Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1167 lines
33 KiB

/*************************************************************************
*
* security.c
*
* NT Security routines
*
* copyright notice: Copyright 1997, Microsoft
*
*************************************************************************/
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <ntexapi.h>
#include <ntseapi.h>
#include <stdlib.h>
#include <stdio.h>
#include <malloc.h>
#include <windows.h>
#include <string.h>
#include <wcstr.h>
#include "seopaque.h"
#include "sertlp.h"
#include <process.h>
#include <winsta.h>
#include <syslib.h>
#include <lmcons.h> // for DNLEN KLB 09-18-96
#include "security.h"
#if DBG
ULONG
DbgPrint(
PCH Format,
...
);
#define DBGPRINT(x) DbgPrint x
#if DBGTRACE
#define TRACE0(x) DbgPrint x
#define TRACE1(x) DbgPrint x
#else
#define TRACE0(x)
#define TRACE1(x)
#endif
#else
#define DBGPRINT(x)
#define TRACE0(x)
#define TRACE1(x)
#endif
typedef struct _SIDLIST {
struct _SIDLIST *Next;
USHORT SidCrc;
PWCHAR pAccountName;
PWCHAR pDomainName;
} SIDLIST, *PSIDLIST;
static PSIDLIST SidCache = NULL;
// Computer Name
WCHAR ComputerName[MAX_COMPUTERNAME_LENGTH+1];
// Admins only ACL
PACL pAdminsOnlyAcl = NULL;
DWORD AdminsOnlyAclSize = 0;
//
// Universal well known SIDs
//
PSID SeNullSid;
PSID SeWorldSid;
PSID SeLocalSid;
PSID SeCreatorOwnerSid;
PSID SeCreatorGroupSid;
//
// Sids defined by NT
//
PSID SeNtAuthoritySid;
PSID SeDialupSid;
PSID SeNetworkSid;
PSID SeBatchSid;
PSID SeInteractiveSid;
PSID SeServiceSid;
PSID SeLocalGuestSid;
PSID SeLocalSystemSid;
PSID SeLocalAdminSid;
PSID SeLocalManagerSid;
PSID SeAliasAdminsSid;
PSID SeAliasUsersSid;
PSID SeAliasGuestsSid;
PSID SeAliasPowerUsersSid;
PSID SeAliasAccountOpsSid;
PSID SeAliasSystemOpsSid;
PSID SeAliasPrintOpsSid;
PSID SeAliasBackupOpsSid;
PSID SeAliasReplicatorSid;
static SID_IDENTIFIER_AUTHORITY SepNullSidAuthority = SECURITY_NULL_SID_AUTHORITY;
static SID_IDENTIFIER_AUTHORITY SepWorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
static SID_IDENTIFIER_AUTHORITY SepLocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY;
static SID_IDENTIFIER_AUTHORITY SepCreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
static SID_IDENTIFIER_AUTHORITY SepNtAuthority = SECURITY_NT_AUTHORITY;
//
// Sid of primary domain, and admin account in that domain
//
PSID SepPrimaryDomainSid;
PSID SepPrimaryDomainAdminSid;
// External data
extern ADMIN_ACCOUNTS AllowAccounts[];
extern DWORD AllowAccountEntries;
extern ACCESS_MASK AllowAccess;
extern ADMIN_ACCOUNTS DenyAccounts[];
extern DWORD DenyAccountEntries;
extern ACCESS_MASK DeniedAccess;
// Forward and external references
BOOLEAN
InitializeBuiltinSids();
BOOL
LoadAccountSids();
BOOL
BuildSecureAcl();
BOOL
xxxLookupBuiltinAccount(
PWCHAR pSystemName,
PWCHAR pAccountName,
PSID *ppSid
);
BOOL
GetCurrentUserSid( PSID *ppSid );
/*****************************************************************************
*
* InitSecurity
*
* Initialize the security package
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* TRUE - no error
* FALSE - error
*
****************************************************************************/
BOOL
InitSecurity(
)
{
BOOL rc;
DWORD Size = sizeof(ComputerName)/sizeof(WCHAR);
rc = GetComputerNameW( ComputerName, &Size );
if( !rc ) {
DBGPRINT(("***ERROR*** %d Could not get computer name\n",GetLastError() ));
return( FALSE );
}
rc = InitializeBuiltinSids();
if( !rc ) {
DBGPRINT(("***ERROR*** Some built-in accounts not loaded\n"));
return( FALSE );
}
rc = LoadAccountSids();
if( !rc ) {
DBGPRINT(("***ERROR*** Some accounts not loaded\n"));
return( FALSE );
}
rc = BuildSecureAcl();
if( !rc ) {
DBGPRINT(("***ERROR*** Could not build ACL\n"));
return( FALSE );
}
return( TRUE );
}
/*****************************************************************************
*
* LoadAccountSids
*
* Load the list of account access SIDS.
*
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
BOOL
LoadAccountSids()
{
BOOL rc, Final;
NTSTATUS Status;
SID_IDENTIFIER_AUTHORITY gSystemSidAuthority = SECURITY_NT_AUTHORITY;
Final = TRUE;
//
// Get the SID's for all of the allow accounts
//
//
// Get the SID of the built-in Administrators group
//
Status = RtlAllocateAndInitializeSid(
&gSystemSidAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0,0,0,0,0,0,
&(AllowAccounts[ADMIN_ACCOUNT].pSid));
if (!NT_SUCCESS(Status)) {
DBGPRINT(("SYSLIB: Couldn't allocate Administrators SID (0x%x)\n", Status ));
Final = FALSE;
}
//
// SYSTEM
//
Status = RtlAllocateAndInitializeSid(
&gSystemSidAuthority,
1,
SECURITY_LOCAL_SYSTEM_RID,
0,0,0,0,0,0,0,
&(AllowAccounts[SYSTEM_ACCOUNT].pSid));
if (!NT_SUCCESS(Status)) {
DBGPRINT(("SYSLIB: Couldn't allocate SYSTEM SID (0x%x)\n", Status ));
Final = FALSE;
}
//
// Get the current user's Sid
//
//First, see if we run in SYSTEM context.
//If we do, get current user SID from TERMSRV, otherwise use a user SID from process token.
Final = FALSE;
{
HANDLE hToken;
PTOKEN_USER pTokenUser = NULL;
DWORD dwInfoLength = 0;
if(OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&hToken))
{
GetTokenInformation(hToken,TokenUser,pTokenUser,dwInfoLength,&dwInfoLength);
if(dwInfoLength)
{
pTokenUser = (PTOKEN_USER)LocalAlloc(LPTR,dwInfoLength);
if(pTokenUser)
{
if(GetTokenInformation(hToken,TokenUser,pTokenUser,dwInfoLength,&dwInfoLength))
{
if(EqualSid(AllowAccounts[SYSTEM_ACCOUNT].pSid,pTokenUser->User.Sid))
{
rc = xxxLookupAccountName(
ComputerName,
CURRENT_USER,
&(AllowAccounts[USER_ACCOUNT].pSid)
);
if ( !rc )
{
// It might be a special builtin account
rc = xxxLookupBuiltinAccount(
ComputerName,
CURRENT_USER,
&(AllowAccounts[USER_ACCOUNT].pSid)
);
if( !rc )
{
DBGPRINT(("***WARNING*** Could not find SID for current user account, Error %d\n", GetLastError() ));
}
}
if( rc )
{
Final = TRUE;
}
}
else
{
DWORD dwSidLength = GetLengthSid(pTokenUser->User.Sid);
AllowAccounts[USER_ACCOUNT].pSid = (PSID)LocalAlloc(LPTR,dwSidLength);
if(AllowAccounts[USER_ACCOUNT].pSid)
{
CopyMemory(AllowAccounts[USER_ACCOUNT].pSid,pTokenUser->User.Sid,dwSidLength);
Final = TRUE;
}
}
}
LocalFree(pTokenUser);
}
}
CloseHandle(hToken);
}
}
#ifdef notdef
//
// Lookup the SID's for all of the deny accounts
//
for( Index = 0; Index < DenyAccountEntries; Index++ ) {
p = &DenyAccounts[Index];
rc = xxxLookupAccountName(
ComputerName,
p->Name,
&p->pSid
);
if( !rc ) {
// It might be a special builtin account
rc = xxxLookupBuiltinAccount(
ComputerName,
p->Name,
&p->pSid
);
if( !rc ) {
DBGPRINT(("***WARNING*** Could not find SID for account %ws Error %d\n",p->Name,GetLastError() ));
Final = FALSE;
}
}
}
#endif
// Lower level function outputs if any accounts are invalid
return( Final );
}
/*****************************************************************************
*
* IsAllowSid
*
* Returns whether the supplied SID is in the allow group
*
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
BOOL
IsAllowSid(
PSID pSid
)
{
DWORD Index;
PADMIN_ACCOUNTS p;
BOOL AllowSid = FALSE;
for( Index = 0; Index < AllowAccountEntries; Index++ ) {
p = &AllowAccounts[Index];
if( p->pSid && EqualSid( pSid, p->pSid ) ) {
// The Sid is for an allowed account
AllowSid = TRUE;
break;
}
}
return( AllowSid );
}
/*****************************************************************************
*
* xxxLookupAccountName
*
* Wrapper to lookup the SID for a given account name
*
* Returns a pointer to the SID in newly allocated memory
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
BOOL
xxxLookupAccountName(
PWCHAR pSystemName,
PWCHAR pAccountName,
PSID *ppSid
)
{
BOOL rc;
DWORD Size, DomainSize, Error;
SID_NAME_USE Type;
PWCHAR pDomain = NULL;
PSID pSid = NULL;
WCHAR Buf;
WCHAR pCurrentUser[MAX_ACCOUNT_NAME]; // KLB 09-16-96
DWORD dwCurrentUser = MAX_ACCOUNT_NAME; // KLB 09-16-96
WCHAR pAccountToLookup[MAX_ACCOUNT_NAME+DNLEN+1]; // KLB 09-18-96
LPWSTR pLogon32DomainName = NULL; // KLB 09-19-96
WINSTATIONINFORMATION WinInfo; // KLB 09-30-96
ULONG ReturnLength; // KLB 09-30-96
Size = 0;
DomainSize = 0;
/*
* Open the WinStation and Query its information.
*/
memset( &WinInfo, 0, sizeof(WINSTATIONINFORMATION) );
rc = WinStationQueryInformation( SERVERNAME_CURRENT,
LOGONID_CURRENT,
WinStationInformation,
(PVOID)&WinInfo,
sizeof(WINSTATIONINFORMATION),
&ReturnLength );
if ( !rc ) {
DBGPRINT(("error querying winstation information %d.\n", GetLastError() ));
return( FALSE );
}
if( ReturnLength != sizeof(WINSTATIONINFORMATION) ) {
DBGPRINT(("winstation info version mismatch!\n"));
return( FALSE );
}
if (lstrcmpi(pAccountName,CURRENT_USER) == 0) {
lstrcpy( pAccountToLookup, WinInfo.Domain );
lstrcat( pAccountToLookup, L"\\" );
lstrcat( pAccountToLookup, WinInfo.UserName );
} else {
lstrcpy( pAccountToLookup, pAccountName );
}
DBGPRINT(( "looking up account %ws\n", pAccountToLookup ));
rc = LookupAccountNameW(
pSystemName,
pAccountToLookup, // KLB 09-16-96
&Buf, // pSid
&Size,
&Buf, // pDomain
&DomainSize,
&Type
);
if( rc ) {
DBGPRINT(("Internal error on account name %ws\n",pAccountToLookup));
return( FALSE );
}
else {
Error = GetLastError();
if( Error != ERROR_INSUFFICIENT_BUFFER ) {
DBGPRINT(("***ERROR*** %d looking up SID for account name %ws skipped without processing!\n",Error,pAccountToLookup));
return( FALSE );
}
pSid = LocalAlloc( LMEM_FIXED, Size );
if( pSid == NULL ) {
DBGPRINT(("***ERROR*** Out of memory, skipped account %ws without processing!\n",pAccountToLookup));
return( FALSE );
}
pDomain = LocalAlloc( LMEM_FIXED, DomainSize*sizeof(WCHAR) );
if( pDomain == NULL ) {
DBGPRINT(("***ERROR*** Out of memory, skipped account %ws without processing!\n",pAccountToLookup));
LocalFree( pSid );
return( FALSE );
}
rc = LookupAccountNameW(
pSystemName,
pAccountToLookup,
pSid,
&Size,
pDomain,
&DomainSize,
&Type
);
if( !rc ) {
DBGPRINT(("***ERROR*** %d looking up SID for account name %ws skipped without processing!\n",Error,pAccountToLookup));
LocalFree( pSid );
LocalFree( pDomain );
return( FALSE );
}
*ppSid = pSid;
LocalFree( pDomain );
DBGPRINT(( "leaving xxxLookupAccountName(); pSid is okay, returning TRUE.\n" ));
return( TRUE );
}
}
/*****************************************************************************
*
* InitializeBuiltinSids
*
* Initialize the built in SIDS
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
BOOLEAN
InitializeBuiltinSids()
{
ULONG SidWithZeroSubAuthorities;
ULONG SidWithOneSubAuthority;
ULONG SidWithTwoSubAuthorities;
ULONG SidWithThreeSubAuthorities;
SID_IDENTIFIER_AUTHORITY NullSidAuthority;
SID_IDENTIFIER_AUTHORITY WorldSidAuthority;
SID_IDENTIFIER_AUTHORITY LocalSidAuthority;
SID_IDENTIFIER_AUTHORITY CreatorSidAuthority;
SID_IDENTIFIER_AUTHORITY SeNtAuthority;
NullSidAuthority = SepNullSidAuthority;
WorldSidAuthority = SepWorldSidAuthority;
LocalSidAuthority = SepLocalSidAuthority;
CreatorSidAuthority = SepCreatorSidAuthority;
SeNtAuthority = SepNtAuthority;
//
// The following SID sizes need to be allocated
//
SidWithZeroSubAuthorities = RtlLengthRequiredSid( 0 );
SidWithOneSubAuthority = RtlLengthRequiredSid( 1 );
SidWithTwoSubAuthorities = RtlLengthRequiredSid( 2 );
SidWithThreeSubAuthorities = RtlLengthRequiredSid( 3 );
//
// Allocate and initialize the universal SIDs
//
SeNullSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeWorldSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeLocalSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeCreatorOwnerSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeCreatorGroupSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
//
// Fail initialization if we didn't get enough memory for the universal
// SIDs.
//
if ( (SeNullSid == NULL) ||
(SeWorldSid == NULL) ||
(SeLocalSid == NULL) ||
(SeCreatorOwnerSid == NULL) ||
(SeCreatorGroupSid == NULL)
) {
return( FALSE );
}
RtlInitializeSid( SeNullSid, &NullSidAuthority, 1 );
RtlInitializeSid( SeWorldSid, &WorldSidAuthority, 1 );
RtlInitializeSid( SeLocalSid, &LocalSidAuthority, 1 );
RtlInitializeSid( SeCreatorOwnerSid, &CreatorSidAuthority, 1 );
RtlInitializeSid( SeCreatorGroupSid, &CreatorSidAuthority, 1 );
*(RtlSubAuthoritySid( SeNullSid, 0 )) = SECURITY_NULL_RID;
*(RtlSubAuthoritySid( SeWorldSid, 0 )) = SECURITY_WORLD_RID;
*(RtlSubAuthoritySid( SeLocalSid, 0 )) = SECURITY_LOCAL_RID;
*(RtlSubAuthoritySid( SeCreatorOwnerSid, 0 )) = SECURITY_CREATOR_OWNER_RID;
*(RtlSubAuthoritySid( SeCreatorGroupSid, 0 )) = SECURITY_CREATOR_GROUP_RID;
//
// Allocate and initialize the NT defined SIDs
//
SeNtAuthoritySid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithZeroSubAuthorities);
SeDialupSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeNetworkSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeBatchSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeInteractiveSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeServiceSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeLocalGuestSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeLocalSystemSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeLocalAdminSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeLocalManagerSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithOneSubAuthority);
SeAliasAdminsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
SeAliasUsersSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
SeAliasGuestsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
SeAliasPowerUsersSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
SeAliasAccountOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
SeAliasSystemOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
SeAliasPrintOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
SeAliasBackupOpsSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
SeAliasReplicatorSid = (PSID)RtlAllocateHeap(RtlProcessHeap(), 0, SidWithTwoSubAuthorities);
//
// Fail initialization if we didn't get enough memory for the NT SIDs.
//
if ( (SeNtAuthoritySid == NULL) ||
(SeDialupSid == NULL) ||
(SeNetworkSid == NULL) ||
(SeBatchSid == NULL) ||
(SeInteractiveSid == NULL) ||
(SeServiceSid == NULL) ||
(SeLocalGuestSid == NULL) ||
(SeLocalSystemSid == NULL) ||
(SeLocalAdminSid == NULL) ||
(SeLocalManagerSid == NULL) ||
(SeAliasAdminsSid == NULL) ||
(SeAliasUsersSid == NULL) ||
(SeAliasGuestsSid == NULL) ||
(SeAliasPowerUsersSid == NULL) ||
(SeAliasAccountOpsSid == NULL) ||
(SeAliasSystemOpsSid == NULL) ||
(SeAliasReplicatorSid == NULL) ||
(SeAliasPrintOpsSid == NULL) ||
(SeAliasBackupOpsSid == NULL)
) {
return( FALSE );
}
RtlInitializeSid( SeNtAuthoritySid, &SeNtAuthority, 0 );
RtlInitializeSid( SeDialupSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeNetworkSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeBatchSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeInteractiveSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeServiceSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeLocalGuestSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeLocalSystemSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeLocalAdminSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeLocalManagerSid, &SeNtAuthority, 1 );
RtlInitializeSid( SeAliasAdminsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasUsersSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasGuestsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasPowerUsersSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasAccountOpsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasSystemOpsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasPrintOpsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasBackupOpsSid, &SeNtAuthority, 2);
RtlInitializeSid( SeAliasReplicatorSid, &SeNtAuthority, 2);
*(RtlSubAuthoritySid( SeDialupSid, 0 )) = SECURITY_DIALUP_RID;
*(RtlSubAuthoritySid( SeNetworkSid, 0 )) = SECURITY_NETWORK_RID;
*(RtlSubAuthoritySid( SeBatchSid, 0 )) = SECURITY_BATCH_RID;
*(RtlSubAuthoritySid( SeInteractiveSid, 0 )) = SECURITY_INTERACTIVE_RID;
*(RtlSubAuthoritySid( SeServiceSid, 0 )) = SECURITY_SERVICE_RID;
// *(RtlSubAuthoritySid( SeLocalGuestSid, 0 )) = SECURITY_LOCAL_GUESTS_RID;
*(RtlSubAuthoritySid( SeLocalSystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
// *(RtlSubAuthoritySid( SeLocalAdminSid, 0 )) = SECURITY_LOCAL_ADMIN_RID;
// *(RtlSubAuthoritySid( SeLocalManagerSid, 0 )) = SECURITY_LOCAL_MANAGER_RID;
*(RtlSubAuthoritySid( SeAliasAdminsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasGuestsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasPowerUsersSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasAccountOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasSystemOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasPrintOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasBackupOpsSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasReplicatorSid, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
*(RtlSubAuthoritySid( SeAliasAdminsSid, 1 )) = DOMAIN_ALIAS_RID_ADMINS;
*(RtlSubAuthoritySid( SeAliasUsersSid, 1 )) = DOMAIN_ALIAS_RID_USERS;
*(RtlSubAuthoritySid( SeAliasGuestsSid, 1 )) = DOMAIN_ALIAS_RID_GUESTS;
*(RtlSubAuthoritySid( SeAliasPowerUsersSid, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS;
*(RtlSubAuthoritySid( SeAliasAccountOpsSid, 1 )) = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
*(RtlSubAuthoritySid( SeAliasSystemOpsSid, 1 )) = DOMAIN_ALIAS_RID_SYSTEM_OPS;
*(RtlSubAuthoritySid( SeAliasPrintOpsSid, 1 )) = DOMAIN_ALIAS_RID_PRINT_OPS;
*(RtlSubAuthoritySid( SeAliasBackupOpsSid, 1 )) = DOMAIN_ALIAS_RID_BACKUP_OPS;
*(RtlSubAuthoritySid( SeAliasReplicatorSid, 1 )) = DOMAIN_ALIAS_RID_REPLICATOR;
return( TRUE );
}
/*****************************************************************************
*
* xxxLookupBuiltinAccount
*
* Wrapper to lookup the SID for a given built in account name
*
* Returns a pointer to the SID in newly allocated memory
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
BOOL
xxxLookupBuiltinAccount(
PWCHAR pSystemName,
PWCHAR pAccountName,
PSID *ppSid
)
{
USHORT SidLen;
SID_NAME_USE Type;
PSID pSid = NULL;
if( _wcsicmp( L"NULL_SID", pAccountName ) == 0 ) {
pSid = SeNullSid;
Type = SidTypeInvalid;
}
if( pSid == NULL ) {
SetLastError( ERROR_NONE_MAPPED );
return( FALSE );
}
SidLen = (USHORT)GetLengthSid( pSid );
*ppSid = LocalAlloc(LMEM_FIXED, SidLen );
if( *ppSid == NULL ) {
SetLastError( ERROR_INSUFFICIENT_BUFFER );
return( FALSE );
}
RtlMoveMemory( *ppSid, pSid, SidLen );
return( TRUE );
#ifdef notdef
if( EqualSid( SeNullSid, pSid ) ) {
pName = L"NULL_SID";
Type = SidTypeInvalid;
}
if( EqualSid( SeWorldSid, pSid ) ) {
pName = L"WORLD";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeLocalSid, pSid ) ) {
pName = L"LOCAL_ACCOUNT";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeCreatorOwnerSid, pSid ) ) {
pName = L"CREATOR_OWNER";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeCreatorGroupSid, pSid ) ) {
pName = L"CREATOR_GROUP";
Type = SidTypeWellKnownGroup;
}
//
// Look at the NT SIDS
//
if( EqualSid( SeNtAuthoritySid, pSid ) ) {
pName = L"NTAUTHORITY";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeDialupSid, pSid ) ) {
pName = L"DIALUP";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeNetworkSid, pSid ) ) {
pName = L"NETWORK";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeBatchSid, pSid ) ) {
pName = L"BATCH";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeInteractiveSid, pSid ) ) {
pName = L"INTERACTIVE";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeServiceSid, pSid ) ) {
pName = L"SERVICE";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeLocalGuestSid, pSid ) ) {
pName = L"LOCALGUEST";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeLocalSystemSid, pSid ) ) {
pName = L"LOCALSYSTEM";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeLocalAdminSid, pSid ) ) {
pName = L"LOCALADMIN";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeLocalManagerSid, pSid ) ) {
pName = L"LOCALMANAGER";
Type = SidTypeWellKnownGroup;
}
if( EqualSid( SeAliasAdminsSid, pSid ) ) {
pName = L"ALIAS_ADMINS";
Type = SidTypeAlias;
}
if( EqualSid( SeAliasUsersSid, pSid ) ) {
pName = L"ALIAS_USERS";
Type = SidTypeAlias;
}
if( EqualSid( SeAliasGuestsSid, pSid ) ) {
pName = L"ALIAS_GUESTS";
Type = SidTypeAlias;
}
if( EqualSid( SeAliasPowerUsersSid, pSid ) ) {
pName = L"ALIAS_POWERUSERS";
Type = SidTypeAlias;
}
if( EqualSid( SeAliasAccountOpsSid, pSid ) ) {
pName = L"ALIAS_ACCOUNT_OPS";
Type = SidTypeAlias;
}
if( EqualSid( SeAliasSystemOpsSid, pSid ) ) {
pName = L"ALIAS_SYSTEM_OPS";
Type = SidTypeAlias;
}
if( EqualSid( SeAliasPrintOpsSid, pSid ) ) {
pName = L"ALIAS_PRINT_OPS";
Type = SidTypeAlias;
}
if( EqualSid( SeAliasBackupOpsSid, pSid ) ) {
pName = L"ALIAS_BACKUP_OPS";
Type = SidTypeAlias;
}
if( EqualSid( SeAliasReplicatorSid, pSid ) ) {
pName = L"ALIAS_REPLICATOR";
Type = SidTypeAlias;
}
#endif
}
/*****************************************************************************
*
* GetSecureAcl
*
* Comment
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
PACL
GetSecureAcl()
{
return( pAdminsOnlyAcl );
}
/*****************************************************************************
*
* BuildSecureAcl
*
* Comment
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
BOOL
BuildSecureAcl()
{
BOOL rc;
DWORD Index, Error;
PADMIN_ACCOUNTS p;
DWORD AclSize;
PACL pAcl = NULL;
PACCESS_ALLOWED_ACE pAce = NULL;
/*
* Calculate the ACL size
*/
AclSize = sizeof(ACL);
//
// Reserve memory for the deny ACE's
//
for( Index = 0; Index < DenyAccountEntries; Index++ ) {
p = &DenyAccounts[Index];
if( p->pSid ) {
AclSize += sizeof(ACCESS_DENIED_ACE);
AclSize += (GetLengthSid( p->pSid ) - sizeof(DWORD));
}
}
//
// Reserve memory for the allowed ACE's
//
for( Index = 0; Index < AllowAccountEntries; Index++ ) {
p = &AllowAccounts[Index];
if( p->pSid ) {
AclSize += sizeof(ACCESS_ALLOWED_ACE);
AclSize += (GetLengthSid( p->pSid ) - sizeof(DWORD));
}
}
pAcl = LocalAlloc( LMEM_FIXED, AclSize );
if( pAcl == NULL ) {
DBGPRINT(("Could not allocate memory\n"));
return( FALSE );
}
rc = InitializeAcl(
pAcl,
AclSize,
ACL_REVISION
);
if( !rc ) {
DBGPRINT(("Error %d InitializeAcl\n",GetLastError()));
LocalFree( pAcl );
return( FALSE );
}
/*
* Add a deny all ACE for each account in the deny list
*/
for( Index = 0; Index < DenyAccountEntries; Index++ ) {
p = &DenyAccounts[Index];
rc = AddAccessDeniedAce(
pAcl,
ACL_REVISION,
FILE_ALL_ACCESS,
p->pSid
);
if( !rc ) {
Error = GetLastError();
DBGPRINT(("***ERROR*** adding deny ACE %d for account %ws\n",Error,p->Name));
}
}
/*
* Add an allow all ACE for each account in the allow list
*/
for( Index = 0; Index < AllowAccountEntries; Index++ ) {
p = &AllowAccounts[Index];
rc = AddAccessAllowedAce(
pAcl,
ACL_REVISION,
FILE_ALL_ACCESS,
p->pSid
);
if( !rc ) {
Error = GetLastError();
DBGPRINT(("***ERROR*** adding allow ACE %d for account %ws\n",Error,p->Name));
}
}
pAdminsOnlyAcl = pAcl;
AdminsOnlyAclSize = AclSize;
//
// Put the inherit flags on the ACE's
//
for( Index=0; Index < pAcl->AceCount; Index++ ) {
rc = GetAce( pAcl, Index, (PVOID)&pAce );
if( !rc ) {
continue;
}
pAce->Header.AceFlags |= (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE);
}
return( TRUE );
}
/*****************************************************************************
*
* GetLocalAdminSid
*
* Comment
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
PSID
GetLocalAdminSid()
{
return( SeLocalAdminSid );
}
/*****************************************************************************
*
* GetAdminSid
*
* Comment
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
*
****************************************************************************/
PSID
GetAdminSid()
{
return( AllowAccounts[ADMIN_ACCOUNT].pSid );
}
/*****************************************************************************
*
* GetLocalAdminGroupSid
*
* Comment
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
PSID
GetLocalAdminGroupSid()
{
return( SeAliasAdminsSid );
}
/*****************************************************************************
*
* GetLocalAdminGroupSid
*
* Comment
*
* ENTRY:
* Param1 (input/output)
* Comments
*
* EXIT:
* STATUS_SUCCESS - no error
*
****************************************************************************/
BOOL CheckUserSid()
{
BOOL rc;
PSID pSid;
PSID pPrevSid;
rc = xxxLookupAccountName(
ComputerName,
AllowAccounts[USER_ACCOUNT].Name,
&pSid
);
if( !rc ) {
// It might be a special builtin account
rc = xxxLookupBuiltinAccount(
ComputerName,
AllowAccounts[USER_ACCOUNT].Name,
&pSid
);
}
pPrevSid = AllowAccounts[USER_ACCOUNT].pSid;
if (rc && (!pPrevSid || !EqualSid( pSid, pPrevSid ))) {
AllowAccounts[USER_ACCOUNT].pSid = pSid;
if (pAdminsOnlyAcl) {
LocalFree( pAdminsOnlyAcl );
pAdminsOnlyAcl = NULL;
AdminsOnlyAclSize = 0;
}
rc = BuildSecureAcl();
}
return(rc);
}