ReactOS  0.4.14-dev-55-g2da92ac
security.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Service Control Manager
3  * LICENSE: GPL - See COPYING in the top level directory
4  * FILE: base/system/services/security.c
5  * PURPOSE: Security functions
6  * COPYRIGHT: Eric Kohl
7  */
8 
9 /* INCLUDES *****************************************************************/
10 
11 #include "services.h"
12 
13 #define NDEBUG
14 #include <debug.h>
15 
16 static PSID pNullSid = NULL;
17 static PSID pWorldSid = NULL;
21 
24 static PACL pPipeDacl = NULL;
25 
28 
29 
30 /* FUNCTIONS ****************************************************************/
31 
32 static
33 VOID
35 {
36  if (pNullSid != NULL)
37  RtlFreeHeap(RtlGetProcessHeap(), 0, pNullSid);
38 
39  if (pWorldSid != NULL)
40  RtlFreeHeap(RtlGetProcessHeap(), 0, pWorldSid);
41 
42  if (pLocalSystemSid != NULL)
43  RtlFreeHeap(RtlGetProcessHeap(), 0, pLocalSystemSid);
44 
46  RtlFreeHeap(RtlGetProcessHeap(), 0, pAuthenticatedUserSid);
47 
48  if (pAliasAdminsSid != NULL)
49  RtlFreeHeap(RtlGetProcessHeap(), 0, pAliasAdminsSid);
50 }
51 
52 
53 static
54 DWORD
56 {
59  PULONG pSubAuthority;
60  ULONG ulLength1 = RtlLengthRequiredSid(1);
61  ULONG ulLength2 = RtlLengthRequiredSid(2);
62 
63  /* Create the Null SID */
64  pNullSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
65  if (pNullSid == NULL)
66  {
67  return ERROR_OUTOFMEMORY;
68  }
69 
70  RtlInitializeSid(pNullSid, &NullAuthority, 1);
71  pSubAuthority = RtlSubAuthoritySid(pNullSid, 0);
72  *pSubAuthority = SECURITY_NULL_RID;
73 
74  /* Create the World SID */
75  pWorldSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
76  if (pWorldSid == NULL)
77  {
78  return ERROR_OUTOFMEMORY;
79  }
80 
81  RtlInitializeSid(pWorldSid, &NullAuthority, 1);
82  pSubAuthority = RtlSubAuthoritySid(pWorldSid, 0);
83  *pSubAuthority = SECURITY_WORLD_RID;
84 
85  /* Create the LocalSystem SID */
86  pLocalSystemSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
87  if (pLocalSystemSid == NULL)
88  {
89  return ERROR_OUTOFMEMORY;
90  }
91 
93  pSubAuthority = RtlSubAuthoritySid(pLocalSystemSid, 0);
94  *pSubAuthority = SECURITY_LOCAL_SYSTEM_RID;
95 
96  /* Create the AuthenticatedUser SID */
97  pAuthenticatedUserSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
99  {
100  return ERROR_OUTOFMEMORY;
101  }
102 
104  pSubAuthority = RtlSubAuthoritySid(pAuthenticatedUserSid, 0);
105  *pSubAuthority = SECURITY_AUTHENTICATED_USER_RID;
106 
107  /* Create the AliasAdmins SID */
108  pAliasAdminsSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength2);
109  if (pAliasAdminsSid == NULL)
110  {
111  return ERROR_OUTOFMEMORY;
112  }
113 
115  pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 0);
116  *pSubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
117  pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 1);
118  *pSubAuthority = DOMAIN_ALIAS_RID_ADMINS;
119 
120  return ERROR_SUCCESS;
121 }
122 
123 
124 static
125 DWORD
127 {
128  ULONG ulLength;
129 
130  /* Create DACL */
131  ulLength = sizeof(ACL) +
132  (sizeof(ACE) + RtlLengthSid(pLocalSystemSid)) +
133  (sizeof(ACE) + RtlLengthSid(pAliasAdminsSid)) +
135 
136  pDefaultDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
137  if (pDefaultDacl == NULL)
138  return ERROR_OUTOFMEMORY;
139 
141 
143  ACL_REVISION,
148 
150  ACL_REVISION,
153 
155  ACL_REVISION,
159 
160  /* Create SACL */
161  ulLength = sizeof(ACL) +
162  (sizeof(ACE) + RtlLengthSid(pNullSid));
163 
164  pDefaultSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
165  if (pDefaultSacl == NULL)
166  return ERROR_OUTOFMEMORY;
167 
169 
171  ACL_REVISION,
173  pNullSid,
174  FALSE,
175  TRUE);
176 
177  /* Create the pipe DACL */
178  ulLength = sizeof(ACL) +
179  (sizeof(ACE) + RtlLengthSid(pWorldSid));
180 
181  pPipeDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
182  if (pPipeDacl == NULL)
183  return ERROR_OUTOFMEMORY;
184 
185  RtlCreateAcl(pPipeDacl, ulLength, ACL_REVISION);
186 
188  ACL_REVISION,
189  GENERIC_ALL,
190  pWorldSid);
191 
192  return ERROR_SUCCESS;
193 }
194 
195 
196 static
197 VOID
199 {
200  if (pDefaultDacl != NULL)
201  RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultDacl);
202 
203  if (pDefaultSacl != NULL)
204  RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl);
205 
206  if (pPipeDacl != NULL)
207  RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeDacl);
208 }
209 
210 
211 static
212 DWORD
214 {
216 
217  /* Create the absolute security descriptor */
218  pDefaultSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
219  if (pDefaultSD == NULL)
220  return ERROR_OUTOFMEMORY;
221 
222  DPRINT("pDefaultSD %p\n", pDefaultSD);
223 
226  if (!NT_SUCCESS(Status))
228 
231  FALSE);
232  if (!NT_SUCCESS(Status))
234 
237  FALSE);
238  if (!NT_SUCCESS(Status))
240 
242  TRUE,
243  pDefaultDacl,
244  FALSE);
245  if (!NT_SUCCESS(Status))
247 
249  TRUE,
250  pDefaultSacl,
251  FALSE);
252  if (!NT_SUCCESS(Status))
254 
255  return ERROR_SUCCESS;
256 }
257 
258 
259 static
260 VOID
262 {
263  if (pDefaultSD != NULL)
264  RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD);
265 }
266 
267 
268 static
269 DWORD
271 {
273 
274  /* Create the absolute security descriptor */
275  pPipeSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
276  if (pPipeSD == NULL)
277  return ERROR_OUTOFMEMORY;
278 
279  DPRINT("pPipeSD %p\n", pDefaultSD);
280 
283  if (!NT_SUCCESS(Status))
285 
288  FALSE);
289  if (!NT_SUCCESS(Status))
291 
294  FALSE);
295  if (!NT_SUCCESS(Status))
297 
299  TRUE,
300  pPipeDacl,
301  FALSE);
302  if (!NT_SUCCESS(Status))
304 
305  return ERROR_SUCCESS;
306 }
307 
308 
309 static
310 VOID
312 {
313  if (pPipeSD != NULL)
314  RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD);
315 }
316 
317 
318 DWORD
320  PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
321 {
322  PSECURITY_DESCRIPTOR pRelativeSD = NULL;
323  DWORD dwBufferLength = 0;
325  DWORD dwError = ERROR_SUCCESS;
326 
327  /* Convert the absolute SD to a self-relative SD */
329  NULL,
330  &dwBufferLength);
332  {
333  dwError = RtlNtStatusToDosError(Status);
334  goto done;
335  }
336 
337  DPRINT("BufferLength %lu\n", dwBufferLength);
338 
339  pRelativeSD = RtlAllocateHeap(RtlGetProcessHeap(),
341  dwBufferLength);
342  if (pRelativeSD == NULL)
343  {
344  dwError = ERROR_OUTOFMEMORY;
345  goto done;
346  }
347  DPRINT("pRelativeSD %p\n", pRelativeSD);
348 
350  pRelativeSD,
351  &dwBufferLength);
352  if (!NT_SUCCESS(Status))
353  {
354  dwError = RtlNtStatusToDosError(Status);
355  goto done;
356  }
357 
358  *ppSecurityDescriptor = pRelativeSD;
359 
360 done:
361  if (dwError != ERROR_SUCCESS)
362  {
363  if (pRelativeSD != NULL)
364  RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD);
365  }
366 
367  return dwError;
368 }
369 
370 
371 DWORD
373 {
374  DWORD dwError;
375 
376  dwError = ScmCreateSids();
377  if (dwError != ERROR_SUCCESS)
378  return dwError;
379 
380  dwError = ScmCreateAcls();
381  if (dwError != ERROR_SUCCESS)
382  return dwError;
383 
384  dwError = ScmCreateDefaultSD();
385  if (dwError != ERROR_SUCCESS)
386  return dwError;
387 
388  dwError = ScmCreatePipeSD();
389  if (dwError != ERROR_SUCCESS)
390  return dwError;
391 
392  return ERROR_SUCCESS;
393 }
394 
395 
396 VOID
398 {
399  ScmFreePipeSD();
401  ScmFreeAcls();
402  ScmFreeSids();
403 }
404 
405 /* EOF */
static PACL pPipeDacl
Definition: security.c:24
#define SECURITY_AUTHENTICATED_USER_RID
Definition: setypes.h:540
#define GENERIC_ALL
Definition: nt_native.h:92
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:546
#define TRUE
Definition: types.h:120
static VOID ScmFreeAcls(VOID)
Definition: security.c:198
NTSYSAPI NTSTATUS NTAPI RtlSetGroupSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN PSID Group, IN BOOLEAN GroupDefaulted)
Definition: sd.c:410
#define ERROR_SUCCESS
Definition: deptool.c:10
static PSID pAuthenticatedUserSid
Definition: security.c:19
LONG NTSTATUS
Definition: precomp.h:26
BOOLEAN NTAPI RtlFreeHeap(IN PVOID HeapHandle, IN ULONG Flags, IN PVOID HeapBase)
Definition: heap.c:606
static PSID pNullSid
Definition: security.c:16
#define SERVICE_INTERROGATE
Definition: winsvc.h:60
NTSYSAPI PULONG NTAPI RtlSubAuthoritySid(_In_ PSID Sid, _In_ ULONG SubAuthority)
static PSID pAliasAdminsSid
Definition: security.c:20
NTSYSAPI NTSTATUS NTAPI RtlCreateSecurityDescriptor(_Out_ PSECURITY_DESCRIPTOR SecurityDescriptor, _In_ ULONG Revision)
#define SECURITY_NULL_SID_AUTHORITY
Definition: setypes.h:496
#define SERVICE_ALL_ACCESS
Definition: winsvc.h:62
static PACL pDefaultSacl
Definition: security.c:23
#define SERVICE_ENUMERATE_DEPENDENTS
Definition: winsvc.h:56
DWORD ScmInitializeSecurity(VOID)
Definition: security.c:372
NTSYSAPI NTSTATUS WINAPI RtlAddAccessAllowedAce(PACL, DWORD, DWORD, PSID)
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:64
NTSYSAPI NTSTATUS NTAPI RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision)
#define SECURITY_DESCRIPTOR_REVISION
Definition: setypes.h:58
static SID_IDENTIFIER_AUTHORITY NtAuthority
Definition: security.c:15
NTSYSAPI NTSTATUS NTAPI RtlInitializeSid(IN OUT PSID Sid, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount)
static DWORD ScmCreatePipeSD(VOID)
Definition: security.c:270
NTSYSAPI NTSTATUS NTAPI RtlAbsoluteToSelfRelativeSD(IN PSECURITY_DESCRIPTOR AbsoluteSecurityDescriptor, IN OUT PSECURITY_DESCRIPTOR SelfRelativeSecurityDescriptor, IN PULONG BufferLength)
Definition: sd.c:626
static DWORD ScmCreateSids(VOID)
Definition: security.c:55
struct _ACL ACL
smooth NULL
Definition: ftsmooth.c:416
NTSYSAPI NTSTATUS WINAPI RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR, BOOLEAN, PACL, BOOLEAN)
void DPRINT(...)
Definition: polytest.cpp:61
NTSYSAPI ULONG NTAPI RtlLengthSid(IN PSID Sid)
Definition: sid.c:150
#define SERVICE_QUERY_STATUS
Definition: winsvc.h:55
NTSYSAPI NTSTATUS NTAPI RtlSetSaclSecurityDescriptor(IN OUT PSECURITY_DESCRIPTOR SecurityDescriptor, IN BOOLEAN SaclPresent, IN PACL Sacl, IN BOOLEAN SaclDefaulted)
Definition: sd.c:342
static PACL pDefaultDacl
Definition: security.c:22
static PSID pWorldSid
Definition: security.c:17
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:526
PVOID NTAPI RtlAllocateHeap(IN PVOID HeapHandle, IN ULONG Flags, IN SIZE_T Size)
Definition: heap.c:588
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:553
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define SERVICE_USER_DEFINED_CONTROL
Definition: winsvc.h:61
static VOID ScmFreePipeSD(VOID)
Definition: security.c:311
unsigned long DWORD
Definition: ntddk_ex.h:95
#define SECURITY_WORLD_RID
Definition: setypes.h:513
#define READ_CONTROL
Definition: nt_native.h:58
#define SECURITY_NULL_RID
Definition: setypes.h:512
static VOID ScmFreeDefaultSD(VOID)
Definition: security.c:261
NTSYSAPI NTSTATUS WINAPI RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR, PSID, BOOLEAN)
#define SERVICE_START
Definition: winsvc.h:57
static DWORD ScmCreateDefaultSD(VOID)
Definition: security.c:213
Status
Definition: gdiplustypes.h:24
static PSECURITY_DESCRIPTOR pDefaultSD
Definition: security.c:26
NTSYSAPI ULONG WINAPI RtlNtStatusToDosError(NTSTATUS)
static PSID pLocalSystemSid
Definition: security.c:18
NTSYSAPI NTSTATUS NTAPI RtlAddAuditAccessAce(_Inout_ PACL Acl, _In_ ULONG Revision, _In_ ACCESS_MASK AccessMask, _In_ PSID Sid, _In_ BOOLEAN Success, _In_ BOOLEAN Failure)
#define SERVICE_STOP
Definition: winsvc.h:58
unsigned int * PULONG
Definition: retypes.h:1
#define HEAP_ZERO_MEMORY
Definition: compat.h:123
#define ACL_REVISION
Definition: setypes.h:39
static DWORD ScmCreateAcls(VOID)
Definition: security.c:126
unsigned int ULONG
Definition: retypes.h:1
PSECURITY_DESCRIPTOR pPipeSD
Definition: security.c:27
#define SERVICE_QUERY_CONFIG
Definition: winsvc.h:53
DWORD ScmCreateDefaultServiceSD(PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
Definition: security.c:319
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:624
#define SERVICE_PAUSE_CONTINUE
Definition: winsvc.h:59
Definition: rtltypes.h:988
VOID ScmShutdownSecurity(VOID)
Definition: security.c:397
static VOID ScmFreeSids(VOID)
Definition: security.c:34
#define ERROR_OUTOFMEMORY
Definition: deptool.c:13
NTSYSAPI ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54