archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/inetsrv/iis/admin/common/accentry.cpp

779 lines
15 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1994-1999 Microsoft Corporation
  5. Module Name :
  7. accentry.cpp
  9. Abstract:
  11. CAccessEntry class implementation
  13. Author:
  15. Ronald Meijer (ronaldm)
  17. Project:
  19. Internet Services Manager
  21. Revision History:
  22. 1/9/2000 sergeia Cleaned out from usrbrows.cpp
  24. --*/
  26. //
  27. // Include Files
  28. //
  29. #include "stdafx.h"
  30. #include <iiscnfgp.h>
  31. #include "common.h"
  32. #include "objpick.h"
  33. #include "accentry.h"
  37. #ifdef _DEBUG
  38. #undef THIS_FILE
  39. static char BASED_CODE THIS_FILE[] = __FILE__;
  40. #endif
  43. #define new DEBUG_NEW
  44. #define SZ_USER_CLASS _T("user")
  45. #define SZ_GROUP_CLASS _T("group")
  47. BOOL
  48. CAccessEntry::LookupAccountSid(
  49. OUT CString & strFullUserName,
  50. OUT int & nPictureID,
  51. IN PSID pSid,
  52. IN LPCTSTR lpstrSystemName /* OPTIONAL */
  53. )
  54. /*++
  56. Routine Description:
  58. Get a full user name and picture ID from the SID
  60. Arguments:
  62. CString &strFullUserName : Returns the user name
  63. int & nPictureID : Returns offset into the imagemap that
  64. represents the account type.
  65. PSID pSid : Input SID pointer
  66. LPCTSTR lpstrSystemName : System name or NULL
  68. Return Value:
  70. TRUE for success, FALSE for failure.
  72. --*/
  73. {
  74. DWORD cbUserName = PATHLEN * sizeof(TCHAR);
  75. DWORD cbRefDomainName = PATHLEN * sizeof(TCHAR);
  77. CString strUserName;
  78. CString strRefDomainName;
  79. SID_NAME_USE SidToNameUse;
  81. LPTSTR lpUserName = strUserName.GetBuffer(PATHLEN);
  82. LPTSTR lpRefDomainName = strRefDomainName.GetBuffer(PATHLEN);
  83. BOOL fLookUpOK = ::LookupAccountSid(
  84. lpstrSystemName,
  85. pSid,
  86. lpUserName,
  87. &cbUserName,
  88. lpRefDomainName,
  89. &cbRefDomainName,
  90. &SidToNameUse
  91. );
  93. strUserName.ReleaseBuffer();
  94. strRefDomainName.ReleaseBuffer();
  96. strFullUserName.Empty();
  98. if (fLookUpOK)
  99. {
  100. if (!strRefDomainName.IsEmpty()
  101. && strRefDomainName.CompareNoCase(_T("BUILTIN")))
  102. {
  103. strFullUserName += strRefDomainName;
  104. strFullUserName += "\\";
  105. }
  107. strFullUserName += strUserName;
  109. nPictureID = SidToNameUse;
  110. }
  111. else
  112. {
  113. strFullUserName.LoadString(IDS_UNKNOWN_USER);
  114. nPictureID = SidTypeUnknown;
  115. }
  117. //
  118. // SID_NAME_USE is 1-based
  119. //
  120. --nPictureID ;
  122. return fLookUpOK;
  123. }
  127. CAccessEntry::CAccessEntry(
  128. IN LPVOID pAce,
  129. IN BOOL fResolveSID
  130. )
  131. /*++
  133. Routine Description:
  135. Construct from an ACE
  137. Arguments:
  139. LPVOID pAce : Pointer to ACE object
  140. BOOL fResolveSID : TRUE to resolve the SID immediately
  142. Return Value:
  144. N/A
  146. --*/
  147. : m_pSid(NULL),
  148. m_fSIDResolved(FALSE),
  149. m_fDeletable(TRUE),
  150. m_fInvisible(FALSE),
  151. m_nPictureID(SidTypeUnknown-1), // SID_NAME_USE is 1-based
  152. m_lpstrSystemName(NULL),
  153. m_accMask(0L),
  154. m_fDeleted(FALSE),
  155. m_strUserName()
  156. {
  157. MarkEntryAsClean();
  159. PACE_HEADER ph = (PACE_HEADER)pAce;
  160. PSID pSID = NULL;
  162. switch(ph->AceType)
  163. {
  164. case ACCESS_ALLOWED_ACE_TYPE:
  165. pSID = (PSID)&((PACCESS_ALLOWED_ACE)pAce)->SidStart;
  166. m_accMask = ((PACCESS_ALLOWED_ACE)pAce)->Mask;
  167. break;
  169. case ACCESS_DENIED_ACE_TYPE:
  170. case SYSTEM_AUDIT_ACE_TYPE:
  171. case SYSTEM_ALARM_ACE_TYPE:
  172. default:
  173. //
  174. // Not supported!
  175. //
  176. ASSERT_MSG("Unsupported ACE type");
  177. break;
  178. }
  180. if (pSID == NULL)
  181. {
  182. return;
  183. }
  185. //
  186. // Allocate a new copy of the sid.
  187. //
  188. DWORD cbSize = ::RtlLengthSid(pSID);
  189. m_pSid = (PSID)AllocMem(cbSize);
  190. if (m_pSid != NULL)
  191. {
  192. DWORD err = ::RtlCopySid(cbSize, m_pSid, pSID);
  193. ASSERT(err == ERROR_SUCCESS);
  194. }
  196. //
  197. // Only the non-deletable administrators have execute
  198. // privileges
  199. //
  200. m_fDeletable = (m_accMask & FILE_EXECUTE) == 0L;
  202. //
  203. // Enum_keys is a special access right that literally "everyone"
  204. // has, but it doesn't designate an operator, so it should not
  205. // show up in the operator list if this is the only right it has.
  206. //
  207. m_fInvisible = (m_accMask == MD_ACR_ENUM_KEYS);
  209. //SetAccessMask(lpAccessEntry);
  211. if (fResolveSID)
  212. {
  213. ResolveSID();
  214. }
  215. }
  219. CAccessEntry::CAccessEntry(
  220. IN ACCESS_MASK accPermissions,
  221. IN PSID pSid,
  222. IN LPCTSTR lpstrSystemName, OPTIONAL
  223. IN BOOL fResolveSID
  224. )
  225. /*++
  227. Routine Description:
  229. Constructor from access permissions and SID.
  231. Arguments:
  233. ACCESS_MASK accPermissions : Access mask
  234. PSID pSid : Pointer to SID
  235. LPCTSTR lpstrSystemName : Optional system name
  236. BOOL fResolveSID : TRUE to resolve SID immediately
  238. Return Value:
  240. N/A
  242. --*/
  243. : m_pSid(NULL),
  244. m_fSIDResolved(FALSE),
  245. m_fDeletable(TRUE),
  246. m_fInvisible(FALSE),
  247. m_fDeleted(FALSE),
  248. m_nPictureID(SidTypeUnknown-1), // SID_NAME_USE is 1-based
  249. m_strUserName(),
  250. m_lpstrSystemName(NULL),
  251. m_accMask(accPermissions)
  252. {
  253. MarkEntryAsClean();
  255. //
  256. // Allocate a new copy of the sid.
  257. //
  258. DWORD cbSize = ::RtlLengthSid(pSid);
  259. m_pSid = (PSID)AllocMem(cbSize);
  260. if (m_pSid != NULL)
  261. {
  262. DWORD err = ::RtlCopySid(cbSize, m_pSid, pSid);
  263. ASSERT(err == ERROR_SUCCESS);
  264. }
  265. if (lpstrSystemName != NULL)
  266. {
  267. m_lpstrSystemName = AllocTString(::lstrlen(lpstrSystemName) + 1);
  268. if (m_lpstrSystemName != NULL)
  269. {
  270. ::lstrcpy(m_lpstrSystemName, lpstrSystemName);
  271. }
  272. }
  274. if (fResolveSID)
  275. {
  276. TRACEEOLID("Bogus SID");
  277. ResolveSID();
  278. }
  279. }
  283. CAccessEntry::CAccessEntry(
  284. IN PSID pSid,
  285. IN LPCTSTR pszUserName,
  286. IN LPCTSTR pszClassName
  287. )
  288. /*++
  290. Routine Description:
  292. Constructor from access sid and user/class name.
  294. Arguments:
  296. PSID pSid, Pointer to SID
  297. LPCTSTR pszUserName User name
  298. LPCTSTR pszClassName User Class name
  300. Return Value:
  302. N/A
  304. --*/
  305. : m_pSid(NULL),
  306. m_fSIDResolved(pszUserName != NULL),
  307. m_fDeletable(TRUE),
  308. m_fInvisible(FALSE),
  309. m_fDeleted(FALSE),
  310. m_nPictureID(SidTypeUnknown-1), // SID_NAME_USE is 1-based
  311. m_strUserName(pszUserName),
  312. m_lpstrSystemName(NULL),
  313. m_accMask(0)
  314. {
  315. MarkEntryAsClean();
  317. //
  318. // Allocate a new copy of the sid.
  319. //
  320. DWORD cbSize = ::RtlLengthSid(pSid);
  321. m_pSid = (PSID)AllocMem(cbSize);
  322. if (m_pSid != NULL)
  323. {
  324. DWORD err = ::RtlCopySid(cbSize, m_pSid, pSid);
  325. ASSERT(err == ERROR_SUCCESS);
  326. }
  327. if (lstrcmpi(SZ_USER_CLASS, pszClassName) == 0)
  328. {
  329. m_nPictureID = SidTypeUser - 1;
  330. }
  331. else if (lstrcmpi(SZ_GROUP_CLASS, pszClassName) == 0)
  332. {
  333. m_nPictureID = SidTypeGroup - 1;
  334. }
  335. }
  340. CAccessEntry::CAccessEntry(
  341. IN CAccessEntry & ae
  342. )
  343. /*++
  345. Routine Description:
  347. Copy constructor
  349. Arguments:
  351. CAccessEntry & ae : Source to copy from
  353. Return Value:
  355. N/A
  357. --*/
  358. : m_fSIDResolved(ae.m_fSIDResolved),
  359. m_fDeletable(ae.m_fDeletable),
  360. m_fInvisible(ae.m_fInvisible),
  361. m_fDeleted(ae.m_fDeleted),
  362. m_fDirty(ae.m_fDirty),
  363. m_nPictureID(ae.m_nPictureID),
  364. m_strUserName(ae.m_strUserName),
  365. m_lpstrSystemName(ae.m_lpstrSystemName),
  366. m_accMask(ae.m_accMask)
  367. {
  368. DWORD cbSize = ::RtlLengthSid(ae.m_pSid);
  369. m_pSid = (PSID)AllocMem(cbSize);
  370. if (m_pSid != NULL)
  371. {
  372. DWORD err = ::RtlCopySid(cbSize, m_pSid, ae.m_pSid);
  373. ASSERT(err == ERROR_SUCCESS);
  374. }
  375. }
  380. CAccessEntry::~CAccessEntry()
  381. /*++
  383. Routine Description:
  385. Destructor
  387. Arguments:
  389. N/A
  391. Return Value:
  393. N/A
  395. --*/
  396. {
  397. TRACEEOLID(_T("Destroying local copy of the SID"));
  398. ASSERT_PTR(m_pSid);
  399. FreeMem(m_pSid);
  401. if (m_lpstrSystemName != NULL)
  402. {
  403. FreeMem(m_lpstrSystemName);
  404. }
  405. }
  410. BOOL
  411. CAccessEntry::ResolveSID()
  412. /*++
  414. Routine Description:
  416. Look up the user name and type.
  418. Arguments:
  420. None
  422. Return Value:
  424. TRUE for success, FALSE for failure.
  426. Notes:
  428. This could take some time.
  430. --*/
  431. {
  432. //
  433. // Even if it fails, it will be considered
  434. // resolved
  435. //
  436. m_fSIDResolved = TRUE;
  438. return CAccessEntry::LookupAccountSid(
  439. m_strUserName,
  440. m_nPictureID,
  441. m_pSid,
  442. m_lpstrSystemName
  443. );
  444. }
  448. void
  449. CAccessEntry::AddPermissions(
  450. IN ACCESS_MASK accNewPermissions
  451. )
  452. /*++
  454. Routine Description:
  456. Add permissions to this entry.
  458. Arguments:
  460. ACCESS_MASK accNewPermissions : New access permissions to be added
  462. Return Value:
  464. None.
  466. --*/
  467. {
  468. m_accMask |= accNewPermissions;
  469. m_fInvisible = (m_accMask == MD_ACR_ENUM_KEYS);
  470. m_fDeletable = (m_accMask & FILE_EXECUTE) == 0L;
  471. MarkEntryAsChanged();
  472. }
  476. void
  477. CAccessEntry::RemovePermissions(
  478. IN ACCESS_MASK accPermissions
  479. )
  480. /*++
  482. Routine Description:
  484. Remove permissions from this entry.
  486. Arguments:
  488. ACCESS_MASK accPermissions : Access permissions to be taken away
  490. --*/
  491. {
  492. m_accMask &= ~accPermissions;
  493. MarkEntryAsChanged();
  494. }
  496. //
  497. // Helper Functions
  498. //
  499. // <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
  503. PSID
  504. GetOwnerSID()
  505. /*++
  507. Routine Description:
  509. Return a pointer to the primary owner SID we're using.
  511. Arguments:
  513. None
  515. Return Value:
  517. Pointer to owner SID.
  519. --*/
  520. {
  521. PSID pSID = NULL;
  523. SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
  525. if (!::AllocateAndInitializeSid(
  526. &NtAuthority,
  527. 2,
  528. SECURITY_BUILTIN_DOMAIN_RID,
  529. DOMAIN_ALIAS_RID_ADMINS,
  530. 0, 0, 0, 0, 0, 0,
  531. &pSID
  532. ))
  533. {
  534. TRACEEOLID("Unable to get primary SID " << ::GetLastError());
  535. }
  537. return pSID;
  538. }
  542. BOOL
  543. BuildAclBlob(
  544. IN CObListPlus & oblSID,
  545. OUT CBlob & blob
  546. )
  547. /*++
  549. Routine Description:
  551. Build a security descriptor blob from the access entries in the oblist
  553. Arguments:
  555. CObListPlus & oblSID : Input list of access entries
  556. CBlob & blob : Output blob
  558. Return Value:
  560. TRUE if the list is dirty. If the list had no entries marked
  561. as dirty, the blob generated will be empty, and this function will
  562. return FALSE.
  564. Notes:
  566. Entries marked as deleted will not be added to the list.
  568. --*/
  569. {
  570. ASSERT(blob.IsEmpty());
  572. BOOL fAclDirty = FALSE;
  573. CAccessEntry * pEntry;
  575. DWORD dwAclSize = sizeof(ACL) - sizeof(DWORD);
  576. CObListIter obli(oblSID);
  577. int cItems = 0;
  579. while(NULL != (pEntry = (CAccessEntry *)obli.Next()))
  580. {
  581. if (!pEntry->IsDeleted())
  582. {
  583. dwAclSize += GetLengthSid(pEntry->GetSid());
  584. dwAclSize += sizeof(ACCESS_ALLOWED_ACE);
  585. ++cItems;
  586. }
  588. if (pEntry->IsDirty())
  589. {
  590. fAclDirty = TRUE;
  591. }
  592. }
  594. if (fAclDirty)
  595. {
  596. //
  597. // Build the acl
  598. //
  599. PACL pacl = NULL;
  601. if (cItems > 0 && dwAclSize > 0)
  602. {
  603. pacl = (PACL)AllocMem(dwAclSize);
  604. if (pacl != NULL)
  605. {
  606. if (InitializeAcl(pacl, dwAclSize, ACL_REVISION))
  607. {
  608. obli.Reset();
  609. while(NULL != (pEntry = (CAccessEntry *)obli.Next()))
  610. {
  611. if (!pEntry->IsDeleted())
  612. {
  613. VERIFY(AddAccessAllowedAce(
  614. pacl,
  615. ACL_REVISION,
  616. pEntry->QueryAccessMask(),
  617. pEntry->GetSid()
  618. ));
  619. }
  620. }
  621. }
  622. }
  623. else
  624. {
  625. return FALSE;
  626. }
  627. }
  629. //
  630. // Build the security descriptor
  631. //
  632. PSECURITY_DESCRIPTOR pSD =
  633. (PSECURITY_DESCRIPTOR)AllocMem(SECURITY_DESCRIPTOR_MIN_LENGTH);
  634. if (pSD != NULL)
  635. {
  636. VERIFY(InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION));
  637. VERIFY(SetSecurityDescriptorDacl(pSD, TRUE, pacl, FALSE));
  638. }
  639. else
  640. {
  641. return FALSE;
  642. }
  644. //
  645. // Set owner and primary group
  646. //
  647. PSID pSID = GetOwnerSID();
  648. ASSERT(pSID);
  649. VERIFY(SetSecurityDescriptorOwner(pSD, pSID, TRUE));
  650. VERIFY(SetSecurityDescriptorGroup(pSD, pSID, TRUE));
  652. //
  653. // Convert to self-relative
  654. //
  655. PSECURITY_DESCRIPTOR pSDSelfRelative = NULL;
  656. DWORD dwSize = 0L;
  657. MakeSelfRelativeSD(pSD, pSDSelfRelative, &dwSize);
  658. pSDSelfRelative = AllocMem(dwSize);
  659. if (pSDSelfRelative != NULL)
  660. {
  661. MakeSelfRelativeSD(pSD, pSDSelfRelative, &dwSize);
  663. //
  664. // Blob takes ownership
  665. //
  666. blob.SetValue(dwSize, (PBYTE)pSDSelfRelative, FALSE);
  667. }
  669. //
  670. // Clean up
  671. //
  672. FreeMem(pSD);
  673. FreeSid(pSID);
  674. }
  676. return fAclDirty;
  677. }
  681. DWORD
  682. BuildAclOblistFromBlob(
  683. IN CBlob & blob,
  684. OUT CObListPlus & oblSID
  685. )
  686. /*++
  688. Routine Description:
  690. Build an oblist of access entries from a security descriptor blob
  692. Arguments:
  694. CBlob & blob : Input blob
  695. CObListPlus & oblSID : Output oblist of access entries
  697. Return Value:
  699. Error return code
  701. --*/
  702. {
  703. PSECURITY_DESCRIPTOR pSD = NULL;
  705. if (!blob.IsEmpty())
  706. {
  707. pSD = (PSECURITY_DESCRIPTOR)blob.GetData();
  708. }
  710. if (pSD == NULL)
  711. {
  712. //
  713. // Empty...
  714. //
  715. return ERROR_SUCCESS;
  716. }
  718. if (!IsValidSecurityDescriptor(pSD))
  719. {
  720. return ::GetLastError();
  721. }
  723. ASSERT(GetSecurityDescriptorLength(pSD) == blob.GetSize());
  725. PACL pacl = NULL;
  726. BOOL fDaclPresent = FALSE;
  727. BOOL fDaclDef= FALSE;
  729. VERIFY(GetSecurityDescriptorDacl(pSD, &fDaclPresent, &pacl, &fDaclDef));
  731. if (!fDaclPresent || pacl == NULL)
  732. {
  733. return ERROR_SUCCESS;
  734. }
  736. if (!IsValidAcl(pacl))
  737. {
  738. return GetLastError();
  739. }
  741. CError err;
  743. for (WORD w = 0; w < pacl->AceCount; ++w)
  744. {
  745. PVOID pAce;
  747. if (GetAce(pacl, w, &pAce))
  748. {
  749. CAccessEntry * pEntry = new CAccessEntry(pAce, TRUE);
  751. if (pEntry)
  752. {
  753. oblSID.AddTail(pEntry);
  754. }
  755. else
  756. {
  757. TRACEEOLID("BuildAclOblistFromBlob: OOM");
  758. err = ERROR_NOT_ENOUGH_MEMORY;
  759. break;
  760. }
  761. }
  762. else
  763. {
  764. //
  765. // Save last error, but continue
  766. //
  767. err.GetLastWinError();
  768. }
  769. }
  771. //
  772. // Return last error
  773. //
  774. return err;
  775. }