|
|
/*++
Copyright (c) 1990-1993 Microsoft Corporation
Module Name:
splrpc.c
Abstract:
This file contains routines for starting and stopping RPC servers.
SpoolerStartRpcServer SpoolerStopRpcServer
Author:
Krishna Ganugapati krishnaG
Environment:
User Mode - Win32
Revision History:
14-Oct-1993 KrishnaG Created 25-May-1999 khaleds Added: CreateNamedPipeSecurityDescriptor BuildNamedPipeProtection--*/
//
// INCLUDES
//
#define NOMINMAX
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <windows.h>
#include <winspool.h>
#include <winsplp.h>
#include <rpc.h>
#include "splsvr.h"
#include "splr.h"
#include "server.h"
#ifndef _SRVRMEM_H_
#include "srvrmem.h"
#endif
WCHAR szSerializeRpc []= L"SerializeRpc";WCHAR szCallExitProcessOnShutdown []= L"CallExitProcessOnShutdown";WCHAR szMaxRpcSize []= L"MaxRpcSize";WCHAR szPrintKey[] = L"System\\CurrentControlSet\\Control\\Print";
#define DEFAULT_MAX_RPC_SIZE 1024*1024 // default maximum rpc data block size in bytes
DWORD dwCallExitProcessOnShutdown = TRUE;
RPC_STATUSSpoolerStartRpcServer( VOID)/*++
Routine Description:
Arguments:
Return Value:
NERR_Success, or any RPC error codes that can be returned from RpcServerUnregisterIf.
--*/{ unsigned char * InterfaceAddress; RPC_STATUS status; PSECURITY_DESCRIPTOR SecurityDescriptor = NULL; BOOL Bool;
HKEY hKey; DWORD cbData; DWORD dwSerializeRpc = 0; DWORD dwType; DWORD dwMaxRpcSize;
InterfaceAddress = "\\pipe\\spoolss";
// Croft up a security descriptor that will grant everyone
// all access to the object (basically, no security)
//
// We do this by putting in a NULL Dacl.
//
// NOTE: rpc should copy the security descriptor,
// Since it currently doesn't, simply allocate it for now and
// leave it around forever.
//
SecurityDescriptor = CreateNamedPipeSecurityDescriptor(); if (SecurityDescriptor == 0) { DBGMSG(DBG_ERROR, ("Spoolss: out of memory\n")); return FALSE; }
//
// For now, ignore the second argument.
//
status = RpcServerUseProtseqEpA("ncacn_np", 10, InterfaceAddress, SecurityDescriptor);
if (status) { DBGMSG(DBG_WARN, ("RpcServerUseProtseqEpA 1 = %u\n",status)); return FALSE; }
//
// For now, ignore the second argument.
//
status = RpcServerUseProtseqEpA("ncalrpc", 10, "spoolss", SecurityDescriptor);
if (status) { DBGMSG(DBG_WARN, ("RpcServerUseProtseqEpA 2 = %u\n",status)); return FALSE; }
if (!RegOpenKeyEx(HKEY_LOCAL_MACHINE, szPrintKey, 0, KEY_READ, &hKey)) {
//
// Ignore failure case since we can use the default
//
cbData = sizeof(dwSerializeRpc); RegQueryValueEx(hKey, szSerializeRpc, NULL, &dwType, (LPBYTE)&dwSerializeRpc, &cbData);
//
// This value can be used to control if spooler controls ExitProcess
// on shutdown
//
cbData = sizeof(dwCallExitProcessOnShutdown); RegQueryValueEx(hKey, szCallExitProcessOnShutdown, NULL, &dwType, (LPBYTE)&dwCallExitProcessOnShutdown, &cbData);
//
// dwMaxRpcSize specifies the maximum size in bytes of incoming RPC data blocks.
//
cbData = sizeof(dwMaxRpcSize); if (RegQueryValueEx(hKey, szMaxRpcSize, NULL, &dwType, (LPBYTE)&dwMaxRpcSize, &cbData) != ERROR_SUCCESS) { dwMaxRpcSize = DEFAULT_MAX_RPC_SIZE; }
RegCloseKey(hKey); }
//
// Now we need to add the interface. We can just use the winspool_ServerIfHandle
// specified by the MIDL compiler in the stubs (winspl_s.c).
//
status = RpcServerRegisterIf2( winspool_ServerIfHandle, 0, 0, 0, RPC_C_PROTSEQ_MAX_REQS_DEFAULT, dwMaxRpcSize, NULL );
if (status) { DBGMSG(DBG_WARN, ("RpcServerRegisterIf = %u\n",status)); return FALSE; }
if (dwSerializeRpc) {
// By default, rpc will serialize access to context handles. Since
// the spooler needs to be able to have two threads access a context
// handle at once, and it knows what it is doing, we will tell rpc
// not to serialize access to context handles.
I_RpcSsDontSerializeContext(); }
status = RpcMgmtSetServerStackSize(INITIAL_STACK_COMMIT);
if (status != RPC_S_OK) { DBGMSG(DBG_ERROR, ("Spoolss : RpcMgmtSetServerStackSize = %d\n", status)); }
// The first argument specifies the minimum number of threads to
// create to handle calls; the second argument specifies the maximum
// concurrent calls to handle. The third argument indicates that
// the routine should not wait.
status = RpcServerListen(1,SPL_MAX_RPC_CALLS,1);
if ( status != RPC_S_OK ) { DBGMSG(DBG_ERROR, ("Spoolss : RpcServerListen = %d\n", status)); }
return (status);}
#define MAX_ACE 7
#define DBGCHK( Condition, ErrorInfo ) \
if( Condition ) DBGMSG( DBG_WARNING, ErrorInfo )
/*++
Routine Description: This routine adds prepares the required masks and flags required for the DACL on the named pipes used by RPC Arguments: None Return Value: An allocated Security Descriptor
--*/
PSECURITY_DESCRIPTORCreateNamedPipeSecurityDescriptor( VOID ){ UCHAR AceType[MAX_ACE]; PSID AceSid[MAX_ACE]; BYTE InheritFlags[MAX_ACE]; DWORD AceCount; PSECURITY_DESCRIPTOR ServerSD = NULL; //
// For Code optimization we replace 5 individaul
// SID_IDENTIFIER_AUTHORITY with an array of
// SID_IDENTIFIER_AUTHORITYs
// where
// SidAuthority[0] = UserSidAuthority
// SidAuthority[1] = PowerSidAuthority
// SidAuthority[2] = EveryOneSidAuthority
// SidAuthority[3] = CreatorSidAuthority
// SidAuthority[4] = SystemSidAuthority
// SidAuthority[5] = AdminSidAuthority
//
SID_IDENTIFIER_AUTHORITY SidAuthority[MAX_ACE] = { SECURITY_NT_AUTHORITY, SECURITY_NT_AUTHORITY, SECURITY_WORLD_SID_AUTHORITY, SECURITY_NT_AUTHORITY, SECURITY_CREATOR_SID_AUTHORITY, SECURITY_NT_AUTHORITY, SECURITY_NT_AUTHORITY }; //
// For code optimization we replace 6 individual Sids with
// an array of Sids; On Whistler, Anonymous user will no longer
// be granted access to resources whose ACLs grant access to Everyone.
//
// We need to give access to Anonymous user to access the RPC pipe
// for the reverse RPC connection when RPC calls could come as
// Anonymous from either NT4 machines, Whistler Personal or Whitler
// across domains.
//
// Sid[0] = UserSid
// Sid[1] = PowerSid
// Sid[2] = EveryOne
// Sid[3] = Anonymous
// Sid[4] = CreatorSid
// Sid[5] = SystemSid
// Sid[6] = AdminSid
//
PSID Sids[MAX_ACE] = {NULL,NULL,NULL,NULL,NULL};
ACCESS_MASK AceMask[MAX_ACE] = { FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE , FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE , (FILE_GENERIC_READ | FILE_WRITE_DATA | FILE_ALL_ACCESS) & ~WRITE_DAC &~WRITE_OWNER & ~DELETE & ~FILE_CREATE_PIPE_INSTANCE, (FILE_GENERIC_READ | FILE_WRITE_DATA | FILE_ALL_ACCESS) & ~WRITE_DAC &~WRITE_OWNER & ~DELETE & ~FILE_CREATE_PIPE_INSTANCE, STANDARD_RIGHTS_ALL | FILE_GENERIC_WRITE | FILE_GENERIC_READ | FILE_ALL_ACCESS, STANDARD_RIGHTS_ALL | FILE_GENERIC_WRITE | FILE_GENERIC_READ | FILE_ALL_ACCESS, STANDARD_RIGHTS_ALL | FILE_GENERIC_WRITE | FILE_GENERIC_READ | FILE_ALL_ACCESS };
DWORD SubAuthorities[3*MAX_ACE] = { 2 , SECURITY_BUILTIN_DOMAIN_RID , DOMAIN_ALIAS_RID_USERS , 2 , SECURITY_BUILTIN_DOMAIN_RID , DOMAIN_ALIAS_RID_POWER_USERS , 1 , SECURITY_WORLD_RID , 0 , 1 , SECURITY_ANONYMOUS_LOGON_RID , 0 , 1 , SECURITY_CREATOR_OWNER_RID , 0 , 1 , SECURITY_LOCAL_SYSTEM_RID , 0 , 2 , SECURITY_BUILTIN_DOMAIN_RID , DOMAIN_ALIAS_RID_ADMINS }; //
// Name Pipe SD
//
for(AceCount = 0; ( (AceCount < MAX_ACE) && AllocateAndInitializeSid(&SidAuthority[AceCount], (BYTE)SubAuthorities[AceCount*3], SubAuthorities[AceCount*3+1], SubAuthorities[AceCount*3+2], 0, 0, 0, 0, 0, 0, &Sids[AceCount])); AceCount++) { AceType[AceCount] = ACCESS_ALLOWED_ACE_TYPE; AceSid[AceCount] = Sids[AceCount]; InheritFlags[AceCount] = 0; }
if(AceCount == MAX_ACE) { if(!BuildNamedPipeProtection( AceType, AceCount, AceSid, AceMask, InheritFlags, NULL, NULL, NULL, &ServerSD ) ) { DBGMSG( DBG_WARNING,( "Couldn't buidl Named Pipe protection" ) ); } } else { DBGMSG( DBG_WARNING,( "Couldn't Allocate and initialize SIDs" ) ); }
for(AceCount=0;AceCount<MAX_ACE;AceCount++) { if(Sids[AceCount]) FreeSid( Sids[AceCount] ); } return ServerSD;}
BOOLBuildNamedPipeProtection( IN PUCHAR AceType, IN DWORD AceCount, IN PSID *AceSid, IN ACCESS_MASK *AceMask, IN BYTE *InheritFlags, IN PSID OwnerSid, IN PSID GroupSid, IN PGENERIC_MAPPING GenericMap, OUT PSECURITY_DESCRIPTOR *ppSecurityDescriptor )
/*++
Routine Description:
This routine builds a self-relative security descriptor ready to be applied to one of the print manager objects.
If so indicated, a pointer to the last RID of the SID in the last ACE of the DACL is returned and a flag set indicating that the RID must be replaced before the security descriptor is applied to an object. This is to support USER object protection, which must grant some access to the user represented by the object.
The SACL of each of these objects will be set to:
Audit Success | Fail WORLD (Write | Delete | WriteDacl | AccessSystemSecurity)
Arguments:
AceType - Array of AceTypes. Must be ACCESS_ALLOWED_ACE_TYPE or ACCESS_DENIED_ACE_TYPE.
AceCount - The number of ACEs to be included in the DACL.
AceSid - Points to an array of SIDs to be granted access by the DACL. If the target SAM object is a User object, then the last entry in this array is expected to be the SID of an account within the domain with the last RID not yet set. The RID will be set during actual account creation.
AceMask - Points to an array of accesses to be granted by the DACL. The n'th entry of this array corresponds to the n'th entry of the AceSid array. These masks should not include any generic access types.
InheritFlags - Pointer to an array of inherit flags. The n'th entry of this array corresponds to the n'th entry of the AceSid array.
OwnerSid - The SID of the owner to be assigned to the descriptor.
GroupSid - The SID of the group to be assigned to the descriptor.
GenericMap - Points to a generic mapping for the target object type.
ppSecurityDescriptor - Receives a pointer to the security descriptor. This will be allcated from the process' heap, not the spooler's, and should therefore be freed with LocalFree().
IN DWORD AceCount, IN PSID *AceSid, IN ACCESS_MASK *AceMask, IN BYTE *InheritFlags, IN PSID OwnerSid, IN PSID GroupSid, IN PGENERIC_MAPPING GenericMap, OUT PSECURITY_DESCRIPTOR *ppSecurityDescriptor
Return Value:
TBS.
--*/{
SECURITY_DESCRIPTOR Absolute; PSECURITY_DESCRIPTOR Relative = NULL; PACL TmpAcl= NULL; PACCESS_ALLOWED_ACE TmpAce; DWORD SDLength; DWORD DaclLength; DWORD i; BOOL OK;
//
// The approach is to set up an absolute security descriptor that
// looks like what we want and then copy it to make a self-relative
// security descriptor.
//
OK = InitializeSecurityDescriptor( &Absolute, SECURITY_DESCRIPTOR_REVISION1 );
DBGCHK( !OK, ( "Failed to initialize security descriptor. Error %d", GetLastError() ) );
//
// Owner
//
OK = SetSecurityDescriptorOwner( &Absolute, OwnerSid, FALSE );
DBGCHK( !OK, ( "Failed to set security descriptor owner. Error %d", GetLastError() ) );
//
// Group
//
OK = SetSecurityDescriptorGroup( &Absolute, GroupSid, FALSE );
DBGCHK( !OK, ( "Failed to set security descriptor group. Error %d", GetLastError() ) );
//
// Discretionary ACL
//
// Calculate its length,
// Allocate it,
// Initialize it,
// Add each ACE
// Set ACE as InheritOnly if necessary
// Add it to the security descriptor
//
DaclLength = (DWORD)sizeof(ACL); for (i=0; i<AceCount; i++) {
DaclLength += GetLengthSid( AceSid[i] ) + (DWORD)sizeof(ACCESS_ALLOWED_ACE) - (DWORD)sizeof(DWORD); //Subtract out SidStart field length
}
TmpAcl = SrvrAllocSplMem( DaclLength );
if (!TmpAcl) { DBGCHK( !TmpAcl, ( "Out of heap space: Can't allocate ACL." ) ); *ppSecurityDescriptor = NULL; return(FALSE); }
OK = InitializeAcl( TmpAcl, DaclLength, ACL_REVISION2 );
DBGCHK( !OK, ( "Failed to set initialize ACL. Error %d", GetLastError() ) );
for (i=0; i<AceCount; i++) { if( AceType[i] == ACCESS_ALLOWED_ACE_TYPE ) OK = AddAccessAllowedAce ( TmpAcl, ACL_REVISION2, AceMask[i], AceSid[i] ); else OK = AddAccessDeniedAce ( TmpAcl, ACL_REVISION2, AceMask[i], AceSid[i] );
DBGCHK( !OK, ( "Failed to add access-allowed ACE. Error %d", GetLastError() ) );
if (InheritFlags[i] != 0) { OK = GetAce( TmpAcl, i, (LPVOID *)&TmpAce ); DBGCHK( !OK, ( "Failed to get ACE. Error %d", GetLastError() ) );
TmpAce->Header.AceFlags = InheritFlags[i]; } }
OK = SetSecurityDescriptorDacl (&Absolute, TRUE, TmpAcl, FALSE ); DBGCHK( !OK, ( "Failed to set security descriptor DACL. Error %d", GetLastError() ) );
//
// Convert the Security Descriptor to Self-Relative
//
// Get the length needed
// Allocate that much memory
// Copy it
// Free the generated absolute ACLs
//
SDLength = GetSecurityDescriptorLength( &Absolute );
Relative = LocalAlloc( 0, SDLength );
if (!Relative) { DBGCHK( !Relative, ( "Out of heap space: Can't allocate security descriptor" ) ); goto Fail; }
OK = MakeSelfRelativeSD(&Absolute, Relative, &SDLength );
if (!OK) { DBGCHK( !OK, ( "Failed to create self-relative security descriptor DACL. Error %d", GetLastError() ) ); goto Fail; }
SrvrFreeSplMem( TmpAcl ); *ppSecurityDescriptor = Relative; return( OK );
Fail:
if (TmpAcl){ FreeSplMem(TmpAcl); }
if (Relative) { LocalFree(Relative); } *ppSecurityDescriptor = NULL; return(FALSE);
}
|
