Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

187 lines
4.3 KiB

  1. //+----------------------------------------------------------------------------
  2. //
  3. // File: setacl.cpp
  4. //
  5. // Module: PBSERVER.DLL
  6. //
  7. // Synopsis: Security/SID/ACL stuff for CM
  8. //
  9. // Copyright (c) 1998-2000 Microsoft Corporation
  10. //
  11. // Author: 09-Mar-2000 SumitC Created
  12. //
  13. //+----------------------------------------------------------------------------
  14. #include <windows.h>
  15. #include "cmdebug.h"
  16. #include "cmutil.h"
  17. //+----------------------------------------------------------------------------
  18. //
  19. // Func: SetAclPerms
  20. //
  21. // Desc: Sets appropriate permissions for CM/CPS's shared objects
  22. //
  23. // Args: [ppAcl] - location to return an allocated ACL
  24. //
  25. // Return: BOOL, TRUE for success, FALSE for failure
  26. //
  27. // Notes: fix for 30991: Security issue, don't use NULL DACLs.
  28. //
  29. // History: 09-Mar-2000 SumitC Created
  30. // 04-Apr-2000 SumitC Give perms to Authenticated_Users as well
  31. //
  32. //-----------------------------------------------------------------------------
  33. BOOL
  34. SetAclPerms(PACL * ppAcl)
  35. {
  36. DWORD dwError = 0;
  37. SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY;
  38. SID_IDENTIFIER_AUTHORITY siaNtAuth = SECURITY_NT_AUTHORITY;
  39. PSID psidWorldSid = NULL;
  40. PSID psidAdminSid = NULL;
  41. PSID psidUserSid = NULL;
  42. int cbAcl;
  43. PACL pAcl = NULL;
  44. MYDBGASSERT(OS_NT);
  45. // Create a SID for all users
  46. if ( !AllocateAndInitializeSid(
  47. &siaWorld,
  48. 1,
  49. SECURITY_WORLD_RID,
  50. 0,
  51. 0,
  52. 0,
  53. 0,
  54. 0,
  55. 0,
  56. 0,
  57. &psidWorldSid))
  58. {
  59. dwError = GetLastError();
  60. goto Cleanup;
  61. }
  62. // Create a SID for Authenticated Users
  63. if ( !AllocateAndInitializeSid(
  64. &siaNtAuth,
  65. 1,
  66. SECURITY_AUTHENTICATED_USER_RID,
  67. 0,
  68. 0,
  69. 0,
  70. 0,
  71. 0,
  72. 0,
  73. 0,
  74. &psidUserSid))
  75. {
  76. dwError = GetLastError();
  77. goto Cleanup;
  78. }
  79. // Create a SID for Local System account
  80. if ( !AllocateAndInitializeSid(
  81. &siaNtAuth,
  82. 2,
  83. SECURITY_BUILTIN_DOMAIN_RID,
  84. DOMAIN_ALIAS_RID_ADMINS,
  85. 0,
  86. 0,
  87. 0,
  88. 0,
  89. 0,
  90. 0,
  91. &psidAdminSid))
  92. {
  93. dwError = GetLastError();
  94. goto Cleanup;
  95. }
  96. // Calculate the length of required ACL buffer
  97. // with 3 ACEs.
  98. cbAcl = sizeof(ACL)
  99. + 3 * sizeof(ACCESS_ALLOWED_ACE)
  100. + GetLengthSid(psidWorldSid)
  101. + GetLengthSid(psidAdminSid)
  102. + GetLengthSid(psidUserSid);
  103. pAcl = (PACL) LocalAlloc(0, cbAcl);
  104. if (NULL == pAcl)
  105. {
  106. dwError = ERROR_OUTOFMEMORY;
  107. goto Cleanup;
  108. }
  109. if ( ! InitializeAcl(pAcl, cbAcl, ACL_REVISION2))
  110. {
  111. dwError = GetLastError();
  112. goto Cleanup;
  113. }
  114. // Add ACE with EVENT_ALL_ACCESS for all users
  115. if ( ! AddAccessAllowedAce(pAcl,
  116. ACL_REVISION2,
  117. GENERIC_READ | GENERIC_EXECUTE,
  118. psidWorldSid))
  119. {
  120. dwError = GetLastError();
  121. goto Cleanup;
  122. }
  123. // Add ACE with EVENT_ALL_ACCESS for Authenticated Users
  124. if ( ! AddAccessAllowedAce(pAcl,
  125. ACL_REVISION2,
  126. GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
  127. psidUserSid))
  128. {
  129. dwError = GetLastError();
  130. goto Cleanup;
  131. }
  132. // Add ACE with EVENT_ALL_ACCESS for Admins
  133. if ( ! AddAccessAllowedAce(pAcl,
  134. ACL_REVISION2,
  135. GENERIC_ALL,
  136. psidAdminSid))
  137. {
  138. dwError = GetLastError();
  139. goto Cleanup;
  140. }
  141. Cleanup:
  142. if (dwError)
  143. {
  144. if (pAcl)
  145. {
  146. LocalFree(pAcl);
  147. }
  148. }
  149. else
  150. {
  151. *ppAcl = pAcl;
  152. }
  153. if (psidWorldSid)
  154. {
  155. FreeSid(psidWorldSid);
  156. }
  157. if (psidUserSid)
  158. {
  159. FreeSid(psidUserSid);
  160. }
  161. if (psidAdminSid)
  162. {
  163. FreeSid(psidAdminSid);
  164. }
  165. return dwError ? FALSE : TRUE;
  166. }