archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/shell/osshell/accessib/utilman/secdescr.c

436 lines
9.4 KiB
Raw Normal View History

Add source files
4 years ago
  1. // ----------------------------------------------------------------------------
  2. //
  3. // SecDescr.c
  4. //
  5. //
  6. // Author: Jost Eckhardt
  7. //
  8. // This code was written for ECO Kommunikation Insight
  9. // Copyright (c) 1997-1999 Microsoft Corporation
  10. // ----------------------------------------------------------------------------
  11. #include <windows.h>
  12. #include <stdlib.h>
  13. #include <malloc.h>
  14. #include <TCHAR.h>
  15. #include <WinSvc.h>
  16. #include "_UMTool.h"
  18. static PSECURITY_DESCRIPTOR GetObjectSecurityDescr(
  19. obj_sec_descr_tsp obj,
  20. DWORD dwAccessMaskOwner,
  21. DWORD dwAccessMaskLoggedOnUser);
  22. static BOOL GetUserSidFromToken(HANDLE hToken, PSID *ppSid);
  23. static BOOL GetGroupSidFromToken(HANDLE hToken, PSID *ppSid);
  25. // ---------------------------
  26. // InitSecurityAttributes - initialize the security descriptor in the
  27. // obj_sec_attr_tsp struct using a null DACL.
  28. //
  29. // Caller must call ClearSecurityAttributes when done with the struct.
  30. //
  31. void InitSecurityAttributes(obj_sec_attr_tsp psa)
  32. {
  33. memset(psa,0,sizeof(obj_sec_attr_ts));
  34. psa->sa.nLength = sizeof(SECURITY_ATTRIBUTES);
  36. psa->sa.bInheritHandle = TRUE;
  37. psa->sa.lpSecurityDescriptor = GetObjectSecurityDescr(&psa->objsd, 0, 0);
  38. }
  40. // ---------------------------
  41. // InitSecurityAttributesEx - initialize the security descriptor in the
  42. // obj_sec_attr_tsp struct using a non-null DACL
  43. //
  44. // dwAccessMaskOwner - If non-zero specifies the access allowed to the creator
  45. // dwAccessMaskLoggedOnUser - If non-zero specifies the access allowed to the current user
  46. //
  47. // If dwAccessMaskOwner and dwAccessMaskLoggedOnUser are zero the security descriptor
  48. // will have a NULL DACL. Caller must call ClearSecurityAttributes when done
  49. // with the struct.
  50. //
  51. void InitSecurityAttributesEx(obj_sec_attr_tsp psa, DWORD dwAccessMaskOwner, DWORD dwAccessMaskLoggedOnUser)
  52. {
  53. memset(psa,0,sizeof(obj_sec_attr_ts));
  54. psa->sa.nLength = sizeof(SECURITY_ATTRIBUTES);
  56. psa->sa.bInheritHandle = TRUE;
  57. psa->sa.lpSecurityDescriptor = GetObjectSecurityDescr(&psa->objsd, dwAccessMaskOwner, dwAccessMaskLoggedOnUser);
  58. }
  60. // ---------------------------
  61. // ClearSecurityAttributes - free memory from the security descriptor
  62. //
  63. void ClearSecurityAttributes(obj_sec_attr_tsp psa)
  64. {
  65. if (psa->sa.lpSecurityDescriptor)
  66. free(psa->sa.lpSecurityDescriptor);
  68. if (psa->objsd.psidUser)
  69. free(psa->objsd.psidUser);
  71. if (psa->objsd.psidGroup)
  72. free(psa->objsd.psidGroup);
  74. memset(psa,0,sizeof(obj_sec_attr_ts));
  75. }
  77. // ---------------------------
  78. static PSECURITY_DESCRIPTOR GetObjectSecurityDescr(
  79. obj_sec_descr_tsp obj,
  80. DWORD dwAccessMaskOwner,
  81. DWORD dwAccessMaskLoggedOnUser)
  82. {
  83. PSECURITY_DESCRIPTOR psd = NULL;
  84. HANDLE hToken;
  85. GENERIC_MAPPING gm = {1, 2, 4, 8};
  86. DWORD dwDesired = 1;
  87. BOOL fAccess = FALSE;
  88. DWORD dwGranted;
  89. PRIVILEGE_SET ps;
  90. DWORD cbPriv = sizeof (ps);
  91. PACL pAcl;
  92. ULONG cbAcl;
  93. PSID psidCurUser;
  95. obj->psidUser = obj->psidGroup = NULL;
  97. // Get the user's SID
  99. if (!ImpersonateSelf(SecurityImpersonation))
  100. return NULL;
  102. if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &hToken))
  103. goto GSSD_ERROR;
  105. if (!GetUserSidFromToken(hToken, &obj->psidUser))
  106. goto GSSD_ERROR;
  108. // assumption: if either access masks are given
  109. // then the owner access mask must be given
  111. if (dwAccessMaskLoggedOnUser && !dwAccessMaskOwner)
  112. goto GSSD_ERROR;
  114. // Figure the size of an access-allowed ACL (if an
  115. // access mask is supplied there will be one ACE)
  117. cbAcl = 0;
  118. if (dwAccessMaskOwner)
  119. {
  120. cbAcl = sizeof(ACL)
  121. + sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)
  122. + GetLengthSid(obj->psidUser);
  123. }
  125. psidCurUser = 0;
  126. if (dwAccessMaskLoggedOnUser)
  127. {
  128. psidCurUser = InteractiveUserSid(TRUE);
  129. if (psidCurUser)
  130. {
  131. cbAcl += sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)
  132. + GetLengthSid(psidCurUser);
  133. }
  134. }
  136. // Allocate space for the SD and the ACL
  138. psd = malloc(SECURITY_DESCRIPTOR_MIN_LENGTH + cbAcl);
  140. if (!psd)
  141. goto GSSD_ERROR;
  143. // Add ACEs to the ACL if specified
  145. pAcl = NULL;
  146. if (dwAccessMaskOwner)
  147. {
  148. // Point to the ACL in the security descriptor
  150. pAcl = (ACL *)((BYTE *)psd + SECURITY_DESCRIPTOR_MIN_LENGTH);
  152. if (!InitializeAcl(pAcl, cbAcl, ACL_REVISION))
  153. goto GSSD_ERROR;
  155. // Set access allowed for creator
  157. if (!AddAccessAllowedAce(pAcl,
  158. ACL_REVISION,
  159. dwAccessMaskOwner,
  160. obj->psidUser))
  161. goto GSSD_ERROR;
  163. // Set access allowed for everyone else
  165. if (psidCurUser)
  166. {
  167. if (!AddAccessAllowedAce(pAcl,
  168. ACL_REVISION,
  169. dwAccessMaskLoggedOnUser,
  170. psidCurUser))
  171. goto GSSD_ERROR;
  172. }
  173. }
  175. // Initialize the security descriptor etc...
  177. if (!InitializeSecurityDescriptor(psd, SECURITY_DESCRIPTOR_REVISION))
  178. goto GSSD_ERROR;
  179. if (!SetSecurityDescriptorDacl(psd, TRUE, (dwAccessMaskOwner)?pAcl:NULL, FALSE))
  180. goto GSSD_ERROR;
  181. if (!SetSecurityDescriptorOwner(psd, obj->psidUser, FALSE))
  182. goto GSSD_ERROR;
  183. if (!GetGroupSidFromToken(hToken, &obj->psidGroup))
  184. goto GSSD_ERROR;
  185. if (!SetSecurityDescriptorGroup(psd, obj->psidGroup, FALSE))
  186. goto GSSD_ERROR;
  187. if (!AccessCheck(psd, hToken, dwDesired, &gm, &ps, &cbPriv,&dwGranted, &fAccess))
  188. goto GSSD_ERROR;
  190. RevertToSelf();
  192. return psd;
  194. GSSD_ERROR:
  196. if (psd)
  197. free(psd);
  198. if (obj->psidUser)
  199. free(obj->psidUser);
  200. if (obj->psidGroup)
  201. free(obj->psidGroup);
  203. RevertToSelf();
  204. return NULL;
  205. }
  207. // ----------------------------------------
  208. static BOOL GetGroupSidFromToken(HANDLE hToken, PSID *ppSid)
  209. {
  210. TOKEN_PRIMARY_GROUP *pGroup = NULL;
  211. PSID psidGroup = NULL;
  212. DWORD cbSid;
  213. DWORD cbRequired;
  215. if (GetTokenInformation(hToken, TokenPrimaryGroup, NULL, 0, &cbRequired))
  216. return FALSE;
  218. if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
  219. return FALSE;
  221. pGroup = malloc(cbRequired);
  223. if (!pGroup)
  224. return FALSE;
  226. if (!GetTokenInformation(hToken, TokenPrimaryGroup, pGroup,cbRequired, &cbRequired))
  227. goto GGSFT_ERROR;
  229. cbSid = GetLengthSid(pGroup->PrimaryGroup);
  230. psidGroup = malloc(cbSid);
  232. if (!psidGroup)
  233. goto GGSFT_ERROR;
  235. if (!CopySid(cbSid, psidGroup, pGroup->PrimaryGroup))
  236. goto GGSFT_ERROR;
  238. *ppSid = psidGroup;
  239. psidGroup = NULL;
  241. return TRUE;
  243. GGSFT_ERROR:
  245. if (psidGroup)
  246. free(psidGroup);
  248. free(pGroup);
  250. return FALSE;
  251. }
  253. // ----------------------------------------
  254. static BOOL GetUserSidFromToken(HANDLE hToken, PSID *ppSid)
  255. {
  256. TOKEN_USER *pUser = NULL;
  257. PSID psidUser = NULL;
  258. DWORD cbSid;
  259. DWORD cbRequired;
  261. if (GetTokenInformation(hToken, TokenUser, NULL, 0, &cbRequired))
  262. return FALSE;
  264. if (GetLastError() != ERROR_INSUFFICIENT_BUFFER )
  265. return FALSE;
  267. pUser = malloc(cbRequired);
  269. if (!pUser)
  270. return FALSE;
  272. if (!GetTokenInformation(hToken, TokenUser, pUser, cbRequired,&cbRequired))
  273. goto GUSFT_ERROR;
  275. cbSid = GetLengthSid(pUser->User.Sid);
  276. psidUser = malloc(cbSid);
  278. if (!psidUser)
  279. goto GUSFT_ERROR;
  280. if (!CopySid(cbSid, psidUser, pUser->User.Sid))
  281. goto GUSFT_ERROR;
  283. *ppSid = psidUser;
  284. psidUser = NULL;
  285. return TRUE;
  287. GUSFT_ERROR:
  288. if (psidUser)
  289. free(psidUser);
  291. free(pUser);
  292. return FALSE;
  293. }
  295. PSID EveryoneSid(BOOL fFetch)
  296. {
  297. static PSID psidEverybody = 0;
  298. SID_IDENTIFIER_AUTHORITY siaEverybody = SECURITY_WORLD_SID_AUTHORITY;
  299. BOOL fRv = FALSE;
  301. if (!fFetch)
  302. {
  303. if (psidEverybody)
  304. {
  305. FreeSid(psidEverybody);
  306. psidEverybody = 0;
  307. }
  308. return 0;
  309. }
  311. if (!psidEverybody)
  312. {
  313. if (!AllocateAndInitializeSid(
  314. &siaEverybody,
  315. 1,
  316. SECURITY_WORLD_RID,
  317. 0, 0, 0, 0, 0, 0, 0,
  318. &psidEverybody
  319. ))
  320. {
  321. psidEverybody = 0;
  322. }
  323. }
  325. return psidEverybody;
  326. }
  328. PSID AdminSid(BOOL fFetch)
  329. {
  330. static PSID psidAdmin = 0;
  331. SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY;
  332. BOOL fRv = FALSE;
  334. if (!fFetch)
  335. {
  336. if (psidAdmin)
  337. {
  338. FreeSid(psidAdmin);
  339. psidAdmin = 0;
  340. }
  341. return 0;
  342. }
  344. if (!psidAdmin)
  345. {
  346. if (!AllocateAndInitializeSid(&siaNtAuthority,
  347. 2,
  348. SECURITY_BUILTIN_DOMAIN_RID,
  349. DOMAIN_ALIAS_RID_ADMINS,
  350. 0, 0, 0, 0, 0, 0,
  351. &psidAdmin))
  352. {
  353. psidAdmin = 0;
  354. }
  355. }
  357. return psidAdmin;
  358. }
  360. PSID InteractiveUserSid(BOOL fFetch)
  361. {
  362. static PSID psidInteractiveUser = 0;
  363. SID_IDENTIFIER_AUTHORITY siaLocalSystem = SECURITY_NT_AUTHORITY;
  364. BOOL fRv = FALSE;
  366. if (!fFetch)
  367. {
  368. if (psidInteractiveUser)
  369. {
  370. FreeSid(psidInteractiveUser);
  371. psidInteractiveUser = 0;
  372. }
  373. return 0;
  374. }
  376. if (!psidInteractiveUser)
  377. {
  378. if (!AllocateAndInitializeSid(&siaLocalSystem,
  379. 1,
  380. SECURITY_INTERACTIVE_RID,
  381. 0, 0, 0, 0, 0, 0, 0,
  382. &psidInteractiveUser))
  383. {
  384. psidInteractiveUser = 0;
  385. }
  386. }
  388. return psidInteractiveUser;
  389. }
  391. PSID SystemSid(BOOL fFetch)
  392. {
  393. static PSID psidSystem = 0;
  394. SID_IDENTIFIER_AUTHORITY siaLocalSystem = SECURITY_NT_AUTHORITY;
  395. BOOL fRv = FALSE;
  397. if (!fFetch)
  398. {
  399. if (psidSystem)
  400. {
  401. FreeSid(psidSystem);
  402. psidSystem = 0;
  403. }
  404. return 0;
  405. }
  407. if (!psidSystem)
  408. {
  409. if (!AllocateAndInitializeSid(&siaLocalSystem,
  410. 1,
  411. SECURITY_LOCAL_SYSTEM_RID,
  412. 0, 0, 0, 0, 0, 0, 0,
  413. &psidSystem))
  414. {
  415. psidSystem = 0;
  416. }
  417. }
  419. return psidSystem;
  420. }
  422. void InitWellknownSids()
  423. {
  424. EveryoneSid(TRUE);
  425. AdminSid(TRUE);
  426. InteractiveUserSid(TRUE);
  427. SystemSid(TRUE);
  428. }
  430. void UninitWellknownSids()
  431. {
  432. EveryoneSid(FALSE);
  433. AdminSid(FALSE);
  434. InteractiveUserSid(FALSE);
  435. SystemSid(FALSE);
  436. }