ReactOS 0.4.15-dev-7924-g5949c20
security.c
1/*
2 * PROJECT: ReactOS Service Control Manager
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: base/system/services/security.c
5 * PURPOSE: Security functions
6 * COPYRIGHT: Eric Kohl
7 */
8
9/* INCLUDES *****************************************************************/
10
11#include "services.h"
12
13#define NDEBUG
14#include <debug.h>
15
21
25
28
29
30/* FUNCTIONS ****************************************************************/
31
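/*
 * Releases the five well-known SIDs held in the file-scope pointers
 * (Null, World, LocalSystem, AuthenticatedUser, AliasAdmins) back to the
 * process heap.
 *
 * Every pointer is reset to NULL once its block has been freed, so a second
 * call, or any later code that tests a pointer against NULL, cannot reach
 * freed heap memory (double free / use after free).
 */
static
VOID
ScmFreeSids(VOID)
{
    if (pNullSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pNullSid);
        pNullSid = NULL;
    }

    if (pWorldSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pWorldSid);
        pWorldSid = NULL;
    }

    if (pLocalSystemSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pLocalSystemSid);
        pLocalSystemSid = NULL;
    }

    /* Guarded like its siblings: the SID may never have been allocated */
    if (pAuthenticatedUserSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pAuthenticatedUserSid);
        pAuthenticatedUserSid = NULL;
    }

    if (pAliasAdminsSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pAliasAdminsSid);
        pAliasAdminsSid = NULL;
    }
}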
51
52
/*
 * Allocates the well-known SIDs used by this file from the process heap and
 * fills in their sub-authorities: Null, World, LocalSystem and
 * AuthenticatedUser with one sub-authority each, AliasAdmins with two
 * (SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS).
 *
 * Returns ERROR_SUCCESS, or ERROR_OUTOFMEMORY as soon as one allocation fails.
 *
 * NOTE(review): this listing has lost lines (the gutter jumps 53->56->60,
 * 81->83, 92->94, 98->100, 103->105, 114->116). The function name, the
 * identifier-authority locals, one NULL check and, presumably, the
 * RtlInitializeSid calls for every SID but the first are not visible here;
 * compare against the repository before relying on this text.
 *
 * NOTE(review): an early return leaves the SIDs created so far allocated.
 * Nothing in this function releases them; presumably the caller is expected
 * to run the shutdown path on failure - confirm.
 */
53static
56{
60 PULONG pSubAuthority;
/* Buffer sizes for a SID with one and with two sub-authorities */
61 ULONG ulLength1 = RtlLengthRequiredSid(1);
62 ULONG ulLength2 = RtlLengthRequiredSid(2);
63
64 /* Create the Null SID */
65 pNullSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
66 if (pNullSid == NULL)
67 {
68 return ERROR_OUTOFMEMORY;
69 }
70
/* The heap block is not zeroed (flags 0); RtlInitializeSid sets the header */
71 RtlInitializeSid(pNullSid, &NullAuthority, 1);
72 pSubAuthority = RtlSubAuthoritySid(pNullSid, 0);
73 *pSubAuthority = SECURITY_NULL_RID;
74
75 /* Create the World SID */
76 pWorldSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
77 if (pWorldSid == NULL)
78 {
79 return ERROR_OUTOFMEMORY;
80 }
81
83 pSubAuthority = RtlSubAuthoritySid(pWorldSid, 0);
84 *pSubAuthority = SECURITY_WORLD_RID;
85
86 /* Create the LocalSystem SID */
87 pLocalSystemSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
88 if (pLocalSystemSid == NULL)
89 {
90 return ERROR_OUTOFMEMORY;
91 }
92
94 pSubAuthority = RtlSubAuthoritySid(pLocalSystemSid, 0);
95 *pSubAuthority = SECURITY_LOCAL_SYSTEM_RID;
96
97 /* Create the AuthenticatedUser SID */
98 pAuthenticatedUserSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
/* NOTE(review): the NULL check that opens this block (line 99) is missing from the listing */
100 {
101 return ERROR_OUTOFMEMORY;
102 }
103
105 pSubAuthority = RtlSubAuthoritySid(pAuthenticatedUserSid, 0);
106 *pSubAuthority = SECURITY_AUTHENTICATED_USER_RID;
107
108 /* Create the AliasAdmins SID */
/* Two sub-authorities, hence the larger ulLength2 buffer */
109 pAliasAdminsSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength2);
110 if (pAliasAdminsSid == NULL)
111 {
112 return ERROR_OUTOFMEMORY;
113 }
114
116 pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 0);
117 *pSubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
118 pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 1);
119 *pSubAuthority = DOMAIN_ALIAS_RID_ADMINS;
120
121 return ERROR_SUCCESS;
122}
123
124
/*
 * Allocates three zero-filled ACL buffers from the process heap:
 *   - pDefaultDacl, sized for ACEs for the LocalSystem and AliasAdmins SIDs
 *     plus a further term that is cut off in this listing (line 135);
 *   - pDefaultSacl, sized for one ACE for the Null SID;
 *   - pPipeDacl, sized for one ACE for the World SID.
 *
 * Returns ERROR_SUCCESS, or ERROR_OUTOFMEMORY when an allocation fails.
 *
 * NOTE(review): the calls that initialise the ACLs and add the ACEs
 * (lines 141-160, 169-173, 186-190) are missing from this listing, so the
 * access masks actually granted cannot be read from here. They decide who may
 * do what with a service and with the pipe; review them in the repository,
 * in particular the mask given to the World SID in the pipe DACL.
 *
 * NOTE(review): whether the status of those calls is checked is not visible.
 * An ACL that silently ends up without its ACEs changes the access decision,
 * so confirm that failures are handled.
 *
 * NOTE(review): an early return leaves the ACLs allocated so far in place;
 * presumably the shutdown path releases them - confirm.
 */
125static
126DWORD
128{
129 ULONG ulLength;
130
131 /* Create DACL */
132 ulLength = sizeof(ACL) +
133 (sizeof(ACE) + RtlLengthSid(pLocalSystemSid)) +
134 (sizeof(ACE) + RtlLengthSid(pAliasAdminsSid)) +
136
137 pDefaultDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
138 if (pDefaultDacl == NULL)
139 return ERROR_OUTOFMEMORY;
140
142
149
154
160
161 /* Create SACL */
162 ulLength = sizeof(ACL) +
163 (sizeof(ACE) + RtlLengthSid(pNullSid));
164
165 pDefaultSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
166 if (pDefaultSacl == NULL)
167 return ERROR_OUTOFMEMORY;
168
/*
 * What follows is the tail of a call whose opening lines are missing.
 * Presumably it is the audit-ACE call for the Null SID, with the last two
 * arguments being its success/failure flags (FALSE, TRUE: audit failed
 * accesses only) - TODO confirm.
 */
170
174 pNullSid,
175 FALSE,
176 TRUE);
177
178 /* Create the pipe DACL */
179 ulLength = sizeof(ACL) +
180 (sizeof(ACE) + RtlLengthSid(pWorldSid));
181
182 pPipeDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
183 if (pPipeDacl == NULL)
184 return ERROR_OUTOFMEMORY;
185
/* Tail of the call that adds the World SID's ACE; its access mask is not visible here */
187
191 pWorldSid);
192
193 return ERROR_SUCCESS;
194}
195
196
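/*
 * Releases the default DACL, the default SACL and the pipe DACL back to the
 * process heap.
 *
 * Each pointer is reset to NULL after its block is freed, so a repeated call
 * cannot free the same block twice and no stale ACL pointer stays behind for
 * later code to read.
 */
static
VOID
ScmFreeAcls(VOID)
{
    if (pDefaultDacl != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultDacl);
        pDefaultDacl = NULL;
    }

    if (pDefaultSacl != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl);
        pDefaultSacl = NULL;
    }

    if (pPipeDacl != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeDacl);
        pPipeDacl = NULL;
    }
}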
210
211
/*
 * Allocates a zero-filled SECURITY_DESCRIPTOR from the process heap, stores
 * it in pDefaultSD and then runs five status-checked setup steps on it.
 *
 * Returns ERROR_OUTOFMEMORY when the allocation fails and ERROR_SUCCESS at
 * the end of the function.
 *
 * NOTE(review): this listing has lost most of the body. The function name,
 * the Status declaration, the opening lines of all five calls and the
 * statement controlled by each `if (!NT_SUCCESS(Status))` are missing, so the
 * text below must not be read as if each `if` guarded the next visible line.
 * Presumably the steps create the descriptor and set owner, group, DACL and
 * SACL, each returning a converted status on failure - TODO confirm against
 * the repository, including which SIDs become owner and group.
 *
 * NOTE(review): nothing visible frees pDefaultSD on a failure path;
 * presumably the shutdown path is expected to do so - confirm.
 */
212static
213DWORD
215{
217
218 /* Create the absolute security descriptor */
219 pDefaultSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
220 if (pDefaultSD == NULL)
221 return ERROR_OUTOFMEMORY;
222
223 DPRINT("pDefaultSD %p\n", pDefaultSD);
224
227 if (!NT_SUCCESS(Status))
229
232 FALSE);
233 if (!NT_SUCCESS(Status))
235
238 FALSE);
239 if (!NT_SUCCESS(Status))
241
/* Tail of a four-argument call: a TRUE flag, a hidden argument, then FALSE */
243 TRUE,
245 FALSE);
246 if (!NT_SUCCESS(Status))
248
/* Same shape as the previous call; the ACL passed is again not visible */
250 TRUE,
252 FALSE);
253 if (!NT_SUCCESS(Status))
255
256 return ERROR_SUCCESS;
257}
258
259
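/*
 * Releases the default security descriptor back to the process heap.
 *
 * pDefaultSD is reset to NULL afterwards so that a repeated call cannot free
 * the block twice and later code cannot use the stale descriptor pointer.
 */
static
VOID
ScmFreeDefaultSD(VOID)
{
    if (pDefaultSD != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD);
        pDefaultSD = NULL;
    }
}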
267
268
/*
 * Allocates a zero-filled SECURITY_DESCRIPTOR from the process heap, stores
 * it in pPipeSD and then runs four status-checked setup steps on it; the last
 * one attaches pPipeDacl.
 *
 * Returns ERROR_OUTOFMEMORY when the allocation fails and ERROR_SUCCESS at
 * the end of the function.
 *
 * NOTE(review): this listing has lost most of the body. The function name,
 * the Status declaration, the opening lines of the four calls and the
 * statement controlled by each `if (!NT_SUCCESS(Status))` are missing.
 * Presumably the steps create the descriptor and set owner, group and DACL -
 * TODO confirm against the repository. No fifth (SACL) step is visible here.
 *
 * NOTE(review): nothing visible frees pPipeSD on a failure path; presumably
 * the shutdown path is expected to do so - confirm.
 */
269static
270DWORD
272{
274
275 /* Create the absolute security descriptor */
276 pPipeSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
277 if (pPipeSD == NULL)
278 return ERROR_OUTOFMEMORY;
279
/*
 * NOTE(review): the message is labelled pPipeSD but prints pDefaultSD, which
 * looks like a copy-and-paste slip; the argument should be pPipeSD. The file
 * defines NDEBUG, so this probably only shows in debug builds - confirm.
 */
280 DPRINT("pPipeSD %p\n", pDefaultSD);
281
284 if (!NT_SUCCESS(Status))
286
289 FALSE);
290 if (!NT_SUCCESS(Status))
292
295 FALSE);
296 if (!NT_SUCCESS(Status))
298
/* Tail of the call that attaches the pipe DACL: a TRUE flag, the ACL, then FALSE */
300 TRUE,
301 pPipeDacl,
302 FALSE);
303 if (!NT_SUCCESS(Status))
305
306 return ERROR_SUCCESS;
307}
308
309
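/*
 * Releases the pipe security descriptor back to the process heap.
 *
 * pPipeSD is reset to NULL afterwards. Unlike the other descriptors in this
 * file it is not declared static, so code outside this file may read it;
 * clearing it keeps such code from using a freed descriptor and makes a
 * repeated call harmless.
 */
static
VOID
ScmFreePipeSD(VOID)
{
    if (pPipeSD != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD);
        pPipeSD = NULL;
    }
}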
317
318
/*
 * Produces a self-relative copy of an absolute security descriptor in a
 * buffer from the process heap and hands it back through
 * *ppSecurityDescriptor.
 *
 * The visible code follows the two-call pattern: a first call with a NULL
 * buffer to obtain the required size in dwBufferLength, an allocation of
 * that size, then a second call into the new buffer.
 *
 * Returns ERROR_SUCCESS, ERROR_OUTOFMEMORY when the allocation fails, or the
 * converted NTSTATUS of a failed call. On failure the buffer is freed and
 * *ppSecurityDescriptor is left untouched, so callers should initialise it
 * before the call. On success the caller owns the buffer; presumably it must
 * be released with RtlFreeHeap on the process heap - confirm.
 *
 * NOTE(review): this listing has lost lines: the function name, the Status
 * declaration, the opening line of both conversion calls (so the source
 * descriptor is not visible - presumably pDefaultSD), the condition that
 * guards the first error block (line 332) and one allocation argument
 * (line 341). Compare against the repository.
 *
 * NOTE(review): ppSecurityDescriptor is dereferenced without a NULL check;
 * presumably every caller passes a valid pointer - verify.
 */
319DWORD
321 PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
322{
323 PSECURITY_DESCRIPTOR pRelativeSD = NULL;
324 DWORD dwBufferLength = 0;
326 DWORD dwError = ERROR_SUCCESS;
327
328 /* Convert the absolute SD to a self-relative SD */
/* First call: NULL buffer, dwBufferLength is 0 on entry and receives the size */
330 NULL,
331 &dwBufferLength);
333 {
334 dwError = RtlNtStatusToDosError(Status);
335 goto done;
336 }
337
338 DPRINT("BufferLength %lu\n", dwBufferLength);
339
340 pRelativeSD = RtlAllocateHeap(RtlGetProcessHeap(),
342 dwBufferLength);
343 if (pRelativeSD == NULL)
344 {
345 dwError = ERROR_OUTOFMEMORY;
346 goto done;
347 }
348 DPRINT("pRelativeSD %p\n", pRelativeSD);
349
/* Second call: writes the self-relative descriptor into the new buffer */
351 pRelativeSD,
352 &dwBufferLength);
353 if (!NT_SUCCESS(Status))
354 {
355 dwError = RtlNtStatusToDosError(Status);
356 goto done;
357 }
358
/* Ownership of the buffer passes to the caller only on the success path */
359 *ppSecurityDescriptor = pRelativeSD;
360
361done:
/* Single exit: drop the buffer if anything failed after it was allocated */
362 if (dwError != ERROR_SUCCESS)
363 {
364 if (pRelativeSD != NULL)
365 RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD);
366 }
367
368 return dwError;
369}
370
371
/*
 * Builds the security objects of this file in dependency order: the SIDs,
 * the ACLs, the default security descriptor and the pipe security
 * descriptor.
 *
 * The sequence stops at the first step that fails and that step's error
 * code is returned; ERROR_SUCCESS is returned when all four steps succeed.
 * Objects created by earlier steps are not released here on failure.
 */
DWORD
ScmInitializeSecurity(VOID)
{
    DWORD dwResult;

    /* Each step runs only while every earlier step has succeeded */
    dwResult = ScmCreateSids();

    if (dwResult == ERROR_SUCCESS)
        dwResult = ScmCreateAcls();

    if (dwResult == ERROR_SUCCESS)
        dwResult = ScmCreateDefaultSD();

    if (dwResult == ERROR_SUCCESS)
        dwResult = ScmCreatePipeSD();

    return dwResult;
}
395
396
/*
 * Tears down the security objects of this file; the visible calls release
 * the ACLs and then the SIDs.
 *
 * NOTE(review): the function name and two body lines (400-401) are missing
 * from this listing. Presumably they free the pipe and default security
 * descriptors before the ACLs and SIDs they refer to are released -
 * TODO confirm against the repository.
 */
397VOID
399{
402 ScmFreeAcls();
403 ScmFreeSids();
404}
405
406/* EOF */
LONG NTSTATUS
Definition: precomp.h:26
static PSID pNullSid
Definition: security.c:16
static DWORD ScmCreatePipeSD(VOID)
Definition: security.c:271
static DWORD ScmCreateSids(VOID)
Definition: security.c:55
VOID ScmShutdownSecurity(VOID)
Definition: security.c:398
static DWORD ScmCreateAcls(VOID)
Definition: security.c:127
static PSID pAuthenticatedUserSid
Definition: security.c:19
static VOID ScmFreePipeSD(VOID)
Definition: security.c:312
static PSID pWorldSid
Definition: security.c:17
static VOID ScmFreeAcls(VOID)
Definition: security.c:199
static PSID pAliasAdminsSid
Definition: security.c:20
static VOID ScmFreeDefaultSD(VOID)
Definition: security.c:262
static PACL pDefaultSacl
Definition: security.c:23
static VOID ScmFreeSids(VOID)
Definition: security.c:34
DWORD ScmInitializeSecurity(VOID)
Definition: security.c:373
PSECURITY_DESCRIPTOR pPipeSD
Definition: security.c:27
static DWORD ScmCreateDefaultSD(VOID)
Definition: security.c:214
static PACL pDefaultDacl
Definition: security.c:22
static PACL pPipeDacl
Definition: security.c:24
static PSECURITY_DESCRIPTOR pDefaultSD
Definition: security.c:26
static PSID pLocalSystemSid
Definition: security.c:18
DWORD ScmCreateDefaultServiceSD(PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
Definition: security.c:320
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:40
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:590
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:608
#define ERROR_OUTOFMEMORY
Definition: deptool.c:13
#define ERROR_SUCCESS
Definition: deptool.c:10
#define NULL
Definition: types.h:112
#define TRUE
Definition: types.h:120
#define FALSE
Definition: types.h:117
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
static SID_IDENTIFIER_AUTHORITY WorldAuthority
Definition: security.c:14
unsigned long DWORD
Definition: ntddk_ex.h:95
Status
Definition: gdiplustypes.h:25
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
NTSYSAPI ULONG WINAPI RtlNtStatusToDosError(NTSTATUS)
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
struct _ACL ACL
NTSYSAPI PULONG NTAPI RtlSubAuthoritySid(_In_ PSID Sid, _In_ ULONG SubAuthority)
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
#define GENERIC_ALL
Definition: nt_native.h:92
#define READ_CONTROL
Definition: nt_native.h:58
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626
NTSYSAPI NTSTATUS NTAPI RtlInitializeSid(IN OUT PSID Sid, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount)
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
#define DPRINT
Definition: sndvol32.h:71
Definition: rtltypes.h:993
uint32_t * PULONG
Definition: typedefs.h:59
uint32_t ULONG
Definition: typedefs.h:59
#define SERVICE_START
Definition: winsvc.h:57
#define SERVICE_QUERY_STATUS
Definition: winsvc.h:55
#define SERVICE_USER_DEFINED_CONTROL
Definition: winsvc.h:61
#define SERVICE_ALL_ACCESS
Definition: winsvc.h:62
#define SERVICE_PAUSE_CONTINUE
Definition: winsvc.h:59
#define SERVICE_INTERROGATE
Definition: winsvc.h:60
#define SERVICE_STOP
Definition: winsvc.h:58
#define SERVICE_ENUMERATE_DEPENDENTS
Definition: winsvc.h:56
#define SERVICE_QUERY_CONFIG
Definition: winsvc.h:53
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527
#define SECURITY_WORLD_RID
Definition: setypes.h:541
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
#define SECURITY_AUTHENTICATED_USER_RID
Definition: setypes.h:568
#define SECURITY_NULL_RID
Definition: setypes.h:540
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
#define SECURITY_NULL_SID_AUTHORITY
Definition: setypes.h:524
#define ACL_REVISION
Definition: setypes.h:39
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652