ReactOS  0.4.13-dev-651-g5dbc677
security.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Service Control Manager
3  * LICENSE: GPL - See COPYING in the top level directory
4  * FILE: base/system/services/security.c
5  * PURPOSE: Security functions
6  * COPYRIGHT: Eric Kohl
7  */
8 
9 /* INCLUDES *****************************************************************/
10 
11 #include "services.h"
12 
13 #define NDEBUG
14 #include <debug.h>
15 
16 static PSID pNullSid = NULL;
20 
23 
25 
26 
27 /* FUNCTIONS ****************************************************************/
28 
29 static
30 VOID
32 {
33  if (pNullSid != NULL)
34  RtlFreeHeap(RtlGetProcessHeap(), 0, pNullSid);
35 
36  if (pLocalSystemSid != NULL)
37  RtlFreeHeap(RtlGetProcessHeap(), 0, pLocalSystemSid);
38 
40  RtlFreeHeap(RtlGetProcessHeap(), 0, pAuthenticatedUserSid);
41 
42  if (pAliasAdminsSid != NULL)
43  RtlFreeHeap(RtlGetProcessHeap(), 0, pAliasAdminsSid);
44 
45 }
46 
47 
48 static
49 DWORD
51 {
54  PULONG pSubAuthority;
55  ULONG ulLength1 = RtlLengthRequiredSid(1);
56  ULONG ulLength2 = RtlLengthRequiredSid(2);
57 
58  /* Create the Null SID */
59  pNullSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
60  if (pNullSid == NULL)
61  {
62  return ERROR_OUTOFMEMORY;
63  }
64 
65  RtlInitializeSid(pNullSid, &NullAuthority, 1);
66  pSubAuthority = RtlSubAuthoritySid(pNullSid, 0);
67  *pSubAuthority = SECURITY_NULL_RID;
68 
69  /* Create the LocalSystem SID */
70  pLocalSystemSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
71  if (pLocalSystemSid == NULL)
72  {
73  return ERROR_OUTOFMEMORY;
74  }
75 
77  pSubAuthority = RtlSubAuthoritySid(pLocalSystemSid, 0);
78  *pSubAuthority = SECURITY_LOCAL_SYSTEM_RID;
79 
80  /* Create the AuthenticatedUser SID */
81  pAuthenticatedUserSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
83  {
84  return ERROR_OUTOFMEMORY;
85  }
86 
88  pSubAuthority = RtlSubAuthoritySid(pAuthenticatedUserSid, 0);
89  *pSubAuthority = SECURITY_AUTHENTICATED_USER_RID;
90 
91  /* Create the AliasAdmins SID */
92  pAliasAdminsSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength2);
93  if (pAliasAdminsSid == NULL)
94  {
95  return ERROR_OUTOFMEMORY;
96  }
97 
99  pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 0);
100  *pSubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
101  pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 1);
102  *pSubAuthority = DOMAIN_ALIAS_RID_ADMINS;
103 
104  return ERROR_SUCCESS;
105 }
106 
107 
108 static
109 DWORD
111 {
112  ULONG ulLength;
113 
114  /* Create DACL */
115  ulLength = sizeof(ACL) +
116  (sizeof(ACE) + RtlLengthSid(pLocalSystemSid)) +
117  (sizeof(ACE) + RtlLengthSid(pAliasAdminsSid)) +
119 
120  pDefaultDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
121  if (pDefaultDacl == NULL)
122  return ERROR_OUTOFMEMORY;
123 
125 
127  ACL_REVISION,
132 
134  ACL_REVISION,
137 
139  ACL_REVISION,
143 
144  /* Create SACL */
145  ulLength = sizeof(ACL) +
146  (sizeof(ACE) + RtlLengthSid(pNullSid));
147 
148  pDefaultSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
149  if (pDefaultSacl == NULL)
150  return ERROR_OUTOFMEMORY;
151 
153 
155  ACL_REVISION,
157  pNullSid,
158  FALSE,
159  TRUE);
160 
161  return ERROR_SUCCESS;
162 }
163 
164 
165 static
166 VOID
168 {
169  if (pDefaultDacl != NULL)
170  RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultDacl);
171 
172  if (pDefaultSacl != NULL)
173  RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl);
174 }
175 
176 
177 static
178 DWORD
180 {
182 
183  /* Create the absolute security descriptor */
184  pDefaultSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
185  if (pDefaultSD == NULL)
186  return ERROR_OUTOFMEMORY;
187 
188  DPRINT("pDefaultSD %p\n", pDefaultSD);
189 
192  if (!NT_SUCCESS(Status))
194 
197  FALSE);
198  if (!NT_SUCCESS(Status))
200 
203  FALSE);
204  if (!NT_SUCCESS(Status))
206 
208  TRUE,
209  pDefaultDacl,
210  FALSE);
211  if (!NT_SUCCESS(Status))
213 
215  TRUE,
216  pDefaultSacl,
217  FALSE);
218  if (!NT_SUCCESS(Status))
220 
221  return ERROR_SUCCESS;
222 }
223 
224 
225 static
226 VOID
228 {
229  if (pDefaultSD != NULL)
230  RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD);
231 }
232 
233 
234 DWORD
236  PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
237 {
238  PSECURITY_DESCRIPTOR pRelativeSD = NULL;
239  DWORD dwBufferLength = 0;
241  DWORD dwError = ERROR_SUCCESS;
242 
243  /* Convert the absolute SD to a self-relative SD */
245  NULL,
246  &dwBufferLength);
248  {
249  dwError = RtlNtStatusToDosError(Status);
250  goto done;
251  }
252 
253  DPRINT("BufferLength %lu\n", dwBufferLength);
254 
255  pRelativeSD = RtlAllocateHeap(RtlGetProcessHeap(),
257  dwBufferLength);
258  if (pRelativeSD == NULL)
259  {
260  dwError = ERROR_OUTOFMEMORY;
261  goto done;
262  }
263  DPRINT("pRelativeSD %p\n", pRelativeSD);
264 
266  pRelativeSD,
267  &dwBufferLength);
268  if (!NT_SUCCESS(Status))
269  {
270  dwError = RtlNtStatusToDosError(Status);
271  goto done;
272  }
273 
274  *ppSecurityDescriptor = pRelativeSD;
275 
276 done:
277  if (dwError != ERROR_SUCCESS)
278  {
279  if (pRelativeSD != NULL)
280  RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD);
281  }
282 
283  return dwError;
284 }
285 
286 
287 DWORD
289 {
290  DWORD dwError;
291 
292  dwError = ScmCreateSids();
293  if (dwError != ERROR_SUCCESS)
294  return dwError;
295 
296  dwError = ScmCreateAcls();
297  if (dwError != ERROR_SUCCESS)
298  return dwError;
299 
300  dwError = ScmCreateDefaultSD();
301  if (dwError != ERROR_SUCCESS)
302  return dwError;
303 
304  return ERROR_SUCCESS;
305 }
306 
307 
308 VOID
310 {
312  ScmFreeAcls();
313  ScmFreeSids();
314 }
315 
316 /* EOF */
#define SECURITY_AUTHENTICATED_USER_RID
Definition: setypes.h:540
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:546
#define TRUE
Definition: types.h:120
static VOID ScmFreeAcls(VOID)
Definition: security.c:167
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
#define ERROR_SUCCESS
Definition: deptool.c:10
static PSID pAuthenticatedUserSid
Definition: security.c:18
LONG NTSTATUS
Definition: precomp.h:26
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
static PSID pNullSid
Definition: security.c:16
#define SERVICE_INTERROGATE
Definition: winsvc.h:60
NTSYSAPI PULONG NTAPI RtlSubAuthoritySid(_In_ PSID Sid, _In_ ULONG SubAuthority)
static PSID pAliasAdminsSid
Definition: security.c:19
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
#define SECURITY_NULL_SID_AUTHORITY
Definition: setypes.h:496
#define SERVICE_ALL_ACCESS
Definition: winsvc.h:62
static PACL pDefaultSacl
Definition: security.c:22
#define SERVICE_ENUMERATE_DEPENDENTS
Definition: winsvc.h:56
DWORD ScmInitializeSecurity(VOID)
Definition: security.c:288
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:64
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:15
NTSYSAPI NTSTATUS NTAPI RtlInitializeSid(IN OUT PSID Sid, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount)
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626
static DWORD ScmCreateSids(VOID)
Definition: security.c:50
struct _ACL ACL
smooth NULL
Definition: ftsmooth.c:416
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
void DPRINT(...)
Definition: polytest.cpp:61
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define SERVICE_QUERY_STATUS
Definition: winsvc.h:55
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342
static PACL pDefaultDacl
Definition: security.c:21
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:526
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:553
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define SERVICE_USER_DEFINED_CONTROL
Definition: winsvc.h:61
unsigned long DWORD
Definition: ntddk_ex.h:95
#define READ_CONTROL
Definition: nt_native.h:58
#define SECURITY_NULL_RID
Definition: setypes.h:512
static VOID ScmFreeDefaultSD(VOID)
Definition: security.c:227
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
#define SERVICE_START
Definition: winsvc.h:57
static DWORD ScmCreateDefaultSD(VOID)
Definition: security.c:179
Status
Definition: gdiplustypes.h:24
static PSECURITY_DESCRIPTOR pDefaultSD
Definition: security.c:24
NTSYSAPI ULONG WINAPI RtlNtStatusToDosError(NTSTATUS)
static PSID pLocalSystemSid
Definition: security.c:17
NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
#define SERVICE_STOP
Definition: winsvc.h:58
unsigned int * PULONG
Definition: retypes.h:1
#define HEAP_ZERO_MEMORY
Definition: compat.h:123
#define ACL_REVISION
Definition: setypes.h:39
static DWORD ScmCreateAcls(VOID)
Definition: security.c:110
unsigned int ULONG
Definition: retypes.h:1
#define SERVICE_QUERY_CONFIG
Definition: winsvc.h:53
DWORD ScmCreateDefaultServiceSD(PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
Definition: security.c:235
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:624
#define SERVICE_PAUSE_CONTINUE
Definition: winsvc.h:59
Definition: rtltypes.h:988
VOID ScmShutdownSecurity(VOID)
Definition: security.c:309
static VOID ScmFreeSids(VOID)
Definition: security.c:31
#define ERROR_OUTOFMEMORY
Definition: deptool.c:13
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54