#include "stdafx.h" #include #include #include "iadmw.h" #include "iiscnfg.h" #include "log.h" #include "mdkey.h" #include "dcomperm.h" #include "other.h" #include "mdacl.h" #include // ConvertSidToStringSid extern int g_GlobalDebugCrypto; #ifndef _CHICAGO_ BOOL CleanAdminACL(SECURITY_DESCRIPTOR *pSD) { // iisDebugOut((LOG_TYPE_TRACE, _T("CleanAdminACL(): Start.\n"))); BOOL fSetData = FALSE; BOOL b= FALSE, bDaclPresent = FALSE, bDaclDefaulted = FALSE;; PACL pDacl = NULL; LPVOID pAce = NULL; int i = 0; ACE_HEADER *pAceHeader; ACCESS_MASK dwOldMask, dwNewMask, dwExtraMask, dwMask; dwMask = (MD_ACR_READ | MD_ACR_WRITE | MD_ACR_RESTRICTED_WRITE | MD_ACR_UNSECURE_PROPS_READ | MD_ACR_ENUM_KEYS | MD_ACR_WRITE_DAC); b = GetSecurityDescriptorDacl(pSD, &bDaclPresent, &pDacl, &bDaclDefaulted); if (NULL == pDacl) { return FALSE; } if (b) { //iisDebugOut((LOG_TYPE_TRACE, _T("CleanAdminACL:ACE count: %d\n"), (int)pDacl->AceCount)); for (i=0; i<(int)pDacl->AceCount; i++) { b = GetAce(pDacl, i, &pAce); if (b) { pAceHeader = (ACE_HEADER *)pAce; switch (pAceHeader->AceType) { case ACCESS_ALLOWED_ACE_TYPE: dwOldMask = ((ACCESS_ALLOWED_ACE *)pAce)->Mask; dwExtraMask = dwOldMask & (~dwMask); if (dwExtraMask) { fSetData = TRUE; dwNewMask = dwOldMask & dwMask; ((ACCESS_ALLOWED_ACE *)pAce)->Mask = dwNewMask; } break; case ACCESS_DENIED_ACE_TYPE: dwOldMask = ((ACCESS_DENIED_ACE *)pAce)->Mask; dwExtraMask = dwOldMask & (~dwMask); if (dwExtraMask) { fSetData = TRUE; dwNewMask = dwOldMask & dwMask; ((ACCESS_DENIED_ACE *)pAce)->Mask = dwNewMask; } break; case SYSTEM_AUDIT_ACE_TYPE: dwOldMask = ((SYSTEM_AUDIT_ACE *)pAce)->Mask; dwExtraMask = dwOldMask & (~dwMask); if (dwExtraMask) { fSetData = TRUE; dwNewMask = dwOldMask & dwMask; ((SYSTEM_AUDIT_ACE *)pAce)->Mask = dwNewMask; } break; default: break; } } else { //iisDebugOut((LOG_TYPE_TRACE, _T("CleanAdminACL:GetAce:err=%x\n"), GetLastError())); } } } else { //iisDebugOut((LOG_TYPE_TRACE, _T("CleanAdminACL:GetSecurityDescriptorDacl:err=%x\n"), GetLastError())); } //iisDebugOut_End(_T("CleanAdminACL"),LOG_TYPE_TRACE); return (fSetData); } void FixAdminACL(LPTSTR szKeyPath) { // iisDebugOutSafeParams((LOG_TYPE_TRACE, _T("FixAdminACL Path=%1!s!. Start.\n"), szKeyPath)); BOOL bFound = FALSE, b = FALSE; DWORD attr, uType, dType, cbLen; CMDKey cmdKey; BUFFER bufData; LPTSTR p, rest, token; CString csName, csValue; PBYTE pData; int BufSize; SECURITY_DESCRIPTOR *pSD; cmdKey.OpenNode(szKeyPath); if ( (METADATA_HANDLE)cmdKey ) { pData = (PBYTE)(bufData.QueryPtr()); BufSize = bufData.QuerySize(); cbLen = 0; bFound = cmdKey.GetData(MD_ADMIN_ACL, &attr, &uType, &dType, &cbLen, pData, BufSize); if (!bFound && (cbLen > 0)) { if ( ! (bufData.Resize(cbLen)) ) { cmdKey.Close(); return; // insufficient memory } else { pData = (PBYTE)(bufData.QueryPtr()); BufSize = cbLen; cbLen = 0; bFound = cmdKey.GetData(MD_ADMIN_ACL, &attr, &uType, &dType, &cbLen, pData, BufSize); } } cmdKey.Close(); if (bFound && (dType == BINARY_METADATA)) { pSD = (SECURITY_DESCRIPTOR *)pData; b = CleanAdminACL(pSD); if (b) { // need to reset the data DWORD dwLength = GetSecurityDescriptorLength(pSD); cmdKey.OpenNode(szKeyPath); if ( (METADATA_HANDLE)cmdKey ) { cmdKey.SetData(MD_ADMIN_ACL,METADATA_INHERIT | METADATA_REFERENCE | METADATA_SECURE,IIS_MD_UT_SERVER,BINARY_METADATA,dwLength,(LPBYTE)pSD); cmdKey.Close(); } } } } //iisDebugOut_End1(_T("FixAdminACL"),szKeyPath,LOG_TYPE_TRACE); return; } #endif //_CHICAGO_ #ifndef _CHICAGO_ DWORD SetAdminACL(LPCTSTR szKeyPath, DWORD dwAccessForEveryoneAccount) { iisDebugOut_Start1(_T("SetAdminACL"), szKeyPath, LOG_TYPE_TRACE); int iErr=0; DWORD dwErr=0; DWORD dwRetCode = ERROR_SUCCESS; BOOL b = FALSE; DWORD dwLength = 0; PSECURITY_DESCRIPTOR pSD = NULL; PSECURITY_DESCRIPTOR outpSD = NULL; DWORD cboutpSD = 0; PACL pACLNew = NULL; DWORD cbACL = 0; PSID pAdminsSID = NULL, pEveryoneSID = NULL; BOOL bWellKnownSID = FALSE; // Initialize a new security descriptor pSD = (PSECURITY_DESCRIPTOR) LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH); if (!pSD) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:LocalAlloc FAILED.out of memory. GetLastError()= 0x%x\n"), ERROR_NOT_ENOUGH_MEMORY)); dwRetCode = E_FAIL; goto Cleanup; } iErr = InitializeSecurityDescriptor(pSD, SECURITY_DESCRIPTOR_REVISION); if (iErr == 0) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:InitializeSecurityDescriptor FAILED. GetLastError()= 0x%x\n"), GetLastError() )); dwRetCode = E_FAIL; goto Cleanup; } // Get Local Admins Sid dwErr = GetPrincipalSID (_T("Administrators"), &pAdminsSID, &bWellKnownSID); if (dwErr != ERROR_SUCCESS) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:GetPrincipalSID(Administrators) FAILED. Return Code = 0x%x\n"), dwErr)); dwRetCode = E_FAIL; goto Cleanup; } // Get everyone Sid dwErr = GetPrincipalSID (_T("Everyone"), &pEveryoneSID, &bWellKnownSID); if (dwErr != ERROR_SUCCESS) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:GetPrincipalSID(Everyone) FAILED. Return Code = 0x%x\n"), dwErr)); dwRetCode = E_FAIL; goto Cleanup; } // Initialize a new ACL, which only contains 2 aaace cbACL = sizeof(ACL) + (sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pAdminsSID) - sizeof(DWORD)) + (sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pEveryoneSID) - sizeof(DWORD)) ; pACLNew = (PACL) LocalAlloc(LPTR, cbACL); if ( !pACLNew ) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:pACLNew LocalAlloc(LPTR, FAILED. size = %u GetLastError()= 0x%x\n"), cbACL, GetLastError())); dwRetCode = E_FAIL; goto Cleanup; } if (!InitializeAcl(pACLNew, cbACL, ACL_REVISION)) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:InitializeAcl FAILED. GetLastError()= 0x%x\n"), GetLastError)); dwRetCode = E_FAIL; goto Cleanup; } if (!AddAccessAllowedAce(pACLNew,ACL_REVISION,(MD_ACR_READ |MD_ACR_WRITE |MD_ACR_RESTRICTED_WRITE |MD_ACR_UNSECURE_PROPS_READ |MD_ACR_ENUM_KEYS |MD_ACR_WRITE_DAC),pAdminsSID)) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:AddAccessAllowedAce(pAdminsSID) FAILED. GetLastError()= 0x%x\n"), GetLastError)); dwRetCode = E_FAIL; goto Cleanup; } if (!AddAccessAllowedAce(pACLNew,ACL_REVISION,dwAccessForEveryoneAccount,pEveryoneSID)) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:AddAccessAllowedAce(pEveryoneSID) FAILED. GetLastError()= 0x%x\n"), GetLastError())); dwRetCode = E_FAIL; goto Cleanup; } // Add the ACL to the security descriptor b = SetSecurityDescriptorDacl(pSD, TRUE, pACLNew, FALSE); if (!b) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:SetSecurityDescriptorDacl(pACLNew) FAILED. GetLastError()= 0x%x\n"), GetLastError())); dwRetCode = E_FAIL; goto Cleanup; } b = SetSecurityDescriptorOwner(pSD, pAdminsSID, TRUE); if (!b) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:SetSecurityDescriptorOwner(pAdminsSID) FAILED. GetLastError()= 0x%x\n"), GetLastError())); dwRetCode = E_FAIL; goto Cleanup; } b = SetSecurityDescriptorGroup(pSD, pAdminsSID, TRUE); if (!b) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:SetSecurityDescriptorGroup(pAdminsSID) FAILED. GetLastError()= 0x%x\n"), GetLastError())); dwRetCode = E_FAIL; goto Cleanup; } // Security descriptor blob must be self relative b = MakeSelfRelativeSD(pSD, outpSD, &cboutpSD); outpSD = (PSECURITY_DESCRIPTOR)GlobalAlloc(GPTR, cboutpSD); if ( !outpSD ) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:GlobalAlloc FAILED. cboutpSD = %u GetLastError()= 0x%x\n"), cboutpSD, GetLastError())); dwRetCode = E_FAIL; goto Cleanup; } b = MakeSelfRelativeSD( pSD, outpSD, &cboutpSD ); if (!b) { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:MakeSelfRelativeSD() FAILED. cboutpSD = %u GetLastError()= 0x%x\n"),cboutpSD, GetLastError())); dwRetCode = E_FAIL; goto Cleanup; } if (outpSD) { if (IsValidSecurityDescriptor(outpSD)) { // Apply the new security descriptor to the metabase iisDebugOut_Start(_T("SetAdminACL:Write the new security descriptor to the Metabase"),LOG_TYPE_TRACE); iisDebugOut((LOG_TYPE_TRACE, _T("SetAdminACL: At this point we have already been able to write basic entries to the metabase, so..."))); iisDebugOut((LOG_TYPE_TRACE, _T("SetAdminACL: If this has a problem then there is a problem with setting up encryption for the metabase (Crypto)."))); //DoesAdminACLExist(szKeyPath); if (g_GlobalDebugCrypto == 2) { // if we want to call this over and over... do { dwRetCode = WriteSDtoMetaBase(outpSD, szKeyPath); if (FAILED(dwRetCode)) { OutputDebugString(_T("\nCalling WriteSDtoMetaBase again...Set iis!g_GlobalDebugCrypto to 0 to stop looping on failure.")); OutputDebugString(_T("\nSet iis!g_GlobalDebugCrypto to 0 to stop looping on crypto failure.\n")); } } while (FAILED(dwRetCode) && g_GlobalDebugCrypto == 2); } else { dwRetCode = WriteSDtoMetaBase(outpSD, szKeyPath); } //DoesAdminACLExist(szKeyPath); iisDebugOut_End(_T("SetAdminACL:Write the new security descriptor to the Metabase"),LOG_TYPE_TRACE); } else { iisDebugOut((LOG_TYPE_ERROR, _T("SetAdminACL:IsValidSecurityDescriptor.4.SelfRelative(%u) FAILED!"),outpSD)); } } if (outpSD){GlobalFree(outpSD);outpSD=NULL;} Cleanup: // both of Administrators and Everyone are well-known SIDs, use FreeSid() to free them. if (pAdminsSID){FreeSid(pAdminsSID);} if (pEveryoneSID){FreeSid(pEveryoneSID);} if (pSD){LocalFree((HLOCAL) pSD);} if (pACLNew){LocalFree((HLOCAL) pACLNew);} iisDebugOut_End1(_T("SetAdminACL"),szKeyPath,LOG_TYPE_TRACE); return (dwRetCode); } DWORD SetAdminACL_wrap(LPCTSTR szKeyPath, DWORD dwAccessForEveryoneAccount, BOOL bDisplayMsgOnErrFlag) { int bFinishedFlag = FALSE; UINT iMsg = NULL; DWORD dwReturn = ERROR_SUCCESS; LogHeapState(FALSE, __FILE__, __LINE__); do { dwReturn = SetAdminACL(szKeyPath, dwAccessForEveryoneAccount); LogHeapState(FALSE, __FILE__, __LINE__); if (FAILED(dwReturn)) { if (bDisplayMsgOnErrFlag == TRUE) { iMsg = MyMessageBox( NULL, IDS_RETRY, MB_ABORTRETRYIGNORE | MB_SETFOREGROUND ); switch ( iMsg ) { case IDIGNORE: dwReturn = ERROR_SUCCESS; goto SetAdminACL_wrap_Exit; case IDABORT: dwReturn = ERROR_OPERATION_ABORTED; goto SetAdminACL_wrap_Exit; case IDRETRY: break; default: break; } } else { // return whatever err happened goto SetAdminACL_wrap_Exit; } } else { break; } } while ( FAILED(dwReturn) ); SetAdminACL_wrap_Exit: return dwReturn; } #endif #ifndef _CHICAGO_ DWORD WriteSDtoMetaBase(PSECURITY_DESCRIPTOR outpSD, LPCTSTR szKeyPath) { iisDebugOut_Start(_T("WriteSDtoMetaBase"), LOG_TYPE_TRACE); DWORD dwReturn = E_FAIL; DWORD dwLength = 0; DWORD dwMDFlags = 0; CMDKey cmdKey; HRESULT hReturn = E_FAIL; int iSavedFlag = 0; dwMDFlags = METADATA_INHERIT | METADATA_REFERENCE | METADATA_SECURE,IIS_MD_UT_SERVER,BINARY_METADATA; iSavedFlag = g_GlobalDebugCrypto; if (!outpSD) { dwReturn = ERROR_INVALID_SECURITY_DESCR; goto WriteSDtoMetaBase_Exit; } // Apply the new security descriptor to the metabase dwLength = GetSecurityDescriptorLength(outpSD); // open the metabase // stick it into the metabase. warning those hoses a lot because // it uses encryption. rsabase.dll // Check for special debug flag in metabase to break right before this call! if (g_GlobalDebugCrypto != 0) { // special flag to say... hey "stop setup so that the crypto team can debug they're stuff" iisDebugOut((LOG_TYPE_TRACE, _T("Breakpoint enabled thru setup (to debug crypto api). look at debugoutput."))); OutputDebugString(_T("\n\nBreakpoint enabled thru setup (to debug crypto api)")); OutputDebugString(_T("\n1.in this process:")); OutputDebugString(_T("\n set breakpoint on admwprox!IcpGetContainerHelper")); OutputDebugString(_T("\n set breakpoint on advapi32!CryptAcquireContextW")); OutputDebugString(_T("\n IcpGetKeyHelper will call CryptAcquireContext and try to open an existing key container,")); OutputDebugString(_T("\n if it doesn't exist it will return NTE_BAD_KEYSET, and IcpGetContainerHelper will try to create the container.")); OutputDebugString(_T("\n2.in the inetinfo process:")); OutputDebugString(_T("\n set breakpoint on admwprox!IcpGetContainerHelper")); OutputDebugString(_T("\n set breakpoint on advapi32!CryptAcquireContextW\n")); } hReturn = cmdKey.CreateNode(METADATA_MASTER_ROOT_HANDLE, szKeyPath); if ( (METADATA_HANDLE)cmdKey ) { TCHAR szErrorString[50]; iisDebugOut((LOG_TYPE_TRACE, _T("WriteSDtoMetaBase:cmdKey():SetData(MD_ADMIN_ACL), dwdata = %d; outpSD = %x, Start\n"), dwLength, (DWORD_PTR) outpSD )); if (g_GlobalDebugCrypto != 0) { OutputDebugString(_T("\nCalling SetData....\n")); DebugBreak(); } dwReturn = cmdKey.SetData(MD_ADMIN_ACL,dwMDFlags,IIS_MD_UT_SERVER,BINARY_METADATA,dwLength,(LPBYTE)outpSD); if (FAILED(dwReturn)) { iisDebugOut((LOG_TYPE_ERROR, _T("WriteSDtoMetaBase:cmdKey():SetData(MD_ADMIN_ACL), FAILED. Code=0x%x.End.\n"), dwReturn)); if (g_GlobalDebugCrypto != 0) { _stprintf(szErrorString, _T("\r\nSetData Failed. code=0x%x\r\n\r\n"), dwReturn); OutputDebugString(szErrorString); } } else { dwReturn = ERROR_SUCCESS; iisDebugOut((LOG_TYPE_TRACE, _T("WriteSDtoMetaBase:cmdKey():SetData(MD_ADMIN_ACL), Success.End.\n"))); if (g_GlobalDebugCrypto != 0) { _stprintf(szErrorString, _T("\r\nSetData Succeeded. code=0x%x\r\n\r\n"), dwReturn); OutputDebugString(szErrorString); } } cmdKey.Close(); } else { dwReturn = hReturn; } WriteSDtoMetaBase_Exit: g_GlobalDebugCrypto = iSavedFlag; iisDebugOut((LOG_TYPE_TRACE, _T("WriteSDtoMetaBase:End. Return=0x%x"), dwReturn)); return dwReturn; } DWORD WriteSessiontoMetaBase(LPCTSTR szKeyPath) { iisDebugOut_Start(_T("WriteSessiontoMetaBase"), LOG_TYPE_TRACE); DWORD dwReturn = E_FAIL; CMDKey cmdKey; HRESULT hReturn = E_FAIL; hReturn = cmdKey.CreateNode(METADATA_MASTER_ROOT_HANDLE, szKeyPath); if ( (METADATA_HANDLE)cmdKey ) { dwReturn = cmdKey.SetData(9999,METADATA_NO_ATTRIBUTES,IIS_MD_UT_SERVER,BINARY_METADATA,0,(LPBYTE)""); if (FAILED(dwReturn)) { iisDebugOut((LOG_TYPE_ERROR, _T("WriteSessiontoMetaBase:cmdKey():SetData(), FAILED. Code=0x%x.End.\n"), dwReturn)); } else { dwReturn = ERROR_SUCCESS; iisDebugOut((LOG_TYPE_TRACE, _T("WriteSessiontoMetaBase:cmdKey():SetData(), Success.End.\n"))); } cmdKey.Close(); } else { dwReturn = hReturn; } iisDebugOut((LOG_TYPE_TRACE, _T("WriteSessiontoMetaBase:End. Return=0x%x"), dwReturn)); return dwReturn; } #endif //---------------------------------------------------------------------------- // Test if the given account name is an account on the local machine or not. //---------------------------------------------------------------------------- BOOL IsLocalAccount(LPCTSTR pAccnt, DWORD *dwErr ) { BOOL fIsLocalAccount = FALSE; CString csDomain, csComputer; DWORD cbDomain = 0; PSID pSid = NULL; DWORD cbSid = 0; SID_NAME_USE snu; // get the computer name cbDomain = _MAX_PATH; GetComputerName( csComputer.GetBuffer( cbDomain ), // address of name buffer &cbDomain // address of size of name buffer ); csComputer.ReleaseBuffer(); cbDomain = 0; // have security look up the account name and get the domain name. We dont' care about // the other stuff it can return, so pass in nulls BOOL fLookup = LookupAccountName( NULL, // address of string for system name pAccnt, // address of string for account name NULL, // address of security identifier &cbSid, // address of size of security identifier NULL,// address of string for referenced domain &cbDomain, // address of size of domain string &snu // address of SID-type indicator ); // check the error - it should be insufficient buffer *dwErr = GetLastError(); if (*dwErr != ERROR_INSUFFICIENT_BUFFER) return FALSE; // allocate the sid pSid = (PSID) malloc (cbSid); if (!pSid ) { *dwErr = GetLastError(); return FALSE; } // do the real lookup fLookup = LookupAccountName (NULL,pAccnt,pSid,&cbSid,csDomain.GetBuffer(cbDomain+2),&cbDomain,&snu); csDomain.ReleaseBuffer(); // free the pSid we allocated above and set the final error code *dwErr = GetLastError(); free( pSid ); pSid = NULL; // compare the domain to the machine name, if it is the same, then set the sub auth if ( fLookup && (csDomain.CompareNoCase(csComputer) == 0) ) fIsLocalAccount = TRUE; // return the answer return fIsLocalAccount; } // pDomainUserName can be one of the following: // // domainname\username <-- this function returns true // computername\username <-- this function returns false // username <-- this function returns false // int IsDomainSpecifiedOtherThanLocalMachine(LPCTSTR pDomainUserName) { int iReturn = TRUE; TCHAR szTempDomainUserName[_MAX_PATH]; iisDebugOut_Start1(_T("IsDomainSpecifiedOtherThanLocalMachine"),pDomainUserName); CString csComputer; DWORD cbDomain = 0; // Make a copy to be sure not to move the pointer around. _tcscpy(szTempDomainUserName, pDomainUserName); // Check if there is a "\" in there. LPTSTR pch = NULL; pch = _tcschr(szTempDomainUserName, _T('\\')); if (!pch) { // no '\' found so, they must be specifying only the username, return false iReturn = FALSE; goto IsDomainSpecifiedOtherThanLocalMachine_Exit; } // We have at least a '\' in there, so set default return to true. // let's check if the name is the local computername! // get the computer name cbDomain = _MAX_PATH; if (0 == GetComputerName(csComputer.GetBuffer( cbDomain ),&cbDomain) ) { // failed to get computername so, let's bail iReturn = TRUE; csComputer.ReleaseBuffer(); goto IsDomainSpecifiedOtherThanLocalMachine_Exit; } csComputer.ReleaseBuffer(); cbDomain = 0; // trim off the '\' character to leave just the domain\computername so we can check against it. *pch = _T('\0'); // Compare the domainname with the computername // if they match then it's the local system account. iReturn = TRUE; iisDebugOut((LOG_TYPE_TRACE, _T("IsDomainSpecifiedOtherThanLocalMachine(): %s -- %s.\n"), szTempDomainUserName, csComputer)); if ( 0 == csComputer.CompareNoCase(szTempDomainUserName) ) { // The domain name and the computername are the same. // it is the same place. iReturn = FALSE; } IsDomainSpecifiedOtherThanLocalMachine_Exit: iisDebugOut((LOG_TYPE_TRACE, _T("IsDomainSpecifiedOtherThanLocalMachine():%s.End.Ret=%d.\n"), pDomainUserName,iReturn)); return iReturn; } #ifndef _CHICAGO_ void DumpAdminACL(HANDLE hFile,PSECURITY_DESCRIPTOR pSD) { BOOL b= FALSE, bDaclPresent = FALSE, bDaclDefaulted = FALSE;; PACL pDacl = NULL; ACCESS_ALLOWED_ACE* pAce; ACCESS_MASK dwOldMask, dwNewMask, dwExtraMask, dwMask; iisDebugOut((LOG_TYPE_TRACE, _T("DumpAdminACL:Start\n"))); b = GetSecurityDescriptorDacl(pSD, &bDaclPresent, &pDacl, &bDaclDefaulted); if (NULL == pDacl) { iisDebugOut((LOG_TYPE_TRACE, _T("DumpAdminACL:No Security.\n"))); return; } if (b) { iisDebugOut((LOG_TYPE_TRACE, _T("DumpAdminACL:ACE count: %d\n"), (int)pDacl->AceCount)); // get dacl length DWORD cbDacl = pDacl->AclSize; // now check if SID's ACE is there for (int i = 0; i < pDacl->AceCount; i++) { if (!GetAce(pDacl, i, (LPVOID *) &pAce)) { iisDebugOut((LOG_TYPE_TRACE, _T("DumpAdminACL:GetAce failed with 0x%x\n"),GetLastError())); } if (IsValidSid( (PSID) &(pAce->SidStart) ) ) { LPTSTR pszSid; LPCTSTR ServerName = NULL; // local machine DWORD cbName = UNLEN+1; TCHAR ReferencedDomainName[200]; DWORD cbReferencedDomainName = sizeof(ReferencedDomainName); SID_NAME_USE sidNameUse = SidTypeUser; TCHAR szUserName[UNLEN + 1]; // dump out the sid in string format if (ConvertSidToStringSid( (PSID) &(pAce->SidStart) , &pszSid)) { _tcscpy(szUserName, _T("(unknown...)")); if (LookupAccountSid(ServerName, (PSID) &(pAce->SidStart), szUserName, &cbName, ReferencedDomainName, &cbReferencedDomainName, &sidNameUse)) { // Get the rights for this user. // pAce->Mask DWORD dwBytesWritten = 0; TCHAR szBuf[UNLEN+1 + 20 + 20]; memset(szBuf, 0, _tcslen(szBuf) * sizeof(TCHAR)); /* typedef struct _ACCESS_ALLOWED_ACE { ACE_HEADER Header; ACCESS_MASK Mask; ULONG SidStart; } ACCESS_ALLOWED_ACE; typedef struct _ACE_HEADER { UCHAR AceType; UCHAR AceFlags; USHORT AceSize; } ACE_HEADER; typedef ACE_HEADER *PACE_HEADER; typedef ULONG ACCESS_MASK; */ _stprintf(szBuf, _T("%s,0x%x,0x%x,0x%x,0x%x\r\n"), szUserName, pAce->Header.AceType, pAce->Header.AceFlags, pAce->Header.AceSize, pAce->Mask ); if (hFile != NULL && hFile != INVALID_HANDLE_VALUE) { if (WriteFile(hFile, szBuf, _tcslen(szBuf) * sizeof(TCHAR), &dwBytesWritten, NULL ) == FALSE ) {iisDebugOut((LOG_TYPE_WARN, _T("WriteFile Failed=0x%x.\n"), GetLastError()));} } else { // echo to logfile iisDebugOut((LOG_TYPE_TRACE, _T("DumpAdminACL:Sid[%i]=%s,%s,0x%x,0x%x,0x%x,0x%x\n"),i, pszSid, szUserName, pAce->Header.AceType, pAce->Header.AceFlags, pAce->Header.AceSize, pAce->Mask )); } } else { iisDebugOut((LOG_TYPE_TRACE, _T("DumpAdminACL:Sid[%i]=%s='%s'\n"),i,pszSid,szUserName)); } LocalFree(LocalHandle(pszSid)); } } else { iisDebugOut((LOG_TYPE_TRACE, _T("DumpAdminACL:IsVAlidSid failed with 0x%x\n"),GetLastError())); } } } iisDebugOut((LOG_TYPE_TRACE, _T("DumpAdminACL:End\n"))); return; } #endif DWORD MDDumpAdminACL(CString csKeyPath) { DWORD dwReturn = E_FAIL; BOOL bFound = FALSE; DWORD attr, uType, dType, cbLen; CMDKey cmdKey; BUFFER bufData; PBYTE pData; int BufSize; PSECURITY_DESCRIPTOR pOldSd = NULL; cmdKey.OpenNode(csKeyPath); if ( (METADATA_HANDLE) cmdKey ) { pData = (PBYTE)(bufData.QueryPtr()); BufSize = bufData.QuerySize(); cbLen = 0; bFound = cmdKey.GetData(MD_ADMIN_ACL, &attr, &uType, &dType, &cbLen, pData, BufSize); if (!bFound) { if (cbLen > 0) { if ( ! (bufData.Resize(cbLen)) ) { iisDebugOut((LOG_TYPE_ERROR, _T("MDDumpAdminACL(): cmdKey.GetData. failed to resize to %d.!\n"), cbLen)); } else { pData = (PBYTE)(bufData.QueryPtr()); BufSize = cbLen; cbLen = 0; bFound = cmdKey.GetData(MD_ADMIN_ACL, &attr, &uType, &dType, &cbLen, pData, BufSize); } } } cmdKey.Close(); if (bFound) { // dump out the info // We've got the acl pOldSd = (PSECURITY_DESCRIPTOR) pData; if (IsValidSecurityDescriptor(pOldSd)) { #ifndef _CHICAGO_ DumpAdminACL(INVALID_HANDLE_VALUE,pOldSd); dwReturn = ERROR_SUCCESS; #endif } } else { // there was no acl to be found. } } return dwReturn; } DWORD AddUserToMetabaseACL(CString csKeyPath, LPTSTR szUserToAdd) { DWORD dwReturn = E_FAIL; BOOL bFound = FALSE; DWORD attr, uType, dType, cbLen; CMDKey cmdKey; BUFFER bufData; PBYTE pData; int BufSize; PSECURITY_DESCRIPTOR pOldSd = NULL; PSECURITY_DESCRIPTOR pNewSd = NULL; cmdKey.OpenNode(csKeyPath); if ( (METADATA_HANDLE) cmdKey ) { pData = (PBYTE)(bufData.QueryPtr()); BufSize = bufData.QuerySize(); cbLen = 0; bFound = cmdKey.GetData(MD_ADMIN_ACL, &attr, &uType, &dType, &cbLen, pData, BufSize); if (!bFound) { if (cbLen > 0) { if ( ! (bufData.Resize(cbLen)) ) { iisDebugOut((LOG_TYPE_ERROR, _T("AddUserToMetabaseACL(): cmdKey.GetData. failed to resize to %d.!\n"), cbLen)); } else { pData = (PBYTE)(bufData.QueryPtr()); BufSize = cbLen; cbLen = 0; bFound = cmdKey.GetData(MD_ADMIN_ACL, &attr, &uType, &dType, &cbLen, pData, BufSize); } } } cmdKey.Close(); if (bFound) { // We've got the acl // so now we want to add a user to it. pOldSd = (PSECURITY_DESCRIPTOR) pData; if (IsValidSecurityDescriptor(pOldSd)) { DWORD AccessMask = (MD_ACR_READ |MD_ACR_WRITE |MD_ACR_RESTRICTED_WRITE |MD_ACR_UNSECURE_PROPS_READ |MD_ACR_ENUM_KEYS |MD_ACR_WRITE_DAC); PSID principalSID = NULL; BOOL bWellKnownSID = FALSE; // Get the SID for the certain string (administrator or everyone or whoever) dwReturn = GetPrincipalSID(szUserToAdd, &principalSID, &bWellKnownSID); if (dwReturn != ERROR_SUCCESS) { iisDebugOut((LOG_TYPE_WARN, _T("AddUserToMetabaseACL:GetPrincipalSID(%s) FAILED. Error()= 0x%x\n"), szUserToAdd, dwReturn)); return dwReturn; } #ifndef _CHICAGO_ if (FALSE == AddUserAccessToSD(pOldSd,principalSID,AccessMask,ACCESS_ALLOWED_ACE_TYPE,&pNewSd)) { iisDebugOut((LOG_TYPE_ERROR, _T("AddUserToMetabaseACL:AddUserAccessToSD FAILED\n"))); return dwReturn; } if (pNewSd) { // We have a new self relative SD // lets write it to the metabase. if (IsValidSecurityDescriptor(pNewSd)) { dwReturn = WriteSDtoMetaBase(pNewSd, csKeyPath); } } #endif } } else { // there was no acl to be found. } } if (pNewSd){GlobalFree(pNewSd);} iisDebugOut((LOG_TYPE_TRACE, _T("AddUserToMetabaseACL():End. Return=0x%x.\n"), dwReturn)); return dwReturn; } DWORD DoesAdminACLExist(CString csKeyPath) { DWORD dwReturn = FALSE; BOOL bFound = FALSE; DWORD attr, uType, dType, cbLen; CMDKey cmdKey; BUFFER bufData; PBYTE pData; int BufSize; cmdKey.OpenNode(csKeyPath); if ( (METADATA_HANDLE) cmdKey ) { pData = (PBYTE)(bufData.QueryPtr()); BufSize = bufData.QuerySize(); cbLen = 0; bFound = cmdKey.GetData(MD_ADMIN_ACL, &attr, &uType, &dType, &cbLen, pData, BufSize); if (bFound) { dwReturn = TRUE; } else { if (cbLen > 0) { if ( ! (bufData.Resize(cbLen)) ) { iisDebugOut((LOG_TYPE_ERROR, _T("DoesAdminACLExist(): cmdKey.GetData. failed to resize to %d.!\n"), cbLen)); } else { pData = (PBYTE)(bufData.QueryPtr()); BufSize = cbLen; cbLen = 0; bFound = cmdKey.GetData(MD_ADMIN_ACL, &attr, &uType, &dType, &cbLen, pData, BufSize); if (bFound) { dwReturn = TRUE; } } } } cmdKey.Close(); } if (dwReturn != TRUE) { //No the acl Does not exist } iisDebugOut((LOG_TYPE_TRACE, _T("DoesAdminACLExist():End. Return=0x%x.\n"), dwReturn)); return dwReturn; }