ReactOS  0.4.15-dev-4872-g8a3db97
security.c File Reference
#include "winlogon.h"
Include dependency graph for security.c:

Go to the source code of this file.

Macros

#define DESKTOP_ALL
 
#define DESKTOP_ADMINS_LIMITED
 
#define DESKTOP_INTERACTIVE_LIMITED
 
#define DESKTOP_WINLOGON_ADMINS_LIMITED   (STANDARD_RIGHTS_REQUIRED | DESKTOP_ENUMERATE)
 
#define WINSTA_ALL
 
#define WINSTA_ADMINS_LIMITED   (WINSTA_READATTRIBUTES | WINSTA_ENUMERATE)
 
#define GENERIC_ACCESS
 

Functions

PSECURITY_DESCRIPTOR ConvertToSelfRelative (_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
 Converts an absolute security descriptor to a self-relative format. More...
 
BOOL CreateWinstaSecurity (_Out_ PSECURITY_DESCRIPTOR *WinstaSd)
 Creates a security descriptor for the default window station upon its creation. More...
 
BOOL CreateApplicationDesktopSecurity (_Out_ PSECURITY_DESCRIPTOR *ApplicationDesktopSd)
 Creates a security descriptor for the default application desktop upon its creation. More...
 
BOOL CreateWinlogonDesktopSecurity (_Out_ PSECURITY_DESCRIPTOR *WinlogonDesktopSd)
 Creates a security descriptor for the default Winlogon desktop. This descriptor serves as a security measure for the winlogon desktop so that only Winlogon itself (and admins) can interact with it. More...
 
BOOL CreateScreenSaverSecurity (_Out_ PSECURITY_DESCRIPTOR *ScreenSaverDesktopSd)
 Creates a security descriptor for the screen saver desktop. More...
 
BOOL AllowWinstaAccessToUser (_In_ HWINSTA WinSta, _In_ PSID LogonSid)
 Assigns access to the specific logon user to the default window station. Such access is given to the user when it has logged in. More...
 
BOOL AllowDesktopAccessToUser (_In_ HDESK Desktop, _In_ PSID LogonSid)
 Assigns access to the specific logon user to the default desktop. Such access is given to the user when it has logged in. More...
 
BOOL AllowAccessOnSession (_In_ PWLSESSION Session)
 Assigns both window station and desktop access to the specific session currently active on the system. More...
 

Variables

static SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY}
 

Macro Definition Documentation

◆ DESKTOP_ADMINS_LIMITED

#define DESKTOP_ADMINS_LIMITED
Value:
DESKTOP_CREATEWINDOW | DESKTOP_CREATEMENU | DESKTOP_ENUMERATE)
#define DESKTOP_ENUMERATE
Definition: winuser.h:218
#define DESKTOP_READOBJECTS
Definition: winuser.h:222
#define DESKTOP_CREATEMENU
Definition: winuser.h:216
#define DESKTOP_WRITEOBJECTS
Definition: winuser.h:224

Definition at line 19 of file security.c.

◆ DESKTOP_ALL

#define DESKTOP_ALL
Value:
DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD | \
DESKTOP_JOURNALPLAYBACK | DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \
DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED)
#define DESKTOP_ENUMERATE
Definition: winuser.h:218
#define DESKTOP_READOBJECTS
Definition: winuser.h:222
#define DESKTOP_CREATEWINDOW
Definition: winuser.h:217
#define DESKTOP_JOURNALRECORD
Definition: winuser.h:221
#define STANDARD_RIGHTS_REQUIRED
Definition: nt_native.h:63
#define DESKTOP_HOOKCONTROL
Definition: winuser.h:219
#define DESKTOP_WRITEOBJECTS
Definition: winuser.h:224

Definition at line 14 of file security.c.

◆ DESKTOP_INTERACTIVE_LIMITED

#define DESKTOP_INTERACTIVE_LIMITED
Value:
DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW)
#define DESKTOP_ENUMERATE
Definition: winuser.h:218
#define STANDARD_RIGHTS_READ
Definition: nt_native.h:65
#define DESKTOP_CREATEWINDOW
Definition: winuser.h:217

Definition at line 22 of file security.c.

◆ DESKTOP_WINLOGON_ADMINS_LIMITED

#define DESKTOP_WINLOGON_ADMINS_LIMITED   (STANDARD_RIGHTS_REQUIRED | DESKTOP_ENUMERATE)

Definition at line 25 of file security.c.

◆ GENERIC_ACCESS

#define GENERIC_ACCESS
Value:
GENERIC_EXECUTE | GENERIC_ALL)
#define GENERIC_ALL
Definition: nt_native.h:92
#define GENERIC_WRITE
Definition: nt_native.h:90
#define GENERIC_READ
Definition: compat.h:135

Definition at line 35 of file security.c.

◆ WINSTA_ADMINS_LIMITED

#define WINSTA_ADMINS_LIMITED   (WINSTA_READATTRIBUTES | WINSTA_ENUMERATE)

Definition at line 33 of file security.c.

◆ WINSTA_ALL

#define WINSTA_ALL
Value:
WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | \
WINSTA_WRITEATTRIBUTES | WINSTA_ACCESSGLOBALATOMS | \
WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | WINSTA_READSCREEN | \
STANDARD_RIGHTS_REQUIRED)
#define WINSTA_ACCESSGLOBALATOMS
Definition: winuser.h:409
#define WINSTA_ENUMERATE
Definition: winuser.h:412
#define WINSTA_READATTRIBUTES
Definition: winuser.h:414
#define WINSTA_CREATEDESKTOP
Definition: winuser.h:410
#define WINSTA_ENUMDESKTOPS
Definition: winuser.h:411
#define WINSTA_READSCREEN
Definition: winuser.h:415

Definition at line 27 of file security.c.

Function Documentation

◆ AllowAccessOnSession()

BOOL AllowAccessOnSession ( _In_ PWLSESSION  Session)

Assigns both window station and desktop access to the specific session currently active on the system.

Parameters
[in]SessionA pointer to an active session.
Returns
Returns TRUE if the function has successfully assigned access to the current session, FALSE otherwise.

Definition at line 1391 of file security.c.

1393 {
1394  BOOL Success = FALSE;
1395  DWORD Index, SidLength, GroupsLength = 0;
1396  PTOKEN_GROUPS TokenGroup = NULL;
1397  PSID LogonSid;
1398 
1399  /* Get required buffer size and allocate the TOKEN_GROUPS buffer */
1400  if (!GetTokenInformation(Session->UserToken,
1401  TokenGroups,
1402  TokenGroup,
1403  0,
1404  &GroupsLength))
1405  {
1407  {
1408  ERR("AllowAccessOnSession(): Unexpected error code returned, must be ERROR_INSUFFICIENT_BUFFER (error code %lu)\n", GetLastError());
1409  return FALSE;
1410  }
1411 
1412  TokenGroup = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, GroupsLength);
1413  if (TokenGroup == NULL)
1414  {
1415  ERR("AllowAccessOnSession(): Failed to allocate memory buffer for token group!\n");
1416  return FALSE;
1417  }
1418  }
1419 
1420  /* Get the token group information from the access token */
1421  if (!GetTokenInformation(Session->UserToken,
1422  TokenGroups,
1423  TokenGroup,
1424  GroupsLength,
1425  &GroupsLength))
1426  {
1427  ERR("AllowAccessOnSession(): Failed to retrieve the token group information (error code %lu)\n", GetLastError());
1428  goto Quit;
1429  }
1430 
1431  /* Loop through the groups to find the logon SID */
1432  for (Index = 0; Index < TokenGroup->GroupCount; Index++)
1433  {
1434  if ((TokenGroup->Groups[Index].Attributes & SE_GROUP_LOGON_ID)
1435  == SE_GROUP_LOGON_ID)
1436  {
1437  LogonSid = TokenGroup->Groups[Index].Sid;
1438  break;
1439  }
1440  }
1441 
1442  /* Allow window station access to this user within this session */
1443  if (!AllowWinstaAccessToUser(Session->InteractiveWindowStation, LogonSid))
1444  {
1445  ERR("AllowAccessOnSession(): Failed to allow winsta access to the logon user!\n");
1446  goto Quit;
1447  }
1448 
1449  /* Allow application desktop access to this user within this session */
1450  if (!AllowDesktopAccessToUser(Session->ApplicationDesktop, LogonSid))
1451  {
1452  ERR("AllowAccessOnSession(): Failed to allow application desktop access to the logon user!\n");
1453  goto Quit;
1454  }
1455 
1456  /* Get the length of this logon SID */
1457  SidLength = GetLengthSid(LogonSid);
1458 
1459  /* Assign the window station to this logged in user */
1460  if (!SetWindowStationUser(Session->InteractiveWindowStation,
1461  &Session->LogonId,
1462  LogonSid,
1463  SidLength))
1464  {
1465  ERR("AllowAccessOnSession(): Failed to assign the window station to the logon user!\n");
1466  goto Quit;
1467  }
1468 
1469  Success = TRUE;
1470 
1471 Quit:
1472  if (TokenGroup != NULL)
1473  {
1474  RtlFreeHeap(RtlGetProcessHeap(), 0, TokenGroup);
1475  }
1476 
1477  return Success;
1478 }
BOOL WINAPI SetWindowStationUser(IN HWINSTA hWindowStation, IN PLUID pluid, IN PSID psid OPTIONAL, IN DWORD size)
Definition: winsta.c:419
#define TRUE
Definition: types.h:120
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
#define FALSE
Definition: types.h:117
unsigned int BOOL
Definition: ntddk_ex.h:94
BOOL AllowDesktopAccessToUser(_In_ HDESK Desktop, _In_ PSID LogonSid)
Assigns access to the specific logon user to the default desktop. Such access is given to the user wh...
Definition: security.c:1165
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
DWORD WINAPI GetLengthSid(PSID pSid)
Definition: security.c:921
_In_ WDFCOLLECTION _In_ ULONG Index
unsigned long DWORD
Definition: ntddk_ex.h:95
#define SE_GROUP_LOGON_ID
Definition: setypes.h:98
#define ERR(fmt,...)
Definition: debug.h:110
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]
Definition: setypes.h:1014
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
$ULONG GroupCount
Definition: setypes.h:1010
BOOL WINAPI GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
Definition: security.c:413
BOOL AllowWinstaAccessToUser(_In_ HWINSTA WinSta, _In_ PSID LogonSid)
Assigns access to the specific logon user to the default window station. Such access is given to the ...
Definition: security.c:874
#define ERROR_INSUFFICIENT_BUFFER
Definition: dderror.h:10

Referenced by HandleLogon().

◆ AllowDesktopAccessToUser()

BOOL AllowDesktopAccessToUser ( _In_ HDESK  Desktop,
_In_ PSID  LogonSid 
)

Assigns access to the specific logon user to the default desktop. Such access is given to the user when it has logged in.

Parameters
[in]DesktopA handle to a desktop where the user is given access to it.
[in]LogonSidA pointer to a logon SID that represents the logged in user in question.
Returns
Returns TRUE if the function has successfully assigned access to the user, FALSE otherwise.

Definition at line 1165 of file security.c.

1168 {
1169  BOOL Success = FALSE;
1170  SECURITY_DESCRIPTOR AbsoluteSd;
1171  PSECURITY_DESCRIPTOR RelativeSd = NULL;
1172  PSID WinlogonSid = NULL, AdminsSid = NULL, InteractiveSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
1174  DWORD DaclSize;
1175  PACL Dacl;
1176 
1177  /* Create the Winlogon SID */
1179  1,
1181  0, 0, 0, 0, 0, 0, 0,
1182  &WinlogonSid))
1183  {
1184  ERR("AllowDesktopAccessToUser(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
1185  return FALSE;
1186  }
1187 
1188  /* Create the admins SID */
1190  2,
1193  0, 0, 0, 0, 0, 0,
1194  &AdminsSid))
1195  {
1196  ERR("AllowDesktopAccessToUser(): Failed to create the admins SID (error code %lu)\n", GetLastError());
1197  goto Quit;
1198  }
1199 
1200  /* Create the interactive logon SID */
1202  1,
1204  0, 0, 0, 0, 0, 0, 0,
1205  &InteractiveSid))
1206  {
1207  ERR("AllowDesktopAccessToUser(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
1208  goto Quit;
1209  }
1210 
1211  /* HACK: Create the network service SID */
1213  1,
1215  0, 0, 0, 0, 0, 0, 0,
1217  {
1218  ERR("AllowDesktopAccessToUser(): Failed to create the network service SID (error code %lu)\n", GetLastError());
1219  goto Quit;
1220  }
1221 
1222  /*
1223  * Build up the DACL size. This includes a number
1224  * of four ACEs of four different SIDs. The first ACE
1225  * gives full desktop access to Winlogon, the second one gives
1226  * generic limited desktop access to admins. The last two give
1227  * full power to both interactive logon users and logon user as
1228  * well.
1229  */
1230  DaclSize = sizeof(ACL) +
1231  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
1232  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
1233  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(InteractiveSid) +
1234  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(LogonSid) +
1235  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid); /* HACK */
1236 
1237  /* Allocate the DACL now */
1238  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
1240  DaclSize);
1241  if (Dacl == NULL)
1242  {
1243  ERR("AllowDesktopAccessToUser(): Failed to allocate memory buffer for DACL!\n");
1244  goto Quit;
1245  }
1246 
1247  /* Initialize it */
1249  {
1250  ERR("AllowDesktopAccessToUser(): Failed to initialize DACL (error code %lu)\n", GetLastError());
1251  goto Quit;
1252  }
1253 
1254  /* First ACE -- Give full desktop access to Winlogon */
1256  ACL_REVISION,
1257  0,
1258  DESKTOP_ALL,
1259  WinlogonSid))
1260  {
1261  ERR("AllowDesktopAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
1262  goto Quit;
1263  }
1264 
1265  /* Second ACE -- Give limited desktop access to admins */
1267  ACL_REVISION,
1268  0,
1270  AdminsSid))
1271  {
1272  ERR("AllowDesktopAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
1273  goto Quit;
1274  }
1275 
1276  /* Third ACE -- Give full desktop access to interactive logon users */
1278  ACL_REVISION,
1279  0,
1280  DESKTOP_ALL,
1281  InteractiveSid))
1282  {
1283  ERR("AllowDesktopAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1284  goto Quit;
1285  }
1286 
1287  /* Fourth ACE -- Give full desktop access to logon user */
1289  ACL_REVISION,
1290  0,
1291  DESKTOP_ALL,
1292  LogonSid))
1293  {
1294  ERR("AllowDesktopAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1295  goto Quit;
1296  }
1297 
1298  /* HACK: Fifth ACE -- Give full desktop to network services */
1300  ACL_REVISION,
1301  0,
1302  DESKTOP_ALL,
1304  {
1305  ERR("AllowDesktopAccessToUser(): Failed to set ACE for network service SID (error code %lu)\n", GetLastError());
1306  goto Quit;
1307  }
1308 
1309  /* Initialize the security descriptor */
1311  {
1312  ERR("AllowDesktopAccessToUser(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
1313  goto Quit;
1314  }
1315 
1316  /* Set the DACL to the descriptor */
1317  if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
1318  {
1319  ERR("AllowDesktopAccessToUser(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
1320  goto Quit;
1321  }
1322 
1323  /* Conver it to self-relative format */
1324  RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
1325  if (RelativeSd == NULL)
1326  {
1327  ERR("AllowDesktopAccessToUser(): Failed to convert security descriptor to self relative format!\n");
1328  goto Quit;
1329  }
1330 
1331  /* Assign new security to desktop based on this descriptor */
1334  {
1335  ERR("AllowDesktopAccessToUser(): Failed to set desktop security descriptor (error code %lu)\n", GetLastError());
1336  goto Quit;
1337  }
1338 
1339  Success = TRUE;
1340 
1341 Quit:
1342  if (WinlogonSid != NULL)
1343  {
1344  FreeSid(WinlogonSid);
1345  }
1346 
1347  if (AdminsSid != NULL)
1348  {
1349  FreeSid(AdminsSid);
1350  }
1351 
1352  if (InteractiveSid != NULL)
1353  {
1355  }
1356 
1357  /* HACK */
1358  if (NetworkServiceSid != NULL)
1359  {
1361  }
1362  /* END HACK */
1363 
1364  if (Dacl != NULL)
1365  {
1366  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
1367  }
1368 
1369  if (RelativeSd != NULL)
1370  {
1371  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
1372  }
1373 
1374  return Success;
1375 }
static DWORD
Definition: security.c:70
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
Definition: security.c:64
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1008
#define TRUE
Definition: types.h:120
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:931
BOOL WINAPI AddAccessAllowedAceEx(PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid)
Definition: security.c:1065
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
#define DESKTOP_ALL
Definition: security.c:14
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
#define SECURITY_INTERACTIVE_RID
Definition: setypes.h:559
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define FALSE
Definition: types.h:117
unsigned int BOOL
Definition: ntddk_ex.h:94
DWORD SECURITY_INFORMATION
Definition: ms-dtyp.idl:311
PVOID WINAPI FreeSid(PSID pSid)
Definition: security.c:700
struct _ACL ACL
BOOL WINAPI SetUserObjectSecurity(_In_ HANDLE, _In_ PSECURITY_INFORMATION, _In_ PSECURITY_DESCRIPTOR)
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1339
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
DWORD WINAPI GetLengthSid(PSID pSid)
Definition: security.c:921
unsigned long DWORD
Definition: ntddk_ex.h:95
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576
#define ERR(fmt,...)
Definition: debug.h:110
PSID InteractiveSid
Definition: globals.c:15
PSID NetworkServiceSid
Definition: globals.c:16
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1552
#define ACL_REVISION
Definition: setypes.h:39
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
#define DESKTOP_ADMINS_LIMITED
Definition: security.c:19
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:676

Referenced by AllowAccessOnSession().

◆ AllowWinstaAccessToUser()

BOOL AllowWinstaAccessToUser ( _In_ HWINSTA  WinSta,
_In_ PSID  LogonSid 
)

Assigns access to the specific logon user to the default window station. Such access is given to the user when it has logged in.

Parameters
[in]WinStaA handle to a window station where the user is given access to it.
[in]LogonSidA pointer to a logon SID that represents the logged in user in question.
Returns
Returns TRUE if the function has successfully assigned access to the user, FALSE otherwise.

Definition at line 874 of file security.c.

877 {
878  BOOL Success = FALSE;
879  SECURITY_DESCRIPTOR AbsoluteSd;
880  PSECURITY_DESCRIPTOR RelativeSd = NULL;
881  PSID WinlogonSid = NULL, AdminsSid = NULL, InteractiveSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
883  DWORD DaclSize;
884  PACL Dacl;
885 
886  /* Create the Winlogon SID */
888  1,
890  0, 0, 0, 0, 0, 0, 0,
891  &WinlogonSid))
892  {
893  ERR("AllowWinstaAccessToUser(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
894  return FALSE;
895  }
896 
897  /* Create the admins SID */
899  2,
902  0, 0, 0, 0, 0, 0,
903  &AdminsSid))
904  {
905  ERR("AllowWinstaAccessToUser(): Failed to create the admins SID (error code %lu)\n", GetLastError());
906  goto Quit;
907  }
908 
909  /* Create the interactive logon SID */
911  1,
913  0, 0, 0, 0, 0, 0, 0,
914  &InteractiveSid))
915  {
916  ERR("AllowWinstaAccessToUser(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
917  goto Quit;
918  }
919 
920  /* HACK: Create the network service SID */
922  1,
924  0, 0, 0, 0, 0, 0, 0,
926  {
927  ERR("AllowWinstaAccessToUser(): Failed to create the network service SID (error code %lu)\n", GetLastError());
928  goto Quit;
929  }
930 
931  /*
932  * Build up the DACL size. This includes a number
933  * of eight ACEs of four different SIDs. The first ACE
934  * gives full winsta access to Winlogon, the second one gives
935  * generic access to Winlogon. Such approach is the same
936  * for both interactive logon users and logon user as well.
937  * Only admins are given limited powers.
938  */
939  DaclSize = sizeof(ACL) +
940  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
941  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
942  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
943  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
944  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(InteractiveSid) +
945  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(InteractiveSid) +
946  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(LogonSid) +
947  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(LogonSid) +
948  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid) + /* HACK */
950 
951  /* Allocate the DACL now */
952  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
954  DaclSize);
955  if (Dacl == NULL)
956  {
957  ERR("AllowWinstaAccessToUser(): Failed to allocate memory buffer for DACL!\n");
958  goto Quit;
959  }
960 
961  /* Initialize it */
963  {
964  ERR("AllowWinstaAccessToUser(): Failed to initialize DACL (error code %lu)\n", GetLastError());
965  goto Quit;
966  }
967 
968  /* First ACE -- Give full winsta access to Winlogon */
970  ACL_REVISION,
972  WINSTA_ALL,
973  WinlogonSid))
974  {
975  ERR("AllowWinstaAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
976  goto Quit;
977  }
978 
979  /* Second ACE -- Give generic access to Winlogon */
981  ACL_REVISION,
984  WinlogonSid))
985  {
986  ERR("AllowWinstaAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
987  goto Quit;
988  }
989 
990  /* Third ACE -- Give limited winsta access to admins */
992  ACL_REVISION,
995  AdminsSid))
996  {
997  ERR("AllowWinstaAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
998  goto Quit;
999  }
1000 
1001  /* Fourth ACE -- Give limited desktop access to admins */
1003  ACL_REVISION,
1006  AdminsSid))
1007  {
1008  ERR("AllowWinstaAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
1009  goto Quit;
1010  }
1011 
1012  /* Fifth ACE -- Give full winsta access to interactive logon users */
1014  ACL_REVISION,
1016  WINSTA_ALL,
1017  InteractiveSid))
1018  {
1019  ERR("AllowWinstaAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1020  goto Quit;
1021  }
1022 
1023  /* Sixth ACE -- Give generic access to interactive logon users */
1025  ACL_REVISION,
1028  InteractiveSid))
1029  {
1030  ERR("AllowWinstaAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1031  goto Quit;
1032  }
1033 
1034  /* Seventh ACE -- Give full winsta access to logon user */
1036  ACL_REVISION,
1038  WINSTA_ALL,
1039  LogonSid))
1040  {
1041  ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1042  goto Quit;
1043  }
1044 
1045  /* Eighth ACE -- Give generic access to logon user */
1047  ACL_REVISION,
1050  LogonSid))
1051  {
1052  ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1053  goto Quit;
1054  }
1055 
1056  /* HACK : Ninenth ACE -- Give full winsta access to network services */
1058  ACL_REVISION,
1060  WINSTA_ALL,
1062  {
1063  ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon network service SID (error code %lu)\n", GetLastError());
1064  goto Quit;
1065  }
1066 
1067  /* HACK: Tenth ACE -- Give generic access to network services */
1069  ACL_REVISION,
1073  {
1074  ERR("AllowWinstaAccessToUser(): Failed to set ACE for network service SID (error code %lu)\n", GetLastError());
1075  goto Quit;
1076  }
1077 
1078  /* Initialize the security descriptor */
1080  {
1081  ERR("AllowWinstaAccessToUser(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
1082  goto Quit;
1083  }
1084 
1085  /* Set the DACL to descriptor */
1086  if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
1087  {
1088  ERR("AllowWinstaAccessToUser(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
1089  goto Quit;
1090  }
1091 
1092  /* Convert it to self-relative format */
1093  RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
1094  if (RelativeSd == NULL)
1095  {
1096  ERR("AllowWinstaAccessToUser(): Failed to convert security descriptor to self relative format!\n");
1097  goto Quit;
1098  }
1099 
1100  /* Set new winsta security based on this descriptor */
1102  if (!SetUserObjectSecurity(WinSta, &SecurityInformation, RelativeSd))
1103  {
1104  ERR("AllowWinstaAccessToUser(): Failed to set window station security descriptor (error code %lu)\n", GetLastError());
1105  goto Quit;
1106  }
1107 
1108  Success = TRUE;
1109 
1110 Quit:
1111  if (WinlogonSid != NULL)
1112  {
1113  FreeSid(WinlogonSid);
1114  }
1115 
1116  if (AdminsSid != NULL)
1117  {
1118  FreeSid(AdminsSid);
1119  }
1120 
1121  if (InteractiveSid != NULL)
1122  {
1124  }
1125 
1126  /* HACK */
1127  if (NetworkServiceSid != NULL)
1128  {
1130  }
1131  /* END HACK */
1132 
1133  if (Dacl != NULL)
1134  {
1135  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
1136  }
1137 
1138  if (RelativeSd != NULL)
1139  {
1140  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
1141  }
1142 
1143  return Success;
1144 }
static DWORD
Definition: security.c:70
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
Definition: security.c:64
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1008
#define TRUE
Definition: types.h:120
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:931
BOOL WINAPI AddAccessAllowedAceEx(PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid)
Definition: security.c:1065
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
#define SECURITY_INTERACTIVE_RID
Definition: setypes.h:559
#define NO_PROPAGATE_INHERIT_ACE
Definition: setypes.h:748
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define FALSE
Definition: types.h:117
unsigned int BOOL
Definition: ntddk_ex.h:94
DWORD SECURITY_INFORMATION
Definition: ms-dtyp.idl:311
PVOID WINAPI FreeSid(PSID pSid)
Definition: security.c:700
struct _ACL ACL
BOOL WINAPI SetUserObjectSecurity(_In_ HANDLE, _In_ PSECURITY_INFORMATION, _In_ PSECURITY_DESCRIPTOR)
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1339
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
#define WINSTA_ALL
Definition: security.c:27
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:747
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
DWORD WINAPI GetLengthSid(PSID pSid)
Definition: security.c:921
unsigned long DWORD
Definition: ntddk_ex.h:95
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576
#define ERR(fmt,...)
Definition: debug.h:110
PSID InteractiveSid
Definition: globals.c:15
PSID NetworkServiceSid
Definition: globals.c:16
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
#define GENERIC_ACCESS
Definition: security.c:35
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1552
#define ACL_REVISION
Definition: setypes.h:39
#define INHERIT_ONLY_ACE
Definition: setypes.h:749
#define WINSTA_ADMINS_LIMITED
Definition: security.c:33
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
#define OBJECT_INHERIT_ACE
Definition: setypes.h:746
#define DESKTOP_ADMINS_LIMITED
Definition: security.c:19
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:676

Referenced by AllowAccessOnSession().

◆ ConvertToSelfRelative()

PSECURITY_DESCRIPTOR ConvertToSelfRelative ( _In_ PSECURITY_DESCRIPTOR  AbsoluteSd)

Converts an absolute security descriptor to a self-relative format.

Parameters
[in]AbsoluteSdA pointer to an absolute security descriptor to be converted.
Returns
Returns a pointer to a converted security descriptor in self-relative format. If the function fails, NULL is returned otherwise.
Remarks
The function allocates the security descriptor buffer in memory heap, the caller is entirely responsible for freeing such buffer from when it's no longer needed.

Definition at line 64 of file security.c.

66 {
67  PSECURITY_DESCRIPTOR RelativeSd;
68  DWORD DescriptorLength = 0;
69 
70  /* Determine the size for our buffer to allocate */
71  if (!MakeSelfRelativeSD(AbsoluteSd, NULL, &DescriptorLength) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
72  {
73  ERR("ConvertToSelfRelative(): Unexpected error code (error code %lu -- must be ERROR_INSUFFICIENT_BUFFER)\n", GetLastError());
74  return NULL;
75  }
76 
77  /* Allocate the buffer now */
78  RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
80  DescriptorLength);
81  if (RelativeSd == NULL)
82  {
83  ERR("ConvertToSelfRelative(): Failed to allocate buffer for relative SD!\n");
84  return NULL;
85  }
86 
87  /* Convert the security descriptor now */
88  if (!MakeSelfRelativeSD(AbsoluteSd, RelativeSd, &DescriptorLength))
89  {
90  ERR("ConvertToSelfRelative(): Failed to convert the security descriptor to a self relative format (error code %lu)\n", GetLastError());
91  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
92  return NULL;
93  }
94 
95  return RelativeSd;
96 }
BOOL WINAPI MakeSelfRelativeSD(PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor, PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, LPDWORD lpdwBufferLength)
Definition: sec.c:214
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
unsigned long DWORD
Definition: ntddk_ex.h:95
#define ERR(fmt,...)
Definition: debug.h:110
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
#define ERROR_INSUFFICIENT_BUFFER
Definition: dderror.h:10

Referenced by AllowDesktopAccessToUser(), AllowWinstaAccessToUser(), CreateApplicationDesktopSecurity(), CreateScreenSaverSecurity(), CreateWinlogonDesktopSecurity(), and CreateWinstaSecurity().

◆ CreateApplicationDesktopSecurity()

BOOL CreateApplicationDesktopSecurity ( _Out_ PSECURITY_DESCRIPTOR ApplicationDesktopSd)

Creates a security descriptor for the default application desktop upon its creation.

Parameters
[out]ApplicationDesktopSdA pointer to a created security descriptor for the application desktop.
Returns
Returns TRUE if the function has successfully created the security descriptor, FALSE otherwise.

Definition at line 359 of file security.c.

361 {
362  BOOL Success = FALSE;
363  SECURITY_DESCRIPTOR AbsoluteSd;
364  PSECURITY_DESCRIPTOR RelativeSd = NULL;
365  PSID WinlogonSid = NULL, AdminsSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
366  DWORD DaclSize;
367  PACL Dacl;
368 
369  /* Create the Winlogon SID */
371  1,
373  0, 0, 0, 0, 0, 0, 0,
374  &WinlogonSid))
375  {
376  ERR("CreateApplicationDesktopSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
377  return FALSE;
378  }
379 
380  /* Create the admins SID */
382  2,
385  0, 0, 0, 0, 0, 0,
386  &AdminsSid))
387  {
388  ERR("CreateApplicationDesktopSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
389  goto Quit;
390  }
391 
392  /* HACK: Create the network service SID */
394  1,
396  0, 0, 0, 0, 0, 0, 0,
398  {
399  ERR("CreateApplicationDesktopSecurity(): Failed to create the network service SID (error code %lu)\n", GetLastError());
400  goto Quit;
401  }
402 
403  /*
404  * Build up the DACL size. This includes a number
405  * of two ACEs of two different SIDs. The first ACE
406  * gives full access to Winlogon, the last one gives
407  * limited desktop access to admins.
408  */
409  DaclSize = sizeof(ACL) +
410  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
411  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
412  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid); /* HACK */
413 
414  /* Allocate the DACL now */
415  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
417  DaclSize);
418  if (Dacl == NULL)
419  {
420  ERR("CreateApplicationDesktopSecurity(): Failed to allocate memory buffer for DACL!\n");
421  goto Quit;
422  }
423 
424  /* Initialize it */
426  {
427  ERR("CreateApplicationDesktopSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
428  goto Quit;
429  }
430 
431  /* First ACE -- Give full desktop power to Winlogon */
433  ACL_REVISION,
434  0,
435  DESKTOP_ALL,
436  WinlogonSid))
437  {
438  ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
439  goto Quit;
440  }
441 
442  /* Second ACE -- Give limited desktop power to admins */
444  ACL_REVISION,
445  0,
447  AdminsSid))
448  {
449  ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
450  goto Quit;
451  }
452 
453  /* HACK: Third ACE -- Give full desktop power to network services */
455  ACL_REVISION,
456  0,
457  DESKTOP_ALL,
459  {
460  ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for network services (error code %lu)\n", GetLastError());
461  goto Quit;
462  }
463 
464  /* Initialize the security descriptor */
466  {
467  ERR("CreateApplicationDesktopSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
468  goto Quit;
469  }
470 
471  /* Set the DACL to the descriptor */
472  if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
473  {
474  ERR("CreateApplicationDesktopSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
475  goto Quit;
476  }
477 
478  /* Conver it to self-relative format */
479  RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
480  if (RelativeSd == NULL)
481  {
482  ERR("CreateApplicationDesktopSecurity(): Failed to convert security descriptor to self relative format!\n");
483  goto Quit;
484  }
485 
486  /* Give the descriptor to the caller */
487  *ApplicationDesktopSd = RelativeSd;
488  Success = TRUE;
489 
490 Quit:
491  if (WinlogonSid != NULL)
492  {
493  FreeSid(WinlogonSid);
494  }
495 
496  if (AdminsSid != NULL)
497  {
498  FreeSid(AdminsSid);
499  }
500 
501  /* HACK */
502  if (NetworkServiceSid != NULL)
503  {
505  }
506  /* END HACK */
507 
508  if (Dacl != NULL)
509  {
510  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
511  }
512 
513  if (Success == FALSE)
514  {
515  if (RelativeSd != NULL)
516  {
517  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
518  }
519  }
520 
521  return Success;
522 }
static DWORD
Definition: security.c:70
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
Definition: security.c:64
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1008
#define TRUE
Definition: types.h:120
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:931
BOOL WINAPI AddAccessAllowedAceEx(PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid)
Definition: security.c:1065
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
#define DESKTOP_ALL
Definition: security.c:14
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define FALSE
Definition: types.h:117
unsigned int BOOL
Definition: ntddk_ex.h:94
PVOID WINAPI FreeSid(PSID pSid)
Definition: security.c:700
struct _ACL ACL
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
DWORD WINAPI GetLengthSid(PSID pSid)
Definition: security.c:921
unsigned long DWORD
Definition: ntddk_ex.h:95
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576
#define ERR(fmt,...)
Definition: debug.h:110
PSID NetworkServiceSid
Definition: globals.c:16
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1552
#define ACL_REVISION
Definition: setypes.h:39
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
#define DESKTOP_ADMINS_LIMITED
Definition: security.c:19
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:676

Referenced by CreateWindowStationAndDesktops().

◆ CreateScreenSaverSecurity()

BOOL CreateScreenSaverSecurity ( _Out_ PSECURITY_DESCRIPTOR ScreenSaverDesktopSd)

Creates a security descriptor for the screen saver desktop.

Parameters
[out]ScreenSaverDesktopSdA pointer to a created security descriptor for the screen-saver desktop.
Returns
Returns TRUE if the function has successfully created the security descriptor, FALSE otherwise.

Definition at line 690 of file security.c.

692 {
693  BOOL Success = FALSE;
694  SECURITY_DESCRIPTOR AbsoluteSd;
695  PSECURITY_DESCRIPTOR RelativeSd = NULL;
696  PSID WinlogonSid = NULL, AdminsSid = NULL, InteractiveSid = NULL;
697  DWORD DaclSize;
698  PACL Dacl;
699 
700  /* Create the Winlogon SID */
702  1,
704  0, 0, 0, 0, 0, 0, 0,
705  &WinlogonSid))
706  {
707  ERR("CreateScreenSaverSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
708  return FALSE;
709  }
710 
711  /* Create the admins SID */
713  2,
716  0, 0, 0, 0, 0, 0,
717  &AdminsSid))
718  {
719  ERR("CreateScreenSaverSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
720  goto Quit;
721  }
722 
723  /* Create the interactive logon SID */
725  1,
727  0, 0, 0, 0, 0, 0, 0,
728  &InteractiveSid))
729  {
730  ERR("CreateScreenSaverSecurity(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
731  goto Quit;
732  }
733 
734  /*
735  * Build up the DACL size. This includes a number
736  * of three ACEs of three different SIDs. The first ACE
737  * gives full access to Winlogon, the second one gives
738  * limited desktop access to admins and the last one
739  * gives full desktop access to users who have logged in
740  * interactively.
741  */
742  DaclSize = sizeof(ACL) +
743  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
744  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
746 
747  /* Allocate the DACL now */
748  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
750  DaclSize);
751  if (Dacl == NULL)
752  {
753  ERR("CreateScreenSaverSecurity(): Failed to allocate memory buffer for DACL!\n");
754  goto Quit;
755  }
756 
757  /* Initialize it */
759  {
760  ERR("CreateScreenSaverSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
761  goto Quit;
762  }
763 
764  /* First ACE -- Give full desktop access to Winlogon */
766  ACL_REVISION,
767  0,
768  DESKTOP_ALL,
769  WinlogonSid))
770  {
771  ERR("CreateScreenSaverSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
772  goto Quit;
773  }
774 
775  /* Second ACE -- Give limited desktop access to admins */
777  ACL_REVISION,
780  AdminsSid))
781  {
782  ERR("CreateScreenSaverSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
783  goto Quit;
784  }
785 
786  /* Third ACE -- Give full desktop access to interactive logon users */
788  ACL_REVISION,
792  {
793  ERR("CreateScreenSaverSecurity(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
794  goto Quit;
795  }
796 
797  /* Initialize the security descriptor */
799  {
800  ERR("CreateScreenSaverSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
801  goto Quit;
802  }
803 
804  /* Set the DACL to the descriptor */
805  if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
806  {
807  ERR("CreateScreenSaverSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
808  goto Quit;
809  }
810 
811  /* Conver it to self-relative format */
812  RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
813  if (RelativeSd == NULL)
814  {
815  ERR("CreateScreenSaverSecurity(): Failed to convert security descriptor to self relative format!\n");
816  goto Quit;
817  }
818 
819  /* Give the descriptor to the caller */
820  *ScreenSaverDesktopSd = RelativeSd;
821  Success = TRUE;
822 
823 Quit:
824  if (WinlogonSid != NULL)
825  {
826  FreeSid(WinlogonSid);
827  }
828 
829  if (AdminsSid != NULL)
830  {
831  FreeSid(AdminsSid);
832  }
833 
834  if (InteractiveSid != NULL)
835  {
837  }
838 
839  if (Dacl != NULL)
840  {
841  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
842  }
843 
844  if (Success == FALSE)
845  {
846  if (RelativeSd != NULL)
847  {
848  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
849  }
850  }
851 
852  return Success;
853 }
static DWORD
Definition: security.c:70
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
Definition: security.c:64
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1008
#define TRUE
Definition: types.h:120
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:931
BOOL WINAPI AddAccessAllowedAceEx(PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid)
Definition: security.c:1065
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
#define DESKTOP_ALL
Definition: security.c:14
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
#define SECURITY_INTERACTIVE_RID
Definition: setypes.h:559
#define NO_PROPAGATE_INHERIT_ACE
Definition: setypes.h:748
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define FALSE
Definition: types.h:117
unsigned int BOOL
Definition: ntddk_ex.h:94
PVOID WINAPI FreeSid(PSID pSid)
Definition: security.c:700
struct _ACL ACL
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
DWORD WINAPI GetLengthSid(PSID pSid)
Definition: security.c:921
unsigned long DWORD
Definition: ntddk_ex.h:95
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
#define DESKTOP_INTERACTIVE_LIMITED
Definition: security.c:22
#define ERR(fmt,...)
Definition: debug.h:110
PSID InteractiveSid
Definition: globals.c:15
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1552
#define ACL_REVISION
Definition: setypes.h:39
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
#define DESKTOP_ADMINS_LIMITED
Definition: security.c:19
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:676

Referenced by CreateWindowStationAndDesktops().

◆ CreateWinlogonDesktopSecurity()

BOOL CreateWinlogonDesktopSecurity ( _Out_ PSECURITY_DESCRIPTOR WinlogonDesktopSd)

Creates a security descriptor for the default Winlogon desktop. This descriptor serves as a security measure for the winlogon desktop so that only Winlogon itself (and admins) can interact with it.

Parameters
[out]WinlogonDesktopSdA pointer to a created security descriptor for the Winlogon desktop.
Returns
Returns TRUE if the function has successfully created the security descriptor, FALSE otherwise.

Definition at line 541 of file security.c.

543 {
544  BOOL Success = FALSE;
545  SECURITY_DESCRIPTOR AbsoluteSd;
546  PSECURITY_DESCRIPTOR RelativeSd = NULL;
547  PSID WinlogonSid = NULL, AdminsSid = NULL;
548  DWORD DaclSize;
549  PACL Dacl;
550 
551  /* Create the Winlogon SID */
553  1,
555  0, 0, 0, 0, 0, 0, 0,
556  &WinlogonSid))
557  {
558  ERR("CreateWinlogonDesktopSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
559  return FALSE;
560  }
561 
562  /* Create the admins SID */
564  2,
567  0, 0, 0, 0, 0, 0,
568  &AdminsSid))
569  {
570  ERR("CreateWinlogonDesktopSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
571  goto Quit;
572  }
573 
574  /*
575  * Build up the DACL size. This includes a number
576  * of two ACEs of two different SIDs. The first ACE
577  * gives full access to Winlogon, the last one gives
578  * limited desktop access to admins.
579  */
580  DaclSize = sizeof(ACL) +
581  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
582  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid);
583 
584  /* Allocate the DACL now */
585  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
587  DaclSize);
588  if (Dacl == NULL)
589  {
590  ERR("CreateWinlogonDesktopSecurity(): Failed to allocate memory buffer for DACL!\n");
591  goto Quit;
592  }
593 
594  /* Initialize it */
596  {
597  ERR("CreateWinlogonDesktopSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
598  goto Quit;
599  }
600 
601  /* First ACE -- Give full desktop access to Winlogon */
603  ACL_REVISION,
604  0,
605  DESKTOP_ALL,
606  WinlogonSid))
607  {
608  ERR("CreateWinlogonDesktopSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
609  goto Quit;
610  }
611 
612  /* Second ACE -- Give limited desktop access to admins */
614  ACL_REVISION,
615  0,
617  AdminsSid))
618  {
619  ERR("CreateWinlogonDesktopSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
620  goto Quit;
621  }
622 
623  /* Initialize the security descriptor */
625  {
626  ERR("CreateWinlogonDesktopSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
627  goto Quit;
628  }
629 
630  /* Set the DACL to the descriptor */
631  if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
632  {
633  ERR("CreateWinlogonDesktopSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
634  goto Quit;
635  }
636 
637  /* Conver it to self-relative format */
638  RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
639  if (RelativeSd == NULL)
640  {
641  ERR("CreateWinlogonDesktopSecurity(): Failed to convert security descriptor to self relative format!\n");
642  goto Quit;
643  }
644 
645  /* Give the descriptor to the caller */
646  *WinlogonDesktopSd = RelativeSd;
647  Success = TRUE;
648 
649 Quit:
650  if (WinlogonSid != NULL)
651  {
652  FreeSid(WinlogonSid);
653  }
654 
655  if (AdminsSid != NULL)
656  {
657  FreeSid(AdminsSid);
658  }
659 
660  if (Dacl != NULL)
661  {
662  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
663  }
664 
665  if (Success == FALSE)
666  {
667  if (RelativeSd != NULL)
668  {
669  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
670  }
671  }
672 
673  return Success;
674 }
static DWORD
Definition: security.c:70
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
Definition: security.c:64
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1008
#define TRUE
Definition: types.h:120
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:931
BOOL WINAPI AddAccessAllowedAceEx(PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid)
Definition: security.c:1065
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
#define DESKTOP_ALL
Definition: security.c:14
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define FALSE
Definition: types.h:117
unsigned int BOOL
Definition: ntddk_ex.h:94
PVOID WINAPI FreeSid(PSID pSid)
Definition: security.c:700
struct _ACL ACL
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
DWORD WINAPI GetLengthSid(PSID pSid)
Definition: security.c:921
unsigned long DWORD
Definition: ntddk_ex.h:95
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
#define DESKTOP_WINLOGON_ADMINS_LIMITED
Definition: security.c:25
#define ERR(fmt,...)
Definition: debug.h:110
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1552
#define ACL_REVISION
Definition: setypes.h:39
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:676

Referenced by CreateWindowStationAndDesktops().

◆ CreateWinstaSecurity()

BOOL CreateWinstaSecurity ( _Out_ PSECURITY_DESCRIPTOR WinstaSd)

Creates a security descriptor for the default window station upon its creation.

Parameters
[out]WinstaSdA pointer to a created security descriptor for the window station.
Returns
Returns TRUE if the function has successfully created the security descriptor, FALSE otherwise.

Definition at line 112 of file security.c.

114 {
115  BOOL Success = FALSE;
116  SECURITY_DESCRIPTOR AbsoluteSd;
117  PSECURITY_DESCRIPTOR RelativeSd = NULL;
118  PSID WinlogonSid = NULL, AdminsSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment below for information */
119  DWORD DaclSize;
120  PACL Dacl;
121 
122  /* Create the Winlogon SID */
124  1,
126  0, 0, 0, 0, 0, 0, 0,
127  &WinlogonSid))
128  {
129  ERR("CreateWinstaSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
130  return FALSE;
131  }
132 
133  /* Create the admins SID */
135  2,
138  0, 0, 0, 0, 0, 0,
139  &AdminsSid))
140  {
141  ERR("CreateWinstaSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
142  goto Quit;
143  }
144 
145  /* HACK: Create the network service SID */
147  1,
149  0, 0, 0, 0, 0, 0, 0,
151  {
152  ERR("CreateWinstaSecurity(): Failed to create the network service SID (error code %lu)\n", GetLastError());
153  goto Quit;
154  }
155 
156  /*
157  * Build up the DACL size. This includes a number
158  * of four ACEs of two different SIDs. The first two
159  * ACEs give both window station and generic access
160  * to Winlogon, the last two give limited window station
161  * and desktop access to admins.
162  *
163  * ===================== !!!MUST READ!!! =====================
164  *
165  * HACK -- Include in the DACL two more ACEs for network
166  * service SID. Network services will be granted full
167  * access to the default window station. Whilst technically
168  * services that are either network or local ones are part
169  * and act on behalf of the system, what we are doing here
170  * is a hack because of two reasons:
171  *
172  * 1) Winlogon does not allow default window station (Winsta0)
173  * access to network services on Windows. As a matter of fact,
174  * network services must access their own service window station
175  * (aka Service-0x0-3e4$) which never gets created. Why it never
176  * gets created is explained on the second point.
177  *
178  * 2) Our LSASS terribly lacks in code that handles special logon
179  * service types, NetworkService and LocalService. For this reason
180  * whenever an access token is created for a network service process
181  * for example, its authentication ID (aka LogonId represented as a LUID)
182  * is a uniquely generated ID by LSASS for this process. This is wrong
183  * on so many levels, partly because a network service is not a regular
184  * service and network services have their own special authentication logon
185  * ID (with its respective LUID as {0x3e4, 0x0}). On top of that, a network
186  * service process must have an impersonation token but for whatever reason
187  * we are creating a primary access token instead.
188  *
189  * FOR ANYONE WHO'S INTERESTED ON FIXING THIS, DO NOT FORGET TO REMOVE THIS
190  * HACK!!!
191  *
192  * =========================== !!!END!!! ================================
193  */
194  DaclSize = sizeof(ACL) +
195  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
196  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
197  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
198  sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
201 
202  /* Allocate the DACL now */
203  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
205  DaclSize);
206  if (Dacl == NULL)
207  {
208  ERR("CreateWinstaSecurity(): Failed to allocate memory buffer for DACL!\n");
209  goto Quit;
210  }
211 
212  /* Initialize it */
214  {
215  ERR("CreateWinstaSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
216  goto Quit;
217  }
218 
219  /* First ACE -- give full winsta access to Winlogon */
221  ACL_REVISION,
223  WINSTA_ALL,
224  WinlogonSid))
225  {
226  ERR("CreateWinstaSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
227  goto Quit;
228  }
229 
230  /* Second ACE -- give full generic access to Winlogon */
232  ACL_REVISION,
235  WinlogonSid))
236  {
237  ERR("CreateWinstaSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
238  goto Quit;
239  }
240 
241  /* Third ACE -- give limited winsta access to admins */
243  ACL_REVISION,
246  AdminsSid))
247  {
248  ERR("CreateWinstaSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
249  goto Quit;
250  }
251 
252  /* Fourth ACE -- give limited desktop access to admins */
254  ACL_REVISION,
257  AdminsSid))
258  {
259  ERR("CreateWinstaSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
260  goto Quit;
261  }
262 
263  /* HACK: Fifth ACE -- give full access to network services */
265  ACL_REVISION,
267  WINSTA_ALL,
269  {
270  ERR("CreateWinstaSecurity(): Failed to set ACE for network service (error code %lu)\n", GetLastError());
271  goto Quit;
272  }
273 
274  /* HACK: Sixth ACE -- give full generic access to network services */
276  ACL_REVISION,
280  {
281  ERR("CreateWinstaSecurity(): Failed to set ACE for network service (error code %lu)\n", GetLastError());
282  goto Quit;
283  }
284 
285  /* Initialize the security descriptor */
287  {
288  ERR("CreateWinstaSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
289  goto Quit;
290  }
291 
292  /* Set the DACL to the descriptor */
293  if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
294  {
295  ERR("CreateWinstaSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
296  goto Quit;
297  }
298 
299  /* Convert it to self-relative format */
300  RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
301  if (RelativeSd == NULL)
302  {
303  ERR("CreateWinstaSecurity(): Failed to convert security descriptor to self relative format!\n");
304  goto Quit;
305  }
306 
307  /* Give the descriptor to the caller */
308  *WinstaSd = RelativeSd;
309  Success = TRUE;
310 
311 Quit:
312  if (WinlogonSid != NULL)
313  {
314  FreeSid(WinlogonSid);
315  }
316 
317  if (AdminsSid != NULL)
318  {
319  FreeSid(AdminsSid);
320  }
321 
322  /* HACK */
323  if (NetworkServiceSid != NULL)
324  {
326  }
327  /* END HACK */
328 
329  if (Dacl != NULL)
330  {
331  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
332  }
333 
334  if (Success == FALSE)
335  {
336  if (RelativeSd != NULL)
337  {
338  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
339  }
340  }
341 
342  return Success;
343 }
static DWORD
Definition: security.c:70
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
Definition: security.c:64
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1008
#define TRUE
Definition: types.h:120
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:931
BOOL WINAPI AddAccessAllowedAceEx(PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid)
Definition: security.c:1065
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
DWORD WINAPI GetLastError(VOID)
Definition: except.c:1040
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
#define NO_PROPAGATE_INHERIT_ACE
Definition: setypes.h:748
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define FALSE
Definition: types.h:117
unsigned int BOOL
Definition: ntddk_ex.h:94
PVOID WINAPI FreeSid(PSID pSid)
Definition: security.c:700
struct _ACL ACL
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
#define WINSTA_ALL
Definition: security.c:27
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:747
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
DWORD WINAPI GetLengthSid(PSID pSid)
Definition: security.c:921
unsigned long DWORD
Definition: ntddk_ex.h:95
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576
#define ERR(fmt,...)
Definition: debug.h:110
PSID NetworkServiceSid
Definition: globals.c:16
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
#define GENERIC_ACCESS
Definition: security.c:35
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1552
#define ACL_REVISION
Definition: setypes.h:39
#define INHERIT_ONLY_ACE
Definition: setypes.h:749
#define WINSTA_ADMINS_LIMITED
Definition: security.c:33
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
#define OBJECT_INHERIT_ACE
Definition: setypes.h:746
#define DESKTOP_ADMINS_LIMITED
Definition: security.c:19
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:676

Referenced by CreateWindowStationAndDesktops().

Variable Documentation

◆ NtAuthority