAceCopy = (PACE_HEADER)ByteOffset(*ppAclOut, nPrevLength);
}
// Copy this ace, turn on CONTAINER_INHERIT_ACE, and set
// the mask to STANDARD_RIGHTS_READ.
CopyMemory(pAceCopy, pAce, pAce->AceSize);
pAceCopy->AceFlags &= ~OBJECT_INHERIT_ACE;
pAceCopy->AceFlags |= INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE;
((PKNOWN_ACE)pAceCopy)->Mask = STANDARD_RIGHTS_READ;
pAceCopy = (PACE_HEADER)NextAce(pAceCopy);
(*ppAclOut)->AceCount++;
}
if (*ppAclOut != NULL)
{
// Copy current ace
CopyMemory(pAceCopy, pAce, pAce->AceSize);
pAceCopy = (PACE_HEADER)NextAce(pAceCopy);
(*ppAclOut)->AceCount++;
}
}
if (*ppAclOut != NULL)
{
TraceAssert((ULONG_PTR)pAceCopy > (ULONG_PTR)*ppAclOut &&
(ULONG_PTR)pAceCopy <= (ULONG_PTR)*ppAclOut + (*ppAclOut)->AclSize);
// Set the ACL size to the correct value
(*ppAclOut)->AclSize = (WORD)((ULONG_PTR)pAceCopy - (ULONG_PTR)*ppAclOut);
}
TraceLeaveValue(TRUE);
}
///////////////////////////////////////////////////////////
//
// ISecurityInformation methods
//
///////////////////////////////////////////////////////////
STDMETHODIMP
CPrintSecurity::SetSecurity(SECURITY_INFORMATION si, PSECURITY_DESCRIPTOR pSD)
{
PACL pDacl = NULL;
PACL pSacl = NULL;
PACL pDaclCopy = NULL;
PACL pSaclCopy = NULL;
BOOL bPresent;
BOOL bDefaulted;
SECURITY_DESCRIPTOR sd;
TraceEnter(TRACE_PRINTSI, "CPrintSecurity::SetSecurity");
HRESULT hr = S_OK;
if ((si & DACL_SECURITY_INFORMATION)
&& GetSecurityDescriptorDacl(pSD, &bPresent, &pDacl, &bDefaulted)
&& bPresent)
{
if (MungeAclForPrinter(pDacl, &pDaclCopy) && pDaclCopy)
pDacl = pDaclCopy;
}
if ((si & SACL_SECURITY_INFORMATION)
&& GetSecurityDescriptorSacl(pSD, &bPresent, &pSacl, &bDefaulted)
&& bPresent)
{
if (MungeAclForPrinter(pSacl, &pSaclCopy) && pSaclCopy)
pSacl = pSaclCopy;
}
if (pDaclCopy || pSaclCopy)
{
// Build a new SECURITY_DESCRIPTOR
PSID psid;
DWORD dwRevision;
SECURITY_DESCRIPTOR_CONTROL sdControl = 0;
if(!GetSecurityDescriptorControl(pSD, &sdControl, &dwRevision))
{
DWORD dwErr = GetLastError();
ExitGracefully(hr, HRESULT_FROM_WIN32(dwErr),"GetSecurityDescriptorControl failed");
}
if(!InitializeSecurityDescriptor(&sd, dwRevision))
{
DWORD dwErr = GetLastError();
ExitGracefully(hr, HRESULT_FROM_WIN32(dwErr),"InitializeSecurityDescriptor failed");
}
sd.Control = (SECURITY_DESCRIPTOR_CONTROL)(sdControl & ~SE_SELF_RELATIVE);
if ((si & OWNER_SECURITY_INFORMATION)
&& GetSecurityDescriptorOwner(pSD, &psid, &bDefaulted))
{
if(!SetSecurityDescriptorOwner(&sd, psid, bDefaulted))
{
DWORD dwErr = GetLastError();
ExitGracefully(hr, HRESULT_FROM_WIN32(dwErr),"SetSecurityDescriptorOwner failed");
}
}
if ((si & GROUP_SECURITY_INFORMATION)
&& GetSecurityDescriptorGroup(pSD, &psid, &bDefaulted))
{
if(!SetSecurityDescriptorGroup(&sd, psid, bDefaulted))
{
DWORD dwErr = GetLastError();
ExitGracefully(hr, HRESULT_FROM_WIN32(dwErr),"SetSecurityDescriptorGroup failed");
}
}
if (si & SACL_SECURITY_INFORMATION)
{
if(!SetSecurityDescriptorSacl(&sd,
sdControl & SE_SACL_PRESENT,
pSacl,
sdControl & SE_SACL_DEFAULTED))
{
DWORD dwErr = GetLastError();
ExitGracefully(hr, HRESULT_FROM_WIN32(dwErr),"SetSecurityDescriptorSacl failed");
}
}
if (si & DACL_SECURITY_INFORMATION)
{
if(!SetSecurityDescriptorDacl(&sd,
sdControl & SE_DACL_PRESENT,
pDacl,
sdControl & SE_DACL_DEFAULTED))
{
DWORD dwErr = GetLastError();
ExitGracefully(hr, HRESULT_FROM_WIN32(dwErr),"SetSecurityDescriptorDacl failed");
}
}
// Switch to the new security descriptor
pSD = &sd;
}
// The base class does the rest of the work
hr = CSecurityInformation::SetSecurity(si, pSD);
exit_gracefully:
if (pDaclCopy)
LocalFree(pDaclCopy);
if (pSaclCopy)
LocalFree(pSaclCopy);
TraceLeaveResult(hr);
}
STDMETHODIMP
CPrintSecurity::GetAccessRights(const GUID* /*pguidObjectType*/,
DWORD dwFlags,
PSI_ACCESS *ppAccesses,
ULONG *pcAccesses,
ULONG *piDefaultAccess)
{
TraceEnter(TRACE_PRINTSI, "CPrintSecurity::GetAccessRights");
TraceAssert(ppAccesses != NULL);
TraceAssert(pcAccesses != NULL);
TraceAssert(piDefaultAccess != NULL);
if (dwFlags & SI_EDIT_AUDITS)
{
*ppAccesses = siPrintAudits;
*pcAccesses = ARRAYSIZE(siPrintAudits);
*piDefaultAccess = iPrintDefAudit;
}
else
{
*ppAccesses = siPrintAccesses;
*pcAccesses = ARRAYSIZE(siPrintAccesses);
*piDefaultAccess = iPrintDefAccess;
}
TraceLeaveResult(S_OK);
}
GENERIC_MAPPING JobMap =
{
JOB_READ,
JOB_WRITE,
JOB_EXECUTE,
JOB_ALL_ACCESS
};
GENERIC_MAPPING PrinterMap =
{
PRINTER_READ,
PRINTER_WRITE,
PRINTER_EXECUTE,
PRINTER_ALL_ACCESS
};
GENERIC_MAPPING FullPrinterMap =
{
PRINTER_READ | JOB_READ,
PRINTER_WRITE | JOB_WRITE,
PRINTER_EXECUTE | JOB_EXECUTE,
PRINTER_ALL_ACCESS | JOB_ALL_ACCESS
};
STDMETHODIMP
CPrintSecurity::MapGeneric(const GUID* /*pguidObjectType*/,
UCHAR *pAceFlags,
ACCESS_MASK *pmask)
{
PGENERIC_MAPPING pMap;
TraceEnter(TRACE_PRINTSI, "CPrintSecurity::MapGeneric");
TraceAssert(pAceFlags != NULL);
TraceAssert(pmask != NULL);
// This flag has no meaning for printers, but it's often turned on
// in legacy ACLs. Turn it off here
*pAceFlags &= ~CONTAINER_INHERIT_ACE;
// Choose the correct generic mapping according to the inherit
// scope of this ACE.
if (*pAceFlags & OBJECT_INHERIT_ACE)
{
if (*pAceFlags & INHERIT_ONLY_ACE)
pMap = &JobMap; // documents only
else
pMap = &FullPrinterMap; // printers & documents
}
else
pMap = &PrinterMap; // printers only
// Note that the case where INHERIT_ONLY_ACE is ON but OBJECT_INHERIT_ACE
// is OFF falls under the "printers only" case above. However, this
// case makes no sense (inherit-only, but not onto documents) and it
// doesn't matter how we do the mapping.
// Map any generic bits to standard & specific bits.
// When using the NT5 ACL APIs, ntmarta.dll maps generic bits, so this
// isn't always necessary, but we'll do it anyway to be sure.
MapGenericMask(pmask, pMap);
// Turn off any extra bits that ntmarta.dll may have turned on
// (ntmarta uses a different mapping). But leave ACCESS_SYSTEM_SECURITY
// alone in case we're editing a SACL.
*pmask &= (pMap->GenericAll | ACCESS_SYSTEM_SECURITY);
TraceLeaveResult(S_OK);
}
STDMETHODIMP
CPrintSecurity::GetInheritTypes(PSI_INHERIT_TYPE *ppInheritTypes,
ULONG *pcInheritTypes)
{
TraceEnter(TRACE_PRINTSI, "CPrintSecurity::GetInheritTypes");
TraceAssert(ppInheritTypes != NULL);
TraceAssert(pcInheritTypes != NULL);
*ppInheritTypes = siPrintInheritTypes;
*pcInheritTypes = ARRAYSIZE(siPrintInheritTypes);
TraceLeaveResult(S_OK);
}
//
// The base class versions of ReadObjectSecurity and WriteObjectSecurity
// use Get/SetNamedSecurityInfo, et al. These API's are generic,
// involve lots of conversions, and are problematic. Since there is no
// inheritance propagation required for printers, override them here
// and use GetPrinter/SetPrinter.
//
STDMETHODIMP
CPrintSecurity::ReadObjectSecurity(LPCTSTR pszObject,
SECURITY_INFORMATION si,
PSECURITY_DESCRIPTOR *ppSD)
{
HRESULT hr;
DWORD dwErr = NOERROR;
HANDLE hPrinter;
PRINTER_DEFAULTS pd = {0};
DWORD dwLength = 0;
TraceEnter(TRACE_PRINTSI, "CPrintSecurity::ReadObjectSecurity");
TraceAssert(pszObject != NULL);
TraceAssert(si != 0);
TraceAssert(ppSD != NULL);
//
// Assume that required privileges have already been
// enabled, if appropriate.
//
if (si & (DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
pd.DesiredAccess |= READ_CONTROL;
if (si & SACL_SECURITY_INFORMATION)
pd.DesiredAccess |= ACCESS_SYSTEM_SECURITY;
__try
{
*ppSD = NULL;
if (OpenPrinter((LPTSTR)pszObject, &hPrinter, &pd))
{
PPRINTER_INFO_3 ppi = NULL;
if (GetPrinterAlloc(hPrinter, 3, (LPBYTE*)&ppi))
{
//
// Rather than allocating a new buffer and copying the
// security descriptor, we can re-use the existing buffer
// by simply moving the security descriptor to the top.
//
dwLength = GetSecurityDescriptorLength(ppi->pSecurityDescriptor);
*ppSD = ppi;
// This is an overlapped copy, so use MoveMemory.
MoveMemory(*ppSD,
ppi->pSecurityDescriptor,
dwLength);
}
else
dwErr = GetLastError();
ClosePrinter(hPrinter);
}
else
dwErr = GetLastError();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
dwErr = ERROR_PROC_NOT_FOUND;
}
hr = HRESULT_FROM_WIN32(dwErr);
TraceLeaveResult(hr);
}
STDMETHODIMP
CPrintSecurity::WriteObjectSecurity(LPCTSTR pszObject,
SECURITY_INFORMATION si,
PSECURITY_DESCRIPTOR pSD)
{
HRESULT hr;
DWORD dwErr = NOERROR;
HANDLE hPrinter;
PRINTER_DEFAULTS pd = {0};
TraceEnter(TRACE_PRINTSI, "CPrintSecurity::WriteObjectSecurity");
TraceAssert(pszObject != NULL);
TraceAssert(si != 0);
TraceAssert(pSD != NULL);
//
// Assume that required privileges have already been
// enabled, if appropriate.
//
if (si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION))
pd.DesiredAccess |= WRITE_OWNER;
if (si & SACL_SECURITY_INFORMATION)
pd.DesiredAccess |= ACCESS_SYSTEM_SECURITY;
if (si & DACL_SECURITY_INFORMATION)
pd.DesiredAccess |= WRITE_DAC;
__try
{
if (OpenPrinter((LPTSTR)pszObject, &hPrinter, &pd))
{
PRINTER_INFO_3 pi = { pSD };
if (!SetPrinter(hPrinter, 3, (LPBYTE)&pi, 0))
dwErr = GetLastError();
ClosePrinter(hPrinter);
}
else
dwErr = GetLastError();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
dwErr = ERROR_PROC_NOT_FOUND;
}
hr = HRESULT_FROM_WIN32(dwErr);
TraceLeaveResult(hr);
}
STDMETHODIMP
CPrintSecurity::GetInheritSource(SECURITY_INFORMATION si,
PACL pACL,
PINHERITED_FROM *ppInheritArray)
{
return E_NOTIMPL;
}