mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
389 lines
8.1 KiB
389 lines
8.1 KiB
/*++
|
|
|
|
Copyright (c) 2001 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
secutils.cpp
|
|
|
|
Abstract:
|
|
The utility functions for the shims.
|
|
|
|
History:
|
|
|
|
02/09/2001 maonis Created
|
|
08/14/2001 robkenny Moved code inside the ShimLib namespace.
|
|
|
|
--*/
|
|
|
|
#include "secutils.h"
|
|
|
|
|
|
namespace ShimLib
|
|
{
|
|
/*++
|
|
|
|
Function Description:
|
|
|
|
Determine if the log on user is a member of the group.
|
|
|
|
Arguments:
|
|
|
|
IN dwGroup - specify the alias of the group.
|
|
OUT pfIsMember - TRUE if it's a member, FALSE if not.
|
|
|
|
Return Value:
|
|
|
|
TRUE - we successfully determined if it's a member.
|
|
FALSE otherwise.
|
|
|
|
DevNote:
|
|
|
|
We are assuming the calling thread is not impersonating.
|
|
|
|
History:
|
|
|
|
02/12/2001 maonis Created
|
|
|
|
--*/
|
|
|
|
BOOL
|
|
SearchGroupForSID(
|
|
DWORD dwGroup,
|
|
BOOL* pfIsMember
|
|
)
|
|
{
|
|
PSID pSID = NULL;
|
|
SID_IDENTIFIER_AUTHORITY SIDAuth = SECURITY_NT_AUTHORITY;
|
|
BOOL fRes = TRUE;
|
|
|
|
if (!AllocateAndInitializeSid(
|
|
&SIDAuth,
|
|
2,
|
|
SECURITY_BUILTIN_DOMAIN_RID,
|
|
dwGroup,
|
|
0,
|
|
0,
|
|
0,
|
|
0,
|
|
0,
|
|
0,
|
|
&pSID))
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError, "[SearchGroupForSID] AllocateAndInitializeSid failed %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
|
|
if (!CheckTokenMembership(NULL, pSID, pfIsMember))
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError, "[SearchGroupForSID] CheckTokenMembership failed: %d", GetLastError());
|
|
fRes = FALSE;
|
|
}
|
|
|
|
FreeSid(pSID);
|
|
|
|
return fRes;
|
|
}
|
|
|
|
/*++
|
|
|
|
Function Description:
|
|
|
|
Determine if we should shim this app or not.
|
|
|
|
If the user is
|
|
1) a member of the Users and
|
|
2) not a member of the Administrators group and
|
|
3) not a member of the Power Users group and
|
|
3) not a member of the Guest group
|
|
|
|
we'll apply the shim.
|
|
|
|
Arguments:
|
|
|
|
None.
|
|
|
|
Return Value:
|
|
|
|
TRUE - we should apply the shim.
|
|
FALSE otherwise.
|
|
|
|
History:
|
|
|
|
02/12/2001 maonis Created
|
|
|
|
--*/
|
|
|
|
BOOL
|
|
ShouldApplyShim()
|
|
{
|
|
BOOL fIsUser, fIsAdmin, fIsPowerUser, fIsGuest;
|
|
|
|
if (!SearchGroupForSID(DOMAIN_ALIAS_RID_USERS, &fIsUser) ||
|
|
!SearchGroupForSID(DOMAIN_ALIAS_RID_ADMINS, &fIsAdmin) ||
|
|
!SearchGroupForSID(DOMAIN_ALIAS_RID_POWER_USERS, &fIsPowerUser) ||
|
|
!SearchGroupForSID(DOMAIN_ALIAS_RID_GUESTS, &fIsGuest))
|
|
{
|
|
//
|
|
// Don't do anything if we are not sure.
|
|
//
|
|
return FALSE;
|
|
}
|
|
|
|
return (fIsUser && !fIsPowerUser && !fIsAdmin && !fIsGuest);
|
|
}
|
|
|
|
/*++
|
|
|
|
Function Description:
|
|
|
|
Get the current thread on user's SID. If the thread is not
|
|
impersonating we get the current process SID instead.
|
|
|
|
Arguments:
|
|
|
|
OUT ppThreadSid - points to the current thread's SID.
|
|
|
|
Return Value:
|
|
|
|
TRUE - successfully got the SID, the caller is responsible for
|
|
freeing it with free().
|
|
FALSE otherwise.
|
|
|
|
History:
|
|
|
|
02/12/2001 maonis Created
|
|
|
|
--*/
|
|
|
|
BOOL
|
|
GetCurrentThreadSid(
|
|
OUT PSID* ppThreadSid
|
|
)
|
|
{
|
|
HANDLE hToken;
|
|
DWORD dwLastErr;
|
|
DWORD cbBuffer, cbRequired;
|
|
PTOKEN_USER pUserInfo;
|
|
BOOL fRes = FALSE;
|
|
|
|
// Get the thread token.
|
|
if (!OpenThreadToken(
|
|
GetCurrentThread(),
|
|
TOKEN_QUERY,
|
|
FALSE,
|
|
&hToken))
|
|
{
|
|
if ((dwLastErr = GetLastError()) == ERROR_NO_TOKEN)
|
|
{
|
|
// The thread isn't impersonating so we get the process token instead.
|
|
if (!OpenProcessToken(
|
|
GetCurrentProcess(),
|
|
TOKEN_QUERY,
|
|
&hToken))
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] OpenProcessToken failed: %d", GetLastError());
|
|
return FALSE;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError,
|
|
"[GetThreadSid] OpenThreadToken failed (and not with no token): %d",
|
|
dwLastErr);
|
|
return FALSE;
|
|
}
|
|
}
|
|
|
|
// Call GetTokenInformation with 0 buffer length to get the
|
|
// required buffer size for the token info.
|
|
cbBuffer = 0;
|
|
if (!GetTokenInformation(
|
|
hToken,
|
|
TokenUser,
|
|
NULL,
|
|
cbBuffer,
|
|
&cbRequired) &&
|
|
(dwLastErr = GetLastError()) != ERROR_INSUFFICIENT_BUFFER)
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError,
|
|
"[GetThreadSid] 1st time calling GetTokenInformation "
|
|
"didn't failed with ERROR_INSUFFICIENT_BUFFER: %d",
|
|
dwLastErr);
|
|
return FALSE;
|
|
}
|
|
|
|
cbBuffer = cbRequired;
|
|
pUserInfo = (PTOKEN_USER)malloc(cbBuffer);
|
|
if (!pUserInfo)
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] HeapAlloc for user data failed");
|
|
return FALSE;
|
|
}
|
|
|
|
// Make the "real" call.
|
|
if (!GetTokenInformation(
|
|
hToken,
|
|
TokenUser,
|
|
pUserInfo,
|
|
cbBuffer,
|
|
&cbRequired))
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError,
|
|
"[GetThreadSid] 2nd time calling GetTokenInformation failed: %d",
|
|
GetLastError());
|
|
goto EXIT;
|
|
}
|
|
|
|
cbBuffer = GetLengthSid(pUserInfo->User.Sid);
|
|
*ppThreadSid = (PSID)malloc(cbBuffer);
|
|
if (!(*ppThreadSid))
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] HeapAlloc for SID failed");
|
|
goto EXIT;
|
|
}
|
|
|
|
if (!CopySid(cbBuffer, *ppThreadSid, pUserInfo->User.Sid))
|
|
{
|
|
DPF("SecurityUtils", eDbgLevelError, "[GetThreadSid] CopySid failed: %d", GetLastError());
|
|
goto EXIT;
|
|
}
|
|
|
|
fRes = TRUE;
|
|
|
|
EXIT:
|
|
|
|
free(pUserInfo);
|
|
return fRes;
|
|
}
|
|
|
|
|
|
// The GENERIC_MAPPING from generic file access rights to specific and standard
|
|
// access types.
|
|
static GENERIC_MAPPING s_gmFile =
|
|
{
|
|
FILE_GENERIC_READ,
|
|
FILE_GENERIC_WRITE,
|
|
FILE_GENERIC_EXECUTE,
|
|
FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE
|
|
};
|
|
|
|
/*++
|
|
|
|
Function Description:
|
|
|
|
Given the creation dispositon and the desired access when calling
|
|
CreateFile, we determine if the caller is requesting write access.
|
|
|
|
This is specific for files.
|
|
|
|
Arguments:
|
|
|
|
IN pszObject - name of the file or directory.
|
|
OUT pam - points to the access mask of the user to this object.
|
|
|
|
Return Value:
|
|
|
|
TRUE - successfully got the access mask.
|
|
FALSE otherwise.
|
|
|
|
DevNote:
|
|
|
|
UNDONE - This might not be a complete list...can add as we debug more apps.
|
|
|
|
History:
|
|
|
|
02/12/2001 maonis Created
|
|
|
|
--*/
|
|
|
|
BOOL
|
|
RequestWriteAccess(
|
|
IN DWORD dwCreationDisposition,
|
|
IN DWORD dwDesiredAccess
|
|
)
|
|
{
|
|
MapGenericMask(&dwDesiredAccess, &s_gmFile);
|
|
|
|
if ((dwCreationDisposition != OPEN_EXISTING) ||
|
|
(dwDesiredAccess & DELETE) ||
|
|
// Generally, app would not specify FILE_WRITE_DATA directly, and if
|
|
// it specifies GENERIC_WRITE, it will get mapped to FILE_WRITE_DATA
|
|
// OR other things so checking FILE_WRITE_DATA is sufficient.
|
|
(dwDesiredAccess & FILE_WRITE_DATA))
|
|
{
|
|
return TRUE;
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
/*++
|
|
|
|
Function Description:
|
|
|
|
Given the name of a directory, determine if the user can create
|
|
new files in this directory.
|
|
|
|
Arguments:
|
|
|
|
IN pszDir - name of the directory.
|
|
IN pUserSid - the user that's requesting to create files.
|
|
OUT pfCanCreate.
|
|
|
|
Return Value:
|
|
|
|
TRUE - successfully enabled or disabled the privilege.
|
|
FALSE - otherwise.
|
|
|
|
History:
|
|
|
|
04/03/2001 maonis Created
|
|
|
|
--*/
|
|
|
|
BOOL
|
|
AdjustPrivilege(
|
|
LPCWSTR pwszPrivilege,
|
|
BOOL fEnable
|
|
)
|
|
{
|
|
HANDLE hToken;
|
|
TOKEN_PRIVILEGES tp;
|
|
BOOL fRes = FALSE;
|
|
|
|
// Obtain the process token.
|
|
if (OpenProcessToken(
|
|
GetCurrentProcess(),
|
|
TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
|
|
&hToken))
|
|
{
|
|
// Get the LUID.
|
|
if (LookupPrivilegeValueW(NULL, pwszPrivilege, &tp.Privileges[0].Luid))
|
|
{
|
|
tp.PrivilegeCount = 1;
|
|
|
|
tp.Privileges[0].Attributes = (fEnable ? SE_PRIVILEGE_ENABLED : 0);
|
|
|
|
// Enable or disable the privilege.
|
|
if (AdjustTokenPrivileges(
|
|
hToken,
|
|
FALSE,
|
|
&tp,
|
|
0,
|
|
(PTOKEN_PRIVILEGES)NULL,
|
|
0))
|
|
{
|
|
fRes = TRUE;
|
|
}
|
|
}
|
|
|
|
CloseHandle(hToken);
|
|
}
|
|
|
|
return fRes;
|
|
}
|
|
|
|
|
|
|
|
}; // end of namespace ShimLib
|