archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/services/smartcrd/common/ntacls.cpp

1234 lines
33 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (C) Microsoft Corporation, 1996 - 1999
  5. Module Name:
  7. NTacls
  9. Abstract:
  11. This module implements the CSecurityAttribute class. It's job is to
  12. encapsulate the NT security descriptors as needed by Calais.
  14. Author:
  16. Doug Barlow (dbarlow) 1/24/1997
  18. Environment:
  20. Windows NT, Win32, C++ w/ Exceptions
  22. Notes:
  24. ?Notes?
  26. --*/
  28. #ifndef WIN32_LEAN_AND_MEAN
  29. #define WIN32_LEAN_AND_MEAN
  30. #endif
  31. #include <windows.h>
  32. #include <CalaisLb.h>
  35. const CSecurityDescriptor::SecurityId
  36. CSecurityDescriptor::SID_Null = { SECURITY_NULL_SID_AUTHORITY, 1, SECURITY_NULL_RID, 0 },
  37. CSecurityDescriptor::SID_World = { SECURITY_WORLD_SID_AUTHORITY, 1, SECURITY_WORLD_RID, 0 },
  38. CSecurityDescriptor::SID_Local = { SECURITY_LOCAL_SID_AUTHORITY, 1, SECURITY_LOCAL_RID, 0 },
  39. CSecurityDescriptor::SID_Owner = { SECURITY_CREATOR_SID_AUTHORITY, 1, SECURITY_CREATOR_OWNER_RID, 0 },
  40. CSecurityDescriptor::SID_Group = { SECURITY_CREATOR_SID_AUTHORITY, 1, SECURITY_CREATOR_GROUP_RID, 0 },
  41. CSecurityDescriptor::SID_Admins = { SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS },
  42. CSecurityDescriptor::SID_SrvOps = { SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_SYSTEM_OPS },
  43. CSecurityDescriptor::SID_DialUp = { SECURITY_NT_AUTHORITY, 1, SECURITY_DIALUP_RID, 0 },
  44. CSecurityDescriptor::SID_Network = { SECURITY_NT_AUTHORITY, 1, SECURITY_NETWORK_RID, 0 },
  45. CSecurityDescriptor::SID_Batch = { SECURITY_NT_AUTHORITY, 1, SECURITY_BATCH_RID, 0 },
  46. CSecurityDescriptor::SID_Interactive = { SECURITY_NT_AUTHORITY, 1, SECURITY_INTERACTIVE_RID, 0 },
  47. CSecurityDescriptor::SID_Service = { SECURITY_NT_AUTHORITY, 1, SECURITY_SERVICE_RID, 0 },
  48. CSecurityDescriptor::SID_System = { SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SYSTEM_RID, 0 },
  49. CSecurityDescriptor::SID_LocalService ={ SECURITY_NT_AUTHORITY, 1, SECURITY_LOCAL_SERVICE_RID, 0 },
  50. CSecurityDescriptor::SID_SysDomain = { SECURITY_NT_AUTHORITY, 1, SECURITY_BUILTIN_DOMAIN_RID, 0 };
  52. CSecurityDescriptor::CSecurityDescriptor()
  53. {
  54. m_pSD = NULL;
  55. m_pOwner = NULL;
  56. m_pGroup = NULL;
  57. m_pDACL = NULL;
  58. m_pSACL= NULL;
  59. m_fInheritance = FALSE;
  60. }
  62. CSecurityDescriptor::~CSecurityDescriptor()
  63. {
  64. if (m_pSD)
  65. delete m_pSD;
  66. if (m_pOwner)
  67. delete[] (LPBYTE)m_pOwner;
  68. if (m_pGroup)
  69. delete[] (LPBYTE)m_pGroup;
  70. if (m_pDACL)
  71. delete[] (LPBYTE)m_pDACL;
  72. if (m_pSACL)
  73. delete[] (LPBYTE)m_pSACL;
  74. }
  76. HRESULT CSecurityDescriptor::Initialize()
  77. {
  78. if (m_pSD)
  79. {
  80. delete m_pSD;
  81. m_pSD = NULL;
  82. }
  83. if (m_pOwner)
  84. {
  85. delete[] (LPBYTE)(m_pOwner);
  86. m_pOwner = NULL;
  87. }
  88. if (m_pGroup)
  89. {
  90. delete[] (LPBYTE)(m_pGroup);
  91. m_pGroup = NULL;
  92. }
  93. if (m_pDACL)
  94. {
  95. delete[] (LPBYTE)(m_pDACL);
  96. m_pDACL = NULL;
  97. }
  98. if (m_pSACL)
  99. {
  100. delete[] (LPBYTE)(m_pSACL);
  101. m_pSACL = NULL;
  102. }
  104. m_pSD = new SECURITY_DESCRIPTOR;
  105. if (!m_pSD)
  106. return E_OUTOFMEMORY;
  107. if (!InitializeSecurityDescriptor(m_pSD, SECURITY_DESCRIPTOR_REVISION))
  108. {
  109. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  110. delete m_pSD;
  111. m_pSD = NULL;
  112. _ASSERTE(FALSE);
  113. return hr;
  114. }
  115. // Set the DACL to allow EVERYONE
  116. SetSecurityDescriptorDacl(m_pSD, TRUE, NULL, FALSE);
  117. return S_OK;
  118. }
  120. HRESULT CSecurityDescriptor::InitializeFromProcessToken(BOOL bDefaulted)
  121. {
  122. PSID pUserSid;
  123. PSID pGroupSid;
  124. HRESULT hr;
  126. Initialize();
  127. hr = GetProcessSids(&pUserSid, &pGroupSid);
  128. if (!FAILED(hr))
  129. hr = SetOwner(pUserSid, bDefaulted);
  130. if (!FAILED(hr))
  131. hr = SetGroup(pGroupSid, bDefaulted);
  133. if (pUserSid)
  134. delete[] (LPBYTE)(pUserSid);
  135. if (pGroupSid)
  136. delete[] (LPBYTE)(pGroupSid);
  138. if (FAILED(hr))
  139. return hr;
  140. return S_OK;
  141. }
  143. HRESULT CSecurityDescriptor::InitializeFromThreadToken(BOOL bDefaulted, BOOL bRevertToProcessToken)
  144. {
  145. PSID pUserSid;
  146. PSID pGroupSid;
  147. HRESULT hr;
  149. Initialize();
  150. hr = GetThreadSids(&pUserSid, &pGroupSid);
  151. if (HRESULT_CODE(hr) == ERROR_NO_TOKEN && bRevertToProcessToken)
  152. hr = GetProcessSids(&pUserSid, &pGroupSid);
  153. if (!FAILED(hr))
  154. hr = SetOwner(pUserSid, bDefaulted);
  155. if (!FAILED(hr))
  156. hr = SetGroup(pGroupSid, bDefaulted);
  158. if (pUserSid)
  159. delete[] (LPBYTE)(pUserSid);
  160. if (pGroupSid)
  161. delete[] (LPBYTE)(pGroupSid);
  163. if (FAILED(hr))
  164. return hr;
  165. return S_OK;
  166. }
  168. HRESULT CSecurityDescriptor::SetOwner(PSID pOwnerSid, BOOL bDefaulted)
  169. {
  170. _ASSERTE(m_pSD);
  172. // Mark the SD as having no owner
  173. if (!SetSecurityDescriptorOwner(m_pSD, NULL, bDefaulted))
  174. {
  175. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  176. _ASSERTE(FALSE);
  177. return hr;
  178. }
  180. if (m_pOwner)
  181. {
  182. delete[] (LPBYTE)(m_pOwner);
  183. m_pOwner = NULL;
  184. }
  186. // If they asked for no owner don't do the copy
  187. if (pOwnerSid == NULL)
  188. return S_OK;
  190. // Make a copy of the Sid for the return value
  191. DWORD dwSize = GetLengthSid(pOwnerSid);
  193. m_pOwner = (PSID) new BYTE[dwSize];
  194. if (!m_pOwner)
  195. {
  196. // Insufficient memory to allocate Sid
  197. _ASSERTE(FALSE);
  198. return E_OUTOFMEMORY;
  199. }
  200. if (!CopySid(dwSize, m_pOwner, pOwnerSid))
  201. {
  202. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  203. _ASSERTE(FALSE);
  204. delete[] (LPBYTE)(m_pOwner);
  205. m_pOwner = NULL;
  206. return hr;
  207. }
  209. _ASSERTE(IsValidSid(m_pOwner));
  211. if (!SetSecurityDescriptorOwner(m_pSD, m_pOwner, bDefaulted))
  212. {
  213. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  214. _ASSERTE(FALSE);
  215. delete[] (LPBYTE)(m_pOwner);
  216. m_pOwner = NULL;
  217. return hr;
  218. }
  220. return S_OK;
  221. }
  223. HRESULT CSecurityDescriptor::SetGroup(PSID pGroupSid, BOOL bDefaulted)
  224. {
  225. _ASSERTE(m_pSD);
  227. // Mark the SD as having no Group
  228. if (!SetSecurityDescriptorGroup(m_pSD, NULL, bDefaulted))
  229. {
  230. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  231. _ASSERTE(FALSE);
  232. return hr;
  233. }
  235. if (m_pGroup)
  236. {
  237. delete[] (LPBYTE)(m_pGroup);
  238. m_pGroup = NULL;
  239. }
  241. // If they asked for no Group don't do the copy
  242. if (pGroupSid == NULL)
  243. return S_OK;
  245. // Make a copy of the Sid for the return value
  246. DWORD dwSize = GetLengthSid(pGroupSid);
  248. m_pGroup = (PSID) new BYTE[dwSize];
  249. if (!m_pGroup)
  250. {
  251. // Insufficient memory to allocate Sid
  252. _ASSERTE(FALSE);
  253. return E_OUTOFMEMORY;
  254. }
  255. if (!CopySid(dwSize, m_pGroup, pGroupSid))
  256. {
  257. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  258. _ASSERTE(FALSE);
  259. delete[] (LPBYTE)(m_pGroup);
  260. m_pGroup = NULL;
  261. return hr;
  262. }
  264. _ASSERTE(IsValidSid(m_pGroup));
  266. if (!SetSecurityDescriptorGroup(m_pSD, m_pGroup, bDefaulted))
  267. {
  268. HRESULT hr = HRESULT_FROM_WIN32(GetLastError());
  269. _ASSERTE(FALSE);
  270. delete[] (LPBYTE)(m_pGroup);
  271. m_pGroup = NULL;
  272. return hr;
  273. }
  275. return S_OK;
  276. }
  278. HRESULT CSecurityDescriptor::Allow(const SecurityId *psidPrincipal, DWORD dwAccessMask)
  279. {
  280. HRESULT hr = AddAccessAllowedACEToACL(&m_pDACL, psidPrincipal, dwAccessMask);
  281. if (SUCCEEDED(hr))
  282. {
  283. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  284. hr = HRESULT_FROM_WIN32(GetLastError());
  285. }
  286. return hr;
  287. }
  289. HRESULT CSecurityDescriptor::Allow(LPCTSTR pszPrincipal, DWORD dwAccessMask)
  290. {
  291. HRESULT hr = AddAccessAllowedACEToACL(&m_pDACL, pszPrincipal, dwAccessMask);
  292. if (SUCCEEDED(hr))
  293. {
  294. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  295. hr = HRESULT_FROM_WIN32(GetLastError());
  296. }
  297. return hr;
  298. }
  300. HRESULT CSecurityDescriptor::AllowOwner(DWORD dwAccessMask)
  301. {
  302. HRESULT hr = AddAccessAllowedACEToACL(&m_pDACL, dwAccessMask);
  303. if (SUCCEEDED(hr))
  304. {
  305. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  306. hr = HRESULT_FROM_WIN32(GetLastError());
  307. }
  308. return hr;
  309. }
  311. HRESULT CSecurityDescriptor::Deny(const SecurityId *psidPrincipal, DWORD dwAccessMask)
  312. {
  313. HRESULT hr = AddAccessDeniedACEToACL(&m_pDACL, psidPrincipal, dwAccessMask);
  314. if (SUCCEEDED(hr))
  315. {
  316. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  317. hr = HRESULT_FROM_WIN32(GetLastError());
  318. }
  319. return hr;
  320. }
  322. HRESULT CSecurityDescriptor::Deny(LPCTSTR pszPrincipal, DWORD dwAccessMask)
  323. {
  324. HRESULT hr = AddAccessDeniedACEToACL(&m_pDACL, pszPrincipal, dwAccessMask);
  325. if (SUCCEEDED(hr))
  326. {
  327. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  328. hr = HRESULT_FROM_WIN32(GetLastError());
  329. }
  330. return hr;
  331. }
  333. HRESULT CSecurityDescriptor::Revoke(LPCTSTR pszPrincipal)
  334. {
  335. HRESULT hr = RemovePrincipalFromACL(m_pDACL, pszPrincipal);
  336. if (SUCCEEDED(hr))
  337. {
  338. if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
  339. hr = HRESULT_FROM_WIN32(GetLastError());
  340. }
  341. return hr;
  342. }
  344. HRESULT CSecurityDescriptor::GetProcessSids(PSID* ppUserSid, PSID* ppGroupSid)
  345. {
  346. BOOL bRes;
  347. HRESULT hr;
  348. HANDLE hToken = NULL;
  349. if (ppUserSid)
  350. *ppUserSid = NULL;
  351. if (ppGroupSid)
  352. *ppGroupSid = NULL;
  353. bRes = OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken);
  354. if (!bRes)
  355. {
  356. // Couldn't open process token
  357. hr = HRESULT_FROM_WIN32(GetLastError());
  358. _ASSERTE(FALSE);
  359. return hr;
  360. }
  361. hr = GetTokenSids(hToken, ppUserSid, ppGroupSid);
  362. CloseHandle(hToken);
  363. return hr;
  364. }
  366. HRESULT CSecurityDescriptor::GetThreadSids(PSID* ppUserSid, PSID* ppGroupSid, BOOL bOpenAsSelf)
  367. {
  368. BOOL bRes;
  369. HRESULT hr;
  370. HANDLE hToken = NULL;
  371. if (ppUserSid)
  372. *ppUserSid = NULL;
  373. if (ppGroupSid)
  374. *ppGroupSid = NULL;
  375. bRes = OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, bOpenAsSelf, &hToken);
  376. if (!bRes)
  377. {
  378. // Couldn't open thread token
  379. hr = HRESULT_FROM_WIN32(GetLastError());
  380. return hr;
  381. }
  382. hr = GetTokenSids(hToken, ppUserSid, ppGroupSid);
  383. CloseHandle(hToken);
  384. return hr;
  385. }
  388. HRESULT CSecurityDescriptor::GetTokenSids(HANDLE hToken, PSID* ppUserSid, PSID* ppGroupSid)
  389. {
  390. DWORD dwSize;
  391. HRESULT hr;
  392. PTOKEN_USER ptkUser = NULL;
  393. PTOKEN_PRIMARY_GROUP ptkGroup = NULL;
  395. if (ppUserSid)
  396. *ppUserSid = NULL;
  397. if (ppGroupSid)
  398. *ppGroupSid = NULL;
  400. if (ppUserSid)
  401. {
  402. // Get length required for TokenUser by specifying buffer length of 0
  403. GetTokenInformation(hToken, TokenUser, NULL, 0, &dwSize);
  404. hr = GetLastError();
  405. if (hr != ERROR_INSUFFICIENT_BUFFER)
  406. {
  407. // Expected ERROR_INSUFFICIENT_BUFFER
  408. _ASSERTE(FALSE);
  409. hr = HRESULT_FROM_WIN32(hr);
  410. goto failed;
  411. }
  413. ptkUser = (TOKEN_USER*) new BYTE[dwSize];
  414. if (!ptkUser)
  415. {
  416. // Insufficient memory to allocate TOKEN_USER
  417. _ASSERTE(FALSE);
  418. hr = E_OUTOFMEMORY;
  419. goto failed;
  420. }
  421. // Get Sid of process token.
  422. if (!GetTokenInformation(hToken, TokenUser, ptkUser, dwSize, &dwSize))
  423. {
  424. // Couldn't get user info
  425. hr = HRESULT_FROM_WIN32(GetLastError());
  426. _ASSERTE(FALSE);
  427. goto failed;
  428. }
  430. // Make a copy of the Sid for the return value
  431. dwSize = GetLengthSid(ptkUser->User.Sid);
  433. PSID pSid = (PSID) new BYTE[dwSize];
  434. if (!pSid)
  435. {
  436. // Insufficient memory to allocate Sid
  437. _ASSERTE(FALSE);
  438. hr = E_OUTOFMEMORY;
  439. goto failed;
  440. }
  441. if (!CopySid(dwSize, pSid, ptkUser->User.Sid))
  442. {
  443. hr = HRESULT_FROM_WIN32(GetLastError());
  444. _ASSERTE(FALSE);
  445. goto failed;
  446. }
  448. _ASSERTE(IsValidSid(pSid));
  449. *ppUserSid = pSid;
  450. delete[] (LPBYTE)(ptkUser);
  451. ptkUser = NULL;
  452. }
  453. if (ppGroupSid)
  454. {
  455. // Get length required for TokenPrimaryGroup by specifying buffer length of 0
  456. GetTokenInformation(hToken, TokenPrimaryGroup, NULL, 0, &dwSize);
  457. hr = GetLastError();
  458. if (hr != ERROR_INSUFFICIENT_BUFFER)
  459. {
  460. // Expected ERROR_INSUFFICIENT_BUFFER
  461. _ASSERTE(FALSE);
  462. hr = HRESULT_FROM_WIN32(hr);
  463. goto failed;
  464. }
  466. ptkGroup = (TOKEN_PRIMARY_GROUP*) new BYTE[dwSize];
  467. if (!ptkGroup)
  468. {
  469. // Insufficient memory to allocate TOKEN_USER
  470. _ASSERTE(FALSE);
  471. hr = E_OUTOFMEMORY;
  472. goto failed;
  473. }
  474. // Get Sid of process token.
  475. if (!GetTokenInformation(hToken, TokenPrimaryGroup, ptkGroup, dwSize, &dwSize))
  476. {
  477. // Couldn't get user info
  478. hr = HRESULT_FROM_WIN32(GetLastError());
  479. _ASSERTE(FALSE);
  480. goto failed;
  481. }
  483. // Make a copy of the Sid for the return value
  484. dwSize = GetLengthSid(ptkGroup->PrimaryGroup);
  486. PSID pSid = (PSID) new BYTE[dwSize];
  487. if (!pSid)
  488. {
  489. // Insufficient memory to allocate Sid
  490. _ASSERTE(FALSE);
  491. hr = E_OUTOFMEMORY;
  492. goto failed;
  493. }
  494. if (!CopySid(dwSize, pSid, ptkGroup->PrimaryGroup))
  495. {
  496. hr = HRESULT_FROM_WIN32(GetLastError());
  497. _ASSERTE(FALSE);
  498. goto failed;
  499. }
  501. _ASSERTE(IsValidSid(pSid));
  503. *ppGroupSid = pSid;
  504. delete[] (LPBYTE)(ptkGroup);
  505. ptkGroup = NULL;
  506. }
  508. return S_OK;
  510. failed:
  511. if (ptkUser)
  512. delete[] (LPBYTE)(ptkUser);
  513. if (ptkGroup)
  514. delete[] (LPBYTE)(ptkGroup);
  515. return hr;
  516. }
  519. HRESULT CSecurityDescriptor::GetCurrentUserSID(PSID *ppSid)
  520. {
  521. HANDLE tkHandle = NULL;
  523. if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tkHandle))
  524. {
  525. TOKEN_USER *tkUser;
  526. DWORD tkSize;
  527. DWORD sidLength;
  529. // Call to get size information for alloc
  530. GetTokenInformation(tkHandle, TokenUser, NULL, 0, &tkSize);
  531. tkUser = (TOKEN_USER *) new BYTE[tkSize];
  532. if (NULL == tkUser)
  533. {
  534. CloseHandle(tkHandle);
  535. return E_OUTOFMEMORY;
  536. }
  538. // Now make the real call
  539. if (GetTokenInformation(tkHandle, TokenUser, tkUser, tkSize, &tkSize))
  540. {
  541. sidLength = GetLengthSid(tkUser->User.Sid);
  542. *ppSid = (PSID) new BYTE[sidLength];
  543. if (NULL != *ppSid)
  544. {
  545. memcpy(*ppSid, tkUser->User.Sid, sidLength);
  546. CloseHandle(tkHandle);
  548. delete[] (LPBYTE)(tkUser);
  549. return S_OK;
  550. }
  551. else
  552. {
  553. CloseHandle(tkHandle);
  554. delete[] (LPBYTE)(tkUser);
  555. return E_OUTOFMEMORY;
  556. }
  557. }
  558. else
  559. {
  560. CloseHandle(tkHandle);
  561. delete[] (LPBYTE)(tkUser);
  562. return HRESULT_FROM_WIN32(GetLastError());
  563. }
  564. }
  565. return HRESULT_FROM_WIN32(GetLastError());
  566. }
  569. HRESULT CSecurityDescriptor::GetPrincipalSID(LPCTSTR pszPrincipal, PSID *ppSid)
  570. {
  571. HRESULT hr;
  572. LPTSTR pszRefDomain = NULL;
  573. DWORD dwDomainSize = 0;
  574. DWORD dwSidSize = 0;
  575. SID_NAME_USE snu;
  577. // Call to get size info for alloc
  578. LookupAccountName(NULL, pszPrincipal, *ppSid, &dwSidSize, pszRefDomain, &dwDomainSize, &snu);
  580. hr = GetLastError();
  581. if (hr != ERROR_INSUFFICIENT_BUFFER)
  582. return HRESULT_FROM_WIN32(hr);
  584. pszRefDomain = new TCHAR[dwDomainSize];
  585. if (pszRefDomain == NULL)
  586. return E_OUTOFMEMORY;
  588. *ppSid = (PSID) new BYTE[dwSidSize];
  589. if (*ppSid != NULL)
  590. {
  591. if (!LookupAccountName(NULL, pszPrincipal, *ppSid, &dwSidSize, pszRefDomain, &dwDomainSize, &snu))
  592. {
  593. delete[] (LPBYTE)(*ppSid);
  594. *ppSid = NULL;
  595. delete[] pszRefDomain;
  596. return HRESULT_FROM_WIN32(GetLastError());
  597. }
  598. delete[] pszRefDomain;
  599. return S_OK;
  600. }
  601. delete[] pszRefDomain;
  602. return E_OUTOFMEMORY;
  603. }
  606. HRESULT CSecurityDescriptor::Attach(PSECURITY_DESCRIPTOR pSelfRelativeSD)
  607. {
  608. PACL pDACL = NULL;
  609. PACL pSACL = NULL;
  610. BOOL bDACLPresent, bSACLPresent;
  611. BOOL bDefaulted;
  612. PACL m_pDACL = NULL;
  613. ACCESS_ALLOWED_ACE* pACE;
  614. HRESULT hr;
  615. PSID pUserSid;
  616. PSID pGroupSid;
  618. hr = Initialize();
  619. if(FAILED(hr))
  620. return hr;
  622. // get the existing DACL.
  623. if (!GetSecurityDescriptorDacl(pSelfRelativeSD, &bDACLPresent, &pDACL, &bDefaulted))
  624. goto failed;
  626. if (bDACLPresent)
  627. {
  628. if (pDACL)
  629. {
  630. // allocate new DACL.
  631. if (!(m_pDACL = (PACL) new BYTE[pDACL->AclSize]))
  632. goto failed;
  634. // initialize the DACL
  635. if (!InitializeAcl(m_pDACL, pDACL->AclSize, ACL_REVISION))
  636. goto failed;
  638. // copy the ACES
  639. for (int i = 0; i < pDACL->AceCount; i++)
  640. {
  641. if (!GetAce(pDACL, i, (void **)&pACE))
  642. goto failed;
  644. if (!AddAccessAllowedAce(m_pDACL, ACL_REVISION, pACE->Mask, (PSID)&(pACE->SidStart)))
  645. goto failed;
  646. }
  648. if (!IsValidAcl(m_pDACL))
  649. goto failed;
  650. }
  652. // set the DACL
  653. if (!SetSecurityDescriptorDacl(m_pSD, m_pDACL ? TRUE : FALSE, m_pDACL, bDefaulted))
  654. goto failed;
  655. }
  657. // get the existing SACL.
  658. if (!GetSecurityDescriptorSacl(pSelfRelativeSD, &bSACLPresent, &pSACL, &bDefaulted))
  659. goto failed;
  661. if (bSACLPresent)
  662. {
  663. if (pSACL)
  664. {
  665. // allocate new SACL.
  666. if (!(m_pSACL = (PACL) new BYTE[pSACL->AclSize]))
  667. goto failed;
  669. // initialize the SACL
  670. if (!InitializeAcl(m_pSACL, pSACL->AclSize, ACL_REVISION))
  671. goto failed;
  673. // copy the ACES
  674. for (int i = 0; i < pSACL->AceCount; i++)
  675. {
  676. if (!GetAce(pSACL, i, (void **)&pACE))
  677. goto failed;
  679. if (!AddAccessAllowedAce(m_pSACL, ACL_REVISION, pACE->Mask, (PSID)&(pACE->SidStart)))
  680. goto failed;
  681. }
  683. if (!IsValidAcl(m_pSACL))
  684. goto failed;
  685. }
  687. // set the SACL
  688. if (!SetSecurityDescriptorSacl(m_pSD, m_pSACL ? TRUE : FALSE, m_pSACL, bDefaulted))
  689. goto failed;
  690. }
  692. if (!GetSecurityDescriptorOwner(m_pSD, &pUserSid, &bDefaulted))
  693. goto failed;
  695. if (FAILED(SetOwner(pUserSid, bDefaulted)))
  696. goto failed;
  698. if (!GetSecurityDescriptorGroup(m_pSD, &pGroupSid, &bDefaulted))
  699. goto failed;
  701. if (FAILED(SetGroup(pGroupSid, bDefaulted)))
  702. goto failed;
  704. if (!IsValidSecurityDescriptor(m_pSD))
  705. goto failed;
  707. return hr;
  709. failed:
  710. if (m_pDACL)
  711. delete[] (LPBYTE)(m_pDACL);
  712. if (m_pSD)
  713. delete[] (LPBYTE)(m_pSD);
  714. return E_UNEXPECTED;
  715. }
  717. HRESULT CSecurityDescriptor::AttachObject(HANDLE hObject)
  718. {
  719. HRESULT hr;
  720. DWORD dwSize = 0;
  721. PSECURITY_DESCRIPTOR pSD = NULL;
  723. GetKernelObjectSecurity(hObject, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
  724. DACL_SECURITY_INFORMATION, pSD, 0, &dwSize);
  726. hr = GetLastError();
  727. if (hr != ERROR_INSUFFICIENT_BUFFER)
  728. return HRESULT_FROM_WIN32(hr);
  730. pSD = (PSECURITY_DESCRIPTOR) new BYTE[dwSize];
  731. if (NULL==pSD)
  732. return E_OUTOFMEMORY;
  734. if (!GetKernelObjectSecurity(hObject, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
  735. DACL_SECURITY_INFORMATION, pSD, dwSize, &dwSize))
  736. {
  737. hr = HRESULT_FROM_WIN32(GetLastError());
  738. delete[] (LPBYTE)(pSD);
  739. return hr;
  740. }
  742. hr = Attach(pSD);
  743. delete[] (LPBYTE)(pSD);
  744. return hr;
  745. }
  748. HRESULT CSecurityDescriptor::CopyACL(PACL pDest, PACL pSrc)
  749. {
  750. ACL_SIZE_INFORMATION aclSizeInfo;
  751. LPVOID pAce;
  752. ACE_HEADER *aceHeader;
  754. if (pSrc == NULL)
  755. return S_OK;
  757. if (!GetAclInformation(pSrc, (LPVOID) &aclSizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation))
  758. return HRESULT_FROM_WIN32(GetLastError());
  760. // Copy all of the ACEs to the new ACL
  761. for (UINT i = 0; i < aclSizeInfo.AceCount; i++)
  762. {
  763. if (!GetAce(pSrc, i, &pAce))
  764. return HRESULT_FROM_WIN32(GetLastError());
  766. aceHeader = (ACE_HEADER *) pAce;
  768. if (!AddAce(pDest, ACL_REVISION, 0xffffffff, pAce, aceHeader->AceSize))
  769. return HRESULT_FROM_WIN32(GetLastError());
  770. }
  772. return S_OK;
  773. }
  775. HRESULT CSecurityDescriptor::AddAccessDeniedACEToACL(PACL *ppAcl, LPCTSTR pszPrincipal, DWORD dwAccessMask)
  776. {
  777. ACL_SIZE_INFORMATION aclSizeInfo;
  778. int aclSize;
  779. DWORD returnValue;
  780. PSID principalSID;
  781. PACL oldACL, newACL;
  783. oldACL = *ppAcl;
  785. returnValue = GetPrincipalSID(pszPrincipal, &principalSID);
  786. if (FAILED(returnValue))
  787. return returnValue;
  789. aclSizeInfo.AclBytesInUse = 0;
  790. if (*ppAcl != NULL)
  791. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  793. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
  795. newACL = (PACL) new BYTE[aclSize];
  796. if (NULL==newACL)
  797. {
  798. delete[] (LPBYTE)principalSID;
  799. return E_OUTOFMEMORY;
  800. }
  802. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  803. {
  804. delete[] (LPBYTE)(newACL);
  805. delete[] (LPBYTE)(principalSID);
  806. return HRESULT_FROM_WIN32(GetLastError());
  807. }
  809. if (!AddAccessDeniedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
  810. {
  811. delete[] (LPBYTE)(newACL);
  812. delete[] (LPBYTE)(principalSID);
  813. return HRESULT_FROM_WIN32(GetLastError());
  814. }
  816. returnValue = CopyACL(newACL, oldACL);
  817. if (FAILED(returnValue))
  818. {
  819. delete[] (LPBYTE)(newACL);
  820. delete[] (LPBYTE)(principalSID);
  821. return returnValue;
  822. }
  824. *ppAcl = newACL;
  826. if (oldACL != NULL)
  827. delete[] (LPBYTE)(oldACL);
  828. delete[] (LPBYTE)(principalSID);
  829. return S_OK;
  830. }
  833. HRESULT CSecurityDescriptor::AddAccessDeniedACEToACL(PACL *ppAcl, const SecurityId *psidPrincipal, DWORD dwAccessMask)
  834. {
  835. ACL_SIZE_INFORMATION aclSizeInfo;
  836. int aclSize;
  837. DWORD returnValue;
  838. PSID principalSID;
  839. PACL oldACL, newACL;
  840. DWORD dwLen, dwIx;
  842. oldACL = *ppAcl;
  844. ASSERT(255 >= psidPrincipal->dwRidCount);
  845. dwLen = GetSidLengthRequired((UCHAR)psidPrincipal->dwRidCount);
  846. principalSID = (PSID)(new BYTE[dwLen]);
  847. if (NULL==principalSID)
  848. return E_OUTOFMEMORY;
  849. if (!InitializeSid(
  850. principalSID,
  851. (PSID_IDENTIFIER_AUTHORITY)&psidPrincipal->sid,
  852. (UCHAR)psidPrincipal->dwRidCount))
  853. {
  854. delete[] (LPBYTE)principalSID;
  855. return HRESULT_FROM_WIN32(GetLastError());
  856. }
  857. for (dwIx = 0; dwIx < psidPrincipal->dwRidCount; dwIx += 1)
  858. *GetSidSubAuthority(principalSID, dwIx) = psidPrincipal->rgRids[dwIx];
  859. if (!IsValidSid(principalSID))
  860. {
  861. delete[] (LPBYTE)principalSID;
  862. return HRESULT_FROM_WIN32(GetLastError());
  863. }
  865. aclSizeInfo.AclBytesInUse = 0;
  866. if (*ppAcl != NULL)
  867. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  869. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_DENIED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
  871. newACL = (PACL) new BYTE[aclSize];
  872. if (NULL==newACL)
  873. {
  874. delete[] (LPBYTE)principalSID;
  875. return E_OUTOFMEMORY;
  876. }
  878. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  879. {
  880. delete[] (LPBYTE)newACL;
  881. delete[] (LPBYTE)(principalSID);
  882. return HRESULT_FROM_WIN32(GetLastError());
  883. }
  885. if (!AddAccessDeniedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
  886. {
  887. delete[] (LPBYTE)newACL;
  888. delete[] (LPBYTE)(principalSID);
  889. return HRESULT_FROM_WIN32(GetLastError());
  890. }
  892. returnValue = CopyACL(newACL, oldACL);
  893. if (FAILED(returnValue))
  894. {
  895. delete[] (LPBYTE)newACL;
  896. delete[] (LPBYTE)(principalSID);
  897. return returnValue;
  898. }
  900. *ppAcl = newACL;
  902. if (oldACL != NULL)
  903. delete[] (LPBYTE)(oldACL);
  904. delete[] (LPBYTE)(principalSID);
  905. return S_OK;
  906. }
  909. HRESULT CSecurityDescriptor::AddAccessAllowedACEToACL(PACL *ppAcl, const SecurityId *psidPrincipal, DWORD dwAccessMask)
  910. {
  911. ACL_SIZE_INFORMATION aclSizeInfo;
  912. int aclSize;
  913. DWORD returnValue;
  914. PSID principalSID = NULL;
  915. PACL oldACL, newACL;
  916. DWORD dwLen, dwIx;
  918. oldACL = *ppAcl;
  920. ASSERT(255 >= psidPrincipal->dwRidCount);
  921. dwLen = GetSidLengthRequired((UCHAR)psidPrincipal->dwRidCount);
  922. principalSID = (PSID)(new BYTE[dwLen]);
  923. if (NULL==principalSID)
  924. return E_OUTOFMEMORY;
  925. if (!InitializeSid(
  926. principalSID,
  927. (PSID_IDENTIFIER_AUTHORITY)&psidPrincipal->sid,
  928. (UCHAR)psidPrincipal->dwRidCount))
  929. {
  930. delete[] (LPBYTE)principalSID;
  931. return HRESULT_FROM_WIN32(GetLastError());
  932. }
  933. for (dwIx = 0; dwIx < psidPrincipal->dwRidCount; dwIx += 1)
  934. *GetSidSubAuthority(principalSID, dwIx) = psidPrincipal->rgRids[dwIx];
  935. if (!IsValidSid(principalSID))
  936. {
  937. delete[] (LPBYTE)principalSID;
  938. return HRESULT_FROM_WIN32(GetLastError());
  939. }
  941. aclSizeInfo.AclBytesInUse = 0;
  942. if (*ppAcl != NULL)
  943. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  945. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
  947. newACL = (PACL) new BYTE[aclSize];
  948. if (NULL==newACL) {
  949. delete[] (LPBYTE)principalSID;
  950. return E_OUTOFMEMORY;
  951. }
  953. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  954. {
  955. delete[] (LPBYTE)newACL;
  956. delete[] (LPBYTE)principalSID;
  957. return HRESULT_FROM_WIN32(GetLastError());
  958. }
  960. returnValue = CopyACL(newACL, oldACL);
  961. if (FAILED(returnValue))
  962. {
  963. delete[] (LPBYTE)newACL;
  964. delete[] (LPBYTE)principalSID;
  965. return returnValue;
  966. }
  968. if (!AddAccessAllowedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
  969. {
  970. delete[] (LPBYTE)newACL;
  971. delete[] (LPBYTE)principalSID;
  972. return HRESULT_FROM_WIN32(GetLastError());
  973. }
  975. *ppAcl = newACL;
  977. if (oldACL != NULL)
  978. delete[] (LPBYTE)(oldACL);
  979. delete[] (LPBYTE)principalSID;
  980. return S_OK;
  981. }
  984. HRESULT CSecurityDescriptor::AddAccessAllowedACEToACL(PACL *ppAcl, LPCTSTR pszPrincipal, DWORD dwAccessMask)
  985. {
  986. ACL_SIZE_INFORMATION aclSizeInfo;
  987. int aclSize;
  988. DWORD returnValue;
  989. PSID principalSID;
  990. PACL oldACL, newACL;
  992. oldACL = *ppAcl;
  994. returnValue = GetPrincipalSID(pszPrincipal, &principalSID);
  995. if (FAILED(returnValue))
  996. return returnValue;
  998. aclSizeInfo.AclBytesInUse = 0;
  999. if (*ppAcl != NULL)
  1000. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  1002. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
  1004. newACL = (PACL) new BYTE[aclSize];
  1005. if (NULL==newACL)
  1006. {
  1007. delete[] (LPBYTE)principalSID;
  1008. return E_OUTOFMEMORY;
  1009. }
  1011. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  1012. {
  1013. delete[] (LPBYTE)(newACL);
  1014. delete[] (LPBYTE)(principalSID);
  1015. return HRESULT_FROM_WIN32(GetLastError());
  1016. }
  1018. returnValue = CopyACL(newACL, oldACL);
  1019. if (FAILED(returnValue))
  1020. {
  1021. delete[] (LPBYTE)(newACL);
  1022. delete[] (LPBYTE)(principalSID);
  1023. return returnValue;
  1024. }
  1026. if (!AddAccessAllowedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
  1027. {
  1028. delete[] (LPBYTE)(newACL);
  1029. delete[] (LPBYTE)(principalSID);
  1030. return HRESULT_FROM_WIN32(GetLastError());
  1031. }
  1033. *ppAcl = newACL;
  1035. if (oldACL != NULL)
  1036. delete[] (LPBYTE)(oldACL);
  1037. delete[] (LPBYTE)(principalSID);
  1038. return S_OK;
  1039. }
  1041. HRESULT CSecurityDescriptor::AddAccessAllowedACEToACL(PACL *ppAcl, DWORD dwAccessMask)
  1042. {
  1043. ACL_SIZE_INFORMATION aclSizeInfo;
  1044. int aclSize;
  1045. DWORD returnValue;
  1046. PACL oldACL, newACL;
  1048. oldACL = *ppAcl;
  1050. if (!IsValidSid(m_pOwner))
  1051. {
  1052. _ASSERTE(FALSE);
  1053. return E_INVALIDARG;
  1054. }
  1056. aclSizeInfo.AclBytesInUse = 0;
  1057. if (*ppAcl != NULL)
  1058. GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  1060. aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(m_pOwner) - sizeof(DWORD);
  1062. newACL = (PACL) new BYTE[aclSize];
  1063. if (NULL==newACL)
  1064. {
  1065. return E_OUTOFMEMORY;
  1066. }
  1068. if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
  1069. {
  1070. delete[] (LPBYTE)(newACL);
  1071. return HRESULT_FROM_WIN32(GetLastError());
  1072. }
  1074. returnValue = CopyACL(newACL, oldACL);
  1075. if (FAILED(returnValue))
  1076. {
  1077. delete[] (LPBYTE)(newACL);
  1078. return returnValue;
  1079. }
  1081. if (!AddAccessAllowedAce(newACL, ACL_REVISION2, dwAccessMask, m_pOwner))
  1082. {
  1083. delete[] (LPBYTE)(newACL);
  1084. return HRESULT_FROM_WIN32(GetLastError());
  1085. }
  1087. *ppAcl = newACL;
  1089. if (oldACL != NULL)
  1090. delete[] (LPBYTE)(oldACL);
  1091. return S_OK;
  1092. }
  1094. HRESULT CSecurityDescriptor::RemovePrincipalFromACL(PACL pAcl, LPCTSTR pszPrincipal)
  1095. {
  1096. ACL_SIZE_INFORMATION aclSizeInfo;
  1097. ULONG i;
  1098. LPVOID ace;
  1099. ACCESS_ALLOWED_ACE *accessAllowedAce;
  1100. ACCESS_DENIED_ACE *accessDeniedAce;
  1101. SYSTEM_AUDIT_ACE *systemAuditAce;
  1102. PSID principalSID;
  1103. DWORD returnValue;
  1104. ACE_HEADER *aceHeader;
  1106. returnValue = GetPrincipalSID(pszPrincipal, &principalSID);
  1107. if (FAILED(returnValue))
  1108. return returnValue;
  1110. GetAclInformation(pAcl, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  1112. for (i = 0; i < aclSizeInfo.AceCount; i++)
  1113. {
  1114. if (!GetAce(pAcl, i, &ace))
  1115. {
  1116. delete[] (LPBYTE)(principalSID);
  1117. return HRESULT_FROM_WIN32(GetLastError());
  1118. }
  1120. aceHeader = (ACE_HEADER *) ace;
  1122. if (aceHeader->AceType == ACCESS_ALLOWED_ACE_TYPE)
  1123. {
  1124. accessAllowedAce = (ACCESS_ALLOWED_ACE *) ace;
  1126. if (EqualSid(principalSID, (PSID) &accessAllowedAce->SidStart))
  1127. {
  1128. DeleteAce(pAcl, i);
  1129. delete[] (LPBYTE)(principalSID);
  1130. return S_OK;
  1131. }
  1132. } else
  1134. if (aceHeader->AceType == ACCESS_DENIED_ACE_TYPE)
  1135. {
  1136. accessDeniedAce = (ACCESS_DENIED_ACE *) ace;
  1138. if (EqualSid(principalSID, (PSID) &accessDeniedAce->SidStart))
  1139. {
  1140. DeleteAce(pAcl, i);
  1141. delete[] (LPBYTE)(principalSID);
  1142. return S_OK;
  1143. }
  1144. } else
  1146. if (aceHeader->AceType == SYSTEM_AUDIT_ACE_TYPE)
  1147. {
  1148. systemAuditAce = (SYSTEM_AUDIT_ACE *) ace;
  1150. if (EqualSid(principalSID, (PSID) &systemAuditAce->SidStart))
  1151. {
  1152. DeleteAce(pAcl, i);
  1153. delete[] (LPBYTE)(principalSID);
  1154. return S_OK;
  1155. }
  1156. }
  1157. }
  1158. delete[] (LPBYTE)(principalSID);
  1159. return S_OK;
  1160. }
  1163. HRESULT CSecurityDescriptor::SetPrivilege(LPCTSTR privilege, BOOL bEnable, HANDLE hToken)
  1164. {
  1165. HRESULT hr;
  1166. TOKEN_PRIVILEGES tpPrevious;
  1167. TOKEN_PRIVILEGES tp;
  1168. DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES);
  1169. LUID luid;
  1170. HANDLE hMyToken = NULL;
  1172. // if no token specified open process token
  1173. if (hToken == 0)
  1174. {
  1175. if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hMyToken))
  1176. {
  1177. hr = HRESULT_FROM_WIN32(GetLastError());
  1178. _ASSERTE(FALSE);
  1179. return hr;
  1180. }
  1181. hToken = hMyToken;
  1182. }
  1184. if (!LookupPrivilegeValue(NULL, privilege, &luid ))
  1185. {
  1186. hr = HRESULT_FROM_WIN32(GetLastError());
  1187. _ASSERTE(FALSE);
  1188. if (NULL != hMyToken)
  1189. CloseHandle(hMyToken);
  1190. return hr;
  1191. }
  1193. tp.PrivilegeCount = 1;
  1194. tp.Privileges[0].Luid = luid;
  1195. tp.Privileges[0].Attributes = 0;
  1197. if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &tpPrevious, &cbPrevious))
  1198. {
  1199. hr = HRESULT_FROM_WIN32(GetLastError());
  1200. _ASSERTE(FALSE);
  1201. if (NULL != hMyToken)
  1202. CloseHandle(hMyToken);
  1203. return hr;
  1204. }
  1206. tpPrevious.PrivilegeCount = 1;
  1207. tpPrevious.Privileges[0].Luid = luid;
  1209. if (bEnable)
  1210. tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED);
  1211. else
  1212. tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED & tpPrevious.Privileges[0].Attributes);
  1214. if (!AdjustTokenPrivileges(hToken, FALSE, &tpPrevious, cbPrevious, NULL, NULL))
  1215. {
  1216. hr = HRESULT_FROM_WIN32(GetLastError());
  1217. _ASSERTE(FALSE);
  1218. if (NULL != hMyToken)
  1219. CloseHandle(hMyToken);
  1220. return hr;
  1221. }
  1222. if (NULL != hMyToken)
  1223. CloseHandle(hMyToken);
  1224. return S_OK;
  1225. }
  1227. CSecurityDescriptor::operator LPSECURITY_ATTRIBUTES()
  1228. {
  1229. m_saAttrs.nLength = sizeof (m_saAttrs);
  1230. m_saAttrs.lpSecurityDescriptor = m_pSD;
  1231. m_saAttrs.bInheritHandle = m_fInheritance;
  1232. return (&m_saAttrs);
  1233. }