windows-server-2003/base/fs/remotefs/dfs/lib/security/regsecurity.c

//
//  Copyright (C) 2000, Microsoft Corporation
//
//  File:       regsecurity.c
//
//  Contents:   miscellaneous dfs functions.
//
//  History:    April. 17 2002,   Author: rohanp
//
//-----------------------------------------------------------------------------


#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <malloc.h>
#include "rpc.h"
#include "rpcdce.h"
#include <dfsheader.h>
#include "lm.h"
#include "lmdfs.h"
#include <strsafe.h>
#include <dfsmisc.h>
#include <seopaque.h>
#include <sertlp.h>

#define FLAG_ON(x, y)  ((y)==((x)&(y)))  

//
// Registry generic mapping
//
GENERIC_MAPPING         DfsRegGenMapping = {STANDARD_RIGHTS_READ   | 0x1,
                                            STANDARD_RIGHTS_WRITE    | 0x2,
                                            STANDARD_RIGHTS_EXECUTE  | 0x4,
                                            STANDARD_RIGHTS_REQUIRED | 0x3F};

//
// Security open type (used to help determine permissions to use on open)
//
typedef enum _DFS_SECURITY_OPEN_TYPE
{
    READ_ACCESS_RIGHTS = 0,
    WRITE_ACCESS_RIGHTS,
    MODIFY_ACCESS_RIGHTS,
    NO_ACCESS_RIGHTS,
    RESET_ACCESS_RIGHTS
}  DFS_SECURITY_OPEN_TYPE, *PDFS_SECURITY_OPEN_TYPE;


ACCESS_MASK 
DfsRegGetDesiredAccess(IN DFS_SECURITY_OPEN_TYPE   OpenType,
                       IN SECURITY_INFORMATION SecurityInfo)
{
    ACCESS_MASK DesiredAccess = 0;

    if ( (SecurityInfo & OWNER_SECURITY_INFORMATION) ||
         (SecurityInfo & GROUP_SECURITY_INFORMATION) )
    {
        switch (OpenType)
        {
        case READ_ACCESS_RIGHTS:
            DesiredAccess |= READ_CONTROL;
            break;
        case WRITE_ACCESS_RIGHTS:
            DesiredAccess |= WRITE_OWNER;
            break;
        case MODIFY_ACCESS_RIGHTS:
            DesiredAccess |= READ_CONTROL | WRITE_OWNER;
            break;
        }
    }

    if (SecurityInfo & DACL_SECURITY_INFORMATION)
    {
        switch (OpenType)
        {
        case READ_ACCESS_RIGHTS:
            DesiredAccess |= READ_CONTROL;
            break;
        case WRITE_ACCESS_RIGHTS:
            DesiredAccess |= WRITE_DAC;
            break;
        case MODIFY_ACCESS_RIGHTS:
            DesiredAccess |= READ_CONTROL | WRITE_DAC;
            break;
        }
    }

    if (SecurityInfo & SACL_SECURITY_INFORMATION)
    {
        DesiredAccess |= READ_CONTROL | ACCESS_SYSTEM_SECURITY;
    }

    return DesiredAccess;
}


 
DFSSTATUS
MakeSDAbsolute(IN  PSECURITY_DESCRIPTOR     pOriginalSD,
               IN  SECURITY_INFORMATION     SeInfo,
               OUT PSECURITY_DESCRIPTOR    *ppNewSD,
               IN  PSID                     pOwnerToAdd,
               IN  PSID                     pGroupToAdd)
{
    DFSSTATUS   dwErr = ERROR_SUCCESS;

    BOOL    fDAclPresent = FALSE;
    BOOL    fSAclPresent = FALSE;
    BOOL    fDAclDef = FALSE, fSAclDef = FALSE;
    BOOL    fOwnerDef = FALSE, fGroupDef = FALSE;
    PACL    pDAcl = NULL, pSAcl = NULL;
    PSID    pOwner = NULL, pGroup = NULL;
    ULONG   cSize = 0;
    PBYTE   pbEndOBuf = NULL;
    DWORD   cLen = 0;

    //
    // First, get the info out of the current SD
    //
    if(FLAG_ON(SeInfo, DACL_SECURITY_INFORMATION))
    {
        if(GetSecurityDescriptorDacl(pOriginalSD, &fDAclPresent, &pDAcl, &fDAclDef) == FALSE)
        {
            dwErr = GetLastError();
        }
        else
        {
            if(pDAcl != NULL)
            {
                cSize += pDAcl->AclSize;
            }
        }
    }

    if(dwErr == ERROR_SUCCESS && FLAG_ON(SeInfo, SACL_SECURITY_INFORMATION))
    {
        if(GetSecurityDescriptorSacl(pOriginalSD, &fSAclPresent, &pSAcl, &fSAclDef) == FALSE)
        {
            dwErr = GetLastError();
        }
        else
        {
            if(pSAcl != NULL)
            {
                cSize += pSAcl->AclSize;
            }
        }
    }

    if(pOwnerToAdd != NULL)
    {
        pOwner = pOwnerToAdd;
    }
    else
    {
        if(dwErr == ERROR_SUCCESS && FLAG_ON(SeInfo, OWNER_SECURITY_INFORMATION))
        {
            if(GetSecurityDescriptorOwner(pOriginalSD, &pOwner, &fOwnerDef) == FALSE)
            {
                dwErr = GetLastError();
            }
        }
    }

    if(pGroupToAdd != NULL)
    {
        pGroup = pGroupToAdd;
    }
    else
    {
        if(dwErr == ERROR_SUCCESS && FLAG_ON(SeInfo, GROUP_SECURITY_INFORMATION))
        {
            if(GetSecurityDescriptorGroup(pOriginalSD, &pGroup, &fGroupDef) == FALSE)
            {
                dwErr = GetLastError();
            }
        }
    }

    if(pOwner != NULL)
    {
        cSize += RtlLengthSid(pOwner);
    }

    if(pGroup != NULL)
    {
        cSize += RtlLengthSid(pGroup);
    }

    if(dwErr == ERROR_SUCCESS)
    {
        //
        // Allocate the buffer...
        //
        PBYTE   pBuff = (PBYTE)HeapAlloc(GetProcessHeap(), 0 ,(cSize + sizeof(SECURITY_DESCRIPTOR)));
        if(pBuff == NULL)
        {
            dwErr = ERROR_NOT_ENOUGH_MEMORY;
        }
        else
        {
            //
            // Start copying in the existing items...
            //
            pbEndOBuf = pBuff + cSize + sizeof(SECURITY_DESCRIPTOR);

            if(pOwner != NULL)
            {
                cLen = RtlLengthSid(pOwner);
                pbEndOBuf -= cLen;
                RtlCopyMemory(pbEndOBuf, pOwner, cLen);
                pOwner = (PSID)pbEndOBuf;
            }

            if(pGroup != NULL)
            {
                cLen = RtlLengthSid(pGroup);
                pbEndOBuf -= cLen;
                RtlCopyMemory(pbEndOBuf, pGroup, cLen);
                pGroup = (PSID)pbEndOBuf;
            }

            if(pDAcl != NULL)
            {
                pbEndOBuf -= pDAcl->AclSize;
                RtlCopyMemory(pbEndOBuf, pDAcl, pDAcl->AclSize);
                pDAcl = (PACL)pbEndOBuf;
            }

            if(pSAcl != NULL)
            {
                pbEndOBuf -= pSAcl->AclSize;
                RtlCopyMemory(pbEndOBuf, pSAcl, pSAcl->AclSize);
                pSAcl = (PACL)pbEndOBuf;
            }

            //
            // Ok, now build it...
            //
            *ppNewSD = (PSECURITY_DESCRIPTOR)pBuff;
            if(InitializeSecurityDescriptor(*ppNewSD, SECURITY_DESCRIPTOR_REVISION) == FALSE)
            {
                dwErr = GetLastError();
            }

            if(dwErr == ERROR_SUCCESS && fDAclPresent == TRUE)
            {
                if(SetSecurityDescriptorDacl(*ppNewSD, TRUE, pDAcl, fDAclDef) == FALSE)
                {
                    dwErr = GetLastError();
                }
            }

            if(dwErr == ERROR_SUCCESS && fSAclPresent == TRUE)
            {
                if(SetSecurityDescriptorSacl(*ppNewSD, TRUE, pSAcl, fSAclDef) == FALSE)
                {
                    dwErr = GetLastError();
                }
            }

            if(dwErr == ERROR_SUCCESS && pOwner != NULL)

            {
                if(SetSecurityDescriptorOwner(*ppNewSD, pOwner, fOwnerDef) == FALSE)
                {
                    dwErr = GetLastError();
                }
            }

            if(dwErr == ERROR_SUCCESS && pGroup != NULL)

            {
                if(SetSecurityDescriptorGroup(*ppNewSD, pGroup, fGroupDef) == FALSE)
                {
                    dwErr = GetLastError();
                }
            }

            //
            // Set the new control bits to look like the old ones (minus the selfrel flag, of
            // course...
            //
            if(dwErr == ERROR_SUCCESS)
            {
                RtlpPropagateControlBits((PISECURITY_DESCRIPTOR)*ppNewSD,
                                         (PISECURITY_DESCRIPTOR)pOriginalSD,
                                         ~SE_SELF_RELATIVE );
            }

            if(dwErr != ERROR_SUCCESS)
            {
                HeapFree(GetProcessHeap, 0,(*ppNewSD));
                *ppNewSD = NULL;
            }

        }

    }

    return(dwErr);
}

DFSSTATUS
DfsReadRegistrySecurityInfo(IN  HKEY  hRegistry,
                            IN  SECURITY_INFORMATION   SeInfo,
                            OUT PSECURITY_DESCRIPTOR  *ppSD)
{

    ULONG   cSize = 0;
    DWORD   Status = 0;
    PSECURITY_DESCRIPTOR pAbs = NULL;

    //
    // First, get the size we need
    //
    Status = RegGetKeySecurity(hRegistry,
                              SeInfo,
                              *ppSD,
                              &cSize);
    if(Status == ERROR_INSUFFICIENT_BUFFER)
    {
        Status = ERROR_SUCCESS;
        *ppSD = (PISECURITY_DESCRIPTOR)HeapAlloc(GetProcessHeap(), 0, cSize);
        if(*ppSD == NULL)
        {
            Status = ERROR_NOT_ENOUGH_MEMORY;
        }
        else
        {
            Status = RegGetKeySecurity((HKEY)hRegistry,
                                      SeInfo,
                                      *ppSD,
                                      &cSize);

        }
    }


    return Status;
}

DFSSTATUS
DfsSetRegistrySecurityInfo(IN  HKEY                    hRegistry,
                           IN  SECURITY_INFORMATION      SeInfo,
                           IN  PSECURITY_DESCRIPTOR      pSD)
{
    DFSSTATUS Status = 0;

    if(FLAG_ON(SeInfo, DACL_SECURITY_INFORMATION)) 
    {
            ((PISECURITY_DESCRIPTOR)pSD)->Control |= SE_DACL_AUTO_INHERIT_REQ;
    }

    if(FLAG_ON(SeInfo, SACL_SECURITY_INFORMATION)) 
    {
            ((PISECURITY_DESCRIPTOR)pSD)->Control |= SE_SACL_AUTO_INHERIT_REQ;
    }

    Status = RegSetKeySecurity(hRegistry,
                               SeInfo,
                               pSD);

    return Status;
}