You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
381 lines
9.3 KiB
381 lines
9.3 KiB
|
|
// Copyright (c) 1996-1999 Microsoft Corporation
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// File: secure.cxx
|
|
//
|
|
// This file contains wrapper classes for the NT security
|
|
// objects.
|
|
//
|
|
// Contents: Code common to Tracking (Workstation) Service and
|
|
// Tracking (Server) Service.
|
|
//
|
|
// Classes: CACL, CSID, and CSecDescriptor
|
|
//
|
|
// History: 28-Jan-98 MikeHill Created
|
|
//
|
|
// Notes:
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
#include "pch.cxx"
|
|
#pragma hdrstop
|
|
|
|
#include "trklib.hxx"
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CACL::Initialize, public
|
|
//
|
|
// Synopsis: Initialize the ACL by allocating a buffer
|
|
// and calling InitializeAcl on it.
|
|
//
|
|
// Arguments: None
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
VOID
|
|
CACL::Initialize()
|
|
{
|
|
_fInitialized = TRUE;
|
|
|
|
_pacl = (PACL) new BYTE[ MIN_ACL_SIZE ];
|
|
if( NULL == _pacl )
|
|
TrkRaiseWin32Error( ERROR_NOT_ENOUGH_MEMORY );
|
|
|
|
_cbacl = MIN_ACL_SIZE;
|
|
|
|
if( !InitializeAcl( _pacl, _cbacl, ACL_REVISION ))
|
|
{
|
|
TrkLog((TRKDBG_ERROR, TEXT("Failed InitializeAcl")) );
|
|
TrkRaiseLastError();
|
|
}
|
|
|
|
_fDirty = TRUE;
|
|
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CACL::UnInitialize, public
|
|
//
|
|
// Synopsis: Free the ACL.
|
|
//
|
|
// Arguments: None
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
VOID
|
|
CACL::UnInitialize()
|
|
{
|
|
if( _fInitialized )
|
|
{
|
|
if( NULL != _pacl )
|
|
{
|
|
delete [] _pacl;
|
|
}
|
|
|
|
_fInitialized = FALSE;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CACL::Initialize, public
|
|
//
|
|
// Synopsis: Initialize a SID with its authority
|
|
// and sub-authority(ies).
|
|
//
|
|
// Arguments: [enumCSIDAuthority] (in)
|
|
// An enumeration which tells us which of the
|
|
// standard authorities to use.
|
|
// [cSubAuthorities] (in)
|
|
// The number of sub-auths in this SID.
|
|
// [dwSubAuthority?] (in)
|
|
// The Sub-Authorities.
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
VOID
|
|
CSID::Initialize( enumCSIDAuthority enumcsidAuthority,
|
|
BYTE cSubAuthorities ,
|
|
DWORD dwSubAuthority0 = 0,
|
|
DWORD dwSubAuthority1 = 0,
|
|
DWORD dwSubAuthority2 = 0,
|
|
DWORD dwSubAuthority3 = 0,
|
|
DWORD dwSubAuthority4 = 0,
|
|
DWORD dwSubAuthority5 = 0,
|
|
DWORD dwSubAuthority6 = 0,
|
|
DWORD dwSubAuthority7 = 0 )
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY rgsid_identifier_authority[] = { SECURITY_NT_AUTHORITY };
|
|
|
|
TrkAssert(!_fInitialized);
|
|
|
|
_fInitialized = TRUE;
|
|
_psid = NULL;
|
|
|
|
if( !AllocateAndInitializeSid( &rgsid_identifier_authority[ enumcsidAuthority ],
|
|
cSubAuthorities,
|
|
dwSubAuthority0,
|
|
dwSubAuthority1,
|
|
dwSubAuthority2,
|
|
dwSubAuthority3,
|
|
dwSubAuthority4,
|
|
dwSubAuthority5,
|
|
dwSubAuthority6,
|
|
dwSubAuthority7,
|
|
&_psid ))
|
|
{
|
|
|
|
TrkLog((TRKDBG_ERROR, TEXT("AllocateAndInitializeSid failed")));
|
|
TrkRaiseLastError();
|
|
}
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CSID::UnInitialize, public
|
|
//
|
|
// Synopsis: Free the SID.
|
|
//
|
|
// Arguments: None
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
VOID
|
|
CSID::UnInitialize()
|
|
{
|
|
if( _fInitialized )
|
|
{
|
|
if( NULL != _psid )
|
|
{
|
|
FreeSid( _psid ); // Alloc-ed with AllocAndInitializeSid()
|
|
}
|
|
|
|
_fInitialized = FALSE;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CSecDescriptor::_Allocate, public
|
|
//
|
|
// Synopsis: Allocate a Security Descriptor.
|
|
//
|
|
// Arguments: [cb]
|
|
// Size of buffer to allocate for SD.
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
void
|
|
CSecDescriptor::_Allocate( ULONG cb )
|
|
{
|
|
PSECURITY_DESCRIPTOR psd;
|
|
|
|
psd = (PSECURITY_DESCRIPTOR) new BYTE[ cb ];
|
|
|
|
if( NULL == psd )
|
|
TrkRaiseWin32Error( ERROR_NOT_ENOUGH_MEMORY );
|
|
|
|
if( NULL != _psd )
|
|
delete [] _psd;
|
|
|
|
_psd = psd;
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CSecDescriptor::Initialize, public
|
|
//
|
|
// Synopsis: Allocate a SD, and call a Security API to init it.
|
|
//
|
|
// Arguments: None
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
VOID
|
|
CSecDescriptor::Initialize()
|
|
{
|
|
|
|
_fInitialized = TRUE;
|
|
|
|
_Allocate( SECURITY_DESCRIPTOR_MIN_LENGTH );
|
|
|
|
if( !InitializeSecurityDescriptor( _psd,
|
|
SECURITY_DESCRIPTOR_REVISION ))
|
|
{
|
|
TrkLog((TRKDBG_ERROR, TEXT("Failed InitializeSecurityDescriptor")));
|
|
TrkRaiseLastError();
|
|
}
|
|
|
|
if( !SetSecurityDescriptorControl( _psd,
|
|
SE_DACL_AUTO_INHERITED,
|
|
SE_DACL_AUTO_INHERITED ))
|
|
{
|
|
TrkLog(( TRKDBG_ERROR, TEXT("Failed InitializeSecurityDescriptor (SetSecurityDescriptorControl") ));
|
|
TrkRaiseLastError();
|
|
}
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CSecDescriptor::UnInitialize, public
|
|
//
|
|
// Synopsis: Free the SD buffer, and free its ACLs.
|
|
//
|
|
// Arguments: None
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
VOID
|
|
CSecDescriptor::UnInitialize()
|
|
{
|
|
if( _fInitialized )
|
|
{
|
|
if( NULL != _psd )
|
|
{
|
|
delete [] _psd;
|
|
}
|
|
|
|
_cDacl.UnInitialize();
|
|
_cSacl.UnInitialize();
|
|
|
|
_fInitialized = FALSE;
|
|
}
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CSecDescriptor::AddAce, public
|
|
//
|
|
// Synopsis: Adds an ACE (access allowed or denied) to an
|
|
// ACL in this SID.
|
|
//
|
|
// Arguments: [enumAclType] (in)
|
|
// Either ACL_DACL or ACL_SACL.
|
|
// [enumAccessType] (in)
|
|
// Either AT_ACCESS_ALLOWED or AT_ACCESS_DENIED.
|
|
// [access_mask] (in)
|
|
// The access bits to put in this ACE.
|
|
// [psid] (in)
|
|
// The SID to put in this ACE.
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
void
|
|
CSecDescriptor::AddAce( const enumAclType AclType, const enumAccessType AccessType,
|
|
const ACCESS_MASK access_mask, const PSID psid )
|
|
{
|
|
BOOL fSuccess;
|
|
|
|
// Get a pointer to the member CACL object.
|
|
|
|
CACL *pcacl = ACL_IS_DACL == AclType ? &_cDacl : &_cSacl;
|
|
|
|
// Initialize the CACL if necessary.
|
|
|
|
if( !pcacl->IsInitialized() )
|
|
pcacl->Initialize();
|
|
|
|
// Size the ACL appropriately
|
|
|
|
//pcacl->SetSize( psid ); // Not currently implemented.
|
|
|
|
// Add the ACE to the appropriate ACL.
|
|
|
|
if( AT_ACCESS_ALLOWED == AccessType )
|
|
{
|
|
fSuccess = pcacl->AddAccessAllowed( access_mask, psid );
|
|
}
|
|
else
|
|
{
|
|
fSuccess = pcacl->AddAccessDenied( access_mask, psid );
|
|
}
|
|
|
|
if( !fSuccess )
|
|
{
|
|
TrkLog((TRKDBG_ERROR, TEXT("Couldn't add an ACE to an ACL")));
|
|
TrkRaiseLastError();
|
|
}
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------
|
|
//
|
|
// Function: CSecDescriptor::_ReloadAcl, public
|
|
//
|
|
// Synopsis: Puts the member ACLs back into the member
|
|
// Security Descriptor, if they are dirty.
|
|
//
|
|
// Arguments: [enumAclType] (in)
|
|
// Either ACL_DACL or ACL_SACL.
|
|
//
|
|
// Returns: None
|
|
//
|
|
//--------------------------------------------------------------------
|
|
|
|
VOID
|
|
CSecDescriptor::_ReloadAcl( enumAclType AclType )
|
|
{
|
|
if( ACL_IS_DACL == AclType && _cDacl.IsDirty() )
|
|
{
|
|
if( !SetSecurityDescriptorDacl( _psd, TRUE, _cDacl, FALSE ))
|
|
{
|
|
TrkLog((TRKDBG_ERROR, TEXT("Couldn't put DACL into SD")));
|
|
TrkRaiseLastError();
|
|
}
|
|
_cDacl.ClearDirty();
|
|
}
|
|
else if( ACL_IS_SACL == AclType && _cSacl.IsDirty() )
|
|
{
|
|
if( !SetSecurityDescriptorSacl( _psd, TRUE, _cSacl, FALSE ))
|
|
{
|
|
TrkLog((TRKDBG_ERROR, TEXT("Couldn't put SACL into SD")));
|
|
TrkRaiseLastError();
|
|
}
|
|
_cSacl.ClearDirty();
|
|
}
|
|
|
|
}
|
|
|
|
|