ReactOS  0.4.15-dev-5142-g967f5b9
sid.c
Go to the documentation of this file.
1 /*
2  * PROJECT: ReactOS Kernel
3  * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
4  * PURPOSE: Security Identifier (SID) implementation support and handling
5  * COPYRIGHT: Copyright David Welch <welch@cwcom.net>
6  */
7 
8 /* INCLUDES *******************************************************************/
9 
10 #include <ntoskrnl.h>
11 #define NDEBUG
12 #include <debug.h>
13 
14 /* GLOBALS ********************************************************************/
15 
16 #define SE_MAXIMUM_GROUP_LIMIT 0x1000
17 
23 
54 
55 typedef struct _SID_VALIDATE
56 {
60 
61 /* FUNCTIONS ******************************************************************/
62 
70 VOID
71 NTAPI
73 {
102 }
103 
112 CODE_SEG("INIT")
113 BOOLEAN
114 NTAPI
116 {
117  ULONG SidLength0;
118  ULONG SidLength1;
119  ULONG SidLength2;
120  PULONG SubAuthority;
121 
122  SidLength0 = RtlLengthRequiredSid(0);
123  SidLength1 = RtlLengthRequiredSid(1);
124  SidLength2 = RtlLengthRequiredSid(2);
125 
126  /* create NullSid */
157 
158  if (SeNullSid == NULL || SeWorldSid == NULL ||
162  SeDialupSid == NULL || SeNetworkSid == NULL || SeBatchSid == NULL ||
173  {
175  return FALSE;
176  }
177 
208 
209  SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
210  *SubAuthority = SECURITY_NULL_RID;
211  SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
212  *SubAuthority = SECURITY_WORLD_RID;
213  SubAuthority = RtlSubAuthoritySid(SeLocalSid, 0);
214  *SubAuthority = SECURITY_LOCAL_RID;
215  SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerSid, 0);
216  *SubAuthority = SECURITY_CREATOR_OWNER_RID;
217  SubAuthority = RtlSubAuthoritySid(SeCreatorGroupSid, 0);
218  *SubAuthority = SECURITY_CREATOR_GROUP_RID;
219  SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerServerSid, 0);
220  *SubAuthority = SECURITY_CREATOR_OWNER_SERVER_RID;
221  SubAuthority = RtlSubAuthoritySid(SeCreatorGroupServerSid, 0);
222  *SubAuthority = SECURITY_CREATOR_GROUP_SERVER_RID;
223  SubAuthority = RtlSubAuthoritySid(SeDialupSid, 0);
224  *SubAuthority = SECURITY_DIALUP_RID;
225  SubAuthority = RtlSubAuthoritySid(SeNetworkSid, 0);
226  *SubAuthority = SECURITY_NETWORK_RID;
227  SubAuthority = RtlSubAuthoritySid(SeBatchSid, 0);
228  *SubAuthority = SECURITY_BATCH_RID;
229  SubAuthority = RtlSubAuthoritySid(SeInteractiveSid, 0);
230  *SubAuthority = SECURITY_INTERACTIVE_RID;
231  SubAuthority = RtlSubAuthoritySid(SeServiceSid, 0);
232  *SubAuthority = SECURITY_SERVICE_RID;
233  SubAuthority = RtlSubAuthoritySid(SePrincipalSelfSid, 0);
234  *SubAuthority = SECURITY_PRINCIPAL_SELF_RID;
235  SubAuthority = RtlSubAuthoritySid(SeLocalSystemSid, 0);
236  *SubAuthority = SECURITY_LOCAL_SYSTEM_RID;
237  SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUserSid, 0);
238  *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
239  SubAuthority = RtlSubAuthoritySid(SeRestrictedCodeSid, 0);
240  *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
241  SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 0);
242  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
243  SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 1);
244  *SubAuthority = DOMAIN_ALIAS_RID_ADMINS;
245  SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 0);
246  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
247  SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 1);
248  *SubAuthority = DOMAIN_ALIAS_RID_USERS;
249  SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 0);
250  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
251  SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 1);
252  *SubAuthority = DOMAIN_ALIAS_RID_GUESTS;
253  SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 0);
254  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
255  SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 1);
256  *SubAuthority = DOMAIN_ALIAS_RID_POWER_USERS;
257  SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 0);
258  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
259  SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 1);
260  *SubAuthority = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
261  SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 0);
262  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
263  SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 1);
264  *SubAuthority = DOMAIN_ALIAS_RID_SYSTEM_OPS;
265  SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 0);
266  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
267  SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 1);
268  *SubAuthority = DOMAIN_ALIAS_RID_PRINT_OPS;
269  SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 0);
270  *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
271  SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 1);
272  *SubAuthority = DOMAIN_ALIAS_RID_BACKUP_OPS;
273  SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUsersSid, 0);
274  *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
275  SubAuthority = RtlSubAuthoritySid(SeRestrictedSid, 0);
276  *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
277  SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
278  *SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
279  SubAuthority = RtlSubAuthoritySid(SeLocalServiceSid, 0);
280  *SubAuthority = SECURITY_LOCAL_SERVICE_RID;
281  SubAuthority = RtlSubAuthoritySid(SeNetworkServiceSid, 0);
282  *SubAuthority = SECURITY_NETWORK_SERVICE_RID;
283 
284  return TRUE;
285 }
286 
312 NTSTATUS
313 NTAPI
315  _In_ PSID InputSid,
318  _In_ BOOLEAN CaptureIfKernel,
319  _Out_ PSID *CapturedSid)
320 {
321  ULONG SidSize = 0;
322  PISID NewSid, Sid = (PISID)InputSid;
323 
324  PAGED_CODE();
325 
326  if (AccessMode != KernelMode)
327  {
328  _SEH2_TRY
329  {
330  ProbeForRead(Sid, FIELD_OFFSET(SID, SubAuthority), sizeof(UCHAR));
332  ProbeForRead(Sid, SidSize, sizeof(UCHAR));
333  }
335  {
336  /* Return the exception code */
338  }
339  _SEH2_END;
340 
341  /* Allocate a SID and copy it */
343  if (!NewSid)
345 
346  _SEH2_TRY
347  {
348  RtlCopyMemory(NewSid, Sid, SidSize);
349 
350  *CapturedSid = NewSid;
351  }
353  {
354  /* Free the SID and return the exception code */
357  }
358  _SEH2_END;
359  }
360  else if (!CaptureIfKernel)
361  {
362  *CapturedSid = InputSid;
363  }
364  else
365  {
367 
368  /* Allocate a SID and copy it */
370  if (NewSid == NULL)
372 
373  RtlCopyMemory(NewSid, Sid, SidSize);
374 
375  *CapturedSid = NewSid;
376  }
377 
378  return STATUS_SUCCESS;
379 }
380 
398 VOID
399 NTAPI
401  _In_ PSID CapturedSid,
403  _In_ BOOLEAN CaptureIfKernel)
404 {
405  PAGED_CODE();
406 
407  if (CapturedSid != NULL &&
408  (AccessMode != KernelMode ||
409  (AccessMode == KernelMode && CaptureIfKernel)))
410  {
411  ExFreePoolWithTag(CapturedSid, TAG_SID);
412  }
413 }
414 
441 BOOLEAN
442 NTAPI
444  _In_ PACCESS_TOKEN _Token,
445  _In_ PSID PrincipalSelfSid,
446  _In_ PSID _Sid,
447  _In_ BOOLEAN Deny,
449 {
450  ULONG SidIndex;
451  PTOKEN Token = (PTOKEN)_Token;
452  PISID TokenSid, Sid = (PISID)_Sid;
453  PSID_AND_ATTRIBUTES SidAndAttributes;
454  ULONG SidCount, SidLength;
455  USHORT SidMetadata;
456  PAGED_CODE();
457 
458  /* Check if a principal SID was given, and this is our current SID already */
459  if ((PrincipalSelfSid) && (RtlEqualSid(SePrincipalSelfSid, Sid)))
460  {
461  /* Just use the principal SID in this case */
462  Sid = PrincipalSelfSid;
463  }
464 
465  /* Check if this is a restricted token or not */
466  if (Restricted)
467  {
468  /* Use the restricted SIDs and count */
469  SidAndAttributes = Token->RestrictedSids;
470  SidCount = Token->RestrictedSidCount;
471  }
472  else
473  {
474  /* Use the normal SIDs and count */
475  SidAndAttributes = Token->UserAndGroups;
476  SidCount = Token->UserAndGroupCount;
477  }
478 
479  /* Do checks here by hand instead of the usual 4 function calls */
480  SidLength = FIELD_OFFSET(SID,
481  SubAuthority[Sid->SubAuthorityCount]);
482  SidMetadata = *(PUSHORT)&Sid->Revision;
483 
484  /* Loop every SID */
485  for (SidIndex = 0; SidIndex < SidCount; SidIndex++)
486  {
487  TokenSid = (PISID)SidAndAttributes->Sid;
488 #if SE_SID_DEBUG
489  UNICODE_STRING sidString;
490  RtlConvertSidToUnicodeString(&sidString, TokenSid, TRUE);
491  DPRINT1("SID in Token: %wZ\n", &sidString);
492  RtlFreeUnicodeString(&sidString);
493 #endif
494  /* Check if the SID metadata matches */
495  if (*(PUSHORT)&TokenSid->Revision == SidMetadata)
496  {
497  /* Check if the SID data matches */
498  if (RtlEqualMemory(Sid, TokenSid, SidLength))
499  {
500  /*
501  * Check if the group is enabled, or used for deny only.
502  * Otherwise we have to check if this is the first user.
503  * We understand that by looking if this SID is not
504  * restricted, this is the first element we are iterating
505  * and that it doesn't have SE_GROUP_USE_FOR_DENY_ONLY
506  * attribute.
507  */
508  if ((!Restricted && (SidIndex == 0) && !(SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)) ||
509  (SidAndAttributes->Attributes & SE_GROUP_ENABLED) ||
510  ((Deny) && (SidAndAttributes->Attributes & SE_GROUP_USE_FOR_DENY_ONLY)))
511  {
512  /* SID is present */
513  return TRUE;
514  }
515  else
516  {
517  /* SID is not present */
518  return FALSE;
519  }
520  }
521  }
522 
523  /* Move to the next SID */
524  SidAndAttributes++;
525  }
526 
527  /* SID is not present */
528  return FALSE;
529 }
530 
545 BOOLEAN
546 NTAPI
548  _In_ PACCESS_TOKEN _Token,
549  _In_ PSID Sid)
550 {
551  /* Call extended API */
552  return SepSidInTokenEx(_Token, NULL, Sid, FALSE, FALSE);
553 }
554 
577 PSID
578 NTAPI
581  _In_ PACE Ace)
582 {
583  PSID Sid;
584  PAGED_CODE();
585 
586  /* Sanity check */
587  ASSERT(Ace);
588 
589  /* Initialize the SID */
590  Sid = NULL;
591 
592  /* Obtain the SID based upon ACE type */
593  switch (AceType)
594  {
596  {
597  Sid = (PSID)&((PACCESS_DENIED_ACE)Ace)->SidStart;
598  break;
599  }
600 
602  {
603  Sid = (PSID)&((PACCESS_ALLOWED_ACE)Ace)->SidStart;
604  break;
605  }
606 
608  {
609  Sid = (PSID)&((PACCESS_DENIED_OBJECT_ACE)Ace)->SidStart;
610  break;
611  }
612 
614  {
615  Sid = (PSID)&((PACCESS_ALLOWED_OBJECT_ACE)Ace)->SidStart;
616  break;
617  }
618 
619  default:
620  break;
621  }
622 
623  return Sid;
624 }
625 
694 NTSTATUS
695 NTAPI
697  _In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes,
698  _In_ ULONG AttributeCount,
700  _In_opt_ PVOID AllocatedMem,
701  _In_ ULONG AllocatedLength,
703  _In_ BOOLEAN CaptureIfKernel,
704  _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes,
706 {
707  ULONG ArraySize, RequiredLength, SidLength, i;
708  ULONG TempArrayValidate, TempLengthValidate;
709  PSID_AND_ATTRIBUTES SidAndAttributes;
710  _SEH2_VOLATILE PSID_VALIDATE ValidateArray;
711  PUCHAR CurrentDest;
712  PISID Sid;
714  PAGED_CODE();
715 
716  ValidateArray = NULL;
717  SidAndAttributes = NULL;
718  *CapturedSidAndAttributes = NULL;
719  *ResultLength = 0;
720 
721  if (AttributeCount == 0)
722  {
723  return STATUS_SUCCESS;
724  }
725 
726  if (AttributeCount > SE_MAXIMUM_GROUP_LIMIT)
727  {
728  DPRINT1("SeCaptureSidAndAttributesArray(): Maximum group limit exceeded!\n");
730  }
731 
732  if ((PreviousMode == KernelMode) && !CaptureIfKernel)
733  {
734  *CapturedSidAndAttributes = SrcSidAndAttributes;
735  return STATUS_SUCCESS;
736  }
737 
738  ArraySize = AttributeCount * sizeof(SID_AND_ATTRIBUTES);
739  RequiredLength = ALIGN_UP_BY(ArraySize, sizeof(ULONG));
740 
741  if (PreviousMode != KernelMode)
742  {
743  /* Check for user mode data */
744  _SEH2_TRY
745  {
746  /* First probe the whole array */
747  ProbeForRead(SrcSidAndAttributes, ArraySize, sizeof(ULONG));
748 
749  /* We're in user mode, set up the size for the temporary array */
750  TempArrayValidate = AttributeCount * sizeof(SID_VALIDATE);
751  TempLengthValidate = ALIGN_UP_BY(TempArrayValidate, sizeof(ULONG));
752 
753  /*
754  * Allocate a buffer for the array that we're going to
755  * temporarily hold the subauthority count and the SID
756  * elements. We'll be going to use this array to perform
757  * validation checks later.
758  */
760  TempLengthValidate,
762 
763  /* Loop the array elements */
764  for (i = 0; i < AttributeCount; i++)
765  {
766  /* Get the SID and probe the minimal structure */
767  Sid = SrcSidAndAttributes[i].Sid;
768  ProbeForRead(Sid, sizeof(*Sid), sizeof(ULONG));
769 
770  /*
771  * Capture the subauthority count and hold it
772  * into the temporary array for later validation.
773  * This way we ensure that the said count of each
774  * SID has remained the same.
775  */
776  ValidateArray[i].SubAuthorityCount = Sid->SubAuthorityCount;
777 
778  /* Capture the SID */
779  ValidateArray[i].ProbeSid = Sid;
780 
781  /* Calculate the SID length and probe the full SID */
782  SidLength = RtlLengthRequiredSid(ValidateArray[i].SubAuthorityCount);
783  ProbeForRead(ValidateArray[i].ProbeSid, SidLength, sizeof(ULONG));
784 
785  /* Add the aligned length to the required length */
786  RequiredLength += ALIGN_UP_BY(SidLength, sizeof(ULONG));
787  }
788  }
790  {
792  _SEH2_YIELD(goto Cleanup);
793  }
794  _SEH2_END;
795  }
796  else
797  {
798  /* Loop the array elements */
799  for (i = 0; i < AttributeCount; i++)
800  {
801  /* Get the SID and it's length */
802  Sid = SrcSidAndAttributes[i].Sid;
804 
805  /* Add the aligned length to the required length */
806  RequiredLength += ALIGN_UP_BY(SidLength, sizeof(ULONG));
807  }
808  }
809 
810  /* Assume success */
813 
814  /* Check if we have no buffer */
815  if (AllocatedMem == NULL)
816  {
817  /* Allocate a new buffer */
818  SidAndAttributes = ExAllocatePoolWithTag(PoolType,
821  if (SidAndAttributes == NULL)
822  {
823  DPRINT1("SeCaptureSidAndAttributesArray(): Failed to allocate memory for SID and attributes array (requested size -> %lu)!\n", RequiredLength);
825  goto Cleanup;
826  }
827  }
828  /* Otherwise check if the buffer is large enough */
829  else if (AllocatedLength >= RequiredLength)
830  {
831  /* Buffer is large enough, use it */
832  SidAndAttributes = AllocatedMem;
833  }
834  else
835  {
836  /* Buffer is too small, fail */
837  DPRINT1("SeCaptureSidAndAttributesArray(): The provided buffer is small (expected size -> %lu || current size -> %lu)!\n", RequiredLength, AllocatedLength);
839  goto Cleanup;
840  }
841 
842  *CapturedSidAndAttributes = SidAndAttributes;
843 
844  /* Check again for user mode */
845  if (PreviousMode != KernelMode)
846  {
847  _SEH2_TRY
848  {
849  /* The rest of the data starts after the array */
850  CurrentDest = (PUCHAR)SidAndAttributes;
851  CurrentDest += ALIGN_UP_BY(ArraySize, sizeof(ULONG));
852 
853  /* Loop the array elements */
854  for (i = 0; i < AttributeCount; i++)
855  {
856  /*
857  * Get the SID length from the subauthority
858  * count we've captured before.
859  */
860  SidLength = RtlLengthRequiredSid(ValidateArray[i].SubAuthorityCount);
861 
862  /* Copy attributes */
863  SidAndAttributes[i].Attributes = SrcSidAndAttributes[i].Attributes;
864 
865  /* Copy the SID to the current destination address */
866  SidAndAttributes[i].Sid = (PSID)CurrentDest;
867  RtlCopyMemory(CurrentDest, ValidateArray[i].ProbeSid, SidLength);
868 
869  /* Obtain the SID we've captured before for validation */
870  Sid = SidAndAttributes[i].Sid;
871 
872  /* Validate that the subauthority count hasn't changed */
873  if (ValidateArray[i].SubAuthorityCount !=
875  {
876  /* It's changed, bail out */
877  DPRINT1("SeCaptureSidAndAttributesArray(): The subauthority counts have changed (captured count -> %u || current count -> %u)\n",
878  ValidateArray[i].SubAuthorityCount, Sid->SubAuthorityCount);
880  goto Cleanup;
881  }
882 
883  /* Validate that the SID length is the same */
884  if (SidLength != RtlLengthSid(Sid))
885  {
886  /* They're no longer the same, bail out */
887  DPRINT1("SeCaptureSidAndAttributesArray(): The SID lengths have changed (captured length -> %lu || current length -> %lu)\n",
888  SidLength, RtlLengthSid(Sid));
890  goto Cleanup;
891  }
892 
893  /* Check that the SID is valid */
894  if (!RtlValidSid(Sid))
895  {
896  DPRINT1("SeCaptureSidAndAttributesArray(): The SID is not valid!\n");
898  goto Cleanup;
899  }
900 
901  /* Update the current destination address */
902  CurrentDest += ALIGN_UP_BY(SidLength, sizeof(ULONG));
903  }
904  }
906  {
908  }
909  _SEH2_END;
910  }
911  else
912  {
913  /* The rest of the data starts after the array */
914  CurrentDest = (PUCHAR)SidAndAttributes;
915  CurrentDest += ALIGN_UP_BY(ArraySize, sizeof(ULONG));
916 
917  /* Loop the array elements */
918  for (i = 0; i < AttributeCount; i++)
919  {
920  /* Get the SID and it's length */
921  Sid = SrcSidAndAttributes[i].Sid;
923 
924  /* Copy attributes */
925  SidAndAttributes[i].Attributes = SrcSidAndAttributes[i].Attributes;
926 
927  /* Copy the SID to the current destination address */
928  SidAndAttributes[i].Sid = (PSID)CurrentDest;
929  RtlCopyMemory(CurrentDest, SrcSidAndAttributes[i].Sid, SidLength);
930 
931  /* Update the current destination address */
932  CurrentDest += ALIGN_UP_BY(SidLength, sizeof(ULONG));
933  }
934  }
935 
936 Cleanup:
937  /* Check for failure */
938  if (!NT_SUCCESS(Status))
939  {
940  /* Check if we allocated a new array */
941  if ((SidAndAttributes != AllocatedMem) && (SidAndAttributes != NULL))
942  {
943  /* Free the array */
944  ExFreePoolWithTag(SidAndAttributes, TAG_SID_AND_ATTRIBUTES);
945  }
946 
947  /* Set returned address to NULL */
948  *CapturedSidAndAttributes = NULL;
949  }
950 
951  /* Free the temporary validation array */
952  if ((PreviousMode != KernelMode) && (ValidateArray != NULL))
953  {
954  ExFreePoolWithTag(ValidateArray, TAG_SID_VALIDATE);
955  }
956 
957  return Status;
958 }
959 
977 VOID
978 NTAPI
980  _In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes,
982  _In_ BOOLEAN CaptureIfKernel)
983 {
984  PAGED_CODE();
985 
986  if ((CapturedSidAndAttributes != NULL) &&
987  ((AccessMode != KernelMode) || CaptureIfKernel))
988  {
989  ExFreePoolWithTag(CapturedSidAndAttributes, TAG_SID_AND_ATTRIBUTES);
990  }
991 }
992 
993 /* EOF */
PSID SeLocalServiceSid
Definition: sid.c:52
_SEH2_TRY
Definition: create.c:4226
#define SECURITY_BATCH_RID
Definition: setypes.h:558
#define SE_MAXIMUM_GROUP_LIMIT
Definition: sid.c:16
#define SECURITY_AUTHENTICATED_USER_RID
Definition: setypes.h:568
#define SECURITY_LOCAL_SYSTEM_RID
Definition: setypes.h:574
#define TAG_SID_AND_ATTRIBUTES
Definition: tag.h:162
#define DOMAIN_ALIAS_RID_GUESTS
Definition: setypes.h:654
PSID SeAliasPrintOpsSid
Definition: sid.c:47
#define STATUS_INSUFFICIENT_RESOURCES
Definition: udferr_usr.h:158
#define _In_opt_
Definition: ms_sal.h:309
VOID NTAPI FreeInitializedSids(VOID)
Frees all the known initialized SIDs in the system from the memory.
Definition: sid.c:72
PSID SeAnonymousLogonSid
Definition: sid.c:51
#define _Out_
Definition: ms_sal.h:345
PSID SeBatchSid
Definition: sid.c:34
#define TRUE
Definition: types.h:120
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
PSID SeLocalSystemSid
Definition: sid.c:38
PSID SeAliasAdminsSid
Definition: sid.c:41
#define DOMAIN_ALIAS_RID_ACCOUNT_OPS
Definition: setypes.h:657
PSID SeDialupSid
Definition: sid.c:32
#define SECURITY_DIALUP_RID
Definition: setypes.h:556
unsigned char * PUCHAR
Definition: retypes.h:3
LONG NTSTATUS
Definition: precomp.h:26
VOID NTAPI SeReleaseSidAndAttributesArray(_In_ _Post_invalid_ PSID_AND_ATTRIBUTES CapturedSidAndAttributes, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID with attributes.
Definition: sid.c:979
_IRQL_requires_same_ _In_ PLSA_STRING _In_ SECURITY_LOGON_TYPE _In_ ULONG _In_ ULONG _In_opt_ PTOKEN_GROUPS _In_ PTOKEN_SOURCE _Out_ PVOID _Out_ PULONG _Inout_ PLUID _Out_ PHANDLE Token
#define SECURITY_NETWORK_RID
Definition: setypes.h:557
#define TAG_SID
Definition: sid.c:15
#define DOMAIN_ALIAS_RID_POWER_USERS
Definition: setypes.h:655
#define SECURITY_INTERACTIVE_RID
Definition: setypes.h:559
#define SECURITY_NULL_SID_AUTHORITY
Definition: setypes.h:524
_SEH2_END
Definition: create.c:4400
PSID SeAliasBackupOpsSid
Definition: sid.c:48
PISID ProbeSid
Definition: sid.c:58
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
BOOLEAN NTAPI RtlEqualSid(IN PSID Sid1_, IN PSID Sid2_)
Definition: sid.c:132
PSID SePrincipalSelfSid
Definition: sid.c:37
PULONG NTAPI RtlSubAuthoritySid(IN PSID Sid_, IN ULONG SubAuthority)
Definition: sid.c:89
#define SECURITY_PRINCIPAL_SELF_RID
Definition: setypes.h:567
PSID SeCreatorOwnerServerSid
Definition: sid.c:29
NTSTATUS NTAPI RtlConvertSidToUnicodeString(IN PUNICODE_STRING String, IN PSID Sid_, IN BOOLEAN AllocateBuffer)
Definition: sid.c:342
NTSTATUS(* NTAPI)(IN PFILE_FULL_EA_INFORMATION EaBuffer, IN ULONG EaLength, OUT PULONG ErrorOffset)
Definition: IoEaTest.cpp:117
#define FALSE
Definition: types.h:117
NTSTATUS NTAPI SepCaptureSid(_In_ PSID InputSid, _In_ KPROCESSOR_MODE AccessMode, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID *CapturedSid)
Captures a SID.
Definition: sid.c:314
struct _SID_VALIDATE SID_VALIDATE
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority
Definition: sid.c:21
#define ACCESS_DENIED_OBJECT_ACE_TYPE
Definition: setypes.h:726
#define SECURITY_LOCAL_SID_AUTHORITY
Definition: setypes.h:530
struct _SID * PISID
BOOLEAN NTAPI SepInitSecurityIDs(VOID)
Initializes all the SIDs known in the system.
Definition: sid.c:115
_In_ PEPROCESS _In_ KPROCESSOR_MODE AccessMode
Definition: mmfuncs.h:395
Definition: card.h:12
unsigned char BOOLEAN
ULONG NTAPI RtlLengthSid(IN PSID Sid_)
Definition: sid.c:150
#define _In_
Definition: ms_sal.h:308
_In_ ULONG _In_ ACCESS_MASK _In_ PSID Sid
Definition: rtlfuncs.h:1130
#define STATUS_INVALID_SID
Definition: ntstatus.h:356
#define SECURITY_LOCAL_SERVICE_RID
Definition: setypes.h:575
#define SECURITY_NT_AUTHORITY
Definition: setypes.h:554
UNICODE_STRING Restricted
Definition: utils.c:24
BOOLEAN NTAPI RtlValidSid(IN PSID Sid_)
Definition: sid.c:21
Status
Definition: gdiplustypes.h:24
_In_ KPROCESSOR_MODE PreviousMode
Definition: sefuncs.h:103
struct _SID_VALIDATE * PSID_VALIDATE
#define SECURITY_CREATOR_GROUP_SERVER_RID
Definition: setypes.h:548
#define SECURITY_BUILTIN_DOMAIN_RID
Definition: setypes.h:581
#define ASSERT(a)
Definition: mode.c:44
NTSYSAPI ULONG NTAPI RtlEqualMemory(CONST VOID *Source1, CONST VOID *Source2, ULONG Length)
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:32
#define SE_GROUP_ENABLED
Definition: setypes.h:92
#define DOMAIN_ALIAS_RID_BACKUP_OPS
Definition: setypes.h:660
#define SECURITY_WORLD_SID_AUTHORITY
Definition: setypes.h:527
INT POOL_TYPE
Definition: typedefs.h:78
PSID SeServiceSid
Definition: sid.c:36
#define EXCEPTION_EXECUTE_HANDLER
Definition: excpt.h:85
struct _SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES
BOOLEAN NTAPI SepSidInTokenEx(_In_ PACCESS_TOKEN _Token, _In_ PSID PrincipalSelfSid, _In_ PSID _Sid, _In_ BOOLEAN Deny, _In_ BOOLEAN Restricted)
Checks if a SID is present in a token.
Definition: sid.c:443
#define TAG_SID_VALIDATE
Definition: tag.h:163
#define DOMAIN_ALIAS_RID_SYSTEM_OPS
Definition: setypes.h:658
#define SECURITY_LOCAL_RID
Definition: setypes.h:542
#define for
Definition: utility.h:88
#define ACCESS_ALLOWED_ACE_TYPE
Definition: setypes.h:717
#define ACCESS_ALLOWED_OBJECT_ACE_TYPE
Definition: setypes.h:725
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority
Definition: sid.c:19
NTSYSAPI VOID NTAPI RtlFreeUnicodeString(PUNICODE_STRING UnicodeString)
CCHAR KPROCESSOR_MODE
Definition: ketypes.h:7
#define SECURITY_WORLD_RID
Definition: setypes.h:541
NTSTATUS NTAPI SeCaptureSidAndAttributesArray(_In_ PSID_AND_ATTRIBUTES SrcSidAndAttributes, _In_ ULONG AttributeCount, _In_ KPROCESSOR_MODE PreviousMode, _In_opt_ PVOID AllocatedMem, _In_ ULONG AllocatedLength, _In_ POOL_TYPE PoolType, _In_ BOOLEAN CaptureIfKernel, _Out_ PSID_AND_ATTRIBUTES *CapturedSidAndAttributes, _Out_ PULONG ResultLength)
Captures a SID with attributes.
Definition: sid.c:696
#define ACCESS_DENIED_ACE_TYPE
Definition: setypes.h:718
#define SECURITY_ANONYMOUS_LOGON_RID
Definition: setypes.h:563
PSID SeAliasUsersSid
Definition: sid.c:42
PSID SeAliasGuestsSid
Definition: sid.c:43
struct _SID * PSID
Definition: eventlog.c:35
#define SECURITY_CREATOR_OWNER_RID
Definition: setypes.h:545
#define ExAllocatePoolWithTag(hernya, size, tag)
Definition: env_spec_w32.h:350
#define SECURITY_NULL_RID
Definition: setypes.h:540
VOID NTAPI SepReleaseSid(_In_ PSID CapturedSid, _In_ KPROCESSOR_MODE AccessMode, _In_ BOOLEAN CaptureIfKernel)
Releases a captured SID.
Definition: sid.c:400
unsigned char UCHAR
Definition: xmlstorage.h:181
PSID SeAuthenticatedUserSid
Definition: sid.c:39
VOID NTAPI ProbeForRead(IN CONST VOID *Address, IN SIZE_T Length, IN ULONG Alignment)
Definition: exintrin.c:102
PSID SeWorldSid
Definition: sid.c:25
ULONG NTAPI RtlLengthRequiredSid(IN ULONG SubAuthorityCount)
Definition: sid.c:54
PSID SeLocalSid
Definition: sid.c:26
#define SE_GROUP_USE_FOR_DENY_ONLY
Definition: setypes.h:94
PSID SeAuthenticatedUsersSid
Definition: sid.c:49
_In_ PSID_IDENTIFIER_AUTHORITY _In_ UCHAR SubAuthorityCount
Definition: rtlfuncs.h:1513
static const WCHAR Cleanup[]
Definition: register.c:80
PSID SeAliasPowerUsersSid
Definition: sid.c:44
#define _Post_invalid_
Definition: ms_sal.h:695
#define SECURITY_NETWORK_SERVICE_RID
Definition: setypes.h:576
#define _SEH2_VOLATILE
Definition: pseh2_64.h:169
static const ACEFLAG AceType[]
Definition: security.c:2382
PSID SeNetworkSid
Definition: sid.c:33
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority
Definition: sid.c:18
#define SECURITY_CREATOR_GROUP_RID
Definition: setypes.h:546
BOOLEAN NTAPI SepSidInToken(_In_ PACCESS_TOKEN _Token, _In_ PSID Sid)
Checks if a SID is present in a token.
Definition: sid.c:547
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
NTSTATUS NTAPI RtlInitializeSid(IN PSID Sid_, IN PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, IN UCHAR SubAuthorityCount)
Definition: sid.c:68
#define DOMAIN_ALIAS_RID_USERS
Definition: setypes.h:653
unsigned short USHORT
Definition: pedump.c:61
struct _TOKEN * PTOKEN
#define FIELD_OFFSET(t, f)
Definition: typedefs.h:255
_In_ ULONG _Out_opt_ PULONG RequiredLength
Definition: wmifuncs.h:29
BYTE SubAuthorityCount
Definition: ms-dtyp.idl:200
unsigned int * PULONG
Definition: retypes.h:1
#define SECURITY_RESTRICTED_CODE_RID
Definition: setypes.h:569
#define NULL
Definition: types.h:112
PSID SeCreatorGroupSid
Definition: sid.c:28
PSID SeRestrictedSid
Definition: sid.c:50
PSID SeCreatorGroupServerSid
Definition: sid.c:30
PSID SeNetworkServiceSid
Definition: sid.c:53
#define DPRINT1
Definition: precomp.h:8
#define SECURITY_CREATOR_OWNER_SERVER_RID
Definition: setypes.h:547
PSID SeRestrictedCodeSid
Definition: sid.c:40
#define DOMAIN_ALIAS_RID_PRINT_OPS
Definition: setypes.h:659
#define SECURITY_SERVICE_RID
Definition: setypes.h:562
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ _Strict_type_match_ POOL_TYPE PoolType
Definition: wdfdevice.h:3810
unsigned int ULONG
Definition: retypes.h:1
UCHAR SubAuthorityCount
Definition: sid.c:57
#define ALIGN_UP_BY(size, align)
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority
Definition: sid.c:20
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
_Must_inspect_result_ _In_ WDFDEVICE _In_ DEVICE_REGISTRY_PROPERTY _In_ ULONG _Out_ PULONG ResultLength
Definition: wdfdevice.h:3776
#define _SEH2_EXCEPT(...)
Definition: pseh2_64.h:40
BYTE Revision
Definition: ms-dtyp.idl:199
PSID SeCreatorOwnerSid
Definition: sid.c:27
PSID SeAliasSystemOpsSid
Definition: sid.c:46
#define POOL_RAISE_IF_ALLOCATION_FAILURE
#define STATUS_SUCCESS
Definition: shellext.h:65
#define _SEH2_GetExceptionCode()
Definition: pseh2_64.h:165
PSID SeInteractiveSid
Definition: sid.c:35
#define _SEH2_YIELD(__stmt)
Definition: pseh2_64.h:168
PSID SeNullSid
Definition: sid.c:24
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority
Definition: sid.c:22
#define ExFreePoolWithTag(_P, _T)
Definition: module.h:1099
_In_ PSID _In_ PSID NewSid
Definition: rtlfuncs.h:2813
#define DOMAIN_ALIAS_RID_ADMINS
Definition: setypes.h:652
static CODE_SEG("PAGE")
Definition: isapnp.c:1482
Definition: rtltypes.h:992
unsigned short * PUSHORT
Definition: retypes.h:2
#define SECURITY_CREATOR_SID_AUTHORITY
Definition: setypes.h:533
PSID NTAPI SepGetSidFromAce(_In_ UCHAR AceType, _In_ PACE Ace)
Captures a security identifier from a given access control entry. This identifier is valid for the wh...
Definition: sid.c:579
PSID SeNtAuthoritySid
Definition: sid.c:31
#define PAGED_CODE()
PSID SeAliasAccountOpsSid
Definition: sid.c:45