archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/base/lsa/server/policy.cxx

529 lines
14 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 1992 - 1994
  6. //
  7. // File: policy.cxx
  8. //
  9. // Contents: SpmBuildCairoToken
  10. //
  11. //
  12. // History: 23-May-1994 MikeSw Created
  13. //
  14. //------------------------------------------------------------------------
  16. #include <lsapch.hxx>
  17. extern "C"
  18. {
  19. #include "adtp.h"
  20. }
  23. //+-------------------------------------------------------------------------
  24. //
  25. // Function: LsapCreateToken
  26. //
  27. // Synopsis: Builds a token from the various pieces of information
  28. // generated during a logon.
  29. //
  30. // Effects:
  31. //
  32. // Arguments: pUserSid - sid of user to create token for
  33. // pTokenGroups - groups passed in to LogonUser or from PAC to
  34. // be put in token
  35. // pTokenPrivs - privileges from PAC to put in token
  36. // TokenType - type of token to create
  37. // pTokenSource - source of the token
  38. // pLogonId - Gets logon ID
  39. // phToken - Get handle to token
  40. //
  41. // Requires:
  42. //
  43. // Returns:
  44. //
  45. // Notes: TokenInformation is always freed, even on failure.
  46. //
  47. //
  48. //--------------------------------------------------------------------------
  51. NTSTATUS NTAPI
  52. LsapCreateToken(
  53. IN PLUID LogonId,
  54. IN PTOKEN_SOURCE TokenSource,
  55. IN SECURITY_LOGON_TYPE LogonType,
  56. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  57. IN LSA_TOKEN_INFORMATION_TYPE InputTokenInformationType,
  58. IN PVOID InputTokenInformation,
  59. IN PTOKEN_GROUPS LocalGroups,
  60. IN PUNICODE_STRING AccountName,
  61. IN PUNICODE_STRING AuthorityName,
  62. IN PUNICODE_STRING WorkstationName,
  63. IN OPTIONAL PUNICODE_STRING ProfilePath,
  64. OUT PHANDLE Token,
  65. OUT PNTSTATUS SubStatus
  66. )
  67. {
  68. SECPKG_PRIMARY_CRED PrimaryCredential;
  70. ZeroMemory( &PrimaryCredential, sizeof(PrimaryCredential) );
  73. if( AccountName != NULL )
  74. {
  75. PrimaryCredential.DownlevelName = *AccountName;
  76. }
  78. if( AuthorityName != NULL )
  79. {
  80. PrimaryCredential.DomainName = *AuthorityName;
  81. }
  83. return LsapCreateTokenEx(
  84. LogonId,
  85. TokenSource,
  86. LogonType,
  87. ImpersonationLevel,
  88. InputTokenInformationType,
  89. InputTokenInformation,
  90. LocalGroups,
  91. WorkstationName,
  92. ProfilePath,
  93. &PrimaryCredential,
  94. SecSessionPrimaryCred,
  95. Token,
  96. SubStatus
  97. );
  99. }
  101. //+-------------------------------------------------------------------------
  102. //
  103. // Function: LsapCreateTokenEx
  104. //
  105. // Synopsis: Builds a token from the various pieces of information
  106. // generated during a logon.
  107. //
  108. // Effects:
  109. //
  110. // Arguments: pUserSid - sid of user to create token for
  111. // pTokenGroups - groups passed in to LogonUser or from PAC to
  112. // be put in token
  113. // pTokenPrivs - privileges from PAC to put in token
  114. // TokenType - type of token to create
  115. // pTokenSource - source of the token
  116. // pLogonId - Gets logon ID
  117. // phToken - Get handle to token
  118. //
  119. // Requires:
  120. //
  121. // Returns:
  122. //
  123. // Notes: TokenInformation is always freed, even on failure.
  124. //
  125. //
  126. //--------------------------------------------------------------------------
  129. NTSTATUS NTAPI
  130. LsapCreateTokenEx(
  131. IN PLUID LogonId,
  132. IN PTOKEN_SOURCE TokenSource,
  133. IN SECURITY_LOGON_TYPE LogonType,
  134. IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
  135. IN LSA_TOKEN_INFORMATION_TYPE InputTokenInformationType,
  136. IN PVOID InputTokenInformation,
  137. IN PTOKEN_GROUPS LocalGroups,
  138. IN PUNICODE_STRING WorkstationName,
  139. IN PUNICODE_STRING ProfilePath,
  140. IN PVOID SessionInformation,
  141. IN SECPKG_SESSIONINFO_TYPE SessionInformationType,
  142. OUT PHANDLE Token,
  143. OUT PNTSTATUS SubStatus
  144. )
  145. {
  146. NTSTATUS Status;
  147. PPRIVILEGE_SET PrivilegesAssigned = NULL;
  148. PLSA_TOKEN_INFORMATION_V2 TokenInformationV2 = NULL;
  149. PLSA_TOKEN_INFORMATION_NULL TokenInformationNull = NULL;
  150. LSA_TOKEN_INFORMATION_TYPE OriginalTokenType = InputTokenInformationType;
  151. QUOTA_LIMITS QuotaLimits;
  152. PUNICODE_STRING NewAccountName = NULL;
  153. PUNICODE_STRING NewAuthorityName = NULL;
  154. PUNICODE_STRING NewProfilePath = NULL;
  155. UNICODE_STRING LocalAccountName = { 0 };
  156. UNICODE_STRING LocalAuthorityName = { 0 };
  157. UNICODE_STRING LocalProfilePath = { 0 };
  158. PSID NewUserSid = NULL;
  159. LSA_TOKEN_INFORMATION_TYPE TokenInformationType = InputTokenInformationType;
  160. PVOID TokenInformation = InputTokenInformation;
  162. PSECPKG_PRIMARY_CRED PrimaryCredential;
  163. PUNICODE_STRING AccountName;
  164. PUNICODE_STRING AuthorityName;
  167. *Token = NULL;
  168. *SubStatus = STATUS_SUCCESS;
  170. if( SessionInformationType != SecSessionPrimaryCred )
  171. {
  172. return STATUS_INVALID_PARAMETER;
  173. }
  175. PrimaryCredential = (PSECPKG_PRIMARY_CRED)SessionInformation;
  177. AccountName = &PrimaryCredential->DownlevelName;
  178. AuthorityName = &PrimaryCredential->DomainName;
  180. //
  181. // Pass the token information through the Local Security Policy
  182. // Filter/Augmentor. This may cause some or all of the token
  183. // information to be replaced/augmented.
  184. //
  186. Status = LsapAuUserLogonPolicyFilter(
  187. LogonType,
  188. &TokenInformationType,
  189. &TokenInformation,
  190. LocalGroups,
  191. &QuotaLimits,
  192. &PrivilegesAssigned
  193. );
  198. if ( !NT_SUCCESS(Status) ) {
  200. goto Cleanup;
  201. }
  203. //
  204. // Check if we only allow admins to logon. We do allow null session
  205. // connections since they are severly restricted, though. Since the
  206. // token type may have been changed, we use the token type originally
  207. // returned by the package.
  208. //
  210. if (LsapAllowAdminLogonsOnly &&
  211. ((OriginalTokenType == LsaTokenInformationV1) ||
  212. (OriginalTokenType == LsaTokenInformationV2))&&
  213. !LsapSidPresentInGroups(
  214. ((PLSA_TOKEN_INFORMATION_V2) TokenInformation)->Groups,
  215. (SID *)LsapAliasAdminsSid)) {
  217. //
  218. // Set the status to be invalid workstation, since all accounts
  219. // except administrative ones are locked out for this
  220. // workstation.
  221. //
  223. *SubStatus = STATUS_INVALID_WORKSTATION;
  224. Status = STATUS_ACCOUNT_RESTRICTION;
  225. goto Cleanup;
  226. }
  228. //
  229. // Case on the token information returned (and subsequently massaged)
  230. // to create the correct kind of token.
  231. //
  233. switch (TokenInformationType) {
  235. case LsaTokenInformationNull:
  237. TokenInformationNull = (PLSA_TOKEN_INFORMATION_NULL) TokenInformation;
  239. //
  240. // The user hasn't logged on to any particular account.
  241. // An impersonation token with WORLD as owner
  242. // will be created.
  243. //
  246. Status = LsapCreateNullToken(
  247. LogonId,
  248. TokenSource,
  249. TokenInformationNull,
  250. Token
  251. );
  253. if ( !NT_SUCCESS(Status) ) {
  254. goto Cleanup;
  255. }
  258. break;
  263. case LsaTokenInformationV1:
  264. case LsaTokenInformationV2:
  266. TokenInformationV2 = (PLSA_TOKEN_INFORMATION_V2) TokenInformation;
  268. //
  269. // the type of token created depends upon the type of logon
  270. // being requested:
  271. //
  272. // InteractiveLogon => PrimaryToken
  273. // BatchLogon => PrimaryToken
  274. // NetworkLogon => ImpersonationToken
  275. //
  277. if (LogonType != Network) {
  279. //
  280. // Primary token
  281. //
  283. Status = LsapCreateV2Token(
  284. LogonId,
  285. TokenSource,
  286. TokenInformationV2,
  287. TokenPrimary,
  288. ImpersonationLevel,
  289. Token
  290. );
  292. if ( !NT_SUCCESS(Status) ) {
  293. goto Cleanup;
  294. }
  297. } else {
  299. //
  300. // Impersonation token
  301. //
  303. Status = LsapCreateV2Token(
  304. LogonId,
  305. TokenSource,
  306. TokenInformationV2,
  307. TokenImpersonation,
  308. ImpersonationLevel,
  309. Token
  310. );
  312. if ( !NT_SUCCESS(Status) ) {
  313. goto Cleanup;
  314. }
  317. }
  319. //
  320. // Copy out the User Sid
  321. //
  323. Status = LsapDuplicateSid( &NewUserSid, TokenInformationV2->User.User.Sid );
  325. if ( !NT_SUCCESS( Status )) {
  326. goto Cleanup;
  327. }
  329. break;
  331. }
  333. //
  334. // Audit special privilege assignment, if there were any
  335. //
  337. if ( PrivilegesAssigned != NULL ) {
  339. //
  340. // Examine the list of privileges being assigned, and
  341. // audit special privileges as appropriate.
  342. //
  344. LsapAdtAuditSpecialPrivileges( PrivilegesAssigned, *LogonId, NewUserSid );
  346. }
  349. NewAccountName = &LocalAccountName ;
  350. NewAuthorityName = &LocalAuthorityName ;
  353. //
  354. // If the original was a null session, set the user name & domain name
  355. // to be anonymous.
  356. //
  358. if (OriginalTokenType == LsaTokenInformationNull)
  359. {
  360. NewAccountName->Buffer = (LPWSTR) LsapAllocateLsaHeap(WellKnownSids[LsapAnonymousSidIndex].Name.MaximumLength);
  361. if (NewAccountName->Buffer == NULL)
  362. {
  363. Status = STATUS_INSUFFICIENT_RESOURCES;
  364. goto Cleanup;
  365. }
  366. NewAccountName->MaximumLength = WellKnownSids[LsapAnonymousSidIndex].Name.MaximumLength;
  367. RtlCopyUnicodeString(
  368. NewAccountName,
  369. &WellKnownSids[LsapAnonymousSidIndex].Name
  370. );
  372. NewAuthorityName->Buffer = (LPWSTR) LsapAllocateLsaHeap(WellKnownSids[LsapAnonymousSidIndex].DomainName.MaximumLength);
  373. if (NewAuthorityName->Buffer == NULL)
  374. {
  375. Status = STATUS_INSUFFICIENT_RESOURCES;
  376. goto Cleanup;
  377. }
  378. NewAuthorityName->MaximumLength = WellKnownSids[LsapAnonymousSidIndex].DomainName.MaximumLength;
  379. RtlCopyUnicodeString(
  380. NewAuthorityName,
  381. &WellKnownSids[LsapAnonymousSidIndex].DomainName
  382. );
  384. }
  385. else
  386. {
  387. NewAccountName->Buffer = (LPWSTR) LsapAllocateLsaHeap(AccountName->MaximumLength);
  388. if (NewAccountName->Buffer == NULL)
  389. {
  390. Status = STATUS_INSUFFICIENT_RESOURCES;
  391. goto Cleanup;
  392. }
  393. NewAccountName->MaximumLength = AccountName->MaximumLength;
  394. RtlCopyUnicodeString(
  395. NewAccountName,
  396. AccountName
  397. );
  399. NewAuthorityName->Buffer = (LPWSTR) LsapAllocateLsaHeap(AuthorityName->MaximumLength);
  400. if (NewAuthorityName->Buffer == NULL)
  401. {
  402. Status = STATUS_INSUFFICIENT_RESOURCES;
  403. goto Cleanup;
  404. }
  405. NewAuthorityName->MaximumLength = AuthorityName->MaximumLength;
  406. RtlCopyUnicodeString(
  407. NewAuthorityName,
  408. AuthorityName
  409. );
  411. if (ARGUMENT_PRESENT(ProfilePath) ) {
  412. NewProfilePath = &LocalProfilePath ;
  414. NewProfilePath->Buffer = (LPWSTR) LsapAllocateLsaHeap(ProfilePath->MaximumLength);
  415. if (NewProfilePath->Buffer == NULL)
  416. {
  417. Status = STATUS_INSUFFICIENT_RESOURCES;
  418. goto Cleanup;
  419. }
  420. NewProfilePath->MaximumLength = ProfilePath->MaximumLength;
  421. RtlCopyUnicodeString(
  422. NewProfilePath,
  423. ProfilePath
  424. );
  426. }
  427. }
  430. Status = LsapSetLogonSessionAccountInfo(
  431. LogonId,
  432. NewAccountName,
  433. NewAuthorityName,
  434. NewProfilePath,
  435. &NewUserSid,
  436. LogonType,
  437. PrimaryCredential
  438. );
  440. if (!NT_SUCCESS(Status))
  441. {
  442. goto Cleanup;
  443. }
  445. LocalAccountName.Buffer = NULL ;
  446. LocalAuthorityName.Buffer = NULL ;
  447. LocalProfilePath.Buffer = NULL ;
  449. //
  450. // Set the token on the session
  451. //
  453. Status = LsapSetSessionToken( *Token, LogonId );
  455. if ( !NT_SUCCESS(Status) ) {
  456. goto Cleanup;
  457. }
  460. Cleanup:
  462. //
  463. // Clean up on failure
  464. //
  466. if ( !NT_SUCCESS(Status) ) {
  468. //
  469. // If we successfully built the token,
  470. // free it.
  471. //
  473. if ( *Token != NULL ) {
  474. NtClose( *Token );
  475. *Token = NULL;
  476. }
  477. }
  480. //
  481. // Always free the token information because the policy filter
  482. // changes it.
  483. //
  485. switch (TokenInformationType) {
  487. case LsaTokenInformationNull:
  489. LsapFreeTokenInformationNull( (PLSA_TOKEN_INFORMATION_NULL) TokenInformation );
  490. break;
  492. case LsaTokenInformationV1:
  494. LsapFreeTokenInformationV1( (PLSA_TOKEN_INFORMATION_V1) TokenInformation );
  495. break;
  497. case LsaTokenInformationV2:
  499. LsapFreeTokenInformationV2( (PLSA_TOKEN_INFORMATION_V2) TokenInformation );
  500. break;
  502. }
  504. if ( LocalAccountName.Buffer != NULL )
  505. {
  506. LsapFreeLsaHeap( LocalAccountName.Buffer );
  507. }
  509. if ( LocalAuthorityName.Buffer != NULL )
  510. {
  511. LsapFreeLsaHeap( LocalAuthorityName.Buffer );
  512. }
  514. if ( LocalProfilePath.Buffer != NULL )
  515. {
  516. LsapFreeLsaHeap( LocalProfilePath.Buffer );
  517. }
  519. if (NewUserSid != NULL) {
  520. LsapFreeLsaHeap( NewUserSid );
  521. }
  522. if ( PrivilegesAssigned != NULL ) {
  524. MIDL_user_free( PrivilegesAssigned );
  525. }
  526. return(Status);
  527. }