windows-nt/Source/XPSP1/NT/net/rras/cm/cmcontbl/setacl.cpp

//+----------------------------------------------------------------------------
//
// File: setacl.cpp
//
// Module: PBSERVER.DLL
//
// Synopsis: Security/SID/ACL stuff for CM
//
// Copyright (c) 1998-2000 Microsoft Corporation
//
// Author: 09-Mar-2000 SumitC Created
//
//+----------------------------------------------------------------------------
#include <windows.h>
#include "cmdebug.h"
#include "cmutil.h"
//+----------------------------------------------------------------------------
//
// Func: SetAclPerms
//
// Desc: Sets appropriate permissions for CM/CPS's shared objects
//
// Args: [ppAcl] - location to return an allocated ACL
//
// Return: BOOL, TRUE for success, FALSE for failure
//
// Notes: fix for 30991: Security issue, don't use NULL DACLs.
//
// History: 09-Mar-2000 SumitC Created
// 04-Apr-2000 SumitC Give perms to Authenticated_Users as well
//
//-----------------------------------------------------------------------------
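// SetAclPerms builds a DACL with three access-allowed ACEs and returns it
// through ppAcl:
//   Everyone              - GENERIC_READ | GENERIC_EXECUTE
//   Authenticated Users   - GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE
//   BUILTIN\Administrators - GENERIC_ALL
//
// On success *ppAcl points at a LocalAlloc'd ACL that the caller owns and
// must release with LocalFree.  On failure *ppAcl is set to NULL and FALSE
// is returned.
//
// Callers must check the return value: a NULL ACL pointer handed to
// SetSecurityDescriptorDacl with the DACL marked present is a NULL DACL,
// which grants everyone full access - the condition this function exists
// to avoid.
BOOL
SetAclPerms(PACL * ppAcl)
{
    SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY;
    SID_IDENTIFIER_AUTHORITY siaNtAuth = SECURITY_NT_AUTHORITY;
    PSID    psidWorldSid = NULL;
    PSID    psidAdminSid = NULL;
    PSID    psidUserSid = NULL;
    DWORD   cbAcl = 0;
    PACL    pAcl = NULL;
    // Success is tracked explicitly rather than inferred from a saved
    // GetLastError() value, which would read as "success" if a failing
    // call happened to leave the last-error code at zero.
    BOOL    fSuccess = FALSE;

    MYDBGASSERT(OS_NT);
    MYDBGASSERT(ppAcl);

    if (NULL == ppAcl)
    {
        return FALSE;
    }

    // Never leave the out-parameter holding a stale or uninitialized value.
    *ppAcl = NULL;

    // Create a SID for Everyone (World)
    if ( !AllocateAndInitializeSid(
                &siaWorld,
                1,
                SECURITY_WORLD_RID,
                0, 0, 0, 0, 0, 0, 0,
                &psidWorldSid))
    {
        goto Cleanup;
    }

    // Create a SID for Authenticated Users
    if ( !AllocateAndInitializeSid(
                &siaNtAuth,
                1,
                SECURITY_AUTHENTICATED_USER_RID,
                0, 0, 0, 0, 0, 0, 0,
                &psidUserSid))
    {
        goto Cleanup;
    }

    // Create a SID for the built-in Administrators group
    // (BUILTIN domain + Admins alias; this is not the Local System account).
    if ( !AllocateAndInitializeSid(
                &siaNtAuth,
                2,
                SECURITY_BUILTIN_DOMAIN_RID,
                DOMAIN_ALIAS_RID_ADMINS,
                0, 0, 0, 0, 0, 0,
                &psidAdminSid))
    {
        goto Cleanup;
    }

    // Calculate the length of the ACL buffer for 3 ACEs.
    // sizeof(ACCESS_ALLOWED_ACE) already counts the SidStart DWORD, so this
    // is a few bytes larger than strictly required; the size is kept as in
    // the original so the resulting ACL is unchanged.
    cbAcl = sizeof(ACL)
          + 3 * sizeof(ACCESS_ALLOWED_ACE)
          + GetLengthSid(psidWorldSid)
          + GetLengthSid(psidAdminSid)
          + GetLengthSid(psidUserSid);

    pAcl = (PACL) LocalAlloc(LMEM_FIXED, cbAcl);
    if (NULL == pAcl)
    {
        goto Cleanup;
    }

    if ( ! InitializeAcl(pAcl, cbAcl, ACL_REVISION2))
    {
        goto Cleanup;
    }

    // Everyone: read + execute only.
    // NOTE(review): whether Everyone also covers anonymous logons depends on
    // the OS version and policy; confirm read/execute for that set is intended.
    if ( ! AddAccessAllowedAce(pAcl,
                               ACL_REVISION2,
                               GENERIC_READ | GENERIC_EXECUTE,
                               psidWorldSid))
    {
        goto Cleanup;
    }

    // Authenticated Users: read + write + execute.
    // NOTE(review): this lets any authenticated account modify the shared
    // object; confirm every object this ACL is applied to needs that.
    if ( ! AddAccessAllowedAce(pAcl,
                               ACL_REVISION2,
                               GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
                               psidUserSid))
    {
        goto Cleanup;
    }

    // Administrators: full control.
    if ( ! AddAccessAllowedAce(pAcl,
                               ACL_REVISION2,
                               GENERIC_ALL,
                               psidAdminSid))
    {
        goto Cleanup;
    }

    fSuccess = TRUE;

Cleanup:

    if (fSuccess)
    {
        // Ownership of the buffer passes to the caller.
        *ppAcl = pAcl;
    }
    else if (pAcl)
    {
        // Do not hand back a partially built ACL.
        LocalFree(pAcl);
    }

    // The ACEs hold copies of the SIDs, so the SIDs can be released here.
    if (psidWorldSid)
    {
        FreeSid(psidWorldSid);
    }

    if (psidUserSid)
    {
        FreeSid(psidUserSid);
    }

    if (psidAdminSid)
    {
        FreeSid(psidAdminSid);
    }

    return fSuccess;
}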