diff --git a/reactos/dll/win32/lsasrv/database.c b/reactos/dll/win32/lsasrv/database.c
index 2ea60f6b3dc..a196800432d 100644
--- a/reactos/dll/win32/lsasrv/database.c
+++ b/reactos/dll/win32/lsasrv/database.c
@@ -233,6 +233,260 @@ LsapCreateRandomDomainSid(OUT PSID *Sid) } +static NTSTATUS +LsapCreatePolicySd(PSECURITY_DESCRIPTOR *PolicySd, + PULONG PolicySdSize) +{ + SECURITY_DESCRIPTOR AbsoluteSd; + PSECURITY_DESCRIPTOR RelativeSd = NULL; + ULONG RelativeSdSize = 0; + PSID AnonymousSid = NULL; + PSID AdministratorsSid = NULL; + PSID EveryoneSid = NULL; + PSID LocalServiceSid = NULL; + PSID NetworkServiceSid = NULL; + PSID LocalSystemSid = NULL; + PACL Dacl = NULL; + ULONG DaclSize; + NTSTATUS Status; + + if (PolicySd == NULL || PolicySdSize == NULL) + return STATUS_INVALID_PARAMETER; + + *PolicySd = NULL; + *PolicySdSize = 0; + + /* Initialize the SD */ + Status = RtlCreateSecurityDescriptor(&AbsoluteSd, + SECURITY_DESCRIPTOR_REVISION); + if (!NT_SUCCESS(Status)) + return Status; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_ANONYMOUS_LOGON_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &AnonymousSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 2, + SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ADMINS, + 0, + 0, + 0, + 0, + 0, + 0, + &AdministratorsSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&WorldSidAuthority, + 1, + SECURITY_WORLD_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &EveryoneSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_LOCAL_SERVICE_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &LocalServiceSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_NETWORK_SERVICE_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &NetworkServiceSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_LOCAL_SYSTEM_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &LocalSystemSid); + if (!NT_SUCCESS(Status)) + goto done; + + /* Allocate and initialize the DACL */ + DaclSize = sizeof(ACL) + + 
sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(LocalServiceSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(NetworkServiceSid); + + Dacl = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + DaclSize); + if (Dacl == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + goto done; + } + + Status = RtlCreateAcl(Dacl, + DaclSize, + ACL_REVISION); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessDeniedAce(Dacl, + ACL_REVISION, + POLICY_LOOKUP_NAMES, + AnonymousSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_ALL_ACCESS | POLICY_NOTIFICATION, + AdministratorsSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_EXECUTE, + EveryoneSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION, + AnonymousSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_NOTIFICATION, + LocalServiceSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_NOTIFICATION, + NetworkServiceSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd, + TRUE, + Dacl, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd, + LocalSystemSid, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd, + AdministratorsSid, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = 
RtlAbsoluteToSelfRelativeSD(&AbsoluteSd, + RelativeSd, + &RelativeSdSize); + if (Status != STATUS_BUFFER_TOO_SMALL) + goto done; + + RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + RelativeSdSize); + if (RelativeSd == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + goto done; + } + + Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd, + RelativeSd, + &RelativeSdSize); + if (!NT_SUCCESS(Status)) + goto done; + + *PolicySd = RelativeSd; + *PolicySdSize = RelativeSdSize; + +done: + if (Dacl != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl); + + if (AnonymousSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid); + + if (AdministratorsSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid); + + if (EveryoneSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid); + + if (LocalServiceSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid); + + if (NetworkServiceSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid); + + if (LocalSystemSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid); + + if (!NT_SUCCESS(Status)) + { + if (RelativeSd != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd); + } + + return Status; +} + + static NTSTATUS LsapCreateDatabaseObjects(VOID) { @@ -244,6 +498,8 @@ LsapCreateDatabaseObjects(VOID) GUID DnsDomainGuid; PLSA_DB_OBJECT PolicyObject = NULL; PSID AccountDomainSid = NULL; + PSECURITY_DESCRIPTOR PolicySd = NULL; + ULONG PolicySdSize = 0; ULONG AuditEventsCount; ULONG AuditEventsSize; ULONG i; @@ -269,7 +525,7 @@ LsapCreateDatabaseObjects(VOID) AuditEventsCount = AuditCategoryAccountLogon - AuditCategorySystem + 1; AuditEventsSize = sizeof(LSAP_POLICY_AUDIT_EVENTS_DATA) + AuditEventsCount * sizeof(DWORD); AuditEventsInfo = RtlAllocateHeap(RtlGetProcessHeap(), - 0, + HEAP_ZERO_MEMORY, AuditEventsSize); if (AuditEventsInfo == NULL) return STATUS_INSUFFICIENT_RESOURCES; 
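Review bot: In LsapCreatePolicySd the DACL has a deny ACE for the Anonymous SID on `POLICY_LOOKUP_NAMES`, followed later by an allow ACE granting the same SID `POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION`, and nothing in the function says whether that overlap is intended. Because the deny ACE comes first, the lookup bit in the allow ACE should never be granted. A comment above the ACE block such as `/* Anonymous: name lookup is denied first; the later allow ACE effectively grants only POLICY_VIEW_LOCAL_INFORMATION */` would keep a later reorder from silently opening name lookup to anonymous callers. The cleanup at `done:` also releases the six SIDs with `RtlFreeHeap` although they come from `RtlAllocateAndInitializeSid`; `RtlFreeSid(AnonymousSid);` and likewise for the others would match the `RtlFreeSid(AccountDomainSid)` already used in LsapCreateDatabaseObjects. A short header comment stating that the caller owns `*PolicySd` and frees it from the process heap would complete the contract.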
@@ -291,6 +547,11 @@ LsapCreateDatabaseObjects(VOID) if (!NT_SUCCESS(Status)) goto done; + Status = LsapCreatePolicySd(&PolicySd, + &PolicySdSize); + if (!NT_SUCCESS(Status)) + goto done; + /* Open the 'Policy' object */ Status = LsapOpenDbObject(NULL, NULL, @@ -369,6 +630,12 @@ LsapCreateDatabaseObjects(VOID) &DnsDomainGuid, sizeof(GUID)); + /* Set the Sceurity Descriptor */ + LsapSetObjectAttribute(PolicyObject, + L"SecDesc", + PolicySd, + PolicySdSize); + done: if (AuditEventsInfo != NULL) RtlFreeHeap(RtlGetProcessHeap(), 0, AuditEventsInfo); @@ -379,6 +646,9 @@ done: if (AccountDomainSid != NULL) RtlFreeSid(AccountDomainSid); + if (PolicySd != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, PolicySd); + return Status; }
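Review bot: The return value of the new `LsapSetObjectAttribute(PolicyObject, L"SecDesc", ...)` call in the hunk at -369 is discarded, so a failed write leaves the Policy object without a stored security descriptor while LsapCreateDatabaseObjects still returns whatever Status held before. Assigning it, `Status = LsapSetObjectAttribute(PolicyObject, L"SecDesc", PolicySd, PolicySdSize);` followed by `if (!NT_SUCCESS(Status)) goto done;`, would surface the failure. The preceding attribute writes are only partly visible here, so whether they are checked cannot be told from this hunk. The comment above the call also misspells "Security" as "Sceurity". The function body starts outside this hunk.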