diff --git a/reactos/include/ddk/rtl.h b/reactos/include/ddk/rtl.h index 59f394b3892..1557069f89b 100644 --- a/reactos/include/ddk/rtl.h +++ b/reactos/include/ddk/rtl.h @@ -1,4 +1,4 @@ -/* $Id: rtl.h,v 1.59 2002/01/14 01:41:08 ekohl Exp $ +/* $Id: rtl.h,v 1.60 2002/02/20 20:09:52 ekohl Exp $ * */ @@ -1780,6 +1780,9 @@ RtlValidSecurityDescriptor ( PSECURITY_DESCRIPTOR SecurityDescriptor ); +BOOLEAN STDCALL +RtlValidSid(IN PSID Sid); + NTSTATUS STDCALL RtlWriteRegistryValue ( diff --git a/reactos/include/ddk/sefuncs.h b/reactos/include/ddk/sefuncs.h index 0c5022da01a..f27d8adf6b3 100644 --- a/reactos/include/ddk/sefuncs.h +++ b/reactos/include/ddk/sefuncs.h @@ -1,47 +1,52 @@ #ifndef _INCLUDE_DDK_SEFUNCS_H #define _INCLUDE_DDK_SEFUNCS_H -/* $Id: sefuncs.h,v 1.14 2001/07/06 21:32:43 ekohl Exp $ */ +/* $Id: sefuncs.h,v 1.15 2002/02/20 20:09:52 ekohl Exp $ */ -BOOLEAN STDCALL SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, - IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, - IN BOOLEAN SubjectContextLocked, - IN ACCESS_MASK DesiredAccess, - IN ACCESS_MASK PreviouslyGrantedAccess, - OUT PPRIVILEGE_SET* Privileges, - IN PGENERIC_MAPPING GenericMapping, - IN KPROCESSOR_MODE AccessMode, - OUT PACCESS_MODE GrantedAccess, - OUT PNTSTATUS AccessStatus); -NTSTATUS STDCALL SeAssignSecurity (PSECURITY_DESCRIPTOR ParentDescriptor, - PSECURITY_DESCRIPTOR ExplicitDescriptor, - PSECURITY_DESCRIPTOR* NewDescriptor, - BOOLEAN IsDirectoryObject, - PSECURITY_SUBJECT_CONTEXT SubjectContext, - PGENERIC_MAPPING GenericMapping, - POOL_TYPE PoolType); -NTSTATUS STDCALL SeDeassignSecurity (PSECURITY_DESCRIPTOR* SecurityDescriptor); -BOOLEAN STDCALL SeSinglePrivilegeCheck (LUID PrivilegeValue, KPROCESSOR_MODE PreviousMode); -VOID STDCALL SeImpersonateClient(PSE_SOME_STRUCT2 a, - struct _ETHREAD* Thread); +BOOLEAN STDCALL +SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, + IN BOOLEAN SubjectContextLocked, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK PreviouslyGrantedAccess, + OUT PPRIVILEGE_SET* Privileges, + IN PGENERIC_MAPPING GenericMapping, + IN KPROCESSOR_MODE AccessMode, + OUT PACCESS_MODE GrantedAccess, + OUT PNTSTATUS AccessStatus); -NTSTATUS STDCALL SeCreateClientSecurity(struct _ETHREAD* Thread, - PSECURITY_QUALITY_OF_SERVICE Qos, - ULONG e, - PSE_SOME_STRUCT2 f); -NTSTATUS SeExchangePrimaryToken(struct _EPROCESS* Process, - PACCESS_TOKEN NewToken, - PACCESS_TOKEN* OldTokenP); -VOID STDCALL SeReleaseSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext); -VOID STDCALL SeCaptureSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext); -NTSTATUS SeCaptureLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Src, - ULONG PrivilegeCount, - KPROCESSOR_MODE PreviousMode, - PLUID_AND_ATTRIBUTES AllocatedMem, - ULONG AllocatedLength, - POOL_TYPE PoolType, - ULONG d, - PLUID_AND_ATTRIBUTES* Dest, - PULONG Length); +NTSTATUS STDCALL +SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor, + PSECURITY_DESCRIPTOR ExplicitDescriptor, + PSECURITY_DESCRIPTOR* NewDescriptor, + BOOLEAN IsDirectoryObject, + PSECURITY_SUBJECT_CONTEXT SubjectContext, + PGENERIC_MAPPING GenericMapping, + POOL_TYPE PoolType); +VOID STDCALL +SeCaptureSubjectContext(OUT PSECURITY_SUBJECT_CONTEXT SubjectContext); + +NTSTATUS STDCALL +SeCreateClientSecurity(IN struct _ETHREAD *Thread, + IN PSECURITY_QUALITY_OF_SERVICE Qos, + IN BOOLEAN RemoteClient, + OUT PSECURITY_CLIENT_CONTEXT ClientContext); + +NTSTATUS STDCALL +SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor); + +VOID STDCALL +SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext, + IN struct _ETHREAD *ServerThread OPTIONAL); + +VOID STDCALL +SeReleaseSubjectContext(IN PSECURITY_SUBJECT_CONTEXT SubjectContext); + +BOOLEAN STDCALL +SeSinglePrivilegeCheck(LUID PrivilegeValue, + KPROCESSOR_MODE PreviousMode); + +TOKEN_TYPE STDCALL +SeTokenType(IN PACCESS_TOKEN Token); #endif /* ndef _INCLUDE_DDK_SEFUNCS_H */ diff --git a/reactos/include/ddk/setypes.h b/reactos/include/ddk/setypes.h index 93a2dcb550d..4688a5e1b2b 100644 --- a/reactos/include/ddk/setypes.h +++ b/reactos/include/ddk/setypes.h @@ -1,4 +1,4 @@ -/* $Id: setypes.h,v 1.5 2000/06/29 23:35:12 dwelch Exp $ +/* $Id: setypes.h,v 1.6 2002/02/20 20:09:52 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory for details * PROJECT: ReactOS kernel @@ -14,35 +14,6 @@ #include -/* SID */ -#define SECURITY_NULL_RID (0L) -#define SECURITY_WORLD_RID (0L) -#define SECURITY_LOCAL_RID (0L) -#define SECURITY_CREATOR_OWNER_RID (0L) -#define SECURITY_CREATOR_GROUP_RID (0x1L) -#define SECURITY_DIALUP_RID (0x1L) -#define SECURITY_NETWORK_RID (0x2L) -#define SECURITY_BATCH_RID (0x3L) -#define SECURITY_INTERACTIVE_RID (0x4L) -#define SECURITY_LOGON_IDS_RID (0x5L) -#define SECURITY_LOGON_IDS_RID_COUNT (0x3L) -#define SECURITY_SERVICE_RID (0x6L) -#define SECURITY_LOCAL_SYSTEM_RID (0x12L) -#define SECURITY_BUILTIN_DOMAIN_RID (0x20L) -#define DOMAIN_USER_RID_ADMIN (0x1f4L) -#define DOMAIN_USER_RID_GUEST (0x1f5L) -#define DOMAIN_GROUP_RID_ADMINS (0x200L) -#define DOMAIN_GROUP_RID_USERS (0x201L) -#define DOMAIN_ALIAS_RID_ADMINS (0x220L) -#define DOMAIN_ALIAS_RID_USERS (0x221L) -#define DOMAIN_ALIAS_RID_GUESTS (0x222L) -#define DOMAIN_ALIAS_RID_POWER_USERS (0x223L) -#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x224L) -#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x225L) -#define DOMAIN_ALIAS_RID_PRINT_OPS (0x226L) -#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x227L) -#define DOMAIN_ALIAS_RID_REPLICATOR (0x228L) - /* TOKEN_GROUPS structure */ #define SE_GROUP_MANDATORY (0x1L) #define SE_GROUP_ENABLED_BY_DEFAULT (0x2L) @@ -84,65 +55,106 @@ #define SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L) #define PRIVILEGE_SET_ALL_NECESSARY (0x1) -typedef struct _ACCESS_TOKEN +typedef struct _ACCESS_TOKEN { - TOKEN_SOURCE TokenSource; // 0x00 - LUID TokenId; // 0x10 - LUID AuthenticationId; // 0x18 - LARGE_INTEGER ExpirationTime; // 0x20 - LUID ModifiedId; // 0x28 - ULONG UserAndGroupCount; // 0x30 - ULONG PrivilegeCount; // 0x34 - ULONG VariableLength; // 0x38 - ULONG DynamicCharged; // 0x3C - ULONG DynamicAvailable; // 0x40 - ULONG DefaultOwnerIndex; // 0x44 - PSID_AND_ATTRIBUTES UserAndGroups; // 0x48 - PSID PrimaryGroup; // 0x4C - PLUID_AND_ATTRIBUTES Privileges; // 0x50 - ULONG Unknown1; // 0x54 - PACL DefaultDacl; // 0x58 - TOKEN_TYPE TokenType; // 0x5C - SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // 0x60 - UCHAR TokenFlags; // 0x64 - UCHAR TokenInUse; // 0x65 - UCHAR Unused[2]; // 0x66 - PVOID ProxyData; // 0x68 - PVOID AuditData; // 0x6c - UCHAR VariablePart[0]; // 0x70 + TOKEN_SOURCE TokenSource; // 0x00 + LUID TokenId; // 0x10 + LUID AuthenticationId; // 0x18 + LARGE_INTEGER ExpirationTime; // 0x20 + LUID ModifiedId; // 0x28 + ULONG UserAndGroupCount; // 0x30 + ULONG PrivilegeCount; // 0x34 + ULONG VariableLength; // 0x38 + ULONG DynamicCharged; // 0x3C + ULONG DynamicAvailable; // 0x40 + ULONG DefaultOwnerIndex; // 0x44 + PSID_AND_ATTRIBUTES UserAndGroups; // 0x48 + PSID PrimaryGroup; // 0x4C + PLUID_AND_ATTRIBUTES Privileges; // 0x50 + ULONG Unknown1; // 0x54 + PACL DefaultDacl; // 0x58 + TOKEN_TYPE TokenType; // 0x5C + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // 0x60 + UCHAR TokenFlags; // 0x64 + UCHAR TokenInUse; // 0x65 + UCHAR Unused[2]; // 0x66 + PVOID ProxyData; // 0x68 + PVOID AuditData; // 0x6c + UCHAR VariablePart[0]; // 0x70 } ACCESS_TOKEN, *PACCESS_TOKEN; typedef struct _SECURITY_SUBJECT_CONTEXT { - PACCESS_TOKEN ClientToken; // 0x0 - SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // 0x4 - PACCESS_TOKEN PrimaryToken; // 0x8 - PVOID ProcessAuditId; // 0xC + PACCESS_TOKEN ClientToken; // 0x0 + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // 0x4 + PACCESS_TOKEN PrimaryToken; // 0x8 + PVOID ProcessAuditId; // 0xC } SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT; -BOOLEAN STDCALL RtlValidSid (PSID Sid); -/* - * from ntoskrnl/se/token.c: - */ -extern struct _OBJECT_TYPE* SeTokenType; -typedef struct +typedef struct _SECURITY_CLIENT_CONTEXT { - ULONG Unknown1; // 0x0 - SECURITY_IMPERSONATION_LEVEL Level; // 0x4 - UCHAR ContextTrackingMode; // 0x8 - UCHAR EffectiveOnly; // 0x9 - UCHAR Unknown5; // 0xa - UCHAR Unknown6; // 0xb - PACCESS_TOKEN Token; // 0xc - UCHAR Unknown8; // 0x10 - UCHAR Unknown9; // 0x11 - UCHAR Unknown10; // 0x12 - UCHAR Pad[1]; // 0x13 - ULONG Unknown11; // 0x14 -} SE_SOME_STRUCT2, *PSE_SOME_STRUCT2; + SECURITY_QUALITY_OF_SERVICE SecurityQos; // 0x00 + PACCESS_TOKEN Token; // 0x0C + BOOLEAN DirectlyAccessClientToken; // 0x10 + BOOLEAN DirectAccessEffectiveOnly; // 0x11 + BOOLEAN ServerIsRemote; // 0x12 + TOKEN_CONTROL ClientTokenControl; // 0x14 +} SECURITY_CLIENT_CONTEXT, *PSECURITY_CLIENT_CONTEXT; +typedef struct _SE_EXPORTS +{ + /* Privilege values */ + LUID SeCreateTokenPrivilege; + LUID SeAssignPrimaryTokenPrivilege; + LUID SeLockMemoryPrivilege; + LUID SeIncreaseQuotaPrivilege; + LUID SeUnsolicitedInputPrivilege; + LUID SeTcbPrivilege; + LUID SeSecurityPrivilege; + LUID SeTakeOwnershipPrivilege; + LUID SeLoadDriverPrivilege; + LUID SeCreatePagefilePrivilege; + LUID SeIncreaseBasePriorityPrivilege; + LUID SeSystemProfilePrivilege; + LUID SeSystemtimePrivilege; + LUID SeProfileSingleProcessPrivilege; + LUID SeCreatePermanentPrivilege; + LUID SeBackupPrivilege; + LUID SeRestorePrivilege; + LUID SeShutdownPrivilege; + LUID SeDebugPrivilege; + LUID SeAuditPrivilege; + LUID SeSystemEnvironmentPrivilege; + LUID SeChangeNotifyPrivilege; + LUID SeRemoteShutdownPrivilege; + + /* Universally defined SIDs */ + PSID SeNullSid; + PSID SeWorldSid; + PSID SeLocalSid; + PSID SeCreatorOwnerSid; + PSID SeCreatorGroupSid; + + /* Nt defined SIDs */ + PSID SeNtAuthoritySid; + PSID SeDialupSid; + PSID SeNetworkSid; + PSID SeBatchSid; + PSID SeInteractiveSid; + PSID SeLocalSystemSid; + PSID SeAliasAdminsSid; + PSID SeAliasUsersSid; + PSID SeAliasGuestsSid; + PSID SeAliasPowerUsersSid; + PSID SeAliasAccountOpsSid; + PSID SeAliasSystemOpsSid; + PSID SeAliasPrintOpsSid; + PSID SeAliasBackupOpsSid; +} SE_EXPORTS, *PSE_EXPORTS; #endif + +/* EOF */ diff --git a/reactos/include/ntos/security.h b/reactos/include/ntos/security.h index 4581e673ea7..00af3160a5c 100644 --- a/reactos/include/ntos/security.h +++ b/reactos/include/ntos/security.h @@ -4,6 +4,81 @@ #include #include +/* SID Auhority */ +#define SECURITY_NULL_SID_AUTHORITY {0,0,0,0,0,0} +#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1} +#define SECURITY_LOCAL_SID_AUTHORITY {0,0,0,0,0,2} +#define SECURITY_CREATOR_SID_AUTHORITY {0,0,0,0,0,3} +#define SECURITY_NON_UNIQUE_AUTHORITY {0,0,0,0,0,4} +#define SECURITY_NT_AUTHORITY {0,0,0,0,0,5} + +/* SID */ +#define SECURITY_NULL_RID (0L) +#define SECURITY_WORLD_RID (0L) +#define SECURITY_LOCAL_RID (0L) +#define SECURITY_CREATOR_OWNER_RID (0L) +#define SECURITY_CREATOR_GROUP_RID (0x1L) +#define SECURITY_CREATOR_OWNER_SERVER_RID (0x2L) +#define SECURITY_CREATOR_GROUP_SERVER_RID (0x3L) +#define SECURITY_DIALUP_RID (0x1L) +#define SECURITY_NETWORK_RID (0x2L) +#define SECURITY_BATCH_RID (0x3L) +#define SECURITY_INTERACTIVE_RID (0x4L) +#define SECURITY_LOGON_IDS_RID (0x5L) +#define SECURITY_LOGON_IDS_RID_COUNT (0x3L) +#define SECURITY_SERVICE_RID (0x6L) +#define SECURITY_ANONYMOUS_LOGON_RID (0x7L) +#define SECURITY_PROXY_RID (0x8L) +#define SECURITY_ENTERPRISE_CONTROLLERS_RID (0x9L) +#define SECURITY_SERVER_LOGON_RID SECURITY_ENTERPRISE_CONTROLLERS_RID +#define SECURITY_PRINCIPAL_SELF_RID (0xAL) +#define SECURITY_AUTHENTICATED_USER_RID (0xBL) +#define SECURITY_RESTRICTED_CODE_RID (0xCL) +#define SECURITY_LOCAL_SYSTEM_RID (0x12L) +#define SECURITY_NT_NON_UNIQUE_RID (0x15L) +#define SECURITY_BUILTIN_DOMAIN_RID (0x20L) +#define DOMAIN_USER_RID_ADMIN (0x1F4L) +#define DOMAIN_USER_RID_GUEST (0x1F5L) +#define DOMAIN_GROUP_RID_ADMINS (0x200L) +#define DOMAIN_GROUP_RID_USERS (0x201L) +#define DOMAIN_ALIAS_RID_ADMINS (0x220L) +#define DOMAIN_ALIAS_RID_USERS (0x221L) +#define DOMAIN_ALIAS_RID_GUESTS (0x222L) +#define DOMAIN_ALIAS_RID_POWER_USERS (0x223L) +#define DOMAIN_ALIAS_RID_ACCOUNT_OPS (0x224L) +#define DOMAIN_ALIAS_RID_SYSTEM_OPS (0x225L) +#define DOMAIN_ALIAS_RID_PRINT_OPS (0x226L) +#define DOMAIN_ALIAS_RID_BACKUP_OPS (0x227L) +#define DOMAIN_ALIAS_RID_REPLICATOR (0x228L) + +/* Privileges */ +#define SE_MIN_WELL_KNOWN_PRIVILEGE (2L) +#define SE_CREATE_TOKEN_PRIVILEGE (2L) +#define SE_ASSIGNPRIMARYTOKEN_PRIVILEGE (3L) +#define SE_LOCK_MEMORY_PRIVILEGE (4L) +#define SE_INCREASE_QUOTA_PRIVILEGE (5L) +#define SE_UNSOLICITED_INPUT_PRIVILEGE (6L) /* unused */ +#define SE_MACHINE_ACCOUNT_PRIVILEGE (6L) +#define SE_TCB_PRIVILEGE (7L) +#define SE_SECURITY_PRIVILEGE (8L) +#define SE_TAKE_OWNERSHIP_PRIVILEGE (9L) +#define SE_LOAD_DRIVER_PRIVILEGE (10L) +#define SE_SYSTEM_PROFILE_PRIVILEGE (11L) +#define SE_SYSTEMTIME_PRIVILEGE (12L) +#define SE_PROF_SINGLE_PROCESS_PRIVILEGE (13L) +#define SE_INC_BASE_PRIORITY_PRIVILEGE (14L) +#define SE_CREATE_PAGEFILE_PRIVILEGE (15L) +#define SE_CREATE_PERMANENT_PRIVILEGE (16L) +#define SE_BACKUP_PRIVILEGE (17L) +#define SE_RESTORE_PRIVILEGE (18L) +#define SE_SHUTDOWN_PRIVILEGE (19L) +#define SE_DEBUG_PRIVILEGE (20L) +#define SE_AUDIT_PRIVILEGE (21L) +#define SE_SYSTEM_ENVIRONMENT_PRIVILEGE (22L) +#define SE_CHANGE_NOTIFY_PRIVILEGE (23L) +#define SE_REMOTE_SHUTDOWN_PRIVILEGE (24L) +#define SE_MAX_WELL_KNOWN_PRIVILEGE SE_REMOTE_SHUTDOWN_PRIVILEGE + #if 0 /* Security descriptor control. */ #define SECURITY_DESCRIPTOR_REVISION (1) @@ -52,18 +127,19 @@ typedef BOOL SECURITY_CONTEXT_TRACKING_MODE; typedef ULONG SECURITY_INFORMATION, *PSECURITY_INFORMATION; -typedef enum _TOKEN_INFORMATION_CLASS { - TokenUser = 1, - TokenGroups, - TokenPrivileges, - TokenOwner, - TokenPrimaryGroup, - TokenDefaultDacl, - TokenSource, - TokenType, - TokenImpersonationLevel, - TokenStatistics -} TOKEN_INFORMATION_CLASS; +typedef enum _TOKEN_INFORMATION_CLASS +{ + TokenUser = 1, + TokenGroups, + TokenPrivileges, + TokenOwner, + TokenPrimaryGroup, + TokenDefaultDacl, + TokenSource, + TokenType, + TokenImpersonationLevel, + TokenStatistics +} TOKEN_INFORMATION_CLASS; typedef ULONG SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL; @@ -85,8 +161,9 @@ typedef ULONG TOKEN_TYPE, *PTOKEN_TYPE; typedef ULONG ACCESS_MASK, *PACCESS_MASK; typedef ULONG ACCESS_MODE, *PACCESS_MODE; -typedef struct _SECURITY_QUALITY_OF_SERVICE { - DWORD Length; +typedef struct _SECURITY_QUALITY_OF_SERVICE +{ + ULONG Length; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode; BOOLEAN EffectiveOnly; @@ -96,39 +173,38 @@ typedef SECURITY_QUALITY_OF_SERVICE* PSECURITY_QUALITY_OF_SERVICE; typedef struct _ACE_HEADER { - CHAR AceType; - CHAR AceFlags; - USHORT AceSize; - ACCESS_MASK AccessMask; + CHAR AceType; + CHAR AceFlags; + USHORT AceSize; + ACCESS_MASK AccessMask; } ACE_HEADER, *PACE_HEADER; typedef struct { - ACE_HEADER Header; + ACE_HEADER Header; } ACE, *PACE; typedef struct _SID_IDENTIFIER_AUTHORITY { - BYTE Value[6]; + BYTE Value[6]; } SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; -#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1} - typedef struct _SID { - UCHAR Revision; - UCHAR SubAuthorityCount; - SID_IDENTIFIER_AUTHORITY IdentifierAuthority; - ULONG SubAuthority[1]; + UCHAR Revision; + UCHAR SubAuthorityCount; + SID_IDENTIFIER_AUTHORITY IdentifierAuthority; + ULONG SubAuthority[1]; } SID, *PSID; -typedef struct _ACL { - UCHAR AclRevision; - UCHAR Sbz1; - USHORT AclSize; - USHORT AceCount; - USHORT Sbz2; -} ACL, *PACL; +typedef struct _ACL +{ + UCHAR AclRevision; + UCHAR Sbz1; + USHORT AclSize; + USHORT AceCount; + USHORT Sbz2; +} ACL, *PACL; typedef USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL; @@ -138,7 +214,8 @@ typedef struct _SECURITY_DESCRIPTOR_CONTEXT typedef LARGE_INTEGER LUID, *PLUID; -typedef struct _SECURITY_DESCRIPTOR { +typedef struct _SECURITY_DESCRIPTOR +{ UCHAR Revision; UCHAR Sbz1; SECURITY_DESCRIPTOR_CONTROL Control; @@ -148,87 +225,108 @@ typedef struct _SECURITY_DESCRIPTOR { PACL Dacl; } SECURITY_DESCRIPTOR, *PSECURITY_DESCRIPTOR; -typedef struct _LUID_AND_ATTRIBUTES -{ - LUID Luid; - DWORD Attributes; +typedef struct _LUID_AND_ATTRIBUTES +{ + LUID Luid; + DWORD Attributes; } LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES; -typedef struct _TOKEN_SOURCE { - CHAR SourceName[8]; - LUID SourceIdentifier; -} TOKEN_SOURCE, *PTOKEN_SOURCE; +typedef struct _TOKEN_SOURCE +{ + CHAR SourceName[8]; + LUID SourceIdentifier; +} TOKEN_SOURCE, *PTOKEN_SOURCE; -typedef struct _SID_AND_ATTRIBUTES { - PSID Sid; - DWORD Attributes; +typedef struct _TOKEN_CONTROL +{ + LUID TokenId; + LUID AuthenticationId; + LUID ModifiedId; + TOKEN_SOURCE TokenSource; +} TOKEN_CONTROL, *PTOKEN_CONTROL; + +typedef struct _SID_AND_ATTRIBUTES +{ + PSID Sid; + DWORD Attributes; } SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES; - + typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY; -typedef struct _TOKEN_USER { - SID_AND_ATTRIBUTES User; -} TOKEN_USER, *PTOKEN_USER; +typedef struct _TOKEN_USER +{ + SID_AND_ATTRIBUTES User; +} TOKEN_USER, *PTOKEN_USER; -typedef struct _TOKEN_PRIMARY_GROUP { - PSID PrimaryGroup; -} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; +typedef struct _TOKEN_PRIMARY_GROUP +{ + PSID PrimaryGroup; +} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; -typedef struct _TOKEN_GROUPS { - DWORD GroupCount; - SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; -} TOKEN_GROUPS, *PTOKEN_GROUPS, *LPTOKEN_GROUPS; +typedef struct _TOKEN_GROUPS +{ + DWORD GroupCount; + SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; +} TOKEN_GROUPS, *PTOKEN_GROUPS, *LPTOKEN_GROUPS; -typedef struct _TOKEN_PRIVILEGES { - DWORD PrivilegeCount; - LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; -} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES, *LPTOKEN_PRIVILEGES; +typedef struct _TOKEN_PRIVILEGES +{ + DWORD PrivilegeCount; + LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; +} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES, *LPTOKEN_PRIVILEGES; -typedef struct _TOKEN_OWNER { - PSID Owner; -} TOKEN_OWNER, *PTOKEN_OWNER; +typedef struct _TOKEN_OWNER +{ + PSID Owner; +} TOKEN_OWNER, *PTOKEN_OWNER; -typedef struct _TOKEN_DEFAULT_DACL { - PACL DefaultDacl; +typedef struct _TOKEN_DEFAULT_DACL +{ + PACL DefaultDacl; } TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL; -typedef struct _TOKEN_STATISTICS { - LUID TokenId; - LUID AuthenticationId; - LARGE_INTEGER ExpirationTime; - TOKEN_TYPE TokenType; - SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; - DWORD DynamicCharged; - DWORD DynamicAvailable; - DWORD GroupCount; - DWORD PrivilegeCount; - LUID ModifiedId; -} TOKEN_STATISTICS, *PTOKEN_STATISTICS; +typedef struct _TOKEN_STATISTICS +{ + LUID TokenId; + LUID AuthenticationId; + LARGE_INTEGER ExpirationTime; + TOKEN_TYPE TokenType; + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; + DWORD DynamicCharged; + DWORD DynamicAvailable; + DWORD GroupCount; + DWORD PrivilegeCount; + LUID ModifiedId; +} TOKEN_STATISTICS, *PTOKEN_STATISTICS; -typedef struct _GENERIC_MAPPING { +typedef struct _GENERIC_MAPPING +{ ACCESS_MASK GenericRead; ACCESS_MASK GenericWrite; ACCESS_MASK GenericExecute; ACCESS_MASK GenericAll; } GENERIC_MAPPING, *PGENERIC_MAPPING; -typedef struct _PRIVILEGE_SET { +typedef struct _PRIVILEGE_SET +{ DWORD PrivilegeCount; DWORD Control; LUID_AND_ATTRIBUTES Privilege[ANYSIZE_ARRAY]; } PRIVILEGE_SET, *PPRIVILEGE_SET, *LPPRIVILEGE_SET; -typedef enum _ACL_INFORMATION_CLASS { - AclRevisionInformation = 1, - AclSizeInformation -} ACL_INFORMATION_CLASS; +typedef enum _ACL_INFORMATION_CLASS +{ + AclRevisionInformation = 1, + AclSizeInformation +} ACL_INFORMATION_CLASS; -typedef struct _SECURITY_ATTRIBUTES { - DWORD nLength; - LPVOID lpSecurityDescriptor; - BOOL bInheritHandle; -} SECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES; +typedef struct _SECURITY_ATTRIBUTES +{ + DWORD nLength; + LPVOID lpSecurityDescriptor; + BOOL bInheritHandle; +} SECURITY_ATTRIBUTES, *LPSECURITY_ATTRIBUTES; #endif /* __INCLUDE_SECURITY_H */ diff --git a/reactos/ntoskrnl/include/internal/se.h b/reactos/ntoskrnl/include/internal/se.h new file mode 100644 index 00000000000..379aba54af1 --- /dev/null +++ b/reactos/ntoskrnl/include/internal/se.h @@ -0,0 +1,122 @@ +/* + * ReactOS kernel + * Copyright (C) 2002 ReactOS Team + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#ifndef __NTOSKRNL_INCLUDE_INTERNAL_SE_H +#define __NTOSKRNL_INCLUDE_INTERNAL_SE_H + + +extern POBJECT_TYPE SepTokenObjectType; + +/* SID Authorities */ +extern SID_IDENTIFIER_AUTHORITY SeNullSidAuthority; +extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority; +extern SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority; +extern SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority; +extern SID_IDENTIFIER_AUTHORITY SeNtSidAuthority; + +/* SIDs */ +extern PSID SeNullSid; +extern PSID SeWorldSid; +extern PSID SeLocalSid; +extern PSID SeCreatorOwnerSid; +extern PSID SeCreatorGroupSid; +extern PSID SeCreatorOwnerServerSid; +extern PSID SeCreatorGroupServerSid; +extern PSID SeNtAuthoritySid; +extern PSID SeDialupSid; +extern PSID SeNetworkSid; +extern PSID SeBatchSid; +extern PSID SeInteractiveSid; +extern PSID SeServiceSid; +extern PSID SeAnonymousLogonSid; +extern PSID SePrincipalSelfSid; +extern PSID SeLocalSystemSid; +extern PSID SeAuthenticatedUserSid; +extern PSID SeRestrictedCodeSid; +extern PSID SeAliasAdminsSid; +extern PSID SeAliasUsersSid; +extern PSID SeAliasGuestsSid; +extern PSID SeAliasPowerUsersSid; +extern PSID SeAliasAccountOpsSid; +extern PSID SeAliasSystemOpsSid; +extern PSID SeAliasPrintOpsSid; +extern PSID SeAliasBackupOpsSid; + +/* Privileges */ +extern LUID SeCreateTokenPrivilege; +extern LUID SeAssignPrimaryTokenPrivilege; +extern LUID SeLockMemoryPrivilege; +extern LUID SeIncreaseQuotaPrivilege; +extern LUID SeUnsolicitedInputPrivilege; +extern LUID SeTcbPrivilege; +extern LUID SeSecurityPrivilege; +extern LUID SeTakeOwnershipPrivilege; +extern LUID SeLoadDriverPrivilege; +extern LUID SeCreatePagefilePrivilege; +extern LUID SeIncreaseBasePriorityPrivilege; +extern LUID SeSystemProfilePrivilege; +extern LUID SeSystemtimePrivilege; +extern LUID SeProfileSingleProcessPrivilege; +extern LUID SeCreatePermanentPrivilege; +extern LUID SeBackupPrivilege; +extern LUID SeRestorePrivilege; +extern LUID SeShutdownPrivilege; +extern LUID SeDebugPrivilege; +extern LUID SeAuditPrivilege; +extern LUID SeSystemEnvironmentPrivilege; +extern LUID SeChangeNotifyPrivilege; +extern LUID SeRemoteShutdownPrivilege; + +/* DACLs */ +extern PACL SePublicDefaultUnrestrictedDacl; +extern PACL SePublicOpenDacl; +extern PACL SePublicOpenUnrestrictedDacl; +extern PACL SeUnrestrictedDacl; + + +/* Functions */ + +BOOLEAN SeInit1(VOID); +BOOLEAN SeInit2(VOID); + +VOID SepInitLuid(VOID); +VOID SepInitPrivileges(VOID); +BOOLEAN SepInitSecurityIDs(VOID); +BOOLEAN SepInitDACLs(VOID); +BOOLEAN SepInitSDs(VOID); + + +NTSTATUS SeExchangePrimaryToken(struct _EPROCESS* Process, + PACCESS_TOKEN NewToken, + PACCESS_TOKEN* OldTokenP); + +NTSTATUS SeCaptureLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Src, + ULONG PrivilegeCount, + KPROCESSOR_MODE PreviousMode, + PLUID_AND_ATTRIBUTES AllocatedMem, + ULONG AllocatedLength, + POOL_TYPE PoolType, + ULONG d, + PLUID_AND_ATTRIBUTES* Dest, + PULONG Length); + + +#endif /* __NTOSKRNL_INCLUDE_INTERNAL_SE_H */ + +/* EOF */ \ No newline at end of file diff --git a/reactos/ntoskrnl/ke/main.c b/reactos/ntoskrnl/ke/main.c index 86ed648d1e3..ff072047f18 100644 --- a/reactos/ntoskrnl/ke/main.c +++ b/reactos/ntoskrnl/ke/main.c @@ -16,7 +16,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */ -/* $Id: main.c,v 1.113 2002/02/08 02:57:06 chorns Exp $ +/* $Id: main.c,v 1.114 2002/02/20 20:14:22 ekohl Exp $ * * PROJECT: ReactOS kernel * FILE: ntoskrnl/ke/main.c @@ -40,13 +40,14 @@ #include #include #include -//#include +#include #include #include #include #include #include "../dbg/kdb.h" #include +#include #ifdef HALDBG #include @@ -959,6 +960,9 @@ ExpInitializeExecutive(VOID) KeLowerIrql(PASSIVE_LEVEL); + if (!SeInit1()) + KeBugCheck(SECURITY_INITIALIZATION_FAILED); + ObInit(); PiInitProcessManager(); @@ -1170,6 +1174,9 @@ ExpInitializeExecutive(VOID) */ InitSystemSharedUserPage ((PUCHAR)KeLoaderBlock.CommandLine); + if (!SeInit2()) + KeBugCheck(SECURITY1_INITIALIZATION_FAILED); + /* * Launch initial process */ diff --git a/reactos/ntoskrnl/ntoskrnl.def b/reactos/ntoskrnl/ntoskrnl.def index bb72f51b771..c396a37d844 100644 --- a/reactos/ntoskrnl/ntoskrnl.def +++ b/reactos/ntoskrnl/ntoskrnl.def @@ -1,4 +1,4 @@ -; $Id: ntoskrnl.def,v 1.127 2002/02/19 00:09:21 ekohl Exp $ +; $Id: ntoskrnl.def,v 1.128 2002/02/20 20:16:49 ekohl Exp $ ; ; reactos/ntoskrnl/ntoskrnl.def ; @@ -344,7 +344,7 @@ KeGetPreviousMode@0 ;KeI386Call16BitFunction ;KeI386FlatToGdtSelector ;KeI386GetLid -;KeI386MachineType +;KeI386MachineType DATA ;KeI386ReleaseGdtSelectors ;KeI386ReleaseLid ;KeI386SetGdtSelector @@ -829,7 +829,7 @@ SeCreateClientSecurity@16 SeDeassignSecurity@4 ;SeDeleteAccessState@4 ;SeDeleteObjectAuditAlarm@8 -;SeExports DATA ??? +SeExports DATA ;SeFreePrivileges@4 SeImpersonateClient@8 ;SeLockSubjectContext@4 @@ -838,7 +838,7 @@ SeImpersonateClient@8 ;SeOpenObjectForDeleteAuditAlarm@36 SePrivilegeCheck@12 ;SePrivilegeObjectAuditAlarm@24 -;SePublicDefaultDacl DATA +SePublicDefaultDacl DATA ;SeQueryAuthenticationIdToken@8 ;SeQuerySecurityDescriptorInfo@16 ;SeRegisterLogonSessionTerminatedRoutine@4 @@ -847,9 +847,9 @@ SeReleaseSubjectContext@4 ;SeSetAccessStateGenericMapping@8 ;SeSetSecurityDescriptorInfo@24 ;SeSinglePrivilegeCheck@12 -;SeSystemDefaultDacl DATA +SeSystemDefaultDacl DATA ;SeTokenImpersonationLevel@4 -SeTokenType DATA +SeTokenType@4 ;SeUnlockSubjectContext@4 ;SeUnregisterLogonSessionTerminatedRoutine@4 ;SeValidSecurityDescriptor@8 diff --git a/reactos/ntoskrnl/ntoskrnl.edf b/reactos/ntoskrnl/ntoskrnl.edf index 4fd7fd01612..e150e48f74c 100644 --- a/reactos/ntoskrnl/ntoskrnl.edf +++ b/reactos/ntoskrnl/ntoskrnl.edf @@ -1,4 +1,4 @@ -; $Id: ntoskrnl.edf,v 1.113 2002/02/19 00:09:21 ekohl Exp $ +; $Id: ntoskrnl.edf,v 1.114 2002/02/20 20:16:49 ekohl Exp $ ; ; reactos/ntoskrnl/ntoskrnl.def ; @@ -344,7 +344,7 @@ KeGetPreviousMode=KeGetPreviousMode@0 ;KeI386Call16BitFunction ;KeI386FlatToGdtSelector ;KeI386GetLid -;KeI386MachineType +;KeI386MachineType DATA ;KeI386ReleaseGdtSelectors ;KeI386ReleaseLid ;KeI386SetGdtSelector @@ -828,7 +828,7 @@ SeCreateClientSecurity=SeCreateClientSecurity@16 SeDeassignSecurity=SeDeassignSecurity@4 ;SeDeleteAccessState=SeDeleteAccessState@4 ;SeDeleteObjectAuditAlarm=SeDeleteObjectAuditAlarm@8 -;SeExports DATA +SeExports DATA ;SeFreePrivileges=SeFreePrivileges@4 SeImpersonateClient=SeImpersonateClient@8 ;SeLockSubjectContext=SeLockSubjectContext@4 @@ -837,7 +837,7 @@ SeImpersonateClient=SeImpersonateClient@8 ;SeOpenObjectForDeleteAuditAlarm=SeOpenObjectForDeleteAuditAlarm@36 SePrivilegeCheck=SePrivilegeCheck@12 ;SePrivilegeObjectAuditAlarm=SePrivilegeObjectAuditAlarm@24 -;SePublicDefaultDacl DATA +SePublicDefaultDacl DATA ;SeQueryAuthenticationIdToken=SeQueryAuthenticationIdToken@8 ;SeQuerySecurityDescriptorInfo=SeQuerySecurityDescriptorInfo@16 ;SeRegisterLogonSessionTerminatedRoutine=SeRegisterLogonSessionTerminatedRoutine@4 @@ -846,9 +846,9 @@ SeReleaseSubjectContext=SeReleaseSubjectContext@4 ;SeSetAccessStateGenericMapping=SeSetAccessStateGenericMapping@8 ;SeSetSecurityDescriptorInfo=SeSetSecurityDescriptorInfo@24 ;SeSinglePrivilegeCheck=SeSinglePrivilegeCheck@12 -;SeSystemDefaultDacl DATA +SeSystemDefaultDacl DATA ;SeTokenImpersonationLevel=SeTokenImpersonationLevel@4 -SeTokenType DATA +SeTokenType=SeTokenType@4 ;SeUnlockSubjectContext=SeUnlockSubjectContext@4 ;SeUnregisterLogonSessionTerminatedRoutine=SeUnregisterLogonSessionTerminatedRoutine@4 ;SeValidSecurityDescriptor=SeValidSecurityDescriptor@8 diff --git a/reactos/ntoskrnl/ps/create.c b/reactos/ntoskrnl/ps/create.c index 85340b7885d..3ce1ba1a485 100644 --- a/reactos/ntoskrnl/ps/create.c +++ b/reactos/ntoskrnl/ps/create.c @@ -1,4 +1,4 @@ -/* $Id: create.c,v 1.44 2002/02/15 14:47:55 ekohl Exp $ +/* $Id: create.c,v 1.45 2002/02/20 20:15:07 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -24,7 +24,7 @@ #include #include #include -#include +#include #include #include @@ -60,7 +60,7 @@ PsAssignImpersonationToken(PETHREAD Thread, { Status = ObReferenceObjectByHandle(TokenHandle, 0, - SeTokenType, + SepTokenObjectType, UserMode, (PVOID*)&Token, NULL); @@ -133,7 +133,7 @@ PsImpersonateClient(PETHREAD Thread, Thread->ImpersonationInfo->Token = Token; ObReferenceObjectByPointer(Token, 0, - SeTokenType, + SepTokenObjectType, KernelMode); Thread->ActiveImpersonationInfo = 1; } @@ -164,16 +164,15 @@ PsReferenceEffectiveToken(PETHREAD Thread, return(Token); } -NTSTATUS STDCALL -NtImpersonateThread (IN HANDLE ThreadHandle, - IN HANDLE ThreadToImpersonateHandle, - IN PSECURITY_QUALITY_OF_SERVICE - SecurityQualityOfService) +NTSTATUS STDCALL +NtImpersonateThread(IN HANDLE ThreadHandle, + IN HANDLE ThreadToImpersonateHandle, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService) { PETHREAD Thread; PETHREAD ThreadToImpersonate; NTSTATUS Status; - SE_SOME_STRUCT2 b; + SECURITY_CLIENT_CONTEXT ClientContext; Status = ObReferenceObjectByHandle(ThreadHandle, 0, @@ -201,7 +200,7 @@ NtImpersonateThread (IN HANDLE ThreadHandle, Status = SeCreateClientSecurity(ThreadToImpersonate, SecurityQualityOfService, 0, - &b); + &ClientContext); if (!NT_SUCCESS(Status)) { ObDereferenceObject(Thread); @@ -209,15 +208,15 @@ NtImpersonateThread (IN HANDLE ThreadHandle, return(Status); } - SeImpersonateClient(&b, Thread); - if (b.Token != NULL) + SeImpersonateClient(&ClientContext, Thread); + if (ClientContext.Token != NULL) { - ObDereferenceObject(b.Token); + ObDereferenceObject(ClientContext.Token); } return(STATUS_SUCCESS); } -NTSTATUS STDCALL +NTSTATUS STDCALL NtOpenThreadToken(IN HANDLE ThreadHandle, IN ACCESS_MASK DesiredAccess, IN BOOLEAN OpenAsSelf, @@ -261,7 +260,7 @@ PsReferenceImpersonationToken(PETHREAD Thread, *Unknown2 = Thread->ImpersonationInfo->Unknown2; ObReferenceObjectByPointer(Thread->ImpersonationInfo->Token, TOKEN_ALL_ACCESS, - SeTokenType, + SepTokenObjectType, KernelMode); return(Thread->ImpersonationInfo->Token); } diff --git a/reactos/ntoskrnl/ps/process.c b/reactos/ntoskrnl/ps/process.c index 225032f78b2..9952f85e12c 100644 --- a/reactos/ntoskrnl/ps/process.c +++ b/reactos/ntoskrnl/ps/process.c @@ -1,4 +1,4 @@ -/* $Id: process.c,v 1.77 2002/02/08 02:57:07 chorns Exp $ +/* $Id: process.c,v 1.78 2002/02/20 20:15:07 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -17,6 +17,7 @@ #include #include #include +#include #include #include #include @@ -132,7 +133,7 @@ PsReferencePrimaryToken(PEPROCESS Process) { ObReferenceObjectByPointer(Process->Token, TOKEN_ALL_ACCESS, - SeTokenType, + SepTokenObjectType, UserMode); return(Process->Token); } @@ -863,7 +864,7 @@ PspAssignPrimaryToken(PEPROCESS Process, Status = ObReferenceObjectByHandle(TokenHandle, 0, - SeTokenType, + SepTokenObjectType, UserMode, (PVOID*)&Token, NULL); diff --git a/reactos/ntoskrnl/se/acl.c b/reactos/ntoskrnl/se/acl.c index 5b5e0e641a6..c862ac6aa19 100644 --- a/reactos/ntoskrnl/se/acl.c +++ b/reactos/ntoskrnl/se/acl.c @@ -1,4 +1,4 @@ -/* $Id: acl.c,v 1.4 2000/04/05 15:52:23 ekohl Exp $ +/* $Id: acl.c,v 1.5 2002/02/20 20:15:38 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -12,10 +12,123 @@ /* INCLUDES *****************************************************************/ #include +#include #include -/* FUNCTIONS ***************************************************************/ +#define TAG_ACL TAG('A', 'C', 'L', 'T') + + +/* GLOBALS ******************************************************************/ + +PACL EXPORTED SePublicDefaultDacl = NULL; +PACL EXPORTED SeSystemDefaultDacl = NULL; + +PACL SePublicDefaultUnrestrictedDacl = NULL; +PACL SePublicOpenDacl = NULL; +PACL SePublicOpenUnrestrictedDacl = NULL; +PACL SeUnrestrictedDacl = NULL; + + +/* FUNCTIONS ****************************************************************/ + +BOOLEAN +SepInitDACLs(VOID) +{ + ULONG AclLength2; + ULONG AclLength3; + ULONG AclLength4; + + AclLength2 = sizeof(ACL) + + 2 * (RtlLengthRequiredSid(1) + sizeof(ACE_HEADER)); + AclLength3 = sizeof(ACL) + + 3 * (RtlLengthRequiredSid(1) + sizeof(ACE_HEADER)); + AclLength4 = sizeof(ACL) + + 4 * (RtlLengthRequiredSid(1) + sizeof(ACE_HEADER)); + + /* create PublicDefaultDacl */ + SePublicDefaultDacl = ExAllocatePoolWithTag(NonPagedPool, + AclLength2, + TAG_ACL); + if (SePublicDefaultDacl == NULL) + return(FALSE); + + RtlCreateAcl(SePublicDefaultDacl, + AclLength2, + 2); + + RtlAddAccessAllowedAce(SePublicDefaultDacl, + 2, + GENERIC_EXECUTE, + SeWorldSid); + + RtlAddAccessAllowedAce(SePublicDefaultDacl, + 2, + GENERIC_ALL, + SeLocalSystemSid); + + + /* create PublicDefaultUnrestrictedDacl */ + SePublicDefaultUnrestrictedDacl = ExAllocatePoolWithTag(NonPagedPool, + AclLength4, + TAG_ACL); + if (SePublicDefaultUnrestrictedDacl == NULL) + return(FALSE); + + RtlCreateAcl(SePublicDefaultUnrestrictedDacl, + AclLength4, + 2); + + RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, + 4, + GENERIC_EXECUTE, + SeWorldSid); + + RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, + 4, + GENERIC_ALL, + SeLocalSystemSid); + + RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, + 4, + GENERIC_ALL, + SeAliasAdminsSid); + + RtlAddAccessAllowedAce(SePublicDefaultUnrestrictedDacl, + 4, + GENERIC_READ | GENERIC_EXECUTE | STANDARD_RIGHTS_READ, + SeRestrictedCodeSid); + + /* create PublicOpenDacl */ + SePublicOpenDacl = ExAllocatePoolWithTag(NonPagedPool, + AclLength3, + TAG_ACL); + if (SePublicOpenDacl == NULL) + return(FALSE); + + RtlCreateAcl(SePublicOpenDacl, + AclLength3, + 3); + + RtlAddAccessAllowedAce(SePublicOpenDacl, + 2, + GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE, + SeWorldSid); + + RtlAddAccessAllowedAce(SePublicOpenDacl, + 2, + GENERIC_ALL, + SeLocalSystemSid); + + RtlAddAccessAllowedAce(SePublicOpenDacl, + 2, + GENERIC_ALL, + SeAliasAdminsSid); + + + return(TRUE); +} + BOOLEAN STDCALL @@ -102,8 +215,7 @@ NTSTATUS RtlpAddKnownAce(PACL Acl, return(STATUS_SUCCESS); } -NTSTATUS -STDCALL +NTSTATUS STDCALL RtlAddAccessAllowedAce(PACL Acl, ULONG Revision, ACCESS_MASK AccessMask, @@ -112,8 +224,7 @@ RtlAddAccessAllowedAce(PACL Acl, return(RtlpAddKnownAce(Acl, Revision, AccessMask, Sid, 0)); } -NTSTATUS -STDCALL +NTSTATUS STDCALL RtlAddAce(PACL Acl, ULONG AclRevision, ULONG StartingIndex, @@ -179,9 +290,11 @@ RtlAddAce(PACL Acl, return(TRUE); } -NTSTATUS -STDCALL -RtlCreateAcl(PACL Acl, ULONG AclSize, ULONG AclRevision) + +NTSTATUS STDCALL +RtlCreateAcl(PACL Acl, + ULONG AclSize, + ULONG AclRevision) { if (AclSize < 8) { diff --git a/reactos/ntoskrnl/se/luid.c b/reactos/ntoskrnl/se/luid.c index 108655995a9..0589a977eb2 100644 --- a/reactos/ntoskrnl/se/luid.c +++ b/reactos/ntoskrnl/se/luid.c @@ -1,4 +1,4 @@ -/* $Id: luid.c,v 1.3 1999/12/29 01:36:06 ekohl Exp $ +/* $Id: luid.c,v 1.4 2002/02/20 20:15:38 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -23,37 +23,47 @@ static LUID Luid; /* FUNCTIONS *****************************************************************/ -NTSTATUS STDCALL NtAllocateLocallyUniqueId(OUT LUID* LocallyUniqueId) -{ - KIRQL oldIrql; - LUID ReturnedLuid; - - KeAcquireSpinLock(&LuidLock, &oldIrql); - ReturnedLuid = Luid; - Luid = RtlLargeIntegerAdd(Luid, LuidIncrement); - KeReleaseSpinLock(&LuidLock, oldIrql); - *LocallyUniqueId = ReturnedLuid; - return(STATUS_SUCCESS); -} - VOID -STDCALL -RtlCopyLuid ( - PLUID LuidDest, - PLUID LuidSrc - ) +SepInitLuid(VOID) { - LuidDest->QuadPart = LuidSrc->QuadPart; + KeInitializeSpinLock(&LuidLock); + Luid.QuadPart = 999; /* SYSTEM_LUID */ + LuidIncrement.QuadPart = 1; } -BOOLEAN -STDCALL -RtlEqualLuid ( - PLUID Luid1, - PLUID Luid2 - ) + +NTSTATUS STDCALL +NtAllocateLocallyUniqueId(OUT LUID* LocallyUniqueId) { - return ((Luid1->QuadPart == Luid2->QuadPart) ? TRUE : FALSE); + KIRQL oldIrql; + LUID ReturnedLuid; + + KeAcquireSpinLock(&LuidLock, + &oldIrql); + ReturnedLuid = Luid; + Luid = RtlLargeIntegerAdd(Luid, + LuidIncrement); + KeReleaseSpinLock(&LuidLock, + oldIrql); + *LocallyUniqueId = ReturnedLuid; + + return(STATUS_SUCCESS); +} + + +VOID STDCALL +RtlCopyLuid(IN PLUID LuidDest, + IN PLUID LuidSrc) +{ + LuidDest->QuadPart = LuidSrc->QuadPart; +} + + +BOOLEAN STDCALL +RtlEqualLuid(IN PLUID Luid1, + IN PLUID Luid2) +{ + return((Luid1->QuadPart == Luid2->QuadPart) ? TRUE : FALSE); } /* EOF */ diff --git a/reactos/ntoskrnl/se/priv.c b/reactos/ntoskrnl/se/priv.c index cf8c50bc1b5..9fe360e7e06 100644 --- a/reactos/ntoskrnl/se/priv.c +++ b/reactos/ntoskrnl/se/priv.c @@ -1,4 +1,4 @@ -/* $Id: priv.c,v 1.1 2000/01/26 10:07:30 dwelch Exp $ +/* $Id: priv.c,v 1.2 2002/02/20 20:15:38 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -12,11 +12,69 @@ /* INCLUDES *****************************************************************/ #include +#include #include + +/* GLOBALS *******************************************************************/ + +LUID SeCreateTokenPrivilege; +LUID SeAssignPrimaryTokenPrivilege; +LUID SeLockMemoryPrivilege; +LUID SeIncreaseQuotaPrivilege; +LUID SeUnsolicitedInputPrivilege; +LUID SeTcbPrivilege; +LUID SeSecurityPrivilege; +LUID SeTakeOwnershipPrivilege; +LUID SeLoadDriverPrivilege; +LUID SeCreatePagefilePrivilege; +LUID SeIncreaseBasePriorityPrivilege; +LUID SeSystemProfilePrivilege; +LUID SeSystemtimePrivilege; +LUID SeProfileSingleProcessPrivilege; +LUID SeCreatePermanentPrivilege; +LUID SeBackupPrivilege; +LUID SeRestorePrivilege; +LUID SeShutdownPrivilege; +LUID SeDebugPrivilege; +LUID SeAuditPrivilege; +LUID SeSystemEnvironmentPrivilege; +LUID SeChangeNotifyPrivilege; +LUID SeRemoteShutdownPrivilege; + + /* FUNCTIONS ***************************************************************/ +VOID +SepInitPrivileges(VOID) +{ + SeCreateTokenPrivilege.QuadPart = SE_CREATE_TOKEN_PRIVILEGE; + SeAssignPrimaryTokenPrivilege.QuadPart = SE_ASSIGNPRIMARYTOKEN_PRIVILEGE; + SeLockMemoryPrivilege.QuadPart = SE_LOCK_MEMORY_PRIVILEGE; + SeIncreaseQuotaPrivilege.QuadPart = SE_INCREASE_QUOTA_PRIVILEGE; + SeUnsolicitedInputPrivilege.QuadPart = SE_UNSOLICITED_INPUT_PRIVILEGE; + SeTcbPrivilege.QuadPart = SE_TCB_PRIVILEGE; + SeSecurityPrivilege.QuadPart = SE_SECURITY_PRIVILEGE; + SeTakeOwnershipPrivilege.QuadPart = SE_TAKE_OWNERSHIP_PRIVILEGE; + SeLoadDriverPrivilege.QuadPart = SE_LOAD_DRIVER_PRIVILEGE; + SeSystemProfilePrivilege.QuadPart = SE_SYSTEM_PROFILE_PRIVILEGE; + SeSystemtimePrivilege.QuadPart = SE_SYSTEMTIME_PRIVILEGE; + SeProfileSingleProcessPrivilege.QuadPart = SE_PROF_SINGLE_PROCESS_PRIVILEGE; + SeIncreaseBasePriorityPrivilege.QuadPart = SE_INC_BASE_PRIORITY_PRIVILEGE; + SeCreatePagefilePrivilege.QuadPart = SE_CREATE_PAGEFILE_PRIVILEGE; + SeCreatePermanentPrivilege.QuadPart = SE_CREATE_PERMANENT_PRIVILEGE; + SeBackupPrivilege.QuadPart = SE_BACKUP_PRIVILEGE; + SeRestorePrivilege.QuadPart = SE_RESTORE_PRIVILEGE; + SeShutdownPrivilege.QuadPart = SE_SHUTDOWN_PRIVILEGE; + SeDebugPrivilege.QuadPart = SE_DEBUG_PRIVILEGE; + SeAuditPrivilege.QuadPart = SE_AUDIT_PRIVILEGE; + SeSystemEnvironmentPrivilege.QuadPart = SE_SYSTEM_ENVIRONMENT_PRIVILEGE; + SeChangeNotifyPrivilege.QuadPart = SE_CHANGE_NOTIFY_PRIVILEGE; + SeRemoteShutdownPrivilege.QuadPart = SE_REMOTE_SHUTDOWN_PRIVILEGE; +} + + BOOLEAN SepPrivilegeCheck(PACCESS_TOKEN Token, PLUID_AND_ATTRIBUTES Privileges, ULONG PrivilegeCount, @@ -122,17 +180,19 @@ NTSTATUS SeCaptureLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Src, memmove(*Dest, Src, SrcLength); return(STATUS_SUCCESS); } - -VOID SeReleaseLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Privilege, - KPROCESSOR_MODE PreviousMode, - ULONG a) + +VOID +SeReleaseLuidAndAttributesArray(PLUID_AND_ATTRIBUTES Privilege, + KPROCESSOR_MODE PreviousMode, + ULONG a) { ExFreePool(Privilege); } -NTSTATUS STDCALL NtPrivilegeCheck (IN HANDLE ClientToken, - IN PPRIVILEGE_SET RequiredPrivileges, - IN PBOOLEAN Result) +NTSTATUS STDCALL +NtPrivilegeCheck(IN HANDLE ClientToken, + IN PPRIVILEGE_SET RequiredPrivileges, + IN PBOOLEAN Result) { NTSTATUS Status; PACCESS_TOKEN Token; @@ -144,7 +204,7 @@ NTSTATUS STDCALL NtPrivilegeCheck (IN HANDLE ClientToken, Status = ObReferenceObjectByHandle(ClientToken, 0, - SeTokenType, + SepTokenObjectType, UserMode, (PVOID*)&Token, NULL); @@ -186,9 +246,10 @@ NTSTATUS STDCALL NtPrivilegeCheck (IN HANDLE ClientToken, return(STATUS_SUCCESS); } -BOOLEAN STDCALL SePrivilegeCheck(PPRIVILEGE_SET Privileges, - PSECURITY_SUBJECT_CONTEXT SubjectContext, - KPROCESSOR_MODE PreviousMode) +BOOLEAN STDCALL +SePrivilegeCheck(PPRIVILEGE_SET Privileges, + PSECURITY_SUBJECT_CONTEXT SubjectContext, + KPROCESSOR_MODE PreviousMode) { PACCESS_TOKEN Token = NULL; @@ -209,11 +270,12 @@ BOOLEAN STDCALL SePrivilegeCheck(PPRIVILEGE_SET Privileges, Privileges->Privilege, Privileges->PrivilegeCount, Privileges->Control, - PreviousMode)); + PreviousMode)); } -BOOLEAN STDCALL SeSinglePrivilegeCheck(LUID PrivilegeValue, - KPROCESSOR_MODE PreviousMode) +BOOLEAN STDCALL +SeSinglePrivilegeCheck(LUID PrivilegeValue, + KPROCESSOR_MODE PreviousMode) { SECURITY_SUBJECT_CONTEXT SubjectContext; BOOLEAN r; diff --git a/reactos/ntoskrnl/se/sd.c b/reactos/ntoskrnl/se/sd.c index 6665dacd2e8..ee80874b5a0 100644 --- a/reactos/ntoskrnl/se/sd.c +++ b/reactos/ntoskrnl/se/sd.c @@ -1,4 +1,4 @@ -/* $Id: sd.c,v 1.5 2001/12/05 01:40:25 dwelch Exp $ +/* $Id: sd.c,v 1.6 2002/02/20 20:15:38 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -12,11 +12,20 @@ /* INCLUDES *****************************************************************/ #include +#include #include + /* FUNCTIONS ***************************************************************/ +BOOLEAN +SepInitSDs(VOID) +{ + return(TRUE); +} + + NTSTATUS STDCALL RtlCreateSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor, ULONG Revision) diff --git a/reactos/ntoskrnl/se/semgr.c b/reactos/ntoskrnl/se/semgr.c index f1e8784b9a6..0bc0861a521 100644 --- a/reactos/ntoskrnl/se/semgr.c +++ b/reactos/ntoskrnl/se/semgr.c @@ -1,4 +1,4 @@ -/* $Id: semgr.c,v 1.17 2000/09/03 14:53:13 ekohl Exp $ +/* $Id: semgr.c,v 1.18 2002/02/20 20:15:38 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -13,10 +13,111 @@ #include #include +#include #include -/* FUNCTIONS ***************************************************************/ +#define TAG_SXPT TAG('S', 'X', 'P', 'T') + + +/* GLOBALS ******************************************************************/ + +PSE_EXPORTS EXPORTED SeExports = NULL; + + +/* PROTOTYPES ***************************************************************/ + +static BOOLEAN SepInitExports(VOID); + +/* FUNCTIONS ****************************************************************/ + + +BOOLEAN +SeInit1(VOID) +{ + SepInitLuid(); + + if (!SepInitSecurityIDs()) + return(FALSE); + + if (!SepInitDACLs()) + return(FALSE); + + if (!SepInitSDs()) + return(FALSE); + + SepInitPrivileges(); + + if (!SepInitExports()) + return(FALSE); + + return(TRUE); +} + + +BOOLEAN +SeInit2(VOID) +{ + return TRUE; +} + + +static BOOLEAN +SepInitExports(VOID) +{ + SeExports = ExAllocatePoolWithTag(NonPagedPool, + sizeof(SE_EXPORTS), + TAG_SXPT); + if (SeExports == NULL) + return(FALSE); + + SeExports->SeCreateTokenPrivilege = SeCreateTokenPrivilege; + SeExports->SeAssignPrimaryTokenPrivilege = SeAssignPrimaryTokenPrivilege; + SeExports->SeLockMemoryPrivilege = SeLockMemoryPrivilege; + SeExports->SeIncreaseQuotaPrivilege = SeIncreaseQuotaPrivilege; + SeExports->SeUnsolicitedInputPrivilege = SeUnsolicitedInputPrivilege; + SeExports->SeTcbPrivilege = SeTcbPrivilege; + SeExports->SeSecurityPrivilege = SeSecurityPrivilege; + SeExports->SeTakeOwnershipPrivilege = SeTakeOwnershipPrivilege; + SeExports->SeLoadDriverPrivilege = SeLoadDriverPrivilege; + SeExports->SeCreatePagefilePrivilege = SeCreatePagefilePrivilege; + SeExports->SeIncreaseBasePriorityPrivilege = SeIncreaseBasePriorityPrivilege; + SeExports->SeSystemProfilePrivilege = SeSystemProfilePrivilege; + SeExports->SeSystemtimePrivilege = SeSystemtimePrivilege; + SeExports->SeProfileSingleProcessPrivilege = SeProfileSingleProcessPrivilege; + SeExports->SeCreatePermanentPrivilege = SeCreatePermanentPrivilege; + SeExports->SeBackupPrivilege = SeBackupPrivilege; + SeExports->SeRestorePrivilege = SeRestorePrivilege; + SeExports->SeShutdownPrivilege = SeShutdownPrivilege; + SeExports->SeDebugPrivilege = SeDebugPrivilege; + SeExports->SeAuditPrivilege = SeAuditPrivilege; + SeExports->SeSystemEnvironmentPrivilege = SeSystemEnvironmentPrivilege; + SeExports->SeChangeNotifyPrivilege = SeChangeNotifyPrivilege; + SeExports->SeRemoteShutdownPrivilege = SeRemoteShutdownPrivilege; + + SeExports->SeNullSid = SeNullSid; + SeExports->SeWorldSid = SeWorldSid; + SeExports->SeLocalSid = SeLocalSid; + SeExports->SeCreatorOwnerSid = SeCreatorOwnerSid; + SeExports->SeCreatorGroupSid = SeCreatorGroupSid; + SeExports->SeNtAuthoritySid = SeNtAuthoritySid; + SeExports->SeDialupSid = SeDialupSid; + SeExports->SeNetworkSid = SeNetworkSid; + SeExports->SeBatchSid = SeBatchSid; + SeExports->SeInteractiveSid = SeInteractiveSid; + SeExports->SeLocalSystemSid = SeLocalSystemSid; + SeExports->SeAliasAdminsSid = SeAliasAdminsSid; + SeExports->SeAliasUsersSid = SeAliasUsersSid; + SeExports->SeAliasGuestsSid = SeAliasGuestsSid; + SeExports->SeAliasPowerUsersSid = SeAliasPowerUsersSid; + SeExports->SeAliasAccountOpsSid = SeAliasAccountOpsSid; + SeExports->SeAliasSystemOpsSid = SeAliasSystemOpsSid; + SeExports->SeAliasPrintOpsSid = SeAliasPrintOpsSid; + SeExports->SeAliasBackupOpsSid = SeAliasBackupOpsSid; + + return(TRUE); +} + VOID SepReferenceLogonSession(PLUID AuthenticationId) { @@ -28,109 +129,99 @@ VOID SepDeReferenceLogonSession(PLUID AuthenticationId) UNIMPLEMENTED; } -NTSTATUS STDCALL NtPrivilegedServiceAuditAlarm( - IN PUNICODE_STRING SubsystemName, - IN PUNICODE_STRING ServiceName, - IN HANDLE ClientToken, - IN PPRIVILEGE_SET Privileges, - IN BOOLEAN AccessGranted) +NTSTATUS STDCALL +NtPrivilegedServiceAuditAlarm(IN PUNICODE_STRING SubsystemName, + IN PUNICODE_STRING ServiceName, + IN HANDLE ClientToken, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted) { - UNIMPLEMENTED; + UNIMPLEMENTED; } -NTSTATUS -STDCALL -NtPrivilegeObjectAuditAlarm ( - IN PUNICODE_STRING SubsystemName, - IN PVOID HandleId, - IN HANDLE ClientToken, - IN ULONG DesiredAccess, - IN PPRIVILEGE_SET Privileges, - IN BOOLEAN AccessGranted +NTSTATUS STDCALL +NtPrivilegeObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN HANDLE ClientToken, + IN ULONG DesiredAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted) +{ + UNIMPLEMENTED; +} + + +NTSTATUS STDCALL +NtOpenObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ClientToken, + IN ULONG DesiredAccess, + IN ULONG GrantedAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN ObjectCreation, + IN BOOLEAN AccessGranted, + OUT PBOOLEAN GenerateOnClose) +{ + UNIMPLEMENTED; +} + + +NTSTATUS STDCALL +NtAccessCheckAndAuditAlarm(IN PUNICODE_STRING SubsystemName, + IN PHANDLE ObjectHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PULONG GrantedAccess, + OUT PBOOLEAN AccessStatus, + OUT PBOOLEAN GenerateOnClose ) { - UNIMPLEMENTED; + UNIMPLEMENTED; } -NTSTATUS -STDCALL -NtOpenObjectAuditAlarm ( - IN PUNICODE_STRING SubsystemName, - IN PVOID HandleId, - IN POBJECT_ATTRIBUTES ObjectAttributes, - IN HANDLE ClientToken, - IN ULONG DesiredAccess, - IN ULONG GrantedAccess, - IN PPRIVILEGE_SET Privileges, - IN BOOLEAN ObjectCreation, - IN BOOLEAN AccessGranted, - OUT PBOOLEAN GenerateOnClose - ) +NTSTATUS STDCALL +NtAllocateUuids(PULARGE_INTEGER Time, + PULONG Range, + PULONG Sequence) { - UNIMPLEMENTED; -} - -NTSTATUS -STDCALL -NtAccessCheckAndAuditAlarm ( - IN PUNICODE_STRING SubsystemName, - IN PHANDLE ObjectHandle, - IN POBJECT_ATTRIBUTES ObjectAttributes, - IN ACCESS_MASK DesiredAccess, - IN PGENERIC_MAPPING GenericMapping, - IN BOOLEAN ObjectCreation, - OUT PULONG GrantedAccess, - OUT PBOOLEAN AccessStatus, - OUT PBOOLEAN GenerateOnClose - ) -{ - UNIMPLEMENTED; + UNIMPLEMENTED; } -NTSTATUS -STDCALL -NtAllocateUuids ( - PULARGE_INTEGER Time, - PULONG Range, - PULONG Sequence - ) +NTSTATUS STDCALL +NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN BOOLEAN GenerateOnClose) { - UNIMPLEMENTED; + UNIMPLEMENTED; } -NTSTATUS STDCALL NtCloseObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, - IN PVOID HandleId, - IN BOOLEAN GenerateOnClose) +NTSTATUS STDCALL +NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + OUT PULONG ReturnLength, + OUT PULONG GrantedAccess, + OUT PBOOLEAN AccessStatus) { - UNIMPLEMENTED; -} - -NTSTATUS STDCALL NtAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, - IN HANDLE ClientToken, - IN ACCESS_MASK DesiredAccess, - IN PGENERIC_MAPPING GenericMapping, - OUT PPRIVILEGE_SET PrivilegeSet, - OUT PULONG ReturnLength, - OUT PULONG GrantedAccess, - OUT PBOOLEAN AccessStatus) -{ - UNIMPLEMENTED; + UNIMPLEMENTED; } -NTSTATUS -STDCALL -NtDeleteObjectAuditAlarm ( - IN PUNICODE_STRING SubsystemName, - IN PVOID HandleId, - IN BOOLEAN GenerateOnClose - ) +NTSTATUS STDCALL +NtDeleteObjectAuditAlarm(IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId, + IN BOOLEAN GenerateOnClose) { - UNIMPLEMENTED; + UNIMPLEMENTED; } @@ -160,17 +251,20 @@ VOID STDCALL SeCaptureSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext) &SubjectContext->ImpersonationLevel); SubjectContext->PrimaryToken = PsReferencePrimaryToken(Process); } - -NTSTATUS STDCALL SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor) + + +NTSTATUS STDCALL +SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor) { - if ((*SecurityDescriptor) != NULL) - { - ExFreePool(*SecurityDescriptor); - (*SecurityDescriptor) = NULL; - } - return(STATUS_SUCCESS); + if ((*SecurityDescriptor) != NULL) + { + ExFreePool(*SecurityDescriptor); + (*SecurityDescriptor) = NULL; + } + return(STATUS_SUCCESS); } + #if 0 VOID SepGetDefaultsSubjectContext(PSECURITY_SUBJECT_CONTEXT SubjectContext, PSID* Owner, @@ -219,13 +313,14 @@ NTSTATUS SepInheritAcl(PACL Acl, } #endif -NTSTATUS STDCALL SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor, - PSECURITY_DESCRIPTOR ExplicitDescriptor, - PSECURITY_DESCRIPTOR* NewDescriptor, - BOOLEAN IsDirectoryObject, - PSECURITY_SUBJECT_CONTEXT SubjectContext, - PGENERIC_MAPPING GenericMapping, - POOL_TYPE PoolType) +NTSTATUS STDCALL +SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor, + PSECURITY_DESCRIPTOR ExplicitDescriptor, + PSECURITY_DESCRIPTOR* NewDescriptor, + BOOLEAN IsDirectoryObject, + PSECURITY_SUBJECT_CONTEXT SubjectContext, + PGENERIC_MAPPING GenericMapping, + POOL_TYPE PoolType) { #if 0 PSECURITY_DESCRIPTOR Descriptor; @@ -308,16 +403,18 @@ BOOLEAN SepSidInToken(PACCESS_TOKEN Token, return(FALSE); } -BOOLEAN STDCALL SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, - IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, - IN BOOLEAN SubjectContextLocked, - IN ACCESS_MASK DesiredAccess, - IN ACCESS_MASK PreviouslyGrantedAccess, - OUT PPRIVILEGE_SET* Privileges, - IN PGENERIC_MAPPING GenericMapping, - IN KPROCESSOR_MODE AccessMode, - OUT PACCESS_MODE GrantedAccess, - OUT PNTSTATUS AccessStatus) + +BOOLEAN STDCALL +SeAccessCheck(IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, + IN BOOLEAN SubjectContextLocked, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK PreviouslyGrantedAccess, + OUT PPRIVILEGE_SET* Privileges, + IN PGENERIC_MAPPING GenericMapping, + IN KPROCESSOR_MODE AccessMode, + OUT PACCESS_MODE GrantedAccess, + OUT PNTSTATUS AccessStatus) /* * FUNCTION: Determines whether the requested access rights can be granted * to an object protected by a security descriptor and an object owner @@ -380,7 +477,7 @@ BOOLEAN STDCALL SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, if (SepSidInToken(SubjectSecurityContext->ClientToken, Sid)) { CurrentAccess = CurrentAccess | - CurrentAce->Header.AccessMask; + CurrentAce->Header.AccessMask; } } } diff --git a/reactos/ntoskrnl/se/sid.c b/reactos/ntoskrnl/se/sid.c index 3d84bce1435..7a65fed36b9 100644 --- a/reactos/ntoskrnl/se/sid.c +++ b/reactos/ntoskrnl/se/sid.c @@ -1,4 +1,4 @@ -/* $Id: sid.c,v 1.7 2001/02/19 15:04:51 dwelch Exp $ +/* $Id: sid.c,v 1.8 2002/02/20 20:15:38 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -12,13 +12,464 @@ /* INCLUDES *****************************************************************/ #include -#include +#include #include -/* FUNCTIONS ***************************************************************/ +#define TAG_SID TAG('S', 'I', 'D', 'T') -BOOLEAN STDCALL RtlValidSid (PSID Sid) + +/* GLOBALS ******************************************************************/ + +SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY}; +SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY}; +SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority = {SECURITY_LOCAL_SID_AUTHORITY}; +SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY}; +SID_IDENTIFIER_AUTHORITY SeNtSidAuthority = {SECURITY_NT_AUTHORITY}; + +PSID SeNullSid = NULL; +PSID SeWorldSid = NULL; +PSID SeLocalSid = NULL; +PSID SeCreatorOwnerSid = NULL; +PSID SeCreatorGroupSid = NULL; +PSID SeCreatorOwnerServerSid = NULL; +PSID SeCreatorGroupServerSid = NULL; +PSID SeNtAuthoritySid = NULL; +PSID SeDialupSid = NULL; +PSID SeNetworkSid = NULL; +PSID SeBatchSid = NULL; +PSID SeInteractiveSid = NULL; +PSID SeServiceSid = NULL; +PSID SeAnonymousLogonSid = NULL; +PSID SePrincipalSelfSid = NULL; +PSID SeLocalSystemSid = NULL; +PSID SeAuthenticatedUserSid = NULL; +PSID SeRestrictedCodeSid = NULL; +PSID SeAliasAdminsSid = NULL; +PSID SeAliasUsersSid = NULL; +PSID SeAliasGuestsSid = NULL; +PSID SeAliasPowerUsersSid = NULL; +PSID SeAliasAccountOpsSid = NULL; +PSID SeAliasSystemOpsSid = NULL; +PSID SeAliasPrintOpsSid = NULL; +PSID SeAliasBackupOpsSid = NULL; + + +/* FUNCTIONS ****************************************************************/ + + +BOOLEAN +SepInitSecurityIDs(VOID) +{ + ULONG SidLength0; + ULONG SidLength1; + ULONG SidLength2; + PULONG SubAuthority; + + SidLength0 = RtlLengthRequiredSid(0); + SidLength1 = RtlLengthRequiredSid(1); + SidLength2 = RtlLengthRequiredSid(2); + + /* create NullSid */ + SeNullSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeNullSid == NULL) + return(FALSE); + + RtlInitializeSid(SeNullSid, + &SeNullSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeNullSid, + 0); + *SubAuthority = SECURITY_NULL_RID; + + /* create WorldSid */ + SeWorldSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeWorldSid == NULL) + return(FALSE); + + RtlInitializeSid(SeWorldSid, + &SeWorldSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeWorldSid, + 0); + *SubAuthority = SECURITY_WORLD_RID; + + /* create LocalSid */ + SeLocalSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeLocalSid == NULL) + return(FALSE); + + RtlInitializeSid(SeLocalSid, + &SeLocalSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeLocalSid, + 0); + *SubAuthority = SECURITY_LOCAL_RID; + + /* create CreatorOwnerSid */ + SeCreatorOwnerSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeCreatorOwnerSid == NULL) + return(FALSE); + + RtlInitializeSid(SeCreatorOwnerSid, + &SeCreatorSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerSid, + 0); + *SubAuthority = SECURITY_CREATOR_OWNER_RID; + + /* create CreatorGroupSid */ + SeCreatorGroupSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeCreatorGroupSid == NULL) + return(FALSE); + + RtlInitializeSid(SeCreatorGroupSid, + &SeCreatorSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeCreatorGroupSid, + 0); + *SubAuthority = SECURITY_CREATOR_GROUP_RID; + + /* create CreatorOwnerServerSid */ + SeCreatorOwnerServerSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeCreatorOwnerServerSid == NULL) + return(FALSE); + + RtlInitializeSid(SeCreatorOwnerServerSid, + &SeCreatorSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerServerSid, + 0); + *SubAuthority = SECURITY_CREATOR_OWNER_SERVER_RID; + + /* create CreatorGroupServerSid */ + SeCreatorGroupServerSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeCreatorGroupServerSid == NULL) + return(FALSE); + + RtlInitializeSid(SeCreatorGroupServerSid, + &SeCreatorSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeCreatorGroupServerSid, + 0); + *SubAuthority = SECURITY_CREATOR_GROUP_SERVER_RID; + + + /* create NtAuthoritySid */ + SeNtAuthoritySid = ExAllocatePoolWithTag(NonPagedPool, + SidLength0, + TAG_SID); + if (SeNtAuthoritySid == NULL) + return(FALSE); + + RtlInitializeSid(SeNtAuthoritySid, + &SeNtSidAuthority, + 0); + + /* create DialupSid */ + SeDialupSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeDialupSid == NULL) + return(FALSE); + + RtlInitializeSid(SeDialupSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeDialupSid, + 0); + *SubAuthority = SECURITY_DIALUP_RID; + + /* create NetworkSid */ + SeNetworkSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeNetworkSid == NULL) + return(FALSE); + + RtlInitializeSid(SeNetworkSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeNetworkSid, + 0); + *SubAuthority = SECURITY_NETWORK_RID; + + /* create BatchSid */ + SeBatchSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeBatchSid == NULL) + return(FALSE); + + RtlInitializeSid(SeBatchSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeBatchSid, + 0); + *SubAuthority = SECURITY_BATCH_RID; + + /* create InteractiveSid */ + SeInteractiveSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeInteractiveSid == NULL) + return(FALSE); + + RtlInitializeSid(SeInteractiveSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeInteractiveSid, + 0); + *SubAuthority = SECURITY_INTERACTIVE_RID; + + /* create ServiceSid */ + SeServiceSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeServiceSid == NULL) + return(FALSE); + + RtlInitializeSid(SeServiceSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeServiceSid, + 0); + *SubAuthority = SECURITY_SERVICE_RID; + + /* create AnonymousLogonSid */ + SeAnonymousLogonSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeAnonymousLogonSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAnonymousLogonSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, + 0); + *SubAuthority = SECURITY_ANONYMOUS_LOGON_RID; + + /* create PrincipalSelfSid */ + SePrincipalSelfSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SePrincipalSelfSid == NULL) + return(FALSE); + + RtlInitializeSid(SePrincipalSelfSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SePrincipalSelfSid, + 0); + *SubAuthority = SECURITY_PRINCIPAL_SELF_RID; + + /* create LocalSystemSid */ + SeLocalSystemSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeLocalSystemSid == NULL) + return(FALSE); + + RtlInitializeSid(SeLocalSystemSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeLocalSystemSid, + 0); + *SubAuthority = SECURITY_LOCAL_SYSTEM_RID; + + /* create AuthenticatedUserSid */ + SeAuthenticatedUserSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeAuthenticatedUserSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAuthenticatedUserSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUserSid, + 0); + *SubAuthority = SECURITY_AUTHENTICATED_USER_RID; + + /* create RestrictedCodeSid */ + SeRestrictedCodeSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength1, + TAG_SID); + if (SeRestrictedCodeSid == NULL) + return(FALSE); + + RtlInitializeSid(SeRestrictedCodeSid, + &SeNtSidAuthority, + 1); + SubAuthority = RtlSubAuthoritySid(SeRestrictedCodeSid, + 0); + *SubAuthority = SECURITY_RESTRICTED_CODE_RID; + + /* create AliasAdminsSid */ + SeAliasAdminsSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength2, + TAG_SID); + if (SeAliasAdminsSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAliasAdminsSid, + &SeNtSidAuthority, + 2); + SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, + 0); + *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; + + SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, + 1); + *SubAuthority = DOMAIN_ALIAS_RID_ADMINS; + + /* create AliasUsersSid */ + SeAliasUsersSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength2, + TAG_SID); + if (SeAliasUsersSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAliasUsersSid, + &SeNtSidAuthority, + 2); + SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, + 0); + *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; + + SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, + 1); + *SubAuthority = DOMAIN_ALIAS_RID_USERS; + + /* create AliasGuestsSid */ + SeAliasGuestsSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength2, + TAG_SID); + if (SeAliasGuestsSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAliasGuestsSid, + &SeNtSidAuthority, + 2); + SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, + 0); + *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; + + SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, + 1); + *SubAuthority = DOMAIN_ALIAS_RID_GUESTS; + + /* create AliasPowerUsersSid */ + SeAliasPowerUsersSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength2, + TAG_SID); + if (SeAliasPowerUsersSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAliasPowerUsersSid, + &SeNtSidAuthority, + 2); + SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, + 0); + *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; + + SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, + 1); + *SubAuthority = DOMAIN_ALIAS_RID_POWER_USERS; + + /* create AliasAccountOpsSid */ + SeAliasAccountOpsSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength2, + TAG_SID); + if (SeAliasAccountOpsSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAliasAccountOpsSid, + &SeNtSidAuthority, + 2); + SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, + 0); + *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; + + SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, + 1); + *SubAuthority = DOMAIN_ALIAS_RID_ACCOUNT_OPS; + + /* create AliasSystemOpsSid */ + SeAliasSystemOpsSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength2, + TAG_SID); + if (SeAliasSystemOpsSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAliasSystemOpsSid, + &SeNtSidAuthority, + 2); + SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, + 0); + *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; + + SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, + 1); + *SubAuthority = DOMAIN_ALIAS_RID_SYSTEM_OPS; + + /* create AliasPrintOpsSid */ + SeAliasPrintOpsSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength2, + TAG_SID); + if (SeAliasPrintOpsSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAliasPrintOpsSid, + &SeNtSidAuthority, + 2); + SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, + 0); + *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; + + SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, + 1); + *SubAuthority = DOMAIN_ALIAS_RID_PRINT_OPS; + + /* create AliasBackupOpsSid */ + SeAliasBackupOpsSid = ExAllocatePoolWithTag(NonPagedPool, + SidLength2, + TAG_SID); + if (SeAliasBackupOpsSid == NULL) + return(FALSE); + + RtlInitializeSid(SeAliasBackupOpsSid, + &SeNtSidAuthority, + 2); + SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, + 0); + *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID; + + SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, + 1); + *SubAuthority = DOMAIN_ALIAS_RID_BACKUP_OPS; + + return(TRUE); +} + + +BOOLEAN STDCALL +RtlValidSid(PSID Sid) { if ((Sid->Revision & 0xf) != 1) { @@ -31,33 +482,46 @@ BOOLEAN STDCALL RtlValidSid (PSID Sid) return(TRUE); } -ULONG STDCALL RtlLengthRequiredSid (UCHAR SubAuthorityCount) + +ULONG STDCALL +RtlLengthRequiredSid(UCHAR SubAuthorityCount) { - return(sizeof(SID) + (SubAuthorityCount - 1) * sizeof(ULONG)); + return(sizeof(SID) + (SubAuthorityCount - 1) * sizeof(ULONG)); } -NTSTATUS STDCALL RtlInitializeSid (PSID Sid, - PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, - UCHAR SubAuthorityCount) + +NTSTATUS STDCALL +RtlInitializeSid(PSID Sid, + PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, + UCHAR SubAuthorityCount) { - Sid->Revision = 1; - Sid->SubAuthorityCount = SubAuthorityCount; - memcpy(&Sid->IdentifierAuthority, IdentifierAuthority, - sizeof(SID_IDENTIFIER_AUTHORITY)); - return(STATUS_SUCCESS); + Sid->Revision = 1; + Sid->SubAuthorityCount = SubAuthorityCount; + RtlCopyMemory(&Sid->IdentifierAuthority, + IdentifierAuthority, + sizeof(SID_IDENTIFIER_AUTHORITY)); + return(STATUS_SUCCESS); } -PULONG STDCALL RtlSubAuthoritySid (PSID Sid, ULONG SubAuthority) + +PULONG STDCALL +RtlSubAuthoritySid(PSID Sid, + ULONG SubAuthority) { - return(&Sid->SubAuthority[SubAuthority]); + return(&Sid->SubAuthority[SubAuthority]); } -PUCHAR STDCALL RtlSubAuthorityCountSid (PSID Sid) + +PUCHAR STDCALL +RtlSubAuthorityCountSid (PSID Sid) { - return(&Sid->SubAuthorityCount); + return(&Sid->SubAuthorityCount); } -BOOLEAN STDCALL RtlEqualSid (PSID Sid1, PSID Sid2) + +BOOLEAN STDCALL +RtlEqualSid(PSID Sid1, + PSID Sid2) { if (Sid1->Revision != Sid2->Revision) { @@ -75,12 +539,18 @@ BOOLEAN STDCALL RtlEqualSid (PSID Sid1, PSID Sid2) return(TRUE); } -ULONG STDCALL RtlLengthSid (PSID Sid) + +ULONG STDCALL +RtlLengthSid(PSID Sid) { - return(sizeof(SID) + (Sid->SubAuthorityCount-1)*4); + return(sizeof(SID) + (Sid->SubAuthorityCount-1)*4); } -NTSTATUS STDCALL RtlCopySid (ULONG BufferLength, PSID Dest, PSID Src) + +NTSTATUS STDCALL +RtlCopySid(ULONG BufferLength, + PSID Dest, + PSID Src) { if (BufferLength < RtlLengthSid(Src)) { @@ -90,6 +560,7 @@ NTSTATUS STDCALL RtlCopySid (ULONG BufferLength, PSID Dest, PSID Src) return(STATUS_SUCCESS); } + NTSTATUS STDCALL RtlConvertSidToUnicodeString(PUNICODE_STRING String, PSID Sid, diff --git a/reactos/ntoskrnl/se/token.c b/reactos/ntoskrnl/se/token.c index b657595be38..1ec3390d345 100644 --- a/reactos/ntoskrnl/se/token.c +++ b/reactos/ntoskrnl/se/token.c @@ -1,4 +1,4 @@ -/* $Id: token.c,v 1.12 2001/12/05 01:40:25 dwelch Exp $ +/* $Id: token.c,v 1.13 2002/02/20 20:15:38 ekohl Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -14,13 +14,13 @@ #include #include #include -#include +#include #include /* GLOBALS *******************************************************************/ -POBJECT_TYPE EXPORTED SeTokenType = NULL; +POBJECT_TYPE SepTokenObjectType = NULL; static GENERIC_MAPPING SepTokenMapping = {TOKEN_READ, TOKEN_WRITE, @@ -58,7 +58,7 @@ NTSTATUS SeExchangePrimaryToken(PEPROCESS Process, NewToken->TokenInUse = 1; ObReferenceObjectByPointer(NewToken, TOKEN_ALL_ACCESS, - SeTokenType, + SepTokenObjectType, KernelMode); OldToken->TokenInUse = 0; *OldTokenP = OldToken; @@ -99,20 +99,18 @@ NTSTATUS SeCopyClientToken(PACCESS_TOKEN Token, return(Status); } -NTSTATUS -STDCALL -SeCreateClientSecurity ( - PETHREAD Thread, - PSECURITY_QUALITY_OF_SERVICE Qos, - ULONG e, - PSE_SOME_STRUCT2 f - ) + +NTSTATUS STDCALL +SeCreateClientSecurity(IN struct _ETHREAD *Thread, + IN PSECURITY_QUALITY_OF_SERVICE Qos, + IN BOOLEAN RemoteClient, + OUT PSECURITY_CLIENT_CONTEXT ClientContext) { TOKEN_TYPE TokenType; UCHAR b; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; PACCESS_TOKEN Token; - ULONG g; + ULONG g; PACCESS_TOKEN NewToken; Token = PsReferenceEffectiveToken(Thread, @@ -121,7 +119,7 @@ SeCreateClientSecurity ( &ImpersonationLevel); if (TokenType != 2) { - f->Unknown9 = Qos->EffectiveOnly; + ClientContext->DirectAccessEffectiveOnly = Qos->EffectiveOnly; } else { @@ -135,7 +133,7 @@ SeCreateClientSecurity ( } if (ImpersonationLevel == 0 || ImpersonationLevel == 1 || - (e != 0 && ImpersonationLevel != 3)) + (RemoteClient != FALSE && ImpersonationLevel != 3)) { if (Token != NULL) { @@ -146,23 +144,23 @@ SeCreateClientSecurity ( if (b != 0 || Qos->EffectiveOnly != 0) { - f->Unknown9 = 1; + ClientContext->DirectAccessEffectiveOnly = TRUE; } else { - f->Unknown9 = 0; - } + ClientContext->DirectAccessEffectiveOnly = FALSE; + } } if (Qos->ContextTrackingMode == 0) { - f->Unknown8 = 0; + ClientContext->DirectlyAccessClientToken = FALSE; g = SeCopyClientToken(Token, ImpersonationLevel, 0, &NewToken); if (g >= 0) { // ObDeleteCapturedInsertInfo(NewToken); } - if (TokenType == TokenPrimary || Token != NULL) + if (TokenType == TokenPrimary || Token != NULL) { ObDereferenceObject(Token); } @@ -170,90 +168,88 @@ SeCreateClientSecurity ( { return(g); } - } - else - { - f->Unknown8 = 1; - if (e != 0) + } + else + { + ClientContext->DirectlyAccessClientToken = TRUE; + if (RemoteClient != FALSE) { -// SeGetTokenControlInformation(Token, &f->Unknown11); +// SeGetTokenControlInformation(Token, &ClientContext->Unknown11); } NewToken = Token; - } - f->Unknown1 = 0xc; - f->Level = Qos->ImpersonationLevel; - f->ContextTrackingMode = Qos->ContextTrackingMode; - f->EffectiveOnly = Qos->EffectiveOnly; - f->Unknown10 = e; - f->Token = NewToken; - - return(STATUS_SUCCESS); + } + ClientContext->SecurityQos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE); + ClientContext->SecurityQos.ImpersonationLevel = Qos->ImpersonationLevel; + ClientContext->SecurityQos.ContextTrackingMode = Qos->ContextTrackingMode; + ClientContext->SecurityQos.EffectiveOnly = Qos->EffectiveOnly; + ClientContext->ServerIsRemote = RemoteClient; + ClientContext->Token = NewToken; + + return(STATUS_SUCCESS); +} + + +VOID STDCALL +SeImpersonateClient(IN PSECURITY_CLIENT_CONTEXT ClientContext, + IN PETHREAD ServerThread OPTIONAL) +{ + UCHAR b; + + if (ClientContext->DirectlyAccessClientToken == FALSE) + { + b = ClientContext->SecurityQos.EffectiveOnly; + } + else + { + b = ClientContext->DirectAccessEffectiveOnly; + } + if (ServerThread == NULL) + { + ServerThread = PsGetCurrentThread(); + } + PsImpersonateClient(ServerThread, + ClientContext->Token, + 1, + (ULONG)b, + ClientContext->SecurityQos.ImpersonationLevel); } VOID -STDCALL -SeImpersonateClient ( - PSE_SOME_STRUCT2 a, - PETHREAD Thread - ) +SeInitializeTokenManager(VOID) { - UCHAR b; - - if (a->Unknown8 == 0) - { - b = a->EffectiveOnly; - } - else - { - b = a->Unknown9; - } - if (Thread == NULL) - { - Thread = PsGetCurrentThread(); - } - PsImpersonateClient(Thread, - a->Token, - 1, - (ULONG)b, - a->Level); + SepTokenObjectType = ExAllocatePool(NonPagedPool, sizeof(OBJECT_TYPE)); + + SepTokenObjectType->Tag = TAG('T', 'O', 'K', 'T'); + SepTokenObjectType->MaxObjects = ULONG_MAX; + SepTokenObjectType->MaxHandles = ULONG_MAX; + SepTokenObjectType->TotalObjects = 0; + SepTokenObjectType->TotalHandles = 0; + SepTokenObjectType->PagedPoolCharge = 0; + SepTokenObjectType->NonpagedPoolCharge = sizeof(ACCESS_TOKEN); + SepTokenObjectType->Mapping = &SepTokenMapping; + SepTokenObjectType->Dump = NULL; + SepTokenObjectType->Open = NULL; + SepTokenObjectType->Close = NULL; + SepTokenObjectType->Delete = NULL; + SepTokenObjectType->Parse = NULL; + SepTokenObjectType->Security = NULL; + SepTokenObjectType->QueryName = NULL; + SepTokenObjectType->OkayToClose = NULL; + SepTokenObjectType->Create = NULL; + SepTokenObjectType->DuplicationNotify = NULL; + RtlCreateUnicodeString(&SepTokenObjectType->TypeName, + L"Token"); } -VOID SeInitializeTokenManager(VOID) -{ - UNICODE_STRING TypeName; - - RtlInitUnicodeString(&TypeName, L"Token"); - - SeTokenType = ExAllocatePool(NonPagedPool, sizeof(OBJECT_TYPE)); - - SeTokenType->Tag = TAG('T', 'O', 'K', 'T'); - SeTokenType->MaxObjects = ULONG_MAX; - SeTokenType->MaxHandles = ULONG_MAX; - SeTokenType->TotalObjects = 0; - SeTokenType->TotalHandles = 0; - SeTokenType->PagedPoolCharge = 0; - SeTokenType->NonpagedPoolCharge = 0; - SeTokenType->Mapping = &SepTokenMapping; - SeTokenType->Dump = NULL; - SeTokenType->Open = NULL; - SeTokenType->Close = NULL; - SeTokenType->Delete = NULL; - SeTokenType->Parse = NULL; - SeTokenType->Security = NULL; - SeTokenType->QueryName = NULL; - SeTokenType->OkayToClose = NULL; - SeTokenType->Create = NULL; - SeTokenType->DuplicationNotify = NULL; -} - -NTSTATUS RtlCopySidAndAttributesArray(ULONG Count, // ebp + 8 - PSID_AND_ATTRIBUTES Src, // ebp + C - ULONG MaxLength, // ebp + 10 - PSID_AND_ATTRIBUTES Dest, // ebp + 14 - PVOID e, // ebp + 18 - PVOID* f, // ebp + 1C - PULONG g) // ebp + 20 +NTSTATUS +RtlCopySidAndAttributesArray(ULONG Count, // ebp + 8 + PSID_AND_ATTRIBUTES Src, // ebp + C + ULONG MaxLength, // ebp + 10 + PSID_AND_ATTRIBUTES Dest, // ebp + 14 + PVOID e, // ebp + 18 + PVOID* f, // ebp + 1C + PULONG g) // ebp + 20 { ULONG Length; // ebp - 4 ULONG i; @@ -277,12 +273,13 @@ NTSTATUS RtlCopySidAndAttributesArray(ULONG Count, // ebp + 8 return(STATUS_SUCCESS); } -NTSTATUS STDCALL NtQueryInformationToken(IN HANDLE TokenHandle, - IN TOKEN_INFORMATION_CLASS - TokenInformationClass, - OUT PVOID TokenInformation, - IN ULONG TokenInformationLength, - OUT PULONG ReturnLength) + +NTSTATUS STDCALL +NtQueryInformationToken(IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength, + OUT PULONG ReturnLength) { NTSTATUS Status; PACCESS_TOKEN Token; @@ -294,7 +291,7 @@ NTSTATUS STDCALL NtQueryInformationToken(IN HANDLE TokenHandle, Status = ObReferenceObjectByHandle(TokenHandle, 0, - SeTokenType, + SepTokenObjectType, UserMode, (PVOID*)&Token, NULL); @@ -340,7 +337,7 @@ NTSTATUS STDCALL NtQueryInformationToken(IN HANDLE TokenHandle, } break; - case TokenPrivileges: + case TokenPrivileges: break; case TokenOwner: @@ -400,27 +397,23 @@ NTSTATUS STDCALL NtQueryInformationToken(IN HANDLE TokenHandle, } - - -NTSTATUS -STDCALL -NtSetInformationToken( - IN HANDLE TokenHandle, - IN TOKEN_INFORMATION_CLASS TokenInformationClass, - OUT PVOID TokenInformation, - IN ULONG TokenInformationLength - ) +NTSTATUS STDCALL +NtSetInformationToken(IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength) { - UNIMPLEMENTED; + UNIMPLEMENTED; } -NTSTATUS STDCALL NtDuplicateToken(IN HANDLE ExistingTokenHandle, - IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes, - IN SECURITY_IMPERSONATION_LEVEL - ImpersonationLevel, - IN TOKEN_TYPE TokenType, - OUT PHANDLE NewTokenHandle) + +NTSTATUS STDCALL +NtDuplicateToken(IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, + IN TOKEN_TYPE TokenType, + OUT PHANDLE NewTokenHandle) { #if 0 PACCESS_TOKEN Token; @@ -430,7 +423,7 @@ NTSTATUS STDCALL NtDuplicateToken(IN HANDLE ExistingTokenHandle, Status = ObReferenceObjectByHandle(ExistingTokenHandle, ?, - SeTokenType, + SepTokenObjectType, UserMode, (PVOID*)&Token, NULL); @@ -462,12 +455,14 @@ VOID SepAdjustGroups(PACCESS_TOKEN Token, UNIMPLEMENTED; } -NTSTATUS STDCALL NtAdjustGroupsToken(IN HANDLE TokenHandle, - IN BOOLEAN ResetToDefault, - IN PTOKEN_GROUPS NewState, - IN ULONG BufferLength, - OUT PTOKEN_GROUPS PreviousState OPTIONAL, - OUT PULONG ReturnLength) + +NTSTATUS STDCALL +NtAdjustGroupsToken(IN HANDLE TokenHandle, + IN BOOLEAN ResetToDefault, + IN PTOKEN_GROUPS NewState, + IN ULONG BufferLength, + OUT PTOKEN_GROUPS PreviousState OPTIONAL, + OUT PULONG ReturnLength) { #if 0 NTSTATUS Status; @@ -478,7 +473,7 @@ NTSTATUS STDCALL NtAdjustGroupsToken(IN HANDLE TokenHandle, Status = ObReferenceObjectByHandle(TokenHandle, ?, - SeTokenType, + SepTokenObjectType, UserMode, (PVOID*)&Token, NULL); @@ -499,6 +494,7 @@ NTSTATUS STDCALL NtAdjustGroupsToken(IN HANDLE TokenHandle, #endif } + #if 0 NTSTATUS SepAdjustPrivileges(PACCESS_TOKEN Token, // 0x8 ULONG a, // 0xC @@ -552,13 +548,15 @@ NTSTATUS SepAdjustPrivileges(PACCESS_TOKEN Token, // 0x8 if ( } #endif - -NTSTATUS STDCALL NtAdjustPrivilegesToken(IN HANDLE TokenHandle, - IN BOOLEAN DisableAllPrivileges, - IN PTOKEN_PRIVILEGES NewState, - IN ULONG BufferLength, - OUT PTOKEN_PRIVILEGES PreviousState, - OUT PULONG ReturnLength) + + +NTSTATUS STDCALL +NtAdjustPrivilegesToken(IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN PTOKEN_PRIVILEGES NewState, + IN ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState, + OUT PULONG ReturnLength) { #if 0 ULONG PrivilegeCount; @@ -593,19 +591,20 @@ NTSTATUS STDCALL NtAdjustPrivilegesToken(IN HANDLE TokenHandle, #endif } -NTSTATUS STDCALL NtCreateToken(OUT PHANDLE TokenHandle, - IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes, - IN TOKEN_TYPE TokenType, - IN PLUID AuthenticationId, - IN PLARGE_INTEGER ExpirationTime, - IN PTOKEN_USER TokenUser, - IN PTOKEN_GROUPS TokenGroups, - IN PTOKEN_PRIVILEGES TokenPrivileges, - IN PTOKEN_OWNER TokenOwner, - IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup, - IN PTOKEN_DEFAULT_DACL TokenDefaultDacl, - IN PTOKEN_SOURCE TokenSource) +NTSTATUS STDCALL +NtCreateToken(OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER TokenUser, + IN PTOKEN_GROUPS TokenGroups, + IN PTOKEN_PRIVILEGES TokenPrivileges, + IN PTOKEN_OWNER TokenOwner, + IN PTOKEN_PRIMARY_GROUP TokenPrimaryGroup, + IN PTOKEN_DEFAULT_DACL TokenDefaultDacl, + IN PTOKEN_SOURCE TokenSource) { #if 0 PACCESS_TOKEN AccessToken; @@ -628,5 +627,10 @@ NTSTATUS STDCALL NtCreateToken(OUT PHANDLE TokenHandle, UNIMPLEMENTED; } +TOKEN_TYPE STDCALL +SeTokenType(IN PACCESS_TOKEN Token) +{ + return(Token->TokenType); +} /* EOF */