[LSASRV][MSV1_0]
- Add default group SIDs to the token groups list (WorldSID aka Everyone and the logon type SID). - Remove these SIDs from the hard-coded list. svn path=/trunk/; revision=61457
This commit is contained in:
parent
8313d9bf2b
commit
20ef076be6
4 changed files with 149 additions and 39 deletions
@ -726,6 +726,128 @@ LsapAddLocalGroups(
|
||||||
return STATUS_SUCCESS;
|
return STATUS_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static
|
||||||
|
NTSTATUS
|
||||||
|
LsapAddDefaultGroups(
|
||||||
|
IN PVOID TokenInformation,
|
||||||
|
IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
|
||||||
|
IN SECURITY_LOGON_TYPE LogonType)
|
||||||
|
{
|
||||||
|
PLSA_TOKEN_INFORMATION_V1 TokenInfo1;
|
||||||
|
PTOKEN_GROUPS Groups;
|
||||||
|
ULONG i, Length;
|
||||||
|
PSID SrcSid;
|
||||||
|
|
||||||
|
if (TokenInformationType == LsaTokenInformationV1)
|
||||||
|
{
|
||||||
|
TokenInfo1 = (PLSA_TOKEN_INFORMATION_V1)TokenInformation;
|
||||||
|
|
||||||
|
if (TokenInfo1->Groups != NULL)
|
||||||
|
{
|
||||||
|
Length = sizeof(TOKEN_GROUPS) +
|
||||||
|
(TokenInfo1->Groups->GroupCount + 2 - ANYSIZE_ARRAY) * sizeof(SID_AND_ATTRIBUTES);
|
||||||
|
|
||||||
|
Groups = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, Length);
|
||||||
|
if (Groups == NULL)
|
||||||
|
{
|
||||||
|
ERR("Group buffer allocation failed!\n");
|
||||||
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
|
}
|
||||||
|
|
||||||
|
Groups->GroupCount = TokenInfo1->Groups->GroupCount;
|
||||||
|
|
||||||
|
for (i = 0; i < TokenInfo1->Groups->GroupCount; i++)
|
||||||
|
{
|
||||||
|
Groups->Groups[i].Sid = TokenInfo1->Groups->Groups[i].Sid;
|
||||||
|
Groups->Groups[i].Attributes = TokenInfo1->Groups->Groups[i].Attributes;
|
||||||
|
}
|
||||||
|
|
||||||
|
RtlFreeHeap(RtlGetProcessHeap(), 0, TokenInfo1->Groups);
|
||||||
|
|
||||||
|
TokenInfo1->Groups = Groups;
|
||||||
|
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
Length = sizeof(TOKEN_GROUPS) +
|
||||||
|
(2 - ANYSIZE_ARRAY) * sizeof(SID_AND_ATTRIBUTES);
|
||||||
|
|
||||||
|
Groups = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, Length);
|
||||||
|
if (Groups == NULL)
|
||||||
|
{
|
||||||
|
ERR("Group buffer allocation failed!\n");
|
||||||
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
|
}
|
||||||
|
|
||||||
|
TokenInfo1->Groups = Groups;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Append the World SID (aka Everyone) */
|
||||||
|
Length = RtlLengthSid(LsapWorldSid);
|
||||||
|
Groups->Groups[Groups->GroupCount].Sid = RtlAllocateHeap(RtlGetProcessHeap(),
|
||||||
|
HEAP_ZERO_MEMORY,
|
||||||
|
Length);
|
||||||
|
if (Groups->Groups[Groups->GroupCount].Sid == NULL)
|
||||||
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
|
|
||||||
|
RtlCopyMemory(Groups->Groups[Groups->GroupCount].Sid,
|
||||||
|
LsapWorldSid,
|
||||||
|
Length);
|
||||||
|
|
||||||
|
Groups->Groups[Groups->GroupCount].Attributes =
|
||||||
|
SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
|
||||||
|
|
||||||
|
Groups->GroupCount++;
|
||||||
|
|
||||||
|
/* Append the logon type SID */
|
||||||
|
switch (LogonType)
|
||||||
|
{
|
||||||
|
case Interactive:
|
||||||
|
SrcSid = LsapInteractiveSid;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Network:
|
||||||
|
SrcSid = LsapNetworkSid;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Batch:
|
||||||
|
SrcSid = LsapBatchSid;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case Service:
|
||||||
|
SrcSid = LsapServiceSid;
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
FIXME("LogonType %d is not supported!\n", LogonType);
|
||||||
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
|
}
|
||||||
|
|
||||||
|
Length = RtlLengthSid(SrcSid);
|
||||||
|
Groups->Groups[Groups->GroupCount].Sid = RtlAllocateHeap(RtlGetProcessHeap(),
|
||||||
|
HEAP_ZERO_MEMORY,
|
||||||
|
Length);
|
||||||
|
if (Groups->Groups[Groups->GroupCount].Sid == NULL)
|
||||||
|
return STATUS_INSUFFICIENT_RESOURCES;
|
||||||
|
|
||||||
|
RtlCopyMemory(Groups->Groups[Groups->GroupCount].Sid,
|
||||||
|
SrcSid,
|
||||||
|
Length);
|
||||||
|
|
||||||
|
Groups->Groups[Groups->GroupCount].Attributes =
|
||||||
|
SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
|
||||||
|
|
||||||
|
Groups->GroupCount++;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
FIXME("TokenInformationType %d is not supported!\n", TokenInformationType);
|
||||||
|
return STATUS_NOT_IMPLEMENTED;
|
||||||
|
}
|
||||||
|
|
||||||
|
return STATUS_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
static
|
static
|
||||||
NTSTATUS
|
NTSTATUS
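Review bot: An unsupported LogonType is rejected only after `TokenInfo1->Groups` has already been replaced and the World SID appended (the `default:` branch at `FIXME("LogonType %d is not supported!\n", LogonType)` returns STATUS_NOT_IMPLEMENTED without undoing that), so on failure the caller is left with a half-updated TokenInformation whose new Groups array and SID copy must be released by the `done:` path, which lies outside this hunk. Since LogonType is copied straight from `RequestMsg->LogonUser.Request.LogonType` in the LsapLogonUser hunk below, a caller-supplied value reaches this branch. Running the switch that resolves `SrcSid` before the first allocation, and returning early when it fails, keeps the input validation ahead of any mutation, so the only remaining failure points are the two allocations and they then leave a consistently owned array behind. A header comment would also make the ownership contract explicit: `/* Replaces TokenInfo1->Groups with a heap copy sized for two extra entries; the appended SIDs are heap copies owned by the token information, and the old array is freed here. */`.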
|
||||||
|
@ -832,11 +954,13 @@ LsapLogonUser(PLSA_API_MSG RequestMsg,
|
||||||
HANDLE TokenHandle = NULL;
|
HANDLE TokenHandle = NULL;
|
||||||
ULONG i;
|
ULONG i;
|
||||||
ULONG PackageId;
|
ULONG PackageId;
|
||||||
|
SECURITY_LOGON_TYPE LogonType;
|
||||||
NTSTATUS Status;
|
NTSTATUS Status;
|
||||||
|
|
||||||
TRACE("(%p %p)\n", RequestMsg, LogonContext);
|
TRACE("(%p %p)\n", RequestMsg, LogonContext);
|
||||||
|
|
||||||
PackageId = RequestMsg->LogonUser.Request.AuthenticationPackage;
|
PackageId = RequestMsg->LogonUser.Request.AuthenticationPackage;
|
||||||
|
LogonType = RequestMsg->LogonUser.Request.LogonType;
|
||||||
|
|
||||||
/* Get the right authentication package */
|
/* Get the right authentication package */
|
||||||
Package = LsapGetAuthenticationPackage(PackageId);
|
Package = LsapGetAuthenticationPackage(PackageId);
|
||||||
|
@ -959,6 +1083,15 @@ LsapLogonUser(PLSA_API_MSG RequestMsg,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Status = LsapAddDefaultGroups(TokenInformation,
|
||||||
|
TokenInformationType,
|
||||||
|
LogonType);
|
||||||
|
if (!NT_SUCCESS(Status))
|
||||||
|
{
|
||||||
|
ERR("LsapAddDefaultGroups() failed (Status 0x%08lx)\n", Status);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
Status = LsapSetTokenOwner(TokenInformation,
|
Status = LsapSetTokenOwner(TokenInformation,
|
||||||
TokenInformationType);
|
TokenInformationType);
|
||||||
if (!NT_SUCCESS(Status))
|
if (!NT_SUCCESS(Status))
|
||||||
|
|
|
@ -80,6 +80,11 @@ typedef struct _WELL_KNOWN_SID
|
||||||
|
|
||||||
|
|
||||||
LIST_ENTRY WellKnownSidListHead;
|
LIST_ENTRY WellKnownSidListHead;
|
||||||
|
PSID LsapWorldSid = NULL;
|
||||||
|
PSID LsapNetworkSid = NULL;
|
||||||
|
PSID LsapBatchSid = NULL;
|
||||||
|
PSID LsapInteractiveSid = NULL;
|
||||||
|
PSID LsapServiceSid = NULL;
|
||||||
PSID LsapLocalSystemSid = NULL;
|
PSID LsapLocalSystemSid = NULL;
|
||||||
PSID LsapAdministratorsSid = NULL;
|
PSID LsapAdministratorsSid = NULL;
|
||||||
|
|
||||||
|
@ -215,7 +220,7 @@ LsapInitSids(VOID)
|
||||||
szAccountName,
|
szAccountName,
|
||||||
L"",
|
L"",
|
||||||
SidTypeWellKnownGroup,
|
SidTypeWellKnownGroup,
|
||||||
NULL);
|
&LsapWorldSid);
|
||||||
|
|
||||||
/* Local Sid */
|
/* Local Sid */
|
||||||
LsapLoadString(hInstance, IDS_LOCAL_RID, szAccountName, 80);
|
LsapLoadString(hInstance, IDS_LOCAL_RID, szAccountName, 80);
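Review bot: The SID returned through `&LsapWorldSid` is consumed unchecked by LsapAddDefaultGroups (`RtlLengthSid(LsapWorldSid)` and the RtlCopyMemory from it), so if the creating call fails and leaves the global NULL, every later logon dereferences a null SID instead of failing cleanly; the same applies to the Network, Batch, Interactive and Service hunks that follow. The call whose status would need checking begins above this hunk, so whether LsapInitSids already tests it cannot be seen here. If it does not, a null check at the consumer, `if (LsapWorldSid == NULL) return STATUS_UNSUCCESSFUL;` placed before `Length = RtlLengthSid(LsapWorldSid);` (and the equivalent for `SrcSid`), turns the crash into an explicit logon failure.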
|
||||||
|
@ -300,7 +305,7 @@ LsapInitSids(VOID)
|
||||||
szAccountName,
|
szAccountName,
|
||||||
szDomainName,
|
szDomainName,
|
||||||
SidTypeWellKnownGroup,
|
SidTypeWellKnownGroup,
|
||||||
NULL);
|
&LsapNetworkSid);
|
||||||
|
|
||||||
/* Batch Sid*/
|
/* Batch Sid*/
|
||||||
LsapLoadString(hInstance, IDS_BATCH_RID, szAccountName, 80);
|
LsapLoadString(hInstance, IDS_BATCH_RID, szAccountName, 80);
|
||||||
|
@ -312,7 +317,7 @@ LsapInitSids(VOID)
|
||||||
szAccountName,
|
szAccountName,
|
||||||
szDomainName,
|
szDomainName,
|
||||||
SidTypeWellKnownGroup,
|
SidTypeWellKnownGroup,
|
||||||
NULL);
|
&LsapBatchSid);
|
||||||
|
|
||||||
/* Interactive Sid */
|
/* Interactive Sid */
|
||||||
LsapLoadString(hInstance, IDS_INTERACTIVE_RID, szAccountName, 80);
|
LsapLoadString(hInstance, IDS_INTERACTIVE_RID, szAccountName, 80);
|
||||||
|
@ -324,7 +329,7 @@ LsapInitSids(VOID)
|
||||||
szAccountName,
|
szAccountName,
|
||||||
szDomainName,
|
szDomainName,
|
||||||
SidTypeWellKnownGroup,
|
SidTypeWellKnownGroup,
|
||||||
NULL);
|
&LsapInteractiveSid);
|
||||||
|
|
||||||
/* Service Sid */
|
/* Service Sid */
|
||||||
LsapLoadString(hInstance, IDS_SERVICE_RID, szAccountName, 80);
|
LsapLoadString(hInstance, IDS_SERVICE_RID, szAccountName, 80);
|
||||||
|
@ -336,7 +341,7 @@ LsapInitSids(VOID)
|
||||||
szAccountName,
|
szAccountName,
|
||||||
szDomainName,
|
szDomainName,
|
||||||
SidTypeWellKnownGroup,
|
SidTypeWellKnownGroup,
|
||||||
NULL);
|
&LsapServiceSid);
|
||||||
|
|
||||||
/* Anonymous Logon Sid */
|
/* Anonymous Logon Sid */
|
||||||
LsapLoadString(hInstance, IDS_ANONYMOUS_LOGON_RID, szAccountName, 80);
|
LsapLoadString(hInstance, IDS_ANONYMOUS_LOGON_RID, szAccountName, 80);
|
||||||
|
|
|
@ -91,6 +91,11 @@ extern UNICODE_STRING BuiltinDomainName;
|
||||||
extern PSID AccountDomainSid;
|
extern PSID AccountDomainSid;
|
||||||
extern UNICODE_STRING AccountDomainName;
|
extern UNICODE_STRING AccountDomainName;
|
||||||
|
|
||||||
|
extern PSID LsapWorldSid;
|
||||||
|
extern PSID LsapNetworkSid;
|
||||||
|
extern PSID LsapBatchSid;
|
||||||
|
extern PSID LsapInteractiveSid;
|
||||||
|
extern PSID LsapServiceSid;
|
||||||
extern PSID LsapLocalSystemSid;
|
extern PSID LsapLocalSystemSid;
|
||||||
extern PSID LsapAdministratorsSid;
|
extern PSID LsapAdministratorsSid;
|
||||||
|
|
||||||
|
|
|
@ -273,10 +273,9 @@ BuildTokenGroups(IN PSID AccountDomainSid,
|
||||||
OUT PTOKEN_GROUPS *Groups,
|
OUT PTOKEN_GROUPS *Groups,
|
||||||
OUT PSID *PrimaryGroupSid)
|
OUT PSID *PrimaryGroupSid)
|
||||||
{
|
{
|
||||||
SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};
|
|
||||||
SID_IDENTIFIER_AUTHORITY SystemAuthority = {SECURITY_NT_AUTHORITY};
|
SID_IDENTIFIER_AUTHORITY SystemAuthority = {SECURITY_NT_AUTHORITY};
|
||||||
PTOKEN_GROUPS TokenGroups;
|
PTOKEN_GROUPS TokenGroups;
|
||||||
#define MAX_GROUPS 6
|
#define MAX_GROUPS 4
|
||||||
DWORD GroupCount = 0;
|
DWORD GroupCount = 0;
|
||||||
PSID Sid;
|
PSID Sid;
|
||||||
NTSTATUS Status = STATUS_SUCCESS;
|
NTSTATUS Status = STATUS_SUCCESS;
|
||||||
|
@ -301,22 +300,6 @@ BuildTokenGroups(IN PSID AccountDomainSid,
|
||||||
*PrimaryGroupSid = Sid;
|
*PrimaryGroupSid = Sid;
|
||||||
GroupCount++;
|
GroupCount++;
|
||||||
|
|
||||||
/* Member of 'Everyone' */
|
|
||||||
RtlAllocateAndInitializeSid(&WorldAuthority,
|
|
||||||
1,
|
|
||||||
SECURITY_WORLD_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
&Sid);
|
|
||||||
TokenGroups->Groups[GroupCount].Sid = Sid;
|
|
||||||
TokenGroups->Groups[GroupCount].Attributes =
|
|
||||||
SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
|
|
||||||
GroupCount++;
|
|
||||||
|
|
||||||
#if 1
|
#if 1
|
||||||
/* Member of 'Administrators' */
|
/* Member of 'Administrators' */
|
||||||
|
@ -356,22 +339,6 @@ BuildTokenGroups(IN PSID AccountDomainSid,
|
||||||
SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
|
SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
|
||||||
GroupCount++;
|
GroupCount++;
|
||||||
|
|
||||||
/* Member of 'Interactive users' */
|
|
||||||
RtlAllocateAndInitializeSid(&SystemAuthority,
|
|
||||||
1,
|
|
||||||
SECURITY_INTERACTIVE_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
SECURITY_NULL_RID,
|
|
||||||
&Sid);
|
|
||||||
TokenGroups->Groups[GroupCount].Sid = Sid;
|
|
||||||
TokenGroups->Groups[GroupCount].Attributes =
|
|
||||||
SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
|
|
||||||
GroupCount++;
|
|
||||||
|
|
||||||
/* Member of 'Authenticated users' */
|
/* Member of 'Authenticated users' */
|
||||||
RtlAllocateAndInitializeSid(&SystemAuthority,
|
RtlAllocateAndInitializeSid(&SystemAuthority,
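Review bot: `MAX_GROUPS` is reduced to 4 to match the two removed entries, but nothing ties that constant to the number of `TokenGroups->Groups[GroupCount]` appends that remain (the 'Authenticated users' append here plus those outside the hunk), so a future append silently overruns the array. A comment next to the define, `/* MAX_GROUPS must equal the number of Groups[] appends below; Everyone and the logon-type SID are now added by LSASRV in LsapAddDefaultGroups */`, records both the invariant and why Everyone and Interactive are no longer listed in this package, and a bounds assertion before each append would make the invariant active. The 'Administrators' block kept under `#if 1` on the context lines above is not changed by this commit, but it is worth confirming separately that it is not still applied to every token this package builds.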
|
||||||
|
|