[LSASRV]

- Create and set a security descriptor for newly created secrets. svn path=/trunk/; revision=57742
2024-07-02 18:54:25 +00:00 · 2012-11-20 22:34:00 +00:00 · 2012-11-20 22:34:00 +00:00 · 949d0c4bed
parent bf98c11bae
commit 949d0c4bed
3 changed files with 197 additions and 0 deletions
--- a/reactos/dll/win32/lsasrv/lsarpc.c
+++ b/reactos/dll/win32/lsasrv/lsarpc.c
@ -767,6 +767,8 @@ NTSTATUS WINAPI LsarCreateSecret(
    PLSA_DB_OBJECT PolicyObject;
    PLSA_DB_OBJECT SecretObject = NULL;
    LARGE_INTEGER Time;
+    PSECURITY_DESCRIPTOR SecretSd = NULL;
+    ULONG SecretSdSize;
    NTSTATUS Status = STATUS_SUCCESS;

    /* Validate the PolicyHandle */
@ -788,6 +790,15 @@ NTSTATUS WINAPI LsarCreateSecret(
        goto done;
    }

+    /* Create a security descriptor for the secret */
+    Status = LsapCreateSecretSd(&SecretSd,
+                                &SecretSdSize);
+    if (!NT_SUCCESS(Status))
+    {
+        ERR("LsapCreateAccountSd returned 0x%08lx\n", Status);
+        return Status;
+    }
+
    /* Create the Secret object */
    Status = LsapCreateDbObject(PolicyObject,
                                L"Secrets",
@ -817,8 +828,22 @@ NTSTATUS WINAPI LsarCreateSecret(
                                    L"OldTime",
                                    (PVOID)&Time,
                                    sizeof(LARGE_INTEGER));
+    if (!NT_SUCCESS(Status))
+    {
+        ERR("LsapSetObjectAttribute (OldTime) failed (Status 0x%08lx)\n", Status);
+        goto done;
+    }
+
+    /* Set the SecDesc attribute */
+    Status = LsapSetObjectAttribute(SecretObject,
+                                    L"SecDesc",
+                                    SecretSd,
+                                    SecretSdSize);

 done:
+    if (SecretSd != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, SecretSd);
+
    if (!NT_SUCCESS(Status))
    {
        if (SecretObject != NULL)
--- a/reactos/dll/win32/lsasrv/lsasrv.h
+++ b/reactos/dll/win32/lsasrv/lsasrv.h
@ -236,4 +236,8 @@ NTSTATUS
 LsapCreateAccountSd(PSECURITY_DESCRIPTOR *AccountSd,
                    PULONG AccountSdSize);

+NTSTATUS
+LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd,
+                   PULONG SecretSdSize);
+
 /* EOF */
--- a/reactos/dll/win32/lsasrv/security.c
+++ b/reactos/dll/win32/lsasrv/security.c
@ -436,4 +436,172 @@ done:
    return Status;
 }

+
+NTSTATUS
+LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd,
+                   PULONG SecretSdSize)
+{
+    SECURITY_DESCRIPTOR AbsoluteSd;
+    PSECURITY_DESCRIPTOR RelativeSd = NULL;
+    ULONG RelativeSdSize = 0;
+    PSID AdministratorsSid = NULL;
+    PSID EveryoneSid = NULL;
+    PSID LocalSystemSid = NULL;
+    PACL Dacl = NULL;
+    ULONG DaclSize;
+    NTSTATUS Status;
+
+    if (SecretSd == NULL || SecretSdSize == NULL)
+        return STATUS_INVALID_PARAMETER;
+
+    *SecretSd = NULL;
+    *SecretSdSize = 0;
+
+    /* Initialize the SD */
+    Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
+                                         SECURITY_DESCRIPTOR_REVISION);
+    if (!NT_SUCCESS(Status))
+        return Status;
+
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         2,
+                                         SECURITY_BUILTIN_DOMAIN_RID,
+                                         DOMAIN_ALIAS_RID_ADMINS,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &AdministratorsSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
+                                         1,
+                                         SECURITY_WORLD_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &EveryoneSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         1,
+                                         SECURITY_LOCAL_SYSTEM_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &LocalSystemSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Allocate and initialize the DACL */
+    DaclSize = sizeof(ACL) +
+               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
+               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
+
+    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+                           HEAP_ZERO_MEMORY,
+                           DaclSize);
+    if (Dacl == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+        goto done;
+    }
+
+    Status = RtlCreateAcl(Dacl,
+                          DaclSize,
+                          ACL_REVISION);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    SECRET_ALL_ACCESS,
+                                    AdministratorsSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    SECRET_EXECUTE,
+                                    EveryoneSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
+                                          TRUE,
+                                          Dacl,
+                                          FALSE);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
+                                           LocalSystemSid,
+                                           FALSE);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
+                                           AdministratorsSid,
+                                           FALSE);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+                                         RelativeSd,
+                                         &RelativeSdSize);
+    if (Status != STATUS_BUFFER_TOO_SMALL)
+        goto done;
+
+    RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
+                                 HEAP_ZERO_MEMORY,
+                                 RelativeSdSize);
+    if (RelativeSd == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+        goto done;
+    }
+
+    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+                                         RelativeSd,
+                                         &RelativeSdSize);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    *SecretSd = RelativeSd;
+    *SecretSdSize = RelativeSdSize;
+
+done:
+    if (Dacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+    if (AdministratorsSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
+
+    if (EveryoneSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
+
+    if (LocalSystemSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
+
+    if (!NT_SUCCESS(Status))
+    {
+        if (RelativeSd != NULL)
+            RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
+    }
+
+    return Status;
+}
+
 /* EOF */