archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
3.8 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/inetsrv/iis/svcs/infocomm/common/tokenacl.cxx

336 lines
8.1 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*===================================================================
  2. Microsoft Internet Information Server
  4. Microsoft Confidential.
  5. Copyright 1997 Microsoft Corporation. All Rights Reserved.
  7. File: TokenAcl.cxx
  9. Owner: AndrewS
  11. This file contains code related to NT security on impersonation tokens
  12. ===================================================================*/
  13. #include "tcpdllp.hxx"
  14. #pragma hdrstop
  17. // Local Defines
  20. // Local functions
  21. HRESULT ExpandAcl(PACL paclOld, ULONG cbAclOld, PACL *ppAclNew, PSID psid);
  22. HRESULT AddSidToTokenAcl(HANDLE hToken, PSID pSid, ACCESS_MASK amDesiredAccess);
  23. HRESULT GetEveryoneSid(PSID *ppSidEveryone);
  26. /*===================================================================
  27. GrantAllAccessToToken
  29. Given an impersonation token, grant "Everyone" permissions to that
  30. token so that Out Of Proc ISAPIs will be able to do a GetThreadToken call.
  32. Parameters:
  33. HANDLE hToken - handle to impersonation token for a user
  35. Returns:
  36. HRESULT NOERROR on success
  37. ===================================================================*/
  38. HRESULT GrantAllAccessToToken
  39. (
  40. HANDLE hToken
  41. )
  42. {
  43. HRESULT hr = NOERROR;
  44. DWORD err;
  45. PSID pSidEveryone;
  47. hr = GetEveryoneSid(&pSidEveryone);
  48. if (FAILED(hr))
  49. goto LExit;
  51. hr = AddSidToTokenAcl(hToken, pSidEveryone, TOKEN_ALL_ACCESS);
  53. FreeSid( pSidEveryone );
  55. LExit:
  56. DBG_ASSERT(SUCCEEDED(hr));
  58. return(hr);
  59. }
  61. /*===================================================================
  62. AddSidToTokenAcl
  64. When creating Local server objects (e.g. EXE's) we have some problems because of DCOM security.
  65. The user creating the object must have appropriate permissions on the IIS process WindowStation (bug 549)
  66. and the Desktop.
  68. Add ACE's on the ACL for our WindowStation & Desktop for the current user.
  70. Parameters:
  71. HANDLE hImpersonate - handle to impersonation token for the current user
  73. Returns:
  74. HRESULT NOERROR on success
  75. ===================================================================*/
  76. HRESULT AddSidToTokenAcl
  77. (
  78. HANDLE hToken,
  79. PSID pSid,
  80. ACCESS_MASK amDesiredAccess
  81. )
  82. {
  83. HRESULT hr;
  84. DWORD err;
  85. PSECURITY_DESCRIPTOR psdRelative = NULL;
  86. SECURITY_DESCRIPTOR sdAbsolute;
  87. ULONG cbSdPost;
  88. PACL pDacl = NULL;
  89. PACL pDaclNew = NULL;
  90. ULONG cbSD;
  91. ULONG cbDacl;
  92. ULONG cbSacl;
  93. ULONG cbOwner;
  94. ULONG cbGroup;
  95. ACL_SIZE_INFORMATION AclSize;
  97. //
  98. // Get the SD of the token.
  99. // Call this twice; once to get the size, then again to get the info
  100. //
  101. GetKernelObjectSecurity(hToken,
  102. DACL_SECURITY_INFORMATION,
  103. NULL,
  104. 0,
  105. &cbSD);
  107. psdRelative = (PSECURITY_DESCRIPTOR) new BYTE[cbSD];
  108. if (psdRelative == NULL)
  109. {
  110. hr = E_OUTOFMEMORY;
  111. goto LExit;
  112. }
  114. if (!GetKernelObjectSecurity(hToken,
  115. DACL_SECURITY_INFORMATION,
  116. psdRelative,
  117. cbSD,
  118. &cbSD))
  119. {
  120. DBG_ASSERT(FALSE);
  122. err = GetLastError();
  123. hr = HRESULT_FROM_WIN32(err);
  124. goto LExit;
  125. }
  127. //
  128. // Allocate a new Dacl
  129. //
  130. pDacl = (PACL) new BYTE[cbSD];
  131. if (pDacl == NULL)
  132. {
  133. hr = E_OUTOFMEMORY;
  134. goto LExit;
  135. }
  137. //
  138. // Make an absolute SD from the relative SD we have, and get the Dacl at the same time
  139. //
  140. cbSdPost = sizeof(sdAbsolute);
  141. cbDacl = cbSD;
  142. cbSacl = 0;
  143. cbOwner = 0;
  144. cbGroup = 0;
  145. if (!MakeAbsoluteSD(psdRelative,
  146. &sdAbsolute,
  147. &cbSdPost,
  148. pDacl,
  149. &cbDacl,
  150. NULL,
  151. &cbSacl,
  152. NULL,
  153. &cbOwner,
  154. NULL,
  155. &cbGroup))
  156. {
  157. DBG_ASSERT(FALSE);
  159. err = GetLastError();
  160. hr = HRESULT_FROM_WIN32(err);
  161. goto LExit;
  162. }
  164. //
  165. // Copy ACEs over
  166. //
  167. hr = ExpandAcl(pDacl, cbSD, &pDaclNew, pSid);
  168. if (FAILED(hr))
  169. goto LExit;
  171. //
  172. // Add ACE to allow access
  173. //
  174. if (!AddAccessAllowedAce(pDaclNew, ACL_REVISION, amDesiredAccess, pSid))
  175. {
  176. DBG_ASSERT(FALSE);
  178. err = GetLastError();
  179. hr = HRESULT_FROM_WIN32(err);
  180. goto LExit;
  181. }
  183. //
  184. // Set the new DACL in the SD
  185. //
  186. if (!SetSecurityDescriptorDacl(&sdAbsolute, TRUE, pDaclNew, FALSE))
  187. {
  188. DBG_ASSERT(FALSE);
  190. err = GetLastError();
  191. hr = HRESULT_FROM_WIN32(err);
  192. goto LExit;
  193. }
  195. //
  196. // Set the new SD on the token object
  197. //
  198. if (!SetKernelObjectSecurity(hToken, DACL_SECURITY_INFORMATION, &sdAbsolute))
  199. {
  200. DBG_ASSERT(FALSE);
  202. err = GetLastError();
  203. hr = HRESULT_FROM_WIN32(err);
  204. goto LExit;
  205. }
  207. LExit:
  208. delete pDacl;
  209. delete pDaclNew;
  210. delete psdRelative;
  212. return hr;
  213. }
  215. /*===================================================================
  216. GetEveryoneSid
  218. Get a sid for "Everyone"
  220. Parameters:
  221. PSID pSidEveryone
  223. Returns:
  224. HRESULT NOERROR on success
  225. ===================================================================*/
  226. HRESULT GetEveryoneSid
  227. (
  228. PSID *ppSidEveryone
  229. )
  230. {
  231. BOOL fT;
  232. SID_IDENTIFIER_AUTHORITY sidWorldAuthority = SECURITY_WORLD_SID_AUTHORITY;
  234. fT = AllocateAndInitializeSid(
  235. &sidWorldAuthority, // pIdentifierAuthority
  236. 1, // nSubAuthorityCount
  237. SECURITY_WORLD_RID, // nSubAuthority0
  238. 0, // nSubAuthority1
  239. 0, // nSubAuthority2
  240. 0, // nSubAuthority3
  241. 0, // nSubAuthority4
  242. 0, // nSubAuthority5
  243. 0, // nSubAuthority6
  244. 0, // nSubAuthority7
  245. ppSidEveryone // pSid
  246. );
  247. if( !fT )
  248. return HRESULT_FROM_WIN32(GetLastError());
  249. else
  250. return NOERROR;
  251. }
  253. /*===================================================================
  254. ExpandAcl
  256. Support routine for AddWindowStationSecurity.
  258. Expands the given ACL so that there is room for an additional ACE
  260. Parameters:
  261. paclOld - the old ACL to expand
  262. ppAclNew - the newly allocated expanded acl
  263. psid - the sid to use
  265. Returns:
  266. HRESULT NOERROR on success
  267. ===================================================================*/
  268. HRESULT ExpandAcl
  269. (
  270. PACL paclOld,
  271. ULONG cbAclOld,
  272. PACL *ppAclNew,
  273. PSID psid
  274. )
  275. {
  276. HRESULT hr;
  277. DWORD err;
  278. PACL pAclNew = NULL;
  279. ACL_SIZE_INFORMATION asi;
  280. int dwAclSize;
  281. DWORD iAce;
  282. LPVOID pAce;
  284. DBG_ASSERT(paclOld != NULL);
  285. DBG_ASSERT(ppAclNew != NULL);
  287. //
  288. // Create a new ACL to play with
  289. //
  290. if (!GetAclInformation (paclOld, (LPVOID) &asi, (DWORD) sizeof (asi), AclSizeInformation))
  291. goto LExit;
  293. dwAclSize = cbAclOld + GetLengthSid(psid) + (8 * sizeof(DWORD));
  295. pAclNew = (PACL) new BYTE[dwAclSize];
  296. if (pAclNew == NULL)
  297. {
  298. return(E_OUTOFMEMORY);
  299. }
  301. if (!InitializeAcl(pAclNew, dwAclSize, ACL_REVISION))
  302. goto LExit;
  304. //
  305. // Copy all of the ACEs to the new ACL
  306. //
  307. for (iAce = 0; iAce < asi.AceCount; iAce++)
  308. {
  309. //
  310. // Get the ACE and header info
  311. //
  312. if (!GetAce(paclOld, iAce, &pAce))
  313. goto LExit;
  315. //
  316. // Add the ACE to the new list
  317. //
  318. if (!AddAce(pAclNew, ACL_REVISION, iAce, pAce, ((ACE_HEADER *)pAce)->AceSize))
  319. goto LExit;
  320. }
  322. *ppAclNew = pAclNew;
  323. return(NOERROR);
  325. LExit:
  326. if (pAclNew != NULL)
  327. delete pAclNew;
  329. DBG_ASSERT(FALSE);
  331. err = GetLastError();
  332. hr = HRESULT_FROM_WIN32(err);
  333. return hr;
  334. }