Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-10-15 05:37:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix CreateLogoffSecurityAttributes. It does still not work because SetEntriesInAcl is not implemented yet.

Browse source 
svn path=/trunk/; revision=30331
This commit is contained in:
Maarten Bosma 2007-11-10 15:56:36 +00:00
parent 5800eb6a82
commit 9e1aa0ccb4
2 changed files with 37 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

56
reactos/base/system/winlogon/sas.c
View file

@ -319,7 +319,7 @@ static NTSTATUS
CreateLogoffSecurityAttributes( CreateLogoffSecurityAttributes(
OUT PSECURITY_ATTRIBUTES* ppsa) OUT PSECURITY_ATTRIBUTES* ppsa)
{ {
/* The following code is no only incomplete, it's a mess and uncompilable */ /* The following code is not working yet and messy */
/* Still, it gives some ideas about data types and functions involved and */ /* Still, it gives some ideas about data types and functions involved and */
/* required to set up a SECURITY_DESCRIPTOR for a SECURITY_ATTRIBUTES */ /* required to set up a SECURITY_DESCRIPTOR for a SECURITY_ATTRIBUTES */
/* instance for a thread, to allow that thread to ImpersonateLoggedOnUser(). */ /* instance for a thread, to allow that thread to ImpersonateLoggedOnUser(). */
@ -328,7 +328,9 @@ CreateLogoffSecurityAttributes(
PSECURITY_ATTRIBUTES psa = 0; PSECURITY_ATTRIBUTES psa = 0;
BYTE* pMem; BYTE* pMem;
PACL pACL; PACL pACL;
//EXPLICIT_ACCESS ea[2]; EXPLICIT_ACCESS Access;
PSID pEveryoneSID = NULL;
static SID_IDENTIFIER_AUTHORITY WorldAuthority = { SECURITY_WORLD_SID_AUTHORITY };
*ppsa = NULL; *ppsa = NULL;
@ -351,6 +353,16 @@ CreateLogoffSecurityAttributes(
// while the user's SID obviously must be created for each new user. // while the user's SID obviously must be created for each new user.
// Might as well store it when the user logs on? // Might as well store it when the user logs on?
if(!AllocateAndInitializeSid(&WorldAuthority,
1,
SECURITY_WORLD_RID,
0, 0, 0, 0, 0, 0, 0,
&pEveryoneSID))
{
DPRINT("Failed to initialize security descriptor for logoff thread!\n");
return STATUS_UNSUCCESSFUL;
}
/* set up the required security attributes to be able to shut down */ /* set up the required security attributes to be able to shut down */
/* To save space and time, allocate a single block of memory holding */ /* To save space and time, allocate a single block of memory holding */
/* both SECURITY_ATTRIBUTES and SECURITY_DESCRIPTOR */ /* both SECURITY_ATTRIBUTES and SECURITY_DESCRIPTOR */
@ -372,6 +384,25 @@ CreateLogoffSecurityAttributes(
SecurityDescriptor = (PSECURITY_DESCRIPTOR)(pMem + sizeof(SECURITY_ATTRIBUTES)); SecurityDescriptor = (PSECURITY_DESCRIPTOR)(pMem + sizeof(SECURITY_ATTRIBUTES));
pACL = (PACL)(((PBYTE)SecurityDescriptor) + SECURITY_DESCRIPTOR_MIN_LENGTH); pACL = (PACL)(((PBYTE)SecurityDescriptor) + SECURITY_DESCRIPTOR_MIN_LENGTH);
// Initialize an EXPLICIT_ACCESS structure for an ACE.
// The ACE will allow this thread to log off (and shut down the system, currently).
ZeroMemory(&Access, sizeof(Access));
Access.grfAccessPermissions = THREAD_SET_THREAD_TOKEN;
Access.grfAccessMode = SET_ACCESS; // GRANT_ACCESS?
Access.grfInheritance = NO_INHERITANCE;
Access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
Access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
Access.Trustee.ptstrName = pEveryoneSID;
if (SetEntriesInAcl(1, &Access, NULL, &pACL) != ERROR_SUCCESS)
{
// SetEntriesInAcl is not implemented yet
DPRINT1 ("Failed to set Access Rights for logoff thread. Logging out will most likely fail.\n");
HeapFree(GetProcessHeap(), 0, pMem);
return STATUS_UNSUCCESSFUL;
}
if (!InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION)) if (!InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
{ {
HeapFree(GetProcessHeap(), 0, pMem); HeapFree(GetProcessHeap(), 0, pMem);
@ -379,18 +410,7 @@ CreateLogoffSecurityAttributes(
return STATUS_UNSUCCESSFUL; return STATUS_UNSUCCESSFUL;
} }
// Initialize an EXPLICIT_ACCESS structure for an ACE. if (!SetSecurityDescriptorDacl(SecurityDescriptor,
// The ACE will allow this thread to log off (and shut down the system, currently).
#if 0
ZeroMemory(ea, sizeof(ea));
ea[0].grfAccessPermissions = THREAD_SET_THREAD_TOKEN;
ea[0].grfAccessMode = SET_ACCESS; // GRANT_ACCESS?
ea[0].grfInheritance= NO_INHERITANCE;
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea[0].Trustee.TrusteeType = TRUSTEE_IS_USER;
ea[0].Trustee.ptstrName = (LPTSTR) pEveryoneSID;
if (!SetSecurityDescriptorDacl(pSD,
TRUE, // bDaclPresent flag TRUE, // bDaclPresent flag
pACL, pACL,
FALSE)) // not a default DACL FALSE)) // not a default DACL
@ -399,7 +419,6 @@ CreateLogoffSecurityAttributes(
HeapFree(GetProcessHeap(), 0, pMem); HeapFree(GetProcessHeap(), 0, pMem);
return STATUS_UNSUCCESSFUL; return STATUS_UNSUCCESSFUL;
} }
#endif
psa->nLength = sizeof(SECURITY_ATTRIBUTES); psa->nLength = sizeof(SECURITY_ATTRIBUTES);
psa->lpSecurityDescriptor = SecurityDescriptor; psa->lpSecurityDescriptor = SecurityDescriptor;
@ -447,14 +466,9 @@ HandleLogoff(
Status = CreateLogoffSecurityAttributes(&psa); Status = CreateLogoffSecurityAttributes(&psa);
if (!NT_SUCCESS(Status)) if (!NT_SUCCESS(Status))
{ {
WARN("Failed to create a required security descriptor. Status 0x%08x\n", Status); ERR("Failed to create a required security descriptor. Status 0x%08x\n", Status);
#if 1
WARN("Attempting to continue without it.\n");
#else
ERR("Aborting logoff\n");
HeapFree(GetProcessHeap(), 0, LSData); HeapFree(GetProcessHeap(), 0, LSData);
return Status; return Status;
#endif
} }
/* Run logoff thread */ /* Run logoff thread */

2
reactos/base/system/winlogon/winlogon.h
View file

@ -36,6 +36,8 @@
#include <exfuncs.h> #include <exfuncs.h>
#include <setypes.h> #include <setypes.h>
#include <ntsecapi.h> #include <ntsecapi.h>
#include <accctrl.h>
#include <aclapi.h>
#include <reactos/winlogon.h> #include <reactos/winlogon.h>