Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

381 lines
8.9 KiB

  1. // Copyright (c) 1996-1999 Microsoft Corporation
  2. //+-------------------------------------------------------------------------
  3. //
  4. // Microsoft Windows
  5. //
  6. // File: secure.cxx
  7. //
  8. // This file contains wrapper classes for the NT security
  9. // objects.
  10. //
  11. // Contents: Code common to Tracking (Workstation) Service and
  12. // Tracking (Server) Service.
  13. //
  14. // Classes: CACL, CSID, and CSecDescriptor
  15. //
  16. // History: 28-Jan-98 MikeHill Created
  17. //
  18. // Notes:
  19. //
  20. //--------------------------------------------------------------------------
  21. #include "pch.cxx"
  22. #pragma hdrstop
  23. #include "trklib.hxx"
  24. //+-------------------------------------------------------------------
  25. //
  26. // Function: CACL::Initialize, public
  27. //
  28. // Synopsis: Initialize the ACL by allocating a buffer
  29. // and calling InitializeAcl on it.
  30. //
  31. // Arguments: None
  32. //
  33. // Returns: None
  34. //
  35. //--------------------------------------------------------------------
  36. VOID
  37. CACL::Initialize()
  38. {
  39. _fInitialized = TRUE;
  40. _pacl = (PACL) new BYTE[ MIN_ACL_SIZE ];
  41. if( NULL == _pacl )
  42. TrkRaiseWin32Error( ERROR_NOT_ENOUGH_MEMORY );
  43. _cbacl = MIN_ACL_SIZE;
  44. if( !InitializeAcl( _pacl, _cbacl, ACL_REVISION ))
  45. {
  46. TrkLog((TRKDBG_ERROR, TEXT("Failed InitializeAcl")) );
  47. TrkRaiseLastError();
  48. }
  49. _fDirty = TRUE;
  50. }
  51. //+-------------------------------------------------------------------
  52. //
  53. // Function: CACL::UnInitialize, public
  54. //
  55. // Synopsis: Free the ACL.
  56. //
  57. // Arguments: None
  58. //
  59. // Returns: None
  60. //
  61. //--------------------------------------------------------------------
  62. VOID
  63. CACL::UnInitialize()
  64. {
  65. if( _fInitialized )
  66. {
  67. if( NULL != _pacl )
  68. {
  69. delete [] _pacl;
  70. }
  71. _fInitialized = FALSE;
  72. }
  73. }
  74. //+-------------------------------------------------------------------
  75. //
  76. // Function: CACL::Initialize, public
  77. //
  78. // Synopsis: Initialize a SID with its authority
  79. // and sub-authority(ies).
  80. //
  81. // Arguments: [enumCSIDAuthority] (in)
  82. // An enumeration which tells us which of the
  83. // standard authorities to use.
  84. // [cSubAuthorities] (in)
  85. // The number of sub-auths in this SID.
  86. // [dwSubAuthority?] (in)
  87. // The Sub-Authorities.
  88. //
  89. // Returns: None
  90. //
  91. //--------------------------------------------------------------------
  92. VOID
  93. CSID::Initialize( enumCSIDAuthority enumcsidAuthority,
  94. BYTE cSubAuthorities ,
  95. DWORD dwSubAuthority0 = 0,
  96. DWORD dwSubAuthority1 = 0,
  97. DWORD dwSubAuthority2 = 0,
  98. DWORD dwSubAuthority3 = 0,
  99. DWORD dwSubAuthority4 = 0,
  100. DWORD dwSubAuthority5 = 0,
  101. DWORD dwSubAuthority6 = 0,
  102. DWORD dwSubAuthority7 = 0 )
  103. {
  104. SID_IDENTIFIER_AUTHORITY rgsid_identifier_authority[] = { SECURITY_NT_AUTHORITY };
  105. TrkAssert(!_fInitialized);
  106. _fInitialized = TRUE;
  107. _psid = NULL;
  108. if( !AllocateAndInitializeSid( &rgsid_identifier_authority[ enumcsidAuthority ],
  109. cSubAuthorities,
  110. dwSubAuthority0,
  111. dwSubAuthority1,
  112. dwSubAuthority2,
  113. dwSubAuthority3,
  114. dwSubAuthority4,
  115. dwSubAuthority5,
  116. dwSubAuthority6,
  117. dwSubAuthority7,
  118. &_psid ))
  119. {
  120. TrkLog((TRKDBG_ERROR, TEXT("AllocateAndInitializeSid failed")));
  121. TrkRaiseLastError();
  122. }
  123. }
  124. //+-------------------------------------------------------------------
  125. //
  126. // Function: CSID::UnInitialize, public
  127. //
  128. // Synopsis: Free the SID.
  129. //
  130. // Arguments: None
  131. //
  132. // Returns: None
  133. //
  134. //--------------------------------------------------------------------
  135. VOID
  136. CSID::UnInitialize()
  137. {
  138. if( _fInitialized )
  139. {
  140. if( NULL != _psid )
  141. {
  142. FreeSid( _psid ); // Alloc-ed with AllocAndInitializeSid()
  143. }
  144. _fInitialized = FALSE;
  145. }
  146. }
  147. //+-------------------------------------------------------------------
  148. //
  149. // Function: CSecDescriptor::_Allocate, public
  150. //
  151. // Synopsis: Allocate a Security Descriptor.
  152. //
  153. // Arguments: [cb]
  154. // Size of buffer to allocate for SD.
  155. //
  156. // Returns: None
  157. //
  158. //--------------------------------------------------------------------
  159. void
  160. CSecDescriptor::_Allocate( ULONG cb )
  161. {
  162. PSECURITY_DESCRIPTOR psd;
  163. psd = (PSECURITY_DESCRIPTOR) new BYTE[ cb ];
  164. if( NULL == psd )
  165. TrkRaiseWin32Error( ERROR_NOT_ENOUGH_MEMORY );
  166. if( NULL != _psd )
  167. delete [] _psd;
  168. _psd = psd;
  169. }
  170. //+-------------------------------------------------------------------
  171. //
  172. // Function: CSecDescriptor::Initialize, public
  173. //
  174. // Synopsis: Allocate a SD, and call a Security API to init it.
  175. //
  176. // Arguments: None
  177. //
  178. // Returns: None
  179. //
  180. //--------------------------------------------------------------------
  181. VOID
  182. CSecDescriptor::Initialize()
  183. {
  184. _fInitialized = TRUE;
  185. _Allocate( SECURITY_DESCRIPTOR_MIN_LENGTH );
  186. if( !InitializeSecurityDescriptor( _psd,
  187. SECURITY_DESCRIPTOR_REVISION ))
  188. {
  189. TrkLog((TRKDBG_ERROR, TEXT("Failed InitializeSecurityDescriptor")));
  190. TrkRaiseLastError();
  191. }
  192. if( !SetSecurityDescriptorControl( _psd,
  193. SE_DACL_AUTO_INHERITED,
  194. SE_DACL_AUTO_INHERITED ))
  195. {
  196. TrkLog(( TRKDBG_ERROR, TEXT("Failed InitializeSecurityDescriptor (SetSecurityDescriptorControl") ));
  197. TrkRaiseLastError();
  198. }
  199. }
  200. //+-------------------------------------------------------------------
  201. //
  202. // Function: CSecDescriptor::UnInitialize, public
  203. //
  204. // Synopsis: Free the SD buffer, and free its ACLs.
  205. //
  206. // Arguments: None
  207. //
  208. // Returns: None
  209. //
  210. //--------------------------------------------------------------------
  211. VOID
  212. CSecDescriptor::UnInitialize()
  213. {
  214. if( _fInitialized )
  215. {
  216. if( NULL != _psd )
  217. {
  218. delete [] _psd;
  219. }
  220. _cDacl.UnInitialize();
  221. _cSacl.UnInitialize();
  222. _fInitialized = FALSE;
  223. }
  224. }
  225. //+-------------------------------------------------------------------
  226. //
  227. // Function: CSecDescriptor::AddAce, public
  228. //
  229. // Synopsis: Adds an ACE (access allowed or denied) to an
  230. // ACL in this SID.
  231. //
  232. // Arguments: [enumAclType] (in)
  233. // Either ACL_DACL or ACL_SACL.
  234. // [enumAccessType] (in)
  235. // Either AT_ACCESS_ALLOWED or AT_ACCESS_DENIED.
  236. // [access_mask] (in)
  237. // The access bits to put in this ACE.
  238. // [psid] (in)
  239. // The SID to put in this ACE.
  240. //
  241. // Returns: None
  242. //
  243. //--------------------------------------------------------------------
  244. void
  245. CSecDescriptor::AddAce( const enumAclType AclType, const enumAccessType AccessType,
  246. const ACCESS_MASK access_mask, const PSID psid )
  247. {
  248. BOOL fSuccess;
  249. // Get a pointer to the member CACL object.
  250. CACL *pcacl = ACL_IS_DACL == AclType ? &_cDacl : &_cSacl;
  251. // Initialize the CACL if necessary.
  252. if( !pcacl->IsInitialized() )
  253. pcacl->Initialize();
  254. // Size the ACL appropriately
  255. //pcacl->SetSize( psid ); // Not currently implemented.
  256. // Add the ACE to the appropriate ACL.
  257. if( AT_ACCESS_ALLOWED == AccessType )
  258. {
  259. fSuccess = pcacl->AddAccessAllowed( access_mask, psid );
  260. }
  261. else
  262. {
  263. fSuccess = pcacl->AddAccessDenied( access_mask, psid );
  264. }
  265. if( !fSuccess )
  266. {
  267. TrkLog((TRKDBG_ERROR, TEXT("Couldn't add an ACE to an ACL")));
  268. TrkRaiseLastError();
  269. }
  270. return;
  271. }
  272. //+-------------------------------------------------------------------
  273. //
  274. // Function: CSecDescriptor::_ReloadAcl, public
  275. //
  276. // Synopsis: Puts the member ACLs back into the member
  277. // Security Descriptor, if they are dirty.
  278. //
  279. // Arguments: [enumAclType] (in)
  280. // Either ACL_DACL or ACL_SACL.
  281. //
  282. // Returns: None
  283. //
  284. //--------------------------------------------------------------------
  285. VOID
  286. CSecDescriptor::_ReloadAcl( enumAclType AclType )
  287. {
  288. if( ACL_IS_DACL == AclType && _cDacl.IsDirty() )
  289. {
  290. if( !SetSecurityDescriptorDacl( _psd, TRUE, _cDacl, FALSE ))
  291. {
  292. TrkLog((TRKDBG_ERROR, TEXT("Couldn't put DACL into SD")));
  293. TrkRaiseLastError();
  294. }
  295. _cDacl.ClearDirty();
  296. }
  297. else if( ACL_IS_SACL == AclType && _cSacl.IsDirty() )
  298. {
  299. if( !SetSecurityDescriptorSacl( _psd, TRUE, _cSacl, FALSE ))
  300. {
  301. TrkLog((TRKDBG_ERROR, TEXT("Couldn't put SACL into SD")));
  302. TrkRaiseLastError();
  303. }
  304. _cSacl.ClearDirty();
  305. }
  306. }