From 66f17acd8f4e2415f41d8baad5faa4cf127a83b6 Mon Sep 17 00:00:00 2001
From: Eric Kohl
Date: Sat, 3 Jul 2010 22:51:44 +0000
Subject: [PATCH] [ADVAPI32/LSASRV] - Implement LookupPrivilegeValueW and LsaLookupPrivilegeValue. - Move lookup code from LookupPrivilegeValueW to LsarLookupPrivilegeValue.
svn path=/trunk/; revision=47934
---
 reactos/dll/win32/advapi32/advapi32.spec | 2 +-
 reactos/dll/win32/advapi32/sec/lsa.c | 31 ++++++++
 reactos/dll/win32/advapi32/sec/misc.c | 94 ++++++++---------------
 reactos/dll/win32/lsasrv/lsarpc.c | 95 +++++++++++++++++++++---
 reactos/include/psdk/ntsecapi.h | 1 +
 5 files changed, 148 insertions(+), 75 deletions(-)
diff --git a/reactos/dll/win32/advapi32/advapi32.spec b/reactos/dll/win32/advapi32/advapi32.spec
index 7965b2fcb90..a3ade3aaa0a 100644
--- a/reactos/dll/win32/advapi32/advapi32.spec
+++ b/reactos/dll/win32/advapi32/advapi32.spec
@@ -374,7 +374,7 @@
 @ stdcall LsaLookupNames2(ptr long long ptr ptr ptr)
 @ stub LsaLookupPrivilegeDisplayName
 @ stub LsaLookupPrivilegeName
-@ stub LsaLookupPrivilegeValue
+@ stdcall LsaLookupPrivilegeValue(ptr ptr ptr)
 @ stdcall LsaLookupSids(ptr long ptr ptr ptr)
 @ stdcall LsaNtStatusToWinError(long)
 @ stub LsaOpenAccount
diff --git a/reactos/dll/win32/advapi32/sec/lsa.c b/reactos/dll/win32/advapi32/sec/lsa.c
index 8a06d9d8bc0..6c34400e498 100644
--- a/reactos/dll/win32/advapi32/sec/lsa.c
+++ b/reactos/dll/win32/advapi32/sec/lsa.c
@@ -396,6 +396,37 @@ LsaLookupNames2(
 return STATUS_NONE_MAPPED;
 }
+/*
+ * @implemented
+ */
+NTSTATUS
+WINAPI
+LsaLookupPrivilegeValue(IN LSA_HANDLE PolicyHandle,
+ IN PLSA_UNICODE_STRING Name,
+ OUT PLUID Value)
+{
+ LUID Luid;
+ NTSTATUS Status;
+
+ FIXME("(%p,%p,%p) stub\n", PolicyHandle, Name, Value);
+
+ RpcTryExcept
+ {
+ Status = LsarLookupPrivilegeValue(PolicyHandle,
+ (PRPC_UNICODE_STRING)Name,
+ &Luid);
+ if (Status == STATUS_SUCCESS)
+ *Value = Luid;
+ }
+ RpcExcept(EXCEPTION_EXECUTE_HANDLER)
+ {
+ Status = I_RpcMapWin32Status(RpcExceptionCode());
+ }
+ RpcEndExcept;
+
+ return Status;
+}
+
 /*
 * @unimplemented
 */
diff --git a/reactos/dll/win32/advapi32/sec/misc.c b/reactos/dll/win32/advapi32/sec/misc.c
index 6d5974cfe07..f8fb3832f2e 100644
--- a/reactos/dll/win32/advapi32/sec/misc.c
+++ b/reactos/dll/win32/advapi32/sec/misc.c
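Review bot: The `FIXME("(%p,%p,%p) stub\n", ...)` call at the top of LsaLookupPrivilegeValue no longer matches the function, which is marked `@implemented` and forwards to LsarLookupPrivilegeValue, so every lookup logs a misleading "stub" message. I would replace it with `TRACE("(%p,%p,%p)\n", PolicyHandle, Name, Value);`. A one-line comment that `*Value` is written only when the RPC call returns STATUS_SUCCESS would also state the contract for callers.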
@@ -1409,81 +1409,51 @@ LookupPrivilegeValueA(LPCSTR lpSystemName,
 /**********************************************************************
- * LookupPrivilegeValueW EXPORTED
+ * LookupPrivilegeValueW
 *
- * @unimplemented
+ * @implemented
 */
 BOOL
 WINAPI
-LookupPrivilegeValueW(LPCWSTR SystemName,
- LPCWSTR PrivName,
- PLUID Luid)
+LookupPrivilegeValueW(LPCWSTR lpSystemName,
+ LPCWSTR lpPrivilegeName,
+ PLUID lpLuid)
 {
- static const WCHAR * const DefaultPrivNames[] =
- {
- L"SeCreateTokenPrivilege",
- L"SeAssignPrimaryTokenPrivilege",
- L"SeLockMemoryPrivilege",
- L"SeIncreaseQuotaPrivilege",
- L"SeMachineAccountPrivilege",
- L"SeTcbPrivilege",
- L"SeSecurityPrivilege",
- L"SeTakeOwnershipPrivilege",
- L"SeLoadDriverPrivilege",
- L"SeSystemProfilePrivilege",
- L"SeSystemtimePrivilege",
- L"SeProfileSingleProcessPrivilege",
- L"SeIncreaseBasePriorityPrivilege",
- L"SeCreatePagefilePrivilege",
- L"SeCreatePermanentPrivilege",
- L"SeBackupPrivilege",
- L"SeRestorePrivilege",
- L"SeShutdownPrivilege",
- L"SeDebugPrivilege",
- L"SeAuditPrivilege",
- L"SeSystemEnvironmentPrivilege",
- L"SeChangeNotifyPrivilege",
- L"SeRemoteShutdownPrivilege",
- L"SeUndockPrivilege",
- L"SeSyncAgentPrivilege",
- L"SeEnableDelegationPrivilege",
- L"SeManageVolumePrivilege",
- L"SeImpersonatePrivilege",
- L"SeCreateGlobalPrivilege"
- };
- unsigned Priv;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes = {0};
+ LSA_UNICODE_STRING SystemName;
+ LSA_UNICODE_STRING PrivilegeName;
+ LSA_HANDLE PolicyHandle = NULL;
+ NTSTATUS Status;
- if (!ADVAPI_IsLocalComputer(SystemName))
+ RtlInitUnicodeString(&SystemName,
+ lpSystemName);
+
+ Status = LsaOpenPolicy(lpSystemName ?
&SystemName : NULL,
+ &ObjectAttributes,
+ POLICY_LOOKUP_NAMES,
+ &PolicyHandle);
+ if (!NT_SUCCESS(Status))
 {
- SetLastError(RPC_S_SERVER_UNAVAILABLE);
- return FALSE;
- }
- if (!PrivName)
- {
- SetLastError(ERROR_NO_SUCH_PRIVILEGE);
+ SetLastError(LsaNtStatusToWinError(Status));
 return FALSE;
 }
- if (NULL != SystemName && L'\0' != *SystemName)
+ RtlInitUnicodeString(&PrivilegeName,
+ lpPrivilegeName);
+
+ Status = LsaLookupPrivilegeValue(PolicyHandle,
+ &PrivilegeName,
+ lpLuid);
+
+ LsaClose(PolicyHandle);
+
+ if (!NT_SUCCESS(Status))
 {
- FIXME("LookupPrivilegeValueW: not implemented for remote system\n");
- SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
- return FALSE;
+ SetLastError(LsaNtStatusToWinError(Status));
+ return FALSE;
 }
- for (Priv = 0; Priv < sizeof(DefaultPrivNames) / sizeof(DefaultPrivNames[0]); Priv++)
- {
- if (0 == _wcsicmp(PrivName, DefaultPrivNames[Priv]))
- {
- Luid->LowPart = Priv + SE_MIN_WELL_KNOWN_PRIVILEGE;
- Luid->HighPart = 0;
- return TRUE;
- }
- }
-
- WARN("LookupPrivilegeValueW: no such privilege %S\n", PrivName);
- SetLastError(ERROR_NO_SUCH_PRIVILEGE);
- return FALSE;
+ return TRUE;
 }
diff --git a/reactos/dll/win32/lsasrv/lsarpc.c b/reactos/dll/win32/lsasrv/lsarpc.c
index b94615ebcd9..e7e4c1763f8 100644
--- a/reactos/dll/win32/lsasrv/lsarpc.c
+++ b/reactos/dll/win32/lsasrv/lsarpc.c
@@ -10,12 +10,19 @@
 #include
+typedef enum _LSA_DB_HANDLE_TYPE
+{
+ LsaDbIgnoreHandle,
+ LsaDbPolicyHandle,
+ LsaDbAccountHandle
+} LSA_DB_HANDLE_TYPE, *PLSA_DB_HANDLE_TYPE;
+
 typedef struct _LSA_DB_HANDLE
 {
 ULONG Signature;
- ULONG Type;
+ LSA_DB_HANDLE_TYPE HandleType;
 LONG RefCount;
- ACCESS_MASK AccessGranted;
+ ACCESS_MASK Access;
 } LSA_DB_HANDLE, *PLSA_DB_HANDLE;
 #define LSAP_DB_SIGNATURE 0x12345678
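Review bot: LookupPrivilegeValueW no longer rejects a NULL `lpPrivilegeName`: the removed `if (!PrivName)` branch returned ERROR_NO_SUCH_PRIVILEGE, while the new code hands the pointer to `RtlInitUnicodeString` and forwards the result (presumably an empty string with a NULL buffer) to the LSA server. That turns a local caller mistake into a request the server must defend against, and the server-side lookup added in lsarpc.c by this same patch passes `Name->Buffer` to `_wcsicmp` without a NULL check. I would keep the early exit ahead of `LsaOpenPolicy`: `if (lpPrivilegeName == NULL) { SetLastError(ERROR_NO_SUCH_PRIVILEGE); return FALSE; }`. `lpLuid` is passed through unchecked as well, which deserves at least a comment.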
@@ -28,7 +35,8 @@ WINE_DEFAULT_DEBUG_CHANNEL(lsasrv);
 /* FUNCTIONS ***************************************************************/
 static LSAPR_HANDLE
-LsapCreateDbHandle(ULONG Type)
+LsapCreateDbHandle(LSA_DB_HANDLE_TYPE HandleType,
+ ACCESS_MASK DesiredAccess)
 {
 PLSA_DB_HANDLE DbHandle;
@@ -41,7 +49,8 @@ LsapCreateDbHandle(ULONG Type)
 {
 DbHandle->Signature = LSAP_DB_SIGNATURE;
 DbHandle->RefCount = 1;
- DbHandle->Type = Type;
+ DbHandle->HandleType = HandleType;
+ DbHandle->Access = DesiredAccess;
 }
 // RtlLeaveCriticalSection(&PolicyHandleTableLock);
@@ -51,7 +60,8 @@ LsapCreateDbHandle(ULONG Type)
 static BOOL
-LsapValidateDbHandle(LSAPR_HANDLE Handle)
+LsapValidateDbHandle(LSAPR_HANDLE Handle,
+ LSA_DB_HANDLE_TYPE HandleType)
 {
 PLSA_DB_HANDLE DbHandle = (PLSA_DB_HANDLE)Handle;
 BOOL bValid = FALSE;
@@ -59,7 +69,12 @@ LsapValidateDbHandle(LSAPR_HANDLE Handle)
 _SEH2_TRY
 {
 if (DbHandle->Signature == LSAP_DB_SIGNATURE)
- bValid = TRUE;
+ {
+ if (HandleType == LsaDbIgnoreHandle)
+ bValid = TRUE;
+ else if (DbHandle->HandleType == HandleType)
+ bValid = TRUE;
+ }
 }
 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 {
@@ -81,7 +96,7 @@ LsarStartRpcServer(VOID)
 RtlInitializeCriticalSection(&PolicyHandleTableLock);
- TRACE("LsarStartRpcServer() called");
+ TRACE("LsarStartRpcServer() called\n");
 Status = RpcServerUseProtseqEpW(L"ncacn_np",
 10,
@@ -129,7 +144,7 @@ NTSTATUS LsarClose(
 // RtlEnterCriticalSection(&PolicyHandleTableLock);
- if (LsapValidateDbHandle(*ObjectHandle))
+ if (LsapValidateDbHandle(*ObjectHandle, LsaDbIgnoreHandle))
 {
 RtlFreeHeap(RtlGetProcessHeap(), 0, *ObjectHandle);
 *ObjectHandle = NULL;
@@ -213,7 +228,8 @@ NTSTATUS LsarOpenPolicy(
 RtlEnterCriticalSection(&PolicyHandleTableLock);
- *PolicyHandle = LsapCreateDbHandle(0);
+ *PolicyHandle = LsapCreateDbHandle(LsaDbPolicyHandle,
+ DesiredAccess);
 if (*PolicyHandle == NULL)
 Status = STATUS_INSUFFICIENT_RESOURCES;
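Review bot: `DbHandle->Access = DesiredAccess;` in LsapCreateDbHandle records whatever mask the caller requested, and LsarOpenPolicy (the `@@ -213,7 +228,8 @@` hunk) passes the client's `DesiredAccess` straight through, so the field holds requested rather than granted access. Nothing visible in this patch performs an access check before storing it or consults it afterwards; LsarLookupPrivilegeValue checks only the handle type, not `POLICY_LOOKUP_NAMES`. Until such a check exists I would add a comment next to the assignment, for example `/* TODO: store the access actually granted once LsarOpenPolicy performs an access check */`, because the rename from `AccessGranted` to `Access` in the struct makes the gap easy to miss. Both function bodies extend beyond their hunks.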
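Review bot: The new type check in LsapValidateDbHandle (`@@ -59,7 +69,12 @@`) can be one assignment, `bValid = (HandleType == LsaDbIgnoreHandle || DbHandle->HandleType == HandleType);`, instead of two branches that both set `bValid = TRUE`. The function also needs a header comment saying that `LsaDbIgnoreHandle` accepts any handle whose signature matches, which LsarClose now relies on, and that validity still rests on reading `Signature` through the caller-supplied pointer inside `_SEH2_TRY`. The function starts and ends outside this hunk.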
@@ -504,8 +520,63 @@ NTSTATUS LsarLookupPrivilegeValue(
 PRPC_UNICODE_STRING Name,
 PLUID Value)
 {
- UNIMPLEMENTED;
- return STATUS_NOT_IMPLEMENTED;
+ static const WCHAR * const DefaultPrivNames[] =
+ {
+ L"SeCreateTokenPrivilege",
+ L"SeAssignPrimaryTokenPrivilege",
+ L"SeLockMemoryPrivilege",
+ L"SeIncreaseQuotaPrivilege",
+ L"SeMachineAccountPrivilege",
+ L"SeTcbPrivilege",
+ L"SeSecurityPrivilege",
+ L"SeTakeOwnershipPrivilege",
+ L"SeLoadDriverPrivilege",
+ L"SeSystemProfilePrivilege",
+ L"SeSystemtimePrivilege",
+ L"SeProfileSingleProcessPrivilege",
+ L"SeIncreaseBasePriorityPrivilege",
+ L"SeCreatePagefilePrivilege",
+ L"SeCreatePermanentPrivilege",
+ L"SeBackupPrivilege",
+ L"SeRestorePrivilege",
+ L"SeShutdownPrivilege",
+ L"SeDebugPrivilege",
+ L"SeAuditPrivilege",
+ L"SeSystemEnvironmentPrivilege",
+ L"SeChangeNotifyPrivilege",
+ L"SeRemoteShutdownPrivilege",
+ L"SeUndockPrivilege",
+ L"SeSyncAgentPrivilege",
+ L"SeEnableDelegationPrivilege",
+ L"SeManageVolumePrivilege",
+ L"SeImpersonatePrivilege",
+ L"SeCreateGlobalPrivilege"
+ };
+ ULONG Priv;
+
+
+ TRACE("LsarLookupPrivilegeValue(%p, %wZ, %p)\n",
+ PolicyHandle, Name, Value);
+
+ if (!LsapValidateDbHandle(PolicyHandle, LsaDbPolicyHandle))
+ {
+ ERR("Invalid handle\n");
+ return STATUS_INVALID_HANDLE;
+ }
+
+ for (Priv = 0; Priv < sizeof(DefaultPrivNames) / sizeof(DefaultPrivNames[0]); Priv++)
+ {
+ if (0 == _wcsicmp(Name->Buffer, DefaultPrivNames[Priv]))
+ {
+ Value->LowPart = Priv + SE_MIN_WELL_KNOWN_PRIVILEGE;
+ Value->HighPart = 0;
+ return STATUS_SUCCESS;
+ }
+ }
+
+ WARN("LsarLookupPrivilegeValue: no such privilege %wZ\n", Name);
+
+ return STATUS_NO_SUCH_PRIVILEGE;
 }
@@ -562,7 +633,7 @@ NTSTATUS LsarEnmuerateAccountRights(
 {
 FIXME("(%p,%p,%p) stub\n", PolicyHandle, AccountSid, UserRights);
- if (!LsapValidateDbHandle(PolicyHandle))
+ if (!LsapValidateDbHandle(PolicyHandle, LsaDbPolicyHandle))
 return STATUS_INVALID_HANDLE;
 UserRights->Entries = 0;
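Review bot: `_wcsicmp(Name->Buffer, DefaultPrivNames[Priv])` in LsarLookupPrivilegeValue treats the client's RPC_UNICODE_STRING as a NUL-terminated C string, but that structure is length-counted, and depending on how the IDL declares it (not visible here) `Buffer` may arrive NULL or without a terminator. Inside the LSA server that is a NULL dereference or a read past the end of the unmarshalled buffer, driven by request data. The lookup should reject a NULL `Name`, `Name->Buffer` or `Value` after the handle check and compare by length with `RtlEqualUnicodeString` in case-insensitive mode, as in the excerpt below. The signature begins above the hunk.

```c
    UNICODE_STRING Requested;
    UNICODE_STRING Candidate;
    ULONG Priv;

    /* … unchanged: TRACE and LsapValidateDbHandle check … */

    if (Name == NULL || Name->Buffer == NULL || Value == NULL)
        return STATUS_INVALID_PARAMETER;

    /* Name comes from the RPC client as a counted string: never assume a terminator. */
    Requested.Length = Name->Length;
    Requested.MaximumLength = Name->MaximumLength;
    Requested.Buffer = Name->Buffer;

    for (Priv = 0; Priv < sizeof(DefaultPrivNames) / sizeof(DefaultPrivNames[0]); Priv++)
    {
        RtlInitUnicodeString(&Candidate, DefaultPrivNames[Priv]);
        if (RtlEqualUnicodeString(&Requested, &Candidate, TRUE))
        {
            /* … unchanged: fill Value and return STATUS_SUCCESS … */
```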
diff --git a/reactos/include/psdk/ntsecapi.h b/reactos/include/psdk/ntsecapi.h
index 4f47573ecd1..2aed58d277b 100644
--- a/reactos/include/psdk/ntsecapi.h
+++ b/reactos/include/psdk/ntsecapi.h
@@ -698,6 +698,7 @@ NTSTATUS NTAPI LsaLookupNames(LSA_HANDLE,ULONG,PLSA_UNICODE_STRING,
 PLSA_REFERENCED_DOMAIN_LIST*,PLSA_TRANSLATED_SID*);
 NTSTATUS NTAPI LsaLookupNames2(LSA_HANDLE,ULONG,ULONG,PLSA_UNICODE_STRING,
 PLSA_REFERENCED_DOMAIN_LIST*,PLSA_TRANSLATED_SID2*);
+NTSTATUS NTAPI LsaLookupPrivilegeValue(LSA_HANDLE, PLSA_UNICODE_STRING, PLUID);
 NTSTATUS NTAPI LsaLookupSids(LSA_HANDLE,ULONG,PSID*,
 PLSA_REFERENCED_DOMAIN_LIST*,PLSA_TRANSLATED_NAME*);
 ULONG NTAPI LsaNtStatusToWinError(NTSTATUS);