archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/base/cluster/clusrtl/fixup.c

330 lines
8.4 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1998 Microsoft Corporation
  5. Module Name:
  7. FixUp.c
  9. Abstract:
  11. This module contains common security routines for
  12. NT Clusters rolling upgrade and backward compatibility.
  14. Author:
  16. Galen Barbee (galenb) 31-Mar-1998
  18. --*/
  20. #include "clusrtlp.h"
  22. PSECURITY_DESCRIPTOR
  23. ClRtlConvertClusterSDToNT4Format(
  24. IN PSECURITY_DESCRIPTOR psd
  25. )
  27. /*++
  29. Routine Description:
  31. Convert the SD from nt 5 to nt 4 format. This means enforcing the
  32. following rules:
  34. 1. Convert denied ACE to allowed ACE. Convert "Full Control" access
  35. mask to CLUAPI_NO_ACCESS.
  37. Arguments:
  39. psd [IN] Security descriptor.
  41. Return Value:
  43. The new SD in self-Relative format
  45. --*/
  47. {
  48. PACL pacl;
  49. BOOL bHasDACL;
  50. BOOL bDACLDefaulted;
  51. PSECURITY_DESCRIPTOR psec = NULL;
  53. if (NULL == psd) {
  54. return NULL;
  55. }
  57. psec = ClRtlCopySecurityDescriptor(psd);
  58. ASSERT(psec != NULL);
  60. if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) &&
  61. ( bHasDACL != FALSE ) ) {
  63. ACL_SIZE_INFORMATION asiAclSize;
  64. DWORD dwBufLength;
  66. dwBufLength = sizeof(asiAclSize);
  68. if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {
  70. ACCESS_DENIED_ACE * pAce;
  71. DWORD dwIndex;
  73. for (dwIndex = 0; dwIndex < asiAclSize.AceCount; dwIndex++) {
  75. if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {
  77. if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) {
  79. if (pAce->Mask & SPECIFIC_RIGHTS_ALL) {
  80. pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
  81. pAce->Mask = CLUSAPI_NO_ACCESS;
  82. }
  84. } // end if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
  86. } // end if (GetAce())
  88. } // end for
  90. } // end if (GetAclInformation())
  92. } // end if (HrGetSecurityDescriptorDacl()) and DACL is present
  94. ASSERT(IsValidSecurityDescriptor(psec));
  96. return psec;
  98. } //*** ClRtlConvertClusterSDToNT4Format()
  100. PSECURITY_DESCRIPTOR
  101. ClRtlConvertClusterSDToNT5Format(
  102. IN PSECURITY_DESCRIPTOR psd
  103. )
  105. /*++
  107. Routine Description:
  109. Convert the SD from nt 5 to nt 4 format. This means enforcing the
  110. following rules:
  112. 1. Convert allowed ACE with mask CLUAPI_NO_ACCESS to denied ACE mask full control.
  114. Arguments:
  116. psd [IN] Security descriptor.
  118. Return Value:
  120. The new SD in self-Relative format
  122. --*/
  124. {
  125. PACL pacl;
  126. BOOL bHasDACL;
  127. BOOL bDACLDefaulted;
  128. PSECURITY_DESCRIPTOR psec = NULL;
  130. if (NULL == psd) {
  131. return NULL;
  132. }
  134. psec = ClRtlCopySecurityDescriptor(psd);
  135. ASSERT(psec != NULL);
  137. if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) &&
  138. ( bHasDACL != FALSE ) ) {
  140. ACL_SIZE_INFORMATION asiAclSize;
  141. DWORD dwBufLength;
  143. dwBufLength = sizeof(asiAclSize);
  145. if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {
  147. ACCESS_DENIED_ACE * pAce;
  148. DWORD dwIndex;
  150. for (dwIndex = 0; dwIndex < asiAclSize.AceCount; dwIndex++) {
  152. if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {
  154. if (pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) {
  156. if (pAce->Mask & CLUSAPI_NO_ACCESS) {
  157. pAce->Header.AceType = ACCESS_DENIED_ACE_TYPE;
  158. pAce->Mask = SPECIFIC_RIGHTS_ALL;
  159. }
  161. } // end if (pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE)
  163. } // end if (GetAce())
  165. } // end for
  167. } // end if (GetAclInformation())
  169. } // end if (HrGetSecurityDescriptorDacl()) and DACL is present
  171. ASSERT(IsValidSecurityDescriptor(psec));
  173. return psec;
  175. } //*** ClRtlConvertClusterSDToNT5Format()
  177. static GENERIC_MAPPING gmFileShareMap =
  178. {
  179. FILE_GENERIC_READ,
  180. FILE_GENERIC_WRITE,
  181. FILE_GENERIC_EXECUTE,
  182. FILE_ALL_ACCESS
  183. };
  185. #define SPECIFIC_CHANGE (DELETE | FILE_GENERIC_WRITE)
  186. #define SPECIFIC_READ (FILE_GENERIC_READ | FILE_LIST_DIRECTORY | FILE_EXECUTE)
  187. #define GENERIC_CHANGE (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE)
  189. PSECURITY_DESCRIPTOR
  190. ClRtlConvertFileShareSDToNT4Format(
  191. IN PSECURITY_DESCRIPTOR psd
  192. )
  194. /*++
  196. Routine Description:
  198. Convert the SD from nt 5 to nt 4 format. This means enforcing the
  199. following rules:
  201. Arguments:
  203. psd [IN] Security descriptor.
  205. Return Value:
  207. The new SD in self-Relative format
  209. --*/
  211. {
  212. PACL pacl;
  213. BOOL bHasDACL;
  214. BOOL bDACLDefaulted;
  215. PSECURITY_DESCRIPTOR psec = NULL;
  217. if (NULL == psd) {
  218. return NULL;
  219. }
  221. psec = ClRtlCopySecurityDescriptor(psd);
  222. ASSERT(psec != NULL);
  224. if ( (GetSecurityDescriptorDacl(psec, (LPBOOL) &bHasDACL, (PACL *) &pacl, (LPBOOL) &bDACLDefaulted)) &&
  225. ( bHasDACL != FALSE ) ) {
  227. ACL_SIZE_INFORMATION asiAclSize;
  228. DWORD dwBufLength;
  229. ACCESS_MASK amTemp1;
  230. ACCESS_MASK amTemp2;
  232. dwBufLength = sizeof(asiAclSize);
  234. if (GetAclInformation(pacl, &asiAclSize, dwBufLength, AclSizeInformation)) {
  236. ACCESS_DENIED_ACE * pAce;
  237. DWORD dwSid;
  238. DWORD dwIndex;
  240. for (dwIndex = 0; dwIndex < asiAclSize.AceCount; dwIndex++) {
  242. amTemp1 = 0;
  243. amTemp2 = 0;
  245. if (GetAce(pacl, dwIndex, (LPVOID *) &pAce)) {
  247. // delete deny read ACEs since they don't mean anything to AclEdit
  248. if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) &&
  249. (pAce->Mask == SPECIFIC_READ)) {
  251. dwSid = pAce->SidStart;
  253. if (DeleteAce(pacl, dwIndex)) {
  254. asiAclSize.AceCount -= 1;
  255. dwIndex -= 1;
  256. }
  257. else {
  258. ClRtlDbgPrint(LOG_UNUSUAL,
  259. "[ClRtl] DeteteAce failed removing ACE #%1!d! due to error %2!d!\n",
  260. dwIndex,
  261. GetLastError());
  262. }
  264. continue;
  265. }
  267. // convert deny change deny read ACEs to deny all ACEs
  268. if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) &&
  269. (pAce->Mask == (SPECIFIC_CHANGE | SPECIFIC_READ))) {
  270. pAce->Mask = GENERIC_ALL;
  271. continue;
  272. }
  274. // convert deny change ACEs to allow read (read only) ACEs
  275. if ((pAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) &&
  276. (pAce->Mask == SPECIFIC_CHANGE)) {
  277. pAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
  278. pAce->Mask = GENERIC_READ | GENERIC_EXECUTE;
  279. continue;
  280. }
  282. // convert specific allow change to generic allow change
  283. if ((pAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) &&
  284. (pAce->Mask == SPECIFIC_CHANGE)) {
  285. pAce->Mask = GENERIC_CHANGE;
  286. continue;
  287. }
  289. // convert specific all to generic all
  290. if ((pAce->Mask & gmFileShareMap.GenericAll) == gmFileShareMap.GenericAll) {
  291. amTemp1 |= GENERIC_ALL;
  292. amTemp2 |= gmFileShareMap.GenericAll;
  293. }
  294. else {
  297. // convert specific read to generic read
  298. if ((pAce->Mask & gmFileShareMap.GenericRead) == gmFileShareMap.GenericRead) {
  299. amTemp1 |= GENERIC_READ;
  300. amTemp2 |= gmFileShareMap.GenericRead;
  301. }
  303. // convert specific write to generic write which includes delete
  304. if ((pAce->Mask & gmFileShareMap.GenericWrite) == gmFileShareMap.GenericWrite) {
  305. amTemp1 |= (GENERIC_WRITE | DELETE);
  306. amTemp2 |= gmFileShareMap.GenericWrite;
  307. }
  309. // convert specific execute to generic execute
  310. if ((pAce->Mask & gmFileShareMap.GenericExecute) == gmFileShareMap.GenericExecute) {
  311. amTemp1 |= GENERIC_EXECUTE;
  312. amTemp2 |= gmFileShareMap.GenericExecute;
  313. }
  314. }
  316. pAce->Mask &= ~amTemp2; // turn off specific bits
  317. pAce->Mask |= amTemp1; // turn on generic bits
  318. } // end if (GetAce())
  320. } // end for
  322. } // end if (GetAclInformation())
  324. } // end if (HrGetSecurityDescriptorDacl()) and DACL is present
  326. ASSERT(IsValidSecurityDescriptor(psec));
  328. return psec;
  330. } //*** ClRtlConvertFileShareSDToNT4Format()