Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2024-06-29 01:12:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

[SAMSRV]

Browse source 
Create and set a security descriptor for new alias account objects.

svn path=/trunk/; revision=60729
This commit is contained in:
Eric Kohl 2013-10-21 18:53:26 +00:00
parent 89f9c12117
commit ab4c296d0f
4 changed files with 339 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
reactos/dll/win32/samsrv/samrpc.c
View file

@ -2714,6 +2714,8 @@ SamrCreateAliasInDomain(IN SAMPR_HANDLE DomainHandle,
SAM_DOMAIN_FIXED_DATA FixedDomainData;
PSAM_DB_OBJECT DomainObject;
PSAM_DB_OBJECT AliasObject;
PSECURITY_DESCRIPTOR Sd = NULL;
ULONG SdSize = 0;
ULONG ulSize;
ULONG ulRid;
WCHAR szRid[9];
@ -2758,6 +2760,15 @@ SamrCreateAliasInDomain(IN SAMPR_HANDLE DomainHandle,
goto done;
}
/* Create the security descriptor */
Status = SampCreateAliasSD(&Sd,
&SdSize);
if (!NT_SUCCESS(Status))
{
TRACE("SampCreateAliasSD failed (Status 0x%08lx)\n", Status);
goto done;
}
/* Get the fixed domain attributes */
ulSize = sizeof(SAM_DOMAIN_FIXED_DATA);
Status = SampGetObjectAttribute(DomainObject,
@ -2837,6 +2848,18 @@ SamrCreateAliasInDomain(IN SAMPR_HANDLE DomainHandle,
goto done;
}
/* Set SecDesc attribute*/
Status = SampSetObjectAttribute(AliasObject,
L"SecDesc",
REG_BINARY,
Sd,
SdSize);
if (!NT_SUCCESS(Status))
{
TRACE("failed with status 0x%08lx\n", Status);
goto done;
}
if (NT_SUCCESS(Status))
{
*AliasHandle = (SAMPR_HANDLE)AliasObject;
@ -2844,6 +2867,9 @@ SamrCreateAliasInDomain(IN SAMPR_HANDLE DomainHandle,
}
done:
if (Sd != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
RtlReleaseResource(&SampResource);
TRACE("returns with status 0x%08lx\n", Status);

8
reactos/dll/win32/samsrv/samsrv.h
View file

@ -321,13 +321,17 @@ SampCreateServerSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
OUT PULONG Size);
NTSTATUS
SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *DomainSd,
OUT PULONG Size);
NTSTATUS
SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *DomainSd,
OUT PULONG Size);
NTSTATUS
SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd,
OUT PULONG Size);
/* setup.c */

288
reactos/dll/win32/samsrv/security.c
View file

@ -859,4 +859,292 @@ done:
return Status;
}
NTSTATUS
SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd,
OUT PULONG Size)
{
PSECURITY_DESCRIPTOR AbsSD = NULL;
PSECURITY_DESCRIPTOR RelSD = NULL;
PSID EveryoneSid = NULL;
PSID AnonymousSid = NULL;
PSID AdministratorsSid = NULL;
PSID AccountOperatorsSid = NULL;
PACL Dacl = NULL;
PACL Sacl = NULL;
ULONG DaclSize;
ULONG SaclSize;
ULONG RelSDSize = 0;
NTSTATUS Status = STATUS_SUCCESS;
/* Create the Everyone SID */
Status = RtlAllocateAndInitializeSid(&WorldAuthority,
1,
SECURITY_WORLD_RID,
0,
0,
0,
0,
0,
0,
0,
&EveryoneSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Anonymous SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
1,
SECURITY_ANONYMOUS_LOGON_RID,
0,
0,
0,
0,
0,
0,
0,
&AnonymousSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Administrators SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0,
0,
0,
0,
0,
0,
&AdministratorsSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Create the Account Operators SID */
Status = RtlAllocateAndInitializeSid(&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ACCOUNT_OPS,
0,
0,
0,
0,
0,
0,
&AccountOperatorsSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* Allocate a buffer for the absolute SD */
AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
sizeof(SECURITY_DESCRIPTOR));
if (AbsSD == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
/* Create the absolute SD */
Status = RtlCreateSecurityDescriptor(AbsSD,
SECURITY_DESCRIPTOR_REVISION);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
/* allocate and create the DACL */
DaclSize = sizeof(ACL) +
3 * sizeof(ACE) +
RtlLengthSid(EveryoneSid) +
RtlLengthSid(AdministratorsSid) +
RtlLengthSid(AccountOperatorsSid);
Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
DaclSize);
if (Dacl == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
Status = RtlCreateAcl(Dacl,
DaclSize,
ACL_REVISION);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
READ_CONTROL | ALIAS_READ_INFORMATION | ALIAS_LIST_MEMBERS,
EveryoneSid);
ASSERT(NT_SUCCESS(Status));
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
ALIAS_ALL_ACCESS,
AdministratorsSid);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAccessAllowedAce(Dacl,
ACL_REVISION,
ALIAS_ALL_ACCESS,
AccountOperatorsSid);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the DACL */
Status = RtlSetDaclSecurityDescriptor(AbsSD,
TRUE,
Dacl,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* allocate and create the SACL */
SaclSize = sizeof(ACL) +
2 * sizeof(ACE) +
RtlLengthSid(EveryoneSid) +
RtlLengthSid(AnonymousSid);
Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
DaclSize);
if (Sacl == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
Status = RtlCreateAcl(Sacl,
SaclSize,
ACL_REVISION);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAuditAccessAce(Sacl,
ACL_REVISION,
ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
ALIAS_WRITE_ACCOUNT | ALIAS_REMOVE_MEMBER |
ALIAS_ADD_MEMBER,
EveryoneSid,
TRUE,
TRUE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
Status = RtlAddAuditAccessAce(Sacl,
ACL_REVISION,
STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
AnonymousSid,
TRUE,
TRUE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the SACL */
Status = RtlSetSaclSecurityDescriptor(AbsSD,
TRUE,
Sacl,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the owner SID */
Status = RtlSetOwnerSecurityDescriptor(AbsSD,
AdministratorsSid,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Set the group SID */
Status = RtlSetGroupSecurityDescriptor(AbsSD,
AdministratorsSid,
FALSE);
ASSERT(Status == STATUS_SUCCESS);
if (!NT_SUCCESS(Status))
goto done;
/* Get the reqired buffer size for the self-relative SD */
Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
NULL,
&RelSDSize);
if (Status != STATUS_BUFFER_TOO_SMALL)
goto done;
/* Allocate a buffer for the self-relative SD */
RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
HEAP_ZERO_MEMORY,
RelSDSize);
if (RelSD == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
/* Convert the absolute SD to self-relative format */
Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
RelSD,
&RelSDSize);
if (Status == STATUS_BUFFER_TOO_SMALL)
{
ASSERT(Status == STATUS_SUCCESS);
goto done;
}
*AliasSd = RelSD;
*Size = RelSDSize;
done:
if (!NT_SUCCESS(Status))
{
if (RelSD != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
}
if (EveryoneSid != NULL)
RtlFreeSid(EveryoneSid);
if (AnonymousSid != NULL)
RtlFreeSid(AnonymousSid);
if (AdministratorsSid != NULL)
RtlFreeSid(AdministratorsSid);
if (Dacl != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
if (Sacl != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
if (AbsSD != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
return Status;
}
/* EOF */

19
reactos/dll/win32/samsrv/setup.c
View file

@ -98,6 +98,8 @@ SampSetupCreateAliasAccount(HANDLE hDomainKey,
WCHAR szAccountKeyName[32];
HANDLE hAccountKey = NULL;
HANDLE hNamesKey = NULL;
PSECURITY_DESCRIPTOR Sd = NULL;
ULONG SdSize = 0;
NTSTATUS Status;
swprintf(szAccountKeyName, L"Aliases\\%08lX", ulRelativeId);
@ -125,6 +127,20 @@ SampSetupCreateAliasAccount(HANDLE hDomainKey,
if (!NT_SUCCESS(Status))
goto done;
/* Create the server SD */
Status = SampCreateAliasSD(&Sd,
&SdSize);
if (!NT_SUCCESS(Status))
goto done;
/* Set SecDesc attribute*/
Status = SampRegSetValue(hAccountKey,
L"SecDesc",
REG_BINARY,
Sd,
SdSize);
if (!NT_SUCCESS(Status))
goto done;
Status = SampRegOpenKey(hDomainKey,
L"Aliases\\Names",
@ -142,6 +158,9 @@ SampSetupCreateAliasAccount(HANDLE hDomainKey,
done:
SampRegCloseKey(&hNamesKey);
if (Sd != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
if (hAccountKey != NULL)
{
SampRegCloseKey(&hAccountKey);