Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1617 lines
49 KiB

/*++
Copyright (c) 1995 Microsoft Corporation
Module Name:
regsec.cpp
Abstract:
ISecurityInformation implementation for Registry Key
Author:
Hitesh Raigandhi (raigah) May-1999
Revision History:
--*/
//Include Files:
#include "wchar.h"
#include "regsec.h"
#include "regresid.h"
#include "assert.h"
// ISecurityInformation interface implementation
EXTERN_C const GUID IID_ISecurityInformation ;
// = { 0x965fc360, 0x16ff, 0x11d0, 0x91, 0xcb, 0x0, 0xaa, 0x0, 0xbb, 0xb7, 0x23 };
//The Following array defines the permission names for Registry Key Objects
SI_ACCESS siKeyAccesses[] =
{
{ NULL,
KEY_ALL_ACCESS,
MAKEINTRESOURCE(IDS_SEC_EDITOR_FULL_ACCESS),
SI_ACCESS_GENERAL | CONTAINER_INHERIT_ACE | SI_ACCESS_SPECIFIC },
{ NULL,
KEY_QUERY_VALUE,
MAKEINTRESOURCE(IDS_SEC_EDITOR_QUERY_VALUE),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
KEY_SET_VALUE,
MAKEINTRESOURCE(IDS_SEC_EDITOR_SET_VALUE),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
KEY_CREATE_SUB_KEY,
MAKEINTRESOURCE(IDS_SEC_EDITOR_CREATE_SUBKEY),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
KEY_ENUMERATE_SUB_KEYS,
MAKEINTRESOURCE(IDS_SEC_EDITOR_ENUM_SUBKEYS),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
KEY_NOTIFY,
MAKEINTRESOURCE(IDS_SEC_EDITOR_NOTIFY),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
KEY_CREATE_LINK,
MAKEINTRESOURCE(IDS_SEC_EDITOR_CREATE_LINK),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
0x00010000, /* DELETE, */
MAKEINTRESOURCE(IDS_SEC_EDITOR_DELETE),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
WRITE_DAC,
MAKEINTRESOURCE(IDS_SEC_EDITOR_WRITE_DAC),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
WRITE_OWNER,
MAKEINTRESOURCE(IDS_SEC_EDITOR_WRITE_OWNER),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
READ_CONTROL,
MAKEINTRESOURCE(IDS_SEC_EDITOR_READ_CONTROL),
SI_ACCESS_SPECIFIC | CONTAINER_INHERIT_ACE },
{ NULL,
KEY_READ,
MAKEINTRESOURCE(IDS_SEC_EDITOR_READ),
SI_ACCESS_GENERAL | CONTAINER_INHERIT_ACE },
};
// The following array defines the inheritance types for Registry.
//
//
// For Keys, objects and containers are the same, so no need for OBJECT_INHERIT_ACE
//
SI_INHERIT_TYPE siKeyInheritTypes[] =
{
NULL, 0, MAKEINTRESOURCE(IDS_KEY_FOLDER),
NULL, CONTAINER_INHERIT_ACE, MAKEINTRESOURCE(IDS_KEY_FOLDER_SUBFOLDER),
NULL, INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE, MAKEINTRESOURCE(IDS_KEY_SUBFOLDER_ONLY)
};
#define iKeyDefAccess 10 // index of value in array siKeyAccesses
#ifndef ARRAYSIZE
#define ARRAYSIZE(x) (sizeof(x)/sizeof(x[0]))
#endif
PWSTR _PredefinedKeyName[] = { L"CLASSES_ROOT",
L"CURRENT_USER",
L"MACHINE",
L"USERS",
L"CONFIG" };
//CKeySecurityInformation Functions
HRESULT
CKeySecurityInformation::Initialize( LPCWSTR strKeyName,
LPCWSTR strParentName,
LPCWSTR strMachineName,
LPCWSTR strPageTitle,
BOOL bRemote,
PREDEFINE_KEY PredefinedKey,
BOOL bReadOnly,
HWND hWnd)
{
if( strParentName )
if( !strKeyName )
return HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER);
if( NULL == strMachineName )
return HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER);
if( NULL == hWnd )
return HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER);
if( NULL == strPageTitle )
return HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER);
AuthzInitializeResourceManager(NULL,
NULL,
NULL,
NULL,
0,
&m_ResourceManager );
HRESULT hr = S_OK;
m_strKeyName = strKeyName;
m_strParentName = strParentName;
m_strMachineName = strMachineName;
m_strPageTitle = strPageTitle;
m_bRemote = bRemote;
m_PredefinedKey = PredefinedKey;
m_bReadOnly = bReadOnly;
m_hWnd = hWnd;
m_dwFlags = SI_EDIT_ALL | SI_ADVANCED | SI_CONTAINER
| SI_RESET_DACL_TREE | SI_RESET_SACL_TREE
| SI_OWNER_RECURSE | SI_PAGE_TITLE | SI_EDIT_EFFECTIVE;
if( m_bReadOnly )
m_dwFlags |= SI_READONLY | SI_OWNER_READONLY ;
//Set Handle to Predfined key
if( S_OK != ( hr = SetHandleToPredefinedKey() ) )
return hr;
//Set CompleteName
if( S_OK != ( hr = SetCompleteName() ) )
return hr;
return S_OK;
}
CKeySecurityInformation::~CKeySecurityInformation()
{
if( m_strCompleteName )
LocalFree( m_strCompleteName );
//Close Handle to Remote Registry if it was successfully opened.
if( m_bRemote && m_hkeyPredefinedKey )
RegCloseKey(m_hkeyPredefinedKey);
AuthzFreeResourceManager(m_ResourceManager);
}
//Sets the complete name in Format:
// "\\machine_name\Predefined_keyName\regkey_path
HRESULT
CKeySecurityInformation::SetCompleteName()
{
UINT len = 0;
PWSTR pstrCompleteName;
if( m_bRemote )
{
len += wcslen( m_strMachineName );
len++;
}
len += wcslen(_PredefinedKeyName[ m_PredefinedKey]);
len++;
if( m_strParentName )
{
len += wcslen(m_strParentName);
len++;
}
if( m_strKeyName )
{
len += wcslen(m_strKeyName);
len++;
}
len++; //Terminating null
pstrCompleteName = (PWSTR)LocalAlloc(LPTR, len * sizeof(WCHAR));
if( pstrCompleteName == NULL )
return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY);
if( m_bRemote )
{
wcscpy(pstrCompleteName,m_strMachineName);
wcscat(pstrCompleteName, L"\\");
}
wcscat(pstrCompleteName,_PredefinedKeyName[ m_PredefinedKey]);
wcscat(pstrCompleteName,L"\\");
if(m_strParentName)
{
wcscat(pstrCompleteName,m_strParentName);
wcscat(pstrCompleteName,L"\\");
}
if(m_strKeyName)
{
wcscat(pstrCompleteName, m_strKeyName );
wcscat(pstrCompleteName,L"\\");
}
m_strCompleteName = pstrCompleteName;
return S_OK;
}
//Doesn't have Predefined key name attached
//Caller must LocalFree
LPCWSTR
CKeySecurityInformation::GetCompleteName1()
{
UINT len = 0;
PWSTR pstrCompleteName;
if( m_strParentName )
{
len += wcslen(m_strParentName);
len++;
}
if( m_strKeyName )
{
len += wcslen(m_strKeyName);
len++;
}
len++; //Terminating null
pstrCompleteName = (PWSTR)LocalAlloc(LPTR, len * sizeof(WCHAR));
if( pstrCompleteName == NULL )
return NULL;
if(m_strParentName)
{
wcscpy(pstrCompleteName,m_strParentName);
wcscat(pstrCompleteName,L"\\");
}
if(m_strKeyName)
{
wcscat(pstrCompleteName, m_strKeyName );
wcscat(pstrCompleteName,L"\\");
}
return pstrCompleteName;
}
HRESULT
CKeySecurityInformation::SetHandleToPredefinedKey()
{
DWORD dwErr;
HRESULT hr = S_OK;
if( !m_bRemote ) {
switch ( m_PredefinedKey ){
case PREDEFINE_KEY_CLASSES_ROOT:
m_hkeyPredefinedKey= HKEY_CLASSES_ROOT;
break;
case PREDEFINE_KEY_CURRENT_USER:
m_hkeyPredefinedKey = HKEY_CURRENT_USER;
break;
case PREDEFINE_KEY_LOCAL_MACHINE :
m_hkeyPredefinedKey = HKEY_LOCAL_MACHINE;
break;
case PREDEFINE_KEY_USERS:
m_hkeyPredefinedKey = HKEY_USERS;
break;
case PREDEFINE_KEY_CURRENT_CONFIG :
m_hkeyPredefinedKey = HKEY_CURRENT_CONFIG;
break;
default:
//assert(false);
break;
}
}
else { //IsRemoteRegistry
switch ( m_PredefinedKey ){
case PREDEFINE_KEY_CLASSES_ROOT:
case PREDEFINE_KEY_CURRENT_USER:
case PREDEFINE_KEY_CURRENT_CONFIG:
m_hkeyPredefinedKey = 0;
break;
case PREDEFINE_KEY_LOCAL_MACHINE :
m_hkeyPredefinedKey = HKEY_LOCAL_MACHINE;
break;
case PREDEFINE_KEY_USERS:
m_hkeyPredefinedKey = HKEY_USERS;
break;
default:
//assert(false);
break;
}
if( m_hkeyPredefinedKey ){
dwErr = RegConnectRegistry( m_strMachineName,
m_hkeyPredefinedKey,
&m_hkeyPredefinedKey );
if( dwErr ) {
m_hkeyPredefinedKey = 0;
hr = HRESULT_FROM_WIN32( dwErr );
}
}
} //IsRemoteRegistry
return hr;
}
/*
JeffreyS 1/24/97:
If you don't set the SI_RESET flag in
ISecurityInformation::GetObjectInformation, then fDefault should never be TRUE
so you can ignore it. Returning E_NOTIMPL in this case is OK too.
If you want the user to be able to reset the ACL to some default state
(defined by you) then turn on SI_RESET and return your default ACL
when fDefault is TRUE. This happens if/when the user pushes a button
that is only visible when SI_RESET is on.
*/
STDMETHODIMP
CKeySecurityInformation::GetObjectInformation (
PSI_OBJECT_INFO pObjectInfo )
{
assert( NULL != pObjectInfo );
pObjectInfo->dwFlags = m_dwFlags;
pObjectInfo->hInstance = GetModuleHandle(NULL);
// pObjectInfo->pszServerName = (LPWSTR)m_strMachineName;
pObjectInfo->pszServerName = (LPWSTR)m_strMachineName;
pObjectInfo->pszObjectName = (LPWSTR)m_strPageTitle;
return S_OK;
}
STDMETHODIMP
CKeySecurityInformation::GetAccessRights(
const GUID *pguidObjectType,
DWORD dwFlags,
PSI_ACCESS *ppAccess,
ULONG *pcAccesses,
ULONG *piDefaultAccess
)
{
assert( NULL != ppAccess );
assert( NULL != pcAccesses );
assert( NULL != piDefaultAccess );
*ppAccess = siKeyAccesses;
*pcAccesses = ARRAYSIZE(siKeyAccesses);
*piDefaultAccess = iKeyDefAccess;
return S_OK;
}
GENERIC_MAPPING KeyMap =
{
KEY_READ,
KEY_WRITE,
KEY_READ,
KEY_ALL_ACCESS
};
STDMETHODIMP
CKeySecurityInformation::MapGeneric(
const GUID *pguidObjectType,
UCHAR *pAceFlags,
ACCESS_MASK *pMask
)
{
//jeffreys
// After returning from the object picker dialog, aclui passes
//CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE to MapGeneric for validation when
// initializing Permission entry for <objectname> dialog.
//hiteshr: since registry keys don't have OBJECT_INHERIT_ACE, remove this FLAG,
//this will cause "this keys and subkeys" to appear as default in combobox.
*pAceFlags &= ~OBJECT_INHERIT_ACE;
MapGenericMask(pMask, &KeyMap);
return S_OK;
}
STDMETHODIMP
CKeySecurityInformation::GetInheritTypes (
PSI_INHERIT_TYPE *ppInheritTypes,
ULONG *pcInheritTypes
)
{
assert( NULL != ppInheritTypes );
assert( NULL != pcInheritTypes );
*ppInheritTypes = siKeyInheritTypes;
*pcInheritTypes = ARRAYSIZE(siKeyInheritTypes);
return S_OK;
}
STDMETHODIMP
CKeySecurityInformation::PropertySheetPageCallback(
HWND hwnd,
UINT uMsg,
SI_PAGE_TYPE uPage
)
{
switch (uMsg)
{
case PSPCB_SI_INITDIALOG:
m_hWndProperty = hwnd;
break;
case PSPCB_RELEASE:
m_hWndProperty = NULL;
break;
}
return S_OK;
}
STDMETHODIMP
CKeySecurityInformation::GetSecurity( IN SECURITY_INFORMATION RequestedInformation,
OUT PSECURITY_DESCRIPTOR *ppSecurityDescriptor,
IN BOOL fDefault )
{
if( fDefault )
return E_NOTIMPL;
assert( NULL != ppSecurityDescriptor );
HRESULT hr;
LPCTSTR pstrKeyName = GetCompleteName();
DWORD dwErr = 0;
dwErr = GetNamedSecurityInfo( (LPTSTR)pstrKeyName,
SE_REGISTRY_KEY,
RequestedInformation,
NULL,
NULL,
NULL,
NULL,
ppSecurityDescriptor);
return ( ( dwErr != ERROR_SUCCESS ) ? HRESULT_FROM_WIN32(dwErr) : S_OK);
}
STDMETHODIMP
CKeySecurityInformation::SetSecurity(IN SECURITY_INFORMATION si,
IN PSECURITY_DESCRIPTOR pSD )
{
if( NULL == pSD )
return HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER);
HRESULT hr = S_OK;
SECURITY_INFORMATION siLocal = 0;
SECURITY_DESCRIPTOR sdLocal = {0};
ACL daclEmpty = {0};
HKEY hkeyOld = NULL;
HKEY hKeyNew = NULL;
BOOL bWriteInfo = false;
DWORD Error = 0;
//
// Create a security descriptor with no SACL and an
// empty DACL for recursively resetting security
//
InitializeSecurityDescriptor(&sdLocal, SECURITY_DESCRIPTOR_REVISION);
InitializeAcl(&daclEmpty, sizeof(ACL), ACL_REVISION);
SetSecurityDescriptorDacl(&sdLocal, TRUE, &daclEmpty, FALSE);
SetSecurityDescriptorSacl(&sdLocal, TRUE, &daclEmpty, FALSE);
//
// If we need to recursively set the Owner, get the Owner &
// Group from pSD.
//
if (si & SI_OWNER_RECURSE)
{
PSID psid;
BOOL bDefaulted;
assert(si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION));
siLocal |= si & (OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION);
if (GetSecurityDescriptorOwner(pSD, &psid, &bDefaulted))
SetSecurityDescriptorOwner(&sdLocal, psid, bDefaulted);
if (GetSecurityDescriptorGroup(pSD, &psid, &bDefaulted))
SetSecurityDescriptorGroup(&sdLocal, psid, bDefaulted);
}
if (si & SI_RESET_DACL_TREE)
{
assert(si & DACL_SECURITY_INFORMATION);
siLocal |= si & DACL_SECURITY_INFORMATION;
}
if (si & SI_RESET_SACL_TREE)
{
assert(si & SACL_SECURITY_INFORMATION);
siLocal |= si & SACL_SECURITY_INFORMATION;
}
if( siLocal )
{
//Open the key with current Maximum Allowed Permisson
//When applying permissons recursively , we first use current permisson,
//if current permisson doesn't have enough rights, we reopen handle to key with
//new permissons. If none (old or new )has enough permissons to enumerate child and
// Query info we fail.
REGSAM samDesired = MAXIMUM_ALLOWED;
if( si & SACL_SECURITY_INFORMATION )
samDesired |= ACCESS_SYSTEM_SECURITY;
if( si & DACL_SECURITY_INFORMATION )
samDesired |= WRITE_DAC;
if( si & OWNER_SECURITY_INFORMATION )
samDesired |= WRITE_OWNER;
//Open the selected key
if( S_OK != ( hr = OpenKey( samDesired, &hkeyOld ) ) ){
return hr;
}
//Check if key has Enumeration Permisson
DWORD NumberOfSubKeys = 0;
DWORD MaxSubKeyLength = 0;
// Find out the total number of subkeys
Error = RegQueryInfoKey(
hkeyOld,
NULL,
NULL,
NULL,
&NumberOfSubKeys,
&MaxSubKeyLength,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
);
if( Error != ERROR_SUCCESS ){
if( Error == ERROR_ACCESS_DENIED ) {
hr = WriteObjectSecurity( hkeyOld, si, pSD );
if( hr != S_OK )
{
if( m_hkeyPredefinedKey != hkeyOld )
RegCloseKey( hkeyOld );
return hr;
}
bWriteInfo = true;
//
// Handle doesn't allow KEY_QUERY_VALUE or READ_CONTROL access.
// Open a new handle with these accesses.
//
samDesired = MAXIMUM_ALLOWED;
if( si & SACL_SECURITY_INFORMATION ) {
samDesired |= ACCESS_SYSTEM_SECURITY;
} else if( si & DACL_SECURITY_INFORMATION ) {
samDesired |= WRITE_DAC;
} else if( si & OWNER_SECURITY_INFORMATION ) {
samDesired |= WRITE_OWNER;
}
Error = RegOpenKeyEx( hkeyOld,
NULL,
REG_OPTION_RESERVED,
samDesired,
&hKeyNew
);
if( Error != ERROR_SUCCESS )
{
if( m_hkeyPredefinedKey != hkeyOld )
RegCloseKey( hkeyOld );
return HRESULT_FROM_WIN32(Error);
}
else
{
if( m_hkeyPredefinedKey != hkeyOld )
RegCloseKey( hkeyOld );
}
Error = RegQueryInfoKey(
hKeyNew,
NULL,
NULL,
NULL,
&NumberOfSubKeys,
&MaxSubKeyLength,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL );
if( Error != ERROR_SUCCESS ) {
RegCloseKey( hKeyNew );
return HRESULT_FROM_WIN32( Error );
}
}
else
{
if( m_hkeyPredefinedKey != hkeyOld )
RegCloseKey( hkeyOld );
return HRESULT_FROM_WIN32( Error );
}
}
else
hKeyNew = hkeyOld;
if( NumberOfSubKeys )
{
assert( MaxSubKeyLength <= MAX_PATH );
DWORD SubKeyNameLength = 0;
WCHAR SubKeyName[MAX_PATH + 1];
//
// The key has subkeys.
// Find out if we are able to enumerate the key using the handle
// passed as argument.
//
SubKeyNameLength = MAX_PATH;
Error = RegEnumKey( hKeyNew,
0,
SubKeyName,
SubKeyNameLength );
if( Error != ERROR_SUCCESS ){
if( Error == ERROR_ACCESS_DENIED && bWriteInfo == false ){
hr = WriteObjectSecurity( hkeyOld, si, pSD );
if( hr != S_OK )
{
if( m_hkeyPredefinedKey != hkeyOld )
RegCloseKey( hkeyOld );
return hr;
}
bWriteInfo = true;
//
// Handle doesn't allow KEY_QUERY_VALUE or READ_CONTROL access.
// Open a new handle with these accesses.
//
samDesired = MAXIMUM_ALLOWED;
if( si & SACL_SECURITY_INFORMATION ) {
samDesired |= ACCESS_SYSTEM_SECURITY;
} else if( si & DACL_SECURITY_INFORMATION ) {
samDesired |= WRITE_DAC;
} else if( si & OWNER_SECURITY_INFORMATION ) {
samDesired |= WRITE_OWNER;
}
Error = RegOpenKeyEx( hkeyOld,
NULL,
REG_OPTION_RESERVED,
samDesired,
&hKeyNew
);
if( Error != ERROR_SUCCESS )
{
if( m_hkeyPredefinedKey != hkeyOld )
RegCloseKey( hkeyOld );
return HRESULT_FROM_WIN32(Error);
}
else
{
if( m_hkeyPredefinedKey != hkeyOld )
RegCloseKey( hkeyOld );
}
SubKeyNameLength = MAX_PATH;
Error = RegEnumKey( hKeyNew,
0,
SubKeyName,
SubKeyNameLength );
if( Error != ERROR_SUCCESS ){
RegCloseKey( hKeyNew );
return HRESULT_FROM_WIN32(Error);
}
}
else
{
if( m_hkeyPredefinedKey != hKeyNew )
RegCloseKey( hKeyNew );
return HRESULT_FROM_WIN32(Error);
}
}
}
}
//
// Recursively apply new Owner and/or reset the ACLs
//
if (siLocal)
{
BOOL bNotAllApplied = FALSE;
hr = SetSubKeysSecurity( hKeyNew, siLocal, &sdLocal, &bNotAllApplied, true );
RegFlushKey( hKeyNew );
if( m_hkeyPredefinedKey != hKeyNew )
RegCloseKey( hKeyNew );
if( bNotAllApplied )
{
if( siLocal & OWNER_SECURITY_INFORMATION )
{
DisplayMessage( GetInFocusHWnd(),
GetModuleHandle(NULL),
IDS_SET_OWNER_RECURSIVE_EX_FAIL,
IDS_SECURITY );
}
else if( ( siLocal & DACL_SECURITY_INFORMATION ) || ( siLocal & SACL_SECURITY_INFORMATION ) )
{
DisplayMessage( GetInFocusHWnd(),
GetModuleHandle(NULL),
IDS_SET_SECURITY_RECURSIVE_EX_FAIL,
IDS_SECURITY);
}
}
if( hr != S_OK )
return hr;
}
si &= ~(SI_OWNER_RECURSE | SI_RESET_DACL_TREE | SI_RESET_SACL_TREE);
//This sets the security for the top keys
if (si != 0)
{
hr = WriteObjectSecurity( GetCompleteName(),
si,
pSD );
if( hr != S_OK )
{
if( siLocal )
RegCloseKey( hkeyOld );
return hr;
}
}
return hr;
}
STDMETHODIMP
CKeySecurityInformation::WriteObjectSecurity(LPCTSTR pszObject,
IN SECURITY_INFORMATION si,
IN PSECURITY_DESCRIPTOR pSD )
{
DWORD dwErr;
SECURITY_DESCRIPTOR_CONTROL wSDControl = 0;
DWORD dwRevision;
PSID psidOwner = NULL;
PSID psidGroup = NULL;
PACL pDacl = NULL;
PACL pSacl = NULL;
BOOL bDefaulted;
BOOL bPresent;
//
// Get pointers to various security descriptor parts for
// calling SetNamedSecurityInfo
//
if( !GetSecurityDescriptorControl(pSD, &wSDControl, &dwRevision) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if( !GetSecurityDescriptorOwner(pSD, &psidOwner, &bDefaulted) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if( !GetSecurityDescriptorGroup(pSD, &psidGroup, &bDefaulted) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if( !GetSecurityDescriptorDacl(pSD, &bPresent, &pDacl, &bDefaulted) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if( !GetSecurityDescriptorSacl(pSD, &bPresent, &pSacl, &bDefaulted) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if ((si & DACL_SECURITY_INFORMATION) && (wSDControl & SE_DACL_PROTECTED))
si |= PROTECTED_DACL_SECURITY_INFORMATION;
else
si |= UNPROTECTED_DACL_SECURITY_INFORMATION;
if ((si & SACL_SECURITY_INFORMATION) && (wSDControl & SE_SACL_PROTECTED))
si |= PROTECTED_SACL_SECURITY_INFORMATION;
else
si |= UNPROTECTED_SACL_SECURITY_INFORMATION;
//if the selected key is predefined key, it has no parent and hence
//cannot inherit any permisson from parent.
//if PROTECTED_DACL_SECURITY_INFORMATION flag is not set in this case
// SetSecurityInfo succeeds, but permissions are not set.[bug in SetSecurityInfo].
if ( (si & DACL_SECURITY_INFORMATION) && !m_strKeyName )
si |= PROTECTED_DACL_SECURITY_INFORMATION;
else
si |= UNPROTECTED_DACL_SECURITY_INFORMATION;
if ( (si & SACL_SECURITY_INFORMATION) && !m_strKeyName )
si |= PROTECTED_SACL_SECURITY_INFORMATION;
else
si |= UNPROTECTED_SACL_SECURITY_INFORMATION;
//We are on the root object
if( m_strKeyName == NULL )
{
dwErr = SetSecurityInfo( m_hkeyPredefinedKey,
SE_REGISTRY_KEY,
si,
psidOwner,
psidGroup,
pDacl,
pSacl);
}else
{
dwErr = SetNamedSecurityInfo((LPWSTR)pszObject,
SE_REGISTRY_KEY,
si,
psidOwner,
psidGroup,
pDacl,
pSacl);
}
return (dwErr ? HRESULT_FROM_WIN32(dwErr) : S_OK);
}
STDMETHODIMP
CKeySecurityInformation::WriteObjectSecurity(HKEY hkey,
IN SECURITY_INFORMATION si,
IN PSECURITY_DESCRIPTOR pSD )
{
DWORD dwErr;
SECURITY_DESCRIPTOR_CONTROL wSDControl = 0;
DWORD dwRevision;
PSID psidOwner = NULL;
PSID psidGroup = NULL;
PACL pDacl = NULL;
PACL pSacl = NULL;
BOOL bDefaulted;
BOOL bPresent;
//
// Get pointers to various security descriptor parts for
// calling SetNamedSecurityInfo
//
;
if( !GetSecurityDescriptorControl(pSD, &wSDControl, &dwRevision) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if( !GetSecurityDescriptorOwner(pSD, &psidOwner, &bDefaulted) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if( !GetSecurityDescriptorGroup(pSD, &psidGroup, &bDefaulted) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if( !GetSecurityDescriptorDacl(pSD, &bPresent, &pDacl, &bDefaulted) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if( !GetSecurityDescriptorSacl(pSD, &bPresent, &pSacl, &bDefaulted) )
{
dwErr = GetLastError();
return HRESULT_FROM_WIN32(dwErr);
}
if ((si & DACL_SECURITY_INFORMATION) && (wSDControl & SE_DACL_PROTECTED))
si |= PROTECTED_DACL_SECURITY_INFORMATION;
else
si |= UNPROTECTED_DACL_SECURITY_INFORMATION;
if ((si & SACL_SECURITY_INFORMATION) && (wSDControl & SE_SACL_PROTECTED))
si |= PROTECTED_SACL_SECURITY_INFORMATION;
else
si |= UNPROTECTED_SACL_SECURITY_INFORMATION;
dwErr = SetSecurityInfo( hkey,
SE_REGISTRY_KEY,
si,
psidOwner,
psidGroup,
pDacl,
pSacl);
return (dwErr ? HRESULT_FROM_WIN32(dwErr) : S_OK);
}
HRESULT
CKeySecurityInformation::SetSubKeysSecurity( HKEY hkey,
SECURITY_INFORMATION si,
PSECURITY_DESCRIPTOR pSD,
LPBOOL pbNotAllApplied,
bool bFirstCall )
{
ULONG Error;
REGSAM samDesired;
HRESULT hr;
HRESULT hrRet;
HKEY hKeyNew;
//For First Call we call SetSecurityInfoEx in last
if( !bFirstCall ){
SECURITY_DESCRIPTOR_CONTROL wSDControl = 0;
DWORD dwRevision;
PSID psidOwner = NULL;
PSID psidGroup = NULL;
PACL pDacl = NULL;
PACL pSacl = NULL;
BOOL bDefaulted;
BOOL bPresent;
DWORD dwErr;
//
// Get pointers to various security descriptor parts for
// calling SetNamedSecurityInfo
//
if( !GetSecurityDescriptorControl(pSD, &wSDControl, &dwRevision) )
{
*pbNotAllApplied = TRUE;
goto SET_FOR_CHILD;
}
if( !GetSecurityDescriptorOwner(pSD, &psidOwner, &bDefaulted) )
{
*pbNotAllApplied = TRUE;
goto SET_FOR_CHILD;
}
if( !GetSecurityDescriptorGroup(pSD, &psidGroup, &bDefaulted) )
{
*pbNotAllApplied = TRUE;
goto SET_FOR_CHILD;
}
if( !GetSecurityDescriptorDacl(pSD, &bPresent, &pDacl, &bDefaulted) )
{
*pbNotAllApplied = TRUE;
goto SET_FOR_CHILD;
}
if( !GetSecurityDescriptorSacl(pSD, &bPresent, &pSacl, &bDefaulted) )
{
*pbNotAllApplied = TRUE;
goto SET_FOR_CHILD;
}
if ((si & DACL_SECURITY_INFORMATION) && (wSDControl & SE_DACL_PROTECTED))
si |= PROTECTED_DACL_SECURITY_INFORMATION;
else
si |= UNPROTECTED_DACL_SECURITY_INFORMATION;
if ((si & SACL_SECURITY_INFORMATION) && (wSDControl & SE_SACL_PROTECTED))
si |= PROTECTED_SACL_SECURITY_INFORMATION;
else
si |= UNPROTECTED_SACL_SECURITY_INFORMATION;
dwErr = SetSecurityInfo( hkey,
SE_REGISTRY_KEY,
si,
psidOwner,
psidGroup,
pDacl,
pSacl);
if( dwErr != ERROR_SUCCESS )
{
*pbNotAllApplied = TRUE;
goto SET_FOR_CHILD;
//return HRESULT_FROM_WIN32(dwErr);
}
//RegFlushKey( hkey );
}
SET_FOR_CHILD:
DWORD NumberOfSubKeys = 0;
DWORD MaxSubKeyLength = 0;
// Find out the total number of subkeys
Error = RegQueryInfoKey(
hkey,
NULL,
NULL,
NULL,
&NumberOfSubKeys,
&MaxSubKeyLength,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL
);
if( Error != ERROR_SUCCESS ){
if( Error == ERROR_ACCESS_DENIED ) {
//
// Handle doesn't allow KEY_QUERY_VALUE or READ_CONTROL access.
// Open a new handle with these accesses.
//
samDesired = KEY_QUERY_VALUE | READ_CONTROL; // MAXIMUM_ALLOWED | READ_CONTROL;
if( si & SACL_SECURITY_INFORMATION ) {
samDesired |= ACCESS_SYSTEM_SECURITY;
} else if( si & DACL_SECURITY_INFORMATION ) {
samDesired |= WRITE_DAC;
} else if( si & OWNER_SECURITY_INFORMATION ) {
samDesired |= WRITE_OWNER;
}
Error = RegOpenKeyEx( hkey,
NULL,
REG_OPTION_RESERVED,
samDesired,
&hKeyNew
);
if( Error != ERROR_SUCCESS ) {
*pbNotAllApplied = TRUE;
return S_OK;
}
Error = RegQueryInfoKey(
hKeyNew,
NULL,
NULL,
NULL,
&NumberOfSubKeys,
&MaxSubKeyLength,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL );
if( Error != ERROR_SUCCESS ) {
RegCloseKey( hKeyNew );
*pbNotAllApplied = TRUE;
return S_OK;
}
else
RegCloseKey( hKeyNew );
}
else{
*pbNotAllApplied = TRUE;
return S_OK;
}
}
if( NumberOfSubKeys == 0 ) {
return S_OK;
}
assert( MaxSubKeyLength <= MAX_PATH );
DWORD SubKeyNameLength = 0;
WCHAR SubKeyName[MAX_PATH + 1];
//
// The key has subkeys.
// Find out if we are able to enumerate the key using the handle
// passed as argument.
//
SubKeyNameLength = MAX_PATH;
Error = RegEnumKey( hkey,
0,
SubKeyName,
SubKeyNameLength );
if( Error != ERROR_SUCCESS ){
if( Error == ERROR_ACCESS_DENIED ) {
//
// Handle doesn't allow 'enumerate' access.
// Open a new handle with KEY_ENUMERATE_SUB_KEYS access.
//
Error = RegOpenKeyEx( hkey,
NULL,
REG_OPTION_RESERVED,
KEY_ENUMERATE_SUB_KEYS, // samDesired,
&hKeyNew
);
if( Error != ERROR_SUCCESS ){
*pbNotAllApplied = TRUE;
return S_OK;
}
}
else{
*pbNotAllApplied = TRUE;
return S_OK;
}
}
else {
hKeyNew = hkey;
}
for( DWORD Index = 0; Index < NumberOfSubKeys; Index++ )
{
// If the key has subkeys, then for each subkey, do:
// - Determine the subkey name
SubKeyNameLength = MAX_PATH;
Error = RegEnumKey( hKeyNew,
Index,
SubKeyName,
SubKeyNameLength );
if( Error != ERROR_SUCCESS ) {
*pbNotAllApplied = TRUE;
continue;
//return HRESULT_FROM_WIN32( Error );
}
// - Open a handle to the subkey
samDesired = MAXIMUM_ALLOWED;
if( si & SACL_SECURITY_INFORMATION )
samDesired |= ACCESS_SYSTEM_SECURITY;
if( si & DACL_SECURITY_INFORMATION )
samDesired |= WRITE_DAC;
if( si & OWNER_SECURITY_INFORMATION )
samDesired |= WRITE_OWNER;
HKEY hkeyChild;
Error = RegOpenKeyEx( hKeyNew,
SubKeyName,
REG_OPTION_RESERVED,
samDesired,
&hkeyChild
);
if( ERROR_SUCCESS != Error ){
*pbNotAllApplied = TRUE;
continue;
// return HRESULT_FROM_WIN32( Error );
}
// - Set the security of the child's subkeys
if( S_OK != ( hr = SetSubKeysSecurity( hkeyChild,
si,
pSD,
pbNotAllApplied,
false ) ) ){
//This case will occur only if some fatal error occur which
//prevents propogation on rest of the tree.
if( hKeyNew != hkey )
RegCloseKey( hKeyNew );
RegCloseKey( hkeyChild );
return hr;
}
else{
RegCloseKey( hkeyChild );
}
} //For loop
if( hKeyNew != hkey )
RegCloseKey( hKeyNew );
return S_OK;;
}
HRESULT
CKeySecurityInformation::OpenKey(IN DWORD Permission,
OUT PHKEY pKey )
{
LPCWSTR CompleteNameString = NULL;;
ULONG Error;
if( m_strKeyName == NULL){
//This is a predefined key
*pKey = m_hkeyPredefinedKey;
}
else{
CompleteNameString = GetCompleteName1();
assert( CompleteNameString != NULL );
// Open handle to the key
Error = RegOpenKeyEx(m_hkeyPredefinedKey,
CompleteNameString,
0,
Permission,
pKey );
if( Error != ERROR_SUCCESS ) {
return HRESULT_FROM_WIN32( Error );
}
}
if( CompleteNameString )
LocalFree( (HLOCAL) CompleteNameString);
return S_OK;
}
OBJECT_TYPE_LIST g_DefaultOTL[] = {
{0, 0, (LPGUID)&GUID_NULL},
};
BOOL SkipLocalGroup(LPCWSTR pszServerName, PSID psid)
{
SID_NAME_USE use;
WCHAR szAccountName[MAX_PATH];
WCHAR szDomainName[MAX_PATH];
DWORD dwAccountLen = MAX_PATH;
DWORD dwDomainLen = MAX_PATH;
if(LookupAccountSid(pszServerName,
psid,
szAccountName,
&dwAccountLen,
szDomainName,
&dwDomainLen,
&use))
{
if(use == SidTypeWellKnownGroup)
return TRUE;
}
//Built In sids have first subauthority of 32 ( s-1-5-32 )
//
if((*(GetSidSubAuthorityCount(psid)) >= 1 ) && (*(GetSidSubAuthority(psid,0)) == 32))
return TRUE;
return FALSE;
}
STDMETHODIMP
CKeySecurityInformation::GetEffectivePermission(const GUID* pguidObjectType,
PSID pUserSid,
LPCWSTR pszServerName,
PSECURITY_DESCRIPTOR pSD,
POBJECT_TYPE_LIST *ppObjectTypeList,
ULONG *pcObjectTypeListLength,
PACCESS_MASK *ppGrantedAccessList,
ULONG *pcGrantedAccessListLength)
{
AUTHZ_RESOURCE_MANAGER_HANDLE RM = NULL; //Used for access check
AUTHZ_CLIENT_CONTEXT_HANDLE CC = NULL;
LUID luid = {0xdead,0xbeef};
AUTHZ_ACCESS_REQUEST AReq;
AUTHZ_ACCESS_REPLY AReply;
HRESULT hr = S_OK;
DWORD dwFlags;
AReq.ObjectTypeList = g_DefaultOTL;
AReq.ObjectTypeListLength = ARRAYSIZE(g_DefaultOTL);
AReply.GrantedAccessMask = NULL;
AReply.Error = NULL;
//Get RM
if( (RM = GetAUTHZ_RM()) == NULL )
return S_FALSE;
//Initialize the client context
BOOL bSkipLocalGroup = SkipLocalGroup(pszServerName, pUserSid);
if( !AuthzInitializeContextFromSid(bSkipLocalGroup? AUTHZ_SKIP_TOKEN_GROUPS :0,
pUserSid,
RM,
NULL,
luid,
NULL,
&CC) )
{
return HRESULT_FROM_WIN32(GetLastError());
}
//Do the Access Check
AReq.DesiredAccess = MAXIMUM_ALLOWED;
AReq.PrincipalSelfSid = NULL;
AReq.OptionalArguments = NULL;
AReply.ResultListLength = AReq.ObjectTypeListLength;
AReply.SaclEvaluationResults = NULL;
if( (AReply.GrantedAccessMask = (PACCESS_MASK)LocalAlloc(LPTR, sizeof(ACCESS_MASK)*AReply.ResultListLength) ) == NULL )
return E_OUTOFMEMORY;
if( (AReply.Error = (PDWORD)LocalAlloc(LPTR, sizeof(DWORD)*AReply.ResultListLength)) == NULL )
{
LocalFree(AReply.GrantedAccessMask);
return E_OUTOFMEMORY;
}
if( !AuthzAccessCheck(0,
CC,
&AReq,
NULL,
pSD,
NULL,
0,
&AReply,
NULL) )
{
LocalFree(AReply.GrantedAccessMask);
LocalFree(AReply.Error);
return HRESULT_FROM_WIN32(GetLastError());
}
if(CC)
AuthzFreeContext(CC);
*ppObjectTypeList = AReq.ObjectTypeList;
*pcObjectTypeListLength = AReq.ObjectTypeListLength;
*ppGrantedAccessList = AReply.GrantedAccessMask;
*pcGrantedAccessListLength = AReq.ObjectTypeListLength;
return S_OK;
}
STDMETHODIMP
CKeySecurityInformation::GetInheritSource(SECURITY_INFORMATION si,
PACL pACL,
PINHERITED_FROM *ppInheritArray)
{
HRESULT hr = S_OK;
if (NULL == m_strKeyName || !pACL || !ppInheritArray)
return E_UNEXPECTED;
DWORD dwErr = ERROR_SUCCESS;
PINHERITED_FROM pTempInherit = NULL;
PINHERITED_FROM pTempInherit2 = NULL;
LPWSTR pStrTemp = NULL;
LPCWSTR pszName = GetCompleteName();
pTempInherit = (PINHERITED_FROM)LocalAlloc( LPTR, sizeof(INHERITED_FROM)*pACL->AceCount);
if(pTempInherit == NULL)
{
hr = E_OUTOFMEMORY;
goto exit_gracefully;
}
dwErr = GetInheritanceSource((LPWSTR)pszName,
SE_REGISTRY_KEY,
si,
TRUE,
NULL,
0,
pACL,
NULL,
&KeyMap,
pTempInherit);
hr = HRESULT_FROM_WIN32(dwErr);
if( FAILED(hr) )
goto exit_gracefully;
DWORD nSize;
UINT i;
nSize = sizeof(INHERITED_FROM)*pACL->AceCount;
for(i = 0; i < pACL->AceCount; ++i)
{
if(pTempInherit[i].AncestorName)
nSize += ((wcslen(pTempInherit[i].AncestorName)+1)*sizeof(WCHAR));
}
pTempInherit2 = (PINHERITED_FROM)LocalAlloc( LPTR, nSize );
if(pTempInherit2 == NULL)
{
hr = E_OUTOFMEMORY;
goto exit_gracefully;
}
pStrTemp = (LPWSTR)(pTempInherit2 + pACL->AceCount);
for(i = 0; i < pACL->AceCount; ++i)
{
pTempInherit2[i].GenerationGap = pTempInherit[i].GenerationGap;
if(pTempInherit[i].AncestorName)
{
pTempInherit2[i].AncestorName = pStrTemp;
wcscpy(pStrTemp,pTempInherit[i].AncestorName);
pStrTemp += (wcslen(pTempInherit[i].AncestorName)+1);
}
}
exit_gracefully:
if(SUCCEEDED(hr))
{
//FreeInheritedFromArray(pTempInherit, pACL->AceCount,NULL);
*ppInheritArray = pTempInherit2;
}
if(pTempInherit)
LocalFree(pTempInherit);
return hr;
}
///////////////////////////////////////////////////////////
//
// IUnknown methods
//
///////////////////////////////////////////////////////////
STDMETHODIMP_(ULONG)
CSecurityInformation::AddRef()
{
return ++m_cRef;
}
STDMETHODIMP_(ULONG)
CSecurityInformation::Release()
{
if (--m_cRef == 0)
{
delete this;
return 0;
}
return m_cRef;
}
STDMETHODIMP
CSecurityInformation::QueryInterface(REFIID riid, LPVOID FAR* ppv)
{
// if (IsEqualIID(riid, IID_IUnknown) || IsEqualIID(riid, IID_ISecurityInformation))
if ( IsEqualIID(riid, IID_ISecurityInformation) )
{
*ppv = (LPSECURITYINFO)this;
m_cRef++;
return S_OK;
}
else if(IsEqualIID(riid, IID_IEffectivePermission) )
{
*ppv = (LPEFFECTIVEPERMISSION)this;
m_cRef++;
return S_OK;
}
else if(IsEqualIID(riid, IID_ISecurityObjectTypeInfo) )
{
*ppv = (LPSecurityObjectTypeInfo)this;
m_cRef++;
return S_OK;
}
else
{
*ppv = NULL;
return E_NOINTERFACE;
}
}
HRESULT CreateSecurityInformation( IN LPCWSTR strKeyName,
IN LPCWSTR strParentName,
IN LPCWSTR strMachineName,
IN LPCWSTR strPageTitle,
IN BOOL bRemote,
IN PREDEFINE_KEY PredefinedKey,
IN BOOL bReadOnly,
IN HWND hWnd,
OUT LPSECURITYINFO *ppSi)
{
HRESULT hr;
if( !ppSi )
return HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER);
CKeySecurityInformation *ckey = new CKeySecurityInformation;
if( NULL == ckey )
return HRESULT_FROM_WIN32(ERROR_NOT_ENOUGH_MEMORY);
if( S_OK != ( hr = ckey->Initialize( strKeyName,
strParentName,
strMachineName,
strPageTitle,
bRemote,
PredefinedKey,
bReadOnly,
hWnd ) ) )
{
delete ckey;
return hr;
}
else
{
*ppSi = ckey;
return S_OK;
}
}
//Some helper functions
BOOL DisplayMessage( HWND hWnd,
HINSTANCE hInstance,
DWORD dwMessageId,
DWORD dwCaptionId )
{
WCHAR pszMessage[1025];
WCHAR pszTitle[1025];
LPWSTR lpTitle = NULL;
if( !LoadString(hInstance, dwMessageId, pszMessage, 1024 ) )
return FALSE;
if( dwCaptionId )
{
if( LoadString(hInstance, dwCaptionId, pszTitle, 1024 ) )
lpTitle = pszTitle;
}
// Display the string.
MessageBox( hWnd, (LPCTSTR)pszMessage, (LPCTSTR)lpTitle, MB_OK | MB_ICONINFORMATION |MB_APPLMODAL );
return TRUE;
}