Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

338 lines
12 KiB

  1. /**********************************************************************/
  2. /** Microsoft LAN Manager **/
  3. /** Copyright(c) Microsoft Corp., 1990, 1991 **/
  4. /**********************************************************************/
  5. /*
  6. NTGenSed.hxx
  7. This File contains the prototypes and descriptions for the interface to
  8. the generic security editor dialogs for NT objects.
  9. FILE HISTORY:
  10. Johnl 02-Aug-1991 Created
  11. */
  12. #ifndef _NTGENSED_HXX_
  13. #define _NTGENSED_HXX_
  14. //
  15. // This data type defines information related to a single class of object.
  16. // For example, a FILE object, or PRINT_QUEUE object would have a structure
  17. // like this defined.
  18. //
  19. typedef struct _SED_OBJECT_TYPE_DESCRIPTOR {
  20. //
  21. // Defines whether the object is a container or not.
  22. // TRUE indicates the object may contain other objects.
  23. //
  24. BOOLEAN IsContainer;
  25. //
  26. // A mask containing all valid access types for the object type.
  27. // This mask may not contain any special access types (generic,
  28. // MaximumAllowed, or AccessSystemSecurity).
  29. //
  30. ACCESS_MASK ValidAccessMask;
  31. //
  32. // The (localized) name of the object type.
  33. // For example, "File" or "Print Job".
  34. //
  35. PUNICODE_STRING ObjectTypeName;
  36. //
  37. // The (localized) title to display if protection can be displayed to
  38. // sub-containers.
  39. //
  40. // This string will be presented with a checkbox before it.
  41. // If checked when asked to apply the protection, the application will
  42. // be called at it's callback entry point to apply the security to
  43. // sub-containers.
  44. //
  45. // This field is ignored if the IsContainer field is FALSE.
  46. //
  47. // As an example of how this field is used, the file browser may
  48. // specify the following string in the DIRECTORY object's
  49. // descriptor:
  50. //
  51. // "Apply to sub-directories"
  52. //
  53. PUNICODE_STRING ApplyToSubContainerTitle;
  54. //
  55. // The (localized) title to display if protection can be displayed to
  56. // sub-NONcontainers. For example, a FILE is a sub-NON-container of
  57. // a DIRECTORY object.
  58. //
  59. // This string will be presented with a checkbox before it.
  60. // If checked when asked to apply the protection, the application will
  61. // be called at it's callback entry point to apply the security to
  62. // sub-NONcontainers.
  63. //
  64. // This field is ignored if the IsContainer field is FALSE.
  65. //
  66. // As an example of how this field is used, the file browser may
  67. // specify the following string in the DIRECTORY object's
  68. // descriptor:
  69. //
  70. // "Apply to files under this directory"
  71. //
  72. PUNICODE_STRING ApplyToSubObjectTitle;
  73. //
  74. // The generic mapping for the object type.
  75. //
  76. GENERIC_MAPPING GenericMapping;
  77. //
  78. // An array of 4 (localized) names. These names are the names of the
  79. // generic access types, with entry N defining the name of the
  80. // corresponding generic access type in the GenericMapping field.
  81. //
  82. // For example, for English this should contain:
  83. //
  84. // GenericName[0] = "Read"
  85. // GenericName[1] = "Write"
  86. // GenericName[2] = "Execute"
  87. // GenericName[3] = "All"
  88. //
  89. UNICODE_STRING GenericNames[4];
  90. //
  91. // An array of 8 (localized) names. These names are the names of
  92. // the standard access types. For English this should contain:
  93. //
  94. // StandardName[0] = "Delete"
  95. // StandardName[1] = "Read Control"
  96. // StandardName[2] = "Change Permissions"
  97. // StandardName[3] = "Take Ownership"
  98. // StandardName[4] = "Synchronize"
  99. //
  100. // If "Synchronize" is not supported by the object type, then it does
  101. // not need to be passed and will not be referenced. This is indicated
  102. // by the ValidAccessMask.
  103. //
  104. // Names 5, 6, and 7 are reserved for future use and should either be
  105. // a NULL string or have no string passed at all.
  106. UNICODE_STRING StandardNames[8];
  107. } SED_OBJECT_TYPE_DESCRIPTOR, *PSED_OBJECT_TYPE_DESCRIPTOR;
  108. //
  109. // In some cases, it is desirable to display access names that are
  110. // meaningful in the context of the type of object whose ACL
  111. // is being worked on. For example, for a PRINT_QUEUE object type,
  112. // it may be desirable to display an access type named "Submit Print Jobs".
  113. // The following structures are used for defining these application defined
  114. // access groupings.
  115. //
  116. typedef struct _SED_APPLICATION_ACCESS {
  117. //
  118. // An application defined access grouping consists of an access mask
  119. // and a name by which that combination of access types is to be known.
  120. // The access mask may only contain generic and standard access types.
  121. // Specific access types and other Special access types are ignored.
  122. //
  123. ACCESS_MASK AccessMask;
  124. PUNICODE_STRING Name;
  125. } SED_APPLICATION_ACCESS, *PSED_APPLICATION_ACCESS;
  126. typedef struct _SED_APPLICATION_ACCESSES {
  127. //
  128. // The count field indicates how many application defined access groupings
  129. // are defined by this data structure. The AccessGroup[] array then
  130. // contains that number of elements.
  131. //
  132. ULONG Count;
  133. SED_APPLICATION_ACCESS AccessGroup[ANYSIZE_ARRAY];
  134. }
  135. NTSTATUS
  136. SedDiscretionaryAclEditor(
  137. IN PSED_OBJECT_TYPE_DESCRIPTOR ObjectType (OPTIONAL),
  138. IN PSED_APPLICATION_ACCESSES ApplicationAccesses (OPTIONAL),
  139. IN PUNICODE_NAME ObjectName (OPTIONAL),
  140. IN ??? ApplySecurityCallbackRoutine,
  141. IN ULONG CallbackContext,
  142. IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  143. IN BOOLEAN CouldntReadDacl
  144. )
  145. /*++
  146. Routine Description:
  147. This routine invokes the graphical Discretionary ACL editor DLL. The
  148. graphical DACL editor may be used to modify or create:
  149. - A default Discretionary ACL
  150. - A Discretionary ACL for a particular type of object.
  151. - A Discretionary ACL for a particular named instance of an
  152. object.
  153. Additionally, in the case where the ACl is that of aa named object
  154. instance, and that object may contain other object instances, the
  155. user will be presented with the opportunity to apply the protection
  156. to the entire sub-tree of objects.
  157. Parameters:
  158. ObjectType - This optional parameter is used to specify information
  159. about the type of object whose security is being edited. If the
  160. security does not relate to an instance of an object (such as for
  161. when default protection is being established), then NULL should be
  162. passed.
  163. ApplicationAccesses - This optional parameter may be used to specify
  164. groupings of access types that are particularly useful when operating
  165. on security for the specified object type. For example, it may be
  166. useful to define an access type called "Submit Print Job" for a
  167. PRINT_QUEUE class of object. This parameter is ignored if the
  168. ObjectType parameter is not passed.
  169. ObjectName - This optional parameter is used to pass the name of the
  170. object whose security is being edited. If the security does not
  171. relate to an instance of an object (such as for when default
  172. protection is being established), then NULL should be passed.
  173. This parameter is ignored if the ObjectType parameter is not passed.
  174. ApplySecurityCallbackRoutine - This parameter is used to provide the
  175. address of a routine to be called to apply security to either the
  176. object specified, or, in the case that the object is a container,
  177. to sub-containers or sub-non-containers of that object.
  178. CallbackContext - This value is opaque to the DACL editor. Its only
  179. purpose is so that a context value may be passed back to the
  180. application via the ApplySecurityCallbackRoutine when that routine
  181. is invoked. This may be used by the application to re-locate
  182. context related to the edit session. For example, it may be a
  183. handle to the object whose security is being edited.
  184. SecurityDescriptor - This parameter points to a security descriptor
  185. containing the current discretionary ACL of the object. This
  186. security descriptor may, but does not have to, contain the owner
  187. and group of that object as well. Note that the security descriptor's
  188. DaclPresent flag may be FALSE, indicating either that the object
  189. had no protection, or that the user couldn't read the protection.
  190. CouldntReadDacl - This boolean flag may be used to indicate that the
  191. user does not have read access to the target object's discretionary
  192. acl. In this case, a warning
  193. to the user will be presented along with the option to continue
  194. or cancel.
  195. Presumably the user does have write access to the DACL or
  196. there is no point in activating the editor.
  197. Return Status:
  198. STATUS_MODIFIED - This (success) status code indicates the editor has
  199. been exited and protection has successfully been modified.
  200. STATUS_NOT_MODIFIED - This (success) status code indicates the editor
  201. has been exited without attempting to modify the protection.
  202. STATUS_NOT_ALL_MODIFIED - This (warning) status code indicates the user
  203. requested the protection to be modified, but an attempt to do so
  204. only partially succeeded. The user has been notified of this
  205. situation.
  206. STATUS_FAILED_TO_MODIFY - This (error) status code indicates the user
  207. requested the protection to be modified, but an attempt to do so
  208. has failed. The user has been notified of this situation.
  209. --*/
  210. SedApplyDiscretionaryAcl(
  211. IN ULONG CallbackContext,
  212. IN PSECURITY_DESCRIPTOR SecurityDescriptor,
  213. BOOLEAN ApplyToSubContainers,
  214. BOOLEAN ApplyToSubObjects
  215. )
  216. /*++
  217. Routine Description:
  218. This routine is provided by a caller of the graphical DACL editor.
  219. It is called by the Graphical DACL editor to apply security to
  220. target object(s) when requested by the user.
  221. Parameters:
  222. CallbackContext - This is the value passed as the CallbackContext argument
  223. to the SedDiscretionaryAclEditor() api when the graphical editor
  224. was invoked.
  225. SecurityDescriptor - This parameter points to a security descriptor
  226. containing a new discretionary ACL of either the object (and
  227. optionally the object's sub-containers) or the object's sub-objects.
  228. If the DaclPresent flag of this security descriptor is FALSE, then
  229. security is to be removed from the target object(s).
  230. ApplyToSubContainers - When TRUE, indicates that Dacl is to be applied to
  231. sub-containers of the target object as well as the target object.
  232. This will only be TRUE if the target object is a container object.
  233. ApplyToSubObjects - When TRUE, indicates the Dacl is to be applied to
  234. sub-objects of the target object, but not to the target object
  235. itself or sub-containers of the object. This will only be TRUE if
  236. the target object is a container object.
  237. Return Status:
  238. STATUS_MODIFIED - This (success) status code indicates the protection
  239. has successfully been applied.
  240. STATUS_NOT_ALL_MODIFIED - This (warning) status code indicates that
  241. the protection could not be applied to all of the target objects.
  242. STATUS_FAILED_TO_MODIFY - This (error) status code indicates the
  243. protection could not be applied to any target objects.
  244. --*/
  245. #endif //_NTGENSED_HXX_