2005-02-06 21:57:44 +00:00
|
|
|
/*
|
1998-12-04 18:28:13 +00:00
|
|
|
* COPYRIGHT: See COPYING in the top level directory
|
|
|
|
|
* PROJECT: ReactOS system libraries
|
|
|
|
|
* FILE: lib/advapi32/token/token.c
|
1999-09-25 06:25:51 +00:00
|
|
|
* PURPOSE: Token functions
|
1998-12-04 18:28:13 +00:00
|
|
|
* PROGRAMMER: Ariadne ( ariadne@xs4all.nl)
|
|
|
|
|
* UPDATE HISTORY:
|
|
|
|
|
* Created 01/11/98
|
|
|
|
|
*/
|
1999-07-22 21:36:37 +00:00
|
|
|
|
2005-08-05 10:31:28 +00:00
|
|
|
#include <advapi32.h>
|
2008-02-08 17:04:39 +00:00
|
|
|
#include "wine/debug.h"
|
2004-08-15 17:03:15 +00:00
|
|
|
|
2008-02-08 17:04:39 +00:00
|
|
|
WINE_DEFAULT_DEBUG_CHANNEL(advapi);
|
1999-07-22 21:36:37 +00:00
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
2004-02-25 14:25:11 +00:00
|
|
|
AdjustTokenGroups (HANDLE TokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
BOOL ResetToDefault,
|
|
|
|
|
PTOKEN_GROUPS NewState,
|
|
|
|
|
DWORD BufferLength,
|
|
|
|
|
PTOKEN_GROUPS PreviousState,
|
|
|
|
|
PDWORD ReturnLength)
|
1998-12-04 18:28:13 +00:00
|
|
|
{
|
2004-02-25 14:25:11 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
|
|
Status = NtAdjustGroupsToken (TokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
ResetToDefault,
|
|
|
|
|
NewState,
|
|
|
|
|
BufferLength,
|
|
|
|
|
PreviousState,
|
|
|
|
|
(PULONG)ReturnLength);
|
2004-02-25 14:25:11 +00:00
|
|
|
if (!NT_SUCCESS (Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError (RtlNtStatusToDosError (Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
1998-12-04 18:28:13 +00:00
|
|
|
}
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
2004-02-25 14:25:11 +00:00
|
|
|
AdjustTokenPrivileges (HANDLE TokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
BOOL DisableAllPrivileges,
|
|
|
|
|
PTOKEN_PRIVILEGES NewState,
|
|
|
|
|
DWORD BufferLength,
|
|
|
|
|
PTOKEN_PRIVILEGES PreviousState,
|
|
|
|
|
PDWORD ReturnLength)
|
2004-02-25 14:25:11 +00:00
|
|
|
{
|
|
|
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
|
|
Status = NtAdjustPrivilegesToken (TokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
DisableAllPrivileges,
|
|
|
|
|
NewState,
|
|
|
|
|
BufferLength,
|
|
|
|
|
PreviousState,
|
|
|
|
|
(PULONG)ReturnLength);
|
2004-07-06 22:07:26 +00:00
|
|
|
if (STATUS_NOT_ALL_ASSIGNED == Status)
|
2004-02-25 14:25:11 +00:00
|
|
|
{
|
2004-07-06 22:07:26 +00:00
|
|
|
SetLastError(ERROR_NOT_ALL_ASSIGNED);
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
if (! NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError(RtlNtStatusToDosError(Status));
|
2004-02-25 14:25:11 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2004-07-06 22:07:26 +00:00
|
|
|
SetLastError(ERROR_SUCCESS); /* AdjustTokenPrivileges is documented to do this */
|
2004-02-25 14:25:11 +00:00
|
|
|
return TRUE;
|
1998-12-04 18:28:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
2004-02-25 14:25:11 +00:00
|
|
|
GetTokenInformation (HANDLE TokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|
|
|
|
LPVOID TokenInformation,
|
|
|
|
|
DWORD TokenInformationLength,
|
|
|
|
|
PDWORD ReturnLength)
|
1998-12-04 18:28:13 +00:00
|
|
|
{
|
2004-02-25 14:25:11 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
|
|
Status = NtQueryInformationToken (TokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
TokenInformationClass,
|
|
|
|
|
TokenInformation,
|
|
|
|
|
TokenInformationLength,
|
|
|
|
|
(PULONG)ReturnLength);
|
2004-02-25 14:25:11 +00:00
|
|
|
if (!NT_SUCCESS (Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError (RtlNtStatusToDosError (Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
1998-12-04 18:28:13 +00:00
|
|
|
}
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
2004-02-25 14:25:11 +00:00
|
|
|
SetTokenInformation (HANDLE TokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
TOKEN_INFORMATION_CLASS TokenInformationClass,
|
|
|
|
|
LPVOID TokenInformation,
|
|
|
|
|
DWORD TokenInformationLength)
|
1998-12-04 18:28:13 +00:00
|
|
|
{
|
2004-02-25 14:25:11 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
|
|
Status = NtSetInformationToken (TokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
TokenInformationClass,
|
|
|
|
|
TokenInformation,
|
|
|
|
|
TokenInformationLength);
|
2004-02-25 14:25:11 +00:00
|
|
|
if (!NT_SUCCESS (Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError (RtlNtStatusToDosError (Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
1998-12-04 18:28:13 +00:00
|
|
|
}
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
|
|
|
|
AccessCheck (PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
2007-07-02 22:31:30 +00:00
|
|
|
HANDLE ClientToken,
|
|
|
|
|
DWORD DesiredAccess,
|
|
|
|
|
PGENERIC_MAPPING GenericMapping,
|
|
|
|
|
PPRIVILEGE_SET PrivilegeSet,
|
|
|
|
|
LPDWORD PrivilegeSetLength,
|
|
|
|
|
LPDWORD GrantedAccess,
|
|
|
|
|
LPBOOL AccessStatus)
|
1998-12-04 18:28:13 +00:00
|
|
|
{
|
2004-01-20 01:40:19 +00:00
|
|
|
NTSTATUS Status;
|
2004-07-12 12:05:49 +00:00
|
|
|
NTSTATUS AccessStat;
|
2004-01-20 01:40:19 +00:00
|
|
|
|
|
|
|
|
Status = NtAccessCheck (pSecurityDescriptor,
|
2007-07-02 22:31:30 +00:00
|
|
|
ClientToken,
|
|
|
|
|
DesiredAccess,
|
|
|
|
|
GenericMapping,
|
|
|
|
|
PrivilegeSet,
|
|
|
|
|
(PULONG)PrivilegeSetLength,
|
|
|
|
|
(PACCESS_MASK)GrantedAccess,
|
|
|
|
|
&AccessStat);
|
2004-01-20 01:40:19 +00:00
|
|
|
if (!NT_SUCCESS (Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError (RtlNtStatusToDosError (Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2004-07-12 12:05:49 +00:00
|
|
|
if (!NT_SUCCESS (AccessStat))
|
|
|
|
|
{
|
|
|
|
|
SetLastError (RtlNtStatusToDosError (Status));
|
|
|
|
|
*AccessStatus = FALSE;
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*AccessStatus = TRUE;
|
|
|
|
|
|
2004-01-20 01:40:19 +00:00
|
|
|
return TRUE;
|
1998-12-04 18:28:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
|
|
|
|
OpenProcessToken (HANDLE ProcessHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
DWORD DesiredAccess,
|
|
|
|
|
PHANDLE TokenHandle)
|
1998-12-04 18:28:13 +00:00
|
|
|
{
|
2004-01-20 01:40:19 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
|
|
Status = NtOpenProcessToken (ProcessHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
DesiredAccess,
|
|
|
|
|
TokenHandle);
|
2004-01-20 01:40:19 +00:00
|
|
|
if (!NT_SUCCESS (Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError (RtlNtStatusToDosError (Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
1998-12-04 18:28:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
|
|
|
|
OpenThreadToken (HANDLE ThreadHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
DWORD DesiredAccess,
|
|
|
|
|
BOOL OpenAsSelf,
|
|
|
|
|
PHANDLE TokenHandle)
|
1998-12-04 18:28:13 +00:00
|
|
|
{
|
2004-01-20 01:40:19 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
|
|
|
|
|
Status = NtOpenThreadToken (ThreadHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
DesiredAccess,
|
|
|
|
|
OpenAsSelf,
|
|
|
|
|
TokenHandle);
|
2004-01-20 01:40:19 +00:00
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError (RtlNtStatusToDosError (Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
1998-12-04 18:28:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
2005-05-05 12:21:43 +00:00
|
|
|
SetThreadToken (IN PHANDLE ThreadHandle OPTIONAL,
|
|
|
|
|
IN HANDLE TokenHandle)
|
1999-07-22 21:36:37 +00:00
|
|
|
{
|
2004-01-20 01:40:19 +00:00
|
|
|
NTSTATUS Status;
|
|
|
|
|
HANDLE hThread;
|
|
|
|
|
|
2005-05-05 12:21:43 +00:00
|
|
|
hThread = ((ThreadHandle != NULL) ? *ThreadHandle : NtCurrentThread());
|
2004-01-20 01:40:19 +00:00
|
|
|
|
|
|
|
|
Status = NtSetInformationThread (hThread,
|
2007-07-02 22:31:30 +00:00
|
|
|
ThreadImpersonationToken,
|
|
|
|
|
&TokenHandle,
|
|
|
|
|
sizeof(HANDLE));
|
2004-01-20 01:40:19 +00:00
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError (RtlNtStatusToDosError (Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
1999-07-22 21:36:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
2005-05-05 12:21:43 +00:00
|
|
|
DuplicateTokenEx (IN HANDLE ExistingTokenHandle,
|
|
|
|
|
IN DWORD dwDesiredAccess,
|
|
|
|
|
IN LPSECURITY_ATTRIBUTES lpTokenAttributes OPTIONAL,
|
|
|
|
|
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
|
|
|
|
|
IN TOKEN_TYPE TokenType,
|
|
|
|
|
OUT PHANDLE DuplicateTokenHandle)
|
1999-07-22 21:36:37 +00:00
|
|
|
{
|
2004-01-20 01:40:19 +00:00
|
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
|
|
|
NTSTATUS Status;
|
2004-12-14 00:41:24 +00:00
|
|
|
SECURITY_QUALITY_OF_SERVICE Sqos;
|
2005-05-09 01:43:41 +00:00
|
|
|
|
2004-12-14 00:41:24 +00:00
|
|
|
Sqos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
|
|
|
|
|
Sqos.ImpersonationLevel = ImpersonationLevel;
|
|
|
|
|
Sqos.ContextTrackingMode = 0;
|
|
|
|
|
Sqos.EffectiveOnly = FALSE;
|
|
|
|
|
|
2005-05-05 12:21:43 +00:00
|
|
|
if (lpTokenAttributes != NULL)
|
|
|
|
|
{
|
|
|
|
|
InitializeObjectAttributes(&ObjectAttributes,
|
|
|
|
|
NULL,
|
|
|
|
|
lpTokenAttributes->bInheritHandle ? OBJ_INHERIT : 0,
|
|
|
|
|
NULL,
|
|
|
|
|
lpTokenAttributes->lpSecurityDescriptor);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
InitializeObjectAttributes(&ObjectAttributes,
|
|
|
|
|
NULL,
|
|
|
|
|
0,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL);
|
|
|
|
|
}
|
1999-09-25 06:25:51 +00:00
|
|
|
|
2005-05-05 12:21:43 +00:00
|
|
|
ObjectAttributes.SecurityQualityOfService = &Sqos;
|
2005-05-09 01:43:41 +00:00
|
|
|
|
2004-01-20 01:40:19 +00:00
|
|
|
Status = NtDuplicateToken (ExistingTokenHandle,
|
2007-07-02 22:31:30 +00:00
|
|
|
dwDesiredAccess,
|
|
|
|
|
&ObjectAttributes,
|
|
|
|
|
FALSE,
|
|
|
|
|
TokenType,
|
|
|
|
|
DuplicateTokenHandle);
|
2004-01-20 01:40:19 +00:00
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError(RtlNtStatusToDosError(Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
1999-09-25 06:25:51 +00:00
|
|
|
|
2004-01-20 01:40:19 +00:00
|
|
|
return TRUE;
|
1999-07-22 21:36:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2003-07-10 15:05:55 +00:00
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2004-01-20 01:40:19 +00:00
|
|
|
BOOL STDCALL
|
2005-05-05 12:21:43 +00:00
|
|
|
DuplicateToken (IN HANDLE ExistingTokenHandle,
|
|
|
|
|
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
|
|
|
|
|
OUT PHANDLE DuplicateTokenHandle)
|
1999-09-25 06:25:51 +00:00
|
|
|
{
|
2004-01-20 01:40:19 +00:00
|
|
|
return DuplicateTokenEx (ExistingTokenHandle,
|
2005-05-05 12:21:43 +00:00
|
|
|
TOKEN_IMPERSONATE | TOKEN_QUERY,
|
2004-01-20 01:40:19 +00:00
|
|
|
NULL,
|
|
|
|
|
ImpersonationLevel,
|
|
|
|
|
TokenImpersonation,
|
|
|
|
|
DuplicateTokenHandle);
|
1999-09-25 06:25:51 +00:00
|
|
|
}
|
|
|
|
|
|
2005-02-06 21:57:44 +00:00
|
|
|
|
|
|
|
|
/*
|
2005-02-06 22:16:05 +00:00
|
|
|
* @implemented
|
2005-02-06 21:57:44 +00:00
|
|
|
*/
|
|
|
|
|
BOOL STDCALL
|
2005-10-10 11:44:37 +00:00
|
|
|
CheckTokenMembership(IN HANDLE ExistingTokenHandle,
|
|
|
|
|
IN PSID SidToCheck,
|
|
|
|
|
OUT PBOOL IsMember)
|
2005-02-06 21:57:44 +00:00
|
|
|
{
|
2005-10-10 11:44:37 +00:00
|
|
|
PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
|
|
|
|
|
ACCESS_MASK GrantedAccess;
|
|
|
|
|
struct
|
|
|
|
|
{
|
|
|
|
|
PRIVILEGE_SET PrivilegeSet;
|
|
|
|
|
LUID_AND_ATTRIBUTES Privileges[4];
|
|
|
|
|
} PrivBuffer;
|
|
|
|
|
ULONG PrivBufferSize = sizeof(PrivBuffer);
|
|
|
|
|
GENERIC_MAPPING GenericMapping =
|
|
|
|
|
{
|
|
|
|
|
STANDARD_RIGHTS_READ,
|
|
|
|
|
STANDARD_RIGHTS_WRITE,
|
|
|
|
|
STANDARD_RIGHTS_EXECUTE,
|
|
|
|
|
STANDARD_RIGHTS_ALL
|
|
|
|
|
};
|
|
|
|
|
PACL Dacl;
|
|
|
|
|
ULONG SidLen;
|
2005-10-28 14:31:38 +00:00
|
|
|
HANDLE hToken = NULL;
|
2005-10-10 11:44:37 +00:00
|
|
|
NTSTATUS Status, AccessStatus;
|
|
|
|
|
|
|
|
|
|
/* doesn't return gracefully if IsMember is NULL! */
|
|
|
|
|
*IsMember = FALSE;
|
|
|
|
|
|
|
|
|
|
SidLen = RtlLengthSid(SidToCheck);
|
|
|
|
|
|
|
|
|
|
if (ExistingTokenHandle == NULL)
|
|
|
|
|
{
|
|
|
|
|
Status = NtOpenThreadToken(NtCurrentThread(),
|
|
|
|
|
TOKEN_QUERY,
|
|
|
|
|
FALSE,
|
|
|
|
|
&hToken);
|
|
|
|
|
|
|
|
|
|
if (Status == STATUS_NO_TOKEN)
|
|
|
|
|
{
|
|
|
|
|
/* we're not impersonating, open the primary token */
|
|
|
|
|
Status = NtOpenProcessToken(NtCurrentProcess(),
|
|
|
|
|
TOKEN_QUERY | TOKEN_DUPLICATE,
|
|
|
|
|
&hToken);
|
|
|
|
|
if (NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
HANDLE hNewToken = FALSE;
|
|
|
|
|
BOOL DupRet;
|
|
|
|
|
|
|
|
|
|
/* duplicate the primary token to create an impersonation token */
|
|
|
|
|
DupRet = DuplicateTokenEx(hToken,
|
|
|
|
|
TOKEN_QUERY | TOKEN_IMPERSONATE,
|
|
|
|
|
NULL,
|
|
|
|
|
SecurityImpersonation,
|
|
|
|
|
TokenImpersonation,
|
|
|
|
|
&hNewToken);
|
|
|
|
|
|
|
|
|
|
NtClose(hToken);
|
|
|
|
|
|
|
|
|
|
if (!DupRet)
|
|
|
|
|
{
|
2008-02-08 17:04:39 +00:00
|
|
|
WARN("Failed to duplicate the primary token!\n");
|
2005-10-10 11:44:37 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hToken = hNewToken;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
goto Cleanup;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
hToken = ExistingTokenHandle;
|
|
|
|
|
}
|
2005-05-09 01:43:41 +00:00
|
|
|
|
2005-10-10 11:44:37 +00:00
|
|
|
/* create a security descriptor */
|
|
|
|
|
SecurityDescriptor = RtlAllocateHeap(RtlGetProcessHeap(),
|
|
|
|
|
0,
|
|
|
|
|
sizeof(SECURITY_DESCRIPTOR) +
|
|
|
|
|
sizeof(ACL) + SidLen +
|
|
|
|
|
sizeof(ACCESS_ALLOWED_ACE));
|
|
|
|
|
if (SecurityDescriptor == NULL)
|
|
|
|
|
{
|
|
|
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
|
|
|
goto Cleanup;
|
|
|
|
|
}
|
2005-05-09 01:43:41 +00:00
|
|
|
|
2005-10-10 11:44:37 +00:00
|
|
|
Status = RtlCreateSecurityDescriptor(SecurityDescriptor,
|
|
|
|
|
SECURITY_DESCRIPTOR_REVISION);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
2005-02-06 22:16:05 +00:00
|
|
|
{
|
2005-10-10 11:44:37 +00:00
|
|
|
goto Cleanup;
|
2005-02-06 22:16:05 +00:00
|
|
|
}
|
2005-10-10 11:44:37 +00:00
|
|
|
|
|
|
|
|
/* set the owner and group */
|
|
|
|
|
Status = RtlSetOwnerSecurityDescriptor(SecurityDescriptor,
|
|
|
|
|
SidToCheck,
|
|
|
|
|
FALSE);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
2005-02-06 22:16:05 +00:00
|
|
|
{
|
2005-10-10 11:44:37 +00:00
|
|
|
goto Cleanup;
|
2005-02-06 22:16:05 +00:00
|
|
|
}
|
2005-05-09 01:43:41 +00:00
|
|
|
|
2005-10-10 11:44:37 +00:00
|
|
|
Status = RtlSetGroupSecurityDescriptor(SecurityDescriptor,
|
|
|
|
|
SidToCheck,
|
|
|
|
|
FALSE);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
2005-02-06 22:16:05 +00:00
|
|
|
{
|
2005-10-10 11:44:37 +00:00
|
|
|
goto Cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* create the DACL */
|
|
|
|
|
Dacl = (PACL)(SecurityDescriptor + 1);
|
|
|
|
|
Status = RtlCreateAcl(Dacl,
|
|
|
|
|
sizeof(ACL) + SidLen + sizeof(ACCESS_ALLOWED_ACE),
|
|
|
|
|
ACL_REVISION);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
goto Cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Status = RtlAddAccessAllowedAce(Dacl,
|
|
|
|
|
ACL_REVISION,
|
|
|
|
|
0x1,
|
|
|
|
|
SidToCheck);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
goto Cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* assign the DACL to the security descriptor */
|
|
|
|
|
Status = RtlSetDaclSecurityDescriptor(SecurityDescriptor,
|
|
|
|
|
TRUE,
|
|
|
|
|
Dacl,
|
|
|
|
|
FALSE);
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
goto Cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* it's time to perform the access check. Just use _some_ desired access right
|
|
|
|
|
(same as for the ACE) and see if we're getting it granted. This indicates
|
|
|
|
|
our SID is a member of the token. We however can't use a generic access
|
|
|
|
|
right as those aren't mapped and return an error (STATUS_GENERIC_NOT_MAPPED). */
|
|
|
|
|
Status = NtAccessCheck(SecurityDescriptor,
|
|
|
|
|
hToken,
|
|
|
|
|
0x1,
|
|
|
|
|
&GenericMapping,
|
|
|
|
|
&PrivBuffer.PrivilegeSet,
|
|
|
|
|
&PrivBufferSize,
|
|
|
|
|
&GrantedAccess,
|
|
|
|
|
&AccessStatus);
|
|
|
|
|
|
|
|
|
|
if (NT_SUCCESS(Status) && NT_SUCCESS(AccessStatus) && (GrantedAccess == 0x1))
|
|
|
|
|
{
|
|
|
|
|
*IsMember = TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Cleanup:
|
2005-10-28 14:31:38 +00:00
|
|
|
if (hToken != NULL && hToken != ExistingTokenHandle)
|
2005-10-10 11:44:37 +00:00
|
|
|
{
|
|
|
|
|
NtClose(hToken);
|
2005-02-06 22:16:05 +00:00
|
|
|
}
|
2005-05-09 01:43:41 +00:00
|
|
|
|
2005-10-10 11:44:37 +00:00
|
|
|
if (SecurityDescriptor != NULL)
|
|
|
|
|
{
|
|
|
|
|
RtlFreeHeap(RtlGetProcessHeap(),
|
|
|
|
|
0,
|
|
|
|
|
SecurityDescriptor);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
SetLastError(RtlNtStatusToDosError(Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2005-05-09 01:43:41 +00:00
|
|
|
|
2005-10-10 11:44:37 +00:00
|
|
|
return TRUE;
|
2005-02-06 21:57:44 +00:00
|
|
|
}
|
|
|
|
|
|
2005-06-23 10:34:16 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* @implemented
|
|
|
|
|
*/
|
2005-06-17 09:46:29 +00:00
|
|
|
BOOL STDCALL
|
|
|
|
|
IsTokenRestricted(HANDLE TokenHandle)
|
|
|
|
|
{
|
|
|
|
|
ULONG RetLength;
|
|
|
|
|
PTOKEN_GROUPS lpGroups;
|
|
|
|
|
NTSTATUS Status;
|
|
|
|
|
BOOL Ret = FALSE;
|
2007-10-19 23:21:45 +00:00
|
|
|
|
2005-06-17 09:46:29 +00:00
|
|
|
/* determine the required buffer size and allocate enough memory to read the
|
|
|
|
|
list of restricted SIDs */
|
|
|
|
|
|
|
|
|
|
Status = NtQueryInformationToken(TokenHandle,
|
|
|
|
|
TokenRestrictedSids,
|
|
|
|
|
NULL,
|
|
|
|
|
0,
|
|
|
|
|
&RetLength);
|
|
|
|
|
if (Status != STATUS_BUFFER_TOO_SMALL)
|
|
|
|
|
{
|
|
|
|
|
SetLastError(RtlNtStatusToDosError(Status));
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2007-10-19 23:21:45 +00:00
|
|
|
|
2005-06-17 09:46:29 +00:00
|
|
|
AllocAndReadRestrictedSids:
|
|
|
|
|
lpGroups = (PTOKEN_GROUPS)HeapAlloc(GetProcessHeap(),
|
|
|
|
|
0,
|
|
|
|
|
RetLength);
|
|
|
|
|
if (lpGroups == NULL)
|
|
|
|
|
{
|
|
|
|
|
SetLastError(ERROR_OUTOFMEMORY);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2007-10-19 23:21:45 +00:00
|
|
|
|
2005-06-17 09:46:29 +00:00
|
|
|
/* actually read the list of the restricted SIDs */
|
2007-10-19 23:21:45 +00:00
|
|
|
|
2005-06-17 09:46:29 +00:00
|
|
|
Status = NtQueryInformationToken(TokenHandle,
|
|
|
|
|
TokenRestrictedSids,
|
|
|
|
|
lpGroups,
|
|
|
|
|
RetLength,
|
|
|
|
|
&RetLength);
|
|
|
|
|
if (NT_SUCCESS(Status))
|
|
|
|
|
{
|
|
|
|
|
Ret = (lpGroups->GroupCount != 0);
|
|
|
|
|
}
|
|
|
|
|
else if (Status == STATUS_BUFFER_TOO_SMALL)
|
|
|
|
|
{
|
|
|
|
|
/* looks like the token was modified in the meanwhile, let's just try again */
|
|
|
|
|
|
|
|
|
|
HeapFree(GetProcessHeap(),
|
|
|
|
|
0,
|
|
|
|
|
lpGroups);
|
|
|
|
|
|
|
|
|
|
goto AllocAndReadRestrictedSids;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
SetLastError(RtlNtStatusToDosError(Status));
|
|
|
|
|
}
|
2007-10-19 23:21:45 +00:00
|
|
|
|
2005-06-17 09:46:29 +00:00
|
|
|
/* free allocated memory */
|
|
|
|
|
|
|
|
|
|
HeapFree(GetProcessHeap(),
|
|
|
|
|
0,
|
|
|
|
|
lpGroups);
|
|
|
|
|
|
|
|
|
|
return Ret;
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-19 23:21:45 +00:00
|
|
|
BOOL STDCALL
|
2005-11-14 22:44:36 +00:00
|
|
|
CreateRestrictedToken(
|
|
|
|
|
HANDLE TokenHandle,
|
|
|
|
|
DWORD Flags,
|
|
|
|
|
DWORD DisableSidCount,
|
|
|
|
|
PSID_AND_ATTRIBUTES pSidAndAttributes,
|
|
|
|
|
DWORD DeletePrivilegeCount,
|
|
|
|
|
PLUID_AND_ATTRIBUTES pLUIDAndAttributes,
|
|
|
|
|
DWORD RestrictedSidCount,
|
|
|
|
|
PSID_AND_ATTRIBUTES pSIDAndAttributes,
|
|
|
|
|
PHANDLE NewTokenHandle
|
|
|
|
|
)
|
|
|
|
|
{
|
2007-11-14 07:53:01 +00:00
|
|
|
UNIMPLEMENTED;
|
2005-11-14 22:44:36 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2006-08-27 11:44:21 +00:00
|
|
|
/*
|
|
|
|
|
* @unimplemented
|
|
|
|
|
*/
|
2006-08-29 15:22:53 +00:00
|
|
|
PSID
|
|
|
|
|
WINAPI
|
|
|
|
|
GetSiteSidFromToken(IN HANDLE TokenHandle)
|
2006-08-27 11:44:21 +00:00
|
|
|
{
|
2006-08-29 15:22:53 +00:00
|
|
|
PTOKEN_GROUPS RestrictedSids;
|
|
|
|
|
ULONG RetLen;
|
|
|
|
|
UINT i;
|
|
|
|
|
NTSTATUS Status;
|
|
|
|
|
PSID PSiteSid = NULL;
|
|
|
|
|
SID_IDENTIFIER_AUTHORITY InternetSiteAuthority = {SECURITY_INTERNETSITE_AUTHORITY};
|
|
|
|
|
|
|
|
|
|
Status = NtQueryInformationToken(TokenHandle,
|
|
|
|
|
TokenRestrictedSids,
|
|
|
|
|
NULL,
|
|
|
|
|
0,
|
|
|
|
|
&RetLen);
|
|
|
|
|
if (Status != STATUS_BUFFER_TOO_SMALL)
|
|
|
|
|
{
|
|
|
|
|
SetLastError(RtlNtStatusToDosError(Status));
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
RestrictedSids = (PTOKEN_GROUPS)RtlAllocateHeap(RtlGetProcessHeap(),
|
|
|
|
|
0,
|
|
|
|
|
RetLen);
|
|
|
|
|
if (RestrictedSids == NULL)
|
|
|
|
|
{
|
|
|
|
|
SetLastError(ERROR_OUTOFMEMORY);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Status = NtQueryInformationToken(TokenHandle,
|
|
|
|
|
TokenRestrictedSids,
|
|
|
|
|
RestrictedSids,
|
|
|
|
|
RetLen,
|
|
|
|
|
&RetLen);
|
|
|
|
|
if (NT_SUCCESS(Status))
|
|
|
|
|
{
|
2007-10-19 23:21:45 +00:00
|
|
|
for (i = 0; i < RestrictedSids->GroupCount; i++)
|
2006-08-29 15:22:53 +00:00
|
|
|
{
|
|
|
|
|
SID* RSSid = RestrictedSids->Groups[i].Sid;
|
|
|
|
|
|
|
|
|
|
if (RtlCompareMemory(&(RSSid->IdentifierAuthority),
|
|
|
|
|
&InternetSiteAuthority,
|
|
|
|
|
sizeof(SID_IDENTIFIER_AUTHORITY)) ==
|
|
|
|
|
sizeof(SID_IDENTIFIER_AUTHORITY))
|
|
|
|
|
{
|
|
|
|
|
PSiteSid = RtlAllocateHeap(RtlGetProcessHeap(),
|
|
|
|
|
0,
|
|
|
|
|
RtlLengthSid((RestrictedSids->
|
|
|
|
|
Groups[i]).Sid));
|
2007-10-19 23:21:45 +00:00
|
|
|
if (PSiteSid == NULL)
|
2006-08-29 15:22:53 +00:00
|
|
|
{
|
|
|
|
|
SetLastError(ERROR_OUTOFMEMORY);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
RtlCopySid(RtlLengthSid(RestrictedSids->Groups[i].Sid),
|
|
|
|
|
PSiteSid,
|
|
|
|
|
RestrictedSids->Groups[i].Sid);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
SetLastError(RtlNtStatusToDosError(Status));
|
|
|
|
|
}
|
2006-08-27 11:44:21 +00:00
|
|
|
|
2006-08-29 15:22:53 +00:00
|
|
|
RtlFreeHeap(RtlGetProcessHeap(), 0, RestrictedSids);
|
|
|
|
|
return PSiteSid;
|
|
|
|
|
}
|
2005-11-14 22:44:36 +00:00
|
|
|
|
2008-08-30 20:29:57 +00:00
|
|
|
BOOL
|
|
|
|
|
WINAPI
|
|
|
|
|
CreateProcessWithTokenW(IN HANDLE hToken,
|
|
|
|
|
IN DWORD dwLogonFlags,
|
|
|
|
|
IN LPCWSTR lpApplicationName OPTIONAL,
|
|
|
|
|
IN OUT LPWSTR lpCommandLine OPTIONAL,
|
|
|
|
|
IN DWORD dwCreationFlags,
|
|
|
|
|
IN LPVOID lpEnvironment OPTIONAL,
|
|
|
|
|
IN LPCWSTR lpCurrentDirectory OPTIONAL,
|
|
|
|
|
IN LPSTARTUPINFOW lpStartupInfo,
|
|
|
|
|
OUT LPPROCESS_INFORMATION lpProcessInfo)
|
|
|
|
|
{
|
|
|
|
|
UNIMPLEMENTED;
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
