ReactOS 0.4.16-dev-1946-g52006dd
Functions
security.c File Reference
#include "lsasrv.h"
Include dependency graph for security.c:

Go to the source code of this file.

Functions

NTSTATUS LsapCreatePolicySd (PSECURITY_DESCRIPTOR *PolicySd, PULONG PolicySdSize)
 
NTSTATUS LsapCreateAccountSd (PSECURITY_DESCRIPTOR *AccountSd, PULONG AccountSdSize)
 
NTSTATUS LsapCreateSecretSd (PSECURITY_DESCRIPTOR *SecretSd, PULONG SecretSdSize)
 
NTSTATUS LsapCreateTokenSd (_In_ const TOKEN_USER *User, _Outptr_ PSECURITY_DESCRIPTOR *TokenSd, _Out_ PULONG TokenSdSize)
 Creates a security descriptor for the token object.
 

Function Documentation

◆ LsapCreateAccountSd()

NTSTATUS LsapCreateAccountSd ( PSECURITY_DESCRIPTOR AccountSd,
PULONG  AccountSdSize 
)

Definition at line 268 of file security.c.

270{
271 SECURITY_DESCRIPTOR AbsoluteSd;
272 PSECURITY_DESCRIPTOR RelativeSd = NULL;
273 ULONG RelativeSdSize = 0;
274 PSID AdministratorsSid = NULL;
275 PSID EveryoneSid = NULL;
276 PSID LocalSystemSid = NULL;
277 PACL Dacl = NULL;
278 ULONG DaclSize;
279 NTSTATUS Status;
280
281 if (AccountSd == NULL || AccountSdSize == NULL)
282 return STATUS_INVALID_PARAMETER;
283
284 *AccountSd = NULL;
285 *AccountSdSize = 0;
286
287 /* Initialize the SD */
288 Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
289 SECURITY_DESCRIPTOR_REVISION);
290 if (!NT_SUCCESS(Status))
291 return Status;
292
293 Status = RtlAllocateAndInitializeSid(&NtAuthority,
294 2,
295 SECURITY_BUILTIN_DOMAIN_RID,
296 DOMAIN_ALIAS_RID_ADMINS,
297 0,
298 0,
299 0,
300 0,
301 0,
302 0,
303 &AdministratorsSid);
304 if (!NT_SUCCESS(Status))
305 goto done;
306
307 Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
308 1,
309 SECURITY_WORLD_RID,
310 0,
311 0,
312 0,
313 0,
314 0,
315 0,
316 0,
317 &EveryoneSid);
318 if (!NT_SUCCESS(Status))
319 goto done;
320
321 Status = RtlAllocateAndInitializeSid(&NtAuthority,
322 1,
323 SECURITY_LOCAL_SYSTEM_RID,
324 0,
325 0,
326 0,
327 0,
328 0,
329 0,
330 0,
331 &LocalSystemSid);
332 if (!NT_SUCCESS(Status))
333 goto done;
334
335 /* Allocate and initialize the DACL */
336 DaclSize = sizeof(ACL) +
337 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
338 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
339
340 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
341 HEAP_ZERO_MEMORY,
342 DaclSize);
343 if (Dacl == NULL)
344 {
345 Status = STATUS_INSUFFICIENT_RESOURCES;
346 goto done;
347 }
348
349 Status = RtlCreateAcl(Dacl,
350 DaclSize,
351 ACL_REVISION);
352 if (!NT_SUCCESS(Status))
353 goto done;
354
355 Status = RtlAddAccessAllowedAce(Dacl,
356 ACL_REVISION,
357 ACCOUNT_ALL_ACCESS,
358 AdministratorsSid);
359 if (!NT_SUCCESS(Status))
360 goto done;
361
362 Status = RtlAddAccessAllowedAce(Dacl,
363 ACL_REVISION,
364 ACCOUNT_EXECUTE,
365 EveryoneSid);
366 if (!NT_SUCCESS(Status))
367 goto done;
368
369 Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
370 TRUE,
371 Dacl,
372 FALSE);
373 if (!NT_SUCCESS(Status))
374 goto done;
375
376 Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
377 LocalSystemSid,
378 FALSE);
379 if (!NT_SUCCESS(Status))
380 goto done;
381
382 Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
383 AdministratorsSid,
384 FALSE);
385 if (!NT_SUCCESS(Status))
386 goto done;
387
388 Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
389 RelativeSd,
390 &RelativeSdSize);
391 if (Status != STATUS_BUFFER_TOO_SMALL)
392 goto done;
393
394 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
395 HEAP_ZERO_MEMORY,
396 RelativeSdSize);
397 if (RelativeSd == NULL)
398 {
399 Status = STATUS_INSUFFICIENT_RESOURCES;
400 goto done;
401 }
402
403 Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
404 RelativeSd,
405 &RelativeSdSize);
406 if (!NT_SUCCESS(Status))
407 goto done;
408
409 *AccountSd = RelativeSd;
410 *AccountSdSize = RelativeSdSize;
411
412done:
413 if (Dacl != NULL)
414 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
415
416 if (AdministratorsSid != NULL)
417 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
418
419 if (EveryoneSid != NULL)
420 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
421
422 if (LocalSystemSid != NULL)
423 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
424
425 if (!NT_SUCCESS(Status))
426 {
427 if (RelativeSd != NULL)
428 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
429 }
430
431 return Status;
432}
NTSTATUS
LONG NTSTATUS
Definition: precomp.h:26
LocalSystemSid
PSID LocalSystemSid
Definition: globals.c:16
NtAuthority
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
RtlAllocateHeap
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:616
RtlFreeHeap
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:634
NULL
#define NULL
Definition: types.h:112
TRUE
#define TRUE
Definition: types.h:120
FALSE
#define FALSE
Definition: types.h:117
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
WorldSidAuthority
SID_IDENTIFIER_AUTHORITY WorldSidAuthority
Definition: database.c:18
Status
Status
Definition: gdiplustypes.h:25
RtlAddAccessAllowedAce
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
RtlSetOwnerSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
RtlSetDaclSecurityDescriptor
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
ACL
struct _ACL ACL
ACCESS_ALLOWED_ACE
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
Dacl
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1625
RtlCreateAcl
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
RtlLengthSid
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
RtlCreateSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
DaclSize
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1626
RtlAllocateAndInitializeSid
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290
RtlSetGroupSecurityDescriptor
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
RtlAbsoluteToSelfRelativeSD
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626
ACCOUNT_EXECUTE
#define ACCOUNT_EXECUTE
Definition: ntlsa.h:36
ACCOUNT_ALL_ACCESS
#define ACCOUNT_ALL_ACCESS
Definition: ntlsa.h:33
STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
_ACCESS_ALLOWED_ACE
Definition: ms-dtyp.idl:215
_ACL
Definition: ms-dtyp.idl:293
_SECURITY_DESCRIPTOR
Definition: ms-dtyp.idl:301
_SID
Definition: ms-dtyp.idl:198
ULONG
uint32_t ULONG
Definition: typedefs.h:59
STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
STATUS_INSUFFICIENT_RESOURCES
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
SECURITY_BUILTIN_DOMAIN_RID
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
SECURITY_WORLD_RID
#define SECURITY_WORLD_RID
Definition: setypes.h:541
SECURITY_LOCAL_SYSTEM_RID
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
SECURITY_DESCRIPTOR_REVISION
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
ACL_REVISION
#define ACL_REVISION
Definition: setypes.h:39
DOMAIN_ALIAS_RID_ADMINS
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652

Referenced by LsarpCreateAccount().

◆ LsapCreatePolicySd()

NTSTATUS LsapCreatePolicySd ( PSECURITY_DESCRIPTOR PolicySd,
PULONG  PolicySdSize 
)

Definition at line 14 of file security.c.

16{
17 SECURITY_DESCRIPTOR AbsoluteSd;
18 PSECURITY_DESCRIPTOR RelativeSd = NULL;
19 ULONG RelativeSdSize = 0;
20 PSID AnonymousSid = NULL;
21 PSID AdministratorsSid = NULL;
22 PSID EveryoneSid = NULL;
23 PSID LocalServiceSid = NULL;
24 PSID NetworkServiceSid = NULL;
25 PSID LocalSystemSid = NULL;
26 PACL Dacl = NULL;
27 ULONG DaclSize;
28 NTSTATUS Status;
29
30 if (PolicySd == NULL || PolicySdSize == NULL)
31 return STATUS_INVALID_PARAMETER;
32
33 *PolicySd = NULL;
34 *PolicySdSize = 0;
35
36 /* Initialize the SD */
37 Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
38 SECURITY_DESCRIPTOR_REVISION);
39 if (!NT_SUCCESS(Status))
40 return Status;
41
42 Status = RtlAllocateAndInitializeSid(&NtAuthority,
43 1,
44 SECURITY_ANONYMOUS_LOGON_RID,
45 0,
46 0,
47 0,
48 0,
49 0,
50 0,
51 0,
52 &AnonymousSid);
53 if (!NT_SUCCESS(Status))
54 goto done;
55
56 Status = RtlAllocateAndInitializeSid(&NtAuthority,
57 2,
58 SECURITY_BUILTIN_DOMAIN_RID,
59 DOMAIN_ALIAS_RID_ADMINS,
60 0,
61 0,
62 0,
63 0,
64 0,
65 0,
66 &AdministratorsSid);
67 if (!NT_SUCCESS(Status))
68 goto done;
69
70 Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
71 1,
72 SECURITY_WORLD_RID,
73 0,
74 0,
75 0,
76 0,
77 0,
78 0,
79 0,
80 &EveryoneSid);
81 if (!NT_SUCCESS(Status))
82 goto done;
83
84 Status = RtlAllocateAndInitializeSid(&NtAuthority,
85 1,
86 SECURITY_LOCAL_SERVICE_RID,
87 0,
88 0,
89 0,
90 0,
91 0,
92 0,
93 0,
94 &LocalServiceSid);
95 if (!NT_SUCCESS(Status))
96 goto done;
97
98 Status = RtlAllocateAndInitializeSid(&NtAuthority,
99 1,
100 SECURITY_NETWORK_SERVICE_RID,
101 0,
102 0,
103 0,
104 0,
105 0,
106 0,
107 0,
108 &NetworkServiceSid);
109 if (!NT_SUCCESS(Status))
110 goto done;
111
112 Status = RtlAllocateAndInitializeSid(&NtAuthority,
113 1,
114 SECURITY_LOCAL_SYSTEM_RID,
115 0,
116 0,
117 0,
118 0,
119 0,
120 0,
121 0,
122 &LocalSystemSid);
123 if (!NT_SUCCESS(Status))
124 goto done;
125
126 /* Allocate and initialize the DACL */
127 DaclSize = sizeof(ACL) +
128 sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
129 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
130 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) +
131 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
132 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(LocalServiceSid) +
133 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(NetworkServiceSid);
134
135 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
136 HEAP_ZERO_MEMORY,
137 DaclSize);
138 if (Dacl == NULL)
139 {
140 Status = STATUS_INSUFFICIENT_RESOURCES;
141 goto done;
142 }
143
144 Status = RtlCreateAcl(Dacl,
145 DaclSize,
146 ACL_REVISION);
147 if (!NT_SUCCESS(Status))
148 goto done;
149
150 Status = RtlAddAccessDeniedAce(Dacl,
151 ACL_REVISION,
152 POLICY_LOOKUP_NAMES,
153 AnonymousSid);
154 if (!NT_SUCCESS(Status))
155 goto done;
156
157 Status = RtlAddAccessAllowedAce(Dacl,
158 ACL_REVISION,
159 POLICY_ALL_ACCESS | POLICY_NOTIFICATION,
160 AdministratorsSid);
161 if (!NT_SUCCESS(Status))
162 goto done;
163
164 Status = RtlAddAccessAllowedAce(Dacl,
165 ACL_REVISION,
166 POLICY_EXECUTE,
167 EveryoneSid);
168 if (!NT_SUCCESS(Status))
169 goto done;
170
171 Status = RtlAddAccessAllowedAce(Dacl,
172 ACL_REVISION,
173 POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,
174 AnonymousSid);
175 if (!NT_SUCCESS(Status))
176 goto done;
177
178 Status = RtlAddAccessAllowedAce(Dacl,
179 ACL_REVISION,
180 POLICY_NOTIFICATION,
181 LocalServiceSid);
182 if (!NT_SUCCESS(Status))
183 goto done;
184
185 Status = RtlAddAccessAllowedAce(Dacl,
186 ACL_REVISION,
187 POLICY_NOTIFICATION,
188 NetworkServiceSid);
189 if (!NT_SUCCESS(Status))
190 goto done;
191
192 Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
193 TRUE,
194 Dacl,
195 FALSE);
196 if (!NT_SUCCESS(Status))
197 goto done;
198
199 Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
200 LocalSystemSid,
201 FALSE);
202 if (!NT_SUCCESS(Status))
203 goto done;
204
205 Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
206 AdministratorsSid,
207 FALSE);
208 if (!NT_SUCCESS(Status))
209 goto done;
210
211 Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
212 RelativeSd,
213 &RelativeSdSize);
214 if (Status != STATUS_BUFFER_TOO_SMALL)
215 goto done;
216
217 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
218 HEAP_ZERO_MEMORY,
219 RelativeSdSize);
220 if (RelativeSd == NULL)
221 {
222 Status = STATUS_INSUFFICIENT_RESOURCES;
223 goto done;
224 }
225
226 Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
227 RelativeSd,
228 &RelativeSdSize);
229 if (!NT_SUCCESS(Status))
230 goto done;
231
232 *PolicySd = RelativeSd;
233 *PolicySdSize = RelativeSdSize;
234
235done:
236 if (Dacl != NULL)
237 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
238
239 if (AnonymousSid != NULL)
240 RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid);
241
242 if (AdministratorsSid != NULL)
243 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
244
245 if (EveryoneSid != NULL)
246 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
247
248 if (LocalServiceSid != NULL)
249 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid);
250
251 if (NetworkServiceSid != NULL)
252 RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid);
253
254 if (LocalSystemSid != NULL)
255 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
256
257 if (!NT_SUCCESS(Status))
258 {
259 if (RelativeSd != NULL)
260 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
261 }
262
263 return Status;
264}
NetworkServiceSid
PSID NetworkServiceSid
Definition: globals.c:16
LocalServiceSid
PSID LocalServiceSid
Definition: globals.c:16
RtlAddAccessDeniedAce
NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid)
POLICY_EXECUTE
#define POLICY_EXECUTE
Definition: ntsecapi.h:76
POLICY_NOTIFICATION
#define POLICY_NOTIFICATION
Definition: ntsecapi.h:73
POLICY_VIEW_LOCAL_INFORMATION
#define POLICY_VIEW_LOCAL_INFORMATION
Definition: ntsecapi.h:61
POLICY_ALL_ACCESS
#define POLICY_ALL_ACCESS
Definition: ntsecapi.h:77
POLICY_LOOKUP_NAMES
#define POLICY_LOOKUP_NAMES
Definition: ntsecapi.h:72
_ACCESS_DENIED_ACE
Definition: ms-dtyp.idl:230
SECURITY_ANONYMOUS_LOGON_RID
#define SECURITY_ANONYMOUS_LOGON_RID
Definition: setypes.h:563
SECURITY_LOCAL_SERVICE_RID
#define SECURITY_LOCAL_SERVICE_RID
Definition: setypes.h:575
SECURITY_NETWORK_SERVICE_RID
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576

Referenced by LsapCreateDatabaseObjects().

◆ LsapCreateSecretSd()

NTSTATUS LsapCreateSecretSd ( PSECURITY_DESCRIPTOR SecretSd,
PULONG  SecretSdSize 
)

Definition at line 436 of file security.c.

438{
439 SECURITY_DESCRIPTOR AbsoluteSd;
440 PSECURITY_DESCRIPTOR RelativeSd = NULL;
441 ULONG RelativeSdSize = 0;
442 PSID AdministratorsSid = NULL;
443 PSID EveryoneSid = NULL;
444 PSID LocalSystemSid = NULL;
445 PACL Dacl = NULL;
446 ULONG DaclSize;
447 NTSTATUS Status;
448
449 if (SecretSd == NULL || SecretSdSize == NULL)
450 return STATUS_INVALID_PARAMETER;
451
452 *SecretSd = NULL;
453 *SecretSdSize = 0;
454
455 /* Initialize the SD */
456 Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
457 SECURITY_DESCRIPTOR_REVISION);
458 if (!NT_SUCCESS(Status))
459 return Status;
460
461 Status = RtlAllocateAndInitializeSid(&NtAuthority,
462 2,
463 SECURITY_BUILTIN_DOMAIN_RID,
464 DOMAIN_ALIAS_RID_ADMINS,
465 0,
466 0,
467 0,
468 0,
469 0,
470 0,
471 &AdministratorsSid);
472 if (!NT_SUCCESS(Status))
473 goto done;
474
475 Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
476 1,
477 SECURITY_WORLD_RID,
478 0,
479 0,
480 0,
481 0,
482 0,
483 0,
484 0,
485 &EveryoneSid);
486 if (!NT_SUCCESS(Status))
487 goto done;
488
489 Status = RtlAllocateAndInitializeSid(&NtAuthority,
490 1,
491 SECURITY_LOCAL_SYSTEM_RID,
492 0,
493 0,
494 0,
495 0,
496 0,
497 0,
498 0,
499 &LocalSystemSid);
500 if (!NT_SUCCESS(Status))
501 goto done;
502
503 /* Allocate and initialize the DACL */
504 DaclSize = sizeof(ACL) +
505 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
506 sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
507
508 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
509 HEAP_ZERO_MEMORY,
510 DaclSize);
511 if (Dacl == NULL)
512 {
513 Status = STATUS_INSUFFICIENT_RESOURCES;
514 goto done;
515 }
516
517 Status = RtlCreateAcl(Dacl,
518 DaclSize,
519 ACL_REVISION);
520 if (!NT_SUCCESS(Status))
521 goto done;
522
523 Status = RtlAddAccessAllowedAce(Dacl,
524 ACL_REVISION,
525 SECRET_ALL_ACCESS,
526 AdministratorsSid);
527 if (!NT_SUCCESS(Status))
528 goto done;
529
530 Status = RtlAddAccessAllowedAce(Dacl,
531 ACL_REVISION,
532 SECRET_EXECUTE,
533 EveryoneSid);
534 if (!NT_SUCCESS(Status))
535 goto done;
536
537 Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
538 TRUE,
539 Dacl,
540 FALSE);
541 if (!NT_SUCCESS(Status))
542 goto done;
543
544 Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
545 LocalSystemSid,
546 FALSE);
547 if (!NT_SUCCESS(Status))
548 goto done;
549
550 Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
551 AdministratorsSid,
552 FALSE);
553 if (!NT_SUCCESS(Status))
554 goto done;
555
556 Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
557 RelativeSd,
558 &RelativeSdSize);
559 if (Status != STATUS_BUFFER_TOO_SMALL)
560 goto done;
561
562 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
563 HEAP_ZERO_MEMORY,
564 RelativeSdSize);
565 if (RelativeSd == NULL)
566 {
567 Status = STATUS_INSUFFICIENT_RESOURCES;
568 goto done;
569 }
570
571 Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
572 RelativeSd,
573 &RelativeSdSize);
574 if (!NT_SUCCESS(Status))
575 goto done;
576
577 *SecretSd = RelativeSd;
578 *SecretSdSize = RelativeSdSize;
579
580done:
581 if (Dacl != NULL)
582 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
583
584 if (AdministratorsSid != NULL)
585 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
586
587 if (EveryoneSid != NULL)
588 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
589
590 if (LocalSystemSid != NULL)
591 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
592
593 if (!NT_SUCCESS(Status))
594 {
595 if (RelativeSd != NULL)
596 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
597 }
598
599 return Status;
600}
SECRET_ALL_ACCESS
#define SECRET_ALL_ACCESS
Definition: ntlsa.h:41
SECRET_EXECUTE
#define SECRET_EXECUTE
Definition: ntlsa.h:44

Referenced by LsarCreateSecret().

◆ LsapCreateTokenSd()

NTSTATUS LsapCreateTokenSd ( _In_ const TOKEN_USER User,
_Outptr_ PSECURITY_DESCRIPTOR TokenSd,
_Out_ PULONG  TokenSdSize 
)

Creates a security descriptor for the token object.

Parameters
[in]UserA primary user to be given to the function. This user represents the owner that is in charge of this object.
[out]TokenSdA pointer to an allocated security descriptor for the token object.
[out]TokenSdSizeA pointer to a returned size of the descriptor.
Returns
STATUS_SUCCESS is returned if the function has successfully created the security descriptor. STATUS_INVALID_PARAMETER is returned if one of the parameters are not valid. STATUS_INSUFFICIENT_RESOURCES is returned if memory heap allocation for specific security buffers couldn't be done. A NTSTATUS status code is returned otherwise.
Remarks
Bot the local system and user are given full access rights for the token (they can open it, read and write into it, etc.) whereas admins can only read from the token. This security descriptor is TO NOT BE confused with the default DACL of the token which is another thing that serves different purpose.

Definition at line 637 of file security.c.

641{
642 SECURITY_DESCRIPTOR AbsoluteSd;
643 PSECURITY_DESCRIPTOR RelativeSd = NULL;
644 ULONG RelativeSdSize = 0;
645 PSID AdministratorsSid = NULL;
646 PSID LocalSystemSid = NULL;
647 PACL Dacl = NULL;
648 ULONG DaclSize;
649 NTSTATUS Status;
650
651 if (TokenSd == NULL || TokenSdSize == NULL)
652 return STATUS_INVALID_PARAMETER;
653
654 *TokenSd = NULL;
655 *TokenSdSize = 0;
656
657 /* Initialize the SD */
658 Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
659 SECURITY_DESCRIPTOR_REVISION);
660 if (!NT_SUCCESS(Status))
661 return Status;
662
663 Status = RtlAllocateAndInitializeSid(&NtAuthority,
664 1,
665 SECURITY_LOCAL_SYSTEM_RID,
666 0, 0, 0, 0, 0, 0, 0,
667 &LocalSystemSid);
668 if (!NT_SUCCESS(Status))
669 goto done;
670
671 Status = RtlAllocateAndInitializeSid(&NtAuthority,
672 2,
673 SECURITY_BUILTIN_DOMAIN_RID,
674 DOMAIN_ALIAS_RID_ADMINS,
675 0, 0, 0, 0, 0, 0,
676 &AdministratorsSid);
677 if (!NT_SUCCESS(Status))
678 goto done;
679
680 /* Allocate and initialize the DACL */
681 DaclSize = sizeof(ACL) +
682 sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(LocalSystemSid) +
683 sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(AdministratorsSid) +
684 sizeof(ACCESS_ALLOWED_ACE) + RtlLengthSid(User->User.Sid);
685
686 Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
687 HEAP_ZERO_MEMORY,
688 DaclSize);
689 if (Dacl == NULL)
690 {
691 Status = STATUS_INSUFFICIENT_RESOURCES;
692 goto done;
693 }
694
695 Status = RtlCreateAcl(Dacl,
696 DaclSize,
697 ACL_REVISION);
698 if (!NT_SUCCESS(Status))
699 goto done;
700
701 Status = RtlAddAccessAllowedAce(Dacl,
702 ACL_REVISION,
703 TOKEN_ALL_ACCESS,
704 LocalSystemSid);
705 if (!NT_SUCCESS(Status))
706 goto done;
707
708 Status = RtlAddAccessAllowedAce(Dacl,
709 ACL_REVISION,
710 TOKEN_READ,
711 AdministratorsSid);
712 if (!NT_SUCCESS(Status))
713 goto done;
714
715 Status = RtlAddAccessAllowedAce(Dacl,
716 ACL_REVISION,
717 TOKEN_ALL_ACCESS,
718 User->User.Sid);
719 if (!NT_SUCCESS(Status))
720 goto done;
721
722 Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
723 TRUE,
724 Dacl,
725 FALSE);
726 if (!NT_SUCCESS(Status))
727 goto done;
728
729 Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
730 AdministratorsSid,
731 FALSE);
732 if (!NT_SUCCESS(Status))
733 goto done;
734
735 Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
736 RelativeSd,
737 &RelativeSdSize);
738 if (Status != STATUS_BUFFER_TOO_SMALL)
739 goto done;
740
741 RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
742 HEAP_ZERO_MEMORY,
743 RelativeSdSize);
744 if (RelativeSd == NULL)
745 {
746 Status = STATUS_INSUFFICIENT_RESOURCES;
747 goto done;
748 }
749
750 Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
751 RelativeSd,
752 &RelativeSdSize);
753 if (!NT_SUCCESS(Status))
754 goto done;
755
756 *TokenSd = RelativeSd;
757 *TokenSdSize = RelativeSdSize;
758
759done:
760 if (Dacl != NULL)
761 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
762
763 if (AdministratorsSid != NULL)
764 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
765
766 if (LocalSystemSid != NULL)
767 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
768
769 if (!NT_SUCCESS(Status))
770 {
771 if (RelativeSd != NULL)
772 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
773 }
774
775 return Status;
776}
TOKEN_READ
#define TOKEN_READ
Definition: setypes.h:963
TOKEN_ALL_ACCESS
#define TOKEN_ALL_ACCESS
Definition: setypes.h:958

Referenced by LsapLogonUser().