archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/admin/extens/acldiag/chkdeleg.cpp

613 lines
21 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1999.
  5. //
  6. // File: ChkDeleg.cpp
  7. //
  8. // Contents: CheckDelegation and support methods
  9. //
  10. //
  11. //----------------------------------------------------------------------------
  12. #include "stdafx.h"
  13. #include <conio.h>
  14. #include <aclapi.h>
  15. #include "adutils.h"
  16. #include <util.h>
  17. #include "ChkDeleg.h"
  18. #include <deltempl.h>
  19. #include <tempcore.h>
  20. #include "SecDesc.h"
  24. #include <sddl.h>
  25. #include <dscmn.h> // from the admin\display project (CrackName)
  27. #ifndef ARRAYSIZE
  28. #define ARRAYSIZE(a) (sizeof(a)/sizeof(a[0]))
  29. #endif
  31. #include <_util.cpp>
  32. #include <_tempcor.cpp>
  33. #include <_deltemp.cpp>
  38. class CTemplateAccessPermissionsHolderManagerVerify : public CTemplateAccessPermissionsHolderManager
  39. {
  40. public:
  42. HRESULT ProcessTemplates (); // for ACLDiag - process each template in turn
  43. HRESULT ProcessPermissions(
  44. const wstring& strObjectClass,
  45. CTemplate* pTemplate,
  46. PACL pAccessList,
  47. CPrincipalList& principalList);
  48. };
  53. HRESULT CheckDelegation ()
  54. {
  55. _TRACE (1, L"Entering CheckDelegation\n");
  56. HRESULT hr = S_OK;
  57. wstring str;
  60. if ( !_Module.DoTabDelimitedOutput () )
  61. {
  62. LoadFromResource (str, IDS_DELEGATION_TEMPLATE_DIAGNOSIS);
  63. MyWprintf (str.c_str ());
  64. }
  66. CTemplateAccessPermissionsHolderManagerVerify templateAccessPermissionsHolderManager;
  68. if ( templateAccessPermissionsHolderManager.LoadTemplates() )
  69. {
  70. hr = templateAccessPermissionsHolderManager.ProcessTemplates ();
  71. }
  72. else
  73. {
  74. LoadFromResource (str, IDS_FAILED_TO_LOAD_TEMPLATES);
  75. MyWprintf (str.c_str ());
  76. hr = E_FAIL;
  77. }
  79. _TRACE (-1, L"Leaving CheckDelegation: 0x%x\n", hr);
  80. return hr;
  81. }
  83. PTOKEN_USER EfspGetTokenUser ()
  84. {
  85. _TRACE (1, L"Entering EfspGetTokenUser\n");
  86. HANDLE hToken = 0;
  87. DWORD dwReturnLength = 0;
  88. PTOKEN_USER pTokenUser = NULL;
  90. BOOL bResult = ::OpenProcessToken (GetCurrentProcess (), TOKEN_QUERY, &hToken);
  91. if ( bResult )
  92. {
  93. bResult = ::GetTokenInformation (
  94. hToken,
  95. TokenUser,
  96. NULL,
  97. 0,
  98. &dwReturnLength
  99. );
  101. if ( !bResult && dwReturnLength > 0 )
  102. {
  103. pTokenUser = (PTOKEN_USER) malloc (dwReturnLength);
  105. if (pTokenUser)
  106. {
  107. bResult = GetTokenInformation (
  108. hToken,
  109. TokenUser,
  110. pTokenUser,
  111. dwReturnLength,
  112. &dwReturnLength
  113. );
  115. if ( !bResult)
  116. {
  117. DWORD dwErr = GetLastError ();
  118. _TRACE (0, L"GetTokenInformation () failed: 0x%x\n", dwErr);
  119. free (pTokenUser);
  120. pTokenUser = NULL;
  121. }
  122. }
  123. }
  124. else
  125. {
  126. DWORD dwErr = GetLastError ();
  127. _TRACE (0, L"GetTokenInformation () failed: 0x%x\n", dwErr);
  128. }
  130. ::CloseHandle (hToken);
  131. }
  132. else
  133. {
  134. DWORD dwErr = GetLastError ();
  135. _TRACE (0, L"OpenProcessToken () failed: 0x%x\n", dwErr);
  136. }
  138. _TRACE (-1, L"Leaving EfspGetTokenUser\n");
  139. return pTokenUser;
  140. }
  142. HRESULT CTemplateAccessPermissionsHolderManagerVerify::ProcessTemplates ()
  143. {
  144. HRESULT hr = S_OK;
  146. DWORD dwErr = 0;
  148. // the access list is read in, modified, written back
  149. // If /fixdeleg is on, this list will be populated from the DS,
  150. // will receive the permissions associated with selected templates is the
  151. // user chooses to fix delegation, and then will be written back to the DS.
  152. PACL pFixDACL = NULL;
  154. LPCWSTR lpszObjectLdapPath = _Module.m_adsiObject.GetLdapPath();
  156. // get the security info
  157. if ( _Module.FixDelegation () && !_Module.DoTabDelimitedOutput () )
  158. {
  159. _TRACE (0, L"calling GetNamedSecurityInfo(%s, ...)\n", lpszObjectLdapPath);
  160. dwErr = ::GetNamedSecurityInfo (
  161. (LPWSTR) lpszObjectLdapPath, // name of the object
  162. SE_DS_OBJECT_ALL, // type of object
  163. DACL_SECURITY_INFORMATION, // type of security information to retrieve
  164. NULL, // receives a pointer to the owner SID
  165. NULL, // receives a pointer to the primary group SID
  166. &pFixDACL, // receives a pointer to the DACL
  167. NULL, // receives a pointer to the SACL
  168. NULL); // receives a pointer to the security descriptor
  169. if (dwErr != ERROR_SUCCESS)
  170. {
  171. _TRACE (0, L"failed on GetNamedSecurityInfo(): dwErr = 0x%x\n", dwErr);
  172. wstring str;
  173. LoadFromResource (str, IDS_DELEGWIZ_ERR_GET_SEC_INFO);
  174. MyWprintf (str.c_str ());
  175. _Module.TurnOffFixDelegation ();
  176. }
  177. }
  179. CPrincipal principal; // a dummy placeholder for us to get
  180. // the incremental rights associated
  181. // with each template
  183. // We will use the current logged-in user as a placeholder only.
  184. PTOKEN_USER pTokenUser = ::EfspGetTokenUser ();
  185. if ( pTokenUser )
  186. {
  187. hr = principal.Initialize (pTokenUser->User.Sid);
  188. free (pTokenUser);
  189. }
  191. if ( SUCCEEDED (hr) )
  192. {
  193. CTemplateList* pList = m_templateManager.GetTemplateList();
  194. for (CTemplateList::iterator itr = pList->begin(); itr != pList->end(); itr++)
  195. {
  196. CTemplate* pTemplate = *itr;
  197. ASSERT(pTemplate != NULL);
  199. // Select the templates one at a time to get the
  200. // permissions representing them
  201. pTemplate->m_bSelected = TRUE;
  203. if ( InitPermissionHoldersFromSelectedTemplates (
  204. &_Module.m_classInfoArray,
  205. &_Module.m_adsiObject) )
  206. {
  207. // This access list will contain only the access control values
  208. // associated with the selected template
  209. PACL pAccessList = 0; //(PACL) ::LocalAlloc (LMEM_ZEROINIT, sizeof (ACL));
  210. if ( 1 ) //pAccessList )
  211. {
  212. DWORD dwErr = UpdateAccessList (
  213. &principal,
  214. _Module.m_adsiObject.GetServerName(),
  215. _Module.m_adsiObject.GetPhysicalSchemaNamingContext(),
  216. &pAccessList
  217. );
  219. if ( 0 == dwErr )
  220. {
  221. CPrincipalList principalList;
  222. PSID pSid = principal.GetSid ();
  223. SID_NAME_USE sne = SidTypeUnknown;
  224. wstring strPrincipalName;
  226. hr = GetNameFromSid (pSid, strPrincipalName, 0, sne);
  227. if ( SUCCEEDED (hr) )
  228. {
  229. hr = ProcessPermissions (_Module.m_adsiObject.GetClass (),
  230. pTemplate, pAccessList, principalList);
  231. if ( SUCCEEDED (hr) && _Module.FixDelegation () && !_Module.DoTabDelimitedOutput () )
  232. {
  233. // loop thru all the principals and classes
  234. CPrincipalList::iterator i;
  235. for (i = principalList.begin(); i != principalList.end(); ++i)
  236. {
  237. CPrincipal* pCurrPrincipal = (*i);
  238. dwErr = UpdateAccessList(
  239. pCurrPrincipal,
  240. _Module.m_adsiObject.GetServerName(),
  241. _Module.m_adsiObject.GetPhysicalSchemaNamingContext(),
  242. &pFixDACL);
  243. if (dwErr != 0)
  244. break;
  245. } // for pCurrPrincipal
  246. }
  247. }
  248. }
  250. ::LocalFree (pAccessList);
  251. }
  252. else
  253. {
  254. hr = E_OUTOFMEMORY;
  255. break;
  256. }
  257. }
  258. pTemplate->m_bSelected = FALSE;
  259. }
  261. if ( _Module.FixDelegation () && !_Module.DoTabDelimitedOutput () )
  262. {
  263. // commit changes
  264. _TRACE (0, L"calling SetNamedSecurityInfo(%s, ...)\n", lpszObjectLdapPath);
  265. dwErr = ::SetNamedSecurityInfoW(
  266. (LPWSTR) lpszObjectLdapPath,
  267. SE_DS_OBJECT_ALL,
  268. DACL_SECURITY_INFORMATION,
  269. NULL,
  270. NULL,
  271. pFixDACL,
  272. 0);
  273. if (dwErr != ERROR_SUCCESS)
  274. {
  275. _TRACE (0, L"failed on SetNamedSecurityInfo(): dwErr = 0x%x\n", dwErr);
  276. wstring str;
  277. LoadFromResource (str, IDS_DELEGWIZ_ERR_SET_SEC_INFO);
  278. MyWprintf (str.c_str ());
  279. }
  280. }
  281. }
  284. if ( pFixDACL )
  285. ::LocalFree (pFixDACL);
  288. return hr;
  289. }
  292. class CTemplateStatus
  293. {
  294. public:
  295. CTemplateStatus () :
  296. m_nACECnt (1),
  297. m_bApplies (false),
  298. m_bInherited (false)
  299. {
  300. }
  302. ULONG m_nACECnt;
  303. bool m_bApplies;
  304. bool m_bInherited;
  305. wstring m_strObjName;
  306. PSID m_psid;
  307. };
  309. typedef list<CTemplateStatus*> CStatusList;
  311. HRESULT CTemplateAccessPermissionsHolderManagerVerify::ProcessPermissions(
  312. const wstring& strObjectClass,
  313. CTemplate* pTemplate,
  314. PACL pDacl,
  315. CPrincipalList& principalList)
  316. {
  317. if ( !pTemplate )
  318. return E_POINTER;
  320. HRESULT hr = S_OK;
  321. CStatusList statusList; // This list will contain 1 entry for each
  322. // SidStart/bInherited/bApplies triplet.
  323. // The counter for each item will incremented
  324. // each time an ACE is found that belongs to
  325. // the object pointed to by the SidStart.
  326. ULONG nExpectedCnt = 0;
  327. bool bApplies = pTemplate->AppliesToClass(strObjectClass.c_str ()) ? true : false;
  328. ACE_SAMNAME* pAceSAMName = 0;
  331. // Look in global DACL for each right
  332. PACCESS_ALLOWED_ACE pAllowedAce = 0;
  334. // iterate through the template ACES
  335. for (int i = 0; i < pDacl->AceCount; i++)
  336. {
  337. if ( GetAce (pDacl, i, (void **)&pAllowedAce) )
  338. {
  339. PSID AceSid = 0;
  340. if ( IsObjectAceType ( pAllowedAce ) )
  341. {
  342. AceSid = RtlObjectAceSid( pAllowedAce );
  343. }
  344. else
  345. {
  346. AceSid = &( ( PKNOWN_ACE )pAllowedAce )->SidStart;
  347. }
  348. ASSERT (IsValidSid (AceSid));
  350. if ( !IsValidSid (AceSid) )
  351. continue;
  353. // wstring strPrincipalName;
  354. // SID_NAME_USE sne = SidTypeUnknown;
  355. // hr = GetNameFromSid (AceSid, strPrincipalName, 0, sne);
  356. // if ( SUCCEEDED (hr) )
  357. {
  358. ACE_SAMNAME* pAceTemplate = new ACE_SAMNAME;
  359. if ( pAceTemplate )
  360. {
  361. pAceTemplate->m_AceType = pAllowedAce->Header.AceType;
  362. switch (pAceTemplate->m_AceType)
  363. {
  364. case ACCESS_ALLOWED_ACE_TYPE:
  365. pAceTemplate->m_pAllowedAce = pAllowedAce;
  366. break;
  368. case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
  369. pAceTemplate->m_pAllowedObjectAce =
  370. reinterpret_cast <PACCESS_ALLOWED_OBJECT_ACE> (pAllowedAce);
  371. break;
  373. case ACCESS_DENIED_ACE_TYPE:
  374. pAceTemplate->m_pDeniedAce =
  375. reinterpret_cast <PACCESS_DENIED_ACE> (pAllowedAce);
  376. break;
  378. case ACCESS_DENIED_OBJECT_ACE_TYPE:
  379. pAceTemplate->m_pDeniedObjectAce =
  380. reinterpret_cast <PACCESS_DENIED_OBJECT_ACE> (pAllowedAce);
  381. break;
  383. default:
  384. break;
  385. }
  386. // pAceTemplate->m_SAMAccountName = strPrincipalName;
  387. pAceTemplate->DebugOut ();
  388. nExpectedCnt++;
  389. ACE_SAMNAME_LIST::iterator itr = _Module.m_DACLList.begin ();
  390. for (; itr != _Module.m_DACLList.end () && SUCCEEDED (hr); itr++)
  391. {
  392. pAceSAMName = *itr;
  394. // to neutralize Sid differences
  395. pAceTemplate->m_SAMAccountName = pAceSAMName->m_SAMAccountName;
  396. if ( *pAceSAMName == *pAceTemplate )
  397. {
  398. bool bFound = false;
  399. CTemplateStatus* pStatus = 0;
  400. CStatusList::iterator itr = statusList.begin ();
  401. wstring strObjName;
  402. PSID psid = 0;
  405. if ( ACCESS_ALLOWED_OBJECT_ACE_TYPE == pAceSAMName->m_AceType )
  406. {
  407. psid = RtlObjectAceSid (pAceSAMName->m_pAllowedObjectAce);
  408. }
  409. else
  410. {
  411. psid = &( ( PKNOWN_ACE )pAceSAMName->m_pAllowedAce )->SidStart;
  412. }
  414. SID_NAME_USE sne = SidTypeUnknown;
  415. hr = GetNameFromSid (psid, strObjName, 0, sne);
  416. if ( SUCCEEDED (hr) )
  417. {
  418. for (; itr != statusList.end (); itr++)
  419. {
  420. pStatus = *itr;
  421. if ( (pStatus->m_bApplies == bApplies) &&
  422. ( pStatus->m_bInherited == pAceSAMName->IsInherited () ) &&
  423. ( !_wcsicmp (
  424. pStatus->m_strObjName.c_str (),
  425. strObjName.c_str ())) )
  426. {
  427. bFound = true;
  428. break;
  429. }
  430. }
  432. if ( bFound )
  433. {
  434. pStatus->m_nACECnt++;
  435. }
  436. else
  437. {
  438. pStatus = new CTemplateStatus;
  439. if ( pStatus )
  440. {
  441. pStatus->m_strObjName = strObjName;
  442. pStatus->m_bApplies = bApplies;
  443. pStatus->m_bInherited = pAceSAMName->IsInherited ();
  444. pStatus->m_psid = psid;
  445. statusList.push_back (pStatus);
  446. }
  447. else
  448. {
  449. hr = E_OUTOFMEMORY;
  450. break;
  451. }
  452. }
  453. }
  454. }
  455. }
  456. }
  457. else
  458. {
  459. hr = E_OUTOFMEMORY;
  460. break;
  461. }
  462. }
  463. }
  464. }
  467. // Now, iterate thru status list and evaluate each item
  468. // If the list is empty, then this template is not present.
  469. // Otherwise, for each present item, if the class and attr count is less than the required count
  470. // the template is partial for the item.
  471. // Otherwise, it is OK.
  472. CStatusList::iterator itr = statusList.begin ();
  473. CTemplateStatus* pStatus = 0;
  474. wstring str;
  475. wstring strStatus;
  478. for (; itr != statusList.end () && SUCCEEDED (hr); itr++)
  479. {
  480. pStatus = *itr;
  482. // Print template description
  483. bool bMisconfigured = false;
  485. if ( _Module.DoTabDelimitedOutput () )
  486. {
  487. FormatMessage (str, IDS_DELEGATION_TITLE_CDO, pTemplate->GetDescription (),
  488. pStatus->m_strObjName.c_str ());
  489. }
  490. else
  491. {
  492. FormatMessage (str, IDS_DELEGATION_TITLE, pTemplate->GetDescription (),
  493. pStatus->m_strObjName.c_str ());
  494. }
  495. MyWprintf (str.c_str ());
  497. // Print "Status: OK/MISCONFIGURED"
  498. if ( pStatus->m_nACECnt < nExpectedCnt )
  499. {
  500. LoadFromResource (strStatus, IDS_MISCONFIGURED);
  501. bMisconfigured = true;
  502. }
  503. else
  504. LoadFromResource (strStatus, IDS_OK);
  506. if ( _Module.DoTabDelimitedOutput () )
  507. FormatMessage (str, IDS_DELTEMPL_STATUS_CDO, strStatus.c_str ());
  508. else
  509. FormatMessage (str, IDS_DELTEMPL_STATUS, strStatus.c_str ());
  510. MyWprintf (str.c_str ());
  512. // Print "Applies on this object: YES/NO"
  513. if ( pStatus->m_bApplies )
  514. {
  515. LoadFromResource (strStatus,
  516. _Module.DoTabDelimitedOutput () ? IDS_APPLIES : IDS_YES);
  517. }
  518. else
  519. {
  520. LoadFromResource (strStatus,
  521. _Module.DoTabDelimitedOutput () ? IDS_DOES_NOT_APPLY : IDS_NO);
  522. }
  524. if ( _Module.DoTabDelimitedOutput () )
  525. FormatMessage (str, IDS_APPLIES_ON_THIS_OBJECT_CDO, strStatus.c_str ());
  526. else
  527. FormatMessage (str, IDS_APPLIES_ON_THIS_OBJECT, strStatus.c_str ());
  528. MyWprintf (str.c_str ());
  530. // Print "Inherited from parent: YES/NO"
  531. if ( pStatus->m_bInherited )
  532. {
  533. LoadFromResource (strStatus,
  534. _Module.DoTabDelimitedOutput () ? IDS_INHERITED : IDS_YES);
  535. }
  536. else
  537. {
  538. LoadFromResource (strStatus,
  539. _Module.DoTabDelimitedOutput () ? IDS_EXPLICIT : IDS_NO);
  540. }
  542. if ( _Module.DoTabDelimitedOutput () )
  543. FormatMessage (str, IDS_INHERITED_FROM_PARENT_CDO, strStatus.c_str ());
  544. else
  545. FormatMessage (str, IDS_INHERITED_FROM_PARENT, strStatus.c_str ());
  546. MyWprintf (str.c_str ());
  548. if ( bMisconfigured && _Module.FixDelegation () && !_Module.DoTabDelimitedOutput () )
  549. {
  550. LoadFromResource (str, IDS_FIX_DELEGATION_QUERY);
  552. while (1)
  553. {
  554. MyWprintf (str.c_str ());
  556. int ch = _getche ();
  558. if ( 'y' == ch )
  559. {
  560. CPrincipal* pPrincipal = new CPrincipal;
  562. if ( pPrincipal )
  563. {
  564. if ( SUCCEEDED (pPrincipal->Initialize (pStatus->m_psid)) )
  565. principalList.push_back (pPrincipal);
  566. else
  567. delete pPrincipal;
  568. }
  569. else
  570. hr = E_OUTOFMEMORY;
  572. MyWprintf (L"\n\n");
  573. break;
  574. }
  575. else if ( 'n' == ch )
  576. {
  577. MyWprintf (L"\n\n");
  578. break;
  579. }
  580. else
  581. {
  582. MyWprintf (L"\n");
  583. continue;
  584. }
  585. }
  586. }
  587. }
  589. if ( !pStatus ) // None found
  590. {
  591. // Print template description
  592. if ( _Module.DoTabDelimitedOutput () )
  593. {
  594. FormatMessage (str, IDS_DELEGATION_NOT_FOUND_CDO,
  595. pTemplate->GetDescription ());
  596. MyWprintf (str.c_str ());
  597. }
  598. else
  599. {
  600. FormatMessage (str, L"\t%1\n\n", pTemplate->GetDescription ());
  601. MyWprintf (str.c_str ());
  603. LoadFromResource (strStatus, IDS_NOT_PRESENT);
  604. FormatMessage (str, IDS_DELTEMPL_STATUS, strStatus.c_str ());
  605. MyWprintf (str.c_str ());
  606. }
  607. }
  609. if ( !_Module.DoTabDelimitedOutput () )
  610. MyWprintf (L"\n");
  611. return hr;
  612. }