archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
3.8 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/gina/rsoputil/rsopsec.cpp

1341 lines
32 KiB
Raw Normal View History

Add source files
4 years ago
  1. //******************************************************************************
  2. //
  3. // Microsoft Confidential. Copyright (c) Microsoft Corporation 1999. All rights reserved
  4. //
  5. // File: RsopSec.cpp
  6. //
  7. // Description: RSOP Namespace Security functions
  8. //
  9. // History: 8-26-99 leonardm Created
  10. //
  11. //******************************************************************************
  13. #include <windows.h>
  14. #include <objbase.h>
  15. #include <wbemcli.h>
  16. #include <accctrl.h>
  17. #include <aclapi.h>
  18. #include <lm.h>
  19. #include "RsopUtil.h"
  20. #include "RsopSec.h"
  21. #include "rsopdbg.h"
  22. #include "smartptr.h"
  25. //******************************************************************************
  26. //
  27. // Function:
  28. //
  29. // Description:
  30. //
  31. // Parameters:
  32. //
  33. // Return:
  34. //
  35. // History: 8-26-99 leonardm Created
  36. //
  37. //******************************************************************************
  38. STDMETHODIMP GetExplicitAccesses( long lSecurityLevel,
  39. EXPLICIT_ACCESS** ppExplicitAccess,
  40. DWORD* pdwCount,
  41. CWString* psTrustees)
  42. {
  44. WKSTA_INFO_100* pWkstaInfo = NULL;
  45. NET_API_STATUS status = NetWkstaGetInfo(NULL,100,(LPBYTE*)&pWkstaInfo);
  46. if(status != NERR_Success)
  47. {
  48. return E_FAIL;
  49. }
  51. CWString sCurrentDomain = pWkstaInfo->wki100_langroup;
  52. NetApiBufferFree(pWkstaInfo);
  54. if(!sCurrentDomain.ValidString() || sCurrentDomain == L"")
  55. {
  56. return E_FAIL;
  57. }
  60. static ACCESS_MODE AccessMode = GRANT_ACCESS;
  61. static DWORD Inheritance = SUB_CONTAINERS_ONLY_INHERIT;
  62. static DWORD AccessPermissions = WBEM_ENABLE |
  63. WBEM_METHOD_EXECUTE |
  64. WBEM_FULL_WRITE_REP |
  65. WBEM_PARTIAL_WRITE_REP |
  66. WBEM_WRITE_PROVIDER |
  67. WBEM_REMOTE_ACCESS |
  68. READ_CONTROL |
  69. WRITE_DAC;
  71. XPtrArray<EXPLICIT_ACCESS> xpExplicitAccess = NULL;
  73. if(lSecurityLevel == NAMESPACE_SECURITY_DIAGNOSTIC)
  74. {
  75. if(*pdwCount < 1)
  76. {
  77. *pdwCount = 1;
  78. return E_FAIL;
  79. }
  81. *pdwCount = 1;
  83. xpExplicitAccess = new EXPLICIT_ACCESS[*pdwCount];
  84. if(!xpExplicitAccess)
  85. {
  86. return E_OUTOFMEMORY;
  87. }
  89. psTrustees[0] = sCurrentDomain + L"\\Domain Users";
  90. if(!psTrustees[0].ValidString())
  91. {
  92. return E_OUTOFMEMORY;
  93. }
  95. BuildExplicitAccessWithName(&(xpExplicitAccess[0]),
  96. psTrustees[0],
  97. AccessPermissions,
  98. AccessMode,
  99. Inheritance);
  101. }
  102. else if(lSecurityLevel == NAMESPACE_SECURITY_PLANNING)
  103. {
  104. if(*pdwCount < 2)
  105. {
  106. *pdwCount = 2;
  107. return E_FAIL;
  108. }
  110. *pdwCount = 2;
  112. xpExplicitAccess = new EXPLICIT_ACCESS[*pdwCount];
  114. if(!xpExplicitAccess)
  115. {
  116. return E_OUTOFMEMORY;
  117. }
  118. psTrustees[0] = sCurrentDomain + L"\\RSOP Admins";
  119. if(!psTrustees[0].ValidString())
  120. {
  121. return E_OUTOFMEMORY;
  122. }
  123. BuildExplicitAccessWithName(&(xpExplicitAccess[0]),
  124. psTrustees[0],
  125. AccessPermissions,
  126. AccessMode,
  127. Inheritance);
  129. psTrustees[1] = sCurrentDomain + L"\\Domain Admins";
  130. if(!psTrustees[1].ValidString())
  131. {
  132. return E_OUTOFMEMORY;
  133. }
  134. BuildExplicitAccessWithName(&(xpExplicitAccess[1]),
  135. psTrustees[1],
  136. AccessPermissions,
  137. AccessMode,
  138. Inheritance);
  140. }
  141. else
  142. {
  143. return E_INVALIDARG;
  144. }
  146. *ppExplicitAccess = xpExplicitAccess.Acquire();
  148. return S_OK;
  149. }
  151. //******************************************************************************
  152. //
  153. // Function:
  154. //
  155. // Description:
  156. //
  157. // Parameters:
  158. //
  159. // Return:
  160. //
  161. // History: 8-26-99 leonardm Created
  162. //
  163. //******************************************************************************
  164. STDMETHODIMP ReplaceDaclOnSD(PSECURITY_DESCRIPTOR pSD, long lSecurityLevel)
  165. {
  166. HRESULT hr;
  168. XPtrArray<EXPLICIT_ACCESS> xpExplicitAccess = NULL;
  170. DWORD dwCount = 2;
  171. XPtrArray<CWString> xpTrustees = new CWString[dwCount];
  172. if(!xpTrustees)
  173. {
  174. return E_OUTOFMEMORY;
  175. }
  177. hr = GetExplicitAccesses(lSecurityLevel, &xpExplicitAccess, &dwCount, xpTrustees);
  178. if(FAILED(hr))
  179. {
  180. return hr;
  181. }
  183. //
  184. // Get the DACL of the Security descriptor
  185. //
  187. BOOL bDaclPresent;
  188. BOOL bDaclDefaulted;
  189. ACL* pAcl = NULL;
  191. BOOL bRes = GetSecurityDescriptorDacl(pSD, &bDaclPresent, &pAcl,&bDaclDefaulted);
  192. if(!bRes)
  193. {
  194. return E_FAIL;
  195. }
  197. if(bDaclPresent)
  198. {
  200. //
  201. // Get the count of existing ACEs
  202. //
  204. ACL_SIZE_INFORMATION info;
  205. bRes = GetAclInformation(pAcl, &info, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
  206. if(!bRes)
  207. {
  208. return E_FAIL;
  209. }
  212. //
  213. // Remove existing ACEs from DACL
  214. //
  216. for(int aceIndex = info.AceCount - 1; aceIndex >= 0; aceIndex--)
  217. {
  218. bRes = DeleteAce(pAcl, aceIndex);
  219. if(!bRes)
  220. {
  221. return E_FAIL;
  222. }
  223. }
  225. LocalFree(pAcl);
  226. }
  228. pAcl = NULL;
  231. //
  232. // SetEntriesInAcl
  233. //
  235. DWORD dwRes = SetEntriesInAcl(dwCount, xpExplicitAccess, NULL, &pAcl);
  236. if(dwRes != ERROR_SUCCESS)
  237. {
  238. return E_FAIL;
  239. }
  242. //
  243. // SetSecurityDescriptorDacl
  244. //
  246. bRes = SetSecurityDescriptorDacl(pSD, bDaclPresent, pAcl, bDaclDefaulted);
  247. if(!bRes)
  248. {
  249. DWORD dwLastError = GetLastError();
  250. return E_FAIL;
  251. }
  253. return S_OK;
  254. }
  256. //******************************************************************************
  257. //
  258. // Function:
  259. //
  260. // Description:
  261. //
  262. // Parameters:
  263. //
  264. // Return:
  265. //
  266. // History: 8-26-99 leonardm Created
  267. //
  268. //******************************************************************************
  269. STDMETHODIMP RSoPMakeAbsoluteSD(SECURITY_DESCRIPTOR* pSelfRelativeSD, SECURITY_DESCRIPTOR** ppAbsoluteSD)
  270. {
  271. BOOL bRes = IsValidSecurityDescriptor(pSelfRelativeSD);
  272. if(!bRes)
  273. {
  274. return WBEM_E_INVALID_PARAMETER;
  275. }
  277. XPtrLF<SECURITY_DESCRIPTOR> xpAbsoluteSD;
  278. XPtrLF<ACL> xpDacl;
  279. XPtrLF<ACL> xpSacl;
  280. XPtrLF<SID> xpOwner;
  281. XPtrLF<SID> xpPrimaryGroup;
  284. DWORD dwAbsoluteSecurityDescriptorSize = 0;
  285. DWORD dwDaclSize = 0;
  286. DWORD dwSaclSize = 0;
  287. DWORD dwOwnerSize = 0;
  288. DWORD dwPrimaryGroupSize = 0;
  290. bRes = ::MakeAbsoluteSD(
  291. pSelfRelativeSD,
  292. xpAbsoluteSD,
  293. &dwAbsoluteSecurityDescriptorSize,
  294. xpDacl, // discretionary ACL
  295. &dwDaclSize, // size of discretionary ACL
  296. xpSacl, // system ACL
  297. &dwSaclSize, // size of system ACL
  298. xpOwner, // owner SID
  299. &dwOwnerSize, // size of owner SID
  300. xpPrimaryGroup, // primary-group SID
  301. &dwPrimaryGroupSize // size of group SID
  302. );
  304. DWORD dwLastError = GetLastError();
  305. if(dwLastError != ERROR_INSUFFICIENT_BUFFER)
  306. {
  307. return E_FAIL;
  308. }
  310. if(!dwAbsoluteSecurityDescriptorSize)
  311. {
  312. return E_FAIL;
  313. }
  315. xpAbsoluteSD = reinterpret_cast<SECURITY_DESCRIPTOR*>(LocalAlloc(LPTR, dwAbsoluteSecurityDescriptorSize));
  316. if(!xpAbsoluteSD)
  317. {
  318. return E_OUTOFMEMORY;
  319. }
  321. if(dwDaclSize)
  322. {
  323. xpDacl = reinterpret_cast<ACL*>(LocalAlloc(LPTR, dwDaclSize));
  324. if(!xpDacl)
  325. {
  326. return E_OUTOFMEMORY;
  327. }
  328. }
  329. if(dwSaclSize)
  330. {
  331. xpSacl = reinterpret_cast<ACL*>(LocalAlloc(LPTR, dwSaclSize));
  332. if(!xpSacl)
  333. {
  334. return E_OUTOFMEMORY;
  335. }
  336. }
  337. if(dwOwnerSize)
  338. {
  339. xpOwner = reinterpret_cast<SID*>(LocalAlloc(LPTR, dwOwnerSize));
  340. if(!xpOwner)
  341. {
  342. return E_OUTOFMEMORY;
  343. }
  344. }
  345. if(dwPrimaryGroupSize)
  346. {
  347. xpPrimaryGroup = reinterpret_cast<SID*>(LocalAlloc(LPTR, dwPrimaryGroupSize));
  348. if(!xpPrimaryGroup)
  349. {
  350. return E_OUTOFMEMORY;
  351. }
  352. }
  354. bRes = ::MakeAbsoluteSD(
  355. pSelfRelativeSD,
  356. xpAbsoluteSD,
  357. &dwAbsoluteSecurityDescriptorSize,
  358. xpDacl, // discretionary ACL
  359. &dwDaclSize, // size of discretionary ACL
  360. xpSacl, // system ACL
  361. &dwSaclSize, // size of system ACL
  362. xpOwner, // owner SID
  363. &dwOwnerSize, // size of owner SID
  364. xpPrimaryGroup, // primary-group SID
  365. &dwPrimaryGroupSize // size of group SID
  366. );
  368. if(!bRes)
  369. {
  370. return E_FAIL;
  371. }
  373. bRes = IsValidSecurityDescriptor(xpAbsoluteSD);
  375. if(!bRes)
  376. {
  377. return E_FAIL;
  378. }
  380. xpDacl.Acquire();
  381. xpSacl.Acquire();
  382. xpOwner.Acquire();
  383. xpPrimaryGroup.Acquire();
  385. *ppAbsoluteSD = xpAbsoluteSD.Acquire();
  387. return S_OK;
  388. }
  390. //******************************************************************************
  391. //
  392. // Function:
  393. //
  394. // Description:
  395. //
  396. // Parameters:
  397. //
  398. // Return:
  399. //
  400. // History: 8-26-99 leonardm Created
  401. //
  402. //******************************************************************************
  403. STDMETHODIMP FreeAbsoluteSD(SECURITY_DESCRIPTOR* pAbsoluteSD)
  404. {
  405. if(!pAbsoluteSD)
  406. {
  407. return E_POINTER;
  408. }
  410. BOOL bRes;
  412. BOOL bDaclPresent;
  413. BOOL bDaclDefaulted;
  415. XPtrLF<ACL> xpDacl;
  416. bRes = GetSecurityDescriptorDacl( pAbsoluteSD,
  417. &bDaclPresent,
  418. &xpDacl,
  419. &bDaclDefaulted);
  421. if(!bRes)
  422. {
  423. return E_FAIL;
  424. }
  426. BOOL bSaclPresent;
  427. BOOL bSaclDefaulted;
  429. XPtrLF<ACL> xpSacl;
  430. bRes = GetSecurityDescriptorSacl( pAbsoluteSD,
  431. &bSaclPresent,
  432. &xpSacl,
  433. &bSaclDefaulted);
  435. if(!bRes)
  436. {
  437. return E_FAIL;
  438. }
  440. BOOL bOwnerDefaulted;
  442. XPtrLF<SID>xpOwner;
  443. bRes = GetSecurityDescriptorOwner(pAbsoluteSD, reinterpret_cast<void**>(&xpOwner), &bOwnerDefaulted);
  444. if(!bRes)
  445. {
  446. return E_FAIL;
  447. }
  450. BOOL bGroupDefaulted;
  452. XPtrLF<SID>xpPrimaryGroup;
  453. bRes = GetSecurityDescriptorGroup(pAbsoluteSD, reinterpret_cast<void**>(&xpPrimaryGroup), &bGroupDefaulted);
  454. if(!bRes)
  455. {
  456. return E_FAIL;
  457. }
  459. return S_OK;
  460. }
  462. //******************************************************************************
  463. //
  464. // Function:
  465. //
  466. // Description:
  467. //
  468. // Parameters:
  469. //
  470. // Return:
  471. //
  472. // History: 8-26-99 leonardm Created
  473. //
  474. //******************************************************************************
  475. STDMETHODIMP GetNamespaceSD(IWbemServices* pWbemServices, SECURITY_DESCRIPTOR** ppSD)
  476. {
  477. if(!pWbemServices)
  478. {
  479. return E_POINTER;
  480. }
  482. HRESULT hr;
  484. XInterface<IWbemClassObject> xpOutParams;
  486. const BSTR bstrInstancePath = SysAllocString(L"__systemsecurity=@");
  487. if(!bstrInstancePath)
  488. {
  489. return E_OUTOFMEMORY;
  490. }
  492. const BSTR bstrMethodName = SysAllocString(L"GetSD");
  493. if(!bstrMethodName)
  494. {
  495. SysFreeString(bstrInstancePath);
  496. return E_OUTOFMEMORY;
  497. }
  499. hr = pWbemServices->ExecMethod( bstrInstancePath,
  500. bstrMethodName,
  501. 0,
  502. NULL,
  503. NULL,
  504. &xpOutParams,
  505. NULL);
  507. SysFreeString(bstrInstancePath);
  508. SysFreeString(bstrMethodName);
  510. if(FAILED(hr))
  511. {
  512. return hr;
  513. }
  516. VARIANT v;
  517. XVariant xv(&v);
  519. VariantInit(&v);
  521. hr = xpOutParams->Get(L"sd", 0, &v, NULL, NULL);
  522. if(FAILED(hr))
  523. {
  524. return hr;
  525. }
  527. if(v.vt != (VT_ARRAY | VT_UI1))
  528. {
  529. return E_FAIL;
  530. }
  532. long lLowerBound;
  533. hr = SafeArrayGetLBound(v.parray, 1, &lLowerBound);
  534. if(FAILED(hr))
  535. {
  536. return hr;
  537. }
  539. long lUpperBound;
  540. hr = SafeArrayGetUBound(v.parray, 1, &lUpperBound);
  541. if(FAILED(hr))
  542. {
  543. return hr;
  544. }
  546. DWORD dwSize = static_cast<DWORD>(lUpperBound - lLowerBound + 1);
  548. XPtrLF<SECURITY_DESCRIPTOR> xpSelfRelativeSD = static_cast<SECURITY_DESCRIPTOR*>(LocalAlloc(LPTR, dwSize));
  549. if(!xpSelfRelativeSD)
  550. {
  551. return E_OUTOFMEMORY;
  552. }
  554. BYTE* pSrc;
  555. hr = SafeArrayAccessData(v.parray, reinterpret_cast<void**>(&pSrc));
  556. if(FAILED(hr))
  557. {
  558. return hr;
  559. }
  561. CopyMemory(xpSelfRelativeSD, pSrc, dwSize);
  563. hr = SafeArrayUnaccessData(v.parray);
  564. if(FAILED(hr))
  565. {
  566. return hr;
  567. }
  569. *ppSD = xpSelfRelativeSD.Acquire();
  571. return S_OK;
  572. }
  574. //******************************************************************************
  575. //
  576. // Function:
  577. //
  578. // Description:
  579. //
  580. // Parameters:
  581. //
  582. // Return:
  583. //
  584. // History: 8/20/99 leonardm Created.
  585. //
  586. //******************************************************************************
  587. STDMETHODIMP SetNamespaceSD(SECURITY_DESCRIPTOR* pSD, IWbemServices* pWbemServices)
  588. {
  589. if(!pWbemServices)
  590. {
  591. return E_POINTER;
  592. }
  594. HRESULT hr;
  597. //
  598. // Get the class object
  599. //
  601. XInterface<IWbemClassObject> xpClass;
  603. BSTR bstrClassPath = SysAllocString(L"__systemsecurity");
  604. if(!bstrClassPath)
  605. {
  606. return E_OUTOFMEMORY;
  607. }
  609. hr = pWbemServices->GetObject(bstrClassPath, 0, NULL, &xpClass, NULL);
  611. SysFreeString(bstrClassPath);
  613. if(FAILED(hr))
  614. {
  615. return hr;
  616. }
  619. //
  620. // Get the input parameter class
  621. //
  623. XInterface<IWbemClassObject> xpMethod;
  624. hr = xpClass->GetMethod(L"SetSD", 0, &xpMethod, NULL);
  625. if(FAILED(hr))
  626. {
  627. return hr;
  628. }
  631. //
  632. // move the SD into a variant.
  633. //
  635. SAFEARRAYBOUND rgsabound[1];
  636. rgsabound[0].lLbound = 0;
  638. DWORD dwLength = GetSecurityDescriptorLength(pSD);
  640. rgsabound[0].cElements = dwLength;
  642. SAFEARRAY* psa = SafeArrayCreate(VT_UI1, 1, rgsabound);
  643. if(!psa)
  644. {
  645. return E_FAIL;
  646. }
  648. BYTE* pDest = NULL;
  650. hr = SafeArrayAccessData(psa, reinterpret_cast<void**>(&pDest));
  651. if(FAILED(hr))
  652. {
  653. return hr;
  654. }
  656. CopyMemory(pDest, pSD, dwLength);
  658. hr = SafeArrayUnaccessData(psa);
  659. if(FAILED(hr))
  660. {
  661. return hr;
  662. }
  664. VARIANT v;
  665. XVariant xv(&v);
  666. v.vt = VT_UI1|VT_ARRAY;
  667. v.parray = psa;
  670. //
  671. // put the property
  672. //
  674. XInterface<IWbemClassObject> xpInParam;
  675. hr = xpMethod->SpawnInstance(0, &xpInParam);
  676. if(FAILED(hr))
  677. {
  678. return hr;
  679. }
  681. hr = xpInParam->Put(L"sd" , 0, &v, 0);
  682. if(FAILED(hr))
  683. {
  684. return hr;
  685. }
  687. //
  688. // Execute the method
  689. //
  691. BSTR bstrInstancePath = SysAllocString(L"__systemsecurity=@");
  692. if(!bstrInstancePath)
  693. {
  694. return E_OUTOFMEMORY;
  695. }
  698. BSTR bstrMethodName = SysAllocString(L"SetSD");
  699. if(!bstrMethodName)
  700. {
  701. SysFreeString(bstrInstancePath);
  702. return E_OUTOFMEMORY;
  703. }
  705. hr = pWbemServices->ExecMethod( bstrInstancePath,
  706. bstrMethodName,
  707. 0,
  708. NULL,
  709. xpInParam,
  710. NULL,
  711. NULL);
  713. SysFreeString(bstrInstancePath);
  714. SysFreeString(bstrMethodName);
  716. return hr;
  717. }
  719. //******************************************************************************
  720. //
  721. // Function:
  722. //
  723. // Description:
  724. //
  725. // Parameters:
  726. //
  727. // Return:
  728. //
  729. // History: 8/20/99 leonardm Created.
  730. //
  731. //******************************************************************************
  732. HRESULT SetNamespaceSecurity(const WCHAR* pszNamespace,
  733. long lSecurityLevel,
  734. IWbemServices* pWbemServices)
  735. {
  736. HRESULT hr;
  738. if(!pszNamespace)
  739. {
  740. return E_POINTER;
  741. }
  743. CWString sNamespace = pszNamespace;
  744. if(!sNamespace.ValidString() || sNamespace == L"" || !pWbemServices)
  745. {
  746. return E_INVALIDARG;
  747. }
  749. XPtrLF<SECURITY_DESCRIPTOR> xpOrgSelfRelativeSD;
  750. hr = GetNamespaceSD(pWbemServices, &xpOrgSelfRelativeSD);
  751. if(FAILED(hr))
  752. {
  753. return hr;
  754. }
  756. SECURITY_DESCRIPTOR* pAbsoluteSD = NULL;
  757. hr = RSoPMakeAbsoluteSD(xpOrgSelfRelativeSD, &pAbsoluteSD);
  758. if(FAILED(hr))
  759. {
  760. return hr;
  761. }
  763. hr = ReplaceDaclOnSD(pAbsoluteSD, lSecurityLevel);
  764. if(FAILED(hr))
  765. {
  766. FreeAbsoluteSD(pAbsoluteSD);
  767. return hr;
  768. }
  771. //
  772. // Make a new self-relative SD here before proceeding.
  773. //
  775. DWORD dwBufferLength = 0;
  776. MakeSelfRelativeSD( pAbsoluteSD, NULL,&dwBufferLength);
  778. DWORD dwLastError = GetLastError();
  779. if((dwLastError != ERROR_INSUFFICIENT_BUFFER) || !dwBufferLength)
  780. {
  781. FreeAbsoluteSD(pAbsoluteSD);
  782. return E_FAIL;
  783. }
  785. XPtrLF<SECURITY_DESCRIPTOR> xpNewSelfRelativeSD = reinterpret_cast<SECURITY_DESCRIPTOR*>(LocalAlloc(LPTR, dwBufferLength));
  786. if(!xpNewSelfRelativeSD)
  787. {
  788. FreeAbsoluteSD(pAbsoluteSD);
  789. return E_OUTOFMEMORY;
  790. }
  792. BOOL bRes = MakeSelfRelativeSD( pAbsoluteSD, xpNewSelfRelativeSD, &dwBufferLength);
  793. hr = FreeAbsoluteSD(pAbsoluteSD);
  794. if(!bRes || FAILED(hr))
  795. {
  796. return E_FAIL;
  797. }
  799. xpNewSelfRelativeSD->Control |= SE_DACL_PROTECTED;
  801. bRes = IsValidSecurityDescriptor(xpNewSelfRelativeSD);
  802. if(!bRes)
  803. {
  804. return E_FAIL;
  805. }
  807. hr = SetNamespaceSD( xpNewSelfRelativeSD, pWbemServices);
  809. return hr;
  810. }
  813. #undef dbg
  814. #define dbg dbgCommon
  817. const DWORD DEFAULT_ACE_NUM=10;
  819. CSecDesc::CSecDesc() :
  820. m_cAces(0), m_xpSidList(NULL),
  821. m_cAllocated(0), m_bInitialised(FALSE), m_bFailed(FALSE)
  822. {
  823. m_xpSidList = (SidStruct *)LocalAlloc(LPTR, sizeof(SidStruct)*DEFAULT_ACE_NUM);
  824. if (!m_xpSidList)
  825. return;
  827. m_cAllocated = DEFAULT_ACE_NUM;
  828. m_bInitialised = TRUE;
  829. }
  832. CSecDesc::~CSecDesc()
  833. {
  834. if (m_xpSidList)
  835. for (DWORD i = 0; i < m_cAllocated; i++)
  836. if (m_xpSidList[i].pSid)
  837. if (m_xpSidList[i].bUseLocalFree)
  838. LocalFree(m_xpSidList[i].pSid);
  839. else
  840. FreeSid(m_xpSidList[i].pSid);
  841. }
  844. BOOL CSecDesc::ReAllocSidList()
  845. {
  846. XPtrLF<SidStruct> xSidListNew;
  849. //
  850. // first allocate a larger buffer
  851. //
  853. xSidListNew = (SidStruct *)LocalAlloc(LPTR, sizeof(SidStruct)*(m_cAllocated+DEFAULT_ACE_NUM));
  855. if (!xSidListNew) {
  856. dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::ReallocArgStrings Cannot add memory, error = %d", GetLastError());
  857. m_bFailed = TRUE;
  858. return FALSE;
  859. }
  862. //
  863. // copy the arguments
  864. //
  866. for (DWORD i = 0; i < (m_cAllocated); i++) {
  867. xSidListNew[i] = m_xpSidList[i];
  868. }
  870. m_xpSidList = xSidListNew.Acquire();
  871. m_cAllocated+= DEFAULT_ACE_NUM;
  873. return TRUE;
  874. }
  878. BOOL CSecDesc::AddLocalSystem(DWORD dwAccess, DWORD AceFlags)
  879. {
  880. SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
  881. XPtr<SID, FreeSid> xSid;
  883. if ((!m_bInitialised) || (m_bFailed)) {
  884. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddLocalSystem: Not initialised or failure.");
  885. return FALSE;
  886. }
  888. m_bFailed = TRUE;
  890. if (!AllocateAndInitializeSid(&authNT, 1, SECURITY_LOCAL_SYSTEM_RID,
  891. 0, 0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
  892. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddLocalSystem: Failed to initialize sid. Error = %d", GetLastError());
  893. return FALSE;
  894. }
  897. if (m_cAces == m_cAllocated)
  898. if (!ReAllocSidList())
  899. return FALSE;
  902. m_xpSidList[m_cAces].pSid = xSid.Acquire();
  903. m_xpSidList[m_cAces].dwAccess = dwAccess;
  904. m_xpSidList[m_cAces].AceFlags = AceFlags;
  905. m_cAces++;
  908. m_bFailed = FALSE;
  909. return TRUE;
  910. }
  913. BOOL CSecDesc::AddAdministrators(DWORD dwAccess, DWORD AceFlags)
  914. {
  915. SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
  916. XPtr<SID, FreeSid> xSid;
  918. if ((!m_bInitialised) || (m_bFailed)) {
  919. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
  920. return FALSE;
  921. }
  923. m_bFailed = TRUE;
  925. if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
  926. DOMAIN_ALIAS_RID_ADMINS, 0, 0,
  927. 0, 0, 0, 0, (PSID *)&xSid)) {
  928. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Failed to initialize sid. Error = %d", GetLastError());
  929. return FALSE;
  930. }
  933. if (m_cAces == m_cAllocated)
  934. if (!ReAllocSidList())
  935. return FALSE;
  938. m_xpSidList[m_cAces].pSid = xSid.Acquire();
  939. m_xpSidList[m_cAces].dwAccess = dwAccess;
  940. m_xpSidList[m_cAces].AceFlags = AceFlags;
  941. m_cAces++;
  944. m_bFailed = FALSE;
  945. return TRUE;
  946. }
  949. BOOL CSecDesc::AddAdministratorsAsOwner()
  950. {
  951. SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
  952. XPtr<SID, FreeSid> xSid;
  954. if ((!m_bInitialised) || (m_bFailed)) {
  955. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
  956. return FALSE;
  957. }
  959. m_bFailed = TRUE;
  961. if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
  962. DOMAIN_ALIAS_RID_ADMINS, 0, 0,
  963. 0, 0, 0, 0, (PSID *)&xSid)) {
  964. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Failed to initialize sid. Error = %d", GetLastError());
  965. return FALSE;
  966. }
  969. m_xpOwnerSid = xSid.Acquire();
  971. m_bFailed = FALSE;
  972. return TRUE;
  973. }
  975. BOOL CSecDesc::AddAdministratorsAsGroup()
  976. {
  977. SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
  978. XPtr<SID, FreeSid> xSid;
  980. if ((!m_bInitialised) || (m_bFailed)) {
  981. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
  982. return FALSE;
  983. }
  985. m_bFailed = TRUE;
  987. if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
  988. DOMAIN_ALIAS_RID_ADMINS, 0, 0,
  989. 0, 0, 0, 0, (PSID *)&xSid)) {
  990. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Failed to initialize sid. Error = %d", GetLastError());
  991. return FALSE;
  992. }
  995. m_xpGrpSid = xSid.Acquire();
  997. m_bFailed = FALSE;
  998. return TRUE;
  999. }
  1002. BOOL CSecDesc::AddEveryOne(DWORD dwAccess, DWORD AceFlags)
  1003. {
  1004. SID_IDENTIFIER_AUTHORITY authWORLD = SECURITY_WORLD_SID_AUTHORITY;
  1005. XPtr<SID, FreeSid> xSid;
  1007. if ((!m_bInitialised) || (m_bFailed)) {
  1008. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddEveryOne: Not initialised or failure.");
  1009. return FALSE;
  1010. }
  1012. m_bFailed = TRUE;
  1014. if (!AllocateAndInitializeSid(&authWORLD, 1, SECURITY_WORLD_RID,
  1015. 0, 0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
  1016. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddEveryOne: Failed to initialize sid. Error = %d", GetLastError());
  1017. return FALSE;
  1018. }
  1021. if (m_cAces == m_cAllocated)
  1022. if (!ReAllocSidList())
  1023. return FALSE;
  1026. m_xpSidList[m_cAces].pSid = xSid.Acquire();
  1027. m_xpSidList[m_cAces].dwAccess = dwAccess;
  1028. m_xpSidList[m_cAces].AceFlags = AceFlags;
  1029. m_cAces++;
  1032. m_bFailed = FALSE;
  1033. return TRUE;
  1034. }
  1037. #if 0
  1039. BOOL CSecDesc::AddThisUser(HANDLE hToken, DWORD dwAccess, DWORD AceFlags)
  1040. {
  1041. XPtrLF<SID> xSid;
  1043. if ((!m_bInitialised) || (m_bFailed)) {
  1044. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddThisUser: Not initialised or failure.");
  1045. return FALSE;
  1046. }
  1048. m_bFailed = TRUE;
  1050. xSid = (SID *)GetUserSid(hToken);
  1052. if (!pSid) {
  1053. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddThisUser: Failed to initialize sid. Error = %d", GetLastError());
  1054. return FALSE;
  1055. }
  1057. if (m_cAces == m_cAllocated)
  1058. if (!ReAllocSidList())
  1059. return FALSE;
  1061. m_xpSidList[m_cAces].pSid = xSid.Acquire();
  1062. m_xpSidList[m_cAces].dwAccess = dwAccess;
  1063. m_xpSidList[m_cAces].bUseLocalFree = TRUE;
  1064. m_xpSidList[m_cAces].AceFlags = AceFlags;
  1065. m_cAces++;
  1068. m_bFailed = FALSE;
  1069. return TRUE;
  1070. }
  1071. #endif
  1075. BOOL CSecDesc::AddUsers(DWORD dwAccess, DWORD AceFlags)
  1076. {
  1077. SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
  1078. XPtr<SID, FreeSid> xSid;
  1080. if ((!m_bInitialised) || (m_bFailed)) {
  1081. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
  1082. return FALSE;
  1083. }
  1085. m_bFailed = TRUE;
  1088. if (!AllocateAndInitializeSid(&authNT, 2, SECURITY_BUILTIN_DOMAIN_RID,
  1089. DOMAIN_ALIAS_RID_USERS,
  1090. 0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
  1092. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddUsers: Failed to initialize sid. Error = %d", GetLastError());
  1093. return FALSE;
  1094. }
  1097. if (m_cAces == m_cAllocated)
  1098. if (!ReAllocSidList())
  1099. return FALSE;
  1102. m_xpSidList[m_cAces].pSid = xSid.Acquire();
  1103. m_xpSidList[m_cAces].dwAccess = dwAccess;
  1104. m_xpSidList[m_cAces].AceFlags = AceFlags;
  1105. m_cAces++;
  1108. m_bFailed = FALSE;
  1109. return TRUE;
  1110. }
  1112. BOOL CSecDesc::AddAuthUsers(DWORD dwAccess, DWORD AceFlags)
  1113. {
  1114. SID_IDENTIFIER_AUTHORITY authNT = SECURITY_NT_AUTHORITY;
  1115. XPtr<SID, FreeSid> xSid;
  1117. if ((!m_bInitialised) || (m_bFailed)) {
  1118. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAuthUsers: Not initialised or failure.");
  1119. return FALSE;
  1120. }
  1122. m_bFailed = TRUE;
  1125. if (!AllocateAndInitializeSid(&authNT, 1, SECURITY_AUTHENTICATED_USER_RID,
  1126. 0, 0, 0, 0, 0, 0, 0, (PSID *)&xSid)) {
  1128. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAuthUsers: Failed to initialize authenticated users sid. Error = %d", GetLastError());
  1129. return FALSE;
  1130. }
  1133. if (m_cAces == m_cAllocated)
  1134. if (!ReAllocSidList())
  1135. return FALSE;
  1138. m_xpSidList[m_cAces].pSid = xSid.Acquire();
  1139. m_xpSidList[m_cAces].dwAccess = dwAccess;
  1140. m_xpSidList[m_cAces].AceFlags = AceFlags;
  1141. m_cAces++;
  1144. m_bFailed = FALSE;
  1145. return TRUE;
  1146. }
  1148. BOOL CSecDesc::AddSid(PSID pSid, DWORD dwAccess, DWORD AceFlags)
  1149. {
  1150. XPtrLF<SID> pLocalSid = 0;
  1151. DWORD dwSidLen = 0;
  1153. if ((!m_bInitialised) || (m_bFailed)) {
  1154. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddSid: Not initialised or failure.");
  1155. return FALSE;
  1156. }
  1158. m_bFailed = TRUE;
  1160. if (!IsValidSid(pSid)) {
  1161. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddSid: Not a vaild Sid.");
  1162. return FALSE;
  1163. }
  1166. dwSidLen = GetLengthSid(pSid);
  1168. pLocalSid = (SID *)LocalAlloc(LPTR, dwSidLen);
  1169. if (!pLocalSid) {
  1170. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddSid: Couldn't allocate memory. Error %d", GetLastError());
  1171. return FALSE;
  1172. }
  1175. if (!CopySid(dwSidLen, pLocalSid, pSid)) {
  1176. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddSid: Couldn't copy Sid. Error %d", GetLastError());
  1177. return FALSE;
  1178. }
  1181. m_xpSidList[m_cAces].pSid = (SID *)pLocalSid.Acquire();
  1182. m_xpSidList[m_cAces].dwAccess = dwAccess;
  1183. m_xpSidList[m_cAces].bUseLocalFree = TRUE;
  1184. m_xpSidList[m_cAces].AceFlags = AceFlags;
  1185. m_cAces++;
  1188. m_bFailed = FALSE;
  1189. return TRUE;
  1190. }
  1193. PISECURITY_DESCRIPTOR CSecDesc::MakeSD()
  1194. {
  1195. XPtrLF<SECURITY_DESCRIPTOR> xsd;
  1196. PACL pAcl = 0;
  1197. DWORD cbMemSize;
  1198. DWORD cbAcl;
  1199. DWORD i;
  1201. if ((!m_bInitialised) || (m_bFailed)) {
  1202. dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeSD: Not initialised or failure.");
  1203. return NULL;
  1204. }
  1206. m_bFailed = TRUE;
  1208. cbAcl = 0;
  1210. for (i = 0; i < m_cAces; i++)
  1211. cbAcl+= GetLengthSid((SID *)(m_xpSidList[i].pSid));
  1213. cbAcl += sizeof(ACL) + m_cAces*(sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD));
  1216. //
  1217. // Allocate space for the SECURITY_DESCRIPTOR + ACL
  1218. //
  1220. cbMemSize = sizeof( SECURITY_DESCRIPTOR ) + cbAcl;
  1222. xsd = (PISECURITY_DESCRIPTOR) LocalAlloc(LPTR, cbMemSize);
  1224. if (!xsd) {
  1225. dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::MakeSD: Failed to alocate security descriptor. Error = %d", GetLastError());
  1226. return NULL;
  1227. }
  1230. //
  1231. // increment psd by sizeof SECURITY_DESCRIPTOR
  1232. //
  1234. pAcl = (PACL) ( ( (unsigned char*)((SECURITY_DESCRIPTOR *)xsd) ) + sizeof(SECURITY_DESCRIPTOR) );
  1236. if (!InitializeAcl(pAcl, cbAcl, ACL_REVISION)) {
  1237. dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::MakeSD: Failed to initialize acl. Error = %d", GetLastError());
  1238. return NULL;
  1239. }
  1242. //
  1243. // Add each of the new ACEs
  1244. //
  1246. for (i = 0; i < m_cAces; i++) {
  1247. if (!AddAccessAllowedAceEx(pAcl, ACL_REVISION, m_xpSidList[i].AceFlags, m_xpSidList[i].dwAccess, m_xpSidList[i].pSid)) {
  1248. dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::MakeSD: Failed to add ace (%d). Error = %d", i, GetLastError());
  1249. return NULL;
  1250. }
  1251. }
  1253. //
  1254. // Put together the security descriptor
  1255. //
  1257. if (!InitializeSecurityDescriptor(xsd, SECURITY_DESCRIPTOR_REVISION)) {
  1258. dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeGenericSecurityDesc: Failed to initialize security descriptor. Error = %d", GetLastError());
  1259. return NULL;
  1260. }
  1262. if (!SetSecurityDescriptorDacl(xsd, TRUE, pAcl, FALSE)) {
  1263. dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeGenericSecurityDesc: Failed to set security descriptor dacl. Error = %d", GetLastError());
  1264. return NULL;
  1265. }
  1268. if (m_xpOwnerSid) {
  1269. if (!SetSecurityDescriptorOwner(xsd, m_xpOwnerSid, 0)) {
  1270. dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeGenericSecurityDesc: Failed to set security descriptor dacl. Error = %d", GetLastError());
  1271. return NULL;
  1272. }
  1273. }
  1275. if (m_xpGrpSid) {
  1276. if (!SetSecurityDescriptorGroup(xsd, m_xpGrpSid, 0)) {
  1277. dbg.Msg( DEBUG_MESSAGE_WARNING, L"MakeGenericSecurityDesc: Failed to set security descriptor dacl. Error = %d", GetLastError());
  1278. return NULL;
  1279. }
  1280. }
  1284. m_bFailed = FALSE;
  1285. return xsd.Acquire();
  1286. }
  1289. PISECURITY_DESCRIPTOR CSecDesc::MakeSelfRelativeSD()
  1290. {
  1291. XPtrLF<SECURITY_DESCRIPTOR> xAbsoluteSD;
  1292. DWORD dwLastError;
  1294. if ((!m_bInitialised) || (m_bFailed)) {
  1295. dbg.Msg( DEBUG_MESSAGE_WARNING, L"AddAdministrators: Not initialised or failure.");
  1296. return FALSE;
  1297. }
  1299. xAbsoluteSD = MakeSD();
  1301. if (!xAbsoluteSD) {
  1302. dbg.Msg( DEBUG_MESSAGE_WARNING, L"CSecDesc::MakeSelfRelativeSD: Failed to set security descriptor dacl. Error = %d", GetLastError());
  1303. return NULL;
  1304. }
  1306. m_bFailed = TRUE;
  1309. //
  1310. // Make a new self-relative SD here
  1311. //
  1313. DWORD dwBufferLength = 0;
  1314. ::MakeSelfRelativeSD( xAbsoluteSD, 0, &dwBufferLength);
  1316. dwLastError = GetLastError();
  1317. if((dwLastError != ERROR_INSUFFICIENT_BUFFER) || !dwBufferLength)
  1318. {
  1319. dbg.Msg( DEBUG_MESSAGE_VERBOSE, L"CSecDesc::MakeSelfRelativeSD: MakeSelfRelativeSD failed, 0x%X", dwLastError );
  1320. return NULL;
  1321. }
  1324. XPtrLF<SECURITY_DESCRIPTOR> xsd = reinterpret_cast<SECURITY_DESCRIPTOR*>(LocalAlloc(LPTR, dwBufferLength));
  1325. if(!xsd)
  1326. {
  1327. dbg.Msg( DEBUG_MESSAGE_VERBOSE, L"CSecDesc::MakeSelfRelativeSD: MakeSelfRelativeSD failed, 0x%X", E_OUTOFMEMORY );
  1328. return NULL;
  1329. }
  1331. BOOL bRes = ::MakeSelfRelativeSD( xAbsoluteSD, xsd, &dwBufferLength);
  1333. if (!bRes) {
  1334. dbg.Msg( DEBUG_MESSAGE_VERBOSE, L"CSecDesc::MakeSelfRelativeSD: MakeSelfRelativeSD failed, 0x%X", GetLastError() );
  1335. return NULL;
  1336. }
  1338. m_bFailed = FALSE;
  1339. return xsd.Acquire();
  1340. }