archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/admin/netui/acledit/h/aclconv.hxx

526 lines
17 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  1. /**********************************************************************/
  2. /** Microsoft LAN Manager **/
  3. /** Copyright(c) Microsoft Corp., 1990, 1991 **/
  4. /**********************************************************************/
  6. /*
  7. AclConv.hxx
  9. This file contains the ACL_TO_PERM_CONVERTER class definition
  13. FILE HISTORY:
  14. Johnl 01-Aug-1991 Created
  16. */
  18. #ifndef _ACLCONV_HXX_
  19. #define _ACLCONV_HXX_
  21. #include <uimsg.h>
  23. #define IERR_ACL_CONV_BASE (IDS_UI_ACLEDIT_BASE+400)
  25. #define IERR_ACLCONV_NONST_ACL_CANT_EDIT (IERR_ACL_CONV_BASE+1)
  26. #define IERR_ACLCONV_NONST_ACL_CAN_EDIT (IERR_ACL_CONV_BASE+2)
  27. #define IERR_ACLCONV_CANT_VIEW_CAN_EDIT (IERR_ACL_CONV_BASE+3)
  28. #define IERR_ACLCONV_LM_INHERITING_PERMS (IERR_ACL_CONV_BASE+4)
  29. #define IERR_ACLCONV_LM_NO_ACL (IERR_ACL_CONV_BASE+5)
  30. #define IERR_ACLCONV_READ_ONLY (IERR_ACL_CONV_BASE+6)
  31. #define IERR_ACLCONV_CANT_EDIT_PERM_ON_LM_SHARE_LEVEL (IERR_ACL_CONV_BASE+7)
  33. #ifndef RC_INVOKED
  35. #include <base.hxx>
  36. #include <lmobj.hxx>
  37. #include <lmoacces.hxx>
  39. extern "C"
  40. {
  41. #include <sedapi.h>
  43. APIERR QueryLoggedOnDomainInfo( NLS_STR * pnlsDC,
  44. NLS_STR * pnlsDomain,
  45. HWND hwnd ) ;
  46. }
  48. #include <subject.hxx>
  50. enum TREE_APPLY_FLAGS {
  51. TREEAPPLY_ACCESS_PERMS,
  52. TREEAPPLY_AUDIT_PERMS,
  53. } ;
  56. /*************************************************************************
  58. NAME: ACL_TO_PERM_CONVERTER
  60. SYNOPSIS: Abstract superclass that can retrieve, interpret and set
  61. an ACL.
  63. INTERFACE:
  65. PARENT:
  67. USES:
  69. CAVEATS:
  71. NOTES: New Sub-objects refers to objects (such as files) that will
  72. be created in an NT container object (such as a directory)
  73. and gets the New Object permissions set up in the container
  74. object.
  77. HISTORY:
  78. Johnl 02-Aug-1991 Created
  80. **************************************************************************/
  82. class MASK_MAP ; // Forward reference
  83. class ACCPERM ;
  84. class PERMISSION ;
  86. class ACL_TO_PERM_CONVERTER : public BASE
  87. {
  88. public:
  90. /* Fill the passed ACCPERM with the set of PERMISSIONS that represent this
  91. * ACL. If the ACL is one we don't recognize, then the ACCPERM will be
  92. * empty and the error code will be one of the IERR_ACLCONV_* error codes
  93. *
  94. */
  95. virtual APIERR GetPermissions( ACCPERM * pAccperm, BOOL fAccessPerms ) = 0 ;
  97. /* Initialize the ACCPERM with the default "Blank" permissions. Used
  98. * when applying an ACL to a resource that doesn't have an ACL already,
  99. * or when blowing away an unrecognized ACL.
  100. */
  101. virtual APIERR GetBlankPermissions( ACCPERM * pAccperm ) = 0 ;
  103. /* Applies the new permissions specified in the ACCPERM class to the
  104. * specified resource.
  105. * accperm - New permission set
  106. * fApplyToSubContainers - Apply this permission set to subcontainer
  107. * objects (such as directories etc., will only
  108. * be TRUE if this is a container resource.
  109. * fApplyToSubObjects - Apply this permission set to container objects
  110. * (such as files etc.). Will only be TRUE if
  111. * this is a container resource.
  112. * applyflags - Indicates whether we should set access or audit perms.
  113. * pfReportError - Set to TRUE if the caller should report the error,
  114. * FALSE if the error has already been reported
  115. */
  116. virtual APIERR WritePermissions( ACCPERM & accperm,
  117. BOOL fApplyToSubContainers,
  118. BOOL fApplyToSubObjects,
  119. enum TREE_APPLY_FLAGS applyflags,
  120. BOOL *pfReportError ) = 0 ;
  122. /* Create a permission object that is ready to be added to an ACCPERM
  123. *
  124. * ppPerm - Pointer to receive new'ed PERMISSION object (client should
  125. * delete or add to an ACCPERM and let it delete the
  126. * permission)
  127. * fAccessPermission - TRUE if this is an ACCESS_PERMISSION or an
  128. * AUDIT_PERMISSION
  129. * pSubj - Pointer to new'ed SUBJECT (will be deleted by permission)
  130. *
  131. * The pointer to the bitfields contain the following information:
  132. *
  133. * NT Obj Perm NT Obj Audit
  134. * LM Perm. LM Audit NT Cont Perm NT Cont Audit
  135. * =====================================================================
  136. * pbits1 - Access Perm Success Access Perm Success
  137. * pbits2 - NA Failed NEW Obj Access Perm Failed
  138. * (pbits3 - NA NA NA * )
  139. * (pbits4 - NA NA NA * )
  140. *
  141. * * We don't support NEW Obj. auditting settings, if we did, then we
  142. * would add the pbits3 and pbits4.
  143. */
  144. virtual APIERR BuildPermission( PERMISSION * * ppPerm,
  145. BOOL fAccessPermission,
  146. SUBJECT * pSubj,
  147. BITFIELD * pbits1,
  148. BITFIELD * pbits2 = NULL,
  149. BOOL fContainerPermsInheritted = TRUE ) ;
  151. /* When we try and write a permission list but one of the users/groups
  152. * have been removed from the server's list, we need to let the user
  153. * know which one. This method retrieves the responsible subject.
  154. *
  155. * This should only be called immediately after WritePermissions returns
  156. * NERR_UserNotFound.
  157. */
  158. virtual APIERR QueryFailingSubject( NLS_STR * pnlsSubjUniqueName ) = 0 ;
  160. //
  161. // If the ACL has an owner, this virtual returns it. If there is no
  162. // owner, then NULL will be returned. Note that only NT ACLs have
  163. // owners.
  164. //
  165. virtual const TCHAR * QueryOwnerName( void ) const ;
  167. /* Returns a server in the user's logged on domain and/or the logged on
  168. * domain. Note that either parameter maybe NULL.
  169. */
  170. APIERR QueryLoggedOnDomainInfo( NLS_STR * pnlsDCInLoggedOnDomain,
  171. NLS_STR * pnlsLoggedOnDomain ) ;
  174. MASK_MAP * QueryAccessMap( void ) const
  175. { return _paccmaskmap ; }
  177. MASK_MAP * QueryAuditMap( void ) const
  178. { return _pauditmaskmap ; }
  180. /* Note: Not all ACLs will support the New object concept, the default
  181. * implementation will simply return NULL.
  182. */
  183. virtual MASK_MAP * QueryNewObjectAccessMap( void ) const ;
  185. /* In some cases (i.e., LM) the resource maybe inheritting from a parent
  186. * resource. This method returns the name of the resource that
  187. * is being inheritted from. This will only be defined in the LM case.
  188. */
  189. virtual APIERR QueryInherittingResource( NLS_STR * pnlsInherittingResName );
  191. const LOCATION * QueryLocation( void ) const
  192. { return &_location ; }
  194. /* Returns TRUE if this resource is readonly.
  195. */
  196. BOOL IsReadOnly( void ) const
  197. { return _fReadOnly ; }
  199. /* Returns TRUE if this resource is based on an NT platform.
  200. *
  201. * We know this can't fail, getting it from the location class may fail
  202. */
  203. BOOL IsNT( void ) const
  204. { return _fIsNT ; }
  206. /* Returns TRUE if the object is a container object
  207. */
  208. BOOL IsContainer( void ) const
  209. { return _fIsContainer ; }
  211. BOOL IsNewObjectsSupported( void ) const
  212. { return _fIsNewObjectsSupported ; }
  214. virtual ~ACL_TO_PERM_CONVERTER() ;
  216. void SetWritePermHwnd( HWND hwndOwner )
  217. { _hwndErrorParent = hwndOwner ; }
  219. HWND QueryWritePermHwnd( void ) const
  220. { return _hwndErrorParent ; }
  222. BOOL IsMnemonicsDisplayed( void ) const
  223. { return _fShowMnemonics ; }
  225. protected:
  227. ACL_TO_PERM_CONVERTER( const TCHAR * pszServer,
  228. MASK_MAP * paccessmap,
  229. MASK_MAP * pauditmap,
  230. BOOL fIsNT,
  231. BOOL fIsContainer,
  232. BOOL fIsNewObjectsSupported,
  233. BOOL fShowMnemonics = TRUE ) ;
  235. void SetReadOnlyFlag( BOOL fIsReadOnly )
  236. { _fReadOnly = fIsReadOnly ; }
  238. LOCATION _location ;
  240. private:
  242. BOOL _fReadOnly ; // We can only read the ACL if TRUE
  243. BOOL _fIsNT ; // This resource is on an NT machine
  244. BOOL _fIsContainer ;
  245. BOOL _fIsNewObjectsSupported ;
  247. MASK_MAP * _paccmaskmap ;
  248. MASK_MAP * _pauditmaskmap ;
  250. /* Caches a DC from the logged on domain. Initialized from
  251. * QueryDCInLoggedOnDomain.
  252. */
  253. NLS_STR _nlsLoggedOnDC ;
  254. NLS_STR _nlsLoggedOnDomain ;
  256. /* This member is needed for a semi-hack. When WritePermission is called
  257. * for an NT ACL converter what actually happens is the callback function
  258. * is called and it is responsible for all error handling. Thus this
  259. * member is passed to the callback where it is used for message boxes etc.
  260. */
  261. HWND _hwndErrorParent ;
  263. //
  264. // True if mnemonics (i.e., (RWXD)) should be shown
  265. //
  266. BOOL _fShowMnemonics ;
  267. } ;
  270. /*************************************************************************
  272. NAME: LM_ACL_TO_PERM_CONVERTER
  274. SYNOPSIS: This class converts a Lanman ACE to a set of PERMISSIONs
  275. stored in the ACCPERM class.
  277. INTERFACE:
  279. PARENT:
  281. USES:
  283. CAVEATS: The fApplyTo* flags on WritePermissions should only be set
  284. if the resource is a *file* resource, otherwise bad things
  285. will happen.
  287. NOTES:
  289. HISTORY:
  290. Johnl 02-Aug-1991 Created
  292. **************************************************************************/
  294. class LM_ACL_TO_PERM_CONVERTER : public ACL_TO_PERM_CONVERTER
  295. {
  296. public:
  297. /* Constructor:
  298. * pchServer is the server name of the resource
  299. * pchResourceName is the LM canonicalized resource name (i.e.,
  300. * appropriate to call NetAccessSetInfo with).
  301. * paccessmap is the access permission bitfield map
  302. * pauditmap is the audit permission bitfield map
  303. * fIsContainer - TRUE if directory, FALSE if file
  304. * pfuncCallback - What to call back to when writing security
  305. * ulCallbackContext - Context for the callback
  306. * fIsBadIntersection - TRUE if this is a multi-select and the
  307. * security is not the same on all of the resources
  308. */
  309. LM_ACL_TO_PERM_CONVERTER( const TCHAR * pchServer,
  310. const TCHAR * pchResourceName,
  311. MASK_MAP *paccessmap,
  312. MASK_MAP *pauditmap,
  313. BOOL fIsContainer,
  314. PSED_FUNC_APPLY_SEC_CALLBACK pfuncCallback,
  315. ULONG_PTR ulCallbackContext,
  316. BOOL fIsBadIntersection ) ;
  318. ~LM_ACL_TO_PERM_CONVERTER() ;
  320. /* See parent for more info.
  321. */
  322. virtual APIERR GetPermissions( ACCPERM * pAccperm, BOOL fAccessPerms ) ;
  323. virtual APIERR GetBlankPermissions( ACCPERM * pAccperm ) ;
  324. virtual APIERR WritePermissions( ACCPERM & accperm,
  325. BOOL fApplyToSubContainers,
  326. BOOL fApplyToSubObjects,
  327. enum TREE_APPLY_FLAGS applyflags,
  328. BOOL *pfReportError ) ;
  329. virtual APIERR QueryInherittingResource( NLS_STR * pnlsInherittingResName );
  331. virtual APIERR QueryFailingSubject( NLS_STR * pnlsSubjUniqueName ) ;
  333. protected:
  335. /* The name of the resource this resource is inheritting from (NULL if
  336. * none).
  337. */
  338. NLS_STR _nlsInherittingResName ;
  340. /* This method fills in the _nlsInherittingResName by working back up
  341. * the directory tree until it finds a resource that the current resource
  342. * is inheritting from.
  343. */
  344. APIERR FindInherittingResource( void ) ;
  346. /* These two methods map the failed to successful audit bits and the
  347. * successful to failed audit bits respectively.
  348. */
  349. USHORT FailToSuccessAuditFlags( USHORT usFailAuditMask ) ;
  350. USHORT SuccessToFailAuditFlags( USHORT usSuccessAuditMask ) ;
  352. private:
  354. /* Used to retrieve the ACL and write the ACL on GetPermissions and
  355. * WritePermissions.
  356. */
  357. NET_ACCESS_1 _lmobjNetAccess1 ;
  359. // The following two are for the call back method
  360. PSED_FUNC_APPLY_SEC_CALLBACK _pfuncCallback ;
  361. ULONG_PTR _ulCallbackContext ;
  363. //
  364. // Set to TRUE if we should blank out the audit/perm info because the
  365. // user has multi-selected non-equal ACLs
  366. //
  367. BOOL _fIsBadIntersection ;
  369. } ;
  371. /*************************************************************************
  373. NAME: NT_ACL_TO_PERM_CONVERTER
  375. SYNOPSIS: The ACL Converter for NT ACLs
  378. INTERFACE: See ACL_TO_PERM_CONVERTER
  380. PARENT: ACL_TO_PERM_CONVERTER
  382. USES: MASK_MAP
  384. CAVEATS: If the client indicates that NewObjectPerms are supported,
  385. then the accperm will contain NT_CONT_ACCESS_PERMS (and
  386. this class will assume that), otherwise the accperm will
  387. contain ACCESS_PERMS objects.
  389. NOTES: If New Sub-Objects are not supported, then the paccessmapNewObject
  390. parameter should be NULL. If they are supported, then the
  391. PERMTYPE_GENERAL permissions of the new object MASK_MAP should
  392. match exactly the PERMTYPE_GENERAL permissions of the
  393. paccessmap parameter.
  395. HISTORY:
  396. Johnl 27-Sep-1991 Created
  398. **************************************************************************/
  400. class NT_ACL_TO_PERM_CONVERTER : public ACL_TO_PERM_CONVERTER
  401. {
  402. private:
  403. MASK_MAP * _pmaskmapNewObject ;
  405. /* This member gets initialized by BuildNewObjectPerms.
  406. */
  407. OS_SECURITY_DESCRIPTOR * _possecdescNewItemPerms ;
  409. //
  410. // Contains the owner name of the security descriptor (initialized
  411. // in SidsToNames()).
  412. //
  413. NLS_STR _nlsOwner ;
  415. /* These private members are stored here till we need them for the callback
  416. * method.
  417. */
  418. PSECURITY_DESCRIPTOR _psecuritydesc ;
  419. PGENERIC_MAPPING _pGenericMapping ;
  420. PGENERIC_MAPPING _pGenericMappingNewObjects ;
  421. BOOL _fMapSpecificToGeneric ;
  422. BOOL _fCantReadACL ;
  423. ULONG_PTR _ulCallbackContext ;
  424. HANDLE _hInstance ;
  425. LPDWORD _lpdwReturnStatus ;
  426. PSED_FUNC_APPLY_SEC_CALLBACK _pfuncCallback ;
  428. protected:
  429. /* These two methods convert a security descriptor to an accperm
  430. * and an accperm to a security descriptor, respectively.
  431. *
  432. * SecurityDesc2Accperm will return, in addition to standard APIERRs,
  433. * IERR_ACLCONV_* manifests.
  434. */
  435. APIERR SecurityDesc2Accperm( const PSECURITY_DESCRIPTOR psecdesc,
  436. ACCPERM * pAccperm,
  437. BOOL fAccessPerm ) ;
  439. APIERR Accperm2SecurityDesc( ACCPERM * pAccperm,
  440. OS_SECURITY_DESCRIPTOR * possecdesc,
  441. BOOL fAccessPerm ) ;
  443. /* Help method for building access permissions
  444. */
  445. APIERR NT_ACL_TO_PERM_CONVERTER::CreateNewPermission(
  446. PERMISSION ** ppPermission,
  447. BOOL fAccess,
  448. PSID psidSubject,
  449. ACCESS_MASK Mask1,
  450. BOOL fMask2Used,
  451. ACCESS_MASK Mask2,
  452. BOOL fContainerPermsInheritted = TRUE ) ;
  454. APIERR SidsToNames( ACCPERM * pAccperm,
  455. BOOL fAccess,
  456. PSID psidOwner = NULL ) ;
  458. /* These two methods are used by Accperm2SecurityDesc, specifically, they
  459. * are helper routines for building up the the security descriptor's
  460. * DACL.
  461. */
  462. APIERR ConvertAllowAccessPerms( ACCPERM * pAccperm,
  463. OS_ACL * posaclDACL ) ;
  464. APIERR ConvertDenyAllAccessPerms( ACCPERM * pAccperm,
  465. OS_ACL * posaclDACL ) ;
  467. APIERR BuildNewObjectPerms( const OS_SECURITY_DESCRIPTOR & ossecContainer );
  468. APIERR RemoveUndesirableACEs( OS_ACL * posacl ) ;
  470. OS_SECURITY_DESCRIPTOR * QueryNewObjectPerms( void ) const
  471. { return _possecdescNewItemPerms ; }
  473. //
  474. // The client indicated they were unable to read the ACL because the
  475. // user doesn't have privilege. Presumably they have write permissions
  476. //
  477. BOOL IsNonReadable( void ) const
  478. { return _fCantReadACL ; }
  480. public:
  481. /* Constructor:
  482. * pchServer is the server name of the resource
  483. * pchResourceName is the name
  484. * paccessmap is the access permission bitfield map
  485. * paccessmapNewObject is the new object permission bitfield map, it
  486. * should be NULL if this is not a container object that supports
  487. * new sub-objects
  488. * pauditmap is the audit permission bitfield map
  489. */
  490. NT_ACL_TO_PERM_CONVERTER( const TCHAR * pchServer,
  491. const TCHAR * pchResourceName,
  492. MASK_MAP * paccessmap,
  493. MASK_MAP * paccessmapNewObject,
  494. MASK_MAP * pauditmap,
  495. BOOL fIsContainer,
  496. BOOL fIsNewObjectsSupported,
  497. PSECURITY_DESCRIPTOR psecdesc,
  498. PGENERIC_MAPPING pGenericMapping,
  499. PGENERIC_MAPPING pGenericMappingNewObjects,
  500. BOOL fMapSpecificToGeneric,
  501. BOOL fCantReadACL,
  502. BOOL fCantWriteACL,
  503. PSED_FUNC_APPLY_SEC_CALLBACK pfuncCallback,
  504. ULONG_PTR ulCallbackContext,
  505. HANDLE hInstance,
  506. LPDWORD lpdwReturnStatus,
  507. BOOL fShowMnemonics ) ;
  509. ~NT_ACL_TO_PERM_CONVERTER() ;
  511. /* See parent for more info.
  512. */
  513. virtual APIERR GetPermissions( ACCPERM * pAccperm, BOOL fAccessPerms ) ;
  514. virtual APIERR GetBlankPermissions( ACCPERM * pAccperm ) ;
  515. virtual APIERR WritePermissions( ACCPERM & accperm,
  516. BOOL fApplyToSubContainers,
  517. BOOL fApplyToSubObjects,
  518. enum TREE_APPLY_FLAGS applyflags,
  519. BOOL *pfReportError ) ;
  520. virtual APIERR QueryFailingSubject( NLS_STR * pnlsSubjUniqueName ) ;
  521. virtual MASK_MAP * QueryNewObjectAccessMap( void ) const ;
  522. virtual const TCHAR * QueryOwnerName( void ) const ;
  523. } ;
  525. #endif //RC_INVOKED
  526. #endif //_ACLCONV_HXX_