archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/admin/services/sched/common/security.cxx

356 lines
9.7 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 1996.
  5. //
  6. // File: security.cxx
  7. //
  8. // Contents:
  9. //
  10. // Classes: None.
  11. //
  12. // Functions: None.
  13. //
  14. // History: 26-Jun-96 MarkBl Created
  15. //
  16. //----------------------------------------------------------------------------
  18. #include "..\pch\headers.hxx"
  19. #pragma hdrstop
  20. #include <common.hxx> // MAX_SID_SIZE
  21. #include "..\inc\debug.hxx"
  22. #include "..\inc\security.hxx"
  25. //+---------------------------------------------------------------------------
  26. //
  27. // Function: CreateSecurityDescriptor
  28. //
  29. // Synopsis: Create a security descriptor with the ACE information
  30. // specified.
  31. //
  32. // Arguments: [AceCount] -- ACE count (no. of rgMyAce and rgAce elements).
  33. // [rgMyAce] -- ACE specification array.
  34. // [rgAce] -- Caller allocated array of ptrs to ACEs so
  35. // this function doesn't have to allocate it.
  36. //
  37. // Returns: TRUE -- Function succeeded,
  38. // FALSE -- Otherwise.
  39. //
  40. // Notes: None.
  41. //
  42. //----------------------------------------------------------------------------
  43. PSECURITY_DESCRIPTOR
  44. CreateSecurityDescriptor(
  45. DWORD AceCount,
  46. MYACE rgMyAce[],
  47. PACCESS_ALLOWED_ACE rgAce[],
  48. DWORD * pStatus)
  49. {
  50. PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
  51. PACL pAcl = NULL;
  52. DWORD LengthAces = 0;
  53. DWORD LengthAcl;
  54. DWORD i;
  55. DWORD Status;
  57. for (i = 0; i < AceCount; i++)
  58. {
  59. rgAce[i] = CreateAccessAllowedAce(rgMyAce[i].pSid,
  60. rgMyAce[i].AccessMask,
  61. 0,
  62. rgMyAce[i].InheritFlags,
  63. &Status);
  65. if (rgAce[i] == NULL)
  66. {
  67. goto ErrorExit;
  68. }
  70. LengthAces += rgAce[i]->Header.AceSize;
  71. }
  73. //
  74. // Calculate ACL and SD sizes
  75. //
  77. LengthAcl = sizeof(ACL) + LengthAces;
  79. //
  80. // Create the ACL.
  81. //
  83. pAcl = (PACL)LocalAlloc(LMEM_FIXED, LengthAcl);
  85. if (pAcl == NULL)
  86. {
  87. Status = ERROR_NOT_ENOUGH_MEMORY;
  88. schDebugOut((DEB_ERROR,
  89. "CreateSecurityDescriptor, ACL allocation failed\n"));
  90. goto ErrorExit;
  91. }
  93. if (!InitializeAcl(pAcl, LengthAcl, ACL_REVISION))
  94. {
  95. Status = GetLastError();
  96. schDebugOut((DEB_ERROR,
  97. "CreateSecurityDescriptor, InitializeAcl failed, " \
  98. "status = 0x%lx\n",
  99. Status));
  100. goto ErrorExit;
  101. }
  103. for (i = 0; i < AceCount; i++)
  104. {
  105. if (!AddAce(pAcl,
  106. ACL_REVISION,
  107. 0,
  108. rgAce[i],
  109. rgAce[i]->Header.AceSize))
  110. {
  111. Status = GetLastError();
  112. schDebugOut((DEB_ERROR,
  113. "CreateSecurityDescriptor, AddAce[%l] failed, " \
  114. "status = 0x%lx\n", i, Status));
  115. goto ErrorExit;
  116. }
  118. LocalFree(rgAce[i]);
  119. rgAce[i] = NULL;
  120. }
  122. //
  123. // Create the security descriptor.
  124. //
  126. pSecurityDescriptor = LocalAlloc(LMEM_FIXED,
  127. SECURITY_DESCRIPTOR_MIN_LENGTH);
  129. if (pSecurityDescriptor == NULL)
  130. {
  131. Status = ERROR_NOT_ENOUGH_MEMORY;
  132. schDebugOut((DEB_ERROR,
  133. "CreateSecurityDescriptor, SECURITY_DESCRIPTOR allocation " \
  134. "failed\n"));
  135. goto ErrorExit;
  136. }
  138. if (!InitializeSecurityDescriptor(pSecurityDescriptor,
  139. SECURITY_DESCRIPTOR_REVISION))
  140. {
  141. Status = GetLastError();
  142. schDebugOut((DEB_ERROR,
  143. "CreateSecurityDescriptor, InitializeSecurityDescriptor " \
  144. "failed, status = 0x%lx\n",
  145. Status));
  146. goto ErrorExit;
  147. }
  149. if (!SetSecurityDescriptorDacl(pSecurityDescriptor,
  150. TRUE,
  151. pAcl,
  152. FALSE))
  153. {
  154. Status = GetLastError();
  155. schDebugOut((DEB_ERROR,
  156. "CreateSecurityDescriptor, SetSecurityDescriptorDacl " \
  157. "failed, status = 0x%lx\n",
  158. Status));
  159. goto ErrorExit;
  160. }
  162. if (pStatus != NULL) *pStatus = ERROR_SUCCESS;
  164. return(pSecurityDescriptor);
  166. ErrorExit:
  167. for (i = 0; i < AceCount; i++)
  168. {
  169. if (rgAce[i] != NULL)
  170. {
  171. LocalFree(rgAce[i]);
  172. rgAce[i] = NULL;
  173. }
  174. }
  175. if (pAcl != NULL) LocalFree(pAcl);
  176. if (pSecurityDescriptor != NULL) LocalFree(pSecurityDescriptor);
  178. if (pStatus != NULL) *pStatus = Status;
  180. return(NULL);
  181. }
  183. //+---------------------------------------------------------------------------
  184. //
  185. // Function: DeleteSecurityDescriptor
  186. //
  187. // Synopsis: Deallocate the security descriptor allocated in
  188. // CreateSecurityDescriptor.
  189. //
  190. // Arguments: [pSecurityDescriptor] -- SD returned from
  191. // CreateSecurityDescriptor.
  192. //
  193. // Returns: None.
  194. //
  195. // Notes: None.
  196. //
  197. //----------------------------------------------------------------------------
  198. void
  199. DeleteSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor)
  200. {
  201. BOOL fPresent;
  202. BOOL fDefaulted;
  203. PACL pAcl;
  205. schAssert(pSecurityDescriptor != NULL);
  207. if (GetSecurityDescriptorDacl(pSecurityDescriptor,
  208. &fPresent,
  209. &pAcl,
  210. &fDefaulted))
  211. {
  212. if (fPresent && pAcl != NULL)
  213. {
  214. LocalFree(pAcl);
  215. }
  216. }
  217. else
  218. {
  219. schDebugOut((DEB_ERROR,
  220. "DeleteSecurityDescriptor, GetSecurityDescriptorDacl failed, " \
  221. "status = 0x%lx\n",
  222. GetLastError()));
  223. }
  225. LocalFree(pSecurityDescriptor);
  226. }
  228. //+---------------------------------------------------------------------------
  229. //
  230. // Function: CreateAccessAllowedAce
  231. //
  232. // Synopsis: Scavenged code from winlogon to create an access allowed ACE.
  233. // Modified a bit to use Win32 vs. Rtl.
  234. //
  235. // Arguments: [pSid] -- Sid to which this ACE is applied.
  236. // [AccessMask] -- ACE access mask value.
  237. // [AceFlags] -- ACE flags value.
  238. // [InheritFlags] -- ACE inherit flags value.
  239. //
  240. // Returns: Created ACE if successful.
  241. // NULL on error.
  242. //
  243. // Notes: None.
  244. //
  245. //----------------------------------------------------------------------------
  246. PACCESS_ALLOWED_ACE
  247. CreateAccessAllowedAce(
  248. PSID pSid,
  249. ACCESS_MASK AccessMask,
  250. UCHAR AceFlags,
  251. UCHAR InheritFlags,
  252. DWORD * pStatus)
  253. {
  254. ULONG LengthSid = GetLengthSid(pSid);
  255. ULONG LengthACE = sizeof(ACE_HEADER) + sizeof(ACCESS_MASK) + LengthSid;
  256. PACCESS_ALLOWED_ACE Ace;
  258. Ace = (PACCESS_ALLOWED_ACE)LocalAlloc(LMEM_FIXED, LengthACE);
  260. if (Ace == NULL)
  261. {
  262. if (pStatus != NULL) *pStatus = ERROR_NOT_ENOUGH_MEMORY;
  263. schDebugOut((DEB_ERROR,
  264. "CreateAccessAllowedAce, ACE allocation failed\n"));
  265. return(NULL);
  266. }
  268. Ace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
  269. Ace->Header.AceSize = (UCHAR)LengthACE;
  270. Ace->Header.AceFlags = AceFlags | InheritFlags;
  271. Ace->Mask = AccessMask;
  272. CopySid(LengthSid, (PSID)(&(Ace->SidStart)), pSid);
  274. if (pStatus != NULL) *pStatus = ERROR_SUCCESS;
  276. return(Ace);
  277. }
  280. //+---------------------------------------------------------------------------
  281. //
  282. // Function: IsThreadCallerAnAdmin
  283. //
  284. // Synopsis: Determine if the user represented by the specified token is a
  285. // member of the administrators group.
  286. //
  287. // Arguments: [hThreadToken] -- Token to check. If NULL, the current
  288. // thread's token is used if there is one, or else the
  289. // current process' token.
  290. //
  291. // Returns: TRUE -- Match
  292. // FALSE -- Thread caller not an admin or an error occurred.
  293. //
  294. //----------------------------------------------------------------------------
  295. BOOL
  296. IsThreadCallerAnAdmin(HANDLE hThreadToken)
  297. {
  298. //
  299. // Create an admin SID to compare against.
  300. //
  301. #if 1
  302. //
  303. // Efficient way - relies on the format of the SID structure (which is
  304. // published in winnt.h) - valid for at least NT 4 and NT 5
  305. //
  307. schAssert(sizeof SID == 12);
  309. const struct
  310. {
  311. SID Sid;
  312. DWORD SubAuthority1;
  313. } AdminSid =
  314. {
  315. { SID_REVISION, // Revision
  316. 2, // SubAuthorityCount
  317. SECURITY_NT_AUTHORITY, // IdentifierAuthority
  318. SECURITY_BUILTIN_DOMAIN_RID }, // SubAuthority[0]
  319. DOMAIN_ALIAS_RID_ADMINS // SubAuthority[1]
  320. };
  321. #else
  322. /*
  323. #error SID structure has changed!
  324. //
  325. // Inefficient way, initialize at run time
  326. //
  327. BYTE AdminSid[MAX_SID_SIZE];
  328. SID_IDENTIFIER_AUTHORITY IdentifierAuthority = SECURITY_NT_AUTHORITY;
  330. if (! InitializeSid(rgbAdminSid, &IdentifierAuthority, 2))
  331. {
  332. schAssert(0);
  333. CHECK_HRESULT(HRESULT_FROM_WIN32(GetLastError()));
  334. return FALSE;
  335. }
  337. *GetSidSubAuthority(rgbAdminSid, 0) = SECURITY_BUILTIN_DOMAIN_RID;
  338. *GetSidSubAuthority(rgbAdminSid, 1) = DOMAIN_ALIAS_RID_ADMINS;
  339. */
  340. #endif
  342. //
  343. // See if the token is a member.
  344. //
  345. BOOL fIsCallerAdmin;
  346. if (!CheckTokenMembership(hThreadToken,
  347. (PSID) &AdminSid,
  348. &fIsCallerAdmin))
  349. {
  350. CHECK_HRESULT(HRESULT_FROM_WIN32(GetLastError()));
  351. return FALSE;
  352. }
  354. return fIsCallerAdmin;
  355. }