/*++
Copyright (c) 2001 Microsoft Corporation
Module Name:
secutils.cpp
Abstract:
The utility functions for the shims.
History:
02/09/2001 maonis Created
08/14/2001 robkenny Moved code inside the ShimLib namespace.
--*/
#include "secutils.h"
namespace ShimLib
{
/*++
Function Description:
Determine if the log on user is a member of the group.
Arguments:
IN dwGroup - specify the alias of the group.
OUT pfIsMember - TRUE if it's a member, FALSE if not.
Return Value:
TRUE - we successfully determined if it's a member.
FALSE otherwise.
DevNote:
We are assuming the calling thread is not impersonating.
History:
02/12/2001 maonis Created
--*/
BOOL
SearchGroupForSID(
DWORD dwGroup,
BOOL* pfIsMember
)
{
PSID pSID = NULL;
SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
BOOL fRes = TRUE;
if (!AllocateAndInitializeSid(
&SIDAuth,
2,
SECURITY_BUILTIN_DOMAIN_RID,
dwGroup,
0,
0,
0,
0,
0,
0,
&pSID))
{
DPF("SecurityUtils", eDbgLevelError, "[SearchGroupForSID] AllocateAndInitializeSid failed %d", GetLastError());
return FALSE;
}
if (!CheckTokenMembership(NULL, pSID, pfIsMember))
{
DPF("SecurityUtils", eDbgLevelError, "[SearchGroupForSID] CheckTokenMembership failed: %d", GetLastError());
fRes = FALSE;
}
FreeSid(pSID);
return fRes;
}
/*++
Function Description:
Determine if we should shim this app or not.
If the user is
1) a member of the Users and
2) not a member of the Administrators group and
3) not a member of the Power Users group and
3) not a member of the Guest group
we'll apply the shim.
Arguments:
None.
Return Value:
TRUE - we should apply the shim.
FALSE otherwise.
History:
02/12/2001 maonis Created
--*/
BOOL
ShouldApplyShim()
{
BOOL fIsUser, fIsAdmin, fIsPowerUser, fIsGuest;
if (!SearchGroupForSID(DOMAIN_ALIAS_RID_USERS, &fIsUser) ||
!SearchGroupForSID(DOMAIN_ALIAS_RID_ADMINS, &fIsAdmin) ||
!SearchGroupForSID(DOMAIN_ALIAS_RID_POWER_USERS, &fIsPowerUser) ||
!SearchGroupForSID(DOMAIN_ALIAS_RID_GUESTS, &fIsGuest))
{
//
// Don't do anything if we are not sure.
//
return FALSE;
}
return (fIsUser && !fIsPowerUser && !fIsAdmin && !fIsGuest);
}
/*++
Function Description:
Get the current thread on user's SID. If the thread is not
impersonating we get the current process SID instead.
Arguments:
OUT ppThreadSid - points to the current thread's SID.
Return Value:
TRUE - successfully got the SID, the caller is responsible for
freeing it with free().
FALSE otherwise.
History:
02/12/2001 maonis Created
--*/
BOOL
GetCurrentThreadSid(
OUT PSID* ppThreadSid
)
{
HANDLE hToken;
DWORD dwLastErr;
DWORD cbBuffer, cbRequired;
PTOKEN_USER pUserInfo;
BOOL fRes = FALSE;
// Get the thread token.
if (!OpenThreadToken(
GetCurrentThread(),
TOKEN_QUERY,
FALSE,
&hToken))
{
if ((dwLastErr = GetLastError()) == ERROR_NO_TOKEN)
{
// The thread isn't impersonating so we get the process token instead.
if (!OpenProcessToken(
GetCurrentProcess(),
TOKEN_QUERY,
&hToken))
{
DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] OpenProcessToken failed: %d", GetLastError());
return FALSE;
}
}
else
{
DPF("SecurityUtils", eDbgLevelError,
"[GetThreadSid] OpenThreadToken failed (and not with no token): %d",
dwLastErr);
return FALSE;
}
}
// Call GetTokenInformation with 0 buffer length to get the
// required buffer size for the token info.
cbBuffer = 0;
if (!GetTokenInformation(
hToken,
TokenUser,
NULL,
cbBuffer,
&cbRequired) &&
(dwLastErr = GetLastError()) != ERROR_INSUFFICIENT_BUFFER)
{
DPF("SecurityUtils", eDbgLevelError,
"[GetThreadSid] 1st time calling GetTokenInformation "
"didn't failed with ERROR_INSUFFICIENT_BUFFER: %d",
dwLastErr);
return FALSE;
}
cbBuffer = cbRequired;
pUserInfo = (PTOKEN_USER)malloc(cbBuffer);
if (!pUserInfo)
{
DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] HeapAlloc for user data failed");
return FALSE;
}
// Make the "real" call.
if (!GetTokenInformation(
hToken,
TokenUser,
pUserInfo,
cbBuffer,
&cbRequired))
{
DPF("SecurityUtils", eDbgLevelError,
"[GetThreadSid] 2nd time calling GetTokenInformation failed: %d",
GetLastError());
goto EXIT;
}
cbBuffer = GetLengthSid(pUserInfo->User.Sid);
*ppThreadSid = (PSID)malloc(cbBuffer);
if (!(*ppThreadSid))
{
DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] HeapAlloc for SID failed");
goto EXIT;
}
if (!CopySid(cbBuffer, *ppThreadSid, pUserInfo->User.Sid))
{
DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] CopySid failed: %d", GetLastError());
goto EXIT;
}
fRes = TRUE;
EXIT:
free(pUserInfo);
return fRes;
}
// The GENERIC_MAPPING from generic file access rights to specific and standard
// access types.
static GENERIC_MAPPING s_gmFile =
{
FILE_GENERIC_READ,
FILE_GENERIC_WRITE,
FILE_GENERIC_EXECUTE,
FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE
};
/*++
Function Description:
Given the creation dispositon and the desired access when calling
CreateFile, we determine if the caller is requesting write access.
This is specific for files.
Arguments:
IN pszObject - name of the file or directory.
OUT pam - points to the access mask of the user to this object.
Return Value:
TRUE - successfully got the access mask.
FALSE otherwise.
DevNote:
UNDONE - This might not be a complete list...can add as we debug more apps.
History:
02/12/2001 maonis Created
--*/
BOOL
RequestWriteAccess(
IN DWORD dwCreationDisposition,
IN DWORD dwDesiredAccess
)
{
MapGenericMask(&dwDesiredAccess, &s_gmFile);
if ((dwCreationDisposition != OPEN_EXISTING) ||
(dwDesiredAccess & DELETE) ||
// Generally, app would not specify FILE_WRITE_DATA directly, and if
// it specifies GENERIC_WRITE, it will get mapped to FILE_WRITE_DATA
// OR other things so checking FILE_WRITE_DATA is sufficient.
(dwDesiredAccess & FILE_WRITE_DATA))
{
return TRUE;
}
return FALSE;
}
/*++
Function Description:
Given the name of a directory, determine if the user can create
new files in this directory.
Arguments:
IN pszDir - name of the directory.
IN pUserSid - the user that's requesting to create files.
OUT pfCanCreate.
Return Value:
TRUE - successfully enabled or disabled the privilege.
FALSE - otherwise.
History:
04/03/2001 maonis Created
--*/
BOOL
AdjustPrivilege(
LPCWSTR pwszPrivilege,
BOOL fEnable
)
{
HANDLE hToken;
TOKEN_PRIVILEGES tp;
BOOL fRes = FALSE;
// Obtain the process token.
if (OpenProcessToken(
GetCurrentProcess(),
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&hToken))
{
// Get the LUID.
if (LookupPrivilegeValueW(NULL, pwszPrivilege, &tp.Privileges[0].Luid))
{
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = (fEnable ? SE_PRIVILEGE_ENABLED : 0);
// Enable or disable the privilege.
if (AdjustTokenPrivileges(
hToken,
FALSE,
&tp,
0,
(PTOKEN_PRIVILEGES)NULL,
0))
{
fRes = TRUE;
}
}
CloseHandle(hToken);
}
return fRes;
}
}; // end of namespace ShimLib