archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
3.8 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/net/config/common/ncbase/regkysec.cpp

1064 lines
26 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 2000.
  5. //
  6. // File: RegKeySecurity.cpp
  7. //
  8. // Contents: Provides code for changes to Regkey Security
  9. //
  10. //
  11. // Notes:
  12. //
  13. // Author: ckotze 4 July 2000
  14. //
  15. //----------------------------------------------------------------------------
  17. #include <pch.h>
  18. #pragma hdrstop
  19. #include <ncreg.h>
  20. #include <regkysec.h>
  21. #include <ncutil.h>
  22. #include <ncdebug.h>
  24. //+---------------------------------------------------------------------------
  25. //
  26. // Function: CRegKeySecurity constructor
  27. //
  28. // Purpose:
  29. //
  30. // Arguments:
  31. //
  32. // Returns:
  33. //
  34. // Author: ckotze 4 July 2000
  35. //
  36. // Notes:
  37. //
  38. CRegKeySecurity::CRegKeySecurity() : m_psdRegKey(NULL), m_bDaclDefaulted(FALSE), m_hkeyCurrent(0),
  39. m_paclDacl(NULL), m_bHasDacl(FALSE), m_psidGroup(NULL), m_psidOwner(NULL), m_paclSacl(NULL), m_bHasSacl(FALSE)
  40. {
  42. }
  44. //+---------------------------------------------------------------------------
  45. //
  46. // Function: CRegKeySecurity destructor
  47. //
  48. // Purpose:
  49. //
  50. // Arguments:
  51. //
  52. // Returns:
  53. //
  54. // Author: ckotze 4 July 2000
  55. //
  56. // Notes:
  57. //
  58. CRegKeySecurity::~CRegKeySecurity()
  59. {
  60. if (m_psdRegKey)
  61. {
  62. delete[] m_psdRegKey;
  63. }
  65. RegCloseKey();
  67. m_listAllAce.clear();
  68. }
  70. //+---------------------------------------------------------------------------
  71. //
  72. // Function: RegOpenKey
  73. //
  74. // Purpose: Opens the Registry Key with enough privileges to set the
  75. // permission on the Key.
  76. //
  77. // Arguments:
  78. // hkeyRoot - the root key from which to open the subkey
  79. //
  80. // strKeyName - the subkey to open.
  81. //
  82. // Returns: An S_OK if the key was successfully opened, and error code
  83. // otherwise
  84. //
  85. // Author: ckotze 4 July 2000
  86. //
  87. // Notes:
  88. //
  89. HRESULT CRegKeySecurity::RegOpenKey(const HKEY hkeyRoot, LPCTSTR strKeyName)
  90. {
  91. LONG lResult = 0;
  92. DWORD dwRightsRequired = KEY_ALL_ACCESS;
  94. if (m_hkeyCurrent)
  95. {
  96. RegCloseKey();
  97. }
  99. if ((lResult = HrRegOpenKeyEx(hkeyRoot, strKeyName, dwRightsRequired, &m_hkeyCurrent)) != ERROR_SUCCESS)
  100. {
  101. return HRESULT_FROM_WIN32(lResult);
  102. }
  103. return S_OK;
  104. }
  106. //+---------------------------------------------------------------------------
  107. //
  108. // Function: GetKeySecurity
  109. //
  110. // Purpose: Retrieves the Security Descriptor for the currently open
  111. // Registry key.
  112. //
  113. // Arguments: None
  114. //
  115. //
  116. //
  117. // Returns: An S_OK if the key was successfully opened, and error code
  118. // otherwise
  119. //
  120. // Author: ckotze 4 July 2000
  121. //
  122. // Notes:
  123. //
  124. HRESULT CRegKeySecurity::GetKeySecurity()
  125. {
  126. HRESULT hr = S_OK;
  127. DWORD cbSD = 1; // try a size that won't be large enough
  128. LONG lResult;
  130. if (!m_hkeyCurrent)
  131. {
  132. TraceError("CRegKeySecurity::GetKeySecurity", E_UNEXPECTED);
  133. return E_UNEXPECTED;
  134. }
  136. // First call should get the correct size.
  138. if ((hr = HrRegGetKeySecurity(m_hkeyCurrent, OWNER_SECURITY_INFORMATION |
  139. GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
  140. &m_psdRegKey, &cbSD)) != S_OK)
  141. {
  142. if (m_psdRegKey)
  143. {
  144. delete[] m_psdRegKey;
  145. }
  147. if (HRESULT_FROM_WIN32(ERROR_INSUFFICIENT_BUFFER) == hr)
  148. {
  150. m_psdRegKey = reinterpret_cast<PSECURITY_DESCRIPTOR>(new BYTE[cbSD]);
  152. hr = HrRegGetKeySecurity(m_hkeyCurrent, OWNER_SECURITY_INFORMATION |
  153. GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
  154. m_psdRegKey, &cbSD);
  155. }
  156. }
  158. return hr;
  159. }
  161. //+---------------------------------------------------------------------------
  162. //
  163. // Function: SetKeySecurity
  164. //
  165. // Purpose: Updates the Security Descriptor of the currently open key.
  166. //
  167. //
  168. // Arguments: None
  169. //
  170. //
  171. // Returns: An S_OK if the key was successfully opened, and error code
  172. // otherwise
  173. //
  174. // Author: ckotze 4 July 2000
  175. //
  176. // Notes:
  177. //
  178. HRESULT CRegKeySecurity::SetKeySecurity()
  179. {
  180. HRESULT hr = S_OK;
  182. if ((hr = HrRegSetKeySecurity(m_hkeyCurrent, OWNER_SECURITY_INFORMATION
  183. | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, m_psdRegKey)) != S_OK)
  184. {
  185. TraceError("CRegKeySecurity::SetKeySecurity", hr);
  186. }
  188. return hr;
  189. }
  191. //+---------------------------------------------------------------------------
  192. //
  193. // Function: RegCloseKey
  194. //
  195. // Purpose: Closes the currently open registry key.
  196. //
  197. //
  198. // Arguments: None
  199. //
  200. //
  201. //
  202. // Returns: An S_OK if the key was successfully opened, and error code
  203. // otherwise
  204. //
  205. // Author: ckotze 4 July 2000
  206. //
  207. // Notes:
  208. //
  209. HRESULT CRegKeySecurity::RegCloseKey()
  210. {
  211. HRESULT hr = S_OK;
  213. if (m_hkeyCurrent)
  214. {
  215. LONG err;
  217. err = ::RegCloseKey(m_hkeyCurrent);
  219. hr = HRESULT_FROM_WIN32(err);
  221. m_hkeyCurrent = 0;
  222. }
  224. return hr;
  225. }
  227. //+---------------------------------------------------------------------------
  228. //
  229. // Function: GetSecurityDescriptorDacl
  230. //
  231. // Purpose: Retrieve the Discretionary Access Control List from the SD
  232. //
  233. //
  234. // Arguments:
  235. //
  236. //
  237. // Returns: An S_OK if the key was successfully opened, and error code
  238. // otherwise
  239. //
  240. // Author: ckotze 4 July 2000
  241. //
  242. // Notes:
  243. //
  244. HRESULT CRegKeySecurity::GetSecurityDescriptorDacl()
  245. {
  246. HRESULT hr = S_OK;
  248. if (!m_psdRegKey)
  249. {
  250. return E_UNEXPECTED;
  251. }
  253. if (!::GetSecurityDescriptorDacl(m_psdRegKey,
  254. (LPBOOL)&m_bHasDacl,
  255. (PACL *)&m_paclDacl,
  256. (LPBOOL)&m_bDaclDefaulted))
  257. {
  258. DWORD dwErr;
  260. dwErr = GetLastError();
  262. hr = HRESULT_FROM_WIN32(dwErr);
  263. }
  265. return hr;
  266. }
  268. //+---------------------------------------------------------------------------
  269. //
  270. // Function: SetSecurityDescriptorDacl
  271. //
  272. // Purpose: Update the Discretionary Access Control List in the SD
  273. //
  274. //
  275. // Arguments:
  276. //
  277. //
  278. // Returns: An S_OK if the key was successfully opened, and error code
  279. // otherwise
  280. //
  281. // Author: ckotze 4 July 2000
  282. //
  283. // Notes:
  284. //
  285. HRESULT CRegKeySecurity::SetSecurityDescriptorDacl(PACL paclDacl, DWORD dwNumEntries)
  286. {
  287. HRESULT hr = E_FAIL;
  288. DWORD dwErr = 0;
  289. SECURITY_DESCRIPTOR psdSD = {0};
  291. SECURITY_DESCRIPTOR_CONTROL pSDCControl;
  292. PACL pDacl = NULL;
  293. PACL pSacl = NULL;
  294. PSID psidOwner = NULL;
  295. PSID psidGroup = NULL;
  296. DWORD dwSDSize = sizeof(psdSD);
  297. DWORD dwOwnerSIDSize = 0;
  298. DWORD dwGroupSIDSize = 0;
  299. DWORD cbDacl = 0;
  300. DWORD cbSacl = 0;
  301. DWORD dwRevision = 0;
  303. if (!paclDacl)
  304. {
  305. return E_INVALIDARG;
  306. }
  308. if (GetSecurityDescriptorControl(m_psdRegKey, &pSDCControl, &dwRevision))
  309. {
  310. if (SE_SELF_RELATIVE & pSDCControl)
  311. {
  312. if (!MakeAbsoluteSD(m_psdRegKey, &psdSD, &dwSDSize, pDacl, &cbDacl, pSacl, &cbSacl, psidOwner, &dwOwnerSIDSize, psidGroup, &dwGroupSIDSize))
  313. {
  314. pDacl = reinterpret_cast<PACL>(new BYTE[cbDacl]);
  316. if (!pDacl)
  317. {
  318. return E_OUTOFMEMORY;
  319. }
  321. psidOwner = new BYTE[dwOwnerSIDSize];
  323. if (!psidOwner)
  324. {
  325. delete[] pDacl;
  327. return E_OUTOFMEMORY;
  328. }
  330. psidGroup = new BYTE[dwGroupSIDSize];
  332. if (!psidGroup)
  333. {
  334. delete[] pDacl;
  335. delete[] psidOwner;
  337. return E_OUTOFMEMORY;
  338. }
  339. else if (MakeAbsoluteSD(m_psdRegKey, &psdSD, &dwSDSize, pDacl, &cbDacl, pSacl, &cbSacl, psidOwner, &dwOwnerSIDSize, psidGroup, &dwGroupSIDSize))
  340. {
  341. if (!::SetSecurityDescriptorDacl(&psdSD, m_bHasDacl, paclDacl, m_bDaclDefaulted))
  342. {
  343. dwErr = GetLastError();
  344. }
  345. if (!MakeSelfRelativeSD(&psdSD, m_psdRegKey, &dwSDSize) && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
  346. {
  347. if (m_psdRegKey)
  348. {
  349. delete[] m_psdRegKey;
  350. }
  352. m_psdRegKey = reinterpret_cast<PSECURITY_DESCRIPTOR>(new BYTE[dwSDSize]);
  354. if (MakeSelfRelativeSD(&psdSD, m_psdRegKey, &dwSDSize))
  355. {
  356. hr = S_OK;
  357. SetLastError(0);
  358. m_paclDacl = NULL;
  359. }
  360. }
  361. }
  363. delete[] pDacl;
  364. delete[] psidOwner;
  365. delete[] psidGroup;
  367. }
  368. }
  369. }
  370. else
  371. {
  372. DWORD dwErr;
  374. dwErr = GetLastError();
  375. hr = HRESULT_FROM_WIN32(dwErr);
  376. }
  378. return hr;
  379. }
  381. //+---------------------------------------------------------------------------
  382. //
  383. // Function: GrantRightsOnRegKey
  384. //
  385. // Purpose: Add the specified account to the ACL with the permissions
  386. // required and the inheritance information.
  387. //
  388. // Arguments:
  389. // psidUserOrGroup - The sid (Security Identifier) of the user to
  390. // be added.
  391. // amPermissionMask - The permissions to be granted.
  392. //
  393. // kamMask - Applies to this key or child keys or both?
  394. //
  395. //
  396. // Returns: An S_OK if the key was successfully opened, and error code
  397. // otherwise
  398. //
  399. // Author: ckotze 4 July 2000
  400. //
  401. // Notes:
  402. //
  403. HRESULT CRegKeySecurity::GrantRightsOnRegKey(PCSID psidUserOrGroup, ACCESS_MASK amPermissionsMask, KEY_APPLY_MASK kamMask)
  404. {
  405. HRESULT hr = E_FAIL;
  406. PACCESS_ALLOWED_ACE paaAllowedAce = NULL;
  407. PACCESS_DENIED_ACE paaDeniedAce = NULL;
  408. BOOL bAceMatch = FALSE;
  409. BYTE cAceFlags = 0;
  410. DWORD cbAcl = 0;
  411. DWORD cbAce = 0;
  413. if (!IsValidSid(const_cast<PSID>(psidUserOrGroup)))
  414. {
  415. return HRESULT_FROM_WIN32(ERROR_INVALID_SID);
  416. }
  418. hr = GetAccessControlEntriesFromAcl();
  420. if (FAILED(hr))
  421. {
  422. return hr;
  423. }
  425. cbAcl = sizeof(ACL);
  427. for (ACEITER i = m_listAllAce.begin(); i != m_listAllAce.end() ; i++)
  428. {
  429. CAccessControlEntry paEntry(*i);
  431. cbAcl += sizeof(ACCESS_ALLOWED_ACE) + 8 +
  432. paEntry.GetLengthSid()- sizeof(DWORD);
  434. // Assert(kamMask)
  436. switch (kamMask)
  437. {
  438. case KEY_CURRENT:
  439. {
  440. cAceFlags = 0; // Do not allow this to be inherited by children.
  441. break;
  442. }
  443. case KEY_CHILDREN:
  444. {
  445. cAceFlags = CONTAINER_INHERIT_ACE;
  446. cAceFlags |= INHERIT_ONLY_ACE;
  447. break;
  448. }
  449. case KEY_ALL:
  450. {
  451. cAceFlags = CONTAINER_INHERIT_ACE;
  452. break;
  453. }
  454. default:
  455. return E_INVALIDARG;
  456. }
  458. if (paEntry.HasExactRights(amPermissionsMask) && paEntry.HasExactInheritFlags(cAceFlags) && paEntry.IsEqualSid(psidUserOrGroup))
  459. {
  460. bAceMatch = TRUE;
  461. }
  462. }
  464. if (!bAceMatch)
  465. {
  466. ACCESS_ALLOWED_ACE paEntry = {NULL};
  467. ACL_REVISION_INFORMATION AclRevisionInfo;
  468. PACL pNewDACL = NULL;
  469. CAccessControlEntry AccessControlEntry(ACCESS_ALLOWED_ACE_TYPE, amPermissionsMask, cAceFlags, psidUserOrGroup);
  471. // subtract ACE.SidStart from the size
  472. cbAce = sizeof (paEntry) - sizeof (DWORD);
  473. // add this ACE's SID length
  474. cbAce += 8 + GetLengthSid(const_cast<PSID>(psidUserOrGroup));
  475. // add the length of each ACE to the total ACL length
  476. cbAcl += cbAce;
  478. m_listAllAce.insert(m_listAllAce.end(), AccessControlEntry);
  480. AclRevisionInfo.AclRevision = ACL_REVISION;
  482. hr = BuildAndApplyACLFromList(cbAcl, AclRevisionInfo);
  484. if (SUCCEEDED(hr))
  485. {
  486. hr = SetKeySecurity();
  487. }
  488. }
  489. else
  490. {
  491. hr = S_FALSE;
  492. }
  494. return hr;
  495. }
  497. //+---------------------------------------------------------------------------
  498. //
  499. // Function: RevokeRightsOnRegKey
  500. //
  501. // Purpose: Remove the specified account to the ACL with the permissions
  502. // required and the inheritance information.
  503. //
  504. // Arguments:
  505. // psidUserOrGroup - The sid (Security Identifier) of the user to
  506. // be added.
  507. // amPermissionMask - The permissions to be granted.
  508. //
  509. // kamMask - Applies to this key or child keys or both?
  510. //
  511. // Returns: An S_OK if the key was successfully opened, and error code
  512. // otherwise
  513. //
  514. // Author: ckotze 4 July 2000
  515. //
  516. // Notes: This is designed to only remove the exact combination of user
  517. // rights and sid and key apply mask. This is to stop us from
  518. // accidentally deleting a key that was put there for the user/group
  519. // by an administrator.
  520. //
  521. HRESULT CRegKeySecurity::RevokeRightsOnRegKey(PCSID psidUserOrGroup, ACCESS_MASK amPermissionsMask, KEY_APPLY_MASK kamMask)
  522. {
  523. HRESULT hr = S_OK;
  524. PACCESS_ALLOWED_ACE paaAllowedAce = NULL;
  525. PACCESS_DENIED_ACE paaDeniedAce = NULL;
  526. BOOL bAceMatch = FALSE;
  527. BYTE cAceFlags = 0;
  528. DWORD cbAcl = 0;
  529. DWORD cbAce = 0;
  531. if (!IsValidSid(const_cast<PSID>(psidUserOrGroup)))
  532. {
  533. return HRESULT_FROM_WIN32(ERROR_INVALID_SID);
  534. }
  536. hr = GetAccessControlEntriesFromAcl();
  538. if (FAILED(hr))
  539. {
  540. return hr;
  541. }
  543. cbAcl = sizeof(ACL);
  545. for (ACEITER i = m_listAllAce.begin(); i != m_listAllAce.end() ; i++)
  546. {
  547. CAccessControlEntry paEntry(*i);
  549. // Assert(kamMask)
  551. switch (kamMask)
  552. {
  553. case KEY_CURRENT:
  554. {
  555. cAceFlags = 0; // Do not allow this to be inherited by children.
  556. break;
  557. }
  558. case KEY_CHILDREN:
  559. {
  560. cAceFlags = CONTAINER_INHERIT_ACE;
  561. cAceFlags |= INHERIT_ONLY_ACE;
  562. break;
  563. }
  564. case KEY_ALL:
  565. {
  566. cAceFlags = CONTAINER_INHERIT_ACE;
  567. break;
  568. }
  569. default:
  570. return E_INVALIDARG;
  571. }
  573. if (paEntry.HasExactRights(amPermissionsMask) && paEntry.HasExactInheritFlags(cAceFlags) && paEntry.IsEqualSid(psidUserOrGroup))
  574. {
  575. ACEITER j = i;
  576. i = m_listAllAce.erase(j);
  577. bAceMatch = TRUE;
  578. }
  579. else
  580. {
  581. cbAcl += sizeof(ACCESS_ALLOWED_ACE) + 8 +
  582. paEntry.GetLengthSid()- sizeof(DWORD);
  584. }
  585. }
  587. if (bAceMatch)
  588. {
  589. ACCESS_ALLOWED_ACE paEntry = {NULL};
  590. ACL_REVISION_INFORMATION AclRevisionInfo;
  591. PACL pNewDACL = NULL;
  593. // subtract ACE.SidStart from the size
  594. cbAce = sizeof (paEntry) - sizeof (DWORD);
  595. // add this ACE's SID length
  596. cbAce += 8 + GetLengthSid(const_cast<PSID>(psidUserOrGroup));
  597. // add the length of each ACE to the total ACL length
  598. cbAcl += cbAce;
  600. AclRevisionInfo.AclRevision = ACL_REVISION;
  602. hr = BuildAndApplyACLFromList(cbAcl, AclRevisionInfo);
  604. if (SUCCEEDED(hr))
  605. {
  606. hr = SetKeySecurity();
  607. }
  608. }
  609. else
  610. {
  611. hr = S_FALSE;
  612. }
  614. return hr;
  615. }
  618. //+---------------------------------------------------------------------------
  619. //
  620. // Function: GetAccessControlEntriesFromAcl
  621. //
  622. // Purpose: Retrieves all the ACE's from the ACL and stores them in an
  623. // STL list for easier manipulation.
  624. //
  625. // Arguments:
  626. //
  627. //
  628. //
  629. // Returns: An S_OK if the key was successfully opened, and error code
  630. // otherwise
  631. //
  632. // Author: ckotze 4 July 2000
  633. //
  634. // Notes:
  635. //
  636. HRESULT CRegKeySecurity::GetAccessControlEntriesFromAcl()
  637. {
  638. ACL_SIZE_INFORMATION asiAclSize;
  639. ACL_REVISION_INFORMATION ariAclRevision;
  640. DWORD dwBufLength;
  641. DWORD dwAcl;
  642. DWORD dwTotalEntries = 0;
  643. HRESULT hr = S_OK;
  644. PACCESS_ALLOWED_ACE paaAllowedAce = NULL;
  645. PACCESS_DENIED_ACE paaDeniedAce = NULL;
  646. ACCESS_MASK amAccessAllowedMask = 0;
  647. ACCESS_MASK amAccessDeniedMask = 0;
  649. if (!m_paclDacl)
  650. {
  651. hr = GetSecurityDescriptorDacl();
  652. if (FAILED(hr))
  653. {
  654. return hr;
  655. }
  656. }
  658. if (!IsValidAcl(m_paclDacl))
  659. {
  660. return HRESULT_FROM_WIN32(ERROR_INVALID_ACL);
  661. }
  663. dwBufLength = sizeof(asiAclSize);
  665. if (!GetAclInformation(m_paclDacl,
  666. &asiAclSize,
  667. dwBufLength,
  668. AclSizeInformation))
  669. {
  670. return(FALSE);
  671. }
  673. dwBufLength = sizeof(ariAclRevision);
  675. if (!GetAclInformation(m_paclDacl,
  676. &ariAclRevision,
  677. dwBufLength,
  678. AclRevisionInformation))
  679. {
  680. return(FALSE);
  681. }
  683. switch (ariAclRevision.AclRevision)
  684. {
  685. case ACL_REVISION1 :
  686. {
  687. break;
  688. }
  689. case ACL_REVISION2 :
  690. {
  691. break;
  692. }
  693. default :
  694. {
  695. return(FALSE);
  696. }
  697. }
  699. if (asiAclSize.AceCount <= 0)
  700. {
  701. return E_INVALIDARG;
  702. }
  704. m_listAllAce.clear();
  706. for (dwAcl = 0;dwAcl < asiAclSize.AceCount; dwAcl++)
  707. {
  708. if (!GetAce(m_paclDacl,
  709. dwAcl,
  710. reinterpret_cast<LPVOID *>(&paaAllowedAce)))
  711. {
  712. return HRESULT_FROM_WIN32(ERROR_INVALID_ACL);
  713. }
  715. if (paaAllowedAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE)
  716. {
  717. CAccessControlEntry pEntry(*paaAllowedAce);
  719. m_listAllAce.insert(m_listAllAce.end(), pEntry);
  720. }
  721. else
  722. {
  723. CAccessControlEntry pEntry(*paaAllowedAce);
  725. m_listAllAce.insert(m_listAllAce.begin(), pEntry);
  726. }
  727. }
  729. return S_OK;
  731. }
  734. HRESULT CRegKeySecurity::BuildAndApplyACLFromList(DWORD cbAcl, ACL_REVISION_INFORMATION AclRevisionInfo)
  735. {
  736. HRESULT hr = S_OK;
  737. DWORD cbAce = 0;
  738. PACL pNewDACL = NULL;
  740. pNewDACL = reinterpret_cast<PACL>(new BYTE[cbAcl]);
  742. if (!pNewDACL)
  743. {
  744. return E_OUTOFMEMORY;
  745. }
  747. ZeroMemory(pNewDACL, cbAcl);
  749. if (InitializeAcl(pNewDACL, cbAcl, AclRevisionInfo.AclRevision))
  750. {
  751. for (ACEITER i = m_listAllAce.begin(); i != m_listAllAce.end(); i++)
  752. {
  753. CAccessControlEntry Ace = *i;
  755. if (IsValidAcl(pNewDACL))
  756. {
  757. hr = Ace.AddToACL(&pNewDACL, AclRevisionInfo);
  759. if (FAILED(hr))
  760. {
  761. break;
  762. }
  763. }
  764. else
  765. {
  766. hr = HRESULT_FROM_WIN32(ERROR_INVALID_ACL);
  767. break;
  768. }
  769. }
  771. if (SUCCEEDED(hr))
  772. {
  773. hr = SetSecurityDescriptorDacl(pNewDACL, m_listAllAce.size());
  774. }
  775. delete[] pNewDACL;
  776. }
  778. return hr;
  779. }
  783. //+---------------------------------------------------------------------------
  784. //
  785. // Function: CAccessControlEntry constructor
  786. //
  787. // Purpose:
  788. //
  789. //
  790. // Arguments:
  791. //
  792. //
  793. //
  794. //
  795. // Returns: An S_OK if the key was successfully opened, and error code
  796. // otherwise
  797. //
  798. // Author: ckotze 4 July 2000
  799. //
  800. // Notes:
  801. //
  802. CAccessControlEntry::CAccessControlEntry()
  803. {
  805. }
  807. //+---------------------------------------------------------------------------
  808. //
  809. // Function: CAccessControlEntry copy constructor
  810. //
  811. // Purpose: To contruct a new CAccessControEntry based on the supplied
  812. // Access Control Entry for storage in an STL list.
  813. //
  814. // Arguments:
  815. // aaAllowed - An ACCESS_ALLOWED_ACE or ACCESS_DENIED_ACE
  816. //
  817. //
  818. // Returns: An S_OK if the key was successfully opened, and error code
  819. // otherwise
  820. //
  821. // Author: ckotze 4 July 2000
  822. //
  823. // Notes: Since STL doesn't know how to work with Sids we get the string
  824. // representation of the sid and then store that inside the list.
  825. //
  826. CAccessControlEntry::CAccessControlEntry(const ACCESS_ALLOWED_ACE& aaAllowed)
  827. {
  828. m_cAceType = aaAllowed.Header.AceType;
  829. m_amMask = aaAllowed.Mask;
  830. m_cAceFlags = aaAllowed.Header.AceFlags;
  832. CNCUtility::SidToString(&aaAllowed.SidStart, m_strSid);
  833. m_dwLengthSid = ::GetLengthSid(reinterpret_cast<PSID>(const_cast<LPDWORD>(&aaAllowed.SidStart)));
  834. }
  836. //+---------------------------------------------------------------------------
  837. //
  838. // Function: CAccessControlEntry copy constructor
  839. //
  840. // Purpose: To contruct a new CAccessControEntry based on the supplied
  841. // Access Control Entry fields for storage in an STL list.
  842. //
  843. //
  844. // Arguments:
  845. // AceType - The type of ACE (allowed or denied or audit etc)
  846. //
  847. // amMask - Permissions Mask
  848. //
  849. // AceFlags - AceFlags
  850. //
  851. // psidUserOrGroup - The User or Group we're interested in
  852. //
  853. //
  854. //
  855. // Returns: An S_OK if the key was successfully opened, and error code
  856. // otherwise
  857. //
  858. // Author: ckotze 4 July 2000
  859. //
  860. // Notes: Since STL doesn't know how to work with Sids we get the string
  861. // representation of the sid and then store that inside the list.
  862. //
  863. CAccessControlEntry::CAccessControlEntry(const BYTE AceType, const ACCESS_MASK amMask, const BYTE AceFlags, PCSID psidUserOrGroup)
  864. {
  865. m_cAceType = AceType;
  866. m_amMask = amMask;
  867. m_cAceFlags = AceFlags;
  869. CNCUtility::SidToString(psidUserOrGroup, m_strSid);
  870. m_dwLengthSid = ::GetLengthSid(const_cast<PSID>(psidUserOrGroup));
  871. }
  873. //+---------------------------------------------------------------------------
  874. //
  875. // Function: CAccessControlEntry destructor
  876. //
  877. // Purpose:
  878. //
  879. //
  880. // Arguments:
  881. //
  882. //
  883. //
  884. // Returns: An S_OK if the key was successfully opened, and error code
  885. // otherwise
  886. //
  887. // Author: ckotze 4 July 2000
  888. //
  889. // Notes:
  890. //
  891. CAccessControlEntry::~CAccessControlEntry()
  892. {
  893. }
  895. //+---------------------------------------------------------------------------
  896. //
  897. // Function: AddToACL
  898. //
  899. // Purpose: Adds this current AccessControlEntry to the specified ACL
  900. //
  901. //
  902. // Arguments:
  903. // pAcl - Access Control List to Add to
  904. //
  905. // AclRevisionInfo - Version of ACL
  906. //
  907. // Returns: An S_OK if the key was successfully opened, and error code
  908. // otherwise
  909. //
  910. // Author: ckotze 4 July 2000
  911. //
  912. // Notes:
  913. //
  914. HRESULT CAccessControlEntry::AddToACL(PACL* pAcl, ACL_REVISION_INFORMATION AclRevisionInfo)
  915. {
  916. HRESULT hr;
  917. PSID pSid = NULL;
  919. hr = CNCUtility::StringToSid(m_strSid, pSid);
  921. if (FAILED(hr))
  922. {
  923. return hr;
  924. }
  926. if (m_cAceType == ACCESS_ALLOWED_ACE_TYPE)
  927. {
  928. if (!::AddAccessAllowedAceEx(*pAcl, AclRevisionInfo.AclRevision, m_cAceFlags, m_amMask, pSid))
  929. {
  930. DWORD dwErr;
  932. dwErr = GetLastError();
  933. hr = HRESULT_FROM_WIN32(dwErr);
  934. }
  935. }
  936. else
  937. {
  938. if (!::AddAccessDeniedAceEx(*pAcl, AclRevisionInfo.AclRevision, m_cAceFlags, m_amMask, pSid))
  939. {
  940. DWORD dwErr;
  942. dwErr = GetLastError();
  943. hr = HRESULT_FROM_WIN32(dwErr);
  944. }
  945. }
  947. if (pSid)
  948. {
  949. FreeSid(pSid);
  950. }
  952. return S_OK;
  953. }
  955. //+---------------------------------------------------------------------------
  956. //
  957. // Function: HasExactRights
  958. //
  959. // Purpose: Checks to see if this ACE has the exact same rights that we
  960. // are looking for
  961. //
  962. //
  963. // Arguments:
  964. // amRightsRequired - The AccessMask in question
  965. //
  966. //
  967. // Returns: An S_OK if the key was successfully opened, and error code
  968. // otherwise
  969. //
  970. // Author: ckotze 4 July 2000
  971. //
  972. // Notes:
  973. //
  974. BOOL CAccessControlEntry::HasExactRights(ACCESS_MASK amRightsRequired) const
  975. {
  976. return (amRightsRequired == m_amMask);
  977. }
  979. //+---------------------------------------------------------------------------
  980. //
  981. // Function: GetLengthSid
  982. //
  983. // Purpose: returns the length of the sid in this AccessControlEntry
  984. //
  985. // Arguments:
  986. //
  987. //
  988. //
  989. //
  990. // Returns: An S_OK if the key was successfully opened, and error code
  991. // otherwise
  992. //
  993. // Author: ckotze 4 July 2000
  994. //
  995. // Notes:
  996. //
  997. DWORD CAccessControlEntry::GetLengthSid() const
  998. {
  999. return m_dwLengthSid;
  1000. }
  1002. //+---------------------------------------------------------------------------
  1003. //
  1004. // Function: HasExactRights
  1005. //
  1006. // Purpose: Checks to see if this ACE has the exact same inherit flags
  1007. // that we are looking for
  1008. //
  1009. //
  1010. // Arguments:
  1011. // amRightsRequired - The AccessMask in question
  1012. //
  1013. //
  1014. // Returns: An S_OK if the key was successfully opened, and error code
  1015. // otherwise
  1016. //
  1017. // Author: ckotze 4 July 2000
  1018. //
  1019. // Notes:
  1020. //
  1021. BOOL CAccessControlEntry::HasExactInheritFlags(BYTE AceFlags)
  1022. {
  1023. return (m_cAceFlags == AceFlags);
  1024. }
  1026. //+---------------------------------------------------------------------------
  1027. //
  1028. // Function: IsEqualSid
  1029. //
  1030. // Purpose: Is this the same Sid as the one we're looking for?
  1031. //
  1032. //
  1033. // Arguments:
  1034. // psidUserOrGroup - Sid in question
  1035. //
  1036. //
  1037. //
  1038. // Returns: An S_OK if the key was successfully opened, and error code
  1039. // otherwise
  1040. //
  1041. // Author: ckotze 4 July 2000
  1042. //
  1043. // Notes:
  1044. //
  1045. BOOL CAccessControlEntry::IsEqualSid(PCSID psidUserOrGroup) const
  1046. {
  1047. HRESULT hr;
  1048. BOOL bEqualSid = FALSE;
  1049. PSID pSid = NULL;
  1051. hr = CNCUtility::StringToSid(m_strSid, pSid);
  1053. if (SUCCEEDED(hr))
  1054. {
  1055. bEqualSid = ::EqualSid(pSid, const_cast<PSID>(psidUserOrGroup));
  1056. }
  1058. if (pSid)
  1059. {
  1060. FreeSid(pSid);
  1061. }
  1063. return bEqualSid;
  1064. }