ReactOS  0.4.15-dev-5146-g069b08d
security.c
1 /*
2  * PROJECT: ReactOS Service Control Manager
3  * LICENSE: GPL - See COPYING in the top level directory
4  * FILE: base/system/services/security.c
5  * PURPOSE: Security functions
6  * COPYRIGHT: Eric Kohl
7  */
8 
9 /* INCLUDES *****************************************************************/
10 
11 #include "services.h"
12 
13 #define NDEBUG
14 #include <debug.h>
15 
16 static PSID pNullSid = NULL;
17 static PSID pWorldSid = NULL;
21 
24 static PACL pPipeDacl = NULL;
25 
28 
29 
30 /* FUNCTIONS ****************************************************************/
31 
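/*
 * Release the well-known SIDs held in the file-scope pointers
 * (Null, World, LocalSystem, AuthenticatedUser, AliasAdmins).
 *
 * Each pointer is reset to NULL once its buffer has been returned to the
 * process heap, so a repeated call or a later NULL check cannot act on
 * freed memory.
 */
static
VOID
ScmFreeSids(VOID)
{
    /* Same release order as the individual frees: Null, World, LocalSystem,
     * AuthenticatedUser, AliasAdmins */
    PSID *ppSids[] =
    {
        &pNullSid,
        &pWorldSid,
        &pLocalSystemSid,
        &pAuthenticatedUserSid,
        &pAliasAdminsSid
    };
    ULONG i;

    for (i = 0; i < sizeof(ppSids) / sizeof(ppSids[0]); i++)
    {
        if (*ppSids[i] != NULL)
        {
            RtlFreeHeap(RtlGetProcessHeap(), 0, *ppSids[i]);
            *ppSids[i] = NULL;
        }
    }
}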
51 
52 
53 static
54 DWORD
56 {
60  PULONG pSubAuthority;
61  ULONG ulLength1 = RtlLengthRequiredSid(1);
62  ULONG ulLength2 = RtlLengthRequiredSid(2);
63 
64  /* Create the Null SID */
65  pNullSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
66  if (pNullSid == NULL)
67  {
68  return ERROR_OUTOFMEMORY;
69  }
70 
71  RtlInitializeSid(pNullSid, &NullAuthority, 1);
72  pSubAuthority = RtlSubAuthoritySid(pNullSid, 0);
73  *pSubAuthority = SECURITY_NULL_RID;
74 
75  /* Create the World SID */
76  pWorldSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
77  if (pWorldSid == NULL)
78  {
79  return ERROR_OUTOFMEMORY;
80  }
81 
83  pSubAuthority = RtlSubAuthoritySid(pWorldSid, 0);
84  *pSubAuthority = SECURITY_WORLD_RID;
85 
86  /* Create the LocalSystem SID */
87  pLocalSystemSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
88  if (pLocalSystemSid == NULL)
89  {
90  return ERROR_OUTOFMEMORY;
91  }
92 
94  pSubAuthority = RtlSubAuthoritySid(pLocalSystemSid, 0);
95  *pSubAuthority = SECURITY_LOCAL_SYSTEM_RID;
96 
97  /* Create the AuthenticatedUser SID */
98  pAuthenticatedUserSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
100  {
101  return ERROR_OUTOFMEMORY;
102  }
103 
105  pSubAuthority = RtlSubAuthoritySid(pAuthenticatedUserSid, 0);
106  *pSubAuthority = SECURITY_AUTHENTICATED_USER_RID;
107 
108  /* Create the AliasAdmins SID */
109  pAliasAdminsSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength2);
110  if (pAliasAdminsSid == NULL)
111  {
112  return ERROR_OUTOFMEMORY;
113  }
114 
116  pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 0);
117  *pSubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
118  pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 1);
119  *pSubAuthority = DOMAIN_ALIAS_RID_ADMINS;
120 
121  return ERROR_SUCCESS;
122 }
123 
124 
125 static
126 DWORD
128 {
129  ULONG ulLength;
130 
131  /* Create DACL */
132  ulLength = sizeof(ACL) +
133  (sizeof(ACE) + RtlLengthSid(pLocalSystemSid)) +
134  (sizeof(ACE) + RtlLengthSid(pAliasAdminsSid)) +
136 
137  pDefaultDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
138  if (pDefaultDacl == NULL)
139  return ERROR_OUTOFMEMORY;
140 
142 
144  ACL_REVISION,
149 
151  ACL_REVISION,
154 
156  ACL_REVISION,
160 
161  /* Create SACL: one audit ACE for the Null SID; the trailing FALSE/TRUE arguments select failure auditing only */
162  ulLength = sizeof(ACL) +
163  (sizeof(ACE) + RtlLengthSid(pNullSid));
164 
165  pDefaultSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
166  if (pDefaultSacl == NULL)
167  return ERROR_OUTOFMEMORY;
168 
170 
172  ACL_REVISION,
174  pNullSid,
175  FALSE,
176  TRUE);
177 
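178  /* Create the pipe DACL: one ACE granting GENERIC_ALL to the World SID, i.e. this DACL does not restrict which callers get access */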
179  ulLength = sizeof(ACL) +
180  (sizeof(ACE) + RtlLengthSid(pWorldSid));
181 
182  pPipeDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
183  if (pPipeDacl == NULL)
184  return ERROR_OUTOFMEMORY;
185 
186  RtlCreateAcl(pPipeDacl, ulLength, ACL_REVISION);
187 
189  ACL_REVISION,
190  GENERIC_ALL,
191  pWorldSid);
192 
193  return ERROR_SUCCESS;
194 }
195 
196 
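/*
 * Release the default DACL, the default SACL and the pipe DACL.
 *
 * Each pointer is reset to NULL after the free so that no file-scope
 * pointer keeps referring to heap memory that has been released.
 */
static
VOID
ScmFreeAcls(VOID)
{
    PACL *ppAcls[] = { &pDefaultDacl, &pDefaultSacl, &pPipeDacl };
    ULONG i;

    for (i = 0; i < sizeof(ppAcls) / sizeof(ppAcls[0]); i++)
    {
        if (*ppAcls[i] != NULL)
        {
            RtlFreeHeap(RtlGetProcessHeap(), 0, *ppAcls[i]);
            *ppAcls[i] = NULL;
        }
    }
}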
210 
211 
212 static
213 DWORD
215 {
217 
218  /* Create the absolute security descriptor */
219  pDefaultSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
220  if (pDefaultSD == NULL)
221  return ERROR_OUTOFMEMORY;
222 
223  DPRINT("pDefaultSD %p\n", pDefaultSD);
224 
227  if (!NT_SUCCESS(Status))
229 
232  FALSE);
233  if (!NT_SUCCESS(Status))
235 
238  FALSE);
239  if (!NT_SUCCESS(Status))
241 
243  TRUE,
244  pDefaultDacl,
245  FALSE);
246  if (!NT_SUCCESS(Status))
248 
250  TRUE,
251  pDefaultSacl,
252  FALSE);
253  if (!NT_SUCCESS(Status))
255 
256  return ERROR_SUCCESS;
257 }
258 
259 
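/*
 * Release the absolute default security descriptor.
 *
 * pDefaultSD is cleared afterwards so that nothing can read or free the
 * released buffer through it a second time.
 */
static
VOID
ScmFreeDefaultSD(VOID)
{
    if (pDefaultSD == NULL)
        return;

    RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD);
    pDefaultSD = NULL;
}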
267 
268 
269 static
270 DWORD
272 {
274 
275  /* Create the absolute security descriptor */
276  pPipeSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
277  if (pPipeSD == NULL)
278  return ERROR_OUTOFMEMORY;
279 
280  DPRINT("pPipeSD %p\n", pDefaultSD);
281 
284  if (!NT_SUCCESS(Status))
286 
289  FALSE);
290  if (!NT_SUCCESS(Status))
292 
295  FALSE);
296  if (!NT_SUCCESS(Status))
298 
300  TRUE,
301  pPipeDacl,
302  FALSE);
303  if (!NT_SUCCESS(Status))
305 
306  return ERROR_SUCCESS;
307 }
308 
309 
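/*
 * Release the absolute security descriptor used for the pipe.
 *
 * pPipeSD is declared without 'static', so it may be visible outside this
 * file; clearing it after the free keeps any such reader from picking up a
 * pointer to released heap memory.
 */
static
VOID
ScmFreePipeSD(VOID)
{
    if (pPipeSD == NULL)
        return;

    RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD);
    pPipeSD = NULL;
}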
317 
318 
319 DWORD
321  PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
322 {
323  PSECURITY_DESCRIPTOR pRelativeSD = NULL;
324  DWORD dwBufferLength = 0;
326  DWORD dwError = ERROR_SUCCESS;
327 
328  /* Convert the absolute SD to a self-relative SD */
330  NULL,
331  &dwBufferLength);
333  {
334  dwError = RtlNtStatusToDosError(Status);
335  goto done;
336  }
337 
338  DPRINT("BufferLength %lu\n", dwBufferLength);
339 
340  pRelativeSD = RtlAllocateHeap(RtlGetProcessHeap(),
342  dwBufferLength);
343  if (pRelativeSD == NULL)
344  {
345  dwError = ERROR_OUTOFMEMORY;
346  goto done;
347  }
348  DPRINT("pRelativeSD %p\n", pRelativeSD);
349 
351  pRelativeSD,
352  &dwBufferLength);
353  if (!NT_SUCCESS(Status))
354  {
355  dwError = RtlNtStatusToDosError(Status);
356  goto done;
357  }
358 
359  *ppSecurityDescriptor = pRelativeSD;
360 
361 done:
362  if (dwError != ERROR_SUCCESS)
363  {
364  if (pRelativeSD != NULL)
365  RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD);
366  }
367 
368  return dwError;
369 }
370 
371 
/*
 * Build the SCM security objects in dependency order: the SIDs, the ACLs
 * sized from those SIDs, then the default and the pipe security descriptors
 * that carry the ACLs.
 *
 * Returns ERROR_SUCCESS, or the error code of the first step that fails.
 * A failing step ends the sequence at once; nothing created by the earlier
 * steps is released here.
 */
DWORD
ScmInitializeSecurity(VOID)
{
    DWORD dwError = ScmCreateSids();

    if (dwError == ERROR_SUCCESS)
        dwError = ScmCreateAcls();

    if (dwError == ERROR_SUCCESS)
        dwError = ScmCreateDefaultSD();

    if (dwError == ERROR_SUCCESS)
        dwError = ScmCreatePipeSD();

    return dwError;
}
395 
396 
/*
 * Tear down the SCM security objects in the reverse of the order used by
 * ScmInitializeSecurity: security descriptors first, then the ACLs, then
 * the SIDs.
 */
VOID
ScmShutdownSecurity(VOID)
{
    /* Security descriptors */
    ScmFreePipeSD();
    ScmFreeDefaultSD();

    /* ACLs, then the SIDs they were built from */
    ScmFreeAcls();
    ScmFreeSids();
}
405 
406 /* EOF */
static PACL pPipeDacl
Definition: security.c:24
#define SECURITY_AUTHENTICATED_USER_RID
Definition: setypes.h:568
#define GENERIC_ALL
Definition: nt_native.h:92
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
static VOID ScmFreeAcls(VOID)
Definition: security.c:199
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
#define ERROR_SUCCESS
Definition: deptool.c:10
#define TRUE
Definition: types.h:120
static PSID pAuthenticatedUserSid
Definition: security.c:19
LONG NTSTATUS
Definition: precomp.h:26
static SID_IDENTIFIER_AUTHORITY WorldAuthority
Definition: security.c:14
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
static PSID pNullSid
Definition: security.c:16
#define SERVICE_INTERROGATE
Definition: winsvc.h:60
NTSYSAPI PULONG NTAPI RtlSubAuthoritySid(_In_ PSID Sid, _In_ ULONG SubAuthority)
static PSID pAliasAdminsSid
Definition: security.c:20
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
#define SECURITY_NULL_SID_AUTHORITY
Definition: setypes.h:524
#define SERVICE_ALL_ACCESS
Definition: winsvc.h:62
static PACL pDefaultSacl
Definition: security.c:23
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
#define SERVICE_ENUMERATE_DEPENDENTS
Definition: winsvc.h:56
DWORD ScmInitializeSecurity(VOID)
Definition: security.c:373
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:15
NTSYSAPI NTSTATUS NTAPI RtlInitializeSid(IN OUT PSID Sid, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount)
NTSYSAPI ULONG WINAPI RtlNtStatusToDosError(NTSTATUS)
static DWORD ScmCreatePipeSD(VOID)
Definition: security.c:271
#define FALSE
Definition: types.h:117
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626
static DWORD ScmCreateSids(VOID)
Definition: security.c:55
struct _ACL ACL
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define SERVICE_QUERY_STATUS
Definition: winsvc.h:55
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342
static PACL pDefaultDacl
Definition: security.c:22
static PSID pWorldSid
Definition: security.c:17
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
Status
Definition: gdiplustypes.h:24
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527
#define SERVICE_USER_DEFINED_CONTROL
Definition: winsvc.h:61
static VOID ScmFreePipeSD(VOID)
Definition: security.c:312
unsigned long DWORD
Definition: ntddk_ex.h:95
#define SECURITY_WORLD_RID
Definition: setypes.h:541
#define READ_CONTROL
Definition: nt_native.h:58
#define SECURITY_NULL_RID
Definition: setypes.h:540
static VOID ScmFreeDefaultSD(VOID)
Definition: security.c:262
#define SERVICE_START
Definition: winsvc.h:57
static DWORD ScmCreateDefaultSD(VOID)
Definition: security.c:214
static PSECURITY_DESCRIPTOR pDefaultSD
Definition: security.c:26
static PSID pLocalSystemSid
Definition: security.c:18
NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
#define SERVICE_STOP
Definition: winsvc.h:58
unsigned int * PULONG
Definition: retypes.h:1
#define NULL
Definition: types.h:112
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
#define ACL_REVISION
Definition: setypes.h:39
static DWORD ScmCreateAcls(VOID)
Definition: security.c:127
unsigned int ULONG
Definition: retypes.h:1
PSECURITY_DESCRIPTOR pPipeSD
Definition: security.c:27
#define SERVICE_QUERY_CONFIG
Definition: winsvc.h:53
DWORD ScmCreateDefaultServiceSD(PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
Definition: security.c:320
#define DPRINT
Definition: sndvol32.h:71
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
#define SERVICE_PAUSE_CONTINUE
Definition: winsvc.h:59
Definition: rtltypes.h:992
VOID ScmShutdownSecurity(VOID)
Definition: security.c:398
static VOID ScmFreeSids(VOID)
Definition: security.c:34
#define ERROR_OUTOFMEMORY
Definition: deptool.c:13
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54