archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/windows/appcompat/shims/lib/secutils.cpp

389 lines
8.1 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 2001 Microsoft Corporation
  5. Module Name:
  7. secutils.cpp
  9. Abstract:
  10. The utility functions for the shims.
  12. History:
  14. 02/09/2001 maonis Created
  15. 08/14/2001 robkenny Moved code inside the ShimLib namespace.
  17. --*/
  19. #include "secutils.h"
  22. namespace ShimLib
  23. {
  24. /*++
  26. Function Description:
  28. Determine if the log on user is a member of the group.
  30. Arguments:
  32. IN dwGroup - specify the alias of the group.
  33. OUT pfIsMember - TRUE if it's a member, FALSE if not.
  35. Return Value:
  37. TRUE - we successfully determined if it's a member.
  38. FALSE otherwise.
  40. DevNote:
  42. We are assuming the calling thread is not impersonating.
  44. History:
  46. 02/12/2001 maonis Created
  48. --*/
  50. BOOL
  51. SearchGroupForSID(
  52. DWORD dwGroup,
  53. BOOL* pfIsMember
  54. )
  55. {
  56. PSID pSID = NULL;
  57. SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
  58. BOOL fRes = TRUE;
  60. if (!AllocateAndInitializeSid(
  61. &SIDAuth,
  62. 2,
  63. SECURITY_BUILTIN_DOMAIN_RID,
  64. dwGroup,
  65. 0,
  66. 0,
  67. 0,
  68. 0,
  69. 0,
  70. 0,
  71. &pSID))
  72. {
  73. DPF("SecurityUtils", eDbgLevelError, "[SearchGroupForSID] AllocateAndInitializeSid failed %d", GetLastError());
  74. return FALSE;
  75. }
  77. if (!CheckTokenMembership(NULL, pSID, pfIsMember))
  78. {
  79. DPF("SecurityUtils", eDbgLevelError, "[SearchGroupForSID] CheckTokenMembership failed: %d", GetLastError());
  80. fRes = FALSE;
  81. }
  83. FreeSid(pSID);
  85. return fRes;
  86. }
  88. /*++
  90. Function Description:
  92. Determine if we should shim this app or not.
  94. If the user is
  95. 1) a member of the Users and
  96. 2) not a member of the Administrators group and
  97. 3) not a member of the Power Users group and
  98. 3) not a member of the Guest group
  100. we'll apply the shim.
  102. Arguments:
  104. None.
  106. Return Value:
  108. TRUE - we should apply the shim.
  109. FALSE otherwise.
  111. History:
  113. 02/12/2001 maonis Created
  115. --*/
  117. BOOL
  118. ShouldApplyShim()
  119. {
  120. BOOL fIsUser, fIsAdmin, fIsPowerUser, fIsGuest;
  122. if (!SearchGroupForSID(DOMAIN_ALIAS_RID_USERS, &fIsUser) ||
  123. !SearchGroupForSID(DOMAIN_ALIAS_RID_ADMINS, &fIsAdmin) ||
  124. !SearchGroupForSID(DOMAIN_ALIAS_RID_POWER_USERS, &fIsPowerUser) ||
  125. !SearchGroupForSID(DOMAIN_ALIAS_RID_GUESTS, &fIsGuest))
  126. {
  127. //
  128. // Don't do anything if we are not sure.
  129. //
  130. return FALSE;
  131. }
  133. return (fIsUser && !fIsPowerUser && !fIsAdmin && !fIsGuest);
  134. }
  136. /*++
  138. Function Description:
  140. Get the current thread on user's SID. If the thread is not
  141. impersonating we get the current process SID instead.
  143. Arguments:
  145. OUT ppThreadSid - points to the current thread's SID.
  147. Return Value:
  149. TRUE - successfully got the SID, the caller is responsible for
  150. freeing it with free().
  151. FALSE otherwise.
  153. History:
  155. 02/12/2001 maonis Created
  157. --*/
  159. BOOL
  160. GetCurrentThreadSid(
  161. OUT PSID* ppThreadSid
  162. )
  163. {
  164. HANDLE hToken;
  165. DWORD dwLastErr;
  166. DWORD cbBuffer, cbRequired;
  167. PTOKEN_USER pUserInfo;
  168. BOOL fRes = FALSE;
  170. // Get the thread token.
  171. if (!OpenThreadToken(
  172. GetCurrentThread(),
  173. TOKEN_QUERY,
  174. FALSE,
  175. &hToken))
  176. {
  177. if ((dwLastErr = GetLastError()) == ERROR_NO_TOKEN)
  178. {
  179. // The thread isn't impersonating so we get the process token instead.
  180. if (!OpenProcessToken(
  181. GetCurrentProcess(),
  182. TOKEN_QUERY,
  183. &hToken))
  184. {
  185. DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] OpenProcessToken failed: %d", GetLastError());
  186. return FALSE;
  187. }
  188. }
  189. else
  190. {
  191. DPF("SecurityUtils", eDbgLevelError,
  192. "[GetThreadSid] OpenThreadToken failed (and not with no token): %d",
  193. dwLastErr);
  194. return FALSE;
  195. }
  196. }
  198. // Call GetTokenInformation with 0 buffer length to get the
  199. // required buffer size for the token info.
  200. cbBuffer = 0;
  201. if (!GetTokenInformation(
  202. hToken,
  203. TokenUser,
  204. NULL,
  205. cbBuffer,
  206. &cbRequired) &&
  207. (dwLastErr = GetLastError()) != ERROR_INSUFFICIENT_BUFFER)
  208. {
  209. DPF("SecurityUtils", eDbgLevelError,
  210. "[GetThreadSid] 1st time calling GetTokenInformation "
  211. "didn't failed with ERROR_INSUFFICIENT_BUFFER: %d",
  212. dwLastErr);
  213. return FALSE;
  214. }
  216. cbBuffer = cbRequired;
  217. pUserInfo = (PTOKEN_USER)malloc(cbBuffer);
  218. if (!pUserInfo)
  219. {
  220. DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] HeapAlloc for user data failed");
  221. return FALSE;
  222. }
  224. // Make the "real" call.
  225. if (!GetTokenInformation(
  226. hToken,
  227. TokenUser,
  228. pUserInfo,
  229. cbBuffer,
  230. &cbRequired))
  231. {
  232. DPF("SecurityUtils", eDbgLevelError,
  233. "[GetThreadSid] 2nd time calling GetTokenInformation failed: %d",
  234. GetLastError());
  235. goto EXIT;
  236. }
  238. cbBuffer = GetLengthSid(pUserInfo->User.Sid);
  239. *ppThreadSid = (PSID)malloc(cbBuffer);
  240. if (!(*ppThreadSid))
  241. {
  242. DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] HeapAlloc for SID failed");
  243. goto EXIT;
  244. }
  246. if (!CopySid(cbBuffer, *ppThreadSid, pUserInfo->User.Sid))
  247. {
  248. DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] CopySid failed: %d", GetLastError());
  249. goto EXIT;
  250. }
  252. fRes = TRUE;
  254. EXIT:
  256. free(pUserInfo);
  257. return fRes;
  258. }
  261. // The GENERIC_MAPPING from generic file access rights to specific and standard
  262. // access types.
  263. static GENERIC_MAPPING s_gmFile =
  264. {
  265. FILE_GENERIC_READ,
  266. FILE_GENERIC_WRITE,
  267. FILE_GENERIC_EXECUTE,
  268. FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE
  269. };
  271. /*++
  273. Function Description:
  275. Given the creation dispositon and the desired access when calling
  276. CreateFile, we determine if the caller is requesting write access.
  278. This is specific for files.
  280. Arguments:
  282. IN pszObject - name of the file or directory.
  283. OUT pam - points to the access mask of the user to this object.
  285. Return Value:
  287. TRUE - successfully got the access mask.
  288. FALSE otherwise.
  290. DevNote:
  292. UNDONE - This might not be a complete list...can add as we debug more apps.
  294. History:
  296. 02/12/2001 maonis Created
  298. --*/
  300. BOOL
  301. RequestWriteAccess(
  302. IN DWORD dwCreationDisposition,
  303. IN DWORD dwDesiredAccess
  304. )
  305. {
  306. MapGenericMask(&dwDesiredAccess, &s_gmFile);
  308. if ((dwCreationDisposition != OPEN_EXISTING) ||
  309. (dwDesiredAccess & DELETE) ||
  310. // Generally, app would not specify FILE_WRITE_DATA directly, and if
  311. // it specifies GENERIC_WRITE, it will get mapped to FILE_WRITE_DATA
  312. // OR other things so checking FILE_WRITE_DATA is sufficient.
  313. (dwDesiredAccess & FILE_WRITE_DATA))
  314. {
  315. return TRUE;
  316. }
  318. return FALSE;
  319. }
  321. /*++
  323. Function Description:
  325. Given the name of a directory, determine if the user can create
  326. new files in this directory.
  328. Arguments:
  330. IN pszDir - name of the directory.
  331. IN pUserSid - the user that's requesting to create files.
  332. OUT pfCanCreate.
  334. Return Value:
  336. TRUE - successfully enabled or disabled the privilege.
  337. FALSE - otherwise.
  339. History:
  341. 04/03/2001 maonis Created
  343. --*/
  345. BOOL
  346. AdjustPrivilege(
  347. LPCWSTR pwszPrivilege,
  348. BOOL fEnable
  349. )
  350. {
  351. HANDLE hToken;
  352. TOKEN_PRIVILEGES tp;
  353. BOOL fRes = FALSE;
  355. // Obtain the process token.
  356. if (OpenProcessToken(
  357. GetCurrentProcess(),
  358. TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
  359. &hToken))
  360. {
  361. // Get the LUID.
  362. if (LookupPrivilegeValueW(NULL, pwszPrivilege, &tp.Privileges[0].Luid))
  363. {
  364. tp.PrivilegeCount = 1;
  366. tp.Privileges[0].Attributes = (fEnable ? SE_PRIVILEGE_ENABLED : 0);
  368. // Enable or disable the privilege.
  369. if (AdjustTokenPrivileges(
  370. hToken,
  371. FALSE,
  372. &tp,
  373. 0,
  374. (PTOKEN_PRIVILEGES)NULL,
  375. 0))
  376. {
  377. fRes = TRUE;
  378. }
  379. }
  381. CloseHandle(hToken);
  382. }
  384. return fRes;
  385. }
  389. }; // end of namespace ShimLib