mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2132 lines
57 KiB
2132 lines
57 KiB
/*++
|
|
|
|
Copyright (c) 1989 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
seurtl.c
|
|
|
|
Abstract:
|
|
|
|
This Module implements many security rtl routines defined in nturtl.h
|
|
|
|
Author:
|
|
|
|
Robert Reichel (RobertRe) 1-Mar-1991
|
|
|
|
Environment:
|
|
|
|
Pure Runtime Library Routine
|
|
User mode callable only
|
|
|
|
Revision History:
|
|
|
|
--*/
|
|
|
|
|
|
#include <ntos.h>
|
|
#include <nturtl.h>
|
|
#include <ntlsa.h> // needed for RtlGetPrimaryDomain
|
|
#include "seopaque.h"
|
|
#include "sertlp.h"
|
|
#include "ldrp.h"
|
|
|
|
|
|
|
|
|
|
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
// //
|
|
// Exported Procedures //
|
|
// //
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
|
|
#if WHEN_LSAUDLL_MOVED_TO_NTDLL
|
|
NTSTATUS
|
|
RtlGetPrimaryDomain(
|
|
IN ULONG SidLength,
|
|
OUT PBOOLEAN PrimaryDomainPresent,
|
|
OUT PUNICODE_STRING PrimaryDomainName,
|
|
OUT PUSHORT RequiredNameLength,
|
|
OUT PSID PrimaryDomainSid OPTIONAL,
|
|
OUT PULONG RequiredSidLength
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This procedure opens the LSA policy object and retrieves
|
|
the primary domain information for this machine.
|
|
|
|
Arguments:
|
|
|
|
SidLength - Specifies the length of the PrimaryDomainSid
|
|
parameter.
|
|
|
|
PrimaryDomainPresent - Receives a boolean value indicating
|
|
whether this machine has a primary domain or not. TRUE
|
|
indicates the machine does have a primary domain. FALSE
|
|
indicates the machine does not.
|
|
|
|
PrimaryDomainName - Points to the unicode string to receive
|
|
the primary domain name. This parameter will only be
|
|
used if there is a primary domain.
|
|
|
|
RequiredNameLength - Recevies the length of the primary
|
|
domain name (in bytes). This parameter will only be
|
|
used if there is a primary domain.
|
|
|
|
PrimaryDomainSid - This optional parameter, if present,
|
|
points to a buffer to receive the primary domain's
|
|
SID. This parameter will only be used if there is a
|
|
primary domain.
|
|
|
|
RequiredSidLength - Recevies the length of the primary
|
|
domain SID (in bytes). This parameter will only be
|
|
used if there is a primary domain.
|
|
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - The requested information has been retrieved.
|
|
|
|
STATUS_BUFFER_TOO_SMALL - One of the return buffers was not
|
|
large enough to receive the corresponding information.
|
|
The RequiredNameLength and RequiredSidLength parameter
|
|
values have been set to indicate the needed length.
|
|
|
|
Other status values as may be returned by:
|
|
|
|
LsaOpenPolicy()
|
|
LsaQueryInformationPolicy()
|
|
RtlCopySid()
|
|
|
|
|
|
--*/
|
|
|
|
|
|
|
|
|
|
{
|
|
NTSTATUS Status, IgnoreStatus;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
LSA_HANDLE LsaHandle;
|
|
SECURITY_QUALITY_OF_SERVICE SecurityQualityOfService;
|
|
PPOLICY_PRIMARY_DOMAIN_INFO PrimaryDomainInfo;
|
|
|
|
|
|
//
|
|
// Set up the Security Quality Of Service
|
|
//
|
|
|
|
SecurityQualityOfService.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
|
|
SecurityQualityOfService.ImpersonationLevel = SecurityImpersonation;
|
|
SecurityQualityOfService.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
|
|
SecurityQualityOfService.EffectiveOnly = FALSE;
|
|
|
|
//
|
|
// Set up the object attributes to open the Lsa policy object
|
|
//
|
|
|
|
InitializeObjectAttributes(&ObjectAttributes,
|
|
NULL,
|
|
0L,
|
|
(HANDLE)NULL,
|
|
NULL);
|
|
ObjectAttributes.SecurityQualityOfService = &SecurityQualityOfService;
|
|
|
|
//
|
|
// Open the local LSA policy object
|
|
//
|
|
|
|
Status = LsaOpenPolicy( NULL,
|
|
&ObjectAttributes,
|
|
POLICY_VIEW_LOCAL_INFORMATION,
|
|
&LsaHandle
|
|
);
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
//
|
|
// Get the primary domain info
|
|
//
|
|
Status = LsaQueryInformationPolicy(LsaHandle,
|
|
PolicyPrimaryDomainInformation,
|
|
(PVOID *)&PrimaryDomainInfo);
|
|
IgnoreStatus = LsaClose(LsaHandle);
|
|
ASSERT(NT_SUCCESS(IgnoreStatus));
|
|
}
|
|
|
|
if (NT_SUCCESS(Status)) {
|
|
|
|
//
|
|
// Is there a primary domain?
|
|
//
|
|
|
|
if (PrimaryDomainInfo->Sid != NULL) {
|
|
|
|
//
|
|
// Yes
|
|
//
|
|
|
|
(*PrimaryDomainPresent) = TRUE;
|
|
(*RequiredNameLength) = PrimaryDomainInfo->Name.Length;
|
|
(*RequiredSidLength) = RtlLengthSid(PrimaryDomainInfo->Sid);
|
|
|
|
|
|
|
|
//
|
|
// Copy the name
|
|
//
|
|
|
|
if (PrimaryDomainName->MaximumLength >=
|
|
PrimaryDomainInfo->Name.Length) {
|
|
RtlCopyUnicodeString(
|
|
PrimaryDomainName,
|
|
&PrimaryDomainInfo->Name
|
|
);
|
|
} else {
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
}
|
|
|
|
|
|
//
|
|
// Copy the SID (if appropriate)
|
|
//
|
|
|
|
if (PrimaryDomainSid != NULL && NT_SUCCESS(Status)) {
|
|
|
|
Status = RtlCopySid(SidLength,
|
|
PrimaryDomainSid,
|
|
PrimaryDomainInfo->Sid
|
|
);
|
|
}
|
|
} else {
|
|
|
|
(*PrimaryDomainPresent) = FALSE;
|
|
}
|
|
|
|
//
|
|
// We're finished with the buffer returned by LSA
|
|
//
|
|
|
|
IgnoreStatus = LsaFreeMemory(PrimaryDomainInfo);
|
|
ASSERT(NT_SUCCESS(IgnoreStatus));
|
|
|
|
}
|
|
|
|
|
|
return(Status);
|
|
}
|
|
#endif //WHEN_LSAUDLL_MOVED_TO_NTDLL
|
|
|
|
|
|
NTSTATUS
|
|
RtlNewSecurityObjectWithMultipleInheritance (
|
|
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
|
|
IN PSECURITY_DESCRIPTOR CreatorDescriptor OPTIONAL,
|
|
OUT PSECURITY_DESCRIPTOR * NewDescriptor,
|
|
IN GUID **pObjectType OPTIONAL,
|
|
IN ULONG GuidCount,
|
|
IN BOOLEAN IsDirectoryObject,
|
|
IN ULONG AutoInheritFlags,
|
|
IN HANDLE Token OPTIONAL,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
- - WARNING - -
|
|
|
|
This service is for use by protected subsystems that project their own
|
|
type of object. This service is explicitly not for use by the
|
|
executive for executive objects and must not be called from kernel
|
|
mode.
|
|
|
|
Arguments:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
Return Value:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
--*/
|
|
{
|
|
|
|
//
|
|
// Simple call the newer RtlpNewSecurityObject
|
|
//
|
|
|
|
return RtlpNewSecurityObject (
|
|
ParentDescriptor,
|
|
CreatorDescriptor,
|
|
NewDescriptor,
|
|
pObjectType,
|
|
GuidCount,
|
|
IsDirectoryObject,
|
|
AutoInheritFlags,
|
|
Token,
|
|
GenericMapping );
|
|
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlNewSecurityObjectEx (
|
|
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
|
|
IN PSECURITY_DESCRIPTOR CreatorDescriptor OPTIONAL,
|
|
OUT PSECURITY_DESCRIPTOR * NewDescriptor,
|
|
IN GUID *ObjectType OPTIONAL,
|
|
IN BOOLEAN IsDirectoryObject,
|
|
IN ULONG AutoInheritFlags,
|
|
IN HANDLE Token OPTIONAL,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
- - WARNING - -
|
|
|
|
This service is for use by protected subsystems that project their own
|
|
type of object. This service is explicitly not for use by the
|
|
executive for executive objects and must not be called from kernel
|
|
mode.
|
|
|
|
Arguments:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
Return Value:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
--*/
|
|
{
|
|
|
|
//
|
|
// Simple call the newer RtlpNewSecurityObject
|
|
//
|
|
|
|
return RtlpNewSecurityObject (
|
|
ParentDescriptor,
|
|
CreatorDescriptor,
|
|
NewDescriptor,
|
|
ObjectType ? &ObjectType : NULL,
|
|
ObjectType ? 1 : 0,
|
|
IsDirectoryObject,
|
|
AutoInheritFlags,
|
|
Token,
|
|
GenericMapping );
|
|
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
RtlNewSecurityObject (
|
|
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
|
|
IN PSECURITY_DESCRIPTOR CreatorDescriptor OPTIONAL,
|
|
OUT PSECURITY_DESCRIPTOR * NewDescriptor,
|
|
IN BOOLEAN IsDirectoryObject,
|
|
IN HANDLE Token,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
- - WARNING - -
|
|
|
|
This service is for use by protected subsystems that project their own
|
|
type of object. This service is explicitly not for use by the
|
|
executive for executive objects and must not be called from kernel
|
|
mode.
|
|
|
|
Arguments:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
Return Value:
|
|
|
|
See RtlpNewSecurityObject.
|
|
|
|
--*/
|
|
{
|
|
|
|
//
|
|
// Simple call the newer RtlpNewSecurityObject
|
|
//
|
|
|
|
return RtlpNewSecurityObject (
|
|
ParentDescriptor,
|
|
CreatorDescriptor,
|
|
NewDescriptor,
|
|
NULL, // No ObjectType
|
|
0,
|
|
IsDirectoryObject,
|
|
0, // No Automatic inheritance
|
|
Token,
|
|
GenericMapping );
|
|
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlSetSecurityObject (
|
|
IN SECURITY_INFORMATION SecurityInformation,
|
|
IN PSECURITY_DESCRIPTOR ModificationDescriptor,
|
|
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
|
|
IN PGENERIC_MAPPING GenericMapping,
|
|
IN HANDLE Token OPTIONAL
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
See RtlpSetSecurityObject.
|
|
|
|
Arguments:
|
|
|
|
See RtlpSetSecurityObject.
|
|
|
|
Return Value:
|
|
|
|
See RtlpSetSecurityObject.
|
|
|
|
--*/
|
|
|
|
{
|
|
|
|
//
|
|
// Simply call RtlpSetSecurityObject specifying no auto inheritance.
|
|
//
|
|
|
|
return RtlpSetSecurityObject( NULL,
|
|
SecurityInformation,
|
|
ModificationDescriptor,
|
|
ObjectsSecurityDescriptor,
|
|
0, // No AutoInheritance
|
|
PagedPool,
|
|
GenericMapping,
|
|
Token );
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlSetSecurityObjectEx (
|
|
IN SECURITY_INFORMATION SecurityInformation,
|
|
IN PSECURITY_DESCRIPTOR ModificationDescriptor,
|
|
IN OUT PSECURITY_DESCRIPTOR *ObjectsSecurityDescriptor,
|
|
IN ULONG AutoInheritFlags,
|
|
IN PGENERIC_MAPPING GenericMapping,
|
|
IN HANDLE Token OPTIONAL
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
See RtlpSetSecurityObject.
|
|
|
|
Arguments:
|
|
|
|
See RtlpSetSecurityObject.
|
|
|
|
Return Value:
|
|
|
|
See RtlpSetSecurityObject.
|
|
|
|
--*/
|
|
|
|
{
|
|
|
|
//
|
|
// Simply call RtlpSetSecurityObject specifying no auto inheritance.
|
|
//
|
|
|
|
return RtlpSetSecurityObject( NULL,
|
|
SecurityInformation,
|
|
ModificationDescriptor,
|
|
ObjectsSecurityDescriptor,
|
|
AutoInheritFlags,
|
|
PagedPool,
|
|
GenericMapping,
|
|
Token );
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlQuerySecurityObject (
|
|
IN PSECURITY_DESCRIPTOR ObjectDescriptor,
|
|
IN SECURITY_INFORMATION SecurityInformation,
|
|
OUT PSECURITY_DESCRIPTOR ResultantDescriptor,
|
|
IN ULONG DescriptorLength,
|
|
OUT PULONG ReturnLength
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Query information from a protected server object's existing security
|
|
descriptor.
|
|
|
|
This procedure, called only from user mode, is used to retrieve
|
|
information from a security descriptor on an existing protected
|
|
server's object. All access checking is expected to be done before
|
|
calling this routine. This includes checking for READ_CONTROL, and
|
|
privilege to read a system ACL as appropriate.
|
|
|
|
- - WARNING - -
|
|
|
|
This service is for use by protected subsystems that project their own
|
|
type of object. This service is explicitly not for use by the
|
|
executive for executive objects and must not be called from kernel
|
|
mode.
|
|
|
|
|
|
Arguments:
|
|
|
|
ObjectDescriptor - Points to a pointer to a security descriptor to be
|
|
queried.
|
|
|
|
SecurityInformation - Identifies the security information being
|
|
requested.
|
|
|
|
ResultantDescriptor - Points to buffer to receive the resultant
|
|
security descriptor. The resultant security descriptor will
|
|
contain all information requested by the SecurityInformation
|
|
parameter.
|
|
|
|
DescriptorLength - Is an unsigned integer which indicates the length,
|
|
in bytes, of the buffer provided to receive the resultant
|
|
descriptor.
|
|
|
|
ReturnLength - Receives an unsigned integer indicating the actual
|
|
number of bytes needed in the ResultantDescriptor to store the
|
|
requested information. If the value returned is greater than the
|
|
value passed via the DescriptorLength parameter, then
|
|
STATUS_BUFFER_TOO_SMALL is returned and no information is returned.
|
|
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - The operation was successful.
|
|
|
|
STATUS_BUFFER_TOO_SMALL - The buffer provided to receive the requested
|
|
information was not large enough to hold the information. No
|
|
information has been returned.
|
|
|
|
STATUS_BAD_DESCRIPTOR_FORMAT - Indicates the provided object's security
|
|
descriptor was not in self-relative format.
|
|
|
|
--*/
|
|
|
|
{
|
|
|
|
PSID Group;
|
|
PSID Owner;
|
|
PACL Dacl;
|
|
PACL Sacl;
|
|
|
|
ULONG GroupSize = 0;
|
|
ULONG DaclSize = 0;
|
|
ULONG SaclSize = 0;
|
|
ULONG OwnerSize = 0;
|
|
|
|
PCHAR Field;
|
|
PCHAR Base;
|
|
|
|
|
|
PISECURITY_DESCRIPTOR IObjectDescriptor;
|
|
PISECURITY_DESCRIPTOR_RELATIVE IResultantDescriptor;
|
|
|
|
|
|
IResultantDescriptor = (PISECURITY_DESCRIPTOR_RELATIVE)ResultantDescriptor;
|
|
IObjectDescriptor = (PISECURITY_DESCRIPTOR)ObjectDescriptor;
|
|
|
|
//
|
|
// For each item specified in the SecurityInformation, extract it
|
|
// and get it to the point where it can be copied into a new
|
|
// descriptor.
|
|
//
|
|
|
|
if (SecurityInformation & GROUP_SECURITY_INFORMATION) {
|
|
|
|
Group = RtlpGroupAddrSecurityDescriptor(IObjectDescriptor);
|
|
|
|
if (Group != NULL) {
|
|
GroupSize = LongAlignSize(SeLengthSid(Group));
|
|
}
|
|
}
|
|
|
|
if (SecurityInformation & DACL_SECURITY_INFORMATION) {
|
|
|
|
Dacl = RtlpDaclAddrSecurityDescriptor( IObjectDescriptor );
|
|
|
|
if (Dacl != NULL) {
|
|
DaclSize = LongAlignSize(Dacl->AclSize);
|
|
}
|
|
}
|
|
|
|
if (SecurityInformation & SACL_SECURITY_INFORMATION) {
|
|
|
|
Sacl = RtlpSaclAddrSecurityDescriptor( IObjectDescriptor );
|
|
|
|
if (Sacl != NULL) {
|
|
SaclSize = LongAlignSize(Sacl->AclSize);
|
|
}
|
|
|
|
}
|
|
|
|
if (SecurityInformation & OWNER_SECURITY_INFORMATION) {
|
|
|
|
Owner = RtlpOwnerAddrSecurityDescriptor ( IObjectDescriptor );
|
|
|
|
if (Owner != NULL) {
|
|
OwnerSize = LongAlignSize(SeLengthSid(Owner));
|
|
}
|
|
}
|
|
|
|
*ReturnLength = sizeof( SECURITY_DESCRIPTOR_RELATIVE ) +
|
|
GroupSize +
|
|
DaclSize +
|
|
SaclSize +
|
|
OwnerSize;
|
|
|
|
if (*ReturnLength > DescriptorLength) {
|
|
return( STATUS_BUFFER_TOO_SMALL );
|
|
}
|
|
|
|
RtlCreateSecurityDescriptorRelative(
|
|
IResultantDescriptor,
|
|
SECURITY_DESCRIPTOR_REVISION
|
|
);
|
|
|
|
RtlpSetControlBits( IResultantDescriptor, SE_SELF_RELATIVE );
|
|
|
|
Base = (PCHAR)(IResultantDescriptor);
|
|
Field = Base + (ULONG)sizeof(SECURITY_DESCRIPTOR_RELATIVE);
|
|
|
|
if (SecurityInformation & SACL_SECURITY_INFORMATION) {
|
|
|
|
if (SaclSize > 0) {
|
|
RtlMoveMemory( Field, Sacl, SaclSize );
|
|
IResultantDescriptor->Sacl = RtlPointerToOffset(Base,Field);
|
|
Field += SaclSize;
|
|
}
|
|
|
|
RtlpPropagateControlBits(
|
|
IResultantDescriptor,
|
|
IObjectDescriptor,
|
|
SE_SACL_PRESENT | SE_SACL_DEFAULTED
|
|
);
|
|
}
|
|
|
|
if (SecurityInformation & DACL_SECURITY_INFORMATION) {
|
|
|
|
if (DaclSize > 0) {
|
|
RtlMoveMemory( Field, Dacl, DaclSize );
|
|
IResultantDescriptor->Dacl = RtlPointerToOffset(Base,Field);
|
|
Field += DaclSize;
|
|
}
|
|
|
|
RtlpPropagateControlBits(
|
|
IResultantDescriptor,
|
|
IObjectDescriptor,
|
|
SE_DACL_PRESENT | SE_DACL_DEFAULTED
|
|
);
|
|
}
|
|
|
|
if (SecurityInformation & OWNER_SECURITY_INFORMATION) {
|
|
|
|
if (OwnerSize > 0) {
|
|
RtlMoveMemory( Field, Owner, OwnerSize );
|
|
IResultantDescriptor->Owner = RtlPointerToOffset(Base,Field);
|
|
Field += OwnerSize;
|
|
}
|
|
|
|
RtlpPropagateControlBits(
|
|
IResultantDescriptor,
|
|
IObjectDescriptor,
|
|
SE_OWNER_DEFAULTED
|
|
);
|
|
|
|
}
|
|
|
|
if (SecurityInformation & GROUP_SECURITY_INFORMATION) {
|
|
|
|
if (GroupSize > 0) {
|
|
RtlMoveMemory( Field, Group, GroupSize );
|
|
IResultantDescriptor->Group = RtlPointerToOffset(Base,Field);
|
|
}
|
|
|
|
RtlpPropagateControlBits(
|
|
IResultantDescriptor,
|
|
IObjectDescriptor,
|
|
SE_GROUP_DEFAULTED
|
|
);
|
|
}
|
|
|
|
return( STATUS_SUCCESS );
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlDeleteSecurityObject (
|
|
IN OUT PSECURITY_DESCRIPTOR * ObjectDescriptor
|
|
)
|
|
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
Delete a protected server object's security descriptor.
|
|
|
|
This procedure, called only from user mode, is used to delete a
|
|
security descriptor associated with a protected server's object. This
|
|
routine will normally be called by a protected server during object
|
|
deletion.
|
|
|
|
- - WARNING - -
|
|
|
|
This service is for use by protected subsystems that project their own
|
|
type of object. This service is explicitly not for use by the
|
|
executive for executive objects and must not be called from kernel
|
|
mode.
|
|
|
|
|
|
Arguments:
|
|
|
|
ObjectDescriptor - Points to a pointer to a security descriptor to be
|
|
deleted.
|
|
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - The operation was successful.
|
|
|
|
--*/
|
|
|
|
{
|
|
RtlFreeHeap( RtlProcessHeap(), 0, (PVOID)*ObjectDescriptor );
|
|
|
|
return( STATUS_SUCCESS );
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlNewInstanceSecurityObject(
|
|
IN BOOLEAN ParentDescriptorChanged,
|
|
IN BOOLEAN CreatorDescriptorChanged,
|
|
IN PLUID OldClientTokenModifiedId,
|
|
OUT PLUID NewClientTokenModifiedId,
|
|
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
|
|
IN PSECURITY_DESCRIPTOR CreatorDescriptor OPTIONAL,
|
|
OUT PSECURITY_DESCRIPTOR * NewDescriptor,
|
|
IN BOOLEAN IsDirectoryObject,
|
|
IN HANDLE Token,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
If the return status is STATUS_SUCCESS and the NewSecurity return
|
|
value is NULL, then the security desscriptor of the original
|
|
instance of the object is valid for this instance as well.
|
|
|
|
Arguments:
|
|
|
|
ParentDescriptorChanged - Supplies a flag indicating whether the
|
|
parent security descriptor has changed since the last time
|
|
this set of parameters was used.
|
|
|
|
CreatorDescriptorChanged - Supplies a flag indicating whether the
|
|
creator security descriptor has changed since the last time
|
|
this set of parameters was used.
|
|
|
|
OldClientTokenModifiedId - Supplies the ModifiedId from the passed
|
|
token that was in effect when this call was last made with
|
|
these parameters. If the current ModifiedId is different from
|
|
the one passed in here, the security descriptor must be
|
|
rebuilt.
|
|
|
|
NewClientTokenModifiedId - Returns the current ModifiedId from the
|
|
passed token.
|
|
|
|
ParentDescriptor - Supplies the Security Descriptor for the parent
|
|
directory under which a new object is being created. If there is
|
|
no parent directory, then this argument is specified as NULL.
|
|
|
|
CreatorDescriptor - (Optionally) Points to a security descriptor
|
|
presented by the creator of the object. If the creator of the
|
|
object did not explicitly pass security information for the new
|
|
object, then a null pointer should be passed.
|
|
|
|
NewDescriptor - Points to a pointer that is to be made to point to the
|
|
newly allocated self-relative security descriptor.
|
|
|
|
IsDirectoryObject - Specifies if the new object is going to be a
|
|
directory object. A value of TRUE indicates the object is a
|
|
container of other objects.
|
|
|
|
Token - Supplies the token for the client on whose behalf the
|
|
object is being created. If it is an impersonation token,
|
|
then it must be at SecurityIdentification level or higher. If
|
|
it is not an impersonation token, the operation proceeds
|
|
normally.
|
|
|
|
A client token is used to retrieve default security
|
|
information for the new object, such as default owner, primary
|
|
group, and discretionary access control. The token must be
|
|
open for TOKEN_QUERY access.
|
|
|
|
GenericMapping - Supplies a pointer to a generic mapping array denoting
|
|
the mapping between each generic right to specific rights.
|
|
|
|
Return Value:
|
|
|
|
return-value - Description of conditions needed to return value. - or -
|
|
None.
|
|
|
|
--*/
|
|
|
|
{
|
|
|
|
TOKEN_STATISTICS ClientTokenStatistics;
|
|
ULONG ReturnLength;
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
//
|
|
// Get the current token modified LUID
|
|
//
|
|
|
|
|
|
Status = NtQueryInformationToken(
|
|
Token, // Handle
|
|
TokenStatistics, // TokenInformationClass
|
|
&ClientTokenStatistics, // TokenInformation
|
|
sizeof(TOKEN_STATISTICS), // TokenInformationLength
|
|
&ReturnLength // ReturnLength
|
|
);
|
|
|
|
if ( !NT_SUCCESS( Status )) {
|
|
return( Status );
|
|
}
|
|
|
|
*NewClientTokenModifiedId = ClientTokenStatistics.ModifiedId;
|
|
|
|
if ( RtlEqualLuid(NewClientTokenModifiedId, OldClientTokenModifiedId) ) {
|
|
|
|
if ( !(ParentDescriptorChanged || CreatorDescriptorChanged) ) {
|
|
|
|
//
|
|
// The old security descriptor is valid for this new instance
|
|
// of the object type as well. Pass back success and NULL for
|
|
// the NewDescriptor.
|
|
//
|
|
|
|
*NewDescriptor = NULL;
|
|
return( STATUS_SUCCESS );
|
|
|
|
}
|
|
}
|
|
|
|
//
|
|
// Something has changed, take the long route and build a new
|
|
// descriptor
|
|
//
|
|
|
|
return( RtlNewSecurityObject( ParentDescriptor,
|
|
CreatorDescriptor,
|
|
NewDescriptor,
|
|
IsDirectoryObject,
|
|
Token,
|
|
GenericMapping
|
|
));
|
|
}
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlNewSecurityGrantedAccess(
|
|
IN ACCESS_MASK DesiredAccess,
|
|
OUT PPRIVILEGE_SET Privileges,
|
|
IN OUT PULONG Length,
|
|
IN HANDLE Token OPTIONAL,
|
|
IN PGENERIC_MAPPING GenericMapping,
|
|
OUT PACCESS_MASK RemainingDesiredAccess
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine implements privilege policy by examining the bits in
|
|
a DesiredAccess mask and adjusting them based on privilege checks.
|
|
|
|
Currently, a request for ACCESS_SYSTEM_SECURITY may only be satisfied
|
|
by the caller having SeSecurityPrivilege.
|
|
|
|
Note that this routine is only to be called when an object is being
|
|
created. When an object is being opened, it is expected that
|
|
NtAccessCheck will be called, and that routine will implement
|
|
another policy for substituting privileges for DACL access.
|
|
|
|
Arguments:
|
|
|
|
DesiredAccess - Supplies the user's desired access mask
|
|
|
|
Privileges - Supplies a pointer to an empty buffer in which will
|
|
be returned a privilege set describing any privileges that were
|
|
used to gain access.
|
|
|
|
Note that this is not an optional parameter, that is, enough
|
|
room for a single privilege must always be passed.
|
|
|
|
Length - Supplies the length of the Privileges parameter in bytes.
|
|
If the supplies length is not adequate to store the entire
|
|
privilege set, this field will return the minimum length required.
|
|
|
|
Token - (optionally) Supplies the token for the client on whose
|
|
behalf the object is being accessed. If this value is
|
|
specified as null, then the token on the thread is opened and
|
|
examined to see if it is an impersonation token. If it is,
|
|
then it must be at SecurityIdentification level or higher. If
|
|
it is not an impersonation token, the operation proceeds
|
|
normally.
|
|
|
|
GenericMapping - Supplies the generic mapping associated with this
|
|
object type.
|
|
|
|
RemainingDesiredAccess - Returns the DesiredAccess mask after any bits
|
|
have been masked off. If no access types could be granted, this
|
|
mask will be identical to the one passed in.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - The operation completed successfully.
|
|
|
|
STATUS_BUFFER_TOO_SMALL - The passed buffer was not large enough
|
|
to contain the information being returned.
|
|
|
|
STATUS_BAD_IMPERSONATION_LEVEL - The caller or passed token was
|
|
impersonating, but not at a high enough level.
|
|
|
|
|
|
--*/
|
|
|
|
{
|
|
PRIVILEGE_SET RequiredPrivilege;
|
|
BOOLEAN Result = FALSE;
|
|
NTSTATUS Status;
|
|
ULONG PrivilegeCount = 0;
|
|
HANDLE ThreadToken;
|
|
BOOLEAN TokenPassed;
|
|
TOKEN_STATISTICS ThreadTokenStatistics;
|
|
ULONG ReturnLength;
|
|
ULONG SizeRequired;
|
|
ULONG PrivilegeNumber = 0;
|
|
|
|
|
|
//
|
|
// If the caller hasn't passed a token, call the kernel and get
|
|
// his impersonation token. This call will fail if the caller is
|
|
// not impersonating a client, so if the caller is not
|
|
// impersonating someone, he'd better have passed in an explicit
|
|
// token.
|
|
//
|
|
|
|
if (!ARGUMENT_PRESENT( Token )) {
|
|
|
|
Status = NtOpenThreadToken(
|
|
NtCurrentThread(),
|
|
TOKEN_QUERY,
|
|
TRUE,
|
|
&ThreadToken
|
|
);
|
|
|
|
TokenPassed = FALSE;
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
return( Status );
|
|
}
|
|
|
|
} else {
|
|
|
|
ThreadToken = Token;
|
|
TokenPassed = TRUE;
|
|
}
|
|
|
|
Status = NtQueryInformationToken(
|
|
ThreadToken, // Handle
|
|
TokenStatistics, // TokenInformationClass
|
|
&ThreadTokenStatistics, // TokenInformation
|
|
sizeof(TOKEN_STATISTICS), // TokenInformationLength
|
|
&ReturnLength // ReturnLength
|
|
);
|
|
|
|
ASSERT( NT_SUCCESS(Status) );
|
|
|
|
RtlMapGenericMask(
|
|
&DesiredAccess,
|
|
GenericMapping
|
|
);
|
|
|
|
*RemainingDesiredAccess = DesiredAccess;
|
|
|
|
if ( DesiredAccess & ACCESS_SYSTEM_SECURITY ) {
|
|
|
|
RequiredPrivilege.PrivilegeCount = 1;
|
|
RequiredPrivilege.Control = PRIVILEGE_SET_ALL_NECESSARY;
|
|
RequiredPrivilege.Privilege[0].Luid = RtlConvertLongToLuid(SE_SECURITY_PRIVILEGE);
|
|
RequiredPrivilege.Privilege[0].Attributes = 0;
|
|
|
|
//
|
|
// NtPrivilegeCheck will make sure we are impersonating
|
|
// properly.
|
|
//
|
|
|
|
Status = NtPrivilegeCheck(
|
|
ThreadToken,
|
|
&RequiredPrivilege,
|
|
&Result
|
|
);
|
|
|
|
if ( (!NT_SUCCESS ( Status )) || (!Result) ) {
|
|
|
|
if (!TokenPassed) {
|
|
NtClose( ThreadToken );
|
|
}
|
|
|
|
if ( !NT_SUCCESS( Status )) {
|
|
return( Status );
|
|
}
|
|
|
|
if ( !Result ) {
|
|
return( STATUS_PRIVILEGE_NOT_HELD );
|
|
}
|
|
|
|
}
|
|
|
|
//
|
|
// We have the required privilege, turn off the bit in
|
|
// copy of the input mask and remember that we need to return
|
|
// this privilege.
|
|
//
|
|
|
|
*RemainingDesiredAccess &= ~ACCESS_SYSTEM_SECURITY;
|
|
}
|
|
|
|
if (!TokenPassed) {
|
|
NtClose( ThreadToken );
|
|
}
|
|
|
|
SizeRequired = sizeof(PRIVILEGE_SET);
|
|
|
|
if ( SizeRequired > *Length ) {
|
|
*Length = SizeRequired;
|
|
return( STATUS_BUFFER_TOO_SMALL );
|
|
}
|
|
|
|
if (Result) {
|
|
|
|
Privileges->PrivilegeCount = 1;
|
|
Privileges->Control = 0;
|
|
Privileges->Privilege[PrivilegeNumber].Luid = RtlConvertLongToLuid(SE_SECURITY_PRIVILEGE);
|
|
Privileges->Privilege[PrivilegeNumber].Attributes = SE_PRIVILEGE_USED_FOR_ACCESS;
|
|
|
|
} else {
|
|
|
|
Privileges->PrivilegeCount = 0;
|
|
Privileges->Control = 0;
|
|
Privileges->Privilege[PrivilegeNumber].Luid = RtlConvertLongToLuid(0);
|
|
Privileges->Privilege[PrivilegeNumber].Attributes = 0;
|
|
|
|
}
|
|
|
|
return( STATUS_SUCCESS );
|
|
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlCopySecurityDescriptor(
|
|
IN PSECURITY_DESCRIPTOR InputSecurityDescriptor,
|
|
OUT PSECURITY_DESCRIPTOR *OutputSecurityDescriptor
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine will copy a self-relative security descriptor from
|
|
any memory into the correct type of memory required by security
|
|
descriptor Rtl routines.
|
|
|
|
This allows security descriptors to be kept in whatever kind of
|
|
storage is most convenient for the current application. A security
|
|
descriptor should be copied via this routine and the copy passed
|
|
into any Rtl routine that in any way modify the security descriptor
|
|
(eg RtlSetSecurityObject).
|
|
|
|
The storage allocated by this routine must be freed by
|
|
RtlDeleteSecurityObject.
|
|
|
|
Arguments:
|
|
|
|
InputSecurityDescriptor - contains the source security descriptor
|
|
|
|
OutputSecurityDescriptor - returns a copy of the security descriptor
|
|
in the correct kind of memory.
|
|
|
|
|
|
Return Value:
|
|
|
|
STATUS_NO_MEMORY - There was not enough memory available to the current
|
|
process to complete this operation.
|
|
|
|
--*/
|
|
|
|
{
|
|
|
|
PACL Dacl;
|
|
PACL Sacl;
|
|
|
|
PSID Owner;
|
|
PSID PrimaryGroup;
|
|
|
|
ULONG DaclSize;
|
|
ULONG OwnerSize;
|
|
ULONG PrimaryGroupSize;
|
|
ULONG SaclSize;
|
|
ULONG TotalSize;
|
|
|
|
PISECURITY_DESCRIPTOR ISecurityDescriptor =
|
|
(PISECURITY_DESCRIPTOR)InputSecurityDescriptor;
|
|
|
|
|
|
RtlpQuerySecurityDescriptor(
|
|
ISecurityDescriptor,
|
|
&Owner,
|
|
&OwnerSize,
|
|
&PrimaryGroup,
|
|
&PrimaryGroupSize,
|
|
&Dacl,
|
|
&DaclSize,
|
|
&Sacl,
|
|
&SaclSize
|
|
);
|
|
|
|
TotalSize = sizeof(SECURITY_DESCRIPTOR_RELATIVE) +
|
|
OwnerSize +
|
|
PrimaryGroupSize +
|
|
DaclSize +
|
|
SaclSize;
|
|
|
|
*OutputSecurityDescriptor = RtlAllocateHeap( RtlProcessHeap(), MAKE_TAG( SE_TAG ), TotalSize );
|
|
|
|
if ( *OutputSecurityDescriptor == NULL ) {
|
|
return( STATUS_NO_MEMORY );
|
|
}
|
|
|
|
RtlMoveMemory( *OutputSecurityDescriptor,
|
|
ISecurityDescriptor,
|
|
TotalSize
|
|
);
|
|
|
|
return( STATUS_SUCCESS );
|
|
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
RtlpInitializeAllowedAce(
|
|
IN PACCESS_ALLOWED_ACE AllowedAce,
|
|
IN USHORT AceSize,
|
|
IN UCHAR InheritFlags,
|
|
IN UCHAR AceFlags,
|
|
IN ACCESS_MASK Mask,
|
|
IN PSID AllowedSid
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function assigns the specified ACE values into an allowed type ACE.
|
|
|
|
Arguments:
|
|
|
|
AllowedAce - Supplies a pointer to the ACE that is initialized.
|
|
|
|
AceSize - Supplies the size of the ACE in bytes.
|
|
|
|
InheritFlags - Supplies ACE inherit flags.
|
|
|
|
AceFlags - Supplies ACE type specific control flags.
|
|
|
|
Mask - Supplies the allowed access masks.
|
|
|
|
AllowedSid - Supplies the pointer to the SID of user/group which is allowed
|
|
the specified access.
|
|
|
|
Return Value:
|
|
|
|
Returns status from RtlCopySid.
|
|
|
|
--*/
|
|
{
|
|
AllowedAce->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
|
|
AllowedAce->Header.AceSize = AceSize;
|
|
AllowedAce->Header.AceFlags = AceFlags | InheritFlags;
|
|
|
|
AllowedAce->Mask = Mask;
|
|
|
|
return RtlCopySid(
|
|
RtlLengthSid(AllowedSid),
|
|
&(AllowedAce->SidStart),
|
|
AllowedSid
|
|
);
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
RtlpInitializeDeniedAce(
|
|
IN PACCESS_DENIED_ACE DeniedAce,
|
|
IN USHORT AceSize,
|
|
IN UCHAR InheritFlags,
|
|
IN UCHAR AceFlags,
|
|
IN ACCESS_MASK Mask,
|
|
IN PSID DeniedSid
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function assigns the specified ACE values into a denied type ACE.
|
|
|
|
Arguments:
|
|
|
|
DeniedAce - Supplies a pointer to the ACE that is initialized.
|
|
|
|
AceSize - Supplies the size of the ACE in bytes.
|
|
|
|
InheritFlags - Supplies ACE inherit flags.
|
|
|
|
AceFlags - Supplies ACE type specific control flags.
|
|
|
|
Mask - Supplies the denied access masks.
|
|
|
|
AllowedSid - Supplies the pointer to the SID of user/group which is denied
|
|
the specified access.
|
|
|
|
Return Value:
|
|
|
|
Returns status from RtlCopySid.
|
|
|
|
--*/
|
|
{
|
|
DeniedAce->Header.AceType = ACCESS_DENIED_ACE_TYPE;
|
|
DeniedAce->Header.AceSize = AceSize;
|
|
DeniedAce->Header.AceFlags = AceFlags | InheritFlags;
|
|
|
|
DeniedAce->Mask = Mask;
|
|
|
|
return RtlCopySid(
|
|
RtlLengthSid(DeniedSid),
|
|
&(DeniedAce->SidStart),
|
|
DeniedSid
|
|
);
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
RtlpInitializeAuditAce(
|
|
IN PACCESS_ALLOWED_ACE AuditAce,
|
|
IN USHORT AceSize,
|
|
IN UCHAR InheritFlags,
|
|
IN UCHAR AceFlags,
|
|
IN ACCESS_MASK Mask,
|
|
IN PSID AuditSid
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function assigns the specified ACE values into an audit type ACE.
|
|
|
|
Arguments:
|
|
|
|
AuditAce - Supplies a pointer to the ACE that is initialized.
|
|
|
|
AceSize - Supplies the size of the ACE in bytes.
|
|
|
|
InheritFlags - Supplies ACE inherit flags.
|
|
|
|
AceFlags - Supplies ACE type specific control flags.
|
|
|
|
Mask - Supplies the allowed access masks.
|
|
|
|
AuditSid - Supplies the pointer to the SID of user/group which is to be
|
|
audited.
|
|
|
|
Return Value:
|
|
|
|
Returns status from RtlCopySid.
|
|
|
|
--*/
|
|
{
|
|
AuditAce->Header.AceType = SYSTEM_AUDIT_ACE_TYPE;
|
|
AuditAce->Header.AceSize = AceSize;
|
|
AuditAce->Header.AceFlags = AceFlags | InheritFlags;
|
|
|
|
AuditAce->Mask = Mask;
|
|
|
|
return RtlCopySid(
|
|
RtlLengthSid(AuditSid),
|
|
&(AuditAce->SidStart),
|
|
AuditSid
|
|
);
|
|
}
|
|
|
|
NTSTATUS
|
|
RtlCreateAndSetSD(
|
|
IN PRTL_ACE_DATA AceData,
|
|
IN ULONG AceCount,
|
|
IN PSID OwnerSid OPTIONAL,
|
|
IN PSID GroupSid OPTIONAL,
|
|
OUT PSECURITY_DESCRIPTOR *NewDescriptor
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function creates an absolute security descriptor containing
|
|
the supplied ACE information.
|
|
|
|
A sample usage of this function:
|
|
|
|
//
|
|
// Order matters! These ACEs are inserted into the DACL in the
|
|
// following order. Security access is granted or denied based on
|
|
// the order of the ACEs in the DACL.
|
|
//
|
|
|
|
RTL_ACE_DATA AceData[4] = {
|
|
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
|
GENERIC_ALL, &LocalAdminSid},
|
|
|
|
{ACCESS_DENIED_ACE_TYPE, 0, 0,
|
|
GENERIC_ALL, &NetworkSid},
|
|
|
|
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
|
WKSTA_CONFIG_GUEST_INFO_GET |
|
|
WKSTA_CONFIG_USER_INFO_GET, &DomainUsersSid},
|
|
|
|
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
|
WKSTA_CONFIG_GUEST_INFO_GET, &DomainGuestsSid}
|
|
};
|
|
|
|
PSECURITY_DESCRIPTOR WkstaSecurityDescriptor;
|
|
|
|
|
|
return RtlCreateAndSetSD(
|
|
AceData,
|
|
4,
|
|
LocalSystemSid,
|
|
LocalSystemSid,
|
|
&WkstaSecurityDescriptor
|
|
);
|
|
|
|
Arguments:
|
|
|
|
AceData - Supplies the structure of information that describes the DACL.
|
|
|
|
AceCount - Supplies the number of entries in AceData structure.
|
|
|
|
OwnerSid - Supplies the pointer to the SID of the security descriptor
|
|
owner. If not specified, a security descriptor with no owner
|
|
will be created.
|
|
|
|
GroupSid - Supplies the pointer to the SID of the security descriptor
|
|
primary group. If not specified, a security descriptor with no primary
|
|
group will be created.
|
|
|
|
NewDescriptor - Returns a pointer to the absolute security descriptor
|
|
allocated using RtlAllocateHeap.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - if successful
|
|
STATUS_NO_MEMORY - if cannot allocate memory for DACL, ACEs, and
|
|
security descriptor.
|
|
|
|
Any other status codes returned from the security Rtl routines.
|
|
|
|
NOTE : the user security object created by calling this function may be
|
|
freed up by calling RtlDeleteSecurityObject().
|
|
|
|
--*/
|
|
{
|
|
|
|
NTSTATUS ntstatus = STATUS_SUCCESS;
|
|
ULONG i;
|
|
|
|
//
|
|
// Pointer to memory dynamically allocated by this routine to hold
|
|
// the absolute security descriptor, the DACL, the SACL, and all the ACEs.
|
|
//
|
|
// +---------------------------------------------------------------+
|
|
// | Security Descriptor |
|
|
// +-------------------------------+-------+---------------+-------+
|
|
// | DACL | ACE 1 | . . . | ACE n |
|
|
// +-------------------------------+-------+---------------+-------+
|
|
// | SACL | ACE 1 | . . . | ACE n |
|
|
// +-------------------------------+-------+---------------+-------+
|
|
//
|
|
|
|
PSECURITY_DESCRIPTOR AbsoluteSd = NULL;
|
|
PACL Dacl = NULL; // Pointer to the DACL portion of above buffer
|
|
PACL Sacl = NULL; // Pointer to the SACL portion of above buffer
|
|
|
|
ULONG DaclSize = sizeof(ACL);
|
|
ULONG SaclSize = sizeof(ACL);
|
|
ULONG MaxAceSize = 0;
|
|
PVOID MaxAce = NULL;
|
|
|
|
PCHAR CurrentAvailable;
|
|
ULONG Size;
|
|
|
|
PVOID HeapHandle = RtlProcessHeap();
|
|
|
|
|
|
ASSERT( AceCount > 0 );
|
|
|
|
//
|
|
// Compute the total size of the DACL and SACL ACEs and the maximum
|
|
// size of any ACE.
|
|
//
|
|
|
|
for (i = 0; i < AceCount; i++) {
|
|
ULONG AceSize;
|
|
|
|
AceSize = RtlLengthSid(*(AceData[i].Sid));
|
|
|
|
switch (AceData[i].AceType) {
|
|
case ACCESS_ALLOWED_ACE_TYPE:
|
|
AceSize += sizeof(ACCESS_ALLOWED_ACE);
|
|
DaclSize += AceSize;
|
|
break;
|
|
|
|
case ACCESS_DENIED_ACE_TYPE:
|
|
AceSize += sizeof(ACCESS_DENIED_ACE);
|
|
DaclSize += AceSize;
|
|
break;
|
|
|
|
case SYSTEM_AUDIT_ACE_TYPE:
|
|
AceSize += sizeof(SYSTEM_AUDIT_ACE);
|
|
SaclSize += AceSize;
|
|
break;
|
|
|
|
default:
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
MaxAceSize = MaxAceSize > AceSize ? MaxAceSize : AceSize;
|
|
}
|
|
|
|
//
|
|
// Allocate a chunk of memory large enough for the security descriptor,
|
|
// the DACL, the SACL and all ACEs.
|
|
//
|
|
// A security descriptor is of opaque data type but
|
|
// SECURITY_DESCRIPTOR_MIN_LENGTH is the right size.
|
|
//
|
|
|
|
Size = SECURITY_DESCRIPTOR_MIN_LENGTH;
|
|
if ( DaclSize != sizeof(ACL) ) {
|
|
Size += DaclSize;
|
|
}
|
|
if ( SaclSize != sizeof(ACL) ) {
|
|
Size += SaclSize;
|
|
}
|
|
|
|
if ((AbsoluteSd = RtlAllocateHeap(
|
|
HeapHandle, MAKE_TAG( SE_TAG ),
|
|
Size
|
|
)) == NULL) {
|
|
ntstatus = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Initialize the Dacl and Sacl
|
|
//
|
|
|
|
CurrentAvailable = (PCHAR)AbsoluteSd + SECURITY_DESCRIPTOR_MIN_LENGTH;
|
|
|
|
if ( DaclSize != sizeof(ACL) ) {
|
|
Dacl = (PACL)CurrentAvailable;
|
|
CurrentAvailable += DaclSize;
|
|
|
|
ntstatus = RtlCreateAcl( Dacl, DaclSize, ACL_REVISION );
|
|
|
|
if ( !NT_SUCCESS(ntstatus) ) {
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
if ( SaclSize != sizeof(ACL) ) {
|
|
Sacl = (PACL)CurrentAvailable;
|
|
CurrentAvailable += SaclSize;
|
|
|
|
ntstatus = RtlCreateAcl( Sacl, SaclSize, ACL_REVISION );
|
|
|
|
if ( !NT_SUCCESS(ntstatus) ) {
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Allocate a temporary buffer big enough for the biggest ACE.
|
|
//
|
|
|
|
if ((MaxAce = RtlAllocateHeap(
|
|
HeapHandle, MAKE_TAG( SE_TAG ),
|
|
MaxAceSize
|
|
)) == NULL ) {
|
|
ntstatus = STATUS_NO_MEMORY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Initialize each ACE, and append it into the end of the DACL or SACL.
|
|
//
|
|
|
|
for (i = 0; i < AceCount; i++) {
|
|
ULONG AceSize;
|
|
PACL CurrentAcl;
|
|
|
|
AceSize = RtlLengthSid(*(AceData[i].Sid));
|
|
|
|
switch (AceData[i].AceType) {
|
|
case ACCESS_ALLOWED_ACE_TYPE:
|
|
|
|
AceSize += sizeof(ACCESS_ALLOWED_ACE);
|
|
CurrentAcl = Dacl;
|
|
ntstatus = RtlpInitializeAllowedAce(
|
|
MaxAce,
|
|
(USHORT) AceSize,
|
|
AceData[i].InheritFlags,
|
|
AceData[i].AceFlags,
|
|
AceData[i].Mask,
|
|
*(AceData[i].Sid)
|
|
);
|
|
break;
|
|
|
|
case ACCESS_DENIED_ACE_TYPE:
|
|
AceSize += sizeof(ACCESS_DENIED_ACE);
|
|
CurrentAcl = Dacl;
|
|
ntstatus = RtlpInitializeDeniedAce(
|
|
MaxAce,
|
|
(USHORT) AceSize,
|
|
AceData[i].InheritFlags,
|
|
AceData[i].AceFlags,
|
|
AceData[i].Mask,
|
|
*(AceData[i].Sid)
|
|
);
|
|
break;
|
|
|
|
case SYSTEM_AUDIT_ACE_TYPE:
|
|
AceSize += sizeof(SYSTEM_AUDIT_ACE);
|
|
CurrentAcl = Sacl;
|
|
ntstatus = RtlpInitializeAuditAce(
|
|
MaxAce,
|
|
(USHORT) AceSize,
|
|
AceData[i].InheritFlags,
|
|
AceData[i].AceFlags,
|
|
AceData[i].Mask,
|
|
*(AceData[i].Sid)
|
|
);
|
|
break;
|
|
}
|
|
|
|
if ( !NT_SUCCESS( ntstatus ) ) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Append the initialized ACE to the end of DACL or SACL
|
|
//
|
|
|
|
if (! NT_SUCCESS (ntstatus = RtlAddAce(
|
|
CurrentAcl,
|
|
ACL_REVISION,
|
|
MAXULONG,
|
|
MaxAce,
|
|
AceSize
|
|
))) {
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Create the security descriptor with absolute pointers to SIDs
|
|
// and ACLs.
|
|
//
|
|
// Owner = OwnerSid
|
|
// Group = GroupSid
|
|
// Dacl = Dacl
|
|
// Sacl = Sacl
|
|
//
|
|
|
|
if (! NT_SUCCESS(ntstatus = RtlCreateSecurityDescriptor(
|
|
AbsoluteSd,
|
|
SECURITY_DESCRIPTOR_REVISION
|
|
))) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (! NT_SUCCESS(ntstatus = RtlSetOwnerSecurityDescriptor(
|
|
AbsoluteSd,
|
|
OwnerSid,
|
|
FALSE
|
|
))) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (! NT_SUCCESS(ntstatus = RtlSetGroupSecurityDescriptor(
|
|
AbsoluteSd,
|
|
GroupSid,
|
|
FALSE
|
|
))) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (! NT_SUCCESS(ntstatus = RtlSetDaclSecurityDescriptor(
|
|
AbsoluteSd,
|
|
TRUE,
|
|
Dacl,
|
|
FALSE
|
|
))) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (! NT_SUCCESS(ntstatus = RtlSetSaclSecurityDescriptor(
|
|
AbsoluteSd,
|
|
FALSE,
|
|
Sacl,
|
|
FALSE
|
|
))) {
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Done
|
|
//
|
|
|
|
ntstatus = STATUS_SUCCESS;
|
|
|
|
//
|
|
// Clean up
|
|
//
|
|
|
|
Cleanup:
|
|
//
|
|
// Either return the security descriptor to the caller or delete it
|
|
//
|
|
|
|
if ( NT_SUCCESS( ntstatus ) ) {
|
|
*NewDescriptor = AbsoluteSd;
|
|
} else if ( AbsoluteSd != NULL ) {
|
|
(void) RtlFreeHeap(HeapHandle, 0, AbsoluteSd);
|
|
}
|
|
|
|
//
|
|
// Delete the temporary ACE
|
|
//
|
|
|
|
if ( MaxAce != NULL ) {
|
|
(void) RtlFreeHeap(HeapHandle, 0, MaxAce);
|
|
}
|
|
return ntstatus;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
RtlCreateUserSecurityObject(
|
|
IN PRTL_ACE_DATA AceData,
|
|
IN ULONG AceCount,
|
|
IN PSID OwnerSid,
|
|
IN PSID GroupSid,
|
|
IN BOOLEAN IsDirectoryObject,
|
|
IN PGENERIC_MAPPING GenericMapping,
|
|
OUT PSECURITY_DESCRIPTOR *NewDescriptor
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function creates the DACL for the security descriptor based on
|
|
on the ACE information specified, and creates the security descriptor
|
|
which becomes the user-mode security object.
|
|
|
|
A sample usage of this function:
|
|
|
|
//
|
|
// Structure that describes the mapping of Generic access rights to
|
|
// object specific access rights for the ConfigurationInfo object.
|
|
//
|
|
|
|
GENERIC_MAPPING WsConfigInfoMapping = {
|
|
STANDARD_RIGHTS_READ | // Generic read
|
|
WKSTA_CONFIG_GUEST_INFO_GET |
|
|
WKSTA_CONFIG_USER_INFO_GET |
|
|
WKSTA_CONFIG_ADMIN_INFO_GET,
|
|
STANDARD_RIGHTS_WRITE | // Generic write
|
|
WKSTA_CONFIG_INFO_SET,
|
|
STANDARD_RIGHTS_EXECUTE, // Generic execute
|
|
WKSTA_CONFIG_ALL_ACCESS // Generic all
|
|
};
|
|
|
|
//
|
|
// Order matters! These ACEs are inserted into the DACL in the
|
|
// following order. Security access is granted or denied based on
|
|
// the order of the ACEs in the DACL.
|
|
//
|
|
|
|
RTL_ACE_DATA AceData[4] = {
|
|
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
|
GENERIC_ALL, &LocalAdminSid},
|
|
|
|
{ACCESS_DENIED_ACE_TYPE, 0, 0,
|
|
GENERIC_ALL, &NetworkSid},
|
|
|
|
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
|
WKSTA_CONFIG_GUEST_INFO_GET |
|
|
WKSTA_CONFIG_USER_INFO_GET, &DomainUsersSid},
|
|
|
|
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
|
WKSTA_CONFIG_GUEST_INFO_GET, &DomainGuestsSid}
|
|
};
|
|
|
|
PSECURITY_DESCRIPTOR WkstaSecurityObject;
|
|
|
|
|
|
return RtlCreateUserSecurityObject(
|
|
AceData,
|
|
4,
|
|
LocalSystemSid,
|
|
LocalSystemSid,
|
|
FALSE,
|
|
&WsConfigInfoMapping,
|
|
&WkstaSecurityObject
|
|
);
|
|
|
|
Arguments:
|
|
|
|
AceData - Supplies the structure of information that describes the DACL.
|
|
|
|
AceCount - Supplies the number of entries in AceData structure.
|
|
|
|
OwnerSid - Supplies the pointer to the SID of the security descriptor
|
|
owner.
|
|
|
|
GroupSid - Supplies the pointer to the SID of the security descriptor
|
|
primary group.
|
|
|
|
IsDirectoryObject - Supplies the flag which indicates whether the
|
|
user-mode object is a directory object.
|
|
|
|
GenericMapping - Supplies the pointer to a generic mapping array denoting
|
|
the mapping between each generic right to specific rights.
|
|
|
|
NewDescriptor - Returns a pointer to the self-relative security descriptor
|
|
which represents the user-mode object.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - if successful
|
|
STATUS_NO_MEMORY - if cannot allocate memory for DACL, ACEs, and
|
|
security descriptor.
|
|
|
|
Any other status codes returned from the security Rtl routines.
|
|
|
|
NOTE : the user security object created by calling this function may be
|
|
freed up by calling RtlDeleteSecurityObject().
|
|
|
|
--*/
|
|
{
|
|
|
|
NTSTATUS ntstatus;
|
|
PSECURITY_DESCRIPTOR AbsoluteSd;
|
|
HANDLE TokenHandle;
|
|
PVOID HeapHandle = RtlProcessHeap();
|
|
|
|
ntstatus = RtlCreateAndSetSD(
|
|
AceData,
|
|
AceCount,
|
|
OwnerSid,
|
|
GroupSid,
|
|
&AbsoluteSd
|
|
);
|
|
|
|
if (! NT_SUCCESS(ntstatus)) {
|
|
return ntstatus;
|
|
}
|
|
|
|
ntstatus = NtOpenProcessToken(
|
|
NtCurrentProcess(),
|
|
TOKEN_QUERY,
|
|
&TokenHandle
|
|
);
|
|
|
|
if (! NT_SUCCESS(ntstatus)) {
|
|
(void) RtlFreeHeap(HeapHandle, 0, AbsoluteSd);
|
|
return ntstatus;
|
|
}
|
|
|
|
//
|
|
// Create the security object (a user-mode object is really a pseudo-
|
|
// object represented by a security descriptor that have relative
|
|
// pointers to SIDs and ACLs). This routine allocates the memory to
|
|
// hold the relative security descriptor so the memory allocated for the
|
|
// DACL, ACEs, and the absolute descriptor can be freed.
|
|
//
|
|
ntstatus = RtlNewSecurityObject(
|
|
NULL, // Parent descriptor
|
|
AbsoluteSd, // Creator descriptor
|
|
NewDescriptor, // Pointer to new descriptor
|
|
IsDirectoryObject, // Is directory object
|
|
TokenHandle, // Token
|
|
GenericMapping // Generic mapping
|
|
);
|
|
|
|
(void) NtClose(TokenHandle);
|
|
|
|
//
|
|
// Free dynamic memory before returning
|
|
//
|
|
(void) RtlFreeHeap(HeapHandle, 0, AbsoluteSd);
|
|
return ntstatus;
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
NTSTATUS
|
|
RtlConvertToAutoInheritSecurityObject(
|
|
IN PSECURITY_DESCRIPTOR ParentDescriptor OPTIONAL,
|
|
IN PSECURITY_DESCRIPTOR CurrentSecurityDescriptor,
|
|
OUT PSECURITY_DESCRIPTOR *NewSecurityDescriptor,
|
|
IN GUID *ObjectType OPTIONAL,
|
|
IN BOOLEAN IsDirectoryObject,
|
|
IN PGENERIC_MAPPING GenericMapping
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This is a converts a security descriptor whose ACLs are not marked
|
|
as AutoInherit to a security descriptor whose ACLs are marked as
|
|
AutoInherit.
|
|
|
|
See further detailed description on ConvertToAutoInheritPrivateObjectSecurity.
|
|
|
|
Arguments:
|
|
|
|
ParentDescriptor - Supplies the Security Descriptor for the parent
|
|
directory under which a object exists. If there is
|
|
no parent directory, then this argument is specified as NULL.
|
|
|
|
CurrentSecurityDescriptor - Supplies a pointer to the objects security descriptor
|
|
that is going to be altered by this procedure.
|
|
|
|
NewSecurityDescriptor Points to a pointer that is to be made to point to the
|
|
newly allocated self-relative security descriptor. When no
|
|
longer needed, this descriptor must be freed using
|
|
DestroyPrivateObjectSecurity().
|
|
|
|
ObjectType - GUID of the object type being created. If the object being
|
|
created has no GUID associated with it, then this argument is
|
|
specified as NULL.
|
|
|
|
IsDirectoryObject - Specifies if the object is a
|
|
directory object. A value of TRUE indicates the object is a
|
|
container of other objects.
|
|
|
|
GenericMapping - Supplies a pointer to a generic mapping array denoting
|
|
the mapping between each generic right to specific rights.
|
|
|
|
Return Value:
|
|
|
|
STATUS_SUCCESS - The operation was successful.
|
|
|
|
STATUS_UNKNOWN_REVISION - Indicates the source ACL is a revision that
|
|
is unknown to this routine. (Only revision 2 ACLs are support by this routine.)
|
|
|
|
STATUS_INVALID_ACL - The structure of one of the ACLs in invalid.
|
|
|
|
|
|
|
|
--*/
|
|
{
|
|
|
|
//
|
|
// Simply call the corresponding Rtlp routine telling it which allocator
|
|
// to use.
|
|
//
|
|
|
|
return RtlpConvertToAutoInheritSecurityObject(
|
|
ParentDescriptor,
|
|
CurrentSecurityDescriptor,
|
|
NewSecurityDescriptor,
|
|
ObjectType,
|
|
IsDirectoryObject,
|
|
GenericMapping );
|
|
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
RtlDefaultNpAcl(
|
|
OUT PACL * pAcl
|
|
)
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine constructs a default ACL to be applied to
|
|
named pipe objects when the caller has not specified one.
|
|
See NT bug 131090.
|
|
|
|
The ACL constructed is as follows:
|
|
|
|
Need to build an ACL that looks like the following:
|
|
|
|
Local System : F
|
|
Administrators: F
|
|
Owner: F
|
|
Everyone: R
|
|
Anonymous: R
|
|
|
|
The owner is determined by querying the currently effective
|
|
token and extracting the default owner.
|
|
|
|
Arguments:
|
|
|
|
pAcl - Receives a pointer to an ACL to apply to the named pipe
|
|
being created. Guaranteed to be NULL on return if an error
|
|
occurs.
|
|
|
|
This must be freed by calling RtlFreeHeap.
|
|
|
|
Return Value:
|
|
|
|
NT Status.
|
|
|
|
--*/
|
|
{
|
|
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
|
|
SID_IDENTIFIER_AUTHORITY CreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
|
|
SID_IDENTIFIER_AUTHORITY WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
|
|
|
|
ULONG AclSize = 0;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
ULONG ReturnLength = 0;
|
|
PTOKEN_OWNER OwnerSid = NULL;
|
|
|
|
HANDLE hToken;
|
|
|
|
//
|
|
// Initialize OUT parameters
|
|
//
|
|
|
|
*pAcl = NULL;
|
|
|
|
//
|
|
// Open thread token
|
|
//
|
|
|
|
Status = NtOpenThreadToken(
|
|
NtCurrentThread(),
|
|
TOKEN_QUERY,
|
|
TRUE,
|
|
&hToken
|
|
);
|
|
|
|
if (STATUS_NO_TOKEN == Status) {
|
|
|
|
//
|
|
// Not impersonating, get process token
|
|
//
|
|
|
|
Status = NtOpenProcessToken(
|
|
NtCurrentProcess(),
|
|
TOKEN_QUERY,
|
|
&hToken
|
|
);
|
|
}
|
|
|
|
if (NT_SUCCESS( Status )) {
|
|
|
|
//
|
|
// Get the default owner
|
|
//
|
|
|
|
Status = NtQueryInformationToken (
|
|
hToken,
|
|
TokenOwner,
|
|
NULL,
|
|
0,
|
|
&ReturnLength
|
|
);
|
|
|
|
if (STATUS_BUFFER_TOO_SMALL == Status) {
|
|
|
|
OwnerSid = (PTOKEN_OWNER)RtlAllocateHeap( RtlProcessHeap(), 0, ReturnLength );
|
|
|
|
if (OwnerSid) {
|
|
|
|
Status = NtQueryInformationToken (
|
|
hToken,
|
|
TokenOwner,
|
|
OwnerSid,
|
|
ReturnLength,
|
|
&ReturnLength
|
|
);
|
|
|
|
if (NT_SUCCESS( Status )) {
|
|
|
|
//
|
|
// Compute the size needed
|
|
//
|
|
|
|
UCHAR SidBuffer[16];
|
|
ASSERT( 16 == RtlLengthRequiredSid( 2 ));
|
|
|
|
AclSize += RtlLengthRequiredSid( 1 ); // LocalSystem Sid
|
|
AclSize += RtlLengthRequiredSid( 2 ); // Administrators
|
|
AclSize += RtlLengthRequiredSid( 1 ); // Everyone (World)
|
|
AclSize += RtlLengthRequiredSid( 1 ); // Anonymous Logon Sid
|
|
|
|
AclSize += RtlLengthSid( OwnerSid->Owner ); // Owner
|
|
|
|
AclSize += sizeof( ACL ); // Header
|
|
AclSize += 5 * (sizeof( ACCESS_ALLOWED_ACE ) - sizeof( ULONG ));
|
|
|
|
//
|
|
// Allocate the Acl out of the local process heap
|
|
//
|
|
|
|
*pAcl = (PACL)RtlAllocateHeap( RtlProcessHeap(), 0, AclSize );
|
|
|
|
if (*pAcl != NULL) {
|
|
|
|
RtlCreateAcl( *pAcl, AclSize, ACL_REVISION );
|
|
|
|
//
|
|
// Create each SID in turn and copy the resultant ACE into
|
|
// the new ACL
|
|
//
|
|
|
|
//
|
|
// Local System - Generic All
|
|
//
|
|
|
|
RtlInitializeSid( SidBuffer, &NtAuthority, 1);
|
|
*(RtlSubAuthoritySid( SidBuffer, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
|
|
RtlAddAccessAllowedAce( *pAcl, ACL_REVISION, GENERIC_ALL, (PSID)SidBuffer );
|
|
|
|
//
|
|
// Admins - Generic All
|
|
//
|
|
|
|
RtlInitializeSid( SidBuffer, &NtAuthority, 2);
|
|
*(RtlSubAuthoritySid( SidBuffer, 0 )) = SECURITY_BUILTIN_DOMAIN_RID;
|
|
*(RtlSubAuthoritySid( SidBuffer, 1 )) = DOMAIN_ALIAS_RID_ADMINS;
|
|
RtlAddAccessAllowedAce( *pAcl, ACL_REVISION, GENERIC_ALL, (PSID)SidBuffer );
|
|
|
|
//
|
|
// Owner - Generic All
|
|
//
|
|
|
|
RtlAddAccessAllowedAce( *pAcl, ACL_REVISION, GENERIC_ALL, OwnerSid->Owner );
|
|
|
|
//
|
|
// World - Generic Read
|
|
//
|
|
|
|
RtlInitializeSid( SidBuffer, &WorldSidAuthority, 1 );
|
|
*(RtlSubAuthoritySid( SidBuffer, 0 )) = SECURITY_WORLD_RID;
|
|
RtlAddAccessAllowedAce( *pAcl, ACL_REVISION, GENERIC_READ, (PSID)SidBuffer );
|
|
|
|
//
|
|
// Anonymous Logon - Generic Read
|
|
//
|
|
|
|
RtlInitializeSid( SidBuffer, &NtAuthority, 1);
|
|
*(RtlSubAuthoritySid( SidBuffer, 0 )) = SECURITY_ANONYMOUS_LOGON_RID;
|
|
RtlAddAccessAllowedAce( *pAcl, ACL_REVISION, GENERIC_READ, (PSID)SidBuffer );
|
|
|
|
} else {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
}
|
|
}
|
|
|
|
RtlFreeHeap( RtlProcessHeap(), 0, OwnerSid );
|
|
|
|
} else {
|
|
|
|
Status = STATUS_NO_MEMORY;
|
|
}
|
|
}
|
|
|
|
NtClose( hToken );
|
|
}
|
|
|
|
if (!NT_SUCCESS( Status )) {
|
|
|
|
//
|
|
// Something failed, clean up OUT
|
|
// parameters.
|
|
//
|
|
|
|
if (*pAcl != NULL) {
|
|
RtlFreeHeap( RtlProcessHeap(), 0, *pAcl );
|
|
*pAcl = NULL;
|
|
}
|
|
}
|
|
|
|
return( Status );
|
|
}
|