Source code of Windows XP (NT5)


  1. /*++
  2. Copyright (c) Microsoft Corporation. All rights reserved.
  3. Module Name:
  4. SeUtil.c
  5. Abstract:
  6. This module contains various security utility functions.
  7. Author:
  8. Adrian J. Oney - April 23, 2002
  9. Revision History:
  10. --*/
  11. #include "WlDef.h"
  12. #pragma hdrstop
  13. #ifdef ALLOC_PRAGMA
  14. #pragma alloc_text(PAGE, SeUtilSecurityInfoFromSecurityDescriptor)
  15. #ifndef _KERNELIMPLEMENTATION_
  16. #pragma alloc_text(PAGE, SeSetSecurityAccessMask)
  17. #endif
  18. #endif
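  NTSTATUS
  SeUtilSecurityInfoFromSecurityDescriptor(
      IN  PSECURITY_DESCRIPTOR    SecurityDescriptor,
      OUT BOOLEAN                *DaclFromDefaultSource,
      OUT PSECURITY_INFORMATION   SecurityInformation
      )
  /*++

  Routine Description:

      This routine reports which components of a security descriptor are
      present (owner, group, SACL, DACL) as a SECURITY_INFORMATION bit mask,
      together with the DACL's "defaulted" flag.

  Arguments:

      SecurityDescriptor - Security descriptor to retrieve information from.

      DaclFromDefaultSource - Receives the defaulted flag reported by
          RtlGetDaclSecurityDescriptor when a DACL is present. Receives FALSE
          when the descriptor carries no DACL, and on error.

      SecurityInformation - Receives the OR of OWNER_, GROUP_, SACL_ and
          DACL_SECURITY_INFORMATION for each component found in the
          descriptor.

  Return Value:

      NTSTATUS (On error, SecurityInformation receives 0 and
      DaclFromDefaultSource receives FALSE).

  --*/
  {
      SECURITY_INFORMATION finalSecurityInformation;
      BOOLEAN daclDefaulted;
      BOOLEAN defaulted;
      BOOLEAN aclPresent;
      NTSTATUS status;
      PSID sid;
      PACL acl;

      PAGED_CODE();

      //
      // Preinitialize the outputs so that every early return below leaves the
      // caller with "nothing present, DACL not defaulted".
      //
      *DaclFromDefaultSource = FALSE;
      RtlZeroMemory(SecurityInformation, sizeof(SECURITY_INFORMATION));
      finalSecurityInformation = 0;
      daclDefaulted = FALSE;

      //
      // Extract the owner information. The owner's defaulted flag is not
      // reported to the caller; "defaulted" is only a scratch variable here.
      //
      status = RtlGetOwnerSecurityDescriptor(
          SecurityDescriptor,
          &sid,
          &defaulted
          );

      if (!NT_SUCCESS(status)) {

          return status;
      }

      if (sid != NULL) {

          finalSecurityInformation |= OWNER_SECURITY_INFORMATION;
      }

      //
      // Extract the group information (defaulted flag again discarded).
      //
      status = RtlGetGroupSecurityDescriptor(
          SecurityDescriptor,
          &sid,
          &defaulted
          );

      if (!NT_SUCCESS(status)) {

          return status;
      }

      if (sid != NULL) {

          finalSecurityInformation |= GROUP_SECURITY_INFORMATION;
      }

      //
      // Extract the SACL (Auditing ACL) information (defaulted flag discarded).
      //
      status = RtlGetSaclSecurityDescriptor(
          SecurityDescriptor,
          &aclPresent,
          &acl,
          &defaulted
          );

      if (!NT_SUCCESS(status)) {

          return status;
      }

      if (aclPresent) {

          finalSecurityInformation |= SACL_SECURITY_INFORMATION;
      }

      //
      // Extract the DACL (discretionary/access ACL) information.
      //
      status = RtlGetDaclSecurityDescriptor(
          SecurityDescriptor,
          &aclPresent,
          &acl,
          &defaulted
          );

      if (!NT_SUCCESS(status)) {

          return status;
      }

      if (aclPresent) {

          //
          // Only the present flag is examined; the ACL pointer is not, so a
          // descriptor whose DACL is present but NULL also sets this bit.
          //
          finalSecurityInformation |= DACL_SECURITY_INFORMATION;

          //
          // The defaulted output of RtlGetDaclSecurityDescriptor is documented
          // as meaningful only when a DACL is present. Taking it only on this
          // path keeps a stale owner/group/SACL defaulted flag from being
          // reported as the DACL's when the descriptor has no DACL.
          //
          daclDefaulted = defaulted;
      }

      //
      // Return the final result.
      //
      *DaclFromDefaultSource = daclDefaulted;
      *SecurityInformation = finalSecurityInformation;
      return STATUS_SUCCESS;
  }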
  115. #ifndef _KERNELIMPLEMENTATION_
  VOID
  SeSetSecurityAccessMask(
      IN  SECURITY_INFORMATION    SecurityInformation,
      OUT ACCESS_MASK            *DesiredAccess
      )
  /*++

  Routine Description:

      This routine computes the access mask a caller must hold in order to set
      the pieces of object security information named by SecurityInformation.
      Keeping the mapping in one routine limits the impact of later extensions
      to an object's security information (for example, mandatory access
      control information).

      The mapping implemented here is:

          OWNER_SECURITY_INFORMATION or
          GROUP_SECURITY_INFORMATION     ->  WRITE_OWNER
          DACL_SECURITY_INFORMATION      ->  WRITE_DAC
          SACL_SECURITY_INFORMATION      ->  ACCESS_SYSTEM_SECURITY

      Any other bit in SecurityInformation contributes nothing to the mask.

  Arguments:

      SecurityInformation - Identifies the object's security information to be
          modified.

      DesiredAccess - Receives the access mask needed to modify the
          information specified in SecurityInformation. It is always
          overwritten, and receives 0 when none of the bits above are set.

  Return Value:

      None.

  --*/
  {
      ACCESS_MASK requiredAccess = 0;

      PAGED_CODE();

      //
      // Owner and group changes are both covered by WRITE_OWNER.
      //
      if (SecurityInformation &
          (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION)) {

          requiredAccess |= WRITE_OWNER;
      }

      //
      // Replacing the discretionary ACL needs WRITE_DAC.
      //
      if (SecurityInformation & DACL_SECURITY_INFORMATION) {

          requiredAccess |= WRITE_DAC;
      }

      //
      // Touching the system (audit) ACL needs ACCESS_SYSTEM_SECURITY.
      //
      if (SecurityInformation & SACL_SECURITY_INFORMATION) {

          requiredAccess |= ACCESS_SYSTEM_SECURITY;
      }

      *DesiredAccess = requiredAccess;
  }
  156. #endif // _KERNELIMPLEMENTATION_