Create a security descriptor for the policy object and store it as the attribute "SecDesc".

svn path=/trunk/; revision=57733
Eric Kohl 2012-11-18 15:19:14 +00:00
parent 59ce999f95
commit 4a3e29dc6c


@ -233,6 +233,260 @@ LsapCreateRandomDomainSid(OUT PSID *Sid)
}
static NTSTATUS
LsapCreatePolicySd(PSECURITY_DESCRIPTOR *PolicySd,
PULONG PolicySdSize)
{
SECURITY_DESCRIPTOR AbsoluteSd;
PSECURITY_DESCRIPTOR RelativeSd = NULL;
ULONG RelativeSdSize = 0;
PSID AnonymousSid = NULL;
PSID AdministratorsSid = NULL;
PSID EveryoneSid = NULL;
PSID LocalServiceSid = NULL;
PSID NetworkServiceSid = NULL;
PSID LocalSystemSid = NULL;
PACL Dacl = NULL;
ULONG DaclSize;
NTSTATUS Status;
if (PolicySd == NULL || PolicySdSize == NULL)
return STATUS_INVALID_PARAMETER;
*PolicySd = NULL;
*PolicySdSize = 0;
/* Initialize the SD */
Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
SECURITY_DESCRIPTOR_REVISION);
if (!NT_SUCCESS(Status))
return Status;
Status = RtlAllocateAndInitializeSid(&NtAuthority,
1,
SECURITY_ANONYMOUS_LOGON_RID,
0,
0,
0,
0,
0,
0,
0,
&AnonymousSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAllocateAndInitializeSid(&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0,
0,
0,
0,
0,
0,
&AdministratorsSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
1,
SECURITY_WORLD_RID,
0,
0,
0,
0,
0,
0,
0,
&EveryoneSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAllocateAndInitializeSid(&NtAuthority,
1,
SECURITY_LOCAL_SERVICE_RID,
0,
0,
0,
0,
0,
0,
0,
&LocalServiceSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAllocateAndInitializeSid(&NtAuthority,
1,
SECURITY_NETWORK_SERVICE_RID,
0,
0,
0,
0,
0,
0,
0,
&NetworkServiceSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAllocateAndInitializeSid(&NtAuthority,
1,
SECURITY_LOCAL_SYSTEM_RID,
0,
0,
0,
0,
0,
0,
0,
&LocalSystemSid);
if (!NT_SUCCESS(Status))
goto done;
/* Allocate and initialize the DACL */
DaclSize = sizeof(ACL) +
sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) +
sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(LocalServiceSid) +
sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(NetworkServiceSid);
Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
DaclSize);
if (Dacl == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto done;
}
Status = RtlCreateAcl(Dacl,
DaclSize,
ACL_REVISION);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessDeniedAce(Dacl,
ACL_REVISION,
POLICY_LOOKUP_NAMES,
AnonymousSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
POLICY_ALL_ACCESS | POLICY_NOTIFICATION,
AdministratorsSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
POLICY_EXECUTE,
EveryoneSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,
AnonymousSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
POLICY_NOTIFICATION,
LocalServiceSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
POLICY_NOTIFICATION,
NetworkServiceSid);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
TRUE,
Dacl,
FALSE);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
LocalSystemSid,
FALSE);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
AdministratorsSid,
FALSE);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
RelativeSd,
&RelativeSdSize);
if (Status != STATUS_BUFFER_TOO_SMALL)
goto done;
RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
RelativeSdSize);
if (RelativeSd == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto done;
}
Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
RelativeSd,
&RelativeSdSize);
if (!NT_SUCCESS(Status))
goto done;
*PolicySd = RelativeSd;
*PolicySdSize = RelativeSdSize;
done:
if (Dacl != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
if (AnonymousSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid);
if (AdministratorsSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
if (EveryoneSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
if (LocalServiceSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid);
if (NetworkServiceSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid);
if (LocalSystemSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
if (!NT_SUCCESS(Status))
{
if (RelativeSd != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
}
return Status;
}
static NTSTATUS
LsapCreateDatabaseObjects(VOID)
{
@ -244,6 +498,8 @@ LsapCreateDatabaseObjects(VOID)
GUID DnsDomainGuid;
PLSA_DB_OBJECT PolicyObject = NULL;
PSID AccountDomainSid = NULL;
PSECURITY_DESCRIPTOR PolicySd = NULL;
ULONG PolicySdSize = 0;
ULONG AuditEventsCount;
ULONG AuditEventsSize;
ULONG i;
@ -269,7 +525,7 @@ LsapCreateDatabaseObjects(VOID)
AuditEventsCount = AuditCategoryAccountLogon - AuditCategorySystem + 1;
AuditEventsSize = sizeof(LSAP_POLICY_AUDIT_EVENTS_DATA) + AuditEventsCount * sizeof(DWORD);
AuditEventsInfo = RtlAllocateHeap(RtlGetProcessHeap(),
0,
HEAP_ZERO_MEMORY,
AuditEventsSize);
if (AuditEventsInfo == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
@ -291,6 +547,11 @@ LsapCreateDatabaseObjects(VOID)
if (!NT_SUCCESS(Status))
goto done;
Status = LsapCreatePolicySd(&PolicySd,
&PolicySdSize);
if (!NT_SUCCESS(Status))
goto done;
/* Open the 'Policy' object */
Status = LsapOpenDbObject(NULL,
NULL,
@ -369,6 +630,12 @@ LsapCreateDatabaseObjects(VOID)
&DnsDomainGuid,
sizeof(GUID));
/* Set the Sceurity Descriptor */
LsapSetObjectAttribute(PolicyObject,
L"SecDesc",
PolicySd,
PolicySdSize);
done:
if (AuditEventsInfo != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, AuditEventsInfo);
@ -379,6 +646,9 @@ done:
if (AccountDomainSid != NULL)
RtlFreeSid(AccountDomainSid);
if (PolicySd != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, PolicySd);
return Status;
}
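Review bot: The result of `LsapSetObjectAttribute(PolicyObject, L"SecDesc", PolicySd, PolicySdSize);` near the end of LsapCreateDatabaseObjects is discarded, so if writing the attribute fails the Policy object is created without the descriptor that LsapCreatePolicySd just built (including the deny ACE for the anonymous logon SID) and the function still returns success; if that call returns an NTSTATUS like the other Lsap* calls in this function, I would write `Status = LsapSetObjectAttribute(PolicyObject, L"SecDesc", PolicySd, PolicySdSize);` followed by `if (!NT_SUCCESS(Status)) goto done;`. The neighbouring attribute writes visible in the context appear to be unchecked as well, so this may be the file's existing pattern, but the security descriptor is the one write worth treating as fatal. Separately, the done: block of LsapCreatePolicySd releases the SIDs obtained from RtlAllocateAndInitializeSid with RtlFreeHeap, while the cleanup added at the bottom of LsapCreateDatabaseObjects uses RtlFreeSid for AccountDomainSid; using RtlFreeSid in both places keeps each release paired with its allocator and reads consistently. The new comment `/* Set the Sceurity Descriptor */` has a typo and should read `/* Set the Security Descriptor */`.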