ReactOS 0.4.15-dev-7924-g5949c20
Functions
token.c File Reference
#include <advapi32.h>
#include <ndk/setypes.h>
Include dependency graph for token.c:

Go to the source code of this file.

Functions

 WINE_DEFAULT_DEBUG_CHANNEL (advapi)
 
BOOL WINAPI CheckTokenMembership (IN HANDLE ExistingTokenHandle, IN PSID SidToCheck, OUT PBOOL IsMember)
 
BOOL WINAPI IsTokenRestricted (HANDLE TokenHandle)
 
PSID WINAPI GetSiteSidFromToken (IN HANDLE TokenHandle)
 

Function Documentation

◆ CheckTokenMembership()

BOOL WINAPI CheckTokenMembership ( IN HANDLE  ExistingTokenHandle,
IN PSID  SidToCheck,
OUT PBOOL  IsMember 
)

Definition at line 21 of file token.c.

24{
25 PISECURITY_DESCRIPTOR SecurityDescriptor = NULL;
26 ACCESS_MASK GrantedAccess;
27 struct
28 {
29 PRIVILEGE_SET PrivilegeSet;
30 LUID_AND_ATTRIBUTES Privileges[4];
31 } PrivBuffer;
32 ULONG PrivBufferSize = sizeof(PrivBuffer);
33 GENERIC_MAPPING GenericMapping =
34 {
35 STANDARD_RIGHTS_READ,
36 STANDARD_RIGHTS_WRITE,
37 STANDARD_RIGHTS_EXECUTE,
38 STANDARD_RIGHTS_ALL
39 };
40 PACL Dacl;
41 ULONG SidLen;
42 HANDLE hToken = NULL;
43 NTSTATUS Status, AccessStatus;
44
45 /* doesn't return gracefully if IsMember is NULL! */
46 *IsMember = FALSE;
47
48 SidLen = RtlLengthSid(SidToCheck);
49
50 if (ExistingTokenHandle == NULL)
51 {
52 Status = NtOpenThreadToken(NtCurrentThread(),
53 TOKEN_QUERY,
54 FALSE,
55 &hToken);
56
57 if (Status == STATUS_NO_TOKEN)
58 {
59 /* we're not impersonating, open the primary token */
60 Status = NtOpenProcessToken(NtCurrentProcess(),
61 TOKEN_QUERY | TOKEN_DUPLICATE,
62 &hToken);
63 if (NT_SUCCESS(Status))
64 {
65 HANDLE hNewToken = FALSE;
66 BOOL DupRet;
67
68 /* duplicate the primary token to create an impersonation token */
69 DupRet = DuplicateTokenEx(hToken,
70 TOKEN_QUERY | TOKEN_IMPERSONATE,
71 NULL,
72 SecurityImpersonation,
73 TokenImpersonation,
74 &hNewToken);
75
76 NtClose(hToken);
77
78 if (!DupRet)
79 {
80 WARN("Failed to duplicate the primary token!\n");
81 return FALSE;
82 }
83
84 hToken = hNewToken;
85 }
86 }
87
88 if (!NT_SUCCESS(Status))
89 {
90 goto Cleanup;
91 }
92 }
93 else
94 {
95 hToken = ExistingTokenHandle;
96 }
97
98 /* create a security descriptor */
99 SecurityDescriptor = RtlAllocateHeap(RtlGetProcessHeap(),
100 0,
101 sizeof(SECURITY_DESCRIPTOR) +
102 sizeof(ACL) + SidLen +
103 FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart));
104 if (SecurityDescriptor == NULL)
105 {
106 Status = STATUS_INSUFFICIENT_RESOURCES;
107 goto Cleanup;
108 }
109
110 Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
111 SECURITY_DESCRIPTOR_REVISION);
112 if (!NT_SUCCESS(Status))
113 {
114 goto Cleanup;
115 }
116
117 /* set the owner and group */
118 Status = RtlSetOwnerSecurityDescriptor(SecurityDescriptor,
119 SidToCheck,
120 FALSE);
121 if (!NT_SUCCESS(Status))
122 {
123 goto Cleanup;
124 }
125
126 Status = RtlSetGroupSecurityDescriptor(SecurityDescriptor,
127 SidToCheck,
128 FALSE);
129 if (!NT_SUCCESS(Status))
130 {
131 goto Cleanup;
132 }
133
134 /* create the DACL */
135 Dacl = (PACL)(SecurityDescriptor + 1);
136 Status = RtlCreateAcl(Dacl,
137 sizeof(ACL) + SidLen + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart),
138 ACL_REVISION);
139 if (!NT_SUCCESS(Status))
140 {
141 goto Cleanup;
142 }
143
144 Status = RtlAddAccessAllowedAce(Dacl,
145 ACL_REVISION,
146 0x1,
147 SidToCheck);
148 if (!NT_SUCCESS(Status))
149 {
150 goto Cleanup;
151 }
152
153 /* assign the DACL to the security descriptor */
154 Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
155 TRUE,
156 Dacl,
157 FALSE);
158 if (!NT_SUCCESS(Status))
159 {
160 goto Cleanup;
161 }
162
163 /* it's time to perform the access check. Just use _some_ desired access right
164 (same as for the ACE) and see if we're getting it granted. This indicates
165 our SID is a member of the token. We however can't use a generic access
166 right as those aren't mapped and return an error (STATUS_GENERIC_NOT_MAPPED). */
167 Status = NtAccessCheck(SecurityDescriptor,
168 hToken,
169 0x1,
170 &GenericMapping,
171 &PrivBuffer.PrivilegeSet,
172 &PrivBufferSize,
173 &GrantedAccess,
174 &AccessStatus);
175 if (NT_SUCCESS(Status) && NT_SUCCESS(AccessStatus) && (GrantedAccess == 0x1))
176 {
177 *IsMember = TRUE;
178 }
179
180Cleanup:
181 if (hToken != NULL && hToken != ExistingTokenHandle)
182 {
183 NtClose(hToken);
184 }
185
186 if (SecurityDescriptor != NULL)
187 {
188 RtlFreeHeap(RtlGetProcessHeap(),
189 0,
190 SecurityDescriptor);
191 }
192
193 if (!NT_SUCCESS(Status))
194 {
195 SetLastError(RtlNtStatusToDosError(Status));
196 return FALSE;
197 }
198
199 return TRUE;
200}
GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11
NtAccessCheck
NTSTATUS NTAPI NtAccessCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE ClientToken, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_writes_bytes_(*PrivilegeSetLength) PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access can be granted to a client that requests such access on an object.
Definition: accesschk.c:2214
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
WARN
#define WARN(fmt,...)
Definition: debug.h:112
RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
NULL
#define NULL
Definition: types.h:112
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
DuplicateTokenEx
BOOL WINAPI DuplicateTokenEx(IN HANDLE ExistingTokenHandle, IN DWORD dwDesiredAccess, IN LPSECURITY_ATTRIBUTES lpTokenAttributes OPTIONAL, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN TOKEN_TYPE TokenType, OUT PHANDLE DuplicateTokenHandle)
Definition: security.c:3859
SetLastError
#define SetLastError(x)
Definition: compat.h:752
Cleanup
static const WCHAR Cleanup[]
Definition: register.c:80
BOOL
unsigned int BOOL
Definition: ntddk_ex.h:94
Status
Status
Definition: gdiplustypes.h:25
RtlAddAccessAllowedAce
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
RtlSetOwnerSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
RtlNtStatusToDosError
NTSYSAPI ULONG WINAPI RtlNtStatusToDosError(NTSTATUS)
RtlSetDaclSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
SecurityImpersonation
@ SecurityImpersonation
Definition: lsa.idl:57
TokenImpersonation
@ TokenImpersonation
Definition: imports.h:274
PACL
struct _ACL * PACL
Definition: security.c:105
Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1593
RtlCreateAcl
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
RtlCreateSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40
NtCurrentProcess
#define NtCurrentProcess()
Definition: nt_native.h:1657
STANDARD_RIGHTS_READ
#define STANDARD_RIGHTS_READ
Definition: nt_native.h:65
STANDARD_RIGHTS_ALL
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69
STANDARD_RIGHTS_WRITE
#define STANDARD_RIGHTS_WRITE
Definition: nt_native.h:66
NtClose
NTSTATUS NTAPI NtClose(IN HANDLE Handle)
Definition: obhandle.c:3402
STANDARD_RIGHTS_EXECUTE
#define STANDARD_RIGHTS_EXECUTE
Definition: nt_native.h:67
RtlSetGroupSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
NtOpenProcessToken
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350
NtOpenThreadToken
NTSTATUS NTAPI NtOpenThreadToken(_In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ BOOLEAN OpenAsSelf, _Out_ PHANDLE TokenHandle)
Opens a token that is tied to a thread handle.
Definition: token.c:2474
STATUS_NO_TOKEN
#define STATUS_NO_TOKEN
Definition: ntstatus.h:360
_ACCESS_ALLOWED_ACE
Definition: ms-dtyp.idl:215
_ACL
Definition: ms-dtyp.idl:293
_GENERIC_MAPPING
Definition: nt_native.h:564
_LUID_AND_ATTRIBUTES
Definition: setypes.h:73
_PRIVILEGE_SET
Definition: setypes.h:85
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
FIELD_OFFSET
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
ULONG
uint32_t ULONG
Definition: typedefs.h:59
STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:191
Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:17
AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:21
GrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:20
TOKEN_DUPLICATE
#define TOKEN_DUPLICATE
Definition: setypes.h:926
TOKEN_QUERY
#define TOKEN_QUERY
Definition: setypes.h:928
SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
TOKEN_IMPERSONATE
#define TOKEN_IMPERSONATE
Definition: setypes.h:927
ACL_REVISION
#define ACL_REVISION
Definition: setypes.h:39
NtCurrentThread
#define NtCurrentThread()

Referenced by Imm32IsInteractiveUserLogon(), is_process_limited(), IsCallerInteractive(), IsInteractiveUserLogon(), IsUserAdmin(), pSetupIsUserAdmin(), and SHTestTokenMembership().

◆ GetSiteSidFromToken()

PSID WINAPI GetSiteSidFromToken ( IN HANDLE  TokenHandle)

Definition at line 274 of file token.c.

275{
276 PTOKEN_GROUPS RestrictedSids;
277 ULONG RetLen;
278 UINT i;
279 NTSTATUS Status;
280 PSID PSiteSid = NULL;
281 SID_IDENTIFIER_AUTHORITY InternetSiteAuthority = {SECURITY_INTERNETSITE_AUTHORITY};
282
283 Status = NtQueryInformationToken(TokenHandle,
284 TokenRestrictedSids,
285 NULL,
286 0,
287 &RetLen);
288 if (Status != STATUS_BUFFER_TOO_SMALL)
289 {
290 SetLastError(RtlNtStatusToDosError(Status));
291 return NULL;
292 }
293
294 RestrictedSids = (PTOKEN_GROUPS)RtlAllocateHeap(RtlGetProcessHeap(),
295 0,
296 RetLen);
297 if (RestrictedSids == NULL)
298 {
299 SetLastError(ERROR_OUTOFMEMORY);
300 return NULL;
301 }
302
303 Status = NtQueryInformationToken(TokenHandle,
304 TokenRestrictedSids,
305 RestrictedSids,
306 RetLen,
307 &RetLen);
308 if (NT_SUCCESS(Status))
309 {
310 for (i = 0; i < RestrictedSids->GroupCount; i++)
311 {
312 SID* RSSid = RestrictedSids->Groups[i].Sid;
313
314 if (RtlCompareMemory(&(RSSid->IdentifierAuthority),
315 &InternetSiteAuthority,
316 sizeof(SID_IDENTIFIER_AUTHORITY)) ==
317 sizeof(SID_IDENTIFIER_AUTHORITY))
318 {
319 PSiteSid = RtlAllocateHeap(RtlGetProcessHeap(),
320 0,
321 RtlLengthSid((RestrictedSids->
322 Groups[i]).Sid));
323 if (PSiteSid == NULL)
324 {
325 SetLastError(ERROR_OUTOFMEMORY);
326 }
327 else
328 {
329 RtlCopySid(RtlLengthSid(RestrictedSids->Groups[i].Sid),
330 PSiteSid,
331 RestrictedSids->Groups[i].Sid);
332 }
333
334 break;
335 }
336 }
337 }
338 else
339 {
340 SetLastError(RtlNtStatusToDosError(Status));
341 }
342
343 RtlFreeHeap(RtlGetProcessHeap(), 0, RestrictedSids);
344 return PSiteSid;
345}
ERROR_OUTOFMEMORY
#define ERROR_OUTOFMEMORY
Definition: deptool.c:13
RtlCompareMemory
#define RtlCompareMemory(s1, s2, l)
Definition: env_spec_w32.h:465
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
RtlCopySid
NTSYSAPI BOOLEAN WINAPI RtlCopySid(DWORD, PSID, PSID)
UINT
unsigned int UINT
Definition: ndis.h:50
TokenHandle
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:726
SECURITY_INTERNETSITE_AUTHORITY
#define SECURITY_INTERNETSITE_AUTHORITY
Definition: setypes.h:30
STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
_SID_AND_ATTRIBUTES::Sid
PSID Sid
Definition: setypes.h:506
_SID_IDENTIFIER_AUTHORITY
Definition: ms-dtyp.idl:194
_SID
Definition: ms-dtyp.idl:198
_SID::IdentifierAuthority
SID_IDENTIFIER_AUTHORITY IdentifierAuthority
Definition: ms-dtyp.idl:201
_TOKEN_GROUPS
Definition: setypes.h:1013
_TOKEN_GROUPS::Groups
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]
Definition: setypes.h:1018
_TOKEN_GROUPS::GroupCount
$ULONG GroupCount
Definition: setypes.h:1014
NtQueryInformationToken
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtQueryInformationToken(_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength, _Out_ PULONG ReturnLength)
Queries a specific type of information in regard of an access token based upon the information class....
Definition: tokencls.c:473
PTOKEN_GROUPS
struct _TOKEN_GROUPS * PTOKEN_GROUPS
TokenRestrictedSids
@ TokenRestrictedSids
Definition: setypes.h:976

◆ IsTokenRestricted()

BOOL WINAPI IsTokenRestricted ( HANDLE  TokenHandle)

Definition at line 207 of file token.c.

208{
209 ULONG RetLength;
210 PTOKEN_GROUPS lpGroups;
211 NTSTATUS Status;
212 BOOL Ret = FALSE;
213
214 /* determine the required buffer size and allocate enough memory to read the
215 list of restricted SIDs */
216 Status = NtQueryInformationToken(TokenHandle,
217 TokenRestrictedSids,
218 NULL,
219 0,
220 &RetLength);
221 if (Status != STATUS_BUFFER_TOO_SMALL)
222 {
223 SetLastError(RtlNtStatusToDosError(Status));
224 return FALSE;
225 }
226
227AllocAndReadRestrictedSids:
228 lpGroups = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(),
229 0,
230 RetLength);
231 if (lpGroups == NULL)
232 {
233 SetLastError(ERROR_OUTOFMEMORY);
234 return FALSE;
235 }
236
237 /* actually read the list of the restricted SIDs */
238 Status = NtQueryInformationToken(TokenHandle,
239 TokenRestrictedSids,
240 lpGroups,
241 RetLength,
242 &RetLength);
243 if (NT_SUCCESS(Status))
244 {
245 Ret = (lpGroups->GroupCount != 0);
246 }
247 else if (Status == STATUS_BUFFER_TOO_SMALL)
248 {
249 /* looks like the token was modified in the meanwhile, let's just try again */
250 HeapFree(GetProcessHeap(),
251 0,
252 lpGroups);
253
254 goto AllocAndReadRestrictedSids;
255 }
256 else
257 {
258 SetLastError(RtlNtStatusToDosError(Status));
259 }
260
261 /* free allocated memory */
262 HeapFree(GetProcessHeap(),
263 0,
264 lpGroups);
265
266 return Ret;
267}
GetProcessHeap
#define GetProcessHeap()
Definition: compat.h:736
HeapAlloc
#define HeapAlloc
Definition: compat.h:733
HeapFree
#define HeapFree(x, y, z)
Definition: compat.h:735

Referenced by SepAnalyzeAcesFromDacl().

◆ WINE_DEFAULT_DEBUG_CHANNEL()

WINE_DEFAULT_DEBUG_CHANNEL ( advapi  )