#include "lsasrv.h"
#include "resources.h"

Include dependency graph for privileges.c:

Classes
struct	PRIVILEGE_DATA

struct	RIGHT_DATA

Functions
NTSTATUS	LsarpLookupPrivilegeName (PLUID Value, PRPC_UNICODE_STRING *Name)

NTSTATUS	LsarpLookupPrivilegeDisplayName (PRPC_UNICODE_STRING Name, USHORT ClientLanguage, USHORT ClientSystemDefaultLanguage, PRPC_UNICODE_STRING DisplayName, USHORT LanguageReturned)

PLUID	LsarpLookupPrivilegeValue (IN PRPC_UNICODE_STRING Name)

NTSTATUS	LsarpEnumeratePrivileges (DWORD *EnumerationContext, PLSAPR_PRIVILEGE_ENUM_BUFFER EnumerationBuffer, DWORD PreferedMaximumLength)

NTSTATUS	LsapLookupAccountRightName (ULONG RightValue, PRPC_UNICODE_STRING *Name)

ACCESS_MASK	LsapLookupAccountRightValue (IN PRPC_UNICODE_STRING Name)

Variables
static const PRIVILEGE_DATA	WellKnownPrivileges []

static const RIGHT_DATA	WellKnownRights []

Function Documentation

◆ LsapLookupAccountRightName()

NTSTATUS LsapLookupAccountRightName	(	ULONG	RightValue,
		PRPC_UNICODE_STRING *	Name
	)

Definition at line 343 of file privileges.c.

{
    PRPC_UNICODE_STRING NameBuffer;
    ULONG i;
 
    for (i = 0; i < ARRAYSIZE(WellKnownRights); i++)
    {
        if (WellKnownRights[i].Flag == RightValue)
        {
            NameBuffer = MIDL_user_allocate(sizeof(RPC_UNICODE_STRING));
            if (NameBuffer == NULL)
                return STATUS_NO_MEMORY;
 
            NameBuffer->Length = (USHORT)wcslen(WellKnownRights[i].Name) * sizeof(WCHAR);
            NameBuffer->MaximumLength = NameBuffer->Length + sizeof(WCHAR);
 
            NameBuffer->Buffer = MIDL_user_allocate(NameBuffer->MaximumLength);
            if (NameBuffer->Buffer == NULL)
            {
                MIDL_user_free(NameBuffer);
                return STATUS_INSUFFICIENT_RESOURCES;
            }
 
            wcscpy(NameBuffer->Buffer, WellKnownRights[i].Name);
 
            *Name = NameBuffer;
 
            return STATUS_SUCCESS;
        }
    }
 
    return STATUS_NO_SUCH_PRIVILEGE;
}

Referenced by LsarEnumerateAccountRights().

◆ LsapLookupAccountRightValue()

ACCESS_MASK LsapLookupAccountRightValue ( IN PRPC_UNICODE_STRING Name )

Definition at line 380 of file privileges.c.

{
    ULONG i;
 
    if (Name->Length == 0 || Name->Buffer == NULL)
        return 0;
 
    for (i = 0; i < ARRAYSIZE(WellKnownRights); i++)
    {
        if (_wcsicmp(Name->Buffer, WellKnownRights[i].Name) == 0)
            return WellKnownRights[i].Flag;
    }
 
    return 0;
}

Referenced by LsarAddAccountRights(), LsarEnumerateAccountsWithUserRight(), and LsarRemoveAccountRights().

◆ LsarpEnumeratePrivileges()

NTSTATUS LsarpEnumeratePrivileges	(	DWORD *	EnumerationContext,
		PLSAPR_PRIVILEGE_ENUM_BUFFER	EnumerationBuffer,
		DWORD	PreferedMaximumLength
	)

Definition at line 246 of file privileges.c.

{
    PLSAPR_POLICY_PRIVILEGE_DEF Privileges = NULL;
    ULONG EnumIndex;
    ULONG EnumCount = 0;
    ULONG RequiredLength = 0;
    ULONG i;
    BOOLEAN MoreEntries = FALSE;
    NTSTATUS Status = STATUS_SUCCESS;
 
    EnumIndex = *EnumerationContext;
 
    for (; EnumIndex < ARRAYSIZE(WellKnownPrivileges); EnumIndex++)
    {
        TRACE("EnumIndex: %lu\n", EnumIndex);
        TRACE("Privilege Name: %S\n", WellKnownPrivileges[EnumIndex].Name);
        TRACE("Name Length: %lu\n", wcslen(WellKnownPrivileges[EnumIndex].Name));
 
        if ((RequiredLength +
             wcslen(WellKnownPrivileges[EnumIndex].Name) * sizeof(WCHAR) +
             sizeof(UNICODE_NULL) +
             sizeof(LSAPR_POLICY_PRIVILEGE_DEF)) > PreferedMaximumLength)
        {
            MoreEntries = TRUE;
            break;
        }
 
        RequiredLength += (wcslen(WellKnownPrivileges[EnumIndex].Name) * sizeof(WCHAR) +
                           sizeof(UNICODE_NULL) + sizeof(LSAPR_POLICY_PRIVILEGE_DEF));
        EnumCount++;
    }
 
    TRACE("EnumCount: %lu\n", EnumCount);
    TRACE("RequiredLength: %lu\n", RequiredLength);
 
    if (EnumCount == 0)
        goto done;
 
    Privileges = MIDL_user_allocate(EnumCount * sizeof(LSAPR_POLICY_PRIVILEGE_DEF));
    if (Privileges == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto done;
    }
 
    EnumIndex = *EnumerationContext;
 
    for (i = 0; i < EnumCount; i++, EnumIndex++)
    {
        Privileges[i].LocalValue = WellKnownPrivileges[EnumIndex].Luid;
 
        Privileges[i].Name.Length = (USHORT)wcslen(WellKnownPrivileges[EnumIndex].Name) * sizeof(WCHAR);
        Privileges[i].Name.MaximumLength = (USHORT)Privileges[i].Name.Length + sizeof(UNICODE_NULL);
 
        Privileges[i].Name.Buffer = MIDL_user_allocate(Privileges[i].Name.MaximumLength);
        if (Privileges[i].Name.Buffer == NULL)
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
            goto done;
        }
 
        memcpy(Privileges[i].Name.Buffer,
               WellKnownPrivileges[EnumIndex].Name,
               Privileges[i].Name.Length);
    }
 
done:
    if (NT_SUCCESS(Status))
    {
        EnumerationBuffer->Entries = EnumCount;
        EnumerationBuffer->Privileges = Privileges;
        *EnumerationContext += EnumCount;
    }
    else
    {
        if (Privileges != NULL)
        {
            for (i = 0; i < EnumCount; i++)
            {
                if (Privileges[i].Name.Buffer != NULL)
                    MIDL_user_free(Privileges[i].Name.Buffer);
            }
 
            MIDL_user_free(Privileges);
        }
    }
 
    if ((Status == STATUS_SUCCESS) && (MoreEntries != FALSE))
        Status = STATUS_MORE_ENTRIES;
 
    return Status;
}

Referenced by LsarEnumeratePrivileges().

◆ LsarpLookupPrivilegeDisplayName()

NTSTATUS LsarpLookupPrivilegeDisplayName	(	PRPC_UNICODE_STRING	Name,
		USHORT	ClientLanguage,
		USHORT	ClientSystemDefaultLanguage,
		PRPC_UNICODE_STRING *	DisplayName,
		USHORT *	LanguageReturned
	)

Definition at line 125 of file privileges.c.

{
    PRPC_UNICODE_STRING DisplayNameBuffer;
    HINSTANCE hInstance;
    ULONG Index;
    UINT nLength;
 
    TRACE("LsarpLookupPrivilegeDisplayName(%p 0x%04hu 0x%04hu %p %p)\n",
          Name, ClientLanguage, ClientSystemDefaultLanguage, DisplayName, LanguageReturned);
 
    if (Name->Length == 0 || Name->Buffer == NULL)
        return STATUS_INVALID_PARAMETER;
 
    hInstance = GetModuleHandleW(L"lsasrv.dll");
 
    for (Index = 0; Index < ARRAYSIZE(WellKnownPrivileges); Index++)
    {
        if (_wcsicmp(Name->Buffer, WellKnownPrivileges[Index].Name) == 0)
        {
            TRACE("Index: %u\n", Index);
            nLength = LsapGetResourceStringLengthEx(hInstance,
                                                    IDS_CREATE_TOKEN_PRIVILEGE + Index,
                                                    ClientLanguage);
            if (nLength != 0)
            {
                DisplayNameBuffer = MIDL_user_allocate(sizeof(RPC_UNICODE_STRING));
                if (DisplayNameBuffer == NULL)
                    return STATUS_NO_MEMORY;
 
                DisplayNameBuffer->Length = nLength * sizeof(WCHAR);
                DisplayNameBuffer->MaximumLength = DisplayNameBuffer->Length + sizeof(WCHAR);
 
                DisplayNameBuffer->Buffer = MIDL_user_allocate(DisplayNameBuffer->MaximumLength);
                if (DisplayNameBuffer->Buffer == NULL)
                {
                    MIDL_user_free(DisplayNameBuffer);
                    return STATUS_NO_MEMORY;
                }
 
                LsapLoadStringEx(hInstance,
                                 IDS_CREATE_TOKEN_PRIVILEGE + Index,
                                 ClientLanguage,
                                 DisplayNameBuffer->Buffer,
                                 nLength);
 
                *DisplayName = DisplayNameBuffer;
                *LanguageReturned = ClientLanguage;
            }
            else
            {
                nLength = LsapGetResourceStringLengthEx(hInstance,
                                                        IDS_CREATE_TOKEN_PRIVILEGE + Index,
                                                        ClientSystemDefaultLanguage);
                if (nLength != 0)
                {
                    DisplayNameBuffer = MIDL_user_allocate(sizeof(RPC_UNICODE_STRING));
                    if (DisplayNameBuffer == NULL)
                        return STATUS_NO_MEMORY;
 
                    DisplayNameBuffer->Length = nLength * sizeof(WCHAR);
                    DisplayNameBuffer->MaximumLength = DisplayNameBuffer->Length + sizeof(WCHAR);
 
                    DisplayNameBuffer->Buffer = MIDL_user_allocate(DisplayNameBuffer->MaximumLength);
                    if (DisplayNameBuffer->Buffer == NULL)
                    {
                        MIDL_user_free(DisplayNameBuffer);
                        return STATUS_NO_MEMORY;
                    }
 
                    LsapLoadStringEx(hInstance,
                                     IDS_CREATE_TOKEN_PRIVILEGE + Index,
                                     ClientSystemDefaultLanguage,
                                     DisplayNameBuffer->Buffer,
                                     nLength);
 
                    *DisplayName = DisplayNameBuffer;
                    *LanguageReturned = ClientSystemDefaultLanguage;
                }
                else
                {
                    return STATUS_INVALID_PARAMETER;
#if 0
                    nLength = LsapGetResourceStringLengthEx(hInstance,
                                                            IDS_CREATE_TOKEN_PRIVILEGE + Index,
                                                            0x409);
#endif
                }
            }
 
            return STATUS_SUCCESS;
        }
    }
 
    return STATUS_NO_SUCH_PRIVILEGE;
}

Referenced by LsarLookupPrivilegeDisplayName().

◆ LsarpLookupPrivilegeName()

NTSTATUS LsarpLookupPrivilegeName	(	PLUID	Value,
		PRPC_UNICODE_STRING *	Name
	)

Definition at line 80 of file privileges.c.

{
    PRPC_UNICODE_STRING NameBuffer;
    ULONG Priv;
 
    if (Value->HighPart != 0 ||
        (Value->LowPart < SE_MIN_WELL_KNOWN_PRIVILEGE ||
         Value->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE))
    {
        return STATUS_NO_SUCH_PRIVILEGE;
    }
 
    for (Priv = 0; Priv < ARRAYSIZE(WellKnownPrivileges); Priv++)
    {
        if (Value->LowPart == WellKnownPrivileges[Priv].Luid.LowPart &&
            Value->HighPart == WellKnownPrivileges[Priv].Luid.HighPart)
        {
            NameBuffer = MIDL_user_allocate(sizeof(RPC_UNICODE_STRING));
            if (NameBuffer == NULL)
                return STATUS_NO_MEMORY;
 
            NameBuffer->Length = (USHORT)wcslen(WellKnownPrivileges[Priv].Name) * sizeof(WCHAR);
            NameBuffer->MaximumLength = NameBuffer->Length + sizeof(WCHAR);
 
            NameBuffer->Buffer = MIDL_user_allocate(NameBuffer->MaximumLength);
            if (NameBuffer->Buffer == NULL)
            {
                MIDL_user_free(NameBuffer);
                return STATUS_NO_MEMORY;
            }
 
            wcscpy(NameBuffer->Buffer, WellKnownPrivileges[Priv].Name);
 
            *Name = NameBuffer;
 
            return STATUS_SUCCESS;
        }
    }
 
    return STATUS_NO_SUCH_PRIVILEGE;
}

Referenced by LsarLookupPrivilegeName().

◆ LsarpLookupPrivilegeValue()

PLUID LsarpLookupPrivilegeValue ( IN PRPC_UNICODE_STRING Name )

Definition at line 227 of file privileges.c.

{
    ULONG Priv;
 
    if (Name->Length == 0 || Name->Buffer == NULL)
        return NULL;
 
    for (Priv = 0; Priv < ARRAYSIZE(WellKnownPrivileges); Priv++)
    {
        if (_wcsicmp(Name->Buffer, WellKnownPrivileges[Priv].Name) == 0)
            return (PLUID)&(WellKnownPrivileges[Priv].Luid);
    }
 
    return NULL;
}

Referenced by LsarAddAccountRights(), LsarEnumerateAccountsWithUserRight(), LsarLookupPrivilegeValue(), and LsarRemoveAccountRights().

Variable Documentation

◆ WellKnownPrivileges

const PRIVILEGE_DATA WellKnownPrivileges[]

static

Definition at line 29 of file privileges.c.

Referenced by LsarpEnumeratePrivileges(), LsarpLookupPrivilegeDisplayName(), LsarpLookupPrivilegeName(), and LsarpLookupPrivilegeValue().

◆ WellKnownRights

const RIGHT_DATA WellKnownRights[]

static

Initial value:

=
{
    {SECURITY_ACCESS_INTERACTIVE_LOGON, SE_INTERACTIVE_LOGON_NAME},
    {SECURITY_ACCESS_NETWORK_LOGON, SE_NETWORK_LOGON_NAME},
    {SECURITY_ACCESS_BATCH_LOGON, SE_BATCH_LOGON_NAME},
    {SECURITY_ACCESS_SERVICE_LOGON, SE_SERVICE_LOGON_NAME},
    {SECURITY_ACCESS_DENY_INTERACTIVE_LOGON, SE_DENY_INTERACTIVE_LOGON_NAME},
    {SECURITY_ACCESS_DENY_NETWORK_LOGON, SE_DENY_NETWORK_LOGON_NAME},
    {SECURITY_ACCESS_DENY_BATCH_LOGON, SE_DENY_BATCH_LOGON_NAME},
    {SECURITY_ACCESS_DENY_SERVICE_LOGON, SE_DENY_SERVICE_LOGON_NAME},
    {SECURITY_ACCESS_REMOTE_INTERACTIVE_LOGON, SE_REMOTE_INTERACTIVE_LOGON_NAME},
    {SECURITY_ACCESS_DENY_REMOTE_INTERACTIVE_LOGON, SE_DENY_REMOTE_INTERACTIVE_LOGON_NAME}
}

Definition at line 62 of file privileges.c.

Referenced by LsapLookupAccountRightName(), and LsapLookupAccountRightValue().

Classes

Functions

Variables