d5/d2e/dll_2win32_2advapi32_2token_2token_8c_source.html

 /*
  * COPYRIGHT:       See COPYING in the top level directory
  * PROJECT:         ReactOS system libraries
  * FILE:            lib/advapi32/token/token.c
  * PURPOSE:         Token functions
  * PROGRAMMER:      Ariadne (ariadne@xs4all.nl)
  * UPDATE HISTORY:
  *                  Created 01/11/98
  */

 #include <advapi32.h>

 #include <ndk/setypes.h>

 WINE_DEFAULT_DEBUG_CHANNEL(advapi);

 /*
  * @implemented
  */
 BOOL WINAPI
 CheckTokenMembership(IN HANDLE ExistingTokenHandle,
                      IN PSID SidToCheck,
                      OUT PBOOL IsMember)
 {
     PISECURITY_DESCRIPTOR SecurityDescriptor = NULL;
     ACCESS_MASK GrantedAccess;
     struct
     {
         PRIVILEGE_SET PrivilegeSet;
         LUID_AND_ATTRIBUTES Privileges[4];
     } PrivBuffer;
     ULONG PrivBufferSize = sizeof(PrivBuffer);
     GENERIC_MAPPING GenericMapping =
     {
         STANDARD_RIGHTS_READ,
         STANDARD_RIGHTS_WRITE,
         STANDARD_RIGHTS_EXECUTE,
         STANDARD_RIGHTS_ALL
     };
     PACL Dacl;
     ULONG SidLen;
     HANDLE hToken = NULL;
     NTSTATUS Status, AccessStatus;

     /* doesn't return gracefully if IsMember is NULL! */
     *IsMember = FALSE;

     SidLen = RtlLengthSid(SidToCheck);

     if (ExistingTokenHandle == NULL)
     {
         Status = NtOpenThreadToken(NtCurrentThread(),
                                    TOKEN_QUERY,
                                    FALSE,
                                    &hToken);

         if (Status == STATUS_NO_TOKEN)
         {
             /* we're not impersonating, open the primary token */
             Status = NtOpenProcessToken(NtCurrentProcess(),
                                         TOKEN_QUERY | TOKEN_DUPLICATE,
                                         &hToken);
             if (NT_SUCCESS(Status))
             {
                 HANDLE hNewToken = FALSE;
                 BOOL DupRet;

                 /* duplicate the primary token to create an impersonation token */
                 DupRet = DuplicateTokenEx(hToken,
                                           TOKEN_QUERY | TOKEN_IMPERSONATE,
                                           NULL,
                                           SecurityImpersonation,
                                           TokenImpersonation,
                                           &hNewToken);

                 NtClose(hToken);

                 if (!DupRet)
                 {
                     WARN("Failed to duplicate the primary token!\n");
                     return FALSE;
                 }

                 hToken = hNewToken;
             }
         }

         if (!NT_SUCCESS(Status))
         {
             goto Cleanup;
         }
     }
     else
     {
         hToken = ExistingTokenHandle;
     }

     /* create a security descriptor */
     SecurityDescriptor = RtlAllocateHeap(RtlGetProcessHeap(),
                                          0,
                                          sizeof(SECURITY_DESCRIPTOR) +
                                              sizeof(ACL) + SidLen +
                                              FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart));
     if (SecurityDescriptor == NULL)
     {
         Status = STATUS_INSUFFICIENT_RESOURCES;
         goto Cleanup;
     }

     Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
                                          SECURITY_DESCRIPTOR_REVISION);
     if (!NT_SUCCESS(Status))
     {
         goto Cleanup;
     }

     /* set the owner and group */
     Status = RtlSetOwnerSecurityDescriptor(SecurityDescriptor,
                                            SidToCheck,
                                            FALSE);
     if (!NT_SUCCESS(Status))
     {
         goto Cleanup;
     }

     Status = RtlSetGroupSecurityDescriptor(SecurityDescriptor,
                                            SidToCheck,
                                            FALSE);
     if (!NT_SUCCESS(Status))
     {
         goto Cleanup;
     }

     /* create the DACL */
     Dacl = (PACL)(SecurityDescriptor + 1);
     Status = RtlCreateAcl(Dacl,
                           sizeof(ACL) + SidLen + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart),
                           ACL_REVISION);
     if (!NT_SUCCESS(Status))
     {
         goto Cleanup;
     }

     Status = RtlAddAccessAllowedAce(Dacl,
                                     ACL_REVISION,
                                     0x1,
                                     SidToCheck);
     if (!NT_SUCCESS(Status))
     {
         goto Cleanup;
     }

     /* assign the DACL to the security descriptor */
     Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
                                           TRUE,
                                           Dacl,
                                           FALSE);
     if (!NT_SUCCESS(Status))
     {
         goto Cleanup;
     }

     /* it's time to perform the access check. Just use _some_ desired access right
        (same as for the ACE) and see if we're getting it granted. This indicates
        our SID is a member of the token. We however can't use a generic access
        right as those aren't mapped and return an error (STATUS_GENERIC_NOT_MAPPED). */
     Status = NtAccessCheck(SecurityDescriptor,
                            hToken,
                            0x1,
                            &GenericMapping,
                            &PrivBuffer.PrivilegeSet,
                            &PrivBufferSize,
                            &GrantedAccess,
                            &AccessStatus);
     if (NT_SUCCESS(Status) && NT_SUCCESS(AccessStatus) && (GrantedAccess == 0x1))
     {
         *IsMember = TRUE;
     }

 Cleanup:
     if (hToken != NULL && hToken != ExistingTokenHandle)
     {
         NtClose(hToken);
     }

     if (SecurityDescriptor != NULL)
     {
         RtlFreeHeap(RtlGetProcessHeap(),
                     0,
                     SecurityDescriptor);
     }

     if (!NT_SUCCESS(Status))
     {
         SetLastError(RtlNtStatusToDosError(Status));
         return FALSE;
     }

     return TRUE;
 }


 /*
  * @implemented
  */
 BOOL WINAPI
 IsTokenRestricted(HANDLE TokenHandle)
 {
     ULONG RetLength;
     PTOKEN_GROUPS lpGroups;
     NTSTATUS Status;
     BOOL Ret = FALSE;

     /* determine the required buffer size and allocate enough memory to read the
        list of restricted SIDs */
     Status = NtQueryInformationToken(TokenHandle,
                                      TokenRestrictedSids,
                                      NULL,
                                      0,
                                      &RetLength);
     if (Status != STATUS_BUFFER_TOO_SMALL)
     {
         SetLastError(RtlNtStatusToDosError(Status));
         return FALSE;
     }

 AllocAndReadRestrictedSids:
     lpGroups = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(),
                                         0,
                                         RetLength);
     if (lpGroups == NULL)
     {
         SetLastError(ERROR_OUTOFMEMORY);
         return FALSE;
     }

     /* actually read the list of the restricted SIDs */
     Status = NtQueryInformationToken(TokenHandle,
                                      TokenRestrictedSids,
                                      lpGroups,
                                      RetLength,
                                      &RetLength);
     if (NT_SUCCESS(Status))
     {
         Ret = (lpGroups->GroupCount != 0);
     }
     else if (Status == STATUS_BUFFER_TOO_SMALL)
     {
         /* looks like the token was modified in the meanwhile, let's just try again */
         HeapFree(GetProcessHeap(),
                  0,
                  lpGroups);

         goto AllocAndReadRestrictedSids;
     }
     else
     {
         SetLastError(RtlNtStatusToDosError(Status));
     }

     /* free allocated memory */
     HeapFree(GetProcessHeap(),
              0,
              lpGroups);

     return Ret;
 }

 /*
  * @unimplemented
  */
 PSID
 WINAPI
 GetSiteSidFromToken(IN HANDLE TokenHandle)
 {
     PTOKEN_GROUPS RestrictedSids;
     ULONG RetLen;
     UINT i;
     NTSTATUS Status;
     PSID PSiteSid = NULL;
     SID_IDENTIFIER_AUTHORITY InternetSiteAuthority = {SECURITY_INTERNETSITE_AUTHORITY};

     Status = NtQueryInformationToken(TokenHandle,
                                      TokenRestrictedSids,
                                      NULL,
                                      0,
                                      &RetLen);
     if (Status != STATUS_BUFFER_TOO_SMALL)
     {
         SetLastError(RtlNtStatusToDosError(Status));
         return NULL;
     }

     RestrictedSids = (PTOKEN_GROUPS)RtlAllocateHeap(RtlGetProcessHeap(),
                                                     0,
                                                     RetLen);
     if (RestrictedSids == NULL)
     {
         SetLastError(ERROR_OUTOFMEMORY);
         return NULL;
     }

     Status = NtQueryInformationToken(TokenHandle,
                                      TokenRestrictedSids,
                                      RestrictedSids,
                                      RetLen,
                                      &RetLen);
     if (NT_SUCCESS(Status))
     {
         for (i = 0; i < RestrictedSids->GroupCount; i++)
         {
             SID* RSSid = RestrictedSids->Groups[i].Sid;

             if (RtlCompareMemory(&(RSSid->IdentifierAuthority),
                                  &InternetSiteAuthority,
                                  sizeof(SID_IDENTIFIER_AUTHORITY)) ==
                                  sizeof(SID_IDENTIFIER_AUTHORITY))
             {
                 PSiteSid = RtlAllocateHeap(RtlGetProcessHeap(),
                                            0,
                                            RtlLengthSid((RestrictedSids->
                                                          Groups[i]).Sid));
                 if (PSiteSid == NULL)
                 {
                     SetLastError(ERROR_OUTOFMEMORY);
                 }
                 else
                 {
                     RtlCopySid(RtlLengthSid(RestrictedSids->Groups[i].Sid),
                                PSiteSid,
                                RestrictedSids->Groups[i].Sid);
                 }

                 break;
             }
         }
     }
     else
     {
         SetLastError(RtlNtStatusToDosError(Status));
     }

     RtlFreeHeap(RtlGetProcessHeap(), 0, RestrictedSids);
     return PSiteSid;
 }
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301

_LUID_AND_ATTRIBUTES
Definition: setypes.h:73

IN
#define IN
Definition: typedefs.h:39

SecurityImpersonation
Definition: lsa.idl:57

STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158

_SID_AND_ATTRIBUTES::Sid
PSID Sid
Definition: setypes.h:493

RtlSetGroupSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410

STANDARD_RIGHTS_WRITE
#define STANDARD_RIGHTS_WRITE
Definition: nt_native.h:66

_TOKEN_GROUPS
Definition: setypes.h:978

_SID
Definition: ms-dtyp.idl:198

_ACCESS_ALLOWED_ACE
Definition: ms-dtyp.idl:215

AccessStatus
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK _Out_ PNTSTATUS AccessStatus
Definition: sefuncs.h:13

TRUE
#define TRUE
Definition: types.h:120

SecurityDescriptor
_In_ USHORT _In_ ULONG _In_ PSOCKADDR _In_ PSOCKADDR _Reserved_ ULONG _In_opt_ PVOID _In_opt_ const WSK_CLIENT_CONNECTION_DISPATCH _In_opt_ PEPROCESS _In_opt_ PETHREAD _In_opt_ PSECURITY_DESCRIPTOR SecurityDescriptor
Definition: wsk.h:182

_ACL
Definition: ms-dtyp.idl:293

x1
_In_ CLIPOBJ _In_ BRUSHOBJ _In_ LONG x1
Definition: winddi.h:3706

WARN
#define WARN(fmt,...)
Definition: debug.h:112

NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26

RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606

NtCurrentThread
#define NtCurrentThread()

_PRIVILEGE_SET
Definition: setypes.h:85

RtlSetOwnerSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)

CheckTokenMembership
BOOL WINAPI CheckTokenMembership(IN HANDLE ExistingTokenHandle, IN PSID SidToCheck, OUT PBOOL IsMember)
Definition: token.c:21

TOKEN_IMPERSONATE
#define TOKEN_IMPERSONATE
Definition: setypes.h:892

RtlCreateSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)

NtOpenProcessToken
NTSTATUS NTAPI NtOpenProcessToken(IN HANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, OUT PHANDLE TokenHandle)
Definition: security.c:350

RtlAddAccessAllowedAce
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)

STANDARD_RIGHTS_EXECUTE
#define STANDARD_RIGHTS_EXECUTE
Definition: nt_native.h:67

Groups
TOpcodeData Groups[17][8]
Definition: disassemblerdata.h:895

RtlSetDaclSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)

STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69

RtlCreateAcl
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)

SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58

RtlNtStatusToDosError
NTSYSAPI ULONG WINAPI RtlNtStatusToDosError(NTSTATUS)

FALSE
#define FALSE
Definition: types.h:117

BOOL
unsigned int BOOL
Definition: ntddk_ex.h:94

NtQueryInformationToken
_Must_inspect_result_ __kernel_entry NTSTATUS NTAPI NtQueryInformationToken(_In_ HANDLE TokenHandle, _In_ TOKEN_INFORMATION_CLASS TokenInformationClass, _Out_writes_bytes_to_opt_(TokenInformationLength, *ReturnLength) PVOID TokenInformation, _In_ ULONG TokenInformationLength, _Out_ PULONG ReturnLength)
Queries a specific type of information in regard of an access token based upon the information class....
Definition: token.c:2972

TokenHandle
_In_ ACCESS_MASK _In_ ULONG _Out_ PHANDLE TokenHandle
Definition: psfuncs.h:715

setypes.h

RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150

PBOOL
BOOL * PBOOL
Definition: windef.h:161

PTOKEN_GROUPS
struct _TOKEN_GROUPS * PTOKEN_GROUPS

NtCurrentProcess
#define NtCurrentProcess()
Definition: nt_native.h:1657

RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588

PACL
struct _ACL * PACL
Definition: security.c:104

Status
Status
Definition: gdiplustypes.h:24

NtAccessCheck
NTSTATUS NTAPI NtAccessCheck(_In_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ HANDLE TokenHandle, _In_ ACCESS_MASK DesiredAccess, _In_ PGENERIC_MAPPING GenericMapping, _Out_opt_ PPRIVILEGE_SET PrivilegeSet, _Inout_ PULONG PrivilegeSetLength, _Out_ PACCESS_MASK GrantedAccess, _Out_ PNTSTATUS AccessStatus)
Determines whether security access rights can be given to an object depending on the security descrip...
Definition: accesschk.c:711

GetProcessHeap
#define GetProcessHeap()
Definition: compat.h:595

NtOpenThreadToken
NTSTATUS NTAPI NtOpenThreadToken(_In_ HANDLE ThreadHandle, _In_ ACCESS_MASK DesiredAccess, _In_ BOOLEAN OpenAsSelf, _Out_ PHANDLE TokenHandle)
Opens a token that is tied to a thread handle.
Definition: token.c:5262

HeapAlloc
PVOID WINAPI HeapAlloc(HANDLE, DWORD, SIZE_T)

TOKEN_QUERY
#define TOKEN_QUERY
Definition: setypes.h:893

GetSiteSidFromToken
PSID WINAPI GetSiteSidFromToken(IN HANDLE TokenHandle)
Definition: token.c:274

_GENERIC_MAPPING
Definition: nt_native.h:564

NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32

WINAPI
#define WINAPI
Definition: msvc.h:6

SetLastError
#define SetLastError(x)
Definition: compat.h:611

DuplicateTokenEx
BOOL WINAPI DuplicateTokenEx(IN HANDLE ExistingTokenHandle, IN DWORD dwDesiredAccess, IN LPSECURITY_ATTRIBUTES lpTokenAttributes OPTIONAL, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, IN TOKEN_TYPE TokenType, OUT PHANDLE DuplicateTokenHandle)
Definition: security.c:3394

STATUS_NO_TOKEN
#define STATUS_NO_TOKEN
Definition: ntstatus.h:360

Privileges
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET * Privileges
Definition: sefuncs.h:13

NtClose
NTSTATUS NTAPI NtClose(IN HANDLE Handle)
Definition: obhandle.c:3398

TOKEN_DUPLICATE
#define TOKEN_DUPLICATE
Definition: setypes.h:891

Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1552

TokenRestrictedSids
Definition: setypes.h:941

_SID_IDENTIFIER_AUTHORITY
Definition: ms-dtyp.idl:194

RtlCopySid
NTSYSAPI BOOLEAN WINAPI RtlCopySid(DWORD, PSID, PSID)

STANDARD_RIGHTS_READ
#define STANDARD_RIGHTS_READ
Definition: nt_native.h:65

Cleanup
static const WCHAR Cleanup[]
Definition: register.c:80

WINE_DEFAULT_DEBUG_CHANNEL
WINE_DEFAULT_DEBUG_CHANNEL(advapi)

SECURITY_INTERNETSITE_AUTHORITY
#define SECURITY_INTERNETSITE_AUTHORITY
Definition: setypes.h:30

GenericMapping
static GENERIC_MAPPING GenericMapping
Definition: SeInheritance.c:11

STANDARD_RIGHTS_ALL
#define STANDARD_RIGHTS_ALL
Definition: nt_native.h:69

i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248

_TOKEN_GROUPS::Groups
SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]
Definition: setypes.h:983

FIELD_OFFSET
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255

UINT
unsigned int UINT
Definition: ndis.h:50

NULL
#define NULL
Definition: types.h:112

ACL_REVISION
#define ACL_REVISION
Definition: setypes.h:39

_TOKEN_GROUPS::GroupCount
$ULONG GroupCount
Definition: setypes.h:979

OUT
#define OUT
Definition: typedefs.h:40

TokenImpersonation
Definition: imports.h:274

ULONG
unsigned int ULONG
Definition: retypes.h:1

_SID::IdentifierAuthority
SID_IDENTIFIER_AUTHORITY IdentifierAuthority
Definition: ms-dtyp.idl:201

advapi32.h

void
Definition: nsiface.idl:2306

GrantedAccess
_In_ PSECURITY_SUBJECT_CONTEXT _In_ BOOLEAN _In_ ACCESS_MASK _In_ ACCESS_MASK _Outptr_opt_ PPRIVILEGE_SET _In_ PGENERIC_MAPPING _In_ KPROCESSOR_MODE _Out_ PACCESS_MASK GrantedAccess
Definition: sefuncs.h:13

IsTokenRestricted
BOOL WINAPI IsTokenRestricted(HANDLE TokenHandle)
Definition: token.c:207

HeapFree
#define HeapFree(x, y, z)
Definition: compat.h:594

ACCESS_MASK
ULONG ACCESS_MASK
Definition: nt_native.h:40

RtlCompareMemory
#define RtlCompareMemory(s1, s2, l)
Definition: env_spec_w32.h:465

ERROR_OUTOFMEMORY
#define ERROR_OUTOFMEMORY
Definition: deptool.c:13