ReactOS 0.4.16-dev-1946-g52006dd
security.c
Go to the documentation of this file.
1/*
2 * PROJECT: ReactOS Winlogon
3 * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4 * PURPOSE: Security utility infrastructure implementation of Winlogon
5 * COPYRIGHT: Copyright 2022 George Bișoc <george.bisoc@reactos.org>
6 */
7
8/* INCLUDES *****************************************************************/
9
10#include "winlogon.h"
11
12/* DEFINES ******************************************************************/
13
14#define DESKTOP_ALL (DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW | \
15 DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD | \
16 DESKTOP_JOURNALPLAYBACK | DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \
17 DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED)
18
19#define DESKTOP_ADMINS_LIMITED (DESKTOP_WRITEOBJECTS | DESKTOP_READOBJECTS | \
20 DESKTOP_CREATEWINDOW | DESKTOP_CREATEMENU | DESKTOP_ENUMERATE)
21
22#define DESKTOP_INTERACTIVE_LIMITED (STANDARD_RIGHTS_READ | DESKTOP_ENUMERATE | \
23 DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW)
24
25#define DESKTOP_WINLOGON_ADMINS_LIMITED (STANDARD_RIGHTS_REQUIRED | DESKTOP_ENUMERATE)
26
27#define WINSTA_ALL (WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES | \
28 WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | \
29 WINSTA_WRITEATTRIBUTES | WINSTA_ACCESSGLOBALATOMS | \
30 WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | WINSTA_READSCREEN | \
31 STANDARD_RIGHTS_REQUIRED)
32
33#define WINSTA_ADMINS_LIMITED (WINSTA_READATTRIBUTES | WINSTA_ENUMERATE)
34
35#define GENERIC_ACCESS (GENERIC_READ | GENERIC_WRITE | \
36 GENERIC_EXECUTE | GENERIC_ALL)
37
38/* GLOBALS ******************************************************************/
39
40static SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
41
42/* FUNCTIONS ****************************************************************/
43
63PSECURITY_DESCRIPTOR
64ConvertToSelfRelative(
65 _In_ PSECURITY_DESCRIPTOR AbsoluteSd)
66{
67 PSECURITY_DESCRIPTOR RelativeSd;
68 DWORD DescriptorLength = 0;
69
70 /* Determine the size for allocating our buffer */
71 if (MakeSelfRelativeSD(AbsoluteSd, NULL, &DescriptorLength) ||
72 (GetLastError() != ERROR_INSUFFICIENT_BUFFER))
73 {
74 ERR("ConvertToSelfRelative(): error %lu, expected ERROR_INSUFFICIENT_BUFFER\n", GetLastError());
75 return NULL;
76 }
77
78 /* Allocate the buffer now */
79 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
80 HEAP_ZERO_MEMORY,
81 DescriptorLength);
82 if (RelativeSd == NULL)
83 {
84 ERR("ConvertToSelfRelative(): Failed to allocate buffer for relative SD\n");
85 return NULL;
86 }
87
88 /* Convert the security descriptor now */
89 if (!MakeSelfRelativeSD(AbsoluteSd, RelativeSd, &DescriptorLength))
90 {
91 ERR("ConvertToSelfRelative(): Failed to convert the security descriptor to a self relative format (error %lu)\n", GetLastError());
92 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
93 return NULL;
94 }
95
96 return RelativeSd;
97}
98
112BOOL
113CreateWinstaSecurity(
114 _Out_ PSECURITY_DESCRIPTOR *WinstaSd)
115{
116 BOOL Success = FALSE;
117 SECURITY_DESCRIPTOR AbsoluteSd;
118 PSECURITY_DESCRIPTOR RelativeSd = NULL;
119 PSID WinlogonSid = NULL, AdminsSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment below for information */
120 DWORD DaclSize;
121 PACL Dacl;
122
123 /* Create the Winlogon SID */
124 if (!AllocateAndInitializeSid(&NtAuthority,
125 1,
126 SECURITY_LOCAL_SYSTEM_RID,
127 0, 0, 0, 0, 0, 0, 0,
128 &WinlogonSid))
129 {
130 ERR("CreateWinstaSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
131 return FALSE;
132 }
133
134 /* Create the admins SID */
135 if (!AllocateAndInitializeSid(&NtAuthority,
136 2,
137 SECURITY_BUILTIN_DOMAIN_RID,
138 DOMAIN_ALIAS_RID_ADMINS,
139 0, 0, 0, 0, 0, 0,
140 &AdminsSid))
141 {
142 ERR("CreateWinstaSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
143 goto Quit;
144 }
145
146 /* HACK: Create the network service SID */
147 if (!AllocateAndInitializeSid(&NtAuthority,
148 1,
149 SECURITY_NETWORK_SERVICE_RID,
150 0, 0, 0, 0, 0, 0, 0,
151 &NetworkServiceSid))
152 {
153 ERR("CreateWinstaSecurity(): Failed to create the network service SID (error code %lu)\n", GetLastError());
154 goto Quit;
155 }
156
157 /*
158 * Build up the DACL size. This includes a number
159 * of four ACEs of two different SIDs. The first two
160 * ACEs give both window station and generic access
161 * to Winlogon, the last two give limited window station
162 * and desktop access to admins.
163 *
164 * ===================== !!!MUST READ!!! =====================
165 *
166 * HACK -- Include in the DACL two more ACEs for network
167 * service SID. Network services will be granted full
168 * access to the default window station. Whilst technically
169 * services that are either network or local ones are part
170 * and act on behalf of the system, what we are doing here
171 * is a hack because of two reasons:
172 *
173 * 1) Winlogon does not allow default window station (Winsta0)
174 * access to network services on Windows. As a matter of fact,
175 * network services must access their own service window station
176 * (aka Service-0x0-3e4$) which never gets created. Why it never
177 * gets created is explained on the second point.
178 *
179 * 2) Our LSASS terribly lacks in code that handles special logon
180 * service types, NetworkService and LocalService. For this reason
181 * whenever an access token is created for a network service process
182 * for example, its authentication ID (aka LogonId represented as a LUID)
183 * is a uniquely generated ID by LSASS for this process. This is wrong
184 * on so many levels, partly because a network service is not a regular
185 * service and network services have their own special authentication logon
186 * ID (with its respective LUID as {0x3e4, 0x0}). On top of that, a network
187 * service process must have an impersonation token but for whatever reason
188 * we are creating a primary access token instead.
189 *
190 * FOR ANYONE WHO'S INTERESTED ON FIXING THIS, DO NOT FORGET TO REMOVE THIS
191 * HACK!!!
192 *
193 * =========================== !!!END!!! ================================
194 */
195 DaclSize = sizeof(ACL) +
196 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
197 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
198 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
199 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
200 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid) +
201 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid);
202
203 /* Allocate the DACL now */
204 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
205 HEAP_ZERO_MEMORY,
206 DaclSize);
207 if (Dacl == NULL)
208 {
209 ERR("CreateWinstaSecurity(): Failed to allocate memory buffer for DACL!\n");
210 goto Quit;
211 }
212
213 /* Initialize it */
214 if (!InitializeAcl(Dacl, DaclSize, ACL_REVISION))
215 {
216 ERR("CreateWinstaSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
217 goto Quit;
218 }
219
220 /* First ACE -- give full winsta access to Winlogon */
221 if (!AddAccessAllowedAceEx(Dacl,
222 ACL_REVISION,
223 NO_PROPAGATE_INHERIT_ACE,
224 WINSTA_ALL,
225 WinlogonSid))
226 {
227 ERR("CreateWinstaSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
228 goto Quit;
229 }
230
231 /* Second ACE -- give full generic access to Winlogon */
232 if (!AddAccessAllowedAceEx(Dacl,
233 ACL_REVISION,
234 INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
235 GENERIC_ACCESS,
236 WinlogonSid))
237 {
238 ERR("CreateWinstaSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
239 goto Quit;
240 }
241
242 /* Third ACE -- give limited winsta access to admins */
243 if (!AddAccessAllowedAceEx(Dacl,
244 ACL_REVISION,
245 NO_PROPAGATE_INHERIT_ACE,
246 WINSTA_ADMINS_LIMITED,
247 AdminsSid))
248 {
249 ERR("CreateWinstaSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
250 goto Quit;
251 }
252
253 /* Fourth ACE -- give limited desktop access to admins */
254 if (!AddAccessAllowedAceEx(Dacl,
255 ACL_REVISION,
256 INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
257 DESKTOP_ADMINS_LIMITED,
258 AdminsSid))
259 {
260 ERR("CreateWinstaSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
261 goto Quit;
262 }
263
264 /* HACK: Fifth ACE -- give full access to network services */
265 if (!AddAccessAllowedAceEx(Dacl,
266 ACL_REVISION,
267 NO_PROPAGATE_INHERIT_ACE,
268 WINSTA_ALL,
269 NetworkServiceSid))
270 {
271 ERR("CreateWinstaSecurity(): Failed to set ACE for network service (error code %lu)\n", GetLastError());
272 goto Quit;
273 }
274
275 /* HACK: Sixth ACE -- give full generic access to network services */
276 if (!AddAccessAllowedAceEx(Dacl,
277 ACL_REVISION,
278 INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
279 GENERIC_ACCESS,
280 NetworkServiceSid))
281 {
282 ERR("CreateWinstaSecurity(): Failed to set ACE for network service (error code %lu)\n", GetLastError());
283 goto Quit;
284 }
285
286 /* Initialize the security descriptor */
287 if (!InitializeSecurityDescriptor(&AbsoluteSd, SECURITY_DESCRIPTOR_REVISION))
288 {
289 ERR("CreateWinstaSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
290 goto Quit;
291 }
292
293 /* Set the DACL to the descriptor */
294 if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
295 {
296 ERR("CreateWinstaSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
297 goto Quit;
298 }
299
300 /* Convert it to self-relative format */
301 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
302 if (RelativeSd == NULL)
303 {
304 ERR("CreateWinstaSecurity(): Failed to convert security descriptor to self relative format!\n");
305 goto Quit;
306 }
307
308 /* Give the descriptor to the caller */
309 *WinstaSd = RelativeSd;
310 Success = TRUE;
311
312Quit:
313 if (WinlogonSid != NULL)
314 {
315 FreeSid(WinlogonSid);
316 }
317
318 if (AdminsSid != NULL)
319 {
320 FreeSid(AdminsSid);
321 }
322
323 /* HACK */
324 if (NetworkServiceSid != NULL)
325 {
326 FreeSid(NetworkServiceSid);
327 }
328 /* END HACK */
329
330 if (Dacl != NULL)
331 {
332 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
333 }
334
335 if (Success == FALSE)
336 {
337 if (RelativeSd != NULL)
338 {
339 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
340 }
341 }
342
343 return Success;
344}
345
359BOOL
360CreateApplicationDesktopSecurity(
361 _Out_ PSECURITY_DESCRIPTOR *ApplicationDesktopSd)
362{
363 BOOL Success = FALSE;
364 SECURITY_DESCRIPTOR AbsoluteSd;
365 PSECURITY_DESCRIPTOR RelativeSd = NULL;
366 PSID WinlogonSid = NULL, AdminsSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
367 DWORD DaclSize;
368 PACL Dacl;
369
370 /* Create the Winlogon SID */
371 if (!AllocateAndInitializeSid(&NtAuthority,
372 1,
373 SECURITY_LOCAL_SYSTEM_RID,
374 0, 0, 0, 0, 0, 0, 0,
375 &WinlogonSid))
376 {
377 ERR("CreateApplicationDesktopSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
378 return FALSE;
379 }
380
381 /* Create the admins SID */
382 if (!AllocateAndInitializeSid(&NtAuthority,
383 2,
384 SECURITY_BUILTIN_DOMAIN_RID,
385 DOMAIN_ALIAS_RID_ADMINS,
386 0, 0, 0, 0, 0, 0,
387 &AdminsSid))
388 {
389 ERR("CreateApplicationDesktopSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
390 goto Quit;
391 }
392
393 /* HACK: Create the network service SID */
394 if (!AllocateAndInitializeSid(&NtAuthority,
395 1,
396 SECURITY_NETWORK_SERVICE_RID,
397 0, 0, 0, 0, 0, 0, 0,
398 &NetworkServiceSid))
399 {
400 ERR("CreateApplicationDesktopSecurity(): Failed to create the network service SID (error code %lu)\n", GetLastError());
401 goto Quit;
402 }
403
404 /*
405 * Build up the DACL size. This includes a number
406 * of two ACEs of two different SIDs. The first ACE
407 * gives full access to Winlogon, the last one gives
408 * limited desktop access to admins.
409 */
410 DaclSize = sizeof(ACL) +
411 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
412 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
413 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid); /* HACK */
414
415 /* Allocate the DACL now */
416 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
417 HEAP_ZERO_MEMORY,
418 DaclSize);
419 if (Dacl == NULL)
420 {
421 ERR("CreateApplicationDesktopSecurity(): Failed to allocate memory buffer for DACL!\n");
422 goto Quit;
423 }
424
425 /* Initialize it */
426 if (!InitializeAcl(Dacl, DaclSize, ACL_REVISION))
427 {
428 ERR("CreateApplicationDesktopSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
429 goto Quit;
430 }
431
432 /* First ACE -- Give full desktop power to Winlogon */
433 if (!AddAccessAllowedAceEx(Dacl,
434 ACL_REVISION,
435 0,
436 DESKTOP_ALL,
437 WinlogonSid))
438 {
439 ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
440 goto Quit;
441 }
442
443 /* Second ACE -- Give limited desktop power to admins */
444 if (!AddAccessAllowedAceEx(Dacl,
445 ACL_REVISION,
446 0,
447 DESKTOP_ADMINS_LIMITED,
448 AdminsSid))
449 {
450 ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
451 goto Quit;
452 }
453
454 /* HACK: Third ACE -- Give full desktop power to network services */
455 if (!AddAccessAllowedAceEx(Dacl,
456 ACL_REVISION,
457 0,
458 DESKTOP_ALL,
459 NetworkServiceSid))
460 {
461 ERR("CreateApplicationDesktopSecurity(): Failed to set ACE for network services (error code %lu)\n", GetLastError());
462 goto Quit;
463 }
464
465 /* Initialize the security descriptor */
466 if (!InitializeSecurityDescriptor(&AbsoluteSd, SECURITY_DESCRIPTOR_REVISION))
467 {
468 ERR("CreateApplicationDesktopSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
469 goto Quit;
470 }
471
472 /* Set the DACL to the descriptor */
473 if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
474 {
475 ERR("CreateApplicationDesktopSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
476 goto Quit;
477 }
478
479 /* Conver it to self-relative format */
480 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
481 if (RelativeSd == NULL)
482 {
483 ERR("CreateApplicationDesktopSecurity(): Failed to convert security descriptor to self relative format!\n");
484 goto Quit;
485 }
486
487 /* Give the descriptor to the caller */
488 *ApplicationDesktopSd = RelativeSd;
489 Success = TRUE;
490
491Quit:
492 if (WinlogonSid != NULL)
493 {
494 FreeSid(WinlogonSid);
495 }
496
497 if (AdminsSid != NULL)
498 {
499 FreeSid(AdminsSid);
500 }
501
502 /* HACK */
503 if (NetworkServiceSid != NULL)
504 {
505 FreeSid(NetworkServiceSid);
506 }
507 /* END HACK */
508
509 if (Dacl != NULL)
510 {
511 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
512 }
513
514 if (Success == FALSE)
515 {
516 if (RelativeSd != NULL)
517 {
518 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
519 }
520 }
521
522 return Success;
523}
524
541BOOL
542CreateWinlogonDesktopSecurity(
543 _Out_ PSECURITY_DESCRIPTOR *WinlogonDesktopSd)
544{
545 BOOL Success = FALSE;
546 SECURITY_DESCRIPTOR AbsoluteSd;
547 PSECURITY_DESCRIPTOR RelativeSd = NULL;
548 PSID WinlogonSid = NULL, AdminsSid = NULL;
549 DWORD DaclSize;
550 PACL Dacl;
551
552 /* Create the Winlogon SID */
553 if (!AllocateAndInitializeSid(&NtAuthority,
554 1,
555 SECURITY_LOCAL_SYSTEM_RID,
556 0, 0, 0, 0, 0, 0, 0,
557 &WinlogonSid))
558 {
559 ERR("CreateWinlogonDesktopSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
560 return FALSE;
561 }
562
563 /* Create the admins SID */
564 if (!AllocateAndInitializeSid(&NtAuthority,
565 2,
566 SECURITY_BUILTIN_DOMAIN_RID,
567 DOMAIN_ALIAS_RID_ADMINS,
568 0, 0, 0, 0, 0, 0,
569 &AdminsSid))
570 {
571 ERR("CreateWinlogonDesktopSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
572 goto Quit;
573 }
574
575 /*
576 * Build up the DACL size. This includes a number
577 * of two ACEs of two different SIDs. The first ACE
578 * gives full access to Winlogon, the last one gives
579 * limited desktop access to admins.
580 */
581 DaclSize = sizeof(ACL) +
582 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
583 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid);
584
585 /* Allocate the DACL now */
586 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
587 HEAP_ZERO_MEMORY,
588 DaclSize);
589 if (Dacl == NULL)
590 {
591 ERR("CreateWinlogonDesktopSecurity(): Failed to allocate memory buffer for DACL!\n");
592 goto Quit;
593 }
594
595 /* Initialize it */
596 if (!InitializeAcl(Dacl, DaclSize, ACL_REVISION))
597 {
598 ERR("CreateWinlogonDesktopSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
599 goto Quit;
600 }
601
602 /* First ACE -- Give full desktop access to Winlogon */
603 if (!AddAccessAllowedAceEx(Dacl,
604 ACL_REVISION,
605 0,
606 DESKTOP_ALL,
607 WinlogonSid))
608 {
609 ERR("CreateWinlogonDesktopSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
610 goto Quit;
611 }
612
613 /* Second ACE -- Give limited desktop access to admins */
614 if (!AddAccessAllowedAceEx(Dacl,
615 ACL_REVISION,
616 0,
617 DESKTOP_WINLOGON_ADMINS_LIMITED,
618 AdminsSid))
619 {
620 ERR("CreateWinlogonDesktopSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
621 goto Quit;
622 }
623
624 /* Initialize the security descriptor */
625 if (!InitializeSecurityDescriptor(&AbsoluteSd, SECURITY_DESCRIPTOR_REVISION))
626 {
627 ERR("CreateWinlogonDesktopSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
628 goto Quit;
629 }
630
631 /* Set the DACL to the descriptor */
632 if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
633 {
634 ERR("CreateWinlogonDesktopSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
635 goto Quit;
636 }
637
638 /* Conver it to self-relative format */
639 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
640 if (RelativeSd == NULL)
641 {
642 ERR("CreateWinlogonDesktopSecurity(): Failed to convert security descriptor to self relative format!\n");
643 goto Quit;
644 }
645
646 /* Give the descriptor to the caller */
647 *WinlogonDesktopSd = RelativeSd;
648 Success = TRUE;
649
650Quit:
651 if (WinlogonSid != NULL)
652 {
653 FreeSid(WinlogonSid);
654 }
655
656 if (AdminsSid != NULL)
657 {
658 FreeSid(AdminsSid);
659 }
660
661 if (Dacl != NULL)
662 {
663 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
664 }
665
666 if (Success == FALSE)
667 {
668 if (RelativeSd != NULL)
669 {
670 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
671 }
672 }
673
674 return Success;
675}
676
690BOOL
691CreateScreenSaverSecurity(
692 _Out_ PSECURITY_DESCRIPTOR *ScreenSaverDesktopSd)
693{
694 BOOL Success = FALSE;
695 SECURITY_DESCRIPTOR AbsoluteSd;
696 PSECURITY_DESCRIPTOR RelativeSd = NULL;
697 PSID WinlogonSid = NULL, AdminsSid = NULL, InteractiveSid = NULL;
698 DWORD DaclSize;
699 PACL Dacl;
700
701 /* Create the Winlogon SID */
702 if (!AllocateAndInitializeSid(&NtAuthority,
703 1,
704 SECURITY_LOCAL_SYSTEM_RID,
705 0, 0, 0, 0, 0, 0, 0,
706 &WinlogonSid))
707 {
708 ERR("CreateScreenSaverSecurity(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
709 return FALSE;
710 }
711
712 /* Create the admins SID */
713 if (!AllocateAndInitializeSid(&NtAuthority,
714 2,
715 SECURITY_BUILTIN_DOMAIN_RID,
716 DOMAIN_ALIAS_RID_ADMINS,
717 0, 0, 0, 0, 0, 0,
718 &AdminsSid))
719 {
720 ERR("CreateScreenSaverSecurity(): Failed to create the admins SID (error code %lu)\n", GetLastError());
721 goto Quit;
722 }
723
724 /* Create the interactive logon SID */
725 if (!AllocateAndInitializeSid(&NtAuthority,
726 1,
727 SECURITY_INTERACTIVE_RID,
728 0, 0, 0, 0, 0, 0, 0,
729 &InteractiveSid))
730 {
731 ERR("CreateScreenSaverSecurity(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
732 goto Quit;
733 }
734
735 /*
736 * Build up the DACL size. This includes a number
737 * of three ACEs of three different SIDs. The first ACE
738 * gives full access to Winlogon, the second one gives
739 * limited desktop access to admins and the last one
740 * gives full desktop access to users who have logged in
741 * interactively.
742 */
743 DaclSize = sizeof(ACL) +
744 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
745 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
746 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(InteractiveSid);
747
748 /* Allocate the DACL now */
749 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
750 HEAP_ZERO_MEMORY,
751 DaclSize);
752 if (Dacl == NULL)
753 {
754 ERR("CreateScreenSaverSecurity(): Failed to allocate memory buffer for DACL!\n");
755 goto Quit;
756 }
757
758 /* Initialize it */
759 if (!InitializeAcl(Dacl, DaclSize, ACL_REVISION))
760 {
761 ERR("CreateScreenSaverSecurity(): Failed to initialize DACL (error code %lu)\n", GetLastError());
762 goto Quit;
763 }
764
765 /* First ACE -- Give full desktop access to Winlogon */
766 if (!AddAccessAllowedAceEx(Dacl,
767 ACL_REVISION,
768 0,
769 DESKTOP_ALL,
770 WinlogonSid))
771 {
772 ERR("CreateScreenSaverSecurity(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
773 goto Quit;
774 }
775
776 /* Second ACE -- Give limited desktop access to admins */
777 if (!AddAccessAllowedAceEx(Dacl,
778 ACL_REVISION,
779 NO_PROPAGATE_INHERIT_ACE,
780 DESKTOP_ADMINS_LIMITED,
781 AdminsSid))
782 {
783 ERR("CreateScreenSaverSecurity(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
784 goto Quit;
785 }
786
787 /* Third ACE -- Give full desktop access to interactive logon users */
788 if (!AddAccessAllowedAceEx(Dacl,
789 ACL_REVISION,
790 NO_PROPAGATE_INHERIT_ACE,
791 DESKTOP_INTERACTIVE_LIMITED,
792 InteractiveSid))
793 {
794 ERR("CreateScreenSaverSecurity(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
795 goto Quit;
796 }
797
798 /* Initialize the security descriptor */
799 if (!InitializeSecurityDescriptor(&AbsoluteSd, SECURITY_DESCRIPTOR_REVISION))
800 {
801 ERR("CreateScreenSaverSecurity(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
802 goto Quit;
803 }
804
805 /* Set the DACL to the descriptor */
806 if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
807 {
808 ERR("CreateScreenSaverSecurity(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
809 goto Quit;
810 }
811
812 /* Conver it to self-relative format */
813 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
814 if (RelativeSd == NULL)
815 {
816 ERR("CreateScreenSaverSecurity(): Failed to convert security descriptor to self relative format!\n");
817 goto Quit;
818 }
819
820 /* Give the descriptor to the caller */
821 *ScreenSaverDesktopSd = RelativeSd;
822 Success = TRUE;
823
824Quit:
825 if (WinlogonSid != NULL)
826 {
827 FreeSid(WinlogonSid);
828 }
829
830 if (AdminsSid != NULL)
831 {
832 FreeSid(AdminsSid);
833 }
834
835 if (InteractiveSid != NULL)
836 {
837 FreeSid(InteractiveSid);
838 }
839
840 if (Dacl != NULL)
841 {
842 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
843 }
844
845 if (Success == FALSE)
846 {
847 if (RelativeSd != NULL)
848 {
849 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
850 }
851 }
852
853 return Success;
854}
855
874BOOL
875AllowWinstaAccessToUser(
876 _In_ HWINSTA WinSta,
877 _In_ PSID LogonSid)
878{
879 BOOL Success = FALSE;
880 SECURITY_DESCRIPTOR AbsoluteSd;
881 PSECURITY_DESCRIPTOR RelativeSd = NULL;
882 PSID WinlogonSid = NULL, AdminsSid = NULL, InteractiveSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
883 SECURITY_INFORMATION SecurityInformation;
884 DWORD DaclSize;
885 PACL Dacl;
886
887 /* Create the Winlogon SID */
888 if (!AllocateAndInitializeSid(&NtAuthority,
889 1,
890 SECURITY_LOCAL_SYSTEM_RID,
891 0, 0, 0, 0, 0, 0, 0,
892 &WinlogonSid))
893 {
894 ERR("AllowWinstaAccessToUser(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
895 return FALSE;
896 }
897
898 /* Create the admins SID */
899 if (!AllocateAndInitializeSid(&NtAuthority,
900 2,
901 SECURITY_BUILTIN_DOMAIN_RID,
902 DOMAIN_ALIAS_RID_ADMINS,
903 0, 0, 0, 0, 0, 0,
904 &AdminsSid))
905 {
906 ERR("AllowWinstaAccessToUser(): Failed to create the admins SID (error code %lu)\n", GetLastError());
907 goto Quit;
908 }
909
910 /* Create the interactive logon SID */
911 if (!AllocateAndInitializeSid(&NtAuthority,
912 1,
913 SECURITY_INTERACTIVE_RID,
914 0, 0, 0, 0, 0, 0, 0,
915 &InteractiveSid))
916 {
917 ERR("AllowWinstaAccessToUser(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
918 goto Quit;
919 }
920
921 /* HACK: Create the network service SID */
922 if (!AllocateAndInitializeSid(&NtAuthority,
923 1,
924 SECURITY_NETWORK_SERVICE_RID,
925 0, 0, 0, 0, 0, 0, 0,
926 &NetworkServiceSid))
927 {
928 ERR("AllowWinstaAccessToUser(): Failed to create the network service SID (error code %lu)\n", GetLastError());
929 goto Quit;
930 }
931
932 /*
933 * Build up the DACL size. This includes a number
934 * of eight ACEs of four different SIDs. The first ACE
935 * gives full winsta access to Winlogon, the second one gives
936 * generic access to Winlogon. Such approach is the same
937 * for both interactive logon users and logon user as well.
938 * Only admins are given limited powers.
939 */
940 DaclSize = sizeof(ACL) +
941 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
942 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
943 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
944 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
945 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(InteractiveSid) +
946 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(InteractiveSid) +
947 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(LogonSid) +
948 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(LogonSid) +
949 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid) + /* HACK */
950 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid);
951
952 /* Allocate the DACL now */
953 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
954 HEAP_ZERO_MEMORY,
955 DaclSize);
956 if (Dacl == NULL)
957 {
958 ERR("AllowWinstaAccessToUser(): Failed to allocate memory buffer for DACL!\n");
959 goto Quit;
960 }
961
962 /* Initialize it */
963 if (!InitializeAcl(Dacl, DaclSize, ACL_REVISION))
964 {
965 ERR("AllowWinstaAccessToUser(): Failed to initialize DACL (error code %lu)\n", GetLastError());
966 goto Quit;
967 }
968
969 /* First ACE -- Give full winsta access to Winlogon */
970 if (!AddAccessAllowedAceEx(Dacl,
971 ACL_REVISION,
972 NO_PROPAGATE_INHERIT_ACE,
973 WINSTA_ALL,
974 WinlogonSid))
975 {
976 ERR("AllowWinstaAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
977 goto Quit;
978 }
979
980 /* Second ACE -- Give generic access to Winlogon */
981 if (!AddAccessAllowedAceEx(Dacl,
982 ACL_REVISION,
983 INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
984 GENERIC_ACCESS,
985 WinlogonSid))
986 {
987 ERR("AllowWinstaAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
988 goto Quit;
989 }
990
991 /* Third ACE -- Give limited winsta access to admins */
992 if (!AddAccessAllowedAceEx(Dacl,
993 ACL_REVISION,
994 NO_PROPAGATE_INHERIT_ACE,
995 WINSTA_ADMINS_LIMITED,
996 AdminsSid))
997 {
998 ERR("AllowWinstaAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
999 goto Quit;
1000 }
1001
1002 /* Fourth ACE -- Give limited desktop access to admins */
1003 if (!AddAccessAllowedAceEx(Dacl,
1004 ACL_REVISION,
1005 INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
1006 DESKTOP_ADMINS_LIMITED,
1007 AdminsSid))
1008 {
1009 ERR("AllowWinstaAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
1010 goto Quit;
1011 }
1012
1013 /* Fifth ACE -- Give full winsta access to interactive logon users */
1014 if (!AddAccessAllowedAceEx(Dacl,
1015 ACL_REVISION,
1016 NO_PROPAGATE_INHERIT_ACE,
1017 WINSTA_ALL,
1018 InteractiveSid))
1019 {
1020 ERR("AllowWinstaAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1021 goto Quit;
1022 }
1023
1024 /* Sixth ACE -- Give generic access to interactive logon users */
1025 if (!AddAccessAllowedAceEx(Dacl,
1026 ACL_REVISION,
1027 INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
1028 GENERIC_ACCESS,
1029 InteractiveSid))
1030 {
1031 ERR("AllowWinstaAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1032 goto Quit;
1033 }
1034
1035 /* Seventh ACE -- Give full winsta access to logon user */
1036 if (!AddAccessAllowedAceEx(Dacl,
1037 ACL_REVISION,
1038 NO_PROPAGATE_INHERIT_ACE,
1039 WINSTA_ALL,
1040 LogonSid))
1041 {
1042 ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1043 goto Quit;
1044 }
1045
1046 /* Eighth ACE -- Give generic access to logon user */
1047 if (!AddAccessAllowedAceEx(Dacl,
1048 ACL_REVISION,
1049 INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
1050 GENERIC_ACCESS,
1051 LogonSid))
1052 {
1053 ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1054 goto Quit;
1055 }
1056
1057 /* HACK : Ninenth ACE -- Give full winsta access to network services */
1058 if (!AddAccessAllowedAceEx(Dacl,
1059 ACL_REVISION,
1060 NO_PROPAGATE_INHERIT_ACE,
1061 WINSTA_ALL,
1062 NetworkServiceSid))
1063 {
1064 ERR("AllowWinstaAccessToUser(): Failed to set ACE for logon network service SID (error code %lu)\n", GetLastError());
1065 goto Quit;
1066 }
1067
1068 /* HACK: Tenth ACE -- Give generic access to network services */
1069 if (!AddAccessAllowedAceEx(Dacl,
1070 ACL_REVISION,
1071 INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE,
1072 GENERIC_ACCESS,
1073 NetworkServiceSid))
1074 {
1075 ERR("AllowWinstaAccessToUser(): Failed to set ACE for network service SID (error code %lu)\n", GetLastError());
1076 goto Quit;
1077 }
1078
1079 /* Initialize the security descriptor */
1080 if (!InitializeSecurityDescriptor(&AbsoluteSd, SECURITY_DESCRIPTOR_REVISION))
1081 {
1082 ERR("AllowWinstaAccessToUser(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
1083 goto Quit;
1084 }
1085
1086 /* Set the DACL to descriptor */
1087 if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
1088 {
1089 ERR("AllowWinstaAccessToUser(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
1090 goto Quit;
1091 }
1092
1093 /* Convert it to self-relative format */
1094 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
1095 if (RelativeSd == NULL)
1096 {
1097 ERR("AllowWinstaAccessToUser(): Failed to convert security descriptor to self relative format!\n");
1098 goto Quit;
1099 }
1100
1101 /* Set new winsta security based on this descriptor */
1102 SecurityInformation = DACL_SECURITY_INFORMATION;
1103 if (!SetUserObjectSecurity(WinSta, &SecurityInformation, RelativeSd))
1104 {
1105 ERR("AllowWinstaAccessToUser(): Failed to set window station security descriptor (error code %lu)\n", GetLastError());
1106 goto Quit;
1107 }
1108
1109 Success = TRUE;
1110
1111Quit:
1112 if (WinlogonSid != NULL)
1113 {
1114 FreeSid(WinlogonSid);
1115 }
1116
1117 if (AdminsSid != NULL)
1118 {
1119 FreeSid(AdminsSid);
1120 }
1121
1122 if (InteractiveSid != NULL)
1123 {
1124 FreeSid(InteractiveSid);
1125 }
1126
1127 /* HACK */
1128 if (NetworkServiceSid != NULL)
1129 {
1130 FreeSid(NetworkServiceSid);
1131 }
1132 /* END HACK */
1133
1134 if (Dacl != NULL)
1135 {
1136 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
1137 }
1138
1139 if (RelativeSd != NULL)
1140 {
1141 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
1142 }
1143
1144 return Success;
1145}
1146
1165BOOL
1166AllowDesktopAccessToUser(
1167 _In_ HDESK Desktop,
1168 _In_ PSID LogonSid)
1169{
1170 BOOL Success = FALSE;
1171 SECURITY_DESCRIPTOR AbsoluteSd;
1172 PSECURITY_DESCRIPTOR RelativeSd = NULL;
1173 PSID WinlogonSid = NULL, AdminsSid = NULL, InteractiveSid = NULL, NetworkServiceSid = NULL; /* NetworkServiceSid is a HACK, see the comment in CreateWinstaSecurity for information */
1174 SECURITY_INFORMATION SecurityInformation;
1175 DWORD DaclSize;
1176 PACL Dacl;
1177
1178 /* Create the Winlogon SID */
1179 if (!AllocateAndInitializeSid(&NtAuthority,
1180 1,
1181 SECURITY_LOCAL_SYSTEM_RID,
1182 0, 0, 0, 0, 0, 0, 0,
1183 &WinlogonSid))
1184 {
1185 ERR("AllowDesktopAccessToUser(): Failed to create the Winlogon SID (error code %lu)\n", GetLastError());
1186 return FALSE;
1187 }
1188
1189 /* Create the admins SID */
1190 if (!AllocateAndInitializeSid(&NtAuthority,
1191 2,
1192 SECURITY_BUILTIN_DOMAIN_RID,
1193 DOMAIN_ALIAS_RID_ADMINS,
1194 0, 0, 0, 0, 0, 0,
1195 &AdminsSid))
1196 {
1197 ERR("AllowDesktopAccessToUser(): Failed to create the admins SID (error code %lu)\n", GetLastError());
1198 goto Quit;
1199 }
1200
1201 /* Create the interactive logon SID */
1202 if (!AllocateAndInitializeSid(&NtAuthority,
1203 1,
1204 SECURITY_INTERACTIVE_RID,
1205 0, 0, 0, 0, 0, 0, 0,
1206 &InteractiveSid))
1207 {
1208 ERR("AllowDesktopAccessToUser(): Failed to create the interactive SID (error code %lu)\n", GetLastError());
1209 goto Quit;
1210 }
1211
1212 /* HACK: Create the network service SID */
1213 if (!AllocateAndInitializeSid(&NtAuthority,
1214 1,
1215 SECURITY_NETWORK_SERVICE_RID,
1216 0, 0, 0, 0, 0, 0, 0,
1217 &NetworkServiceSid))
1218 {
1219 ERR("AllowDesktopAccessToUser(): Failed to create the network service SID (error code %lu)\n", GetLastError());
1220 goto Quit;
1221 }
1222
1223 /*
1224 * Build up the DACL size. This includes a number
1225 * of four ACEs of four different SIDs. The first ACE
1226 * gives full desktop access to Winlogon, the second one gives
1227 * generic limited desktop access to admins. The last two give
1228 * full power to both interactive logon users and logon user as
1229 * well.
1230 */
1231 DaclSize = sizeof(ACL) +
1232 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(WinlogonSid) +
1233 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(AdminsSid) +
1234 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(InteractiveSid) +
1235 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(LogonSid) +
1236 sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + GetLengthSid(NetworkServiceSid); /* HACK */
1237
1238 /* Allocate the DACL now */
1239 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
1240 HEAP_ZERO_MEMORY,
1241 DaclSize);
1242 if (Dacl == NULL)
1243 {
1244 ERR("AllowDesktopAccessToUser(): Failed to allocate memory buffer for DACL!\n");
1245 goto Quit;
1246 }
1247
1248 /* Initialize it */
1249 if (!InitializeAcl(Dacl, DaclSize, ACL_REVISION))
1250 {
1251 ERR("AllowDesktopAccessToUser(): Failed to initialize DACL (error code %lu)\n", GetLastError());
1252 goto Quit;
1253 }
1254
1255 /* First ACE -- Give full desktop access to Winlogon */
1256 if (!AddAccessAllowedAceEx(Dacl,
1257 ACL_REVISION,
1258 0,
1259 DESKTOP_ALL,
1260 WinlogonSid))
1261 {
1262 ERR("AllowDesktopAccessToUser(): Failed to set ACE for Winlogon (error code %lu)\n", GetLastError());
1263 goto Quit;
1264 }
1265
1266 /* Second ACE -- Give limited desktop access to admins */
1267 if (!AddAccessAllowedAceEx(Dacl,
1268 ACL_REVISION,
1269 0,
1270 DESKTOP_ADMINS_LIMITED,
1271 AdminsSid))
1272 {
1273 ERR("AllowDesktopAccessToUser(): Failed to set ACE for admins (error code %lu)\n", GetLastError());
1274 goto Quit;
1275 }
1276
1277 /* Third ACE -- Give full desktop access to interactive logon users */
1278 if (!AddAccessAllowedAceEx(Dacl,
1279 ACL_REVISION,
1280 0,
1281 DESKTOP_ALL,
1282 InteractiveSid))
1283 {
1284 ERR("AllowDesktopAccessToUser(): Failed to set ACE for interactive SID (error code %lu)\n", GetLastError());
1285 goto Quit;
1286 }
1287
1288 /* Fourth ACE -- Give full desktop access to logon user */
1289 if (!AddAccessAllowedAceEx(Dacl,
1290 ACL_REVISION,
1291 0,
1292 DESKTOP_ALL,
1293 LogonSid))
1294 {
1295 ERR("AllowDesktopAccessToUser(): Failed to set ACE for logon user SID (error code %lu)\n", GetLastError());
1296 goto Quit;
1297 }
1298
1299 /* HACK: Fifth ACE -- Give full desktop to network services */
1300 if (!AddAccessAllowedAceEx(Dacl,
1301 ACL_REVISION,
1302 0,
1303 DESKTOP_ALL,
1304 NetworkServiceSid))
1305 {
1306 ERR("AllowDesktopAccessToUser(): Failed to set ACE for network service SID (error code %lu)\n", GetLastError());
1307 goto Quit;
1308 }
1309
1310 /* Initialize the security descriptor */
1311 if (!InitializeSecurityDescriptor(&AbsoluteSd, SECURITY_DESCRIPTOR_REVISION))
1312 {
1313 ERR("AllowDesktopAccessToUser(): Failed to initialize absolute security descriptor (error code %lu)\n", GetLastError());
1314 goto Quit;
1315 }
1316
1317 /* Set the DACL to the descriptor */
1318 if (!SetSecurityDescriptorDacl(&AbsoluteSd, TRUE, Dacl, FALSE))
1319 {
1320 ERR("AllowDesktopAccessToUser(): Failed to set up DACL to absolute security descriptor (error code %lu)\n", GetLastError());
1321 goto Quit;
1322 }
1323
1324 /* Conver it to self-relative format */
1325 RelativeSd = ConvertToSelfRelative(&AbsoluteSd);
1326 if (RelativeSd == NULL)
1327 {
1328 ERR("AllowDesktopAccessToUser(): Failed to convert security descriptor to self relative format!\n");
1329 goto Quit;
1330 }
1331
1332 /* Assign new security to desktop based on this descriptor */
1333 SecurityInformation = DACL_SECURITY_INFORMATION;
1334 if (!SetUserObjectSecurity(Desktop, &SecurityInformation, RelativeSd))
1335 {
1336 ERR("AllowDesktopAccessToUser(): Failed to set desktop security descriptor (error code %lu)\n", GetLastError());
1337 goto Quit;
1338 }
1339
1340 Success = TRUE;
1341
1342Quit:
1343 if (WinlogonSid != NULL)
1344 {
1345 FreeSid(WinlogonSid);
1346 }
1347
1348 if (AdminsSid != NULL)
1349 {
1350 FreeSid(AdminsSid);
1351 }
1352
1353 if (InteractiveSid != NULL)
1354 {
1355 FreeSid(InteractiveSid);
1356 }
1357
1358 /* HACK */
1359 if (NetworkServiceSid != NULL)
1360 {
1361 FreeSid(NetworkServiceSid);
1362 }
1363 /* END HACK */
1364
1365 if (Dacl != NULL)
1366 {
1367 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
1368 }
1369
1370 if (RelativeSd != NULL)
1371 {
1372 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
1373 }
1374
1375 return Success;
1376}
1377
1391BOOL
1392AllowAccessOnSession(
1393 _In_ PWLSESSION Session)
1394{
1395 BOOL Success = FALSE;
1396 DWORD Index, SidLength, GroupsLength = 0;
1397 PTOKEN_GROUPS TokenGroup = NULL;
1398 PSID LogonSid;
1399
1400 /* Get required buffer size and allocate the TOKEN_GROUPS buffer */
1401 if (!GetTokenInformation(Session->UserToken,
1402 TokenGroups,
1403 TokenGroup,
1404 0,
1405 &GroupsLength))
1406 {
1407 if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
1408 {
1409 ERR("AllowAccessOnSession(): Unexpected error code returned, must be ERROR_INSUFFICIENT_BUFFER (error code %lu)\n", GetLastError());
1410 return FALSE;
1411 }
1412
1413 TokenGroup = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, GroupsLength);
1414 if (TokenGroup == NULL)
1415 {
1416 ERR("AllowAccessOnSession(): Failed to allocate memory buffer for token group!\n");
1417 return FALSE;
1418 }
1419 }
1420
1421 /* Get the token group information from the access token */
1422 if (!GetTokenInformation(Session->UserToken,
1423 TokenGroups,
1424 TokenGroup,
1425 GroupsLength,
1426 &GroupsLength))
1427 {
1428 ERR("AllowAccessOnSession(): Failed to retrieve the token group information (error code %lu)\n", GetLastError());
1429 goto Quit;
1430 }
1431
1432 /* Loop through the groups to find the logon SID */
1433 for (Index = 0; Index < TokenGroup->GroupCount; Index++)
1434 {
1435 if ((TokenGroup->Groups[Index].Attributes & SE_GROUP_LOGON_ID)
1436 == SE_GROUP_LOGON_ID)
1437 {
1438 LogonSid = TokenGroup->Groups[Index].Sid;
1439 break;
1440 }
1441 }
1442
1443 /* Allow window station access to this user within this session */
1444 if (!AllowWinstaAccessToUser(Session->InteractiveWindowStation, LogonSid))
1445 {
1446 ERR("AllowAccessOnSession(): Failed to allow winsta access to the logon user!\n");
1447 goto Quit;
1448 }
1449
1450 /* Allow application desktop access to this user within this session */
1451 if (!AllowDesktopAccessToUser(Session->ApplicationDesktop, LogonSid))
1452 {
1453 ERR("AllowAccessOnSession(): Failed to allow application desktop access to the logon user!\n");
1454 goto Quit;
1455 }
1456
1457 /* Get the length of this logon SID */
1458 SidLength = GetLengthSid(LogonSid);
1459
1460 /* Assign the window station to this logged in user */
1461 if (!SetWindowStationUser(Session->InteractiveWindowStation,
1462 &Session->LogonId,
1463 LogonSid,
1464 SidLength))
1465 {
1466 ERR("AllowAccessOnSession(): Failed to assign the window station to the logon user!\n");
1467 goto Quit;
1468 }
1469
1470 Success = TRUE;
1471
1472Quit:
1473 if (TokenGroup != NULL)
1474 {
1475 RtlFreeHeap(RtlGetProcessHeap(), 0, TokenGroup);
1476 }
1477
1478 return Success;
1479}
1480
1481/* EOF */
InteractiveSid
PSID InteractiveSid
Definition: globals.c:15
NetworkServiceSid
PSID NetworkServiceSid
Definition: globals.c:16
ERR
#define ERR(fmt,...)
Definition: precomp.h:57
DESKTOP_WINLOGON_ADMINS_LIMITED
#define DESKTOP_WINLOGON_ADMINS_LIMITED
Definition: security.c:25
DESKTOP_ADMINS_LIMITED
#define DESKTOP_ADMINS_LIMITED
Definition: security.c:19
GENERIC_ACCESS
#define GENERIC_ACCESS
Definition: security.c:35
AllowWinstaAccessToUser
BOOL AllowWinstaAccessToUser(_In_ HWINSTA WinSta, _In_ PSID LogonSid)
Assigns access to the specific logon user to the default window station. Such access is given to the ...
Definition: security.c:875
CreateApplicationDesktopSecurity
BOOL CreateApplicationDesktopSecurity(_Out_ PSECURITY_DESCRIPTOR *ApplicationDesktopSd)
Creates a security descriptor for the default application desktop upon its creation.
Definition: security.c:360
ConvertToSelfRelative
PSECURITY_DESCRIPTOR ConvertToSelfRelative(_In_ PSECURITY_DESCRIPTOR AbsoluteSd)
Converts an absolute security descriptor to a self-relative format.
Definition: security.c:64
WINSTA_ADMINS_LIMITED
#define WINSTA_ADMINS_LIMITED
Definition: security.c:33
CreateWinstaSecurity
BOOL CreateWinstaSecurity(_Out_ PSECURITY_DESCRIPTOR *WinstaSd)
Creates a security descriptor for the default window station upon its creation.
Definition: security.c:113
NtAuthority
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
AllowDesktopAccessToUser
BOOL AllowDesktopAccessToUser(_In_ HDESK Desktop, _In_ PSID LogonSid)
Assigns access to the specific logon user to the default desktop. Such access is given to the user wh...
Definition: security.c:1166
CreateWinlogonDesktopSecurity
BOOL CreateWinlogonDesktopSecurity(_Out_ PSECURITY_DESCRIPTOR *WinlogonDesktopSd)
Creates a security descriptor for the default Winlogon desktop. This descriptor serves as a security ...
Definition: security.c:542
AllowAccessOnSession
BOOL AllowAccessOnSession(_In_ PWLSESSION Session)
Assigns both window station and desktop access to the specific session currently active on the system...
Definition: security.c:1392
DESKTOP_ALL
#define DESKTOP_ALL
Definition: security.c:14
DESKTOP_INTERACTIVE_LIMITED
#define DESKTOP_INTERACTIVE_LIMITED
Definition: security.c:22
CreateScreenSaverSecurity
BOOL CreateScreenSaverSecurity(_Out_ PSECURITY_DESCRIPTOR *ScreenSaverDesktopSd)
Creates a security descriptor for the screen saver desktop.
Definition: security.c:691
WINSTA_ALL
#define WINSTA_ALL
Definition: security.c:27
RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:616
RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:634
ERROR_INSUFFICIENT_BUFFER
#define ERROR_INSUFFICIENT_BUFFER
Definition: dderror.h:10
NULL
#define NULL
Definition: types.h:112
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
GetTokenInformation
BOOL WINAPI GetTokenInformation(HANDLE TokenHandle, TOKEN_INFORMATION_CLASS TokenInformationClass, LPVOID TokenInformation, DWORD TokenInformationLength, PDWORD ReturnLength)
Definition: security.c:411
AllocateAndInitializeSid
BOOL WINAPI AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority, BYTE nSubAuthorityCount, DWORD nSubAuthority0, DWORD nSubAuthority1, DWORD nSubAuthority2, DWORD nSubAuthority3, DWORD nSubAuthority4, DWORD nSubAuthority5, DWORD nSubAuthority6, DWORD nSubAuthority7, PSID *pSid)
Definition: security.c:674
InitializeAcl
BOOL WINAPI InitializeAcl(PACL pAcl, DWORD nAclLength, DWORD dwAclRevision)
Definition: security.c:1006
InitializeSecurityDescriptor
BOOL WINAPI InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor, DWORD dwRevision)
Definition: security.c:929
AddAccessAllowedAceEx
BOOL WINAPI AddAccessAllowedAceEx(PACL pAcl, DWORD dwAceRevision, DWORD AceFlags, DWORD AccessMask, PSID pSid)
Definition: security.c:1063
GetLengthSid
DWORD WINAPI GetLengthSid(PSID pSid)
Definition: security.c:919
FreeSid
PVOID WINAPI FreeSid(PSID pSid)
Definition: security.c:698
HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
Success
@ Success
Definition: eventcreate.c:712
BOOL
unsigned int BOOL
Definition: ntddk_ex.h:94
DWORD
unsigned long DWORD
Definition: ntddk_ex.h:95
SecurityInformation
_Must_inspect_result_ _In_ PFILE_OBJECT _In_ SECURITY_INFORMATION SecurityInformation
Definition: fltkernel.h:1340
SECURITY_INFORMATION
DWORD SECURITY_INFORMATION
Definition: ms-dtyp.idl:311
ACL
struct _ACL ACL
ACCESS_ALLOWED_ACE
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1625
DaclSize
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1626
SE_GROUP_LOGON_ID
#define SE_GROUP_LOGON_ID
Definition: setypes.h:98
_Out_
#define _Out_
Definition: no_sal2.h:160
_In_
#define _In_
Definition: no_sal2.h:158
DWORD
#define DWORD
Definition: nt_native.h:44
SetSecurityDescriptorDacl
BOOL WINAPI SetSecurityDescriptorDacl(PSECURITY_DESCRIPTOR pSecurityDescriptor, BOOL bDaclPresent, PACL pDacl, BOOL bDaclDefaulted)
Definition: sec.c:262
MakeSelfRelativeSD
BOOL WINAPI MakeSelfRelativeSD(PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor, PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor, LPDWORD lpdwBufferLength)
Definition: sec.c:214
_ACCESS_ALLOWED_ACE
Definition: ms-dtyp.idl:215
_ACL
Definition: ms-dtyp.idl:293
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
_SID_AND_ATTRIBUTES::Sid
PSID Sid
Definition: setypes.h:506
_SID_AND_ATTRIBUTES::Attributes
$ULONG Attributes
Definition: setypes.h:508
_SID_IDENTIFIER_AUTHORITY
Definition: ms-dtyp.idl:194
_SID
Definition: ms-dtyp.idl:198
_TOKEN_GROUPS
Definition: setypes.h:1025
_TOKEN_GROUPS::Groups
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]
Definition: setypes.h:1030
_TOKEN_GROUPS::GroupCount
$ULONG GroupCount
Definition: setypes.h:1026
_WLSESSION
Definition: winlogon.h:221
Index
_In_ WDFCOLLECTION _In_ ULONG Index
Definition: wdfcollection.h:182
GetLastError
DWORD WINAPI GetLastError(void)
Definition: except.c:1042
SetWindowStationUser
BOOL WINAPI SetWindowStationUser(IN HWINSTA hWindowStation, IN PLUID pluid, IN PSID psid OPTIONAL, IN DWORD size)
Definition: winsta.c:419
SetUserObjectSecurity
BOOL WINAPI SetUserObjectSecurity(_In_ HANDLE, _In_ PSECURITY_INFORMATION, _In_ PSECURITY_DESCRIPTOR)
CONTAINER_INHERIT_ACE
#define CONTAINER_INHERIT_ACE
Definition: setypes.h:747
INHERIT_ONLY_ACE
#define INHERIT_ONLY_ACE
Definition: setypes.h:749
SECURITY_BUILTIN_DOMAIN_RID
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
DACL_SECURITY_INFORMATION
#define DACL_SECURITY_INFORMATION
Definition: setypes.h:125
SECURITY_INTERACTIVE_RID
#define SECURITY_INTERACTIVE_RID
Definition: setypes.h:559
SECURITY_LOCAL_SYSTEM_RID
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
SECURITY_NT_AUTHORITY
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554
OBJECT_INHERIT_ACE
#define OBJECT_INHERIT_ACE
Definition: setypes.h:746
TokenGroups
@ TokenGroups
Definition: setypes.h:979
NO_PROPAGATE_INHERIT_ACE
#define NO_PROPAGATE_INHERIT_ACE
Definition: setypes.h:748
SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
ACL_REVISION
#define ACL_REVISION
Definition: setypes.h:39
SECURITY_NETWORK_SERVICE_RID
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576
DOMAIN_ALIAS_RID_ADMINS
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652