d2/dcb/dll_2win32_2samsrv_2security_8c_source.html

/*

 * COPYRIGHT:       See COPYING in the top level directory

 * PROJECT:         Security Account Manager (SAM) Server

 * FILE:            reactos/dll/win32/samsrv/security.c

 * PURPOSE:         Security descriptor functions

 *

 * PROGRAMMERS:     Eric Kohl

 */


#include "samsrv.h"


/* GLOBALS *****************************************************************/


static SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};

static SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};


/* FUNCTIONS ***************************************************************/


NTSTATUS

SampCreateServerSD(OUT PSECURITY_DESCRIPTOR *ServerSd,

                   OUT PULONG Size)

{

    PSECURITY_DESCRIPTOR AbsSD = NULL;

    PSECURITY_DESCRIPTOR RelSD = NULL;

    PSID EveryoneSid = NULL;

    PSID AnonymousSid = NULL;

    PSID AdministratorsSid = NULL;

    PACL Dacl = NULL;

    PACL Sacl = NULL;

    ULONG DaclSize;

    ULONG SaclSize;

    ULONG RelSDSize = 0;

    NTSTATUS Status = STATUS_SUCCESS;


    /* Create the Everyone SID */

    Status = RtlAllocateAndInitializeSid(&WorldAuthority,

                                         1,

                                         SECURITY_WORLD_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Anonymous SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         1,

                                         SECURITY_ANONYMOUS_LOGON_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AnonymousSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Administrators SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_ADMINS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AdministratorsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Allocate a buffer for the absolute SD */

    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            sizeof(SECURITY_DESCRIPTOR));

    if (AbsSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Create the absolute SD */

    Status = RtlCreateSecurityDescriptor(AbsSD,

                                         SECURITY_DESCRIPTOR_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the DACL */

    DaclSize = sizeof(ACL) +

               2 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AdministratorsSid);


    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Dacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Dacl,

                          DaclSize,

                          ACL_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    SAM_SERVER_READ | SAM_SERVER_EXECUTE,

                                    EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    SAM_SERVER_ALL_ACCESS,

                                    AdministratorsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the DACL */

    Status = RtlSetDaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Dacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the SACL */

    SaclSize = sizeof(ACL) +

               2 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AnonymousSid);


    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Sacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Sacl,

                          SaclSize,

                          ACL_REVISION);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |

                                  SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |

                                  SAM_SERVER_SHUTDOWN,

                                  EveryoneSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,

                                  AnonymousSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the SACL */

    Status = RtlSetSaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Sacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the owner SID */

    Status = RtlSetOwnerSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the group SID */

    Status = RtlSetGroupSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Get the required buffer size for the self-relative SD */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         NULL,

                                         &RelSDSize);

    if (Status != STATUS_BUFFER_TOO_SMALL)

        goto done;


    /* Allocate a buffer for the self-relative SD */

    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            RelSDSize);

    if (RelSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Convert the absolute SD to self-relative format */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         RelSD,

                                         &RelSDSize);

    if (Status == STATUS_BUFFER_TOO_SMALL)

    {

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    *ServerSd = RelSD;

    *Size = RelSDSize;


done:

    if (!NT_SUCCESS(Status))

    {

        if (RelSD != NULL)

            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);

    }


    if (EveryoneSid != NULL)

        RtlFreeSid(EveryoneSid);


    if (AnonymousSid != NULL)

        RtlFreeSid(AnonymousSid);


    if (AdministratorsSid != NULL)

        RtlFreeSid(AdministratorsSid);


    if (Dacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);


    if (Sacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);


    if (AbsSD != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);


    return Status;

}


NTSTATUS

SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,

                          OUT PULONG Size)

{

    PSECURITY_DESCRIPTOR AbsSD = NULL;

    PSECURITY_DESCRIPTOR RelSD = NULL;

    PSID EveryoneSid = NULL;

    PSID AnonymousSid = NULL;

    PSID AdministratorsSid = NULL;

    PACL Dacl = NULL;

    PACL Sacl = NULL;

    ULONG DaclSize;

    ULONG SaclSize;

    ULONG RelSDSize = 0;

    NTSTATUS Status = STATUS_SUCCESS;


    /* Create the Everyone SID */

    Status = RtlAllocateAndInitializeSid(&WorldAuthority,

                                         1,

                                         SECURITY_WORLD_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Anonymous SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         1,

                                         SECURITY_ANONYMOUS_LOGON_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AnonymousSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Administrators SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_ADMINS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AdministratorsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Allocate a buffer for the absolute SD */

    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            sizeof(SECURITY_DESCRIPTOR));

    if (AbsSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Create the absolute SD */

    Status = RtlCreateSecurityDescriptor(AbsSD,

                                         SECURITY_DESCRIPTOR_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the DACL */

    DaclSize = sizeof(ACL) +

               2 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AdministratorsSid);


    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Dacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Dacl,

                          DaclSize,

                          ACL_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    DOMAIN_READ | DOMAIN_EXECUTE,

                                    EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    SAM_SERVER_ALL_ACCESS,

                                    AdministratorsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the DACL */

    Status = RtlSetDaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Dacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the SACL */

    SaclSize = sizeof(ACL) +

               2 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AnonymousSid);


    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Sacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Sacl,

                          SaclSize,

                          ACL_REVISION);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |

                                  SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |

                                  SAM_SERVER_SHUTDOWN,

                                  EveryoneSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,

                                  AnonymousSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the SACL */

    Status = RtlSetSaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Sacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the owner SID */

    Status = RtlSetOwnerSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the group SID */

    Status = RtlSetGroupSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Get the required buffer size for the self-relative SD */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         NULL,

                                         &RelSDSize);

    if (Status != STATUS_BUFFER_TOO_SMALL)

        goto done;


    /* Allocate a buffer for the self-relative SD */

    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            RelSDSize);

    if (RelSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Convert the absolute SD to self-relative format */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         RelSD,

                                         &RelSDSize);

    if (Status == STATUS_BUFFER_TOO_SMALL)

    {

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    *ServerSd = RelSD;

    *Size = RelSDSize;


done:

    if (!NT_SUCCESS(Status))

    {

        if (RelSD != NULL)

            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);

    }


    if (EveryoneSid != NULL)

        RtlFreeSid(EveryoneSid);


    if (AnonymousSid != NULL)

        RtlFreeSid(AnonymousSid);


    if (AdministratorsSid != NULL)

        RtlFreeSid(AdministratorsSid);


    if (Dacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);


    if (Sacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);


    if (AbsSD != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);


    return Status;

}


NTSTATUS

SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,

                          OUT PULONG Size)

{

    PSECURITY_DESCRIPTOR AbsSD = NULL;

    PSECURITY_DESCRIPTOR RelSD = NULL;

    PSID EveryoneSid = NULL;

    PSID AnonymousSid = NULL;

    PSID AdministratorsSid = NULL;

    PSID UsersSid = NULL;

    PSID GuestsSid = NULL;

    PACL Dacl = NULL;

    PACL Sacl = NULL;

    ULONG DaclSize;

    ULONG SaclSize;

    ULONG RelSDSize = 0;

    NTSTATUS Status = STATUS_SUCCESS;


    /* Create the Everyone SID */

    Status = RtlAllocateAndInitializeSid(&WorldAuthority,

                                         1,

                                         SECURITY_WORLD_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Anonymous SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         1,

                                         SECURITY_ANONYMOUS_LOGON_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AnonymousSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Administrators SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_ADMINS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AdministratorsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Users SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_USERS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &UsersSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Guests SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_GUESTS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &GuestsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Allocate a buffer for the absolute SD */

    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            sizeof(SECURITY_DESCRIPTOR));

    if (AbsSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Create the absolute SD */

    Status = RtlCreateSecurityDescriptor(AbsSD,

                                         SECURITY_DESCRIPTOR_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the DACL */

    DaclSize = sizeof(ACL) +

               4 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AdministratorsSid) +

               RtlLengthSid(UsersSid) +

               RtlLengthSid(GuestsSid);


    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Dacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Dacl,

                          DaclSize,

                          ACL_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    DOMAIN_READ | DOMAIN_EXECUTE,

                                    EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    DOMAIN_READ | DOMAIN_EXECUTE,

                                    UsersSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    DOMAIN_ALL_ACCESS & ~DOMAIN_CREATE_GROUP,

                                    AdministratorsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    DOMAIN_READ | DOMAIN_EXECUTE | DOMAIN_CREATE_USER | DOMAIN_CREATE_ALIAS,

                                    GuestsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the DACL */

    Status = RtlSetDaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Dacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the SACL */

    SaclSize = sizeof(ACL) +

               2 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AnonymousSid);


    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Sacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Sacl,

                          SaclSize,

                          ACL_REVISION);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |

                                  SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |

                                  SAM_SERVER_SHUTDOWN,

                                  EveryoneSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,

                                  AnonymousSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the SACL */

    Status = RtlSetSaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Sacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the owner SID */

    Status = RtlSetOwnerSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the group SID */

    Status = RtlSetGroupSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Get the required buffer size for the self-relative SD */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         NULL,

                                         &RelSDSize);

    if (Status != STATUS_BUFFER_TOO_SMALL)

        goto done;


    /* Allocate a buffer for the self-relative SD */

    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            RelSDSize);

    if (RelSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Convert the absolute SD to self-relative format */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         RelSD,

                                         &RelSDSize);

    if (Status == STATUS_BUFFER_TOO_SMALL)

    {

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    *ServerSd = RelSD;

    *Size = RelSDSize;


done:

    if (!NT_SUCCESS(Status))

    {

        if (RelSD != NULL)

            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);

    }


    if (EveryoneSid != NULL)

        RtlFreeSid(EveryoneSid);


    if (AnonymousSid != NULL)

        RtlFreeSid(AnonymousSid);


    if (AdministratorsSid != NULL)

        RtlFreeSid(AdministratorsSid);


    if (Dacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);


    if (Sacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);


    if (AbsSD != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);


    return Status;

}


NTSTATUS

SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd,

                  OUT PULONG Size)

{

    PSECURITY_DESCRIPTOR AbsSD = NULL;

    PSECURITY_DESCRIPTOR RelSD = NULL;

    PSID EveryoneSid = NULL;

    PSID AnonymousSid = NULL;

    PSID AdministratorsSid = NULL;

    PSID AccountOperatorsSid = NULL;

    PACL Dacl = NULL;

    PACL Sacl = NULL;

    ULONG DaclSize;

    ULONG SaclSize;

    ULONG RelSDSize = 0;

    NTSTATUS Status = STATUS_SUCCESS;


    /* Create the Everyone SID */

    Status = RtlAllocateAndInitializeSid(&WorldAuthority,

                                         1,

                                         SECURITY_WORLD_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Anonymous SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         1,

                                         SECURITY_ANONYMOUS_LOGON_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AnonymousSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Administrators SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_ADMINS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AdministratorsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Account Operators SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_ACCOUNT_OPS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AccountOperatorsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Allocate a buffer for the absolute SD */

    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            sizeof(SECURITY_DESCRIPTOR));

    if (AbsSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Create the absolute SD */

    Status = RtlCreateSecurityDescriptor(AbsSD,

                                         SECURITY_DESCRIPTOR_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the DACL */

    DaclSize = sizeof(ACL) +

               3 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AdministratorsSid) +

               RtlLengthSid(AccountOperatorsSid);


    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Dacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Dacl,

                          DaclSize,

                          ACL_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    READ_CONTROL | ALIAS_READ_INFORMATION | ALIAS_LIST_MEMBERS,

                                    EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    ALIAS_ALL_ACCESS,

                                    AdministratorsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    ALIAS_ALL_ACCESS,

                                    AccountOperatorsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the DACL */

    Status = RtlSetDaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Dacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the SACL */

    SaclSize = sizeof(ACL) +

               2 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AnonymousSid);


    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Sacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Sacl,

                          SaclSize,

                          ACL_REVISION);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |

                                  ALIAS_WRITE_ACCOUNT | ALIAS_REMOVE_MEMBER |

                                  ALIAS_ADD_MEMBER,

                                  EveryoneSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,

                                  AnonymousSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the SACL */

    Status = RtlSetSaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Sacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the owner SID */

    Status = RtlSetOwnerSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the group SID */

    Status = RtlSetGroupSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Get the required buffer size for the self-relative SD */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         NULL,

                                         &RelSDSize);

    if (Status != STATUS_BUFFER_TOO_SMALL)

        goto done;


    /* Allocate a buffer for the self-relative SD */

    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            RelSDSize);

    if (RelSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Convert the absolute SD to self-relative format */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         RelSD,

                                         &RelSDSize);

    if (Status == STATUS_BUFFER_TOO_SMALL)

    {

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    *AliasSd = RelSD;

    *Size = RelSDSize;


done:

    if (!NT_SUCCESS(Status))

    {

        if (RelSD != NULL)

            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);

    }


    if (EveryoneSid != NULL)

        RtlFreeSid(EveryoneSid);


    if (AnonymousSid != NULL)

        RtlFreeSid(AnonymousSid);


    if (AdministratorsSid != NULL)

        RtlFreeSid(AdministratorsSid);


    if (Dacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);


    if (Sacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);


    if (AbsSD != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);


    return Status;

}


NTSTATUS

SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR *GroupSd,

                  OUT PULONG Size)

{

    PSECURITY_DESCRIPTOR AbsSD = NULL;

    PSECURITY_DESCRIPTOR RelSD = NULL;

    PSID EveryoneSid = NULL;

    PSID AnonymousSid = NULL;

    PSID AdministratorsSid = NULL;

    PSID AccountOperatorsSid = NULL;

    PACL Dacl = NULL;

    PACL Sacl = NULL;

    ULONG DaclSize;

    ULONG SaclSize;

    ULONG RelSDSize = 0;

    NTSTATUS Status = STATUS_SUCCESS;


    /* Create the Everyone SID */

    Status = RtlAllocateAndInitializeSid(&WorldAuthority,

                                         1,

                                         SECURITY_WORLD_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Anonymous SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         1,

                                         SECURITY_ANONYMOUS_LOGON_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AnonymousSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Administrators SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_ADMINS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AdministratorsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Account Operators SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_ACCOUNT_OPS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AccountOperatorsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Allocate a buffer for the absolute SD */

    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            sizeof(SECURITY_DESCRIPTOR));

    if (AbsSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Create the absolute SD */

    Status = RtlCreateSecurityDescriptor(AbsSD,

                                         SECURITY_DESCRIPTOR_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the DACL */

    DaclSize = sizeof(ACL) +

               3 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AdministratorsSid) +

               RtlLengthSid(AccountOperatorsSid);


    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Dacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Dacl,

                          DaclSize,

                          ACL_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    READ_CONTROL | GROUP_LIST_MEMBERS | GROUP_READ_INFORMATION,

                                    EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    GROUP_ALL_ACCESS,

                                    AdministratorsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    GROUP_ALL_ACCESS,

                                    AccountOperatorsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the DACL */

    Status = RtlSetDaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Dacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the SACL */

    SaclSize = sizeof(ACL) +

               2 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AnonymousSid);


    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Sacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Sacl,

                          SaclSize,

                          ACL_REVISION);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |

                                  GROUP_REMOVE_MEMBER | GROUP_ADD_MEMBER |

                                  GROUP_WRITE_ACCOUNT,

                                  EveryoneSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,

                                  AnonymousSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the SACL */

    Status = RtlSetSaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Sacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the owner SID */

    Status = RtlSetOwnerSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the group SID */

    Status = RtlSetGroupSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Get the required buffer size for the self-relative SD */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         NULL,

                                         &RelSDSize);

    if (Status != STATUS_BUFFER_TOO_SMALL)

        goto done;


    /* Allocate a buffer for the self-relative SD */

    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            RelSDSize);

    if (RelSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Convert the absolute SD to self-relative format */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         RelSD,

                                         &RelSDSize);

    if (Status == STATUS_BUFFER_TOO_SMALL)

    {

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    *GroupSd = RelSD;

    *Size = RelSDSize;


done:

    if (!NT_SUCCESS(Status))

    {

        if (RelSD != NULL)

            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);

    }


    if (EveryoneSid != NULL)

        RtlFreeSid(EveryoneSid);


    if (AnonymousSid != NULL)

        RtlFreeSid(AnonymousSid);


    if (AdministratorsSid != NULL)

        RtlFreeSid(AdministratorsSid);


    if (Dacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);


    if (Sacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);


    if (AbsSD != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);


    return Status;

}


NTSTATUS

SampCreateUserSD(IN PSID UserSid,

                 OUT PSECURITY_DESCRIPTOR *UserSd,

                 OUT PULONG Size)

{

    PSECURITY_DESCRIPTOR AbsSD = NULL;

    PSECURITY_DESCRIPTOR RelSD = NULL;

    PSID EveryoneSid = NULL;

    PSID AnonymousSid = NULL;

    PSID AdministratorsSid = NULL;

    PACL Dacl = NULL;

    PACL Sacl = NULL;

    ULONG DaclSize;

    ULONG SaclSize;

    ULONG RelSDSize = 0;

    NTSTATUS Status = STATUS_SUCCESS;


    /* Create the Everyone SID */

    Status = RtlAllocateAndInitializeSid(&WorldAuthority,

                                         1,

                                         SECURITY_WORLD_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Anonymous SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         1,

                                         SECURITY_ANONYMOUS_LOGON_RID,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AnonymousSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Create the Administrators SID */

    Status = RtlAllocateAndInitializeSid(&NtAuthority,

                                         2,

                                         SECURITY_BUILTIN_DOMAIN_RID,

                                         DOMAIN_ALIAS_RID_ADMINS,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         0,

                                         &AdministratorsSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* Allocate a buffer for the absolute SD */

    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            sizeof(SECURITY_DESCRIPTOR));

    if (AbsSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Create the absolute SD */

    Status = RtlCreateSecurityDescriptor(AbsSD,

                                         SECURITY_DESCRIPTOR_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the DACL */

    DaclSize = sizeof(ACL) +

               3 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AdministratorsSid) +

               RtlLengthSid(UserSid);


    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Dacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Dacl,

                          DaclSize,

                          ACL_REVISION);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    READ_CONTROL | USER_READ_GROUP_INFORMATION | USER_LIST_GROUPS |

                                    USER_CHANGE_PASSWORD | USER_READ_ACCOUNT | USER_READ_LOGON |

                                    USER_READ_PREFERENCES | USER_READ_GENERAL,

                                    EveryoneSid);

    ASSERT(NT_SUCCESS(Status));

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    USER_ALL_ACCESS,

                                    AdministratorsSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAccessAllowedAce(Dacl,

                                    ACL_REVISION,

                                    READ_CONTROL | USER_CHANGE_PASSWORD | USER_WRITE_PREFERENCES,

                                    UserSid);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the DACL */

    Status = RtlSetDaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Dacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* allocate and create the SACL */

    SaclSize = sizeof(ACL) +

               2 * sizeof(ACE) +

               RtlLengthSid(EveryoneSid) +

               RtlLengthSid(AnonymousSid);


    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),

                           HEAP_ZERO_MEMORY,

                           DaclSize);

    if (Sacl == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    Status = RtlCreateAcl(Sacl,

                          SaclSize,

                          ACL_REVISION);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |

                                  USER_CHANGE_PASSWORD | USER_WRITE_PREFERENCES,

                                  EveryoneSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    Status = RtlAddAuditAccessAce(Sacl,

                                  ACL_REVISION,

                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,

                                  AnonymousSid,

                                  TRUE,

                                  TRUE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the SACL */

    Status = RtlSetSaclSecurityDescriptor(AbsSD,

                                          TRUE,

                                          Sacl,

                                          FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the owner SID */

    Status = RtlSetOwnerSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Set the group SID */

    Status = RtlSetGroupSecurityDescriptor(AbsSD,

                                           AdministratorsSid,

                                           FALSE);

    ASSERT(Status == STATUS_SUCCESS);

    if (!NT_SUCCESS(Status))

        goto done;


    /* Get the required buffer size for the self-relative SD */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         NULL,

                                         &RelSDSize);

    if (Status != STATUS_BUFFER_TOO_SMALL)

        goto done;


    /* Allocate a buffer for the self-relative SD */

    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),

                            HEAP_ZERO_MEMORY,

                            RelSDSize);

    if (RelSD == NULL)

    {

        Status = STATUS_INSUFFICIENT_RESOURCES;

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    /* Convert the absolute SD to self-relative format */

    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,

                                         RelSD,

                                         &RelSDSize);

    if (Status == STATUS_BUFFER_TOO_SMALL)

    {

    ASSERT(Status == STATUS_SUCCESS);

        goto done;

    }


    *UserSd = RelSD;

    *Size = RelSDSize;


done:

    if (!NT_SUCCESS(Status))

    {

        if (RelSD != NULL)

            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);

    }


    if (EveryoneSid != NULL)

        RtlFreeSid(EveryoneSid);


    if (AnonymousSid != NULL)

        RtlFreeSid(AnonymousSid);


    if (AdministratorsSid != NULL)

        RtlFreeSid(AdministratorsSid);


    if (Dacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);


    if (Sacl != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);


    if (AbsSD != NULL)

        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);


    return Status;

}


/* EOF */

NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26

NtAuthority
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40

RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:616

RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:634

NULL
#define NULL
Definition: types.h:112

TRUE
#define TRUE
Definition: types.h:120

FALSE
#define FALSE
Definition: types.h:117

NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33

HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134

WorldAuthority
static SID_IDENTIFIER_AUTHORITY WorldAuthority
Definition: security.c:14

SampCreateBuiltinDomainSD
NTSTATUS SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd, OUT PULONG Size)
Definition: security.c:283

SampCreateGroupSD
NTSTATUS SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR *GroupSd, OUT PULONG Size)
Definition: security.c:1146

SampCreateServerSD
NTSTATUS SampCreateServerSD(OUT PSECURITY_DESCRIPTOR *ServerSd, OUT PULONG Size)
Definition: security.c:21

SampCreateAliasSD
NTSTATUS SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd, OUT PULONG Size)
Definition: security.c:859

SampCreateUserSD
NTSTATUS SampCreateUserSD(IN PSID UserSid, OUT PSECURITY_DESCRIPTOR *UserSd, OUT PULONG Size)
Definition: security.c:1433

SampCreateAccountDomainSD
NTSTATUS SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd, OUT PULONG Size)
Definition: security.c:545

Status
Status
Definition: gdiplustypes.h:25

RtlAddAccessAllowedAce
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)

RtlSetOwnerSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)

RtlSetDaclSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)

ASSERT
#define ASSERT(a)
Definition: mode.c:44

ACL
struct _ACL ACL

Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1617

RtlCreateAcl
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)

RtlAddAuditAccessAce
NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)

SaclSize
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL _Inout_ PULONG SaclSize
Definition: rtlfuncs.h:1620

RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150

RtlCreateSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)

Sacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG _Out_writes_bytes_to_opt_ SaclSize PACL Sacl
Definition: rtlfuncs.h:1619

RtlFreeSid
NTSYSAPI PVOID NTAPI RtlFreeSid(_In_ _Post_invalid_ PSID Sid)

DaclSize
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1618

SPECIFIC_RIGHTS_ALL
#define SPECIFIC_RIGHTS_ALL
Definition: nt_native.h:71

WRITE_DAC
#define WRITE_DAC
Definition: nt_native.h:59

ACCESS_SYSTEM_SECURITY
#define ACCESS_SYSTEM_SECURITY
Definition: nt_native.h:77

STANDARD_RIGHTS_ALL
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69

DELETE
#define DELETE
Definition: nt_native.h:57

READ_CONTROL
#define READ_CONTROL
Definition: nt_native.h:58

RtlAllocateAndInitializeSid
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290

RtlSetGroupSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410

RtlSetSaclSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342

RtlAbsoluteToSelfRelativeSD
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626

USER_READ_GENERAL
#define USER_READ_GENERAL
Definition: ntsam.h:126

SAM_SERVER_READ
#define SAM_SERVER_READ
Definition: ntsam.h:106

USER_READ_LOGON
#define USER_READ_LOGON
Definition: ntsam.h:129

GROUP_ALL_ACCESS
#define GROUP_ALL_ACCESS
Definition: ntsam.h:92

SAM_SERVER_EXECUTE
#define SAM_SERVER_EXECUTE
Definition: ntsam.h:114

GROUP_READ_INFORMATION
#define GROUP_READ_INFORMATION
Definition: ntsam.h:75

GROUP_ADD_MEMBER
#define GROUP_ADD_MEMBER
Definition: ntsam.h:77

DOMAIN_ALL_ACCESS
#define DOMAIN_ALL_ACCESS
Definition: ntsam.h:62

SAM_SERVER_SHUTDOWN
#define SAM_SERVER_SHUTDOWN
Definition: ntsam.h:100

DOMAIN_CREATE_GROUP
#define DOMAIN_CREATE_GROUP
Definition: ntsam.h:38

USER_READ_PREFERENCES
#define USER_READ_PREFERENCES
Definition: ntsam.h:127

USER_READ_ACCOUNT
#define USER_READ_ACCOUNT
Definition: ntsam.h:130

DOMAIN_CREATE_ALIAS
#define DOMAIN_CREATE_ALIAS
Definition: ntsam.h:39

DOMAIN_EXECUTE
#define DOMAIN_EXECUTE
Definition: ntsam.h:57

ALIAS_WRITE_ACCOUNT
#define ALIAS_WRITE_ACCOUNT
Definition: ntsam.h:13

ALIAS_LIST_MEMBERS
#define ALIAS_LIST_MEMBERS
Definition: ntsam.h:11

USER_LIST_GROUPS
#define USER_LIST_GROUPS
Definition: ntsam.h:134

GROUP_LIST_MEMBERS
#define GROUP_LIST_MEMBERS
Definition: ntsam.h:79

ALIAS_READ_INFORMATION
#define ALIAS_READ_INFORMATION
Definition: ntsam.h:12

USER_WRITE_PREFERENCES
#define USER_WRITE_PREFERENCES
Definition: ntsam.h:128

USER_ALL_ACCESS
#define USER_ALL_ACCESS
Definition: ntsam.h:153

GROUP_WRITE_ACCOUNT
#define GROUP_WRITE_ACCOUNT
Definition: ntsam.h:76

GROUP_REMOVE_MEMBER
#define GROUP_REMOVE_MEMBER
Definition: ntsam.h:78

USER_CHANGE_PASSWORD
#define USER_CHANGE_PASSWORD
Definition: ntsam.h:132

ALIAS_REMOVE_MEMBER
#define ALIAS_REMOVE_MEMBER
Definition: ntsam.h:10

DOMAIN_CREATE_USER
#define DOMAIN_CREATE_USER
Definition: ntsam.h:37

USER_READ_GROUP_INFORMATION
#define USER_READ_GROUP_INFORMATION
Definition: ntsam.h:135

DOMAIN_READ
#define DOMAIN_READ
Definition: ntsam.h:45

SAM_SERVER_ALL_ACCESS
#define SAM_SERVER_ALL_ACCESS
Definition: ntsam.h:118

SAM_SERVER_CREATE_DOMAIN
#define SAM_SERVER_CREATE_DOMAIN
Definition: ntsam.h:102

ALIAS_ALL_ACCESS
#define ALIAS_ALL_ACCESS
Definition: ntsam.h:26

SAM_SERVER_INITIALIZE
#define SAM_SERVER_INITIALIZE
Definition: ntsam.h:101

ALIAS_ADD_MEMBER
#define ALIAS_ADD_MEMBER
Definition: ntsam.h:9

samsrv.h

STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: shellext.h:65

STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69

_ACE
Definition: rtltypes.h:987

_ACL
Definition: ms-dtyp.idl:293

_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301

_SID_IDENTIFIER_AUTHORITY
Definition: ms-dtyp.idl:194

_SID
Definition: ms-dtyp.idl:198

PULONG
uint32_t * PULONG
Definition: typedefs.h:59

IN
#define IN
Definition: typedefs.h:39

ULONG
uint32_t ULONG
Definition: typedefs.h:59

OUT
#define OUT
Definition: typedefs.h:40

STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158

Size
_Must_inspect_result_ _In_ WDFDEVICE _In_ PWDF_DEVICE_PROPERTY_DATA _In_ DEVPROPTYPE _In_ ULONG Size
Definition: wdfdevice.h:4533

SECURITY_ANONYMOUS_LOGON_RID
#define SECURITY_ANONYMOUS_LOGON_RID
Definition: setypes.h:563

DOMAIN_ALIAS_RID_USERS
#define DOMAIN_ALIAS_RID_USERS
Definition: setypes.h:653

DOMAIN_ALIAS_RID_GUESTS
#define DOMAIN_ALIAS_RID_GUESTS
Definition: setypes.h:654

SECURITY_BUILTIN_DOMAIN_RID
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581

SECURITY_WORLD_SID_AUTHORITY
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527

SECURITY_WORLD_RID
#define SECURITY_WORLD_RID
Definition: setypes.h:541

DOMAIN_ALIAS_RID_ACCOUNT_OPS
#define DOMAIN_ALIAS_RID_ACCOUNT_OPS
Definition: setypes.h:657

SECURITY_NT_AUTHORITY
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554

SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58

ACL_REVISION
#define ACL_REVISION
Definition: setypes.h:39

DOMAIN_ALIAS_RID_ADMINS
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652