Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-05-29 14:08:22 +00:00
Code Issues Projects Releases Packages Wiki Activity

[SAMSRV]

Browse source 
Add security descriptors for the account and builtin domains.

svn path=/trunk/; revision=59487
This commit is contained in:
Eric Kohl 2013-07-14 18:41:29 +00:00
parent 9ff782961b
commit 98cef13e0f
3 changed files with 612 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
reactos/dll/win32/samsrv/samsrv.h
View file

@ -306,6 +306,14 @@ NTSTATUS
SampCreateServerSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
OUT PULONG Size);
NTSTATUS
SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
OUT PULONG Size);
NTSTATUS
SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
OUT PULONG Size);
/* setup.c */

576
reactos/dll/win32/samsrv/security.c
View file

@ -283,4 +283,580 @@ done:
return Status;
}
NTSTATUS
SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
OUT PULONG Size)
{
PSECURITY_DESCRIPTOR AbsSD = NULL;
PSECURITY_DESCRIPTOR RelSD = NULL;
PSID EveryoneSid = NULL;
PSID AnonymousSid = NULL;
PSID AdministratorsSid = NULL;
PACL Dacl = NULL;
PACL Sacl = NULL;
ULONG DaclSize;
ULONG SaclSize;
ULONG RelSDSize = 0;
NTSTATUS Status = STATUS_SUCCESS;
/* Create the Everyone SID */
Status = RtlAllocateAndInitializeSid(&WorldAuthority,
1,
SECURITY_WORLD_RID,
0,
0,
0,
0,
0,
0,
0,
&EveryoneSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Anonymous SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
1,
SECURITY_ANONYMOUS_LOGON_RID,
0,
0,
0,
0,
0,
0,
0,
&AnonymousSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Administrators SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0,
0,
0,
0,
0,
0,
&AdministratorsSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Allocate a buffer for the absolute SD */
AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
sizeof(SECURITY_DESCRIPTOR));
if (AbsSD == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
/* Create the absolute SD */
Status = RtlCreateSecurityDescriptor(AbsSD,
SECURITY_DESCRIPTOR_REVISION);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* allocate and create the DACL */
DaclSize = sizeof(ACL) +
2 * sizeof(ACE) +
RtlLengthSid(EveryoneSid) +
RtlLengthSid(AdministratorsSid);
Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
DaclSize);
if (Dacl == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
Status = RtlCreateAcl(Dacl,
DaclSize,
ACL_REVISION);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
DOMAIN_READ | DOMAIN_EXECUTE,
EveryoneSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
SAM_SERVER_ALL_ACCESS,
AdministratorsSid);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the DACL */
Status = RtlSetDaclSecurityDescriptor(AbsSD,
TRUE,
Dacl,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* allocate and create the SACL */
SaclSize = sizeof(ACL) +
2 * sizeof(ACE) +
RtlLengthSid(EveryoneSid) +
RtlLengthSid(AnonymousSid);
Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
DaclSize);
if (Sacl == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
Status = RtlCreateAcl(Sacl,
SaclSize,
ACL_REVISION);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAuditAccessAce(Sacl,
ACL_REVISION,
ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
SAM_SERVER_SHUTDOWN,
EveryoneSid,
TRUE,
TRUE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAuditAccessAce(Sacl,
ACL_REVISION,
STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
AnonymousSid,
TRUE,
TRUE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the SACL */
Status = RtlSetSaclSecurityDescriptor(AbsSD,
TRUE,
Sacl,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the owner SID */
Status = RtlSetOwnerSecurityDescriptor(AbsSD,
AdministratorsSid,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the group SID */
Status = RtlSetGroupSecurityDescriptor(AbsSD,
AdministratorsSid,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Get the reqired buffer size for the self-relative SD */
Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
NULL,
&RelSDSize);
if (Status != STATUS_BUFFER_TOO_SMALL)
goto done;
/* Allocate a buffer for the self-relative SD */
RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
RelSDSize);
if (RelSD == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
/* Convert the absolute SD to self-relative format */
Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
RelSD,
&RelSDSize);
if (Status == STATUS_BUFFER_TOO_SMALL)
{
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
*ServerSd = RelSD;
*Size = RelSDSize;
done:
if (!NT_SUCCESS(Status))
{
if (RelSD != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
}
if (EveryoneSid != NULL)
RtlFreeSid(EveryoneSid);
if (AnonymousSid != NULL)
RtlFreeSid(AnonymousSid);
if (AdministratorsSid != NULL)
RtlFreeSid(AdministratorsSid);
if (Dacl != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
if (Sacl != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
if (AbsSD != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
return Status;
}
NTSTATUS
SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
OUT PULONG Size)
{
PSECURITY_DESCRIPTOR AbsSD = NULL;
PSECURITY_DESCRIPTOR RelSD = NULL;
PSID EveryoneSid = NULL;
PSID AnonymousSid = NULL;
PSID AdministratorsSid = NULL;
PSID UsersSid = NULL;
PSID GuestsSid = NULL;
PACL Dacl = NULL;
PACL Sacl = NULL;
ULONG DaclSize;
ULONG SaclSize;
ULONG RelSDSize = 0;
NTSTATUS Status = STATUS_SUCCESS;
/* Create the Everyone SID */
Status = RtlAllocateAndInitializeSid(&WorldAuthority,
1,
SECURITY_WORLD_RID,
0,
0,
0,
0,
0,
0,
0,
&EveryoneSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Anonymous SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
1,
SECURITY_ANONYMOUS_LOGON_RID,
0,
0,
0,
0,
0,
0,
0,
&AnonymousSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Administrators SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0,
0,
0,
0,
0,
0,
&AdministratorsSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Users SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_USERS,
0,
0,
0,
0,
0,
0,
&UsersSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Guests SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_GUESTS,
0,
0,
0,
0,
0,
0,
&GuestsSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Allocate a buffer for the absolute SD */
AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
sizeof(SECURITY_DESCRIPTOR));
if (AbsSD == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
/* Create the absolute SD */
Status = RtlCreateSecurityDescriptor(AbsSD,
SECURITY_DESCRIPTOR_REVISION);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* allocate and create the DACL */
DaclSize = sizeof(ACL) +
4 * sizeof(ACE) +
RtlLengthSid(EveryoneSid) +
RtlLengthSid(AdministratorsSid) +
RtlLengthSid(UsersSid) +
RtlLengthSid(GuestsSid);
Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
DaclSize);
if (Dacl == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
Status = RtlCreateAcl(Dacl,
DaclSize,
ACL_REVISION);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
DOMAIN_READ | DOMAIN_EXECUTE,
EveryoneSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
DOMAIN_READ | DOMAIN_EXECUTE,
UsersSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
DOMAIN_ALL_ACCESS & ~DOMAIN_CREATE_GROUP,
AdministratorsSid);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
DOMAIN_READ | DOMAIN_EXECUTE | DOMAIN_CREATE_USER | DOMAIN_CREATE_ALIAS,
GuestsSid);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the DACL */
Status = RtlSetDaclSecurityDescriptor(AbsSD,
TRUE,
Dacl,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* allocate and create the SACL */
SaclSize = sizeof(ACL) +
2 * sizeof(ACE) +
RtlLengthSid(EveryoneSid) +
RtlLengthSid(AnonymousSid);
Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
DaclSize);
if (Sacl == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
Status = RtlCreateAcl(Sacl,
SaclSize,
ACL_REVISION);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAuditAccessAce(Sacl,
ACL_REVISION,
ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
SAM_SERVER_SHUTDOWN,
EveryoneSid,
TRUE,
TRUE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAuditAccessAce(Sacl,
ACL_REVISION,
STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
AnonymousSid,
TRUE,
TRUE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the SACL */
Status = RtlSetSaclSecurityDescriptor(AbsSD,
TRUE,
Sacl,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the owner SID */
Status = RtlSetOwnerSecurityDescriptor(AbsSD,
AdministratorsSid,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the group SID */
Status = RtlSetGroupSecurityDescriptor(AbsSD,
AdministratorsSid,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Get the reqired buffer size for the self-relative SD */
Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
NULL,
&RelSDSize);
if (Status != STATUS_BUFFER_TOO_SMALL)
goto done;
/* Allocate a buffer for the self-relative SD */
RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
RelSDSize);
if (RelSD == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
/* Convert the absolute SD to self-relative format */
Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
RelSD,
&RelSDSize);
if (Status == STATUS_BUFFER_TOO_SMALL)
{
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
*ServerSd = RelSD;
*Size = RelSDSize;
done:
if (!NT_SUCCESS(Status))
{
if (RelSD != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
}
if (EveryoneSid != NULL)
RtlFreeSid(EveryoneSid);
if (AnonymousSid != NULL)
RtlFreeSid(AnonymousSid);
if (AdministratorsSid != NULL)
RtlFreeSid(AdministratorsSid);
if (Dacl != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
if (Sacl != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
if (AbsSD != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
return Status;
}
/* EOF */

28
reactos/dll/win32/samsrv/setup.c
View file

@ -552,6 +552,7 @@ SampSetupCreateDomain(IN HANDLE hServerKey,
IN LPCWSTR lpKeyName,
IN LPCWSTR lpDomainName,
IN PSID lpDomainSid,
IN BOOLEAN bBuiltinDomain,
OUT HANDLE *lpDomainKey)
{
SAM_DOMAIN_FIXED_DATA FixedData;
@ -562,6 +563,8 @@ SampSetupCreateDomain(IN HANDLE hServerKey,
HANDLE hGroupsKey = NULL;
HANDLE hUsersKey = NULL;
HANDLE hNamesKey = NULL;
PSECURITY_DESCRIPTOR Sd = NULL;
ULONG SdSize = 0;
NTSTATUS Status;
if (lpDomainKey != NULL)
@ -690,12 +693,35 @@ SampSetupCreateDomain(IN HANDLE hServerKey,
if (!NT_SUCCESS(Status))
goto done;
/* Create the server SD */
if (bBuiltinDomain == TRUE)
Status = SampCreateBuiltinDomainSD(&Sd,
&SdSize);
else
Status = SampCreateAccountDomainSD(&Sd,
&SdSize);
if (!NT_SUCCESS(Status))
goto done;
/* Set SecDesc attribute*/
Status = SampRegSetValue(hServerKey,
L"SecDesc",
REG_BINARY,
Sd,
SdSize);
if (!NT_SUCCESS(Status))
goto done;
SampRegCloseKey(hNamesKey);
if (lpDomainKey != NULL)
*lpDomainKey = hDomainKey;
done:
if (Sd != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
if (hAliasesKey != NULL)
SampRegCloseKey(hAliasesKey);
@ -867,6 +893,7 @@ SampInitializeSAM(VOID)
L"Builtin",
szName,
pBuiltinSid,
TRUE,
&hBuiltinDomainKey);
if (!NT_SUCCESS(Status))
{
@ -936,6 +963,7 @@ SampInitializeSAM(VOID)
L"Account",
L"",
AccountDomainInfo->DomainSid,
FALSE,
&hAccountDomainKey);
if (!NT_SUCCESS(Status))
{