archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 75c48ba87f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '75c48ba87f'
${ noResults }
windows-xp/Source/XPSP1/NT/shell/shlwapi/shellacl.c

335 lines
10 KiB
Raw Normal View History

Add source files
4 years ago
  1. #include "priv.h"
  2. #pragma hdrstop
  5. //---------------------------------------------------------------------------
  6. // GetUserToken - Gets the current process's user token and returns
  7. // it. It can later be free'd with LocalFree.
  8. //
  9. // REARCHITECT (reinerf) - stolen from shell32\securent.c, we should consolidate
  10. // the code somewhere and export it
  11. //---------------------------------------------------------------------------
  12. PTOKEN_USER GetUserToken(HANDLE hUser)
  13. {
  14. PTOKEN_USER pUser;
  15. DWORD dwSize = 64;
  16. HANDLE hToClose = NULL;
  18. if (hUser == NULL)
  19. {
  20. OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hUser);
  21. hToClose = hUser;
  22. }
  24. pUser = (PTOKEN_USER)LocalAlloc(LPTR, dwSize);
  25. if (pUser)
  26. {
  27. DWORD dwNewSize;
  28. BOOL fOk = GetTokenInformation(hUser, TokenUser, pUser, dwSize, &dwNewSize);
  29. if (!fOk && (GetLastError() == ERROR_INSUFFICIENT_BUFFER))
  30. {
  31. LocalFree((HLOCAL)pUser);
  33. pUser = (PTOKEN_USER)LocalAlloc(LPTR, dwNewSize);
  34. if (pUser)
  35. {
  36. fOk = GetTokenInformation(hUser, TokenUser, pUser, dwNewSize, &dwNewSize);
  37. }
  38. }
  39. if (!fOk)
  40. {
  41. LocalFree((HLOCAL)pUser);
  42. pUser = NULL;
  43. }
  44. }
  46. if (hToClose)
  47. {
  48. CloseHandle(hToClose);
  49. }
  51. return pUser;
  52. }
  54. //
  55. // checks to see if the SHELL_USER_SID is all zeros (flag which means we should really use the users current sid)
  56. //
  57. __inline BOOL IsCurrentUserShellSID(PSHELL_USER_SID psusID)
  58. {
  59. SID_IDENTIFIER_AUTHORITY sidNULL = {0};
  61. if ((psusID->dwUserGroupID == 0) &&
  62. (psusID->dwUserID == 0) &&
  63. memcmp(&psusID->sidAuthority, &sidNULL, sizeof(SID_IDENTIFIER_AUTHORITY)) == 0)
  64. {
  65. return TRUE;
  66. }
  68. return FALSE;
  69. }
  72. //
  73. // Sets the specified ACE in the ACL to have dwAccessMask permissions.
  74. //
  75. __inline BOOL MakeACEInheritable(PACL pAcl, int iIndex, DWORD dwAccessMask)
  76. {
  77. ACE_HEADER* pAceHeader;
  79. if (GetAce(pAcl, iIndex, (LPVOID*)&pAceHeader))
  80. {
  81. pAceHeader->AceFlags |= dwAccessMask;
  82. return TRUE;
  83. }
  85. return FALSE;
  86. }
  89. //
  90. // Helper function to generate a SECURITY_DESCRIPTOR with the specified rights
  91. //
  92. // OUT: psd - A pointer to a uninitialized SECURITY_DESCRIPTOR struct to be inited and filled in
  93. // in by this function
  94. //
  95. // IN: PSHELL_USER_PERMISSION - An array of PSHELL_USER_PERMISSION pointers that specify what access to grant
  96. // cUserPerm - The count of PSHELL_USER_PERMISSION pointers in the array above
  97. //
  98. //
  99. STDAPI_(SECURITY_DESCRIPTOR*) GetShellSecurityDescriptor(PSHELL_USER_PERMISSION* apUserPerm, int cUserPerm)
  100. {
  101. BOOL fSuccess = TRUE; // assume success
  102. SECURITY_DESCRIPTOR* pSD = NULL;
  103. PSID* apSids = NULL;
  104. int cAces = cUserPerm; // one ACE for each entry to start with
  105. int iAceIndex = 0; // helps us keep count of how many ACE's we have added (count as we go)
  106. PTOKEN_USER pUserToken = NULL;
  107. DWORD cbSidLength = 0;
  108. DWORD cbAcl;
  109. PACL pAcl;
  110. int i;
  112. ASSERT(!IsBadReadPtr(apUserPerm, sizeof(PSHELL_USER_PERMISSION) * cUserPerm));
  114. // healthy parameter checking
  115. if (!apUserPerm || cUserPerm <= 0)
  116. {
  117. return NULL;
  118. }
  120. // first find out how many additional ACE's we are going to need
  121. // because of inheritance
  122. for (i = 0; i < cUserPerm; i++)
  123. {
  124. if (apUserPerm[i]->fInherit)
  125. {
  126. cAces++;
  127. }
  129. // also check to see if any of these are using susCurrentUser, in which case
  130. // we want to get the users token now so we have it already
  131. if ((pUserToken == NULL) && IsCurrentUserShellSID(&apUserPerm[i]->susID))
  132. {
  133. pUserToken = GetUserToken(NULL);
  134. if (!pUserToken)
  135. {
  136. DWORD dwLastError = GetLastError();
  137. TraceMsg(TF_WARNING, "Failed to get the users token. Error = %d", dwLastError);
  138. fSuccess = FALSE;
  139. goto cleanup;
  140. }
  141. }
  142. }
  144. // alloc the array to hold all the SID's
  145. apSids = (PSID*)LocalAlloc(LPTR, cUserPerm * sizeof(PSID));
  147. if (!apSids)
  148. {
  149. DWORD dwLastError = GetLastError();
  150. TraceMsg(TF_WARNING, "Failed allocate memory for %i SID's. Error = %d", cUserPerm, dwLastError);
  151. fSuccess = FALSE;
  152. goto cleanup;
  153. }
  155. // initialize the SID's
  156. for (i = 0; i < cUserPerm; i++)
  157. {
  158. DWORD cbSid;
  160. // check for the special case of susCurrentUser
  161. if (IsCurrentUserShellSID(&apUserPerm[i]->susID))
  162. {
  163. ASSERT(pUserToken);
  164. apSids[i] = pUserToken->User.Sid;
  165. }
  166. else
  167. {
  168. SID_IDENTIFIER_AUTHORITY sidAuthority = apUserPerm[i]->susID.sidAuthority;
  170. if (!AllocateAndInitializeSid(&sidAuthority,
  171. (BYTE)(apUserPerm[i]->susID.dwUserID ? 2 : 1), // if dwUserID is nonzero, then there are two SubAuthorities
  172. apUserPerm[i]->susID.dwUserGroupID,
  173. apUserPerm[i]->susID.dwUserID,
  174. 0, 0, 0, 0, 0, 0, &apSids[i]))
  175. {
  176. DWORD dwLastError = GetLastError();
  177. TraceMsg(TF_WARNING, "AllocateAndInitializeSid: Failed to initialze SID. Error = %d", cUserPerm, dwLastError);
  178. fSuccess = FALSE;
  179. goto cleanup;
  180. }
  181. }
  183. // add up all the SID lengths for an easy ACL size computation later...
  184. cbSid = GetLengthSid(apSids[i]);
  186. cbSidLength += cbSid;
  188. if (apUserPerm[i]->fInherit)
  189. {
  190. // if we have an inherit ACE as well, we need to add in the size of the SID again
  191. cbSidLength += cbSid;
  192. }
  194. }
  196. // calculate the size of the ACL we will be building (note: used sizeof(ACCESS_ALLOWED_ACE) b/c all ACE's are the same
  197. // size (excepting wacko object ACE's which we dont deal with).
  198. //
  199. // this makes the size computation easy, since the size of the ACL will be the size of all the ACE's + the size of the SID's.
  200. cbAcl = SIZEOF(ACL) + (cAces * (sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD))) + cbSidLength;
  202. // HACKHACK (reinerf)
  203. //
  204. // we allocate enough space for the SECURITY_DESCRIPTOR and the ACL together and pass them both back to the
  205. // caller to free. we need to to this since the SECURITY_DESCRIPTOR contains a pointer to the ACL
  206. pSD = (SECURITY_DESCRIPTOR*)LocalAlloc(LPTR, SIZEOF(SECURITY_DESCRIPTOR) + cbAcl);
  208. if (!pSD)
  209. {
  210. DWORD dwLastError = GetLastError();
  211. TraceMsg(TF_WARNING, "Failed to allocate space for the SECURITY_DESCRIPTOR and the ACL. Error = %d", dwLastError);
  212. fSuccess = FALSE;
  213. goto cleanup;
  214. }
  216. // set the address of the ACL to right after the SECURITY_DESCRIPTOR in the
  217. // block of memory we just allocated
  218. pAcl = (PACL)(pSD + 1);
  220. if (!InitializeAcl(pAcl, cbAcl, ACL_REVISION))
  221. {
  222. DWORD dwLastError = GetLastError();
  223. TraceMsg(TF_WARNING, "InitializeAcl: Failed to init the ACL. Error = %d", dwLastError);
  224. fSuccess = FALSE;
  225. goto cleanup;
  226. }
  228. for (i = 0; i < cUserPerm; i++)
  229. {
  230. BOOL bRet;
  232. // add the ACE's to the ACL
  233. if (apUserPerm[i]->dwAccessType == ACCESS_ALLOWED_ACE_TYPE)
  234. {
  235. bRet = AddAccessAllowedAce(pAcl, ACL_REVISION, apUserPerm[i]->dwAccessMask, apSids[i]);
  236. }
  237. else
  238. {
  239. bRet = AddAccessDeniedAce(pAcl, ACL_REVISION, apUserPerm[i]->dwAccessMask, apSids[i]);
  240. }
  242. if (!bRet)
  243. {
  244. DWORD dwLastError = GetLastError();
  245. TraceMsg(TF_WARNING, "AddAccessAllowed/DeniedAce: Failed to add SID. Error = %d", dwLastError);
  246. fSuccess = FALSE;
  247. goto cleanup;
  248. }
  250. // sucessfully added an ace
  251. iAceIndex++;
  253. ASSERT(iAceIndex <= cAces);
  255. // if its an inherit ACL, also add another ACE for the inheritance part
  256. if (apUserPerm[i]->fInherit)
  257. {
  258. // add the ACE's to the ACL
  259. if (apUserPerm[i]->dwAccessType == ACCESS_ALLOWED_ACE_TYPE)
  260. {
  261. bRet = AddAccessAllowedAce(pAcl, ACL_REVISION, apUserPerm[i]->dwInheritAccessMask, apSids[i]);
  262. }
  263. else
  264. {
  265. bRet = AddAccessDeniedAce(pAcl, ACL_REVISION, apUserPerm[i]->dwInheritAccessMask, apSids[i]);
  266. }
  268. if (!bRet)
  269. {
  270. DWORD dwLastError = GetLastError();
  271. TraceMsg(TF_WARNING, "AddAccessAllowed/DeniedAce: Failed to add SID. Error = %d", dwLastError);
  272. fSuccess = FALSE;
  273. goto cleanup;
  274. }
  276. if (!MakeACEInheritable(pAcl, iAceIndex, apUserPerm[i]->dwInheritMask))
  277. {
  278. DWORD dwLastError = GetLastError();
  279. TraceMsg(TF_WARNING, "MakeACEInheritable: Failed to add SID. Error = %d", dwLastError);
  280. fSuccess = FALSE;
  281. goto cleanup;
  282. }
  284. // sucessfully added another ace
  285. iAceIndex++;
  287. ASSERT(iAceIndex <= cAces);
  288. }
  289. }
  291. if (!InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION))
  292. {
  293. DWORD dwLastError = GetLastError();
  294. TraceMsg(TF_WARNING, "InitializeSecurityDescriptor: Failed to init the descriptor. Error = %d", dwLastError);
  295. fSuccess = FALSE;
  296. goto cleanup;
  297. }
  299. if (!SetSecurityDescriptorDacl(pSD, TRUE, pAcl, FALSE))
  300. {
  301. DWORD dwLastError = GetLastError();
  302. TraceMsg(TF_WARNING, "SetSecurityDescriptorDacl: Failed to set the DACL. Error = %d", dwLastError);
  303. fSuccess = FALSE;
  304. goto cleanup;
  305. }
  307. cleanup:
  308. if (apSids)
  309. {
  310. for (i = 0; i < cUserPerm; i++)
  311. {
  312. if (apSids[i])
  313. {
  314. // if this is one of the ones we allocated (eg not the users sid), free it
  315. if (!pUserToken || (apSids[i] != pUserToken->User.Sid))
  316. {
  317. FreeSid(apSids[i]);
  318. }
  319. }
  320. }
  322. LocalFree(apSids);
  323. }
  325. if (pUserToken)
  326. LocalFree(pUserToken);
  328. if (!fSuccess && pSD)
  329. {
  330. LocalFree(pSD);
  331. pSD = NULL;
  332. }
  334. return pSD;
  335. }