archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 75c48ba87f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '75c48ba87f'
${ noResults }
windows-xp/Source/XPSP1/NT/com/ole32/dcomss/objex/token.cxx

799 lines
17 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1995 Microsoft Corporation
  5. Module Name:
  7. Token.cxx
  9. Abstract:
  11. Implementation for Windows NT security interfaces.
  13. Platform:
  15. Windows NT user mode.
  17. Notes:
  19. Not portable to non-Windows NT platforms.
  21. Author:
  23. Mario Goertzel [MarioGo]
  25. Revision History:
  27. MarioGo 12/21/1995 Bits 'n pieces
  29. --*/
  31. #include <or.hxx>
  32. #include <aclapi.h>
  33. #include <access.hxx>
  35. CRITICAL_SECTION gcsTokenLock;
  37. extern "C"
  38. {
  39. // The following is a private function provided to try to empiracally
  40. // determine if the two access token have been restricted with comparable
  41. // WinSafer authorization Levels. When TRUE is returned, the pdwResult
  42. // output parameter will receive any of the following values:
  43. // -1 = Client's access token is more authorized than Server's.
  44. // 0 = Client's access token is comparable level to Server's.
  45. // 1 = Server's access token is more authorized than Client's.
  46. // BUGBUG: Remove when we discover which private header this thing is in.
  48. WINADVAPI
  49. BOOL WINAPI
  50. SaferiCompareTokenLevels (
  51. IN HANDLE ClientAccessToken,
  52. IN HANDLE ServerAccessToken,
  53. OUT PDWORD pdwResult
  54. );
  55. }
  58. ORSTATUS
  59. LookupOrCreateToken2(
  60. IN HANDLE hClientToken,
  61. OUT CToken **ppToken
  62. )
  63. /*++
  65. Routine Description:
  67. Finds or allocates a new token object for the caller.
  69. Arguments:
  71. hCaller - RPC binding handle of the caller of RPCSS.
  73. pToken - Upon a successful return this will hold the token.
  74. It can be destroyed by calling Release();
  76. Return Value:
  79. OR_OK - success
  80. OR_NOACCESS - If the caller is not local, or cannot be impersonated.
  81. OR_NOMEM - Unable to allocate an object.
  83. --*/
  84. {
  85. ORSTATUS status;
  86. UINT type;
  87. LUID luid;
  88. PTOKEN_USER ptu;
  89. TOKEN_STATISTICS ts;
  90. BOOL fSuccess;
  91. DWORD needed;
  92. HANDLE hJobObject = NULL;
  93. LUID luidMod;
  95. needed = sizeof(ts);
  96. fSuccess = GetTokenInformation(hClientToken,
  97. TokenStatistics,
  98. &ts,
  99. sizeof(ts),
  100. &needed
  101. );
  102. if (!fSuccess)
  103. {
  104. KdPrintEx((DPFLTR_DCOMSS_ID,
  105. DPFLTR_WARNING_LEVEL,
  106. "OR: GetTokenInfo failed %d\n",
  107. GetLastError()));
  109. ASSERT(GetLastError() != ERROR_INSUFFICIENT_BUFFER);
  110. status = OR_NOMEM;
  111. goto Cleanup;
  112. }
  114. luid = ts.AuthenticationId;
  115. luidMod = ts.ModifiedId;
  116. //
  117. // Check if the token is already in the list
  118. //
  120. {
  121. CMutexLock lock(&gcsTokenLock);
  123. CListElement *ple;
  125. ple = gpTokenList->First();
  127. fSuccess = FALSE;
  128. while(ple)
  129. {
  130. CToken *pToken = CToken::ContainingRecord(ple);
  132. if (pToken->MatchLuid(luid) &&
  133. (pToken->MatchModifiedLuid(luidMod)) &&
  134. (S_OK == pToken->MatchToken(hClientToken, TRUE)))
  135. {
  136. pToken->AddRef();
  137. *ppToken = pToken;
  138. status = OR_OK;
  139. fSuccess = TRUE;
  140. break;
  141. }
  142. else
  143. {
  144. ple = ple->Next();
  145. }
  146. }
  147. }
  149. if (fSuccess)
  150. {
  151. status = OR_OK;
  152. CloseHandle(hClientToken);
  153. goto Cleanup;
  154. }
  156. //
  157. // New user, need to allocate a token object.
  158. //
  160. // Lookup the SID to store in the new token object.
  162. needed = DEBUG_MIN(1, 0x2c);
  164. do
  165. {
  166. ptu = (PTOKEN_USER)alloca(needed);
  167. ASSERT(ptu);
  169. fSuccess = GetTokenInformation(hClientToken,
  170. TokenUser,
  171. (PBYTE)ptu,
  172. needed,
  173. &needed);
  175. // If this assert is hit increase the 24 both here and above
  176. ASSERT(needed <= 0x2c);
  177. }
  178. while ( fSuccess == FALSE
  179. && GetLastError() == ERROR_INSUFFICIENT_BUFFER);
  181. if (!fSuccess)
  182. {
  183. KdPrintEx((DPFLTR_DCOMSS_ID,
  184. DPFLTR_WARNING_LEVEL,
  185. "OR: GetTokenInfo (2) failed %d\n",
  186. GetLastError()));
  188. ASSERT(GetLastError() != ERROR_INSUFFICIENT_BUFFER);
  189. status = OR_NOMEM;
  190. goto Cleanup;
  191. }
  193. PSID psid;
  194. psid = ptu->User.Sid;
  195. ASSERT(IsValidSid(psid) == TRUE);
  197. // Allocate the token object
  199. needed = GetLengthSid(psid) - sizeof(SID);
  200. *ppToken = new(needed) CToken(hClientToken,
  201. hJobObject,
  202. luid,
  203. psid,
  204. needed + sizeof(SID));
  206. if (*ppToken)
  207. {
  208. CMutexLock lock(&gcsTokenLock);
  210. (*ppToken)->Insert();
  212. status = OR_OK;
  214. #if DBG_DETAIL
  215. {
  216. DWORD d = 50;
  217. WCHAR buffer[50];
  218. GetUserName(buffer, &d);
  219. KdPrintEx((DPFLTR_DCOMSS_ID,
  220. DPFLTR_WARNING_LEVEL,
  221. "OR: New user connected: %S (%p)\n",
  222. buffer,
  223. *ppToken));
  224. }
  225. #endif
  227. }
  228. else
  229. {
  230. status = OR_NOMEM;
  231. }
  233. Cleanup:
  235. if (OR_OK != status)
  236. {
  237. if (NULL != hJobObject)
  238. CloseHandle(hJobObject);
  239. }
  241. // status contains the result of the operation.
  243. return(status);
  244. }
  247. ORSTATUS
  248. LookupOrCreateToken(
  249. IN handle_t hCaller,
  250. IN BOOL fLocal,
  251. OUT CToken **ppToken
  252. )
  253. /*++
  255. Routine Description:
  257. Finds or allocates a new token object for the caller.
  259. Arguments:
  261. hCaller - RPC binding handle of the caller of RPCSS.
  263. fLocal - Looking up a local client, check local security.
  265. pToken - Upon a successful return this will hold the token.
  266. It can be destroyed by calling Release();
  268. Return Value:
  271. OR_OK - success
  272. OR_NOACCESS - If the caller is not local, or cannot be impersonated.
  273. OR_NOMEM - Unable to allocate an object.
  275. --*/
  276. {
  277. ORSTATUS status;
  278. UINT type;
  279. HANDLE hClientToken = 0;
  280. BOOL fSuccess;
  282. if (fLocal)
  283. {
  284. status = I_RpcBindingInqTransportType(hCaller, &type);
  286. if (status != RPC_S_OK || type != TRANSPORT_TYPE_LPC)
  287. {
  288. return(OR_NOACCESS);
  289. }
  290. }
  292. status = RpcImpersonateClient(hCaller);
  293. if (status != RPC_S_OK)
  294. {
  295. return(OR_NOACCESS);
  296. }
  298. fSuccess = OpenThreadToken(GetCurrentThread(),
  299. TOKEN_ALL_ACCESS,
  300. TRUE,
  301. &hClientToken);
  303. if (fSuccess)
  304. {
  305. status = LookupOrCreateToken2(hClientToken, ppToken);
  306. if(OR_OK == status)
  307. {
  308. // The token object now controls the life of the token handle
  309. hClientToken = 0;
  310. }
  311. else
  312. {
  313. CloseHandle(hClientToken);
  314. hClientToken = 0;
  315. }
  316. }
  317. else
  318. {
  319. KdPrintEx((DPFLTR_DCOMSS_ID,
  320. DPFLTR_WARNING_LEVEL,
  321. "OR: OpenThreadToken failed %d\n",
  322. GetLastError()));
  324. status = OR_NOMEM;
  325. ASSERT(hClientToken == 0);
  326. goto Cleanup;
  327. }
  330. Cleanup:
  331. // status contains the result of the operation.
  333. RPC_STATUS t = RpcRevertToSelfEx(hCaller);
  334. ASSERT(t == RPC_S_OK);
  336. return(status);
  337. }
  339. CToken::~CToken()
  340. {
  341. ASSERT(_lHKeyRefs == 0);
  342. ASSERT(_hHKCRKey == NULL);
  344. if (_hHKCRKey != NULL)
  345. {
  346. // Shouldn't happen...but close it anyway just in
  347. // case. Assert above will catch this if it occurs
  348. RegCloseKey(_hHKCRKey);
  349. }
  351. CloseHandle(_hImpersonationToken);
  353. if (NULL != _hJobObject)
  354. {
  355. TerminateJobObject(_hJobObject, 0);
  356. CloseHandle(_hJobObject);
  357. }
  358. }
  360. STDMETHODIMP CToken::QueryInterface(REFIID riid, LPVOID* ppv)
  361. {
  362. if (riid == IID_IUnknown || riid == IID_IUserToken)
  363. {
  364. *ppv = this;
  365. AddRef();
  366. return S_OK;
  367. }
  368. return E_NOINTERFACE;
  369. }
  371. STDMETHODIMP_(ULONG) CToken::AddRef()
  372. {
  373. return InterlockedIncrement(&_lRefs);
  374. }
  376. STDMETHODIMP_(ULONG) CToken::Release()
  377. {
  378. LONG lNewRefs;
  380. CMutexLock lock(&gcsTokenLock);
  382. lNewRefs = InterlockedDecrement(&_lRefs);
  383. if (lNewRefs == 0)
  384. {
  385. Remove();
  386. delete this;
  387. }
  389. return lNewRefs;
  390. }
  393. STDMETHODIMP
  394. CToken::GetUserClassesRootKey(HKEY* phKey)
  395. {
  396. CMutexLock lock(&gcsTokenLock);
  398. if ( _lHKeyRefs++ == 0 )
  399. {
  400. ASSERT(_hHKCRKey == NULL);
  402. // The original IUserToken implementation allowed for not
  403. // having a token. That should never happen with a CToken.
  404. ASSERT(_hImpersonationToken);
  406. // Open per-user hive
  407. LONG lRet = RegOpenUserClassesRoot(_hImpersonationToken,
  408. 0,
  409. KEY_READ,
  410. &_hHKCRKey);
  411. if (lRet != ERROR_SUCCESS)
  412. {
  413. // In case of an error, we fall back on HKCR since that
  414. // is what the original IUserToken implementation did.
  415. _hHKCRKey = HKEY_CLASSES_ROOT;
  416. }
  417. }
  419. *phKey = _hHKCRKey;
  421. ASSERT(*phKey != NULL);
  423. return S_OK;
  424. }
  426. STDMETHODIMP
  427. CToken::ReleaseUserClassesRootKey()
  428. {
  429. CMutexLock lock(&gcsTokenLock);
  431. ASSERT(_lHKeyRefs > 0);
  432. ASSERT(_hHKCRKey != NULL);
  434. if (--_lHKeyRefs == 0)
  435. {
  436. if (_hHKCRKey != HKEY_CLASSES_ROOT)
  437. {
  438. RegCloseKey(_hHKCRKey);
  439. }
  441. _hHKCRKey = NULL;
  442. }
  444. return S_OK;
  445. }
  447. STDMETHODIMP
  448. CToken::GetUserSid(BYTE **ppSid, USHORT *pcbSid)
  449. {
  450. // IUserToken interface assumes that sid lengths always
  451. // <= USHRT_MAX. Truncating here on purpose; assert is
  452. // to catch cases where this is a bad idea. GetLengthSid
  453. // is a very cheap call, so there's no need to cache it.
  454. DWORD dwSidLen = GetLengthSid(&_sid);
  455. ASSERT(dwSidLen <= USHRT_MAX);
  457. *pcbSid = (USHORT)dwSidLen;
  458. *ppSid = (BYTE*)&_sid;
  460. return S_OK;
  461. }
  463. void
  464. CToken::Impersonate()
  465. {
  466. ASSERT(_hImpersonationToken);
  468. BOOL f = SetThreadToken(0, _hImpersonationToken);
  469. ASSERT(f);
  471. return;
  472. }
  474. void
  475. CToken::Revert()
  476. {
  477. BOOL f = SetThreadToken(0, 0);
  478. ASSERT(f);
  479. return;
  480. }
  482. ULONG GetSessionId2(
  483. HANDLE hToken)
  484. {
  485. BOOL Result;
  486. ULONG SessionId = 0;
  487. ULONG ReturnLength;
  489. //
  490. // Use the _HYDRA_ extension to GetTokenInformation to
  491. // return the SessionId from the token.
  492. //
  494. Result = GetTokenInformation(
  495. hToken,
  496. TokenSessionId,
  497. &SessionId,
  498. sizeof(SessionId),
  499. &ReturnLength
  500. );
  502. if( !Result ) {
  503. SessionId = 0; // Default to console
  504. }
  506. return SessionId;
  507. }
  509. ULONG CToken::GetSessionId()
  510. {
  511. return GetSessionId2(_hImpersonationToken);
  512. }
  514. BOOL CToken::MatchModifiedLuid(LUID luid)
  515. {
  516. ASSERT(_hImpersonationToken);
  518. TOKEN_STATISTICS ts;
  519. BOOL fSuccess;
  520. DWORD needed;
  521. LUID luidMod;
  522. needed = sizeof(ts);
  523. fSuccess = GetTokenInformation(_hImpersonationToken,
  524. TokenStatistics,
  525. &ts,
  526. sizeof(ts),
  527. &needed
  528. );
  529. if (!fSuccess)
  530. {
  531. KdPrintEx((DPFLTR_DCOMSS_ID,
  532. DPFLTR_WARNING_LEVEL,
  533. "OR: GetTokenInfo failed %d\n",
  534. GetLastError()));
  536. ASSERT(GetLastError() != ERROR_INSUFFICIENT_BUFFER);
  537. return FALSE;
  538. }
  539. luidMod = ts.ModifiedId;
  540. return( luidMod.LowPart == luid.LowPart
  541. && luidMod.HighPart == luid.HighPart);
  542. }
  544. HRESULT CompareRestrictedSids(
  545. HANDLE hToken1,
  546. HANDLE hToken2)
  547. {
  548. HRESULT hr = S_OK;
  549. PSID pRestrictedSid1 = NULL;
  550. PSID pRestrictedSid2 = NULL;
  552. #if(_WIN32_WINNT >= 0x0500)
  553. PTOKEN_GROUPS pSids1;
  554. PTOKEN_GROUPS pSids2;
  555. NTSTATUS error;
  556. ULONG needed;
  558. //Get restricted SIDs.
  559. needed = DEBUG_MIN(1, 300);
  560. do
  561. {
  562. pSids1 = (PTOKEN_GROUPS) alloca(needed);
  564. error = NtQueryInformationToken(hToken1,
  565. TokenRestrictedSids,
  566. pSids1,
  567. needed,
  568. &needed);
  570. }
  571. while (error == STATUS_BUFFER_TOO_SMALL);
  573. if(!error && pSids1->GroupCount > 0)
  574. {
  575. pRestrictedSid1 = pSids1->Groups[0].Sid;
  576. }
  578. //Get restricted SIDs.
  579. needed = DEBUG_MIN(1, 300);
  580. do
  581. {
  582. pSids2 = (PTOKEN_GROUPS) alloca(needed);
  584. error = NtQueryInformationToken(hToken2,
  585. TokenRestrictedSids,
  586. pSids2,
  587. needed,
  588. &needed);
  590. }
  591. while (error == STATUS_BUFFER_TOO_SMALL);
  593. if(!error && pSids2->GroupCount > 0)
  594. {
  595. pRestrictedSid2 = pSids2->Groups[0].Sid;
  596. }
  598. if(pRestrictedSid1 && pRestrictedSid2)
  599. {
  600. //We have two restricted tokens.
  601. //Compare the first restricted SID.
  602. if(EqualSid(pRestrictedSid1, pRestrictedSid2))
  603. {
  604. hr = S_OK;
  605. }
  606. else
  607. {
  608. hr = S_FALSE;
  609. }
  610. }
  611. else if(pRestrictedSid1 || pRestrictedSid2)
  612. {
  613. //We have one restricted token and one normal token.
  614. hr = S_FALSE;
  615. }
  616. else
  617. {
  618. //We have two normal tokens.
  619. hr = S_OK;
  620. }
  622. #endif //(_WIN32_WINNT >= 0x0500)
  623. return hr;
  624. }
  627. HRESULT
  628. CToken::MatchToken(
  629. IN HANDLE hToken,
  630. IN BOOL bMatchRestricted)
  631. {
  632. HRESULT hr;
  633. NTSTATUS error;
  634. PTOKEN_USER ptu;
  635. DWORD needed = DEBUG_MIN(1, 0x2c);
  637. //Get the user SID.
  638. do
  639. {
  640. ptu = (PTOKEN_USER)alloca(needed);
  642. error = NtQueryInformationToken(hToken,
  643. TokenUser,
  644. (PBYTE)ptu,
  645. needed,
  646. &needed);
  648. // If this assert is hit increase the 24 both here and above
  649. ASSERT(needed <= 0x2c);
  650. }
  651. while (error == STATUS_BUFFER_TOO_SMALL);
  653. if (error)
  654. {
  655. KdPrintEx((DPFLTR_DCOMSS_ID,
  656. DPFLTR_WARNING_LEVEL,
  657. "OR: GetTokenInfo (2) failed %d\n",
  658. error));
  660. return HRESULT_FROM_WIN32(error);
  661. }
  663. //Compare the user SID.
  664. if(!EqualSid(ptu->User.Sid, &_sid))
  665. return S_FALSE;
  667. //Compare the Hydra session ID.
  668. if(GetSessionId2(hToken) != GetSessionId())
  669. return S_FALSE;
  671. //Compare the restricted SID.
  672. if (bMatchRestricted)
  673. hr = CompareRestrictedSids(hToken, _hImpersonationToken);
  674. else
  675. hr = S_OK;
  677. return hr;
  678. }
  680. HRESULT
  681. CToken::MatchToken2(
  682. IN CToken *pToken,
  683. IN BOOL bMatchRestricted)
  684. {
  685. HRESULT hr;
  687. if(!pToken)
  688. return S_OK;
  690. //Compare the user SID.
  691. if(!EqualSid(&pToken->_sid, &_sid))
  692. return S_FALSE;
  694. //Compare the Hydra session id.
  695. if(GetSessionId2(pToken->_hImpersonationToken) != GetSessionId())
  696. return S_FALSE;
  698. //Compare the restricted SID.
  699. if (bMatchRestricted)
  700. hr = CompareRestrictedSids(pToken->_hImpersonationToken, _hImpersonationToken);
  701. else
  702. hr = S_OK;
  704. return hr;
  705. }
  707. HRESULT
  708. CToken::CompareSaferLevels(CToken *pToken)
  709. /*++
  711. Routine Description:
  713. Compare the safer trust level of the specified token with
  714. our own.
  716. Arguments:
  718. pToken - token to compare against
  720. Return Value:
  722. S_FALSE: This token is of lesser authorization than the
  723. other token.
  724. S_OK: This token is of greater or equal authorization
  725. than the other token.
  727. Anything else: An error occured.
  729. --*/
  730. {
  731. if (!pToken) return S_OK;
  733. return CompareSaferLevels(pToken->_hImpersonationToken);
  734. }
  736. HRESULT
  737. CToken::CompareSaferLevels(HANDLE hToken)
  738. /*++
  740. Routine Description:
  742. Compare the safer trust level of the specified token with
  743. our own.
  745. Arguments:
  747. hToken - token to compare against
  749. Return Value:
  751. S_FALSE: This token is of lesser authorization than the
  752. other token.
  753. S_OK: This token is of greater or equal authorization
  754. than the other token.
  756. Anything else: An error occured.
  758. --*/
  759. {
  760. HRESULT hr = S_OK;
  761. DWORD dwResult;
  762. BOOL bRet = SaferiCompareTokenLevels(_hImpersonationToken, hToken,
  763. &dwResult);
  764. if (bRet)
  765. {
  766. // -1 = Client's access token (_hImpersonationToken) is more authorized
  767. // than Server's (hToken).
  768. if ( ((LONG)dwResult) > 0 )
  769. hr = S_FALSE;
  770. }
  771. else
  772. hr = HRESULT_FROM_WIN32(GetLastError());
  774. return hr;
  775. }
  777. // NT #307301
  778. // Sometimes we just need to check the SessionID
  780. HRESULT
  781. CToken::MatchTokenSessionID(CToken *pToken)
  782. {
  783. //Compare the Hydra session id.
  784. if(GetSessionId2(pToken->_hImpersonationToken) != GetSessionId())
  785. return S_FALSE;
  787. return S_OK;
  788. }
  790. //
  791. // MatchTokenLUID
  792. //
  793. // Compares this token's LUID to that of the passed in token.
  794. // Returns S_OK on a match, S_FALSE on a mismatch.
  795. //
  796. HRESULT CToken::MatchTokenLuid(CToken* pToken)
  797. {
  798. return MatchLuid(pToken->_luid) ? S_OK : S_FALSE;
  799. }