From 3dc69167c99d682687a6a0628a3568c856e105ca Mon Sep 17 00:00:00 2001 From: Eric Kohl Date: Wed, 25 Dec 2013 18:15:53 +0000 Subject: [PATCH] [][LSASRV][MSV1_0] - Move the creation of the token owner SID from msv1_0 to lsasrv. - If the user is a member of the administrators group, the adminstrators group becomes the owner of the token. Otheriwse, the user is the owner of the token. svn path=/trunk/; revision=61415 --- reactos/dll/win32/lsasrv/authpackage.c | 48 ++++++++++++++++++++++++++ reactos/dll/win32/lsasrv/lookup.c | 3 +- reactos/dll/win32/lsasrv/lsasrv.h | 1 + reactos/dll/win32/msv1_0/msv1_0.c | 41 ++-------------------- 4 files changed, 53 insertions(+), 40 deletions(-) diff --git a/reactos/dll/win32/lsasrv/authpackage.c b/reactos/dll/win32/lsasrv/authpackage.c index 6eea470e30e..c649d78aa2a 100644 --- a/reactos/dll/win32/lsasrv/authpackage.c +++ b/reactos/dll/win32/lsasrv/authpackage.c @@ -643,6 +643,47 @@ done: } +static +NTSTATUS +LsapSetTokenOwner( + IN PVOID TokenInformation, + IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType) +{ + PLSA_TOKEN_INFORMATION_V1 TokenInfo1; + PSID OwnerSid = NULL; + ULONG i, Length; + + if (TokenInformationType == LsaTokenInformationV1) + { + TokenInfo1 = (PLSA_TOKEN_INFORMATION_V1)TokenInformation; + + if (TokenInfo1->Owner.Owner != NULL) + return STATUS_SUCCESS; + + OwnerSid = TokenInfo1->User.User.Sid; + for (i = 0; i < TokenInfo1->Groups->GroupCount; i++) + { + if (EqualSid(TokenInfo1->Groups->Groups[i].Sid, LsapAdministratorsSid)) + { + OwnerSid = LsapAdministratorsSid; + break; + } + } + + Length = RtlLengthSid(OwnerSid); + TokenInfo1->Owner.Owner = DispatchTable.AllocateLsaHeap(Length); + if (TokenInfo1->Owner.Owner == NULL) + return STATUS_INSUFFICIENT_RESOURCES; + + RtlCopyMemory(TokenInfo1->Owner.Owner, + OwnerSid, + Length); + } + + return STATUS_SUCCESS; +} + + static NTSTATUS LsapAddTokenDefaultDacl( 
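Review bot: The `for` loop in LsapSetTokenOwner reads `TokenInfo1->Groups->GroupCount` without checking `TokenInfo1->Groups` for NULL. The token information presumably comes from whichever authentication package handled the logon, so a package that supplies no group list would fault inside lsasrv; wrap the loop in `if (TokenInfo1->Groups != NULL)`. The match also ignores `Groups[i].Attributes`, so an Administrators entry marked deny-only would still become the owner; consider adding `!(TokenInfo1->Groups->Groups[i].Attributes & SE_GROUP_USE_FOR_DENY_ONLY)` to the `if`. A short comment above the function should state the rule (Administrators if the user is a member, otherwise the user) and that an owner already set by the package is left untouched.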
@@ -821,6 +862,13 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, goto done; } + Status = LsapSetTokenOwner(TokenInformation, + TokenInformationType); + if (!NT_SUCCESS(Status)) + { + ERR("LsapSetTokenOwner() failed (Status 0x%08lx)\n", Status); + goto done; + } Status = LsapAddTokenDefaultDacl(TokenInformation, TokenInformationType); diff --git a/reactos/dll/win32/lsasrv/lookup.c b/reactos/dll/win32/lsasrv/lookup.c index d7f6f2f1072..937594d1ac1 100644 --- a/reactos/dll/win32/lsasrv/lookup.c +++ b/reactos/dll/win32/lsasrv/lookup.c @@ -81,6 +81,7 @@ typedef struct _WELL_KNOWN_SID LIST_ENTRY WellKnownSidListHead; PSID LsapLocalSystemSid = NULL; +PSID LsapAdministratorsSid = NULL; /* FUNCTIONS ***************************************************************/ @@ -521,7 +522,7 @@ LsapInitSids(VOID) szAccountName, szDomainName, SidTypeAlias, - NULL); + &LsapAdministratorsSid); /* Users Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_USERS, szAccountName, 80); diff --git a/reactos/dll/win32/lsasrv/lsasrv.h b/reactos/dll/win32/lsasrv/lsasrv.h index 16c7b3c7db4..50a449e64d3 100644 --- a/reactos/dll/win32/lsasrv/lsasrv.h +++ b/reactos/dll/win32/lsasrv/lsasrv.h @@ -92,6 +92,7 @@ extern PSID AccountDomainSid; extern UNICODE_STRING AccountDomainName; extern PSID LsapLocalSystemSid; +extern PSID LsapAdministratorsSid; /* authpackage.c */ diff --git a/reactos/dll/win32/msv1_0/msv1_0.c b/reactos/dll/win32/msv1_0/msv1_0.c index 921aa6f7b5f..7b152843bc4 100644 --- a/reactos/dll/win32/msv1_0/msv1_0.c +++ b/reactos/dll/win32/msv1_0/msv1_0.c @@ -271,8 +271,7 @@ NTSTATUS BuildTokenGroups(IN PSID AccountDomainSid, IN PLUID LogonId, OUT PTOKEN_GROUPS *Groups, - OUT PSID *PrimaryGroupSid, - OUT PSID *OwnerSid) + OUT PSID *PrimaryGroupSid) { SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY}; SID_IDENTIFIER_AUTHORITY LocalAuthority = {SECURITY_LOCAL_SID_AUTHORITY}; 
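Review bot: In lookup.c's LsapInitSids, nothing visible in the hunk checks that the call now receiving `&LsapAdministratorsSid` actually produced a SID; the start of that call and any handling of its result lie outside the hunk. If it can fail, the global stays NULL and LsapSetTokenOwner in authpackage.c passes it to `EqualSid` on every logon. Either fail initialisation when the SID is not created, or write the comparison as `LsapAdministratorsSid != NULL && EqualSid(...)`.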
@@ -374,7 +373,6 @@ BuildTokenGroups(IN PSID AccountDomainSid, TokenGroups->Groups[GroupCount].Attributes = SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY | SE_GROUP_LOGON_ID; GroupCount++; - *OwnerSid = Sid; /* Member of 'Local users */ RtlAllocateAndInitializeSid(&LocalAuthority, @@ -546,31 +544,6 @@ done: } -static -NTSTATUS -BuildTokenOwner(PTOKEN_OWNER Owner, - PSID OwnerSid) -{ - ULONG RidCount; - ULONG Size; - - RidCount = *RtlSubAuthorityCountSid(OwnerSid); - Size = RtlLengthRequiredSid(RidCount); - - Owner->Owner = DispatchTable.AllocateLsaHeap(Size); - if (Owner->Owner == NULL) - { - return STATUS_INSUFFICIENT_RESOURCES; - } - - RtlCopyMemory(Owner->Owner, - OwnerSid, - Size); - - return STATUS_SUCCESS; -} - - static NTSTATUS BuildTokenInformationBuffer(PLSA_TOKEN_INFORMATION_V1 *TokenInformation, @@ -579,7 +552,6 @@ BuildTokenInformationBuffer(PLSA_TOKEN_INFORMATION_V1 *TokenInformation, PLUID LogonId) { PLSA_TOKEN_INFORMATION_V1 Buffer = NULL; - PSID OwnerSid = NULL; PSID PrimaryGroupSid = NULL; ULONG i; NTSTATUS Status = STATUS_SUCCESS; @@ -604,8 +576,7 @@ BuildTokenInformationBuffer(PLSA_TOKEN_INFORMATION_V1 *TokenInformation, Status = BuildTokenGroups((PSID)AccountDomainSid, LogonId, &Buffer->Groups, - &PrimaryGroupSid, - &OwnerSid); + &PrimaryGroupSid); if (!NT_SUCCESS(Status)) goto done; @@ -618,11 +589,6 @@ BuildTokenInformationBuffer(PLSA_TOKEN_INFORMATION_V1 *TokenInformation, if (!NT_SUCCESS(Status)) goto done; - Status = BuildTokenOwner(&Buffer->Owner, - OwnerSid); - if (!NT_SUCCESS(Status)) - goto done; - *TokenInformation = Buffer; done: @@ -650,9 +616,6 @@ done: if (Buffer->Privileges != NULL) DispatchTable.FreeLsaHeap(Buffer->Privileges); - if (Buffer->Owner.Owner != NULL) - DispatchTable.FreeLsaHeap(Buffer->Owner.Owner); - if (Buffer->DefaultDacl.DefaultDacl != NULL) DispatchTable.FreeLsaHeap(Buffer->DefaultDacl.DefaultDacl);
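Review bot: In msv1_0.c's BuildTokenInformationBuffer, `Buffer->Owner.Owner` is no longer written by this package, while the new LsapSetTokenOwner in lsasrv treats any non-NULL value there as an owner that was already chosen. The allocation of `Buffer` is outside these hunks, so confirm that it is zero-filled. If it is not, add `Buffer->Owner.Owner = NULL;` after the allocation with a comment such as `/* Owner is filled in by lsasrv (LsapSetTokenOwner) */`. Otherwise an uninitialised pointer would be taken as the token owner SID.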