|
|
//+--------------------------------------------------------------------------
// File: prvlg.cpp
// Contents: privilege manager implementation
//---------------------------------------------------------------------------
#include <pch.cpp>
#include "prvlg.h"
using namespace CertSrv;
LSA_UNICODE_STRING CPrivilegeManager::m_lsaSecurityPrivilege[] = { sizeof(SE_SECURITY_NAME)-2, sizeof(SE_SECURITY_NAME), SE_SECURITY_NAME};
LSA_UNICODE_STRING CPrivilegeManager::m_lsaBackupRestorePrivilege[] = { { sizeof(SE_BACKUP_NAME)-2, sizeof(SE_BACKUP_NAME), SE_BACKUP_NAME }, { sizeof(SE_RESTORE_NAME)-2, sizeof(SE_RESTORE_NAME), SE_RESTORE_NAME }};
HRESULT CPrivilegeManager::OpenPolicy(){ HRESULT hr = S_OK; LSA_OBJECT_ATTRIBUTES ObjectAttributes; NTSTATUS NTStatus;
ZeroMemory(&ObjectAttributes, sizeof(ObjectAttributes));
NTStatus = LsaOpenPolicy( NULL, &ObjectAttributes, POLICY_CREATE_ACCOUNT | POLICY_LOOKUP_NAMES, &m_lsah); if(STATUS_SUCCESS!=NTStatus) { hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(NTStatus)); _JumpError(hr, error, "LsaOpenPolicy"); }
error: return hr;}
HRESULT CPrivilegeManager::ClosePolicy(){ if(m_lsah) LsaClose(m_lsah);
return S_OK;}
void CPrivilegeManager::GetPrivilegeString( DWORD dwRole, PLSA_UNICODE_STRING &plsastr, ULONG &cstr){ switch(dwRole) { case CA_ACCESS_AUDITOR: plsastr = m_lsaSecurityPrivilege; cstr = ARRAYSIZE(m_lsaSecurityPrivilege); break; case CA_ACCESS_OPERATOR: plsastr = m_lsaBackupRestorePrivilege; cstr = ARRAYSIZE(m_lsaBackupRestorePrivilege); break; }
}
HRESULT CPrivilegeManager::AddPrivilege( const PSID pSid, DWORD dwRole){ HRESULT hr = S_OK; NTSTATUS NTStatus; PLSA_UNICODE_STRING plsastr = NULL; ULONG cstr = 0;
GetPrivilegeString( dwRole, plsastr, cstr);
NTStatus = LsaAddAccountRights( m_lsah, pSid, plsastr, cstr); if(STATUS_SUCCESS!=NTStatus) { hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(NTStatus)); _JumpError(hr, error, "LsaAddAcountRights"); } error: return hr;}
HRESULT CPrivilegeManager::RemovePrivilege( const PSID pSid, DWORD dwRole){ HRESULT hr = S_OK; NTSTATUS NTStatus; PLSA_UNICODE_STRING plsastr = NULL; ULONG cstr = 0;
GetPrivilegeString( dwRole, plsastr, cstr);
NTStatus = LsaRemoveAccountRights( m_lsah, pSid, FALSE, plsastr, cstr); if(STATUS_SUCCESS!=NTStatus && STATUS_OBJECT_NAME_NOT_FOUND!=NTStatus) { hr = HRESULT_FROM_WIN32(LsaNtStatusToWinError(NTStatus)); _JumpError(hr, error, "LsaRemoveAcountRights"); } error: return hr;}
HRESULT CPrivilegeManager::InitBuffer( PACCESS_ALLOWED_ACE **buffer, DWORD cAce){ *buffer = (PACCESS_ALLOWED_ACE *)LocalAlloc(LMEM_FIXED, cAce*sizeof(PACCESS_ALLOWED_ACE)); if(!*buffer) { return E_OUTOFMEMORY; } ZeroMemory(*buffer, cAce*sizeof(PACCESS_ALLOWED_ACE)); return S_OK;}
HRESULT CPrivilegeManager::ComputePrivilegeChanges( const PSECURITY_DESCRIPTOR pOldSD, const PSECURITY_DESCRIPTOR pNewSD){ HRESULT hr = S_OK; PACCESS_ALLOWED_ACE pOldAce, pNewAce; DWORD cOldAce, cNewAce; PACL pOldAcl, pNewAcl; // no free
hr = myGetSecurityDescriptorDacl( pOldSD, &pOldAcl); _JumpIfError(hr, error, "myGetDaclFromInfoSecurityDescriptor");
hr = myGetSecurityDescriptorDacl( pNewSD, &pNewAcl); _JumpIfError(hr, error, "myGetDaclFromInfoSecurityDescriptor");
m_cOldAce = pOldAcl->AceCount; m_cNewAce = pNewAcl->AceCount;
hr = InitBuffer( &m_pAddPrivilegeAudit, m_cNewAce); _JumpIfError(hr, error, "InitBuffer");
hr = InitBuffer( &m_pAddPrivilegeBackup, m_cNewAce); _JumpIfError(hr, error, "InitBuffer");
hr = InitBuffer( &m_pRemovePrivilegeAudit, m_cOldAce); _JumpIfError(hr, error, "InitBuffer");
hr = InitBuffer( &m_pRemovePrivilegeBackup, m_cOldAce); _JumpIfError(hr, error, "InitBuffer");
for(cNewAce=0; cNewAce<m_cNewAce; cNewAce++) { if(!GetAce(pNewAcl, cNewAce, (PVOID*)&pNewAce)) { hr = myHLastError(); _JumpError(hr, error, "GetAce"); }
if(pNewAce->Mask&CA_ACCESS_AUDITOR) m_pAddPrivilegeAudit[cNewAce] = pNewAce; if(pNewAce->Mask&CA_ACCESS_OPERATOR) m_pAddPrivilegeBackup[cNewAce] = pNewAce; }
for(cOldAce=0; cOldAce<m_cOldAce; cOldAce++) {
if(!GetAce(pOldAcl, cOldAce, (PVOID*)&pOldAce)) { hr = myHLastError(); _JumpError(hr, error, "GetAce"); }
if(pOldAce->Mask&CA_ACCESS_AUDITOR) m_pRemovePrivilegeAudit[cOldAce] = pOldAce; if(pOldAce->Mask&CA_ACCESS_OPERATOR) m_pRemovePrivilegeBackup[cOldAce] = pOldAce;
for(cNewAce=0; cNewAce<m_cNewAce; cNewAce++) { if(!GetAce(pNewAcl, cNewAce, (PVOID*)&pNewAce)) { hr = myHLastError(); _JumpError(hr, error, "GetAce"); }
if(EqualSid((PSID)&pOldAce->SidStart, (PSID)&pNewAce->SidStart)) { if((pOldAce->Mask&CA_ACCESS_AUDITOR)&& (pNewAce->Mask&CA_ACCESS_AUDITOR)) { m_pRemovePrivilegeAudit[cOldAce] = NULL; } if((pOldAce->Mask&CA_ACCESS_OPERATOR)&& (pNewAce->Mask&CA_ACCESS_OPERATOR)) { m_pRemovePrivilegeBackup[cOldAce] = NULL; } if((pOldAce->Mask&CA_ACCESS_AUDITOR)&& (pNewAce->Mask&CA_ACCESS_AUDITOR)) { m_pAddPrivilegeAudit[cNewAce] = NULL; } if((pOldAce->Mask&CA_ACCESS_OPERATOR)&& (pNewAce->Mask&CA_ACCESS_OPERATOR)) { m_pAddPrivilegeBackup[cNewAce] = NULL; } } } }
error: return hr;}
HRESULT CPrivilegeManager::UpdatePrivileges(){ HRESULT hr = S_OK; DWORD cOldAce, cNewAce;
hr = OpenPolicy(); _JumpIfError(hr, error, "CPrivilegeManager::OpenPolicy");
for(cOldAce=0; cOldAce<m_cOldAce; cOldAce++) { if(m_pRemovePrivilegeBackup[cOldAce]) { hr = RemovePrivilege( (PSID)&(m_pRemovePrivilegeBackup[cOldAce]->SidStart), CA_ACCESS_OPERATOR); _JumpIfError(hr, error, "CPrivilegeManager::RemovePrivilege"); } if(m_pRemovePrivilegeAudit[cOldAce]) { hr = RemovePrivilege( (PSID)&(m_pRemovePrivilegeAudit[cOldAce]->SidStart), CA_ACCESS_AUDITOR); _JumpIfError(hr, error, "CPrivilegeManager::RemovePrivilege"); } }
for(cNewAce=0; cNewAce<m_cNewAce; cNewAce++) { if(m_pAddPrivilegeBackup[cNewAce]) { hr = AddPrivilege( (PSID)&(m_pAddPrivilegeBackup[cNewAce]->SidStart), CA_ACCESS_OPERATOR); _JumpIfError(hr, error, "CPrivilegeManager::AddPrivilege"); } if(m_pAddPrivilegeAudit[cNewAce]) { hr = AddPrivilege( (PSID)&(m_pAddPrivilegeAudit[cNewAce]->SidStart), CA_ACCESS_AUDITOR); _JumpIfError(hr, error, "CPrivilegeManager::AddPrivilege"); } }error: ClosePolicy(); return hr;}
|
