ReactOS 0.4.16-dev-106-g10b08aa
security.c File Reference
#include "lsasrv.h"


Functions

NTSTATUS LsapCreatePolicySd (PSECURITY_DESCRIPTOR *PolicySd, PULONG PolicySdSize)
 
NTSTATUS LsapCreateAccountSd (PSECURITY_DESCRIPTOR *AccountSd, PULONG AccountSdSize)
 
NTSTATUS LsapCreateSecretSd (PSECURITY_DESCRIPTOR *SecretSd, PULONG SecretSdSize)
 
NTSTATUS LsapCreateTokenSd (_In_ const TOKEN_USER *User, _Outptr_ PSECURITY_DESCRIPTOR *TokenSd, _Out_ PULONG TokenSdSize)
 Creates a security descriptor for the token object.
 

Function Documentation

◆ LsapCreateAccountSd()

NTSTATUS LsapCreateAccountSd ( PSECURITY_DESCRIPTOR * AccountSd,
PULONG  AccountSdSize 
)

Definition at line 268 of file security.c.

/*
 * Builds the security descriptor for an LSA account object: an absolute SD is
 * assembled on the stack (AbsoluteSd), converted to self-relative form in a
 * buffer taken from the process heap, and handed back through
 * AccountSd / AccountSdSize.
 *
 * Ownership: on success the caller owns *AccountSd (process-heap memory) and
 * must release it. On every failure after the argument check the buffer is
 * freed here and *AccountSd / *AccountSdSize stay NULL / 0.
 *
 * Listing note: the gutter numbers skip (276, 278-279, 282, 288-289, ...).
 * The skipped lines, mostly the first line of each Rtl* call, are absent from
 * this rendering, so only the trailing arguments of those calls are visible.
 */
270{
271 SECURITY_DESCRIPTOR AbsoluteSd;
272 PSECURITY_DESCRIPTOR RelativeSd = NULL;
273 ULONG RelativeSdSize = 0;
274 PSID AdministratorsSid = NULL;
275 PSID EveryoneSid = NULL;
277 PACL Dacl = NULL;
/* Declarations on lines 276 and 278-279 are not shown; LocalSystemSid,
 * DaclSize and Status are all used below.
 * NOTE(review): confirm that LocalSystemSid is declared locally on line 276.
 * The page's cross-reference resolves the name to a global in globals.c, and
 * the cleanup at the end of this function frees it. */
280
/* Both out-parameters are mandatory. The statement guarded by this check
 * (line 282) is not shown; presumably it returns STATUS_INVALID_PARAMETER. */
281 if (AccountSd == NULL || AccountSdSize == NULL)
283
/* Start from a defined "nothing returned" state so that every later failure
 * path leaves the outputs cleared. */
284 *AccountSd = NULL;
285 *AccountSdSize = 0;
286
287 /* Initialize the SD */
/* Nothing has been allocated yet, so a direct return is safe here. */
290 if (!NT_SUCCESS(Status))
291 return Status;
292
/* Three SIDs are allocated in turn: Administrators (two sub-authorities),
 * Everyone, and a third whose out-argument line (331) is not shown,
 * presumably LocalSystemSid. Any failure jumps to the common cleanup. */
294 2,
297 0,
298 0,
299 0,
300 0,
301 0,
302 0,
303 &AdministratorsSid);
304 if (!NT_SUCCESS(Status))
305 goto done;
306
308 1,
310 0,
311 0,
312 0,
313 0,
314 0,
315 0,
316 0,
317 &EveryoneSid);
318 if (!NT_SUCCESS(Status))
319 goto done;
320
322 1,
324 0,
325 0,
326 0,
327 0,
328 0,
329 0,
330 0,
332 if (!NT_SUCCESS(Status))
333 goto done;
334
335 /* Allocate and initialize the DACL */
/* Exact size for an ACL holding two access-allowed ACEs. ACCESS_ALLOWED_ACE
 * ends in a ULONG placeholder for the start of the SID, hence the
 * "- sizeof(ULONG)" before each SID length is added. */
336 DaclSize = sizeof(ACL) +
337 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
338 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
339
/* The allocation flags (line 341) are not shown; HEAP_ZERO_MEMORY is among
 * the symbols this function references. Line 345 (not shown) presumably sets
 * Status to STATUS_INSUFFICIENT_RESOURCES before the jump. */
340 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
342 DaclSize);
343 if (Dacl == NULL)
344 {
346 goto done;
347 }
348
/* The ACL header is initialised with DaclSize, then one ACE is appended for
 * Administrators and one for Everyone. The access-mask arguments are on lines
 * not shown; ACCOUNT_ALL_ACCESS and ACCOUNT_EXECUTE are the masks this
 * function references. Verify in the source which SID receives which. */
350 DaclSize,
352 if (!NT_SUCCESS(Status))
353 goto done;
354
358 AdministratorsSid);
359 if (!NT_SUCCESS(Status))
360 goto done;
361
365 EveryoneSid);
366 if (!NT_SUCCESS(Status))
367 goto done;
368
/* Attach the DACL (present = TRUE, defaulted = FALSE), then fill two SID
 * fields of the descriptor; the second call visible takes AdministratorsSid.
 * The call names are on lines not shown (RtlSetDaclSecurityDescriptor,
 * RtlSetGroupSecurityDescriptor and RtlSetOwnerSecurityDescriptor are the
 * referenced candidates). */
370 TRUE,
371 Dacl,
372 FALSE);
373 if (!NT_SUCCESS(Status))
374 goto done;
375
378 FALSE);
379 if (!NT_SUCCESS(Status))
380 goto done;
381
383 AdministratorsSid,
384 FALSE);
385 if (!NT_SUCCESS(Status))
386 goto done;
387
/* Size probe: RelativeSd is still NULL and RelativeSdSize is 0 on this first
 * conversion call, so it can only report the required size. The condition on
 * line 391 is not shown; presumably any status other than
 * STATUS_BUFFER_TOO_SMALL is treated as a failure.
 * NOTE(review): confirm that an unexpected success status here cannot reach
 * the cleanup with *AccountSd still NULL. */
389 RelativeSd,
390 &RelativeSdSize);
392 goto done;
393
394 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
396 RelativeSdSize);
397 if (RelativeSd == NULL)
398 {
400 goto done;
401 }
402
/* Second conversion call, this time into the buffer just allocated. */
404 RelativeSd,
405 &RelativeSdSize);
406 if (!NT_SUCCESS(Status))
407 goto done;
408
/* Publish the result only after every step has succeeded. */
409 *AccountSd = RelativeSd;
410 *AccountSdSize = RelativeSdSize;
411
/* Common exit for success and failure: the temporary DACL and SIDs are always
 * released, since the self-relative descriptor carries its own copies. */
412done:
413 if (Dacl != NULL)
414 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
415
416 if (AdministratorsSid != NULL)
417 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
418
419 if (EveryoneSid != NULL)
420 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
421
422 if (LocalSystemSid != NULL)
423 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
424
/* On failure the output buffer is released as well, so the caller never
 * receives a partially built descriptor. */
425 if (!NT_SUCCESS(Status))
426 {
427 if (RelativeSd != NULL)
428 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
429 }
430
431 return Status;
432}
LONG NTSTATUS
Definition: precomp.h:26
PSID LocalSystemSid
Definition: globals.c:16
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
#define NULL
Definition: types.h:112
#define TRUE
Definition: types.h:120
#define FALSE
Definition: types.h:117
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
SID_IDENTIFIER_AUTHORITY WorldSidAuthority
Definition: database.c:18
Status
Definition: gdiplustypes.h:25
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
struct _ACL ACL
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1605
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1606
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626
#define ACCOUNT_EXECUTE
Definition: ntlsa.h:36
#define ACCOUNT_ALL_ACCESS
Definition: ntlsa.h:33
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
uint32_t ULONG
Definition: typedefs.h:59
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
#define SECURITY_WORLD_RID
Definition: setypes.h:541
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define ACL_REVISION
Definition: setypes.h:39
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652

Referenced by LsarpCreateAccount().

◆ LsapCreatePolicySd()

NTSTATUS LsapCreatePolicySd ( PSECURITY_DESCRIPTOR * PolicySd,
PULONG  PolicySdSize 
)

Definition at line 14 of file security.c.

/*
 * Builds the security descriptor for the LSA policy object: an absolute SD is
 * assembled on the stack (AbsoluteSd), converted to self-relative form in a
 * buffer taken from the process heap, and handed back through
 * PolicySd / PolicySdSize.
 *
 * Ownership: on success the caller owns *PolicySd (process-heap memory) and
 * must release it. On every failure after the argument check the buffer is
 * freed here and *PolicySd / *PolicySdSize stay NULL / 0.
 *
 * Listing note: the gutter numbers skip (23-25, 27-28, 31, 37-38, ...). The
 * skipped lines, mostly the first line of each Rtl* call, are absent from
 * this rendering, so only the trailing arguments of those calls are visible.
 */
16{
17 SECURITY_DESCRIPTOR AbsoluteSd;
18 PSECURITY_DESCRIPTOR RelativeSd = NULL;
19 ULONG RelativeSdSize = 0;
20 PSID AnonymousSid = NULL;
21 PSID AdministratorsSid = NULL;
22 PSID EveryoneSid = NULL;
26 PACL Dacl = NULL;
/* Declarations on lines 23-25 and 27-28 are not shown; LocalServiceSid,
 * NetworkServiceSid, LocalSystemSid, DaclSize and Status are all used below.
 * NOTE(review): confirm that the three service/system SIDs are declared
 * locally on lines 23-25. The page's cross-references resolve the names to
 * globals in globals.c, and the cleanup at the end frees them. */
29
/* Both out-parameters are mandatory. The statement guarded by this check
 * (line 31) is not shown; presumably it returns STATUS_INVALID_PARAMETER. */
30 if (PolicySd == NULL || PolicySdSize == NULL)
32
/* Start from a defined "nothing returned" state so that every later failure
 * path leaves the outputs cleared. */
33 *PolicySd = NULL;
34 *PolicySdSize = 0;
35
36 /* Initialize the SD */
/* Nothing has been allocated yet, so a direct return is safe here. */
39 if (!NT_SUCCESS(Status))
40 return Status;
41
/* Six SIDs are allocated in turn: Anonymous, Administrators (two
 * sub-authorities), Everyone, and three more whose out-argument lines
 * (94, 108, 122) are not shown. Judging by the cleanup below these are
 * LocalServiceSid, NetworkServiceSid and LocalSystemSid, in an order this
 * listing does not establish. Any failure jumps to the common cleanup. */
43 1,
45 0,
46 0,
47 0,
48 0,
49 0,
50 0,
51 0,
52 &AnonymousSid);
53 if (!NT_SUCCESS(Status))
54 goto done;
55
57 2,
60 0,
61 0,
62 0,
63 0,
64 0,
65 0,
66 &AdministratorsSid);
67 if (!NT_SUCCESS(Status))
68 goto done;
69
71 1,
73 0,
74 0,
75 0,
76 0,
77 0,
78 0,
79 0,
80 &EveryoneSid);
81 if (!NT_SUCCESS(Status))
82 goto done;
83
85 1,
87 0,
88 0,
89 0,
90 0,
91 0,
92 0,
93 0,
95 if (!NT_SUCCESS(Status))
96 goto done;
97
99 1,
101 0,
102 0,
103 0,
104 0,
105 0,
106 0,
107 0,
109 if (!NT_SUCCESS(Status))
110 goto done;
111
113 1,
115 0,
116 0,
117 0,
118 0,
119 0,
120 0,
121 0,
123 if (!NT_SUCCESS(Status))
124 goto done;
125
126 /* Allocate and initialize the DACL */
/* Size for one access-denied ACE (Anonymous) plus access-allowed ACEs for
 * Administrators, Everyone and Anonymous; the sum continues on lines 132-133,
 * which are not shown. Each ACE structure ends in a ULONG placeholder for the
 * start of the SID, hence the "- sizeof(ULONG)" before each SID length. */
127 DaclSize = sizeof(ACL) +
128 sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
129 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
130 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) +
131 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
134
/* The allocation flags (line 136) are not shown; HEAP_ZERO_MEMORY is among
 * the symbols this function references. Line 140 (not shown) presumably sets
 * Status to STATUS_INSUFFICIENT_RESOURCES before the jump. */
135 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
137 DaclSize);
138 if (Dacl == NULL)
139 {
141 goto done;
142 }
143
/* The ACL header is initialised with DaclSize, then six ACEs are appended.
 * The visible SID arguments are Anonymous, Administrators, Everyone and
 * Anonymous again; the last two calls are entirely on lines not shown.
 * The first Anonymous entry is presumably the access-denied ACE
 * (RtlAddAccessDeniedAce is referenced and the size sum lists it first).
 * ACEs are evaluated in order, so a deny entry has to precede the allow
 * entries to take effect. The access masks (POLICY_* constants) are on lines
 * not shown; verify in the source which SID receives which. */
145 DaclSize,
147 if (!NT_SUCCESS(Status))
148 goto done;
149
153 AnonymousSid);
154 if (!NT_SUCCESS(Status))
155 goto done;
156
160 AdministratorsSid);
161 if (!NT_SUCCESS(Status))
162 goto done;
163
167 EveryoneSid);
168 if (!NT_SUCCESS(Status))
169 goto done;
170
174 AnonymousSid);
175 if (!NT_SUCCESS(Status))
176 goto done;
177
182 if (!NT_SUCCESS(Status))
183 goto done;
184
189 if (!NT_SUCCESS(Status))
190 goto done;
191
/* Attach the DACL (present = TRUE, defaulted = FALSE), then fill two SID
 * fields of the descriptor; the second call visible takes AdministratorsSid.
 * The call names are on lines not shown (RtlSetDaclSecurityDescriptor,
 * RtlSetGroupSecurityDescriptor and RtlSetOwnerSecurityDescriptor are the
 * referenced candidates). */
193 TRUE,
194 Dacl,
195 FALSE);
196 if (!NT_SUCCESS(Status))
197 goto done;
198
201 FALSE);
202 if (!NT_SUCCESS(Status))
203 goto done;
204
206 AdministratorsSid,
207 FALSE);
208 if (!NT_SUCCESS(Status))
209 goto done;
210
/* Size probe: RelativeSd is still NULL and RelativeSdSize is 0 on this first
 * conversion call, so it can only report the required size. The condition on
 * line 214 is not shown; presumably any status other than
 * STATUS_BUFFER_TOO_SMALL is treated as a failure.
 * NOTE(review): confirm that an unexpected success status here cannot reach
 * the cleanup with *PolicySd still NULL. */
212 RelativeSd,
213 &RelativeSdSize);
215 goto done;
216
217 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
219 RelativeSdSize);
220 if (RelativeSd == NULL)
221 {
223 goto done;
224 }
225
/* Second conversion call, this time into the buffer just allocated. */
227 RelativeSd,
228 &RelativeSdSize);
229 if (!NT_SUCCESS(Status))
230 goto done;
231
/* Publish the result only after every step has succeeded. */
232 *PolicySd = RelativeSd;
233 *PolicySdSize = RelativeSdSize;
234
/* Common exit for success and failure: the temporary DACL and SIDs are always
 * released, since the self-relative descriptor carries its own copies. */
235done:
236 if (Dacl != NULL)
237 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
238
239 if (AnonymousSid != NULL)
240 RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid);
241
242 if (AdministratorsSid != NULL)
243 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
244
245 if (EveryoneSid != NULL)
246 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
247
248 if (LocalServiceSid != NULL)
249 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid);
250
251 if (NetworkServiceSid != NULL)
252 RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid);
253
254 if (LocalSystemSid != NULL)
255 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
256
/* On failure the output buffer is released as well, so the caller never
 * receives a partially built descriptor. */
257 if (!NT_SUCCESS(Status))
258 {
259 if (RelativeSd != NULL)
260 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
261 }
262
263 return Status;
264}
PSID NetworkServiceSid
Definition: globals.c:16
PSID LocalServiceSid
Definition: globals.c:16
NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid)
#define POLICY_EXECUTE
Definition: ntsecapi.h:76
#define POLICY_NOTIFICATION
Definition: ntsecapi.h:73
#define POLICY_VIEW_LOCAL_INFORMATION
Definition: ntsecapi.h:61
#define POLICY_ALL_ACCESS
Definition: ntsecapi.h:77
#define POLICY_LOOKUP_NAMES
Definition: ntsecapi.h:72
#define SECURITY_ANONYMOUS_LOGON_RID
Definition: setypes.h:563
#define SECURITY_LOCAL_SERVICE_RID
Definition: setypes.h:575
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576

Referenced by LsapCreateDatabaseObjects().

◆ LsapCreateSecretSd()

NTSTATUS LsapCreateSecretSd ( PSECURITY_DESCRIPTOR * SecretSd,
PULONG  SecretSdSize 
)

Definition at line 436 of file security.c.

/*
 * Builds the security descriptor for an LSA secret object: an absolute SD is
 * assembled on the stack (AbsoluteSd), converted to self-relative form in a
 * buffer taken from the process heap, and handed back through
 * SecretSd / SecretSdSize.
 *
 * Ownership: on success the caller owns *SecretSd (process-heap memory) and
 * must release it. On every failure after the argument check the buffer is
 * freed here and *SecretSd / *SecretSdSize stay NULL / 0.
 *
 * Listing note: the gutter numbers skip (444, 446-447, 450, 456-457, ...).
 * The skipped lines, mostly the first line of each Rtl* call, are absent from
 * this rendering, so only the trailing arguments of those calls are visible.
 */
438{
439 SECURITY_DESCRIPTOR AbsoluteSd;
440 PSECURITY_DESCRIPTOR RelativeSd = NULL;
441 ULONG RelativeSdSize = 0;
442 PSID AdministratorsSid = NULL;
443 PSID EveryoneSid = NULL;
445 PACL Dacl = NULL;
/* Declarations on lines 444 and 446-447 are not shown; LocalSystemSid,
 * DaclSize and Status are all used below.
 * NOTE(review): confirm that LocalSystemSid is declared locally on line 444.
 * The page's cross-reference resolves the name to a global in globals.c, and
 * the cleanup at the end of this function frees it. */
448
/* Both out-parameters are mandatory. The statement guarded by this check
 * (line 450) is not shown; presumably it returns STATUS_INVALID_PARAMETER. */
449 if (SecretSd == NULL || SecretSdSize == NULL)
451
/* Start from a defined "nothing returned" state so that every later failure
 * path leaves the outputs cleared. */
452 *SecretSd = NULL;
453 *SecretSdSize = 0;
454
455 /* Initialize the SD */
/* Nothing has been allocated yet, so a direct return is safe here. */
458 if (!NT_SUCCESS(Status))
459 return Status;
460
/* Three SIDs are allocated in turn: Administrators (two sub-authorities),
 * Everyone, and a third whose out-argument line (499) is not shown,
 * presumably LocalSystemSid. Any failure jumps to the common cleanup. */
462 2,
465 0,
466 0,
467 0,
468 0,
469 0,
470 0,
471 &AdministratorsSid);
472 if (!NT_SUCCESS(Status))
473 goto done;
474
476 1,
478 0,
479 0,
480 0,
481 0,
482 0,
483 0,
484 0,
485 &EveryoneSid);
486 if (!NT_SUCCESS(Status))
487 goto done;
488
490 1,
492 0,
493 0,
494 0,
495 0,
496 0,
497 0,
498 0,
500 if (!NT_SUCCESS(Status))
501 goto done;
502
503 /* Allocate and initialize the DACL */
/* Exact size for an ACL holding two access-allowed ACEs. ACCESS_ALLOWED_ACE
 * ends in a ULONG placeholder for the start of the SID, hence the
 * "- sizeof(ULONG)" before each SID length is added. */
504 DaclSize = sizeof(ACL) +
505 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
506 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
507
/* The allocation flags (line 509) are not shown; HEAP_ZERO_MEMORY is among
 * the symbols this function references. Line 513 (not shown) presumably sets
 * Status to STATUS_INSUFFICIENT_RESOURCES before the jump. */
508 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
510 DaclSize);
511 if (Dacl == NULL)
512 {
514 goto done;
515 }
516
/* The ACL header is initialised with DaclSize, then one ACE is appended for
 * Administrators and one for Everyone. The access-mask arguments are on lines
 * not shown; SECRET_ALL_ACCESS and SECRET_EXECUTE are the masks this function
 * references. Verify in the source which SID receives which, since this ACL
 * is what gates access to stored secrets. */
518 DaclSize,
520 if (!NT_SUCCESS(Status))
521 goto done;
522
526 AdministratorsSid);
527 if (!NT_SUCCESS(Status))
528 goto done;
529
533 EveryoneSid);
534 if (!NT_SUCCESS(Status))
535 goto done;
536
/* Attach the DACL (present = TRUE, defaulted = FALSE), then fill two SID
 * fields of the descriptor; the second call visible takes AdministratorsSid.
 * The call names are on lines not shown (RtlSetDaclSecurityDescriptor,
 * RtlSetGroupSecurityDescriptor and RtlSetOwnerSecurityDescriptor are the
 * referenced candidates). */
538 TRUE,
539 Dacl,
540 FALSE);
541 if (!NT_SUCCESS(Status))
542 goto done;
543
546 FALSE);
547 if (!NT_SUCCESS(Status))
548 goto done;
549
551 AdministratorsSid,
552 FALSE);
553 if (!NT_SUCCESS(Status))
554 goto done;
555
/* Size probe: RelativeSd is still NULL and RelativeSdSize is 0 on this first
 * conversion call, so it can only report the required size. The condition on
 * line 559 is not shown; presumably any status other than
 * STATUS_BUFFER_TOO_SMALL is treated as a failure.
 * NOTE(review): confirm that an unexpected success status here cannot reach
 * the cleanup with *SecretSd still NULL. */
557 RelativeSd,
558 &RelativeSdSize);
560 goto done;
561
562 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
564 RelativeSdSize);
565 if (RelativeSd == NULL)
566 {
568 goto done;
569 }
570
/* Second conversion call, this time into the buffer just allocated. */
572 RelativeSd,
573 &RelativeSdSize);
574 if (!NT_SUCCESS(Status))
575 goto done;
576
/* Publish the result only after every step has succeeded. */
577 *SecretSd = RelativeSd;
578 *SecretSdSize = RelativeSdSize;
579
/* Common exit for success and failure: the temporary DACL and SIDs are always
 * released, since the self-relative descriptor carries its own copies. */
580done:
581 if (Dacl != NULL)
582 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
583
584 if (AdministratorsSid != NULL)
585 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
586
587 if (EveryoneSid != NULL)
588 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
589
590 if (LocalSystemSid != NULL)
591 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
592
/* On failure the output buffer is released as well, so the caller never
 * receives a partially built descriptor. */
593 if (!NT_SUCCESS(Status))
594 {
595 if (RelativeSd != NULL)
596 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
597 }
598
599 return Status;
600}
#define SECRET_ALL_ACCESS
Definition: ntlsa.h:41
#define SECRET_EXECUTE
Definition: ntlsa.h:44

Referenced by LsarCreateSecret().

◆ LsapCreateTokenSd()

NTSTATUS LsapCreateTokenSd ( _In_ const TOKEN_USER * User,
_Outptr_ PSECURITY_DESCRIPTOR * TokenSd,
_Out_ PULONG  TokenSdSize 
)

Creates a security descriptor for the token object.

Parameters
[in] User: A primary user to be given to the function. This user represents the owner that is in charge of this object.
[out] TokenSd: A pointer to an allocated security descriptor for the token object.
[out] TokenSdSize: A pointer to a returned size of the descriptor.
Returns
STATUS_SUCCESS is returned if the function has successfully created the security descriptor. STATUS_INVALID_PARAMETER is returned if one of the parameters is not valid. STATUS_INSUFFICIENT_RESOURCES is returned if a heap allocation for one of the security buffers could not be made. Another NTSTATUS status code is returned otherwise.
Remarks
Both the local system and the user are given full access rights for the token (they can open it, read and write into it, etc.) whereas admins can only read from the token. This security descriptor is NOT to be confused with the default DACL of the token, which is a separate thing that serves a different purpose.

Definition at line 637 of file security.c.

/*
 * Builds the security descriptor for a token object: an absolute SD is
 * assembled on the stack (AbsoluteSd), converted to self-relative form in a
 * buffer taken from the process heap, and handed back through
 * TokenSd / TokenSdSize.
 *
 * Ownership: on success the caller owns *TokenSd (process-heap memory) and
 * must release it. On every failure after the argument check the buffer is
 * freed here and *TokenSd / *TokenSdSize stay NULL / 0. User->User.Sid is
 * only read; it is not freed by this function.
 *
 * Listing note: the gutter numbers skip (646, 648-649, 652, 658-659, ...).
 * The skipped lines, mostly the first line of each Rtl* call, are absent from
 * this rendering, so only the trailing arguments of those calls are visible.
 */
641{
642 SECURITY_DESCRIPTOR AbsoluteSd;
643 PSECURITY_DESCRIPTOR RelativeSd = NULL;
644 ULONG RelativeSdSize = 0;
645 PSID AdministratorsSid = NULL;
647 PACL Dacl = NULL;
/* Declarations on lines 646 and 648-649 are not shown; LocalSystemSid,
 * DaclSize and Status are all used below.
 * NOTE(review): confirm that LocalSystemSid is declared locally on line 646.
 * The page's cross-reference resolves the name to a global in globals.c, and
 * the cleanup at the end of this function frees it. */
650
/* Only the two out-parameters are checked in the visible code. User is
 * dereferenced further down without a NULL test; the _In_ annotation on the
 * prototype makes a valid pointer the caller's obligation. The statement
 * guarded by this check (line 652) is not shown; presumably it returns
 * STATUS_INVALID_PARAMETER. */
651 if (TokenSd == NULL || TokenSdSize == NULL)
653
/* Start from a defined "nothing returned" state so that every later failure
 * path leaves the outputs cleared. */
654 *TokenSd = NULL;
655 *TokenSdSize = 0;
656
657 /* Initialize the SD */
/* Nothing has been allocated yet, so a direct return is safe here. */
660 if (!NT_SUCCESS(Status))
661 return Status;
662
/* Two SIDs are allocated: one with a single sub-authority whose out-argument
 * line (667) is not shown, presumably LocalSystemSid, and Administrators
 * (two sub-authorities). Any failure jumps to the common cleanup. */
664 1,
666 0, 0, 0, 0, 0, 0, 0,
668 if (!NT_SUCCESS(Status))
669 goto done;
670
672 2,
675 0, 0, 0, 0, 0, 0,
676 &AdministratorsSid);
677 if (!NT_SUCCESS(Status))
678 goto done;
679
680 /* Allocate and initialize the DACL */
/* The first term of the sum is on line 682, which is not shown. Unlike the
 * other LsapCreate*Sd routines on this page, the visible terms do not
 * subtract sizeof(ULONG) for the SID placeholder at the end of
 * ACCESS_ALLOWED_ACE, so each ACE is over-estimated by sizeof(ULONG). That
 * errs on the safe side: the buffer is larger than needed, never smaller. */
681 DaclSize = sizeof(ACL) +
683 sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(AdministratorsSid) +
684 sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(User->User.Sid);
685
/* The allocation flags (line 687) are not shown; HEAP_ZERO_MEMORY is among
 * the symbols this function references. Line 691 (not shown) presumably sets
 * Status to STATUS_INSUFFICIENT_RESOURCES before the jump. */
686 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
688 DaclSize);
689 if (Dacl == NULL)
690 {
692 goto done;
693 }
694
/* The ACL header is initialised with DaclSize, then three ACEs are appended:
 * one entirely on lines not shown (701-704), one for Administrators and one
 * for the user's SID. The access masks are on lines not shown; TOKEN_READ and
 * TOKEN_ALL_ACCESS are the masks this function references. Verify in the
 * source which SID receives which. */
696 DaclSize,
698 if (!NT_SUCCESS(Status))
699 goto done;
700
705 if (!NT_SUCCESS(Status))
706 goto done;
707
711 AdministratorsSid);
712 if (!NT_SUCCESS(Status))
713 goto done;
714
718 User->User.Sid);
719 if (!NT_SUCCESS(Status))
720 goto done;
721
/* Attach the DACL (present = TRUE, defaulted = FALSE), then fill one SID
 * field of the descriptor with AdministratorsSid. The call names are on lines
 * not shown; the second is presumably RtlSetOwnerSecurityDescriptor, the only
 * SID setter this function references. */
723 TRUE,
724 Dacl,
725 FALSE);
726 if (!NT_SUCCESS(Status))
727 goto done;
728
730 AdministratorsSid,
731 FALSE);
732 if (!NT_SUCCESS(Status))
733 goto done;
734
/* Size probe: RelativeSd is still NULL and RelativeSdSize is 0 on this first
 * conversion call, so it can only report the required size. The condition on
 * line 738 is not shown; presumably any status other than
 * STATUS_BUFFER_TOO_SMALL is treated as a failure.
 * NOTE(review): confirm that an unexpected success status here cannot reach
 * the cleanup with *TokenSd still NULL. */
736 RelativeSd,
737 &RelativeSdSize);
739 goto done;
740
741 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
743 RelativeSdSize);
744 if (RelativeSd == NULL)
745 {
747 goto done;
748 }
749
/* Second conversion call, this time into the buffer just allocated. */
751 RelativeSd,
752 &RelativeSdSize);
753 if (!NT_SUCCESS(Status))
754 goto done;
755
/* Publish the result only after every step has succeeded. */
756 *TokenSd = RelativeSd;
757 *TokenSdSize = RelativeSdSize;
758
/* Common exit for success and failure: the temporary DACL and the SIDs
 * allocated here are always released, since the self-relative descriptor
 * carries its own copies. */
759done:
760 if (Dacl != NULL)
761 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
762
763 if (AdministratorsSid != NULL)
764 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
765
766 if (LocalSystemSid != NULL)
767 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
768
/* On failure the output buffer is released as well, so the caller never
 * receives a partially built descriptor. */
769 if (!NT_SUCCESS(Status))
770 {
771 if (RelativeSd != NULL)
772 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
773 }
774
775 return Status;
776}
#define TOKEN_READ
Definition: setypes.h:951
#define TOKEN_ALL_ACCESS
Definition: setypes.h:946

Referenced by LsapLogonUser().