ReactOS  0.4.14-dev-390-g34947ad
security.c
Go to the documentation of this file.
1 /*
2  * PROJECT: Local Security Authority Server DLL
3  * LICENSE: GPL - See COPYING in the top level directory
4  * FILE: dll/win32/lsasrv/security.c
5  * PURPOSE: LSA object security functions
6  * COPYRIGHT: Copyright 2012 Eric Kohl
7  */
8 
9 #include "lsasrv.h"
10 
11 /* FUNCTIONS ***************************************************************/
12 
15  PULONG PolicySdSize)
16 {
17  SECURITY_DESCRIPTOR AbsoluteSd;
18  PSECURITY_DESCRIPTOR RelativeSd = NULL;
19  ULONG RelativeSdSize = 0;
20  PSID AnonymousSid = NULL;
21  PSID AdministratorsSid = NULL;
22  PSID EveryoneSid = NULL;
26  PACL Dacl = NULL;
29 
30  if (PolicySd == NULL || PolicySdSize == NULL)
32 
33  *PolicySd = NULL;
34  *PolicySdSize = 0;
35 
36  /* Initialize the SD */
37  Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
39  if (!NT_SUCCESS(Status))
40  return Status;
41 
43  1,
45  0,
46  0,
47  0,
48  0,
49  0,
50  0,
51  0,
52  &AnonymousSid);
53  if (!NT_SUCCESS(Status))
54  goto done;
55 
57  2,
60  0,
61  0,
62  0,
63  0,
64  0,
65  0,
66  &AdministratorsSid);
67  if (!NT_SUCCESS(Status))
68  goto done;
69 
71  1,
73  0,
74  0,
75  0,
76  0,
77  0,
78  0,
79  0,
80  &EveryoneSid);
81  if (!NT_SUCCESS(Status))
82  goto done;
83 
85  1,
87  0,
88  0,
89  0,
90  0,
91  0,
92  0,
93  0,
95  if (!NT_SUCCESS(Status))
96  goto done;
97 
99  1,
101  0,
102  0,
103  0,
104  0,
105  0,
106  0,
107  0,
109  if (!NT_SUCCESS(Status))
110  goto done;
111 
113  1,
115  0,
116  0,
117  0,
118  0,
119  0,
120  0,
121  0,
122  &LocalSystemSid);
123  if (!NT_SUCCESS(Status))
124  goto done;
125 
126  /* Allocate and initialize the DACL */
127  DaclSize = sizeof(ACL) +
128  sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
129  sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
130  sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) +
131  sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
134 
135  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
137  DaclSize);
138  if (Dacl == NULL)
139  {
141  goto done;
142  }
143 
145  DaclSize,
146  ACL_REVISION);
147  if (!NT_SUCCESS(Status))
148  goto done;
149 
151  ACL_REVISION,
153  AnonymousSid);
154  if (!NT_SUCCESS(Status))
155  goto done;
156 
158  ACL_REVISION,
160  AdministratorsSid);
161  if (!NT_SUCCESS(Status))
162  goto done;
163 
165  ACL_REVISION,
167  EveryoneSid);
168  if (!NT_SUCCESS(Status))
169  goto done;
170 
172  ACL_REVISION,
174  AnonymousSid);
175  if (!NT_SUCCESS(Status))
176  goto done;
177 
179  ACL_REVISION,
182  if (!NT_SUCCESS(Status))
183  goto done;
184 
186  ACL_REVISION,
189  if (!NT_SUCCESS(Status))
190  goto done;
191 
192  Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
193  TRUE,
194  Dacl,
195  FALSE);
196  if (!NT_SUCCESS(Status))
197  goto done;
198 
201  FALSE);
202  if (!NT_SUCCESS(Status))
203  goto done;
204 
206  AdministratorsSid,
207  FALSE);
208  if (!NT_SUCCESS(Status))
209  goto done;
210 
211  Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
212  RelativeSd,
213  &RelativeSdSize);
215  goto done;
216 
217  RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
219  RelativeSdSize);
220  if (RelativeSd == NULL)
221  {
223  goto done;
224  }
225 
226  Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
227  RelativeSd,
228  &RelativeSdSize);
229  if (!NT_SUCCESS(Status))
230  goto done;
231 
232  *PolicySd = RelativeSd;
233  *PolicySdSize = RelativeSdSize;
234 
235 done:
236  if (Dacl != NULL)
237  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
238 
239  if (AnonymousSid != NULL)
240  RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid);
241 
242  if (AdministratorsSid != NULL)
243  RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
244 
245  if (EveryoneSid != NULL)
246  RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
247 
248  if (LocalServiceSid != NULL)
249  RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid);
250 
251  if (NetworkServiceSid != NULL)
252  RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid);
253 
254  if (LocalSystemSid != NULL)
255  RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
256 
257  if (!NT_SUCCESS(Status))
258  {
259  if (RelativeSd != NULL)
260  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
261  }
262 
263  return Status;
264 }
265 
266 
267 NTSTATUS
269  PULONG AccountSdSize)
270 {
271  SECURITY_DESCRIPTOR AbsoluteSd;
272  PSECURITY_DESCRIPTOR RelativeSd = NULL;
273  ULONG RelativeSdSize = 0;
274  PSID AdministratorsSid = NULL;
275  PSID EveryoneSid = NULL;
277  PACL Dacl = NULL;
278  ULONG DaclSize;
280 
281  if (AccountSd == NULL || AccountSdSize == NULL)
283 
284  *AccountSd = NULL;
285  *AccountSdSize = 0;
286 
287  /* Initialize the SD */
288  Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
290  if (!NT_SUCCESS(Status))
291  return Status;
292 
294  2,
297  0,
298  0,
299  0,
300  0,
301  0,
302  0,
303  &AdministratorsSid);
304  if (!NT_SUCCESS(Status))
305  goto done;
306 
308  1,
310  0,
311  0,
312  0,
313  0,
314  0,
315  0,
316  0,
317  &EveryoneSid);
318  if (!NT_SUCCESS(Status))
319  goto done;
320 
322  1,
324  0,
325  0,
326  0,
327  0,
328  0,
329  0,
330  0,
331  &LocalSystemSid);
332  if (!NT_SUCCESS(Status))
333  goto done;
334 
335  /* Allocate and initialize the DACL */
336  DaclSize = sizeof(ACL) +
337  sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
338  sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
339 
340  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
342  DaclSize);
343  if (Dacl == NULL)
344  {
346  goto done;
347  }
348 
350  DaclSize,
351  ACL_REVISION);
352  if (!NT_SUCCESS(Status))
353  goto done;
354 
356  ACL_REVISION,
358  AdministratorsSid);
359  if (!NT_SUCCESS(Status))
360  goto done;
361 
363  ACL_REVISION,
365  EveryoneSid);
366  if (!NT_SUCCESS(Status))
367  goto done;
368 
369  Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
370  TRUE,
371  Dacl,
372  FALSE);
373  if (!NT_SUCCESS(Status))
374  goto done;
375 
378  FALSE);
379  if (!NT_SUCCESS(Status))
380  goto done;
381 
383  AdministratorsSid,
384  FALSE);
385  if (!NT_SUCCESS(Status))
386  goto done;
387 
388  Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
389  RelativeSd,
390  &RelativeSdSize);
392  goto done;
393 
394  RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
396  RelativeSdSize);
397  if (RelativeSd == NULL)
398  {
400  goto done;
401  }
402 
403  Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
404  RelativeSd,
405  &RelativeSdSize);
406  if (!NT_SUCCESS(Status))
407  goto done;
408 
409  *AccountSd = RelativeSd;
410  *AccountSdSize = RelativeSdSize;
411 
412 done:
413  if (Dacl != NULL)
414  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
415 
416  if (AdministratorsSid != NULL)
417  RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
418 
419  if (EveryoneSid != NULL)
420  RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
421 
422  if (LocalSystemSid != NULL)
423  RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
424 
425  if (!NT_SUCCESS(Status))
426  {
427  if (RelativeSd != NULL)
428  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
429  }
430 
431  return Status;
432 }
433 
434 
435 NTSTATUS
437  PULONG SecretSdSize)
438 {
439  SECURITY_DESCRIPTOR AbsoluteSd;
440  PSECURITY_DESCRIPTOR RelativeSd = NULL;
441  ULONG RelativeSdSize = 0;
442  PSID AdministratorsSid = NULL;
443  PSID EveryoneSid = NULL;
445  PACL Dacl = NULL;
446  ULONG DaclSize;
448 
449  if (SecretSd == NULL || SecretSdSize == NULL)
451 
452  *SecretSd = NULL;
453  *SecretSdSize = 0;
454 
455  /* Initialize the SD */
456  Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
458  if (!NT_SUCCESS(Status))
459  return Status;
460 
462  2,
465  0,
466  0,
467  0,
468  0,
469  0,
470  0,
471  &AdministratorsSid);
472  if (!NT_SUCCESS(Status))
473  goto done;
474 
476  1,
478  0,
479  0,
480  0,
481  0,
482  0,
483  0,
484  0,
485  &EveryoneSid);
486  if (!NT_SUCCESS(Status))
487  goto done;
488 
490  1,
492  0,
493  0,
494  0,
495  0,
496  0,
497  0,
498  0,
499  &LocalSystemSid);
500  if (!NT_SUCCESS(Status))
501  goto done;
502 
503  /* Allocate and initialize the DACL */
504  DaclSize = sizeof(ACL) +
505  sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
506  sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
507 
508  Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
510  DaclSize);
511  if (Dacl == NULL)
512  {
514  goto done;
515  }
516 
518  DaclSize,
519  ACL_REVISION);
520  if (!NT_SUCCESS(Status))
521  goto done;
522 
524  ACL_REVISION,
526  AdministratorsSid);
527  if (!NT_SUCCESS(Status))
528  goto done;
529 
531  ACL_REVISION,
533  EveryoneSid);
534  if (!NT_SUCCESS(Status))
535  goto done;
536 
537  Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
538  TRUE,
539  Dacl,
540  FALSE);
541  if (!NT_SUCCESS(Status))
542  goto done;
543 
546  FALSE);
547  if (!NT_SUCCESS(Status))
548  goto done;
549 
551  AdministratorsSid,
552  FALSE);
553  if (!NT_SUCCESS(Status))
554  goto done;
555 
556  Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
557  RelativeSd,
558  &RelativeSdSize);
560  goto done;
561 
562  RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
564  RelativeSdSize);
565  if (RelativeSd == NULL)
566  {
568  goto done;
569  }
570 
571  Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
572  RelativeSd,
573  &RelativeSdSize);
574  if (!NT_SUCCESS(Status))
575  goto done;
576 
577  *SecretSd = RelativeSd;
578  *SecretSdSize = RelativeSdSize;
579 
580 done:
581  if (Dacl != NULL)
582  RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
583 
584  if (AdministratorsSid != NULL)
585  RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
586 
587  if (EveryoneSid != NULL)
588  RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
589 
590  if (LocalSystemSid != NULL)
591  RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
592 
593  if (!NT_SUCCESS(Status))
594  {
595  if (RelativeSd != NULL)
596  RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
597  }
598 
599  return Status;
600 }
601 
602 /* EOF */
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:546
#define TRUE
Definition: types.h:120
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
static ULONG
Definition: security.c:118
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
#define POLICY_VIEW_LOCAL_INFORMATION
Definition: ntsecapi.h:61
NTSTATUS LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd, PULONG SecretSdSize)
Definition: security.c:436
NTSTATUS LsapCreateAccountSd(PSECURITY_DESCRIPTOR *AccountSd, PULONG AccountSdSize)
Definition: security.c:268
LONG NTSTATUS
Definition: precomp.h:26
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
#define ACCOUNT_ALL_ACCESS
Definition: ntlsa.h:33
struct _ACCESS_ALLOWED_ACE ACCESS_ALLOWED_ACE
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
NTSYSAPI NTSTATUS NTAPI RtlAllocateAndInitializeSid(IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount, IN ULONG SubAuthority0, IN ULONG SubAuthority1, IN ULONG SubAuthority2, IN ULONG SubAuthority3, IN ULONG SubAuthority4, IN ULONG SubAuthority5, IN ULONG SubAuthority6, IN ULONG SubAuthority7, OUT PSID *Sid)
Definition: sid.c:290
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:15
#define ACCOUNT_EXECUTE
Definition: ntlsa.h:36
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626
struct _ACL ACL
smooth NULL
Definition: ftsmooth.c:416
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define SECURITY_LOCAL_SERVICE_RID
Definition: setypes.h:547
SID_IDENTIFIER_AUTHORITY WorldSidAuthority
Definition: database.c:16
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
NTSTATUS LsapCreatePolicySd(PSECURITY_DESCRIPTOR *PolicySd, PULONG PolicySdSize)
Definition: security.c:14
#define POLICY_LOOKUP_NAMES
Definition: ntsecapi.h:72
#define SECRET_ALL_ACCESS
Definition: ntlsa.h:41
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:553
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
PSID LocalSystemSid
Definition: globals.c:16
#define SECURITY_WORLD_RID
Definition: setypes.h:513
#define SECURITY_ANONYMOUS_LOGON_RID
Definition: setypes.h:535
PSID LocalServiceSid
Definition: globals.c:16
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL Dacl
Definition: rtlfuncs.h:1553
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:548
Status
Definition: gdiplustypes.h:24
#define POLICY_EXECUTE
Definition: ntsecapi.h:76
unsigned int * PULONG
Definition: retypes.h:1
PSID NetworkServiceSid
Definition: globals.c:16
#define POLICY_ALL_ACCESS
Definition: ntsecapi.h:77
#define HEAP_ZERO_MEMORY
Definition: compat.h:123
_Out_writes_bytes_to_opt_ AbsoluteSecurityDescriptorSize PSECURITY_DESCRIPTOR _Inout_ PULONG _Out_writes_bytes_to_opt_ DaclSize PACL _Inout_ PULONG DaclSize
Definition: rtlfuncs.h:1553
#define ACL_REVISION
Definition: setypes.h:39
unsigned int ULONG
Definition: retypes.h:1
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:624
#define SECRET_EXECUTE
Definition: ntlsa.h:44
#define POLICY_NOTIFICATION
Definition: ntsecapi.h:73
NTSYSAPI NTSTATUS NTAPI RtlAddAccessDeniedAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid)