You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
698 lines
22 KiB
698 lines
22 KiB
//+-------------------------------------------------------------------
|
|
//
|
|
// Copyright (C) 1995, Microsoft Corporation.
|
|
//
|
|
// File: daclwrap.cxx
|
|
//
|
|
// Contents: class encapsulating file security.
|
|
//
|
|
// Classes: CDaclWrap
|
|
//
|
|
// History: Nov-93 Created DaveMont
|
|
//
|
|
//--------------------------------------------------------------------
|
|
#include <t2.hxx>
|
|
#include <daclwrap.hxx>
|
|
|
|
#if DBG
|
|
extern ULONG Debug;
|
|
#endif
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: CDaclWrap::CDaclWrap, public
|
|
//
|
|
// Synopsis: initialize data members, constructor will not throw
|
|
//
|
|
// Arguments: none
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
CDaclWrap::CDaclWrap()
|
|
: _ccaa(0)
|
|
{
|
|
}
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: Dtor, public
|
|
//
|
|
// Synopsis: cleanup allocated data
|
|
//
|
|
// Arguments: none
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
CDaclWrap::~CDaclWrap()
|
|
{
|
|
for (ULONG j = 0; j < _ccaa; j++)
|
|
delete _aaa[j].pcaa;
|
|
}
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: CDaclWrap::SetAccess, public
|
|
//
|
|
// Synopsis: caches data for a new ACE
|
|
//
|
|
// Arguments: IN [option] - rePlace, Revoke, Grant, Deny
|
|
// IN [Name] - principal (username)
|
|
// IN [System] - server/machine where Name is defined
|
|
// IN [access] - access mode (Read Change None All)
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
ULONG CDaclWrap::SetAccess(ULONG option, WCHAR *Name, WCHAR *System, ULONG access)
|
|
{
|
|
ULONG ret;
|
|
|
|
// sorry, static number of ACCESSes can be set at one time
|
|
|
|
if (_ccaa >= CMAXACES)
|
|
return(ERROR_BUFFER_OVERFLOW);
|
|
|
|
// allocate a new account access class
|
|
|
|
if (NULL == (_aaa[_ccaa].pcaa = new CAccountAccess(Name, System)))
|
|
{
|
|
return(ERROR_NOT_ENOUGH_MEMORY);
|
|
}
|
|
|
|
// to fix the bug where someone asks to both grant and deny under
|
|
// the /p option (the deny is thru access = N)
|
|
|
|
if ((GENERIC_NONE == access) && (OPTION_REPLACE == option))
|
|
{
|
|
_aaa[_ccaa].option = OPTION_DENY;
|
|
} else
|
|
{
|
|
_aaa[_ccaa].option = option;
|
|
}
|
|
|
|
SID *psid;
|
|
|
|
if (ERROR_SUCCESS == ( ret = _aaa[_ccaa].pcaa->Init(access)))
|
|
{
|
|
// get the sid to make sure the username is valid
|
|
|
|
if (ERROR_SUCCESS == ( ret =_aaa[_ccaa].pcaa->Sid(&psid)))
|
|
{
|
|
// loop thru the existing sids, making sure the new one is not a duplicate
|
|
|
|
SID *poldsid;
|
|
for (ULONG check = 0;check < _ccaa ; check++)
|
|
{
|
|
if (ERROR_SUCCESS == ( ret =_aaa[check].pcaa->Sid(&poldsid)))
|
|
{
|
|
if (EqualSid(psid,poldsid))
|
|
{
|
|
VERBOSE((stderr, "SetAccess found matching new sids\n"))
|
|
delete _aaa[_ccaa].pcaa;
|
|
return(ERROR_BAD_ARGUMENTS);
|
|
}
|
|
}
|
|
}
|
|
_ccaa++;
|
|
}
|
|
else
|
|
{
|
|
delete _aaa[_ccaa].pcaa;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
delete _aaa[_ccaa].pcaa;
|
|
}
|
|
return(ret);
|
|
}
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: CDaclWrap:BuildAcl, public
|
|
//
|
|
// Synopsis: merges cached new aces with the input ACL
|
|
//
|
|
// Arguments: OUT [pnewdacl] - Address of new ACL to build
|
|
// IN [poldacl] - (OPTIONAL) old ACL that is to be merged
|
|
// IN [revision] - ACL revision
|
|
// IN [fdir] - True = directory
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
ULONG CDaclWrap::BuildAcl(ACL **pnewdacl, ACL *poldacl, UCHAR revision, BOOL fdir)
|
|
{
|
|
ULONG ret, caclsize;
|
|
|
|
// get the size of the new ACL we are going to create
|
|
|
|
if (ERROR_SUCCESS == (ret = _GetNewAclSize(&caclsize, poldacl, fdir)))
|
|
{
|
|
// allocate the new ACL
|
|
|
|
if (ERROR_SUCCESS == (ret = _AllocateNewAcl(pnewdacl, caclsize, revision)))
|
|
{
|
|
// and fill it up
|
|
|
|
if (ERROR_SUCCESS != (ret = _FillNewAcl(*pnewdacl, poldacl, fdir)))
|
|
{
|
|
// free the buffer if we failed
|
|
|
|
LocalFree(*pnewdacl);
|
|
}
|
|
|
|
}
|
|
}
|
|
return(ret);
|
|
}
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: CDaclWrap:_GetNewAclSize, private
|
|
//
|
|
// Synopsis: returns the size need to merge the new ACEs with the old ACL,
|
|
// this is an ugly algorithm:
|
|
//
|
|
//if (old aces exist)
|
|
// for (new aces)
|
|
// if (new ace option == GRANT)
|
|
// for (old aces)
|
|
// if (new ace SID == old ace SID)
|
|
// do inheritance check
|
|
// found = true
|
|
// if (old ace type == ALLOWED)
|
|
// old ace mask |= new ace mask
|
|
// else
|
|
// old ace mask &= ~new ace mask
|
|
// if (!found)
|
|
// add size of new ace
|
|
// else
|
|
// new ace mask = 0
|
|
// else
|
|
// add size of new ace
|
|
//
|
|
// for (old aces)
|
|
// for (new aces)
|
|
// if (new ace option == DENY, REPLACE, REVOKE)
|
|
// if (new ace SID == old ace SID)
|
|
// found = true
|
|
// break
|
|
// if (!found)
|
|
// add size of old ace
|
|
// else
|
|
// old ace mask = 0
|
|
//else
|
|
// for (new aces)
|
|
// add size of new ace
|
|
//
|
|
//
|
|
// Arguments: OUT [caclsize] - returns size
|
|
// IN [poldacl] - (OPTIONAL) old ACL that is to be merged
|
|
// IN [fdir] - True = directory
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
ULONG CDaclWrap::_GetNewAclSize(ULONG *caclsize, ACL *poldacl, BOOL fdir)
|
|
{
|
|
ULONG ret;
|
|
|
|
// the size for the ACL header
|
|
|
|
*caclsize = sizeof(ACL);
|
|
|
|
// initialize the access requests
|
|
for (ULONG j = 0; j < _ccaa; j++)
|
|
_aaa[j].pcaa->ReInit();
|
|
|
|
// if we are merging, calculate the merge size
|
|
|
|
if (poldacl && (poldacl->AceCount != 0))
|
|
{
|
|
// first the grant options
|
|
|
|
for (j = 0; j < _ccaa; j++)
|
|
{
|
|
SID *psid;
|
|
if (OPTION_GRANT == _aaa[j].option)
|
|
{
|
|
BOOL ffound = FALSE;
|
|
ACE_HEADER *pah = (ACE_HEADER *)Add2Ptr(poldacl, sizeof(ACL));
|
|
|
|
for (ULONG cace = 0; cace < poldacl->AceCount;
|
|
cace++, pah = (ACE_HEADER *)Add2Ptr(pah, pah->AceSize))
|
|
{
|
|
if (ERROR_SUCCESS == (ret = _aaa[j].pcaa->Sid(&psid)))
|
|
{
|
|
if (EqualSid(psid,
|
|
(SID *)&((ACCESS_ALLOWED_ACE *)
|
|
pah)->SidStart) )
|
|
{
|
|
// if old and new types are the same, just and with the old
|
|
|
|
if (fdir && (pah->AceType == _aaa[j].pcaa->AceType()))
|
|
{
|
|
// make sure that we can handle the inheritance
|
|
_aaa[j].pcaa->AddInheritance(pah->AceFlags);
|
|
|
|
ffound = TRUE;
|
|
} else if (pah->AceType == _aaa[j].pcaa->AceType())
|
|
{
|
|
ffound = TRUE;
|
|
}
|
|
|
|
if (ACCESS_ALLOWED_ACE_TYPE == pah->AceType)
|
|
{
|
|
(ACCESS_MASK) ((ACCESS_ALLOWED_ACE *)
|
|
pah)->Mask |= _aaa[j].pcaa->AccessMask();
|
|
} else if (ACCESS_DENIED_ACE_TYPE == pah->AceType)
|
|
{
|
|
(ACCESS_MASK) ((ACCESS_ALLOWED_ACE *)
|
|
pah)->Mask &= ~_aaa[j].pcaa->AccessMask();
|
|
} else
|
|
{
|
|
VERBOSE((stderr, "_GetNewAclSize found an ace that was not allowed or denied\n"))
|
|
return(ERROR_INVALID_DATA);
|
|
}
|
|
}
|
|
} else
|
|
{
|
|
return(ret);
|
|
}
|
|
}
|
|
if (!ffound)
|
|
{
|
|
// bugbug allowed/denied sizes currently the same
|
|
|
|
*caclsize += sizeof(ACCESS_ALLOWED_ACE) -
|
|
sizeof(DWORD) +
|
|
GetLengthSid(psid);
|
|
|
|
SIZE((stderr, "adding on size of an new ACE (to the new ACL) = %d\n",*caclsize))
|
|
} else
|
|
{
|
|
if (fdir && (ERROR_SUCCESS != (ret = _aaa[j].pcaa->TestInheritance())))
|
|
return(ret);
|
|
_aaa[j].pcaa->ClearAccessMask();
|
|
}
|
|
} else if ( (OPTION_REPLACE == _aaa[j].option) ||
|
|
(OPTION_DENY == _aaa[j].option) )
|
|
{
|
|
if (ERROR_SUCCESS == (ret = _aaa[j].pcaa->Sid(&psid)))
|
|
{
|
|
// bugbug allowed/denied sizes currently the same
|
|
|
|
*caclsize += sizeof(ACCESS_ALLOWED_ACE) -
|
|
sizeof(DWORD) +
|
|
GetLengthSid(psid);
|
|
|
|
SIZE((stderr, "adding on size of an new ACE (to the new ACL) = %d\n",*caclsize))
|
|
} else
|
|
return(ret);
|
|
}
|
|
}
|
|
// now for the deny, replace & revoke options
|
|
|
|
ACE_HEADER *pah = (ACE_HEADER *)Add2Ptr(poldacl, sizeof(ACL));
|
|
SID *psid;
|
|
|
|
// loop thru the old ACL
|
|
|
|
for (ULONG cace = 0; cace < poldacl->AceCount;
|
|
cace++, pah = (ACE_HEADER *)Add2Ptr(pah, pah->AceSize))
|
|
{
|
|
BOOL ffound = FALSE;
|
|
|
|
// and thru the new ACEs looking for matching SIDs
|
|
|
|
for (ULONG j = 0; j < _ccaa; j++)
|
|
{
|
|
if ( (_aaa[j].option & OPTION_DENY ) ||
|
|
(_aaa[j].option & OPTION_REPLACE ) ||
|
|
(_aaa[j].option & OPTION_REVOKE ) )
|
|
{
|
|
if (ERROR_SUCCESS == (ret = _aaa[j].pcaa->Sid(&psid)))
|
|
{
|
|
if (EqualSid(psid,
|
|
(SID *)&((ACCESS_ALLOWED_ACE *)
|
|
pah)->SidStart) )
|
|
{
|
|
ffound = TRUE;
|
|
}
|
|
} else
|
|
return(ret);
|
|
}
|
|
}
|
|
if (!ffound)
|
|
{
|
|
// if we did not find a match, add the size of the old ACE
|
|
|
|
*caclsize += ((ACE_HEADER *)pah)->AceSize;
|
|
|
|
SIZE((stderr, "adding on size of an old ACE (to the new ACL) = %d\n",*caclsize))
|
|
} else
|
|
{
|
|
(ACCESS_MASK) ((ACCESS_ALLOWED_ACE *)pah)->Mask = 0;
|
|
}
|
|
}
|
|
SIZE((stderr, "final size for new ACL = %d\n",*caclsize))
|
|
} else
|
|
{
|
|
// no old ACL, just add up the sizes of the new aces
|
|
|
|
for (j = 0; j < _ccaa; j++)
|
|
{
|
|
// need to know the size of the sid
|
|
|
|
SID *psid;
|
|
if (ERROR_SUCCESS == (ret = _aaa[j].pcaa->Sid(&psid)))
|
|
{
|
|
// bugbug allowed/denied sizes currently the same
|
|
|
|
*caclsize += sizeof(ACCESS_ALLOWED_ACE) -
|
|
sizeof(DWORD) +
|
|
GetLengthSid(psid);
|
|
|
|
SIZE((stderr, "adding on size of an new ACE (to the new ACL) = %d\n",*caclsize))
|
|
} else
|
|
{
|
|
return(ret);
|
|
}
|
|
}
|
|
SIZE((stderr, "final size for new ACL = %d\n",*caclsize))
|
|
}
|
|
return(ERROR_SUCCESS);
|
|
}
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: CDaclWrap:_AllocateNewAcl, private
|
|
//
|
|
// Synopsis: allocates and initializes the new ACL
|
|
//
|
|
// Arguments: OUT [pnewdacl] - address of new ACL to allocate
|
|
// IN [caclsize] - size to allocate for the new ACL
|
|
// IN [revision] - revision of the new ACL
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
ULONG CDaclWrap::_AllocateNewAcl(ACL **pnewdacl, ULONG caclsize, ULONG revision)
|
|
{
|
|
if (NULL == (*pnewdacl = (ACL *) LocalAlloc(LMEM_FIXED, caclsize)))
|
|
{
|
|
return(ERROR_NOT_ENOUGH_MEMORY);
|
|
}
|
|
|
|
if (!InitializeAcl(*pnewdacl,caclsize, revision))
|
|
{
|
|
ULONG ret = GetLastError();
|
|
LocalFree(*pnewdacl);
|
|
return(ret);
|
|
|
|
}
|
|
|
|
return(ERROR_SUCCESS);
|
|
}
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: CDaclWrap:_SetAllowedAce, private
|
|
//
|
|
// Synopsis: appends an allowed ACE to the input ACL
|
|
//
|
|
// Arguments: IN [dacl] - ACL to add the ACE to
|
|
// IN [mask] - access mask to add
|
|
// IN [psid] - SID to add
|
|
// IN [fdir] - if a Dir add inherit ACE as well
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
ULONG CDaclWrap::_SetAllowedAce(ACL *dacl, ACCESS_MASK mask, SID *psid, BOOL fdir)
|
|
{
|
|
ULONG ret = ERROR_SUCCESS;
|
|
|
|
// compute the size of the ACE we are making
|
|
|
|
USHORT acesize = (USHORT)(sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(psid));
|
|
|
|
SIZE((stderr, "adding allowed ace, size = %d\n",fdir ? acesize*2 : acesize))
|
|
|
|
// static buffer in the hopes we won't have to allocate memory
|
|
|
|
BYTE buf[1024];
|
|
|
|
// allocator either uses buf or allocates a new buffer if size is not enough
|
|
|
|
FastAllocator fa(buf, 1024);
|
|
|
|
// get the buffer for the ACE
|
|
|
|
ACCESS_ALLOWED_ACE *paaa = (ACCESS_ALLOWED_ACE *)fa.GetBuf(acesize);
|
|
if (!paaa) {
|
|
return (ERROR_NOT_ENOUGH_MEMORY);
|
|
}
|
|
|
|
// fill in the ACE
|
|
|
|
memcpy(&paaa->SidStart,psid,GetLengthSid(psid));
|
|
paaa->Mask = mask;
|
|
|
|
paaa->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
|
|
paaa->Header.AceFlags = fdir ? CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE : 0;
|
|
paaa->Header.AceSize = acesize;
|
|
|
|
// put the ACE into the ACL
|
|
|
|
if (!AddAce(dacl,
|
|
dacl->AclRevision,
|
|
0xffffffff,
|
|
paaa,
|
|
paaa->Header.AceSize))
|
|
ret = GetLastError();
|
|
return(ret);
|
|
}
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: CDaclWrap:_SetDeniedAce, private
|
|
//
|
|
// Synopsis: appends a denied ACE to the input ACL
|
|
//
|
|
// Arguments: IN [dacl] - ACL to add the ACE to
|
|
// IN [mask] - access mask to add
|
|
// IN [psid] - SID to add
|
|
// IN [fdir] - if a Dir add inherit ACE as well
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
ULONG CDaclWrap::_SetDeniedAce(ACL *dacl, ACCESS_MASK mask, SID *psid, BOOL fdir)
|
|
{
|
|
ULONG ret = ERROR_SUCCESS;
|
|
|
|
// compute the size of the ACE we are making
|
|
|
|
USHORT acesize = (USHORT)(sizeof(ACCESS_DENIED_ACE) -
|
|
sizeof(DWORD) +
|
|
GetLengthSid(psid));
|
|
|
|
SIZE((stderr, "adding denied ace, size = %d\n",acesize))
|
|
|
|
// static buffer in the hopes we won't have to allocate memory
|
|
|
|
BYTE buf[1024];
|
|
|
|
// allocator either uses buf or allocates a new buffer if size is not enough
|
|
|
|
FastAllocator fa(buf, 1024);
|
|
|
|
// get the buffer for the ACE
|
|
|
|
ACCESS_DENIED_ACE *paaa = (ACCESS_DENIED_ACE *)fa.GetBuf(acesize);
|
|
if (!paaa)
|
|
return (ERROR_NOT_ENOUGH_MEMORY);
|
|
|
|
// fill in the ACE
|
|
|
|
memcpy(&paaa->SidStart,psid,GetLengthSid(psid));
|
|
paaa->Mask = mask;
|
|
|
|
paaa->Header.AceType = ACCESS_DENIED_ACE_TYPE;
|
|
paaa->Header.AceFlags = fdir ? CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE : 0;
|
|
paaa->Header.AceSize = acesize;
|
|
|
|
// put the ACE into the ACL
|
|
|
|
if (!AddAce(dacl,
|
|
dacl->AclRevision,
|
|
0xffffffff,
|
|
paaa,
|
|
paaa->Header.AceSize))
|
|
ret = GetLastError();
|
|
return(ret);
|
|
}
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Member: CDaclWrap:_FillNewAcl, private
|
|
//
|
|
// Synopsis: The worker routine that actually fills the ACL, it adds the
|
|
// new denied ACEs, then if the new ACEs are being merged with
|
|
// an existing ACL, the existing ACL's ACE's (that don't
|
|
// conflict) are added, finally the new allowed ACEs are added.
|
|
// another ugly algorithm:
|
|
//
|
|
//for (new aces)
|
|
// if (new ace option == DENY)
|
|
// add new ace
|
|
//
|
|
//if (old aces)
|
|
// for (old aces)
|
|
// if (old ace mask != 0)
|
|
// add old ace
|
|
//
|
|
// for (new aces)
|
|
// if (new ace option != DENY)
|
|
// if ( new ace option != REVOKE)
|
|
// if (new ace mask != 0
|
|
// add new ace
|
|
//
|
|
//else
|
|
// for (new aces)
|
|
// if (new ace option != DENY)
|
|
// add new ace
|
|
//
|
|
// Arguments: IN [pnewdacl] - the new ACL to be filled
|
|
// IN [poldacl] - (OPTIONAL) old ACL that is to be merged
|
|
// IN [fdir] - TRUE = directory
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
ULONG CDaclWrap::_FillNewAcl(ACL *pnewdacl, ACL *poldacl, BOOL fdir)
|
|
{
|
|
SID *psid = NULL;
|
|
ULONG ret;
|
|
|
|
// set new denied aces
|
|
|
|
VERBOSE((stderr, "start addr of new ACL %p\n",pnewdacl))
|
|
|
|
for (ULONG j = 0; j < _ccaa; j++)
|
|
{
|
|
if (_aaa[j].option & OPTION_DENY)
|
|
{
|
|
if (ERROR_SUCCESS == (ret = _aaa[j].pcaa->Sid(&psid)))
|
|
{
|
|
if (!psid) {
|
|
return (ERROR_INVALID_DATA);
|
|
}
|
|
if (ERROR_SUCCESS != (ret = _SetDeniedAce(pnewdacl,
|
|
_aaa[j].pcaa->AccessMask(),
|
|
psid,
|
|
fdir )))
|
|
return(ret);
|
|
} else
|
|
return(ret);
|
|
}
|
|
}
|
|
|
|
// check and see if the ACL from from the file is in correct format
|
|
|
|
if (poldacl)
|
|
{
|
|
SIZE((stderr, "old ACL size = %d, acecount = %d\n",poldacl->AclSize,
|
|
poldacl->AceCount))
|
|
|
|
ACE_HEADER *pah = (ACE_HEADER *)Add2Ptr(poldacl, sizeof(ACL));
|
|
|
|
//
|
|
// loop thru the old ACL, and add all explicit aces
|
|
//
|
|
|
|
BOOL fallowedacefound = FALSE;
|
|
for (ULONG cace = 0; cace < poldacl->AceCount;
|
|
cace++, pah = (ACE_HEADER *)Add2Ptr(pah, pah->AceSize))
|
|
{
|
|
// error exit if the old ACL is incorrectly formated
|
|
|
|
if(pah->AceFlags & INHERITED_ACE)
|
|
continue;
|
|
|
|
|
|
if (pah->AceType == ACCESS_DENIED_ACE_TYPE && fallowedacefound)
|
|
{
|
|
VERBOSE((stderr, "_FillNewAcl found an denied ACE after an allowed ACE\n"))
|
|
return(ERROR_INVALID_DATA);
|
|
}
|
|
else if (pah->AceType == ACCESS_ALLOWED_ACE_TYPE)
|
|
fallowedacefound = TRUE;
|
|
|
|
// add the old ace to the new ACL if the old ace's mask is not zero
|
|
|
|
if ( 0 != (ACCESS_MASK)((ACCESS_ALLOWED_ACE *)pah)->Mask)
|
|
{
|
|
// add the old ace
|
|
if (!AddAce(pnewdacl,
|
|
pnewdacl->AclRevision,
|
|
0xffffffff,
|
|
pah,
|
|
pah->AceSize))
|
|
return(GetLastError());
|
|
}
|
|
}
|
|
|
|
// now for the new aces
|
|
|
|
for (ULONG j = 0; j < _ccaa; j++)
|
|
{
|
|
if ( (_aaa[j].option != OPTION_DENY) &&
|
|
(_aaa[j].option != OPTION_REVOKE) &&
|
|
(_aaa[j].pcaa->AccessMask() != 0) )
|
|
{
|
|
if (ERROR_SUCCESS == (ret = _aaa[j].pcaa->Sid(&psid)))
|
|
{
|
|
if (!psid) {
|
|
return (ERROR_INVALID_DATA);
|
|
}
|
|
if (ERROR_SUCCESS != (ret = _SetAllowedAce(pnewdacl,
|
|
_aaa[j].pcaa->AccessMask(),
|
|
psid,
|
|
fdir )))
|
|
return(ret);
|
|
} else
|
|
return(ret);
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
// loop thru the old ACL, and add all the inherited aces
|
|
//
|
|
pah = (ACE_HEADER *)Add2Ptr(poldacl, sizeof(ACL));
|
|
|
|
for (ULONG cace = 0; cace < poldacl->AceCount;
|
|
cace++, pah = (ACE_HEADER *)Add2Ptr(pah, pah->AceSize))
|
|
{
|
|
if(pah->AceFlags & INHERITED_ACE)
|
|
{
|
|
// add the old ace to the new ACL if the old ace's mask is not zero
|
|
|
|
if ( 0 != (ACCESS_MASK)((ACCESS_ALLOWED_ACE *)pah)->Mask)
|
|
{
|
|
// add the old ace
|
|
if (!AddAce(pnewdacl,
|
|
pnewdacl->AclRevision,
|
|
0xffffffff,
|
|
pah,
|
|
pah->AceSize))
|
|
return(GetLastError());
|
|
}
|
|
}
|
|
}
|
|
|
|
} else
|
|
{
|
|
// no old acl, just add the (rest) of the new aces
|
|
for (ULONG j = 0; j < _ccaa; j++)
|
|
{
|
|
if (_aaa[j].option != OPTION_DENY)
|
|
{
|
|
if (ERROR_SUCCESS == (ret = _aaa[j].pcaa->Sid(&psid)))
|
|
{
|
|
if (!psid) {
|
|
return (ERROR_INVALID_DATA);
|
|
}
|
|
if (ERROR_SUCCESS != (ret = _SetAllowedAce(pnewdacl,
|
|
_aaa[j].pcaa->AccessMask(),
|
|
psid,
|
|
fdir )))
|
|
return(ret);
|
|
} else
|
|
return(ret);
|
|
}
|
|
}
|
|
}
|
|
|
|
return(ERROR_SUCCESS);
|
|
}
|