3416 lines
99 KiB
C++
3416 lines
99 KiB
C++
//******************************************************************************
|
|
//
|
|
// Microsoft Confidential. Copyright (c) Microsoft Corporation 1999. All rights reserved
|
|
//
|
|
// File: ChkAcc.cpp
|
|
//
|
|
// Description: RSOP Security functions
|
|
//
|
|
// History: 31-Jul-99 leonardm Created
|
|
//
|
|
//******************************************************************************
|
|
|
|
#include "uenv.h"
|
|
#include <nt.h>
|
|
#include <ntrtl.h>
|
|
#include <nturtl.h>
|
|
#include <Windows.h>
|
|
#include <DsGetDC.h>
|
|
#include "ChkAcc.h"
|
|
#include "smartptr.h"
|
|
#include "RsopUtil.h"
|
|
#include "RsopDbg.h"
|
|
|
|
|
|
CDebug dbgAccessCheck( L"Software\\Microsoft\\Windows NT\\CurrentVersion\\winlogon",
|
|
L"ChkAccDebugLevel",
|
|
L"ChkAcc.log",
|
|
L"ChkAcc.bak",
|
|
TRUE );
|
|
|
|
#undef dbg
|
|
#define dbg dbgAccessCheck
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Class: CSid
|
|
//
|
|
// Description: Objects of this class encapsulate and simplify manipulation of
|
|
// SIDs for the purposes of access control checks.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
class CSid
|
|
{
|
|
private:
|
|
bool m_bState; // Flag to indicate whether the object is currently
|
|
// associated with a valid SID.
|
|
|
|
PSID m_pSid; // Pointer to the SID encapsulated by thi class.
|
|
|
|
CWString m_sUser; // User name
|
|
CWString m_sDomain; // Domain where the user account resides.
|
|
CWString m_sComputer; // Computer in the domain where the user account exists
|
|
|
|
CWString m_sSidString; // String representation of the encapsulated SID.
|
|
|
|
SID_NAME_USE m_eUse; // SID type.
|
|
|
|
public:
|
|
|
|
//
|
|
// Overloaded constructors
|
|
//
|
|
|
|
CSid() : m_bState(false), m_pSid(NULL), m_eUse(SidTypeUnknown){}
|
|
|
|
CSid(const PSID pSid, const WCHAR* szComputer = NULL ) :
|
|
m_bState(false),
|
|
m_pSid(NULL),
|
|
m_eUse(SidTypeUnknown)
|
|
{
|
|
Initialize(pSid, szComputer);
|
|
}
|
|
|
|
CSid(const WCHAR* szUser, const WCHAR* szComputer = NULL ) :
|
|
m_bState(false),
|
|
m_pSid(NULL),
|
|
m_eUse(SidTypeUnknown)
|
|
{
|
|
Initialize(szUser, szComputer);
|
|
}
|
|
|
|
CSid(const CSid& otherSid) :
|
|
m_bState(false),
|
|
m_pSid(NULL),
|
|
m_eUse(SidTypeUnknown)
|
|
{
|
|
Initialize(otherSid.User(), otherSid.Computer());
|
|
}
|
|
|
|
~CSid()
|
|
{
|
|
Reset();
|
|
}
|
|
|
|
|
|
//
|
|
// Attempts to initialize an object of this class by associating it with
|
|
// an existing user represented in the SID pointed to by pSid.
|
|
//
|
|
|
|
bool Initialize(PSID pSid, const WCHAR* szComputer = NULL);
|
|
|
|
|
|
//
|
|
// Attempts to initialize an object of this class by associating it with
|
|
// an existing user represented by szUser.
|
|
//
|
|
|
|
bool Initialize(const WCHAR* szUser, const WCHAR* szComputer = NULL);
|
|
|
|
|
|
//
|
|
// Indicates whether this object is currently associated with a valid user.
|
|
//
|
|
|
|
bool IsValid() const{ return m_bState; }
|
|
|
|
|
|
//
|
|
// Overload of assignment operator. Copies one CSid to another.
|
|
// After a this call two objects encapsulate the same SID.
|
|
// However, each owns its own memory. So the destructor of
|
|
// one object can be called without invalidating resources used by the other.
|
|
//
|
|
|
|
CSid& operator = (CSid otherSid);
|
|
|
|
|
|
//
|
|
// Overload of assignment operator. Initializes
|
|
// the current object with an existing SID.
|
|
//
|
|
|
|
CSid& operator = (PSID pSid);
|
|
|
|
|
|
//
|
|
// Returns a pointer to the SID encapsulated by this object.
|
|
//
|
|
|
|
PSID GetSidPtr() const{ return m_pSid; }
|
|
|
|
|
|
//
|
|
// Returns the name of the user associated with this object.
|
|
//
|
|
|
|
const WCHAR* User() const{ return m_sUser; }
|
|
|
|
|
|
//
|
|
// Returns the name of the computer used to Initialize this object with a user.
|
|
//
|
|
|
|
const WCHAR* Computer() const{ return m_sComputer; }
|
|
|
|
|
|
//
|
|
// Returns the name of the domain of which the user is a member.
|
|
//
|
|
|
|
const WCHAR* Domain() const{ return m_sDomain; }
|
|
|
|
|
|
//
|
|
// Returns a the SID associated with object in
|
|
// a string format suitable for display
|
|
//
|
|
|
|
const WCHAR* SidString() const{ return m_sSidString; }
|
|
|
|
|
|
//
|
|
// Returns the type as it was found in the SID associated
|
|
// with this object during processing of Initialize.
|
|
//
|
|
|
|
SID_NAME_USE SidType() const{ return m_eUse; }
|
|
|
|
|
|
//
|
|
// Breaks the association of this object with an exisitng SID. Releases
|
|
// memory allocate during Initialize and set the internal state to Invalid.
|
|
// This call is safe even if the object is not initialized.
|
|
//
|
|
|
|
void Reset();
|
|
};
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CSid::Initialize
|
|
//
|
|
// Description: Attempts to initialize an object of this class by associating it with
|
|
// an existing user represented in the SID pointed to by pSid.
|
|
//
|
|
// Parameters: - pSid: Pointer to an exisitng SID. The memory pointed to
|
|
// by this parameter may be released after a call to
|
|
// this function since objects of this class allocate
|
|
// and release their own memory for the associated SID.
|
|
// - szComputer: Pointer to a string naming the computer where the
|
|
// lookup of the account is to take place. If NULL, the
|
|
// curent computer is used.
|
|
//
|
|
// Return: true on success. false otherwise.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
bool CSid::Initialize(const PSID pSid, const WCHAR* szComputer/* = NULL */)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"CSid::Initialize - Entering...");
|
|
|
|
Reset();
|
|
|
|
if(!IsValidSid(pSid))
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"CSid::Initialize - IsValidSid returned false!");
|
|
return m_bState;
|
|
}
|
|
|
|
m_pSid = new BYTE[GetLengthSid(pSid)];
|
|
|
|
if(!m_pSid)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"CSid::Initialize - call to new failed!");
|
|
return m_bState;
|
|
}
|
|
|
|
BOOL bRes = CopySid(GetLengthSid(pSid), m_pSid, pSid);
|
|
if(!bRes)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"CSid::Initialize - Call to CopySid returned FALSE!");
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
|
|
DWORD cbUser = 0;
|
|
DWORD cbDomain = 0;
|
|
|
|
LookupAccountSid(szComputer, m_pSid, NULL, &cbUser, NULL, &cbDomain, &m_eUse);
|
|
if(cbUser && cbDomain)
|
|
{
|
|
XPtrST<WCHAR>xpszUser = new WCHAR[cbUser];
|
|
|
|
if(!xpszUser)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"CSid::Initialize - call to new failed!");
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
XPtrST<WCHAR>xpszDomain = new WCHAR[cbDomain];
|
|
|
|
if(!xpszDomain)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"CSid::Initialize - call to new failed!");
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
bRes = LookupAccountSid(szComputer, m_pSid, xpszUser, &cbUser, xpszDomain, &cbDomain, &m_eUse);
|
|
|
|
if(!bRes)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"CSid::Initialize - call to LookupAccountSid returned FALSE!");
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
m_sUser = xpszUser;
|
|
if(!m_sUser.ValidString())
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
m_sDomain = xpszDomain;
|
|
if(!m_sDomain.ValidString())
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
XPtrLF<WCHAR>szSidString = NULL;
|
|
BOOL bRes = ConvertSidToStringSid(m_pSid, &szSidString);
|
|
if(!bRes)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"CSid::Initialize - call to ConvertSidToStringSid returned false!");
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
m_sSidString = szSidString;
|
|
if(!m_sSidString.ValidString())
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
m_bState = true;
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"CSid::Initialize - Leaving successfully.");
|
|
return m_bState;
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CSid::Initialize
|
|
//
|
|
// Description: Attempts to initialize an object of this class by associating it with
|
|
// an existing user represented by szUser.
|
|
//
|
|
// Parameters: - szUser: Name of an existing user.
|
|
// - szComputer: Pointer to a string naming the computer where the
|
|
// lookup of the account is to take place. If NULL, the
|
|
// curent computer is used.
|
|
//
|
|
// Return: true on success. false otherwise.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
bool CSid::Initialize(const WCHAR* szUser, const WCHAR* szComputer/* = NULL */)
|
|
{
|
|
Reset();
|
|
|
|
if(!szUser)
|
|
{
|
|
return m_bState;
|
|
}
|
|
|
|
m_sUser = szUser;
|
|
if(!m_sUser.ValidString())
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
m_sComputer = szComputer ? szComputer : L"";
|
|
if(!m_sComputer.ValidString())
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
DWORD cSid = 0;
|
|
|
|
DWORD cDomain = 0;
|
|
|
|
LookupAccountName(szComputer, szUser, NULL, &cSid, NULL, &cDomain, &m_eUse);
|
|
|
|
if(cSid && cDomain)
|
|
{
|
|
m_pSid = new BYTE[cSid];
|
|
if(!m_pSid)
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
XPtrST<WCHAR>xpszDomain = new WCHAR[cDomain];
|
|
|
|
if(!xpszDomain)
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
BOOL bRes = LookupAccountName(szComputer, szUser, m_pSid, &cSid, xpszDomain, &cDomain, &m_eUse);
|
|
|
|
if(!bRes)
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
m_sDomain = xpszDomain;
|
|
if(!m_sDomain.ValidString())
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
XPtrLF<WCHAR>szSidString = NULL;
|
|
bRes = ConvertSidToStringSid(m_pSid, &szSidString);
|
|
if(!bRes)
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
m_sSidString = szSidString;
|
|
if(!m_sSidString.ValidString())
|
|
{
|
|
Reset();
|
|
return m_bState;
|
|
}
|
|
|
|
m_bState = true;
|
|
}
|
|
|
|
return m_bState;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: Reset
|
|
//
|
|
// Description: Breaks the association of this object with an exisitng SID. Releases
|
|
// memory allocate during Initialize and set the internal state to Invalid.
|
|
// This call is safe even if the object is not initialized.
|
|
//
|
|
// Parameters: None.
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
void CSid::Reset()
|
|
{
|
|
delete[] (BYTE*)m_pSid;
|
|
|
|
m_pSid = NULL;
|
|
|
|
m_sUser = m_sDomain = m_sComputer = m_sSidString = L"";
|
|
|
|
m_eUse = SidTypeUnknown;
|
|
|
|
m_bState = false;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: operator =
|
|
//
|
|
// Description: Overload of assignment operator. Copies one CSid to another.
|
|
// After a this call two objects encapsulate the same SID.
|
|
// However, each owns its own memory. So the destructor of
|
|
// one object can be called without invalidating resources used by the other.
|
|
//
|
|
// Parameters: - otherSid: The CSid whose value is to be copied.
|
|
//
|
|
// Return: A reference to the object on which the call is invoked.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
CSid& CSid::operator = (CSid otherSid)
|
|
{
|
|
if(this == &otherSid)
|
|
{
|
|
return *this;
|
|
}
|
|
|
|
Reset();
|
|
|
|
if(!IsValidSid(otherSid.GetSidPtr()))
|
|
{
|
|
return *this;
|
|
}
|
|
|
|
Initialize(otherSid.User(), otherSid.Computer());
|
|
|
|
return *this;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: operator =
|
|
//
|
|
// Description: Overload of assignment operator. Initializes the current object with
|
|
// an existing SID.
|
|
//
|
|
// Parameters: - otherSid: The CSid whose value is to be copied.
|
|
//
|
|
// Return: A reference to the object on which the call is invoked.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
CSid& CSid::operator = (PSID pSid)
|
|
{
|
|
Reset();
|
|
|
|
if(!IsValidSid(pSid))
|
|
{
|
|
return *this;
|
|
}
|
|
|
|
Initialize(pSid);
|
|
|
|
return *this;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Structure: CTLink
|
|
//
|
|
// Description:
|
|
//
|
|
// History: 8/02/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
template<typename T> struct CTLink
|
|
{
|
|
T* m_pData;
|
|
CTLink* m_pNext;
|
|
CTLink* m_pPrev;
|
|
CTLink(T* pData) : m_pData(pData), m_pNext(NULL), m_pPrev(NULL){}
|
|
~CTLink()
|
|
{
|
|
delete m_pData;
|
|
}
|
|
};
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Structure: CRsopToken
|
|
//
|
|
// Description: This reprents a pseudo-token containing an arbitrary
|
|
// combination of SIDs which
|
|
// can be used to check access to objects protected with security descriptors.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
struct CRsopToken
|
|
{
|
|
CTLink<CSid>* m_pSidsHead;
|
|
CTLink<CSid>* m_pSidsTail;
|
|
|
|
|
|
//
|
|
// Default constructor. Constructs an object with no sids. Access checks
|
|
// against an CRsopToken with no SIDs will always fail; even on objects
|
|
// with no DACL.
|
|
//
|
|
|
|
CRsopToken() : m_pSidsHead(NULL), m_pSidsTail(NULL) {}
|
|
|
|
|
|
//
|
|
// Destructor. Releases the memory pointed
|
|
// to by each of the elements of m_pSidsHead.
|
|
//
|
|
|
|
~CRsopToken();
|
|
|
|
|
|
//
|
|
// Adds a CSid to this object. The client of this class allocates the memory
|
|
// for the CSid and this class releases the memory in the destructor.
|
|
//
|
|
|
|
HRESULT AddSid(CSid* pSid);
|
|
};
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CRsopToken::~CRsopToken
|
|
//
|
|
// Description: Destructor. Releases the memory pointed to by each of the elements of
|
|
// m_pSidsHead.
|
|
//
|
|
// Parameters: None.
|
|
//
|
|
// Return: N/A
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
CRsopToken::~CRsopToken()
|
|
{
|
|
CTLink<CSid>* pLinkIterator = m_pSidsHead;
|
|
while(pLinkIterator)
|
|
{
|
|
CTLink<CSid>* pLinkToDelete = pLinkIterator;
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
delete pLinkToDelete;
|
|
}
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CRsopToken::AddSid
|
|
//
|
|
// Description: Adds a CSid to this object. The client of this class allocates the
|
|
// memory for the CSid and this class releases the memory in the destructor.
|
|
//
|
|
// Parameters: - pSid: A pointer to a CSid. The memory pointed to by pSid will be released by
|
|
// in the destructor.
|
|
//
|
|
// Return: On success it returns S_OK.
|
|
// On failure it returns E_OUTOFMEMORY.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT CRsopToken::AddSid(CSid* pSid)
|
|
{
|
|
|
|
//
|
|
// first check if the Sid is already in there
|
|
//
|
|
for(CTLink<CSid>* pTraverseLink = m_pSidsHead; pTraverseLink; pTraverseLink = pTraverseLink->m_pNext)
|
|
{
|
|
//
|
|
// If one of the SIDs in the RsopToken matches
|
|
// this Sid, return
|
|
//
|
|
|
|
if (EqualSid(pSid->GetSidPtr(), pTraverseLink->m_pData->GetSidPtr()))
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
//
|
|
// Allocate a new link using the pSid passed in.
|
|
//
|
|
|
|
CTLink<CSid>* pLink = new CTLink<CSid>(pSid);
|
|
if(!pLink)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
if(!m_pSidsHead)
|
|
{
|
|
m_pSidsHead = pLink;
|
|
}
|
|
else
|
|
{
|
|
m_pSidsTail->m_pNext = pLink;
|
|
}
|
|
|
|
m_pSidsTail = pLink;
|
|
|
|
return S_OK;
|
|
}
|
|
//******************************************************************************
|
|
//
|
|
// Function: GetUserInfo
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: S_OK if successful. An HRESULT error code on failure.
|
|
//
|
|
// History: 8/7/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT GetUserInfo(const CWString& sUser,
|
|
CWString& sUserName,
|
|
CWString& sUserDomain,
|
|
CWString& sUserDC)
|
|
{
|
|
if(!sUser.ValidString())
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
NET_API_STATUS status;
|
|
|
|
XPtrST<WCHAR>xpUserName = NULL;
|
|
XPtrST<WCHAR>xpUserDomain = NULL;
|
|
|
|
size_t len = sUser.length();
|
|
|
|
WCHAR* backslashPos = wcschr(sUser, L'\\');
|
|
if(backslashPos)
|
|
{
|
|
size_t index = backslashPos - sUser;
|
|
xpUserDomain = new WCHAR[index + 1];
|
|
if(!xpUserDomain )
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
wcsncpy(xpUserDomain, sUser, index);
|
|
xpUserDomain[index] = L'\0';
|
|
|
|
xpUserName = new WCHAR[len - index];
|
|
if(!xpUserName)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
wcsncpy(xpUserName, backslashPos + 1, len - index - 1);
|
|
xpUserName[len - index - 1] = L'\0';
|
|
}
|
|
|
|
sUserName = xpUserName ? CWString(xpUserName) : sUser;
|
|
if(!sUserName.ValidString())
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
if(xpUserDomain)
|
|
{
|
|
// Use supplied domain.
|
|
sUserDomain = xpUserDomain;
|
|
}
|
|
else
|
|
{
|
|
// Use current domain
|
|
WKSTA_INFO_100* pWkstaInfo = NULL;
|
|
status = NetWkstaGetInfo(NULL,100,(LPBYTE*)&pWkstaInfo);
|
|
if(status != NERR_Success)
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
sUserDomain = pWkstaInfo->wki100_langroup;
|
|
NetApiBufferFree(pWkstaInfo);
|
|
}
|
|
|
|
if(!sUserDomain.ValidString())
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
PDOMAIN_CONTROLLER_INFO pDCInfo = 0;
|
|
|
|
DWORD dwError = DsGetDcName(0,
|
|
sUserDomain,
|
|
0,
|
|
0,
|
|
0,
|
|
&pDCInfo );
|
|
if ( dwError != NO_ERROR )
|
|
{
|
|
return HRESULT_FROM_WIN32( dwError );
|
|
}
|
|
|
|
sUserDC = pDCInfo->DomainControllerName;
|
|
|
|
NetApiBufferFree(pDCInfo);
|
|
|
|
if ( !sUserDC.ValidString() )
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: AddSpecialGroup
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: S_OK if successful. An HRESULT error code on failure.
|
|
//
|
|
// History: 8/7/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT AddSpecialGroup(PRSOPTOKEN pRsopToken, PSID pSid)
|
|
{
|
|
CRsopToken* pToken = static_cast<CRsopToken*>(pRsopToken);
|
|
|
|
XPtrST<CSid> xpCSid = new CSid(pSid);
|
|
|
|
if(!xpCSid)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
if(!xpCSid->IsValid())
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
HRESULT hr = pToken->AddSid(xpCSid);
|
|
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
xpCSid.Acquire();
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: AddSpecialGroups
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: S_OK if successful. An HRESULT error code on failure.
|
|
//
|
|
// History: 8/7/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT AddSpecialGroups(PRSOPTOKEN pRsopToken )
|
|
{
|
|
BOOL bRes;
|
|
PSID pSid;
|
|
HRESULT hr;
|
|
|
|
//
|
|
// Everyone
|
|
//
|
|
|
|
SID_IDENTIFIER_AUTHORITY IdentifierAuthority_World = SECURITY_WORLD_SID_AUTHORITY;
|
|
|
|
bRes = AllocateAndInitializeSid(&IdentifierAuthority_World, 1,
|
|
SECURITY_WORLD_RID,
|
|
0, 0, 0, 0, 0, 0, 0,
|
|
&pSid);
|
|
|
|
if(!bRes)
|
|
{
|
|
DWORD dwLastError = GetLastError();
|
|
return E_FAIL;
|
|
}
|
|
|
|
hr = AddSpecialGroup(pRsopToken, pSid);
|
|
|
|
FreeSid(pSid);
|
|
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
//
|
|
// Authenticated users
|
|
//
|
|
|
|
SID_IDENTIFIER_AUTHORITY IdentifierAuthority_NT = SECURITY_NT_AUTHORITY;
|
|
|
|
bRes = AllocateAndInitializeSid(&IdentifierAuthority_NT, 1,
|
|
SECURITY_AUTHENTICATED_USER_RID,
|
|
0, 0, 0, 0, 0, 0, 0,
|
|
&pSid);
|
|
|
|
if(!bRes)
|
|
{
|
|
DWORD dwLastError = GetLastError();
|
|
return E_FAIL;
|
|
}
|
|
|
|
hr = AddSpecialGroup(pRsopToken, pSid);
|
|
|
|
FreeSid(pSid);
|
|
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: AddGlobalGroups
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: S_OK if successful. An HRESULT error code on failure.
|
|
//
|
|
// History: 8/7/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT AddGlobalGroups(const CWString& sUserName,
|
|
const CWString& sUserDC,
|
|
PRSOPTOKEN pRsopToken)
|
|
{
|
|
if(!sUserName.ValidString())
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
CRsopToken* pToken = static_cast<CRsopToken*>(pRsopToken);
|
|
|
|
BYTE* pBuffer = NULL;
|
|
DWORD dwEntriesread;
|
|
DWORD dwTotalentries;
|
|
|
|
NET_API_STATUS result = NetUserGetGroups( sUserDC,
|
|
sUserName,
|
|
0,
|
|
&pBuffer,
|
|
MAX_PREFERRED_LENGTH,
|
|
&dwEntriesread,
|
|
&dwTotalentries);
|
|
|
|
if(result != NERR_Success)
|
|
{
|
|
return HRESULT_FROM_WIN32(result);
|
|
}
|
|
|
|
HRESULT hr = S_OK;
|
|
|
|
GROUP_USERS_INFO_0* pGui = (GROUP_USERS_INFO_0*)pBuffer;
|
|
|
|
XPtrST<CSid> xpCSid;
|
|
|
|
for(DWORD dwi = 0; dwi < dwEntriesread; dwi++)
|
|
{
|
|
xpCSid = new CSid((pGui[dwi]).grui0_name);
|
|
|
|
if(!xpCSid)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
break;
|
|
}
|
|
|
|
if(!xpCSid->IsValid())
|
|
{
|
|
hr = E_FAIL;
|
|
break;
|
|
}
|
|
|
|
hr = pToken->AddSid(xpCSid);
|
|
if(FAILED(hr))
|
|
{
|
|
break;
|
|
}
|
|
|
|
xpCSid.Acquire();
|
|
}
|
|
|
|
NetApiBufferFree(pBuffer);
|
|
|
|
return hr;
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: AddLocalGroups
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: S_OK if successful. An HRESULT error code on failure.
|
|
//
|
|
//
|
|
//******************************************************************************
|
|
HRESULT AddLocalGroups(const CWString& sUserName,
|
|
const CWString& sUserDC,
|
|
PRSOPTOKEN pRsopToken)
|
|
{
|
|
if(!sUserName.ValidString())
|
|
{
|
|
return E_FAIL;
|
|
}
|
|
|
|
CRsopToken* pToken = static_cast<CRsopToken*>(pRsopToken);
|
|
|
|
BYTE* pBuffer = NULL;
|
|
DWORD dwEntriesread;
|
|
DWORD dwTotalentries;
|
|
|
|
NET_API_STATUS result = NetUserGetLocalGroups(
|
|
sUserDC,
|
|
sUserName,
|
|
0,
|
|
LG_INCLUDE_INDIRECT,
|
|
&pBuffer,
|
|
MAX_PREFERRED_LENGTH,
|
|
&dwEntriesread,
|
|
&dwTotalentries);
|
|
|
|
if(result != NERR_Success)
|
|
{
|
|
HRESULT_FROM_WIN32(result);
|
|
}
|
|
|
|
HRESULT hr = S_OK;
|
|
|
|
LPLOCALGROUP_USERS_INFO_0 pLui = (LPLOCALGROUP_USERS_INFO_0)pBuffer;
|
|
|
|
XPtrST<CSid> xpCSid;
|
|
|
|
for(DWORD dwi = 0; dwi < dwEntriesread; dwi++)
|
|
{
|
|
xpCSid = new CSid((pLui[dwi]).lgrui0_name);
|
|
|
|
if(!xpCSid)
|
|
{
|
|
hr = E_OUTOFMEMORY;
|
|
break;
|
|
}
|
|
|
|
if(!xpCSid->IsValid())
|
|
{
|
|
hr = E_FAIL;
|
|
break;
|
|
}
|
|
|
|
hr = pToken->AddSid(xpCSid);
|
|
if(FAILED(hr))
|
|
{
|
|
break;
|
|
}
|
|
|
|
xpCSid.Acquire();
|
|
}
|
|
|
|
NetApiBufferFree(pBuffer);
|
|
|
|
return hr;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: ExpandGroup
|
|
//
|
|
// Description: Expands a given group by expanding to include all the member subgroups etc..
|
|
//
|
|
// Parameters: - pRsopToken: Rsop token
|
|
// hAuthz: A pointer to the Authz resource manager
|
|
// (that we are using to expand the grps)
|
|
// pCSid: Sid of the group
|
|
//
|
|
//
|
|
// Return: S_OK if successful. An HRESULT error code on failure.
|
|
//
|
|
//******************************************************************************
|
|
|
|
HRESULT ExpandGroup(CRsopToken *pRsopToken, AUTHZ_RESOURCE_MANAGER_HANDLE hAuthz,
|
|
CSid *pCSid )
|
|
{
|
|
AUTHZ_CLIENT_CONTEXT_HANDLE hAuthzContext=0;
|
|
LUID luid = {0};
|
|
HRESULT hrRet = S_OK;
|
|
DWORD dwSize=0;
|
|
XPtrLF<TOKEN_GROUPS> xGrps;
|
|
XPtrST<CSid> xpCSid;
|
|
|
|
|
|
if (!AuthzInitializeContextFromSid(0,
|
|
pCSid->GetSidPtr(),
|
|
hAuthz,
|
|
NULL,
|
|
luid, // we are not using it
|
|
NULL,
|
|
&hAuthzContext)) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - AuthzInitializeContextFromSid failed. Error - %d", GetLastError());
|
|
hrRet = HRESULT_FROM_WIN32(GetLastError());
|
|
goto Exit;
|
|
}
|
|
|
|
|
|
//
|
|
// Now get the list of expanded sids
|
|
// find the size first
|
|
//
|
|
|
|
if (!AuthzGetInformationFromContext(hAuthzContext,
|
|
AuthzContextInfoGroupsSids,
|
|
NULL,
|
|
&dwSize,
|
|
0)) {
|
|
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - AuthzGetInformationFromContext failed. Error - %d", GetLastError());
|
|
hrRet = HRESULT_FROM_WIN32(GetLastError());
|
|
goto Exit;
|
|
}
|
|
}
|
|
|
|
xGrps = (PTOKEN_GROUPS)LocalAlloc(LPTR, dwSize);
|
|
|
|
if (!xGrps) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - Couldn't allocate memory for the token grps. Error - %d", GetLastError());
|
|
hrRet = HRESULT_FROM_WIN32(GetLastError());
|
|
goto Exit;
|
|
}
|
|
|
|
if (!AuthzGetInformationFromContext(hAuthzContext,
|
|
AuthzContextInfoGroupsSids,
|
|
dwSize,
|
|
&dwSize,
|
|
xGrps)) {
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - AuthzGetInformationFromContext(2) failed. Error - %d", GetLastError());
|
|
hrRet = HRESULT_FROM_WIN32(GetLastError());
|
|
goto Exit;
|
|
}
|
|
|
|
for (DWORD i = 0; i < xGrps->GroupCount; i++) {
|
|
xpCSid = new CSid(xGrps->Groups[i].Sid, NULL);
|
|
|
|
if (!xpCSid) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - couldn't allocate memory(2). Error - %d", GetLastError());
|
|
hrRet = HRESULT_FROM_WIN32(GetLastError());
|
|
goto Exit;
|
|
}
|
|
|
|
hrRet = pRsopToken->AddSid(xpCSid);
|
|
if(FAILED(hrRet)) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - AddSid failed. Error - 0x%x", hrRet);
|
|
goto Exit;
|
|
}
|
|
|
|
xpCSid.Acquire();
|
|
}
|
|
|
|
hrRet = S_OK;
|
|
|
|
Exit:
|
|
if (hAuthzContext)
|
|
AuthzFreeContext(hAuthzContext);
|
|
|
|
return hrRet;
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: RsopCreateToken
|
|
//
|
|
// Description: Creates a pseudo-token using an exisitng user or machine account plus
|
|
// the accounts of which that user is currently a member of.
|
|
// The returned pseudo-token can be used subsequently in call
|
|
// to other RSOP security functions to check access to
|
|
// objects protected by security descriptors.
|
|
//
|
|
// Parameters: - szaccountName: Pointer to a user or machine account name.
|
|
// - psaUserSecurityGroups: Pointer ta SAFEARRAY of BSTRs representing
|
|
// security groups.
|
|
// If NULL, then all the current security groups for the
|
|
// szaccountName are added to the RsopToken.
|
|
// If not NULL but pointing to an empty array,
|
|
// only the szaccountName is added to the RsopToken.
|
|
// - ppRsopToken: Address of a PRSOPTOKEN that receives the newly
|
|
// created pseudo-token
|
|
//
|
|
//
|
|
// Return: S_OK if successful. An HRESULT error code on failure.
|
|
//
|
|
// History: 8/7/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT RsopCreateToken(WCHAR* szAccountName,
|
|
SAFEARRAY* psaUserSecurityGroups,
|
|
PRSOPTOKEN* ppRsopToken )
|
|
{
|
|
|
|
|
|
dbg.Initialize( L"Software\\Microsoft\\Windows NT\\CurrentVersion\\winlogon",
|
|
L"ChkAccDebugLevel",
|
|
L"ChkAcc.log",
|
|
L"ChkAcc.bak");
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopCreateToken - Entering...");
|
|
|
|
HRESULT hr = E_FAIL;
|
|
|
|
|
|
//
|
|
// Instantiate a new CRsopToken
|
|
//
|
|
|
|
*ppRsopToken = NULL;
|
|
|
|
XPtrST<CRsopToken>xpRsopToken = new CRsopToken();
|
|
|
|
if(!xpRsopToken)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - Operator new returned NULL. Creation of a CRsopToken failed.");
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
//
|
|
// Add to the new CRsopToken a CSid corresponding to the
|
|
// principal represented by parameter szAccountName. For
|
|
// dummy target the szAccountName will be null.
|
|
//
|
|
|
|
XPtrST<CSid>xpCSid;
|
|
|
|
if ( szAccountName )
|
|
{
|
|
xpCSid = new CSid(szAccountName);
|
|
|
|
if(!xpCSid)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - Operator new returned NULL. Creation of a CSid failed.");
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
if(!xpCSid->IsValid())
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - Call to CSid::IsValid failed.");
|
|
return E_FAIL;
|
|
}
|
|
|
|
hr = xpRsopToken->AddSid(xpCSid);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
xpCSid.Acquire();
|
|
}
|
|
|
|
//
|
|
// If the parameter is NULL, that means we are to add the security
|
|
// groups to which the user currently belongs.
|
|
//
|
|
|
|
if(!psaUserSecurityGroups)
|
|
{
|
|
if (szAccountName) {
|
|
CWString sUser = szAccountName;
|
|
CWString sUserName;
|
|
CWString sUserDomain;
|
|
CWString sUserDC;
|
|
|
|
hr = GetUserInfo(sUser, sUserName, sUserDomain, sUserDC);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
/* for cross domain cases this fails
|
|
|
|
//
|
|
// Get Global group membership
|
|
//
|
|
hr = AddGlobalGroups(sUserName, sUserDC, xpRsopToken);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
*/
|
|
|
|
hr = AddLocalGroups(sUserName, sUserDC, xpRsopToken);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
//
|
|
// Universal groups across domains cannot be retrieved by
|
|
// NetUserGetGroups but can be fetched by authz functions.
|
|
//
|
|
|
|
xpCSid = new CSid(szAccountName);
|
|
|
|
AUTHZ_RESOURCE_MANAGER_HANDLE hAuthz;
|
|
|
|
if (!AuthzInitializeResourceManager(NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
0,
|
|
&hAuthz)) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - AuthzInitializeResourceManager failed. Error - %d", GetLastError());
|
|
return HRESULT_FROM_WIN32(GetLastError());
|
|
}
|
|
|
|
HRESULT hr = ExpandGroup(xpRsopToken, hAuthz, xpCSid);
|
|
if (FAILED(hr)) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - ExpandGrp failed for user. Error - 0x%x", hr);
|
|
AuthzFreeResourceManager(hAuthz);
|
|
return hr;
|
|
}
|
|
|
|
AuthzFreeResourceManager(hAuthz);
|
|
// xpCSid will be freed automatically.
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Otherwise, we add only those groups named in the SAFERARRAY.
|
|
//
|
|
|
|
else
|
|
{
|
|
BSTR* pbstr;
|
|
AUTHZ_RESOURCE_MANAGER_HANDLE hAuthz;
|
|
|
|
if (!AuthzInitializeResourceManager(NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
0,
|
|
&hAuthz)) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - AuthzInitializeResourceManager failed. Error - %d", GetLastError());
|
|
return HRESULT_FROM_WIN32(GetLastError());
|
|
}
|
|
|
|
|
|
// Get a pointer to the elements of the array.
|
|
HRESULT hr = SafeArrayAccessData(psaUserSecurityGroups, (void**)&pbstr);
|
|
if(FAILED(hr))
|
|
{
|
|
AuthzFreeResourceManager(hAuthz);
|
|
return hr;
|
|
}
|
|
|
|
int count = psaUserSecurityGroups->rgsabound[0].cElements;
|
|
for (int i = 0; i < count; i++)
|
|
{
|
|
xpCSid = new CSid(pbstr[i]);
|
|
|
|
if(!xpCSid)
|
|
{
|
|
AuthzFreeResourceManager(hAuthz);
|
|
SafeArrayUnaccessData(psaUserSecurityGroups);
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
if(!xpCSid->IsValid())
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - %s is invalid", pbstr[i]);
|
|
AuthzFreeResourceManager(hAuthz);
|
|
SafeArrayUnaccessData(psaUserSecurityGroups);
|
|
return HRESULT_FROM_WIN32(ERROR_INVALID_ACCOUNT_NAME);
|
|
}
|
|
|
|
HRESULT hr = ExpandGroup(xpRsopToken, hAuthz, xpCSid);
|
|
if (FAILED(hr)) {
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopCreateToken - ExpandGrp failed. Error - 0x%x", hr);
|
|
AuthzFreeResourceManager(hAuthz);
|
|
SafeArrayUnaccessData(psaUserSecurityGroups);
|
|
return hr;
|
|
}
|
|
|
|
hr = xpRsopToken->AddSid(xpCSid);
|
|
if(FAILED(hr))
|
|
{
|
|
AuthzFreeResourceManager(hAuthz);
|
|
SafeArrayUnaccessData(psaUserSecurityGroups);
|
|
return hr;
|
|
}
|
|
|
|
xpCSid.Acquire();
|
|
|
|
}
|
|
|
|
AuthzFreeResourceManager(hAuthz);
|
|
SafeArrayUnaccessData(psaUserSecurityGroups);
|
|
|
|
|
|
}
|
|
|
|
hr = AddSpecialGroups(xpRsopToken);
|
|
if(FAILED(hr))
|
|
{
|
|
return hr;
|
|
}
|
|
|
|
*ppRsopToken = xpRsopToken;
|
|
|
|
xpRsopToken.Acquire();
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: RsopDeleteToken
|
|
//
|
|
// Description: Destroys a pseudo-token previously created by any of the overloaded
|
|
// forms of RSOPCreateRsopToken
|
|
//
|
|
// Parameters: - pRsopToken: Pointer to a valid PRSOPTOKEN
|
|
//
|
|
// Return: S_OK on success. An HRESULT error code on failure.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT RsopDeleteToken(PRSOPTOKEN pRsopToken)
|
|
{
|
|
CRsopToken* pToken = static_cast<CRsopToken*>(pRsopToken);
|
|
delete pToken;
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: GetAceSid
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 10/19/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
PISID GetAceSid(PACE_HEADER pAceHeader)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"GetAceSid - Entering.");
|
|
|
|
|
|
//
|
|
// Check for invalid argument
|
|
//
|
|
|
|
if(!pAceHeader)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"GetAceSid - Invalid parameter: pAceHeader is NULL");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"GetAceSid - Leaving.");
|
|
return NULL;
|
|
}
|
|
|
|
PISID pSid = NULL;
|
|
|
|
PACCESS_ALLOWED_ACE pACCESS_ALLOWED_ACE;
|
|
PACCESS_ALLOWED_OBJECT_ACE pACCESS_ALLOWED_OBJECT_ACE;
|
|
PACCESS_DENIED_ACE pACCESS_DENIED_ACE;
|
|
PACCESS_DENIED_OBJECT_ACE pACCESS_DENIED_OBJECT_ACE;
|
|
|
|
//
|
|
// Cast the ACE header to the appropriate ACE type based on the 'Acetype' member of the
|
|
// ACE header.
|
|
//
|
|
|
|
switch(pAceHeader->AceType)
|
|
{
|
|
case ACCESS_ALLOWED_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"GetAceSid - ACE type: ACCESS_ALLOWED_ACE_TYPE");
|
|
pACCESS_ALLOWED_ACE = reinterpret_cast<PACCESS_ALLOWED_ACE>(pAceHeader);
|
|
pSid = reinterpret_cast<PISID>(&(pACCESS_ALLOWED_ACE->SidStart));
|
|
break;
|
|
|
|
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"GetAceSid - ACE type: ACCESS_ALLOWED_OBJECT_ACE_TYPE");
|
|
pACCESS_ALLOWED_OBJECT_ACE = reinterpret_cast<PACCESS_ALLOWED_OBJECT_ACE>(pAceHeader);
|
|
|
|
if( (pACCESS_ALLOWED_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT) &&
|
|
(pACCESS_ALLOWED_OBJECT_ACE->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT))
|
|
{
|
|
//
|
|
// If both ACE_OBJECT_TYPE_PRESENT and ACE_INHERITED_OBJECT_TYPE_PRESENT are set in
|
|
// the ACE flags, the SID starts at the offset specified by 'SidStart'.
|
|
//
|
|
|
|
pSid = reinterpret_cast<PISID>(&(pACCESS_ALLOWED_OBJECT_ACE->SidStart));
|
|
}
|
|
else if((pACCESS_ALLOWED_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT) ||
|
|
(pACCESS_ALLOWED_OBJECT_ACE->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT))
|
|
{
|
|
//
|
|
// If either ACE_OBJECT_TYPE_PRESENT or ACE_INHERITED_OBJECT_TYPE_PRESENT is set in
|
|
// the ACE flags, the SID starts at the offset specified by 'InheritedObjectType'.
|
|
//
|
|
|
|
pSid = reinterpret_cast<PISID>(&(pACCESS_ALLOWED_OBJECT_ACE->InheritedObjectType));
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// If neither ACE_OBJECT_TYPE_PRESENT nor ACE_INHERITED_OBJECT_TYPE_PRESENT is set in
|
|
// the ACE flags, the SID starts at the offset specified by 'ObjectType'.
|
|
//
|
|
|
|
pSid = reinterpret_cast<PISID>(&(pACCESS_ALLOWED_OBJECT_ACE->ObjectType));
|
|
}
|
|
break;
|
|
|
|
case ACCESS_DENIED_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"GetAceSid - ACE type: ACCESS_DENIED_ACE_TYPE");
|
|
pACCESS_DENIED_ACE = reinterpret_cast<PACCESS_DENIED_ACE>(pAceHeader);
|
|
pSid = reinterpret_cast<PISID>(&(pACCESS_DENIED_ACE->SidStart));
|
|
break;
|
|
|
|
case ACCESS_DENIED_OBJECT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"GetAceSid - ACE type: ACCESS_DENIED_OBJECT_ACE_TYPE");
|
|
pACCESS_DENIED_OBJECT_ACE = reinterpret_cast<PACCESS_DENIED_OBJECT_ACE>(pAceHeader);
|
|
if( (pACCESS_DENIED_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT) &&
|
|
(pACCESS_DENIED_OBJECT_ACE->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT))
|
|
{
|
|
//
|
|
// If both ACE_OBJECT_TYPE_PRESENT and ACE_INHERITED_OBJECT_TYPE_PRESENT are set in
|
|
// the ACE flags, the SID starts at the offset specified by 'SidStart'.
|
|
//
|
|
|
|
pSid = reinterpret_cast<PISID>(&(pACCESS_DENIED_OBJECT_ACE->SidStart));
|
|
}
|
|
else if((pACCESS_DENIED_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT) ||
|
|
(pACCESS_DENIED_OBJECT_ACE->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT))
|
|
{
|
|
//
|
|
// If either ACE_OBJECT_TYPE_PRESENT or ACE_INHERITED_OBJECT_TYPE_PRESENT is set in
|
|
// the ACE flags, the SID starts at the offset specified by 'InheritedObjectType'.
|
|
//
|
|
|
|
pSid = reinterpret_cast<PISID>(&(pACCESS_DENIED_OBJECT_ACE->InheritedObjectType));
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// If neither ACE_OBJECT_TYPE_PRESENT nor ACE_INHERITED_OBJECT_TYPE_PRESENT is set in
|
|
// the ACE flags, the SID starts at the offset specified by 'ObjectType'.
|
|
//
|
|
|
|
pSid = reinterpret_cast<PISID>(&(pACCESS_DENIED_OBJECT_ACE->ObjectType));
|
|
}
|
|
break;
|
|
|
|
default:
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"GetAceSid - Unexpected ACE type found. Type: 0x%08X", pAceHeader->AceType);
|
|
break;
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"GetAceSid - Leaving.");
|
|
|
|
return pSid;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CheckAceApplies
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: S_OK on success. An HRESULT error code on failure.
|
|
//
|
|
// History: 8/8/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT CheckAceApplies(PACE_HEADER pAceHeader, PRSOPTOKEN pRsopToken, bool* pbAceApplies)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"CheckAceApplies - Entering.");
|
|
|
|
//
|
|
// Get the SID from the ACE associated with this Ace Header.
|
|
//
|
|
|
|
PISID pSid = GetAceSid(pAceHeader);
|
|
if(!pSid)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"CheckAceApplies - GetAceSid failed.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"CheckAceApplies - Leaving.");
|
|
return E_FAIL;
|
|
}
|
|
|
|
*pbAceApplies = false;
|
|
|
|
//
|
|
// Compare the SID from the ACE with all the SIDs in the RsopToken.
|
|
//
|
|
|
|
CRsopToken* pToken = static_cast<CRsopToken*>(pRsopToken);
|
|
for(CTLink<CSid>* pLink = pToken->m_pSidsHead; pLink; pLink = pLink->m_pNext)
|
|
{
|
|
//
|
|
// If one of the SIDs in the RsopToken matches
|
|
// the SID in the ACE, this ACE applies.
|
|
//
|
|
|
|
if(EqualSid(pSid, pLink->m_pData->GetSidPtr()))
|
|
{
|
|
*pbAceApplies = true;
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"CheckAceApplies - One of the SIDs in the RsopToken matches the SID in the ACE. The ACE applies.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"CheckAceApplies - Leaving.");
|
|
return S_OK;
|
|
}
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"CheckAceApplies - None of the SIDs in the RsopToken matches the SID in the ACE. The ACE does not apply.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"CheckAceApplies - Leaving.");
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
const DWORD MAX_PERM_BITS=25;
|
|
|
|
//******************************************************************************
|
|
enum EPermission{ PERMISSION_DENIED, PERMISSION_ALLOWED, PERMISSION_NOT_SET};
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Class: CSubObjectPerm
|
|
//
|
|
// Description:
|
|
//
|
|
// History: 11/09/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
class CSubObjectPerm
|
|
{
|
|
private:
|
|
|
|
CTLink<GUID>* m_pGuidsHead;
|
|
CTLink<GUID>* m_pGuidsTail;
|
|
|
|
EPermission permissionBits[MAX_PERM_BITS];
|
|
|
|
public:
|
|
|
|
CSubObjectPerm();
|
|
~CSubObjectPerm();
|
|
|
|
HRESULT AddGuid(GUID* pGuid);
|
|
|
|
void ProcessAceMask(DWORD dwMask, EPermission permission, GUID* pGuid);
|
|
DWORD GetAccumulatedPermissions();
|
|
bool AnyDenied();
|
|
};
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CSubObjectPerm::CSubObjectPerm
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 11/09/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
CSubObjectPerm::CSubObjectPerm() : m_pGuidsHead(NULL), m_pGuidsTail(NULL)
|
|
{
|
|
for (int i = 0; i < MAX_PERM_BITS; i++)
|
|
{
|
|
permissionBits[i] = PERMISSION_NOT_SET;
|
|
}
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CSubObjectPerm::~CSubObjectPerm
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 11/09/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
CSubObjectPerm::~CSubObjectPerm()
|
|
{
|
|
CTLink<GUID>* pLinkIterator = m_pGuidsHead;
|
|
while(pLinkIterator)
|
|
{
|
|
CTLink<GUID>* pLinkToDelete = pLinkIterator;
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
delete pLinkToDelete;
|
|
}
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CSubObjectPerm::AddGuid
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 11/09/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT CSubObjectPerm::AddGuid(GUID* pGuid)
|
|
{
|
|
CTLink<GUID>* pLink = new CTLink<GUID>(pGuid);
|
|
if(!pLink)
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
if(!m_pGuidsHead)
|
|
{
|
|
m_pGuidsHead = pLink;
|
|
}
|
|
else
|
|
{
|
|
m_pGuidsTail->m_pNext = pLink;
|
|
}
|
|
|
|
m_pGuidsTail = pLink;
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CSubObjectPerm::ProcessAceMask
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 11/09/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
void CSubObjectPerm::ProcessAceMask(DWORD dwMask, EPermission permission, GUID* pGuid)
|
|
{
|
|
bool bAceApplies = false;
|
|
|
|
if(!pGuid)
|
|
{
|
|
bAceApplies = true;
|
|
}
|
|
|
|
else if(pGuid && m_pGuidsHead)
|
|
{
|
|
CTLink<GUID>* pLinkIterator = m_pGuidsHead;
|
|
|
|
while(pLinkIterator)
|
|
{
|
|
if(*(pLinkIterator->m_pData) == *pGuid)
|
|
{
|
|
bAceApplies = true;
|
|
break;
|
|
}
|
|
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
}
|
|
}
|
|
|
|
if(bAceApplies)
|
|
{
|
|
DWORD dwTemp = 0x00000001;
|
|
|
|
for(int i = 0; i < MAX_PERM_BITS; i++)
|
|
{
|
|
if((dwMask & dwTemp) && (permissionBits[i] == PERMISSION_NOT_SET))
|
|
{
|
|
permissionBits[i] = permission;
|
|
}
|
|
|
|
dwTemp <<= 1;
|
|
}
|
|
}
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CSubObjectPerm::AccumulatedPermissions
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 11/09/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
DWORD CSubObjectPerm::GetAccumulatedPermissions()
|
|
{
|
|
DWORD dwAccumulatedPermissions = 0;
|
|
|
|
for(int i = MAX_PERM_BITS - 1; i >= 0; i--)
|
|
{
|
|
dwAccumulatedPermissions <<= 1;
|
|
if(permissionBits[i] == PERMISSION_ALLOWED)
|
|
{
|
|
dwAccumulatedPermissions |= 0x00000001;
|
|
}
|
|
}
|
|
|
|
return dwAccumulatedPermissions;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CSubObjectPerm::AnyDenied
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 11/09/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
bool CSubObjectPerm::AnyDenied()
|
|
{
|
|
for(int i = 0; i < MAX_PERM_BITS; i++)
|
|
{
|
|
if(permissionBits[i] == PERMISSION_DENIED)
|
|
{
|
|
return true;
|
|
}
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Struct: CDSObject
|
|
//
|
|
// Description:
|
|
//
|
|
//
|
|
// History: 10/25/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
struct CDSObject
|
|
{
|
|
DWORD m_dwLevel;
|
|
GUID* m_pGuid;
|
|
|
|
CDSObject() : m_pGuid(NULL){}
|
|
~CDSObject()
|
|
{
|
|
delete m_pGuid;
|
|
}
|
|
};
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Class: CAccumulatedPermissions
|
|
//
|
|
// Description:
|
|
//
|
|
//
|
|
// History: 10/25/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
class CAccumulatedPermissions
|
|
{
|
|
CTLink<CSubObjectPerm>* m_pSubObjectsHead;
|
|
CTLink<CSubObjectPerm>* m_pSubObjectsTail;
|
|
|
|
CTLink<CDSObject>* m_pDSObjectsHead;
|
|
CTLink<CDSObject>* m_pDSObjectsTail;
|
|
|
|
bool m_bInitialized;
|
|
|
|
public:
|
|
CAccumulatedPermissions(POBJECT_TYPE_LIST pObjectTypeList,
|
|
DWORD ObjectTypeListLength);
|
|
~CAccumulatedPermissions();
|
|
void ProcessAceMask(DWORD dwMask, EPermission permission, GUID* pGuid);
|
|
DWORD GetAccumulatedPermissions();
|
|
bool AnyDenied();
|
|
|
|
bool Initialized(){return m_bInitialized;}
|
|
};
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CAccumulatedPermissions::CAccumulatedPermissions
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 10/25/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
CAccumulatedPermissions::CAccumulatedPermissions( POBJECT_TYPE_LIST pObjectTypeList,
|
|
DWORD ObjectTypeListLength) :
|
|
m_pSubObjectsHead(NULL),
|
|
m_pSubObjectsTail(NULL),
|
|
m_bInitialized(false),
|
|
m_pDSObjectsHead(NULL),
|
|
m_pDSObjectsTail(NULL)
|
|
{
|
|
|
|
if(!pObjectTypeList || ObjectTypeListLength == 0)
|
|
{
|
|
XPtrST<CSubObjectPerm>xpSubObjectPerm = new CSubObjectPerm;
|
|
if(!xpSubObjectPerm)
|
|
{
|
|
return;
|
|
}
|
|
|
|
m_pSubObjectsHead = new CTLink<CSubObjectPerm>(xpSubObjectPerm);
|
|
if(!m_pSubObjectsHead)
|
|
{
|
|
return;
|
|
}
|
|
xpSubObjectPerm.Acquire();
|
|
|
|
m_pSubObjectsTail = m_pSubObjectsHead;
|
|
|
|
m_bInitialized = true;
|
|
|
|
return;
|
|
}
|
|
|
|
|
|
DWORD dwCurrentLevel;
|
|
|
|
for(DWORD i = 0; i < ObjectTypeListLength; i++)
|
|
{
|
|
if( i==0 )
|
|
{
|
|
//
|
|
// This assumes that the first element in the list of
|
|
// OBJECT_TYPEs pointed to by pObjectTypeList is at
|
|
// level ACCESS_OBJECT_GUID.
|
|
//
|
|
|
|
dwCurrentLevel = pObjectTypeList[i].Level;
|
|
|
|
XPtrST<CDSObject>xpDSObject = new CDSObject;
|
|
if(!xpDSObject)
|
|
{
|
|
return;
|
|
}
|
|
|
|
XPtrST<GUID>xpGuid = new GUID(*(pObjectTypeList[i].ObjectType));
|
|
if(!xpGuid)
|
|
{
|
|
return;
|
|
}
|
|
|
|
m_pDSObjectsHead = new CTLink<CDSObject>(xpDSObject);
|
|
if(!m_pDSObjectsHead)
|
|
{
|
|
return;
|
|
}
|
|
|
|
xpDSObject.Acquire();
|
|
|
|
m_pDSObjectsHead->m_pData->m_pGuid = xpGuid.Acquire();
|
|
|
|
m_pDSObjectsHead->m_pData->m_dwLevel = pObjectTypeList[i].Level;
|
|
|
|
m_pDSObjectsTail = m_pDSObjectsHead;
|
|
|
|
continue;
|
|
}
|
|
|
|
else if(pObjectTypeList[i].Level > dwCurrentLevel)
|
|
{
|
|
dwCurrentLevel = pObjectTypeList[i].Level;
|
|
|
|
XPtrST<CDSObject> xpDSObject = new CDSObject;
|
|
if(!xpDSObject)
|
|
{
|
|
return;
|
|
}
|
|
|
|
XPtrST<GUID>xpGuid = new GUID(*(pObjectTypeList[i].ObjectType));
|
|
if(!xpGuid)
|
|
{
|
|
return;
|
|
}
|
|
|
|
CTLink<CDSObject>* pDSObjectLink = new CTLink<CDSObject>(xpDSObject);
|
|
if(!pDSObjectLink)
|
|
{
|
|
return;
|
|
}
|
|
|
|
xpDSObject.Acquire();
|
|
|
|
pDSObjectLink->m_pData->m_pGuid = xpGuid.Acquire();
|
|
pDSObjectLink->m_pData->m_dwLevel = pObjectTypeList[i].Level;
|
|
|
|
pDSObjectLink->m_pPrev = m_pDSObjectsTail;
|
|
m_pDSObjectsTail->m_pNext = pDSObjectLink;
|
|
m_pDSObjectsTail = pDSObjectLink;
|
|
}
|
|
|
|
else
|
|
{
|
|
XPtrST<CSubObjectPerm>xpSubObjectPerm = new CSubObjectPerm;
|
|
if(!xpSubObjectPerm)
|
|
{
|
|
return;
|
|
}
|
|
|
|
CTLink<CSubObjectPerm>* pSubObjectLink = new CTLink<CSubObjectPerm>(xpSubObjectPerm);
|
|
if(!pSubObjectLink)
|
|
{
|
|
return;
|
|
}
|
|
|
|
xpSubObjectPerm.Acquire();
|
|
|
|
|
|
CTLink<CDSObject>* pLinkIterator = m_pDSObjectsHead;
|
|
while(pLinkIterator)
|
|
{
|
|
XPtrST<GUID>xpGuid = new GUID(*(pLinkIterator->m_pData->m_pGuid));
|
|
if(!xpGuid)
|
|
{
|
|
delete pSubObjectLink;
|
|
return;
|
|
}
|
|
|
|
if(FAILED(pSubObjectLink->m_pData->AddGuid(xpGuid)))
|
|
{
|
|
delete pSubObjectLink;
|
|
return;
|
|
}
|
|
|
|
xpGuid.Acquire();
|
|
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
}
|
|
|
|
if(!m_pSubObjectsHead)
|
|
{
|
|
m_pSubObjectsHead = pSubObjectLink;
|
|
}
|
|
else
|
|
{
|
|
m_pSubObjectsTail->m_pNext = pSubObjectLink;
|
|
}
|
|
m_pSubObjectsTail = pSubObjectLink;
|
|
|
|
|
|
pLinkIterator = m_pDSObjectsTail;
|
|
|
|
if(pLinkIterator)
|
|
{
|
|
while(pLinkIterator->m_pData->m_dwLevel >= pObjectTypeList[i].Level)
|
|
{
|
|
CTLink<CDSObject>* pLinkToDelete = pLinkIterator;
|
|
pLinkIterator = pLinkIterator->m_pPrev;
|
|
delete pLinkToDelete;
|
|
m_pDSObjectsTail = pLinkIterator;
|
|
if(m_pDSObjectsTail)
|
|
{
|
|
m_pDSObjectsTail->m_pNext = NULL;
|
|
}
|
|
}
|
|
}
|
|
|
|
XPtrST<CDSObject>xpDSObject = new CDSObject;
|
|
if(!xpDSObject)
|
|
{
|
|
return;
|
|
}
|
|
|
|
XPtrST<GUID>xpGuid = new GUID(*(pObjectTypeList[i].ObjectType));
|
|
if(!xpGuid)
|
|
{
|
|
return;
|
|
}
|
|
|
|
CTLink<CDSObject>* pLink = new CTLink<CDSObject>(xpDSObject);
|
|
if(!pLink)
|
|
{
|
|
return;
|
|
}
|
|
|
|
xpDSObject.Acquire();
|
|
|
|
pLink->m_pData->m_pGuid = xpGuid.Acquire();
|
|
pLink->m_pData->m_dwLevel = pObjectTypeList[i].Level;
|
|
|
|
pLink->m_pPrev = m_pDSObjectsTail;
|
|
m_pDSObjectsTail->m_pNext = pLink;
|
|
m_pDSObjectsTail = pLink;
|
|
}
|
|
}
|
|
|
|
CTLink<CDSObject>* pLinkIterator = m_pDSObjectsHead;
|
|
|
|
if(pLinkIterator)
|
|
{
|
|
XPtrST<CSubObjectPerm>xpSubObject = new CSubObjectPerm;
|
|
if(!xpSubObject)
|
|
{
|
|
return;
|
|
}
|
|
|
|
CTLink<CSubObjectPerm>* pSubObjectLink = new CTLink<CSubObjectPerm>(xpSubObject);
|
|
if(!pSubObjectLink)
|
|
{
|
|
return;
|
|
}
|
|
|
|
xpSubObject.Acquire();
|
|
|
|
while(pLinkIterator)
|
|
{
|
|
XPtrST<GUID>xpGuid = new GUID(*(pLinkIterator->m_pData->m_pGuid));
|
|
if(!xpGuid)
|
|
{
|
|
delete pSubObjectLink;
|
|
return;
|
|
}
|
|
|
|
if(FAILED(pSubObjectLink->m_pData->AddGuid(xpGuid)))
|
|
{
|
|
delete pSubObjectLink;
|
|
return;
|
|
}
|
|
|
|
xpGuid.Acquire();
|
|
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
}
|
|
|
|
if(!m_pSubObjectsHead)
|
|
{
|
|
m_pSubObjectsHead = pSubObjectLink;
|
|
}
|
|
else
|
|
{
|
|
m_pSubObjectsTail->m_pNext = pSubObjectLink;
|
|
}
|
|
m_pSubObjectsTail = pSubObjectLink;
|
|
}
|
|
|
|
pLinkIterator = m_pDSObjectsHead;
|
|
|
|
while(pLinkIterator)
|
|
{
|
|
CTLink<CDSObject>* pLinkToDelete = pLinkIterator;
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
delete pLinkToDelete;
|
|
}
|
|
|
|
m_pDSObjectsHead = m_pDSObjectsTail = NULL;
|
|
|
|
m_bInitialized = true;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CAccumulatedPermissions::~CAccumulatedPermissions
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 10/25/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
CAccumulatedPermissions::~CAccumulatedPermissions()
|
|
{
|
|
CTLink<CSubObjectPerm>* pSubObjectLinkIterator = m_pSubObjectsHead;
|
|
while(pSubObjectLinkIterator)
|
|
{
|
|
CTLink<CSubObjectPerm>* pSubObjectLinkToDelete = pSubObjectLinkIterator;
|
|
pSubObjectLinkIterator = pSubObjectLinkIterator->m_pNext;
|
|
delete pSubObjectLinkToDelete;
|
|
}
|
|
|
|
CTLink<CDSObject>* pDSObjectLinkIterator = m_pDSObjectsHead;
|
|
|
|
while(pDSObjectLinkIterator)
|
|
{
|
|
CTLink<CDSObject>* pDSObjectLinkToDelete = pDSObjectLinkIterator;
|
|
pDSObjectLinkIterator = pDSObjectLinkIterator->m_pNext;
|
|
delete pDSObjectLinkToDelete;
|
|
}
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CAccumulatedPermissions::ProcessAceMask
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 8/8/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
void CAccumulatedPermissions::ProcessAceMask(DWORD dwMask, EPermission permission, GUID* pGuid)
|
|
{
|
|
CTLink<CSubObjectPerm>* pLinkIterator = m_pSubObjectsHead;
|
|
while(pLinkIterator)
|
|
{
|
|
pLinkIterator->m_pData->ProcessAceMask(dwMask, permission, pGuid);
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
}
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CAccumulatedPermissions::AccumulatedPermissions
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 8/8/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
DWORD CAccumulatedPermissions::GetAccumulatedPermissions()
|
|
{
|
|
|
|
DWORD dwAccumulatedPermissions = 0x01FFFFFF;
|
|
|
|
CTLink<CSubObjectPerm>* pLinkIterator = m_pSubObjectsHead;
|
|
while(pLinkIterator)
|
|
{
|
|
dwAccumulatedPermissions &= pLinkIterator->m_pData->GetAccumulatedPermissions();
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
}
|
|
|
|
return dwAccumulatedPermissions;
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: CAccumulatedPermissions::AnyDenied
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return:
|
|
//
|
|
// History: 8/8/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
bool CAccumulatedPermissions::AnyDenied()
|
|
{
|
|
CTLink<CSubObjectPerm>* pLinkIterator = m_pSubObjectsHead;
|
|
while(pLinkIterator)
|
|
{
|
|
if(pLinkIterator->m_pData->AnyDenied())
|
|
{
|
|
return true;
|
|
}
|
|
|
|
pLinkIterator = pLinkIterator->m_pNext;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: LogGuid
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: void
|
|
//
|
|
// History: 10/26/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
void LogGuid(GUID& guid)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogGuid - Entering.");
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogGuid - {0x%08x 0x%04x 0x%04x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x}",
|
|
guid.Data1,
|
|
guid.Data2,
|
|
guid.Data3,
|
|
guid.Data4[0],
|
|
guid.Data4[1],
|
|
guid.Data4[2],
|
|
guid.Data4[3],
|
|
guid.Data4[4],
|
|
guid.Data4[5],
|
|
guid.Data4[6],
|
|
guid.Data4[7]);
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogGuid - (%08x-%04x-%04x-%02x%02x%02x%02x%02x%02x%02x%02x)",
|
|
guid.Data1,
|
|
guid.Data2,
|
|
guid.Data3,
|
|
guid.Data4[0],
|
|
guid.Data4[1],
|
|
guid.Data4[2],
|
|
guid.Data4[3],
|
|
guid.Data4[4],
|
|
guid.Data4[5],
|
|
guid.Data4[6],
|
|
guid.Data4[7]);
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogGuid - Leaving.");
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: LogSid
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: void
|
|
//
|
|
// History: 10/26/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
void LogSid(PSID pSid)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Entering.");
|
|
|
|
XPtrST<CSid>xpCSid = new CSid(pSid);
|
|
|
|
if(!xpCSid)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"LogSid - Call to operator new failed.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Leaving.");
|
|
return;
|
|
}
|
|
|
|
if(!(xpCSid->IsValid()))
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"LogSid - call to CSid::IsValid returned false.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Leaving.");
|
|
return;
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid string: %s.", xpCSid->SidString());
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid User: %s.", xpCSid->User());
|
|
|
|
if(xpCSid->SidType() == SidTypeUser)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeUser.");
|
|
}
|
|
else if(xpCSid->SidType() == SidTypeGroup)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeGroup.");
|
|
}
|
|
else if(xpCSid->SidType() == SidTypeDomain)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeDomain.");
|
|
}
|
|
else if(xpCSid->SidType() == SidTypeAlias)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeAlias.");
|
|
}
|
|
else if(xpCSid->SidType() == SidTypeWellKnownGroup)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeWellKnownGroup.");
|
|
}
|
|
else if(xpCSid->SidType() == SidTypeDeletedAccount)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeDeletedAccount.");
|
|
}
|
|
else if(xpCSid->SidType() == SidTypeInvalid)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeInvalid.");
|
|
}
|
|
else if(xpCSid->SidType() == SidTypeUnknown)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeUnknown.");
|
|
}
|
|
else if(xpCSid->SidType() == SidTypeComputer)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid type: SidTypeComputer.");
|
|
}
|
|
else
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"LogSid - Sid type: UNKNOWN SID type.");
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid Domain: %s.", xpCSid->Domain());
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Sid Computer: %s.", xpCSid->Computer());
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogSid - Leaving.");
|
|
}
|
|
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: LogAce
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: void
|
|
//
|
|
// History: 10/26/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
void LogAce(PACE_HEADER pAceHeader)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Entering.");
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - AceType = 0x%08X.", pAceHeader->AceType);
|
|
|
|
|
|
PACCESS_ALLOWED_ACE pACCESS_ALLOWED_ACE = NULL;
|
|
PACCESS_ALLOWED_OBJECT_ACE pACCESS_ALLOWED_OBJECT_ACE = NULL;
|
|
|
|
PACCESS_DENIED_ACE pACCESS_DENIED_ACE = NULL;
|
|
PACCESS_DENIED_OBJECT_ACE pACCESS_DENIED_OBJECT_ACE = NULL;
|
|
|
|
PSYSTEM_AUDIT_ACE pSYSTEM_AUDIT_ACE = NULL;
|
|
PSYSTEM_AUDIT_OBJECT_ACE pSYSTEM_AUDIT_OBJECT_ACE = NULL;
|
|
|
|
PSYSTEM_ALARM_ACE pSYSTEM_ALARM_ACE = NULL;
|
|
PSYSTEM_ALARM_OBJECT_ACE pSYSTEM_ALARM_OBJECT_ACE = NULL;
|
|
|
|
switch(pAceHeader->AceType)
|
|
{
|
|
case ACCESS_ALLOWED_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE type: ACCESS_ALLOWED_ACE_TYPE");
|
|
pACCESS_ALLOWED_ACE = reinterpret_cast<PACCESS_ALLOWED_ACE>(pAceHeader);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE Mask: 0x%08X", pACCESS_ALLOWED_ACE->Mask);
|
|
break;
|
|
|
|
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE type: ACCESS_ALLOWED_OBJECT_ACE_TYPE");
|
|
pACCESS_ALLOWED_OBJECT_ACE = reinterpret_cast<PACCESS_ALLOWED_OBJECT_ACE>(pAceHeader);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE Mask: 0x%08X", pACCESS_ALLOWED_OBJECT_ACE->Mask);
|
|
|
|
if(pACCESS_ALLOWED_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Flag is on: ACE_OBJECT_TYPE_PRESENT.");
|
|
LogGuid(pACCESS_ALLOWED_OBJECT_ACE->ObjectType);
|
|
}
|
|
|
|
if(pACCESS_ALLOWED_OBJECT_ACE->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Flag is on: ACE_INHERITED_OBJECT_TYPE_PRESENT.");
|
|
LogGuid(pACCESS_ALLOWED_OBJECT_ACE->InheritedObjectType);
|
|
}
|
|
break;
|
|
|
|
case ACCESS_DENIED_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE type: ACCESS_DENIED_ACE_TYPE");
|
|
pACCESS_DENIED_ACE = reinterpret_cast<PACCESS_DENIED_ACE>(pAceHeader);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE Mask: 0x%08X", pACCESS_DENIED_ACE->Mask);
|
|
break;
|
|
|
|
case ACCESS_DENIED_OBJECT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE type: ACCESS_DENIED_OBJECT_ACE_TYPE");
|
|
pACCESS_DENIED_OBJECT_ACE = reinterpret_cast<PACCESS_DENIED_OBJECT_ACE>(pAceHeader);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE Mask: 0x%08X", pACCESS_DENIED_OBJECT_ACE->Mask);
|
|
|
|
if(pACCESS_DENIED_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Flag is on: ACE_OBJECT_TYPE_PRESENT.");
|
|
LogGuid(pACCESS_DENIED_OBJECT_ACE->ObjectType);
|
|
}
|
|
|
|
if(pACCESS_DENIED_OBJECT_ACE->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Flag is on: ACE_INHERITED_OBJECT_TYPE_PRESENT.");
|
|
LogGuid(pACCESS_DENIED_OBJECT_ACE->InheritedObjectType);
|
|
}
|
|
break;
|
|
|
|
case SYSTEM_AUDIT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE type: SYSTEM_AUDIT_ACE_TYPE");
|
|
pSYSTEM_AUDIT_ACE = reinterpret_cast<PSYSTEM_AUDIT_ACE>(pAceHeader);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE Mask: 0x%08X", pSYSTEM_AUDIT_ACE->Mask);
|
|
break;
|
|
|
|
case SYSTEM_AUDIT_OBJECT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE type: SYSTEM_AUDIT_OBJECT_ACE_TYPE");
|
|
pSYSTEM_AUDIT_OBJECT_ACE = reinterpret_cast<PSYSTEM_AUDIT_OBJECT_ACE>(pAceHeader);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE Mask: 0x%08X", pSYSTEM_AUDIT_OBJECT_ACE->Mask);
|
|
|
|
if(pSYSTEM_AUDIT_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Flag is on: ACE_OBJECT_TYPE_PRESENT.");
|
|
LogGuid(pSYSTEM_AUDIT_OBJECT_ACE->ObjectType);
|
|
}
|
|
|
|
if(pSYSTEM_AUDIT_OBJECT_ACE->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Flag is on: ACE_INHERITED_OBJECT_TYPE_PRESENT.");
|
|
LogGuid(pSYSTEM_AUDIT_OBJECT_ACE->InheritedObjectType);
|
|
}
|
|
break;
|
|
|
|
case SYSTEM_ALARM_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE type: SYSTEM_ALARM_ACE_TYPE");
|
|
pSYSTEM_ALARM_ACE = reinterpret_cast<PSYSTEM_ALARM_ACE>(pAceHeader);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE Mask: 0x%08X", pSYSTEM_ALARM_ACE->Mask);
|
|
break;
|
|
|
|
case SYSTEM_ALARM_OBJECT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE type: SYSTEM_ALARM_OBJECT_ACE_TYPE");
|
|
pSYSTEM_ALARM_OBJECT_ACE = reinterpret_cast<PSYSTEM_ALARM_OBJECT_ACE>(pAceHeader);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - ACE Mask: 0x%08X", pSYSTEM_ALARM_OBJECT_ACE->Mask);
|
|
|
|
if(pSYSTEM_ALARM_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Flag is on: ACE_OBJECT_TYPE_PRESENT.");
|
|
LogGuid(pSYSTEM_ALARM_OBJECT_ACE->ObjectType);
|
|
}
|
|
|
|
if(pSYSTEM_ALARM_OBJECT_ACE->Flags & ACE_INHERITED_OBJECT_TYPE_PRESENT)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Flag is on: ACE_INHERITED_OBJECT_TYPE_PRESENT.");
|
|
LogGuid(pSYSTEM_ALARM_OBJECT_ACE->InheritedObjectType);
|
|
}
|
|
break;
|
|
|
|
default:
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"LogAce - ACE type: UNKNOWN ACE type.");
|
|
break;
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - AceFlags = 0x%08X.", pAceHeader->AceFlags);
|
|
|
|
if(pAceHeader->AceFlags & OBJECT_INHERIT_ACE)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - The Following ACE header flag is on: OBJECT_INHERIT_ACE.");
|
|
}
|
|
|
|
if(pAceHeader->AceFlags & CONTAINER_INHERIT_ACE)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - The Following ACE header flag is on: CONTAINER_INHERIT_ACE.");
|
|
}
|
|
|
|
if(pAceHeader->AceFlags & NO_PROPAGATE_INHERIT_ACE)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - The Following ACE header flag is on: NO_PROPAGATE_INHERIT_ACE.");
|
|
}
|
|
|
|
if(pAceHeader->AceFlags & INHERIT_ONLY_ACE)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - The Following ACE header flag is on: INHERIT_ONLY_ACE.");
|
|
}
|
|
|
|
if(pAceHeader->AceFlags & INHERITED_ACE)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - The Following ACE header flag is on: INHERITED_ACE.");
|
|
}
|
|
|
|
if(pAceHeader->AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - The Following ACE header flag is on: SUCCESSFUL_ACCESS_ACE_FLAG.");
|
|
}
|
|
|
|
if(pAceHeader->AceFlags & FAILED_ACCESS_ACE_FLAG)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - The Following ACE header flag is on: FAILED_ACCESS_ACE_FLAG.");
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - AceSize = 0x%08X.", pAceHeader->AceSize);
|
|
|
|
|
|
PISID pSid = GetAceSid(pAceHeader);
|
|
if(!pSid)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"LogAce - Call to GetAceSid failed.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Leaving.");
|
|
return;
|
|
}
|
|
|
|
LogSid(pSid);
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"LogAce - Leaving.");
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: ProcessAce
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters:
|
|
//
|
|
// Return: S_OK on success. An HRESULT error code on failure.
|
|
//
|
|
// History: 8/8/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT ProcessAce( PACE_HEADER pAceHeader,
|
|
PRSOPTOKEN pRsopToken,
|
|
POBJECT_TYPE_LIST pObjectTypeList,
|
|
DWORD ObjectTypeListLength,
|
|
DWORD dwDesiredAccessMask,
|
|
CAccumulatedPermissions& accumulatedPermissions,
|
|
bool* pbAccessExplicitlyDenied)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Entering.");
|
|
|
|
//
|
|
// Check parameters.
|
|
//
|
|
|
|
if( !pAceHeader || !pRsopToken ||
|
|
(ObjectTypeListLength && !pObjectTypeList) ||
|
|
!pbAccessExplicitlyDenied)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"ProcessAce - Invalid argument(s).");
|
|
return E_FAIL;
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Desired Access Mask: 0x%08X.", dwDesiredAccessMask);
|
|
if(dwDesiredAccessMask == MAXIMUM_ALLOWED)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Desired Access Mask == MAXIMUM_ALLOWED.");
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Accumulated Permissions BEFORE Processing Ace: 0x%08X.", accumulatedPermissions.GetAccumulatedPermissions());
|
|
|
|
|
|
//
|
|
// Log ACE information
|
|
//
|
|
|
|
LogAce(pAceHeader);
|
|
|
|
*pbAccessExplicitlyDenied = false;
|
|
|
|
//
|
|
// ACEs with INHERIT_ONLY_ACE flag do no control access to the current object.
|
|
// Therefore, we ignore them.
|
|
//
|
|
|
|
if(pAceHeader->AceFlags & INHERIT_ONLY_ACE)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Found ACE with INHERIT_ONLY_ACE flag. Ace does not apply.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Leaving.");
|
|
return S_OK;
|
|
}
|
|
|
|
//
|
|
// If this ACE does not reference any of the SIDs contained in the RsopToken,
|
|
// we ignore it.
|
|
//
|
|
|
|
bool bAceApplies;
|
|
HRESULT hr = CheckAceApplies(pAceHeader, pRsopToken, &bAceApplies);
|
|
if(FAILED(hr))
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"ProcessAce - CheckAceApplies failed. Return code: 0x%08X", hr);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Leaving.");
|
|
return hr;
|
|
}
|
|
|
|
if(!bAceApplies)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - ACE does not apply.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Leaving.");
|
|
return S_OK;
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - ACE aplies.");
|
|
|
|
PACCESS_ALLOWED_ACE pACCESS_ALLOWED_ACE;
|
|
PACCESS_ALLOWED_OBJECT_ACE pACCESS_ALLOWED_OBJECT_ACE;
|
|
PACCESS_DENIED_ACE pACCESS_DENIED_ACE;
|
|
PACCESS_DENIED_OBJECT_ACE pACCESS_DENIED_OBJECT_ACE;
|
|
|
|
DWORD i;
|
|
DWORD dwMask;
|
|
switch(pAceHeader->AceType)
|
|
{
|
|
case ACCESS_ALLOWED_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - ACE type: ACCESS_ALLOWED_ACE_TYPE");
|
|
pACCESS_ALLOWED_ACE = reinterpret_cast<PACCESS_ALLOWED_ACE>(pAceHeader);
|
|
|
|
//
|
|
// If the requested access is MAXIMUM_ALLOWED, consider all bits in the Mask
|
|
// controlled by this ACE.
|
|
// Otherwise, consider only those bits that are also specified in the
|
|
// desired access mask.
|
|
//
|
|
|
|
if(dwDesiredAccessMask == MAXIMUM_ALLOWED)
|
|
{
|
|
dwMask = pACCESS_ALLOWED_ACE->Mask;
|
|
}
|
|
else
|
|
{
|
|
dwMask = dwDesiredAccessMask & pACCESS_ALLOWED_ACE->Mask;
|
|
}
|
|
|
|
accumulatedPermissions.ProcessAceMask( dwMask,
|
|
PERMISSION_ALLOWED,
|
|
NULL);
|
|
|
|
break;
|
|
|
|
case ACCESS_ALLOWED_OBJECT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - ACE type: ACCESS_ALLOWED_OBJECT_ACE_TYPE");
|
|
pACCESS_ALLOWED_OBJECT_ACE = reinterpret_cast<PACCESS_ALLOWED_OBJECT_ACE>(pAceHeader);
|
|
|
|
|
|
//
|
|
// We have chosen to process only those object ACEs that have
|
|
// the flag ACE_OBJECT_TYPE_PRESENT set.
|
|
//
|
|
|
|
if(pACCESS_ALLOWED_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT)
|
|
{
|
|
|
|
|
|
//
|
|
// Notice that if this function is invoked with no
|
|
// ObjectTypeList, object ACEs are disregarded.
|
|
//
|
|
|
|
for(i = 0; i < ObjectTypeListLength; i++)
|
|
{
|
|
POBJECT_TYPE_LIST pObjectType = &(pObjectTypeList[i]);
|
|
if(*(pObjectType->ObjectType) == pACCESS_ALLOWED_OBJECT_ACE->ObjectType)
|
|
{
|
|
//
|
|
// If the requested access is MAXIMUM_ALLOWED, consider all bits in the Mask
|
|
// controlled by this ACE.
|
|
// Otherwise, consider only those bits that are also specified in the
|
|
// desired access mask.
|
|
//
|
|
|
|
if(dwDesiredAccessMask == MAXIMUM_ALLOWED)
|
|
{
|
|
dwMask = pACCESS_ALLOWED_OBJECT_ACE->Mask;
|
|
}
|
|
else
|
|
{
|
|
dwMask = dwDesiredAccessMask & pACCESS_ALLOWED_OBJECT_ACE->Mask;
|
|
}
|
|
|
|
accumulatedPermissions.ProcessAceMask( dwMask,
|
|
PERMISSION_ALLOWED,
|
|
&(pACCESS_ALLOWED_OBJECT_ACE->ObjectType));
|
|
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
break;
|
|
|
|
case ACCESS_DENIED_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - ACE type: ACCESS_DENIED_ACE_TYPE");
|
|
pACCESS_DENIED_ACE = reinterpret_cast<PACCESS_DENIED_ACE>(pAceHeader);
|
|
|
|
|
|
//
|
|
// If the requested access is MAXIMUM_ALLOWED, consider all bits in the Mask
|
|
// controlled by this ACE.
|
|
// Otherwise, consider only those bits that are also specified in the
|
|
// desired access mask.
|
|
//
|
|
|
|
if(dwDesiredAccessMask == MAXIMUM_ALLOWED)
|
|
{
|
|
dwMask = pACCESS_DENIED_ACE->Mask;
|
|
}
|
|
else
|
|
{
|
|
dwMask = dwDesiredAccessMask & pACCESS_DENIED_ACE->Mask;
|
|
}
|
|
|
|
accumulatedPermissions.ProcessAceMask( dwMask,
|
|
PERMISSION_DENIED,
|
|
NULL);
|
|
|
|
if(dwDesiredAccessMask != MAXIMUM_ALLOWED)
|
|
{
|
|
if(accumulatedPermissions.AnyDenied())
|
|
{
|
|
*pbAccessExplicitlyDenied = true;
|
|
}
|
|
}
|
|
|
|
break;
|
|
|
|
case ACCESS_DENIED_OBJECT_ACE_TYPE:
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - ACE type: ACCESS_DENIED_OBJECT_ACE_TYPE");
|
|
pACCESS_DENIED_OBJECT_ACE = reinterpret_cast<PACCESS_DENIED_OBJECT_ACE>(pAceHeader);
|
|
|
|
|
|
//
|
|
// We have chosen to process only those object ACEs that have
|
|
// the flag ACE_OBJECT_TYPE_PRESENT set.
|
|
//
|
|
|
|
if(pACCESS_DENIED_OBJECT_ACE->Flags & ACE_OBJECT_TYPE_PRESENT)
|
|
{
|
|
|
|
|
|
//
|
|
// Notice that if this function is invoked with no
|
|
// ObjectTypeList, object ACEs are disregarded.
|
|
//
|
|
|
|
for(i = 0; i < ObjectTypeListLength; i++)
|
|
{
|
|
POBJECT_TYPE_LIST pObjectType = &(pObjectTypeList[i]);
|
|
if(*(pObjectType->ObjectType) == pACCESS_DENIED_OBJECT_ACE->ObjectType)
|
|
{
|
|
//
|
|
// If the requested access is MAXIMUM_ALLOWED, consider all bits in the Mask
|
|
// controlled by this ACE.
|
|
// Otherwise, consider only those bits that are also specified in the
|
|
// desired access mask.
|
|
//
|
|
|
|
if(dwDesiredAccessMask == MAXIMUM_ALLOWED)
|
|
{
|
|
dwMask = pACCESS_DENIED_OBJECT_ACE->Mask;
|
|
}
|
|
else
|
|
{
|
|
dwMask = dwDesiredAccessMask & pACCESS_DENIED_OBJECT_ACE->Mask;
|
|
}
|
|
|
|
accumulatedPermissions.ProcessAceMask( dwMask,
|
|
PERMISSION_DENIED,
|
|
&(pACCESS_DENIED_OBJECT_ACE->ObjectType));
|
|
|
|
if(dwDesiredAccessMask != MAXIMUM_ALLOWED)
|
|
{
|
|
if(accumulatedPermissions.AnyDenied())
|
|
{
|
|
*pbAccessExplicitlyDenied = true;
|
|
}
|
|
}
|
|
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"ProcessAce - Unexpected ACE type found in ACE header. Type: 0x%08x", pAceHeader->AceType);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Leaving.");
|
|
return E_FAIL;
|
|
break;
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Accumulated Permissions AFTER Processing Ace: 0x%08X.", accumulatedPermissions.GetAccumulatedPermissions());
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"ProcessAce - Leaving.");
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: RsopAccessCheckByType
|
|
//
|
|
// Description:
|
|
//
|
|
// Parameters: - pSecurityDescriptor,
|
|
// - pPrincipalSelfSid:
|
|
// - pRsopToken:
|
|
// - dwDesiredAccessMask:
|
|
// - pObjectTypeList:
|
|
// - ObjectTypeListLength:
|
|
// - pGenericMapping:
|
|
// - pPrivilegeSet:
|
|
// - pdwPrivilegeSetLength:
|
|
// - pdwGrantedAccessMask:
|
|
// - pbAccessStatus:
|
|
//
|
|
// Return: S_OK on success. An HRESULT error code on failure.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT RsopAccessCheckByType( PSECURITY_DESCRIPTOR pSecurityDescriptor,
|
|
PSID pPrincipalSelfSid,
|
|
PRSOPTOKEN pRsopToken,
|
|
DWORD dwDesiredAccessMask,
|
|
POBJECT_TYPE_LIST pObjectTypeList,
|
|
DWORD ObjectTypeListLength,
|
|
PGENERIC_MAPPING pGenericMapping,
|
|
PPRIVILEGE_SET pPrivilegeSet,
|
|
LPDWORD pdwPrivilegeSetLength,
|
|
LPDWORD pdwGrantedAccessMask,
|
|
LPBOOL pbAccessStatus)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Entering.");
|
|
|
|
|
|
//
|
|
// Check arguments.
|
|
//
|
|
|
|
if( !pSecurityDescriptor |
|
|
!IsValidSecurityDescriptor(pSecurityDescriptor) |
|
|
!pRsopToken |
|
|
!pGenericMapping |
|
|
!pdwGrantedAccessMask |
|
|
!pbAccessStatus)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopAccessCheckByType - Function invoked with invalid arguments.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
|
|
//
|
|
// Get the DACL from the Security Descriptor
|
|
//
|
|
|
|
BOOL bDaclPresent;
|
|
PACL pDacl;
|
|
BOOL bDaclDefaulted;
|
|
if(!GetSecurityDescriptorDacl(pSecurityDescriptor, &bDaclPresent, &pDacl, &bDaclDefaulted))
|
|
{
|
|
DWORD dwLastError = GetLastError();
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopAccessCheckByType - GetSecurityDescriptorDacl failed. GetLastError=0x%08X", dwLastError);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
return E_FAIL;
|
|
}
|
|
|
|
|
|
//
|
|
// Map generic rights specified in dwDesiredAccessMask to standard
|
|
// and specific rights.
|
|
// This is necessary because the ACEs in the DACL specify standard
|
|
// and specific rights only.
|
|
//
|
|
|
|
if(dwDesiredAccessMask != MAXIMUM_ALLOWED)
|
|
{
|
|
MapGenericMask(&dwDesiredAccessMask, pGenericMapping);
|
|
}
|
|
|
|
|
|
//
|
|
// If no DACL is present (as indicated by bDaclPresent) in the security descriptor,
|
|
// or if it present (as indicated by bDaclPresent) but it is a NULL DACL
|
|
// the object implicitly grants all access.
|
|
//
|
|
|
|
if(!bDaclPresent || pDacl == NULL)
|
|
{
|
|
if(dwDesiredAccessMask == MAXIMUM_ALLOWED)
|
|
{
|
|
*pdwGrantedAccessMask = pGenericMapping->GenericAll |
|
|
pGenericMapping->GenericExecute |
|
|
pGenericMapping->GenericRead |
|
|
pGenericMapping->GenericWrite;
|
|
}
|
|
else
|
|
{
|
|
*pdwGrantedAccessMask = dwDesiredAccessMask;
|
|
}
|
|
*pbAccessStatus = TRUE;
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - No DACL present. All access is granted.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
return S_OK;
|
|
}
|
|
|
|
DWORD dwAceCount = pDacl->AceCount;
|
|
|
|
|
|
//
|
|
// If the DACL is present but it is empty,
|
|
// the object implicitly denies access to everyone.
|
|
//
|
|
|
|
if(!dwAceCount)
|
|
{
|
|
*pdwGrantedAccessMask = 0;
|
|
*pbAccessStatus = FALSE;
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - The DACL is present but it is empty. All access is denied.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
//
|
|
// At this point we have an array of ACES structures
|
|
//
|
|
// If the desired access is different from MAXIMUM_ALLOWED,
|
|
// inspect them until one of the following happens:
|
|
//
|
|
// 1. An ACE is found which explicitly denies one of the requested
|
|
// access rights. In this case checking stops immediately and
|
|
// access is (explicitly) denied.
|
|
//
|
|
// 2. All the requested accesses are explicitly granted by one or
|
|
// more ACEs. In this case checking stops immediately and
|
|
// access is (explicitly) allowed.
|
|
//
|
|
//
|
|
// 3. All the ACEs have been inspected inspected and there is at least
|
|
// one requested access right that has not been explicitly allowed.
|
|
// In this case, access is (implicitly) denied.
|
|
//
|
|
// If the desired access is MAXIMUM_ALLOWED, inspect all the ACEs.
|
|
//
|
|
|
|
PISID pSid;
|
|
BYTE* pByte;
|
|
|
|
CAccumulatedPermissions accumulatedPermissions( pObjectTypeList, ObjectTypeListLength);
|
|
|
|
if(!accumulatedPermissions.Initialized())
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopAccessCheckByType - CAccumulatedPermissions failed to initialize.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
return E_FAIL;
|
|
}
|
|
|
|
|
|
|
|
*pdwGrantedAccessMask = 0;
|
|
*pbAccessStatus = FALSE;
|
|
|
|
|
|
//
|
|
// Log SID information contained in the RsopToken.
|
|
//
|
|
|
|
CRsopToken* pToken = static_cast<CRsopToken*>(pRsopToken);
|
|
for(CTLink<CSid>* pLink = pToken->m_pSidsHead; pLink; pLink = pLink->m_pNext)
|
|
{
|
|
LogSid(pLink->m_pData->GetSidPtr());
|
|
}
|
|
|
|
|
|
//
|
|
// The first ACE immediately follows the DACL structure. We don't know up front
|
|
// the type of ACE so we get the ACE header which has a format common to all
|
|
// ACE types.
|
|
//
|
|
|
|
PACE_HEADER pAceHeader = reinterpret_cast<PACE_HEADER>(pDacl+1);
|
|
|
|
for(DWORD i=0; i<dwAceCount; i++)
|
|
{
|
|
bool bAccessExplicitlyDenied;
|
|
HRESULT hr = ProcessAce(pAceHeader,
|
|
pRsopToken,
|
|
pObjectTypeList,
|
|
ObjectTypeListLength,
|
|
dwDesiredAccessMask,
|
|
accumulatedPermissions,
|
|
&bAccessExplicitlyDenied);
|
|
|
|
if(FAILED(hr))
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopAccessCheckByType - ProcessAce failed. Return code: 0x%08X", hr);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
return hr;
|
|
}
|
|
|
|
|
|
//
|
|
// If, this ACE explicitly denies any of the requested access rights,
|
|
// stop immediately. Access is denied.
|
|
// ProcessAce will never set this variable to true when dwDesiredAccessMask
|
|
// is MAXIMUM_ALLOWED.
|
|
//
|
|
|
|
if(bAccessExplicitlyDenied)
|
|
{
|
|
*pdwGrantedAccessMask = 0;
|
|
*pbAccessStatus = FALSE;
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - An ACE explicitly denies any of the requested access rights. Access is denied.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
//
|
|
// If, after processing this ACE all requested access rights have been granted,
|
|
// stop immediately. Access is granted.
|
|
//
|
|
|
|
DWORD dwAccumulatedPermissions = accumulatedPermissions.GetAccumulatedPermissions();
|
|
if((dwDesiredAccessMask != MAXIMUM_ALLOWED) && (dwAccumulatedPermissions == dwDesiredAccessMask))
|
|
{
|
|
*pdwGrantedAccessMask = dwDesiredAccessMask;
|
|
*pbAccessStatus = TRUE;
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - dwDesiredAccessMask != MAXIMUM_ALLOWED && dwAccumulatedPermissions == dwDesiredAccessMask. Access is granted.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
return S_OK;
|
|
}
|
|
|
|
|
|
//
|
|
// Otherwise, point to the next ACE.
|
|
//
|
|
|
|
pAceHeader = reinterpret_cast<PACE_HEADER>(reinterpret_cast<BYTE*>(pAceHeader) + pAceHeader->AceSize);
|
|
}
|
|
|
|
if(dwDesiredAccessMask == MAXIMUM_ALLOWED)
|
|
{
|
|
*pdwGrantedAccessMask = accumulatedPermissions.GetAccumulatedPermissions();
|
|
*pbAccessStatus = *pdwGrantedAccessMask ? TRUE : FALSE;
|
|
}
|
|
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopAccessCheckByType - Leaving.");
|
|
|
|
return S_OK;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: RsopFileAccessCheck
|
|
//
|
|
// Description: Determines whether the security descriptor pointed to by pSecurityDescriptor
|
|
// grants the set of file access rights specified in dwDesiredAccessMask
|
|
// to the client identified by the RSOPTOKEN pointed to by pRsopToken.
|
|
//
|
|
// Parameters: - pszFileName: Pointer to an existing filename.
|
|
// - pRsopToken: Pointer to a valid RSOPTOKEN against which access
|
|
// is to be checked.
|
|
// - dwDesiredAccessMask: Mask of requested generic and/or standard and/or specific access rights,
|
|
// - pdwGrantedAccessMask: On success, if pbAccessStatus is true, it contains
|
|
// the mask of standard and specific rights granted.
|
|
// If pbAccessStatus is false, it is set to 0.
|
|
// On failure, it is not modified.
|
|
// - pbAccessStatus: On success, indicates wether the requested set
|
|
// of access rights was granted.
|
|
// On failure, it is not modified
|
|
//
|
|
// Return: S_OK on success. An HRESULT error code on failure.
|
|
//
|
|
// History: 7/30/99 leonardm Created.
|
|
//
|
|
//******************************************************************************
|
|
HRESULT RsopFileAccessCheck(LPTSTR pszFileName,
|
|
PRSOPTOKEN pRsopToken,
|
|
DWORD dwDesiredAccessMask,
|
|
LPDWORD pdwGrantedAccessMask,
|
|
LPBOOL pbAccessStatus)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopFileAccessCheck - Entering.");
|
|
|
|
|
|
//
|
|
// Check for invalid arguments.
|
|
//
|
|
|
|
if( !pszFileName |!pRsopToken | !pdwGrantedAccessMask | !pbAccessStatus)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopFileAccessCheck - Function called with invalid parameters.");
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopFileAccessCheck - Leaving.");
|
|
return E_INVALIDARG;
|
|
}
|
|
|
|
|
|
//
|
|
// Attempt to get a handle with READ_CONTROL access right that can be used to
|
|
// read the security descriptor.
|
|
//
|
|
|
|
XHandle hFile = CreateFile( pszFileName,
|
|
READ_CONTROL,
|
|
FILE_SHARE_READ|FILE_SHARE_WRITE,
|
|
NULL,
|
|
OPEN_EXISTING,
|
|
0,
|
|
NULL);
|
|
|
|
|
|
if(hFile == INVALID_HANDLE_VALUE)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopFileAccessCheck - Call to CreateFile failed. Filename: %s. Last error: 0x%08X", pszFileName, GetLastError());
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopFileAccessCheck - Leaving.");
|
|
return E_FAIL;
|
|
}
|
|
|
|
|
|
//
|
|
// Use the handle to get the security descriptor with only the DACL in it.
|
|
//
|
|
|
|
PACL pDacl;
|
|
XPtrLF<SECURITY_DESCRIPTOR>xpSecurityDescriptor = NULL;
|
|
DWORD status = GetSecurityInfo( hFile,
|
|
SE_FILE_OBJECT,
|
|
DACL_SECURITY_INFORMATION,
|
|
NULL,
|
|
NULL,
|
|
&pDacl,
|
|
NULL,
|
|
reinterpret_cast<void**>(&xpSecurityDescriptor));
|
|
|
|
if(status != ERROR_SUCCESS)
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopFileAccessCheck - Call to GetSecurityInfo failed. Return: 0x%08X", status);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopFileAccessCheck - Leaving.");
|
|
return E_FAIL;
|
|
}
|
|
|
|
|
|
//
|
|
// This will be used by RSOPAccessCheckByType to map generic rights specified in
|
|
// dwDesiredAccessMask to standard and specific rights.
|
|
//
|
|
|
|
GENERIC_MAPPING FileGenericMapping;
|
|
FileGenericMapping.GenericRead = FILE_GENERIC_READ;
|
|
FileGenericMapping.GenericWrite = FILE_GENERIC_WRITE;
|
|
FileGenericMapping.GenericExecute = FILE_GENERIC_EXECUTE;
|
|
FileGenericMapping.GenericAll = FILE_ALL_ACCESS;
|
|
|
|
|
|
//
|
|
// Call RsopAccessCheckByType to do the actual checking.
|
|
//
|
|
|
|
HRESULT hr = RsopAccessCheckByType( xpSecurityDescriptor,
|
|
NULL,
|
|
pRsopToken,
|
|
dwDesiredAccessMask,
|
|
NULL,
|
|
0,
|
|
&FileGenericMapping,
|
|
NULL,
|
|
0,
|
|
pdwGrantedAccessMask,
|
|
pbAccessStatus);
|
|
|
|
if(SUCCEEDED(hr))
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopFileAccessCheck - Leaving successfully.");
|
|
}
|
|
else
|
|
{
|
|
dbg.Msg(DEBUG_MESSAGE_WARNING, L"RsopFileAccessCheck - Call to RsopAccessCheckByType failed. Return: 0x%08X", hr);
|
|
dbg.Msg(DEBUG_MESSAGE_VERBOSE, L"RsopFileAccessCheck - Leaving.");
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
//******************************************************************************
|
|
//
|
|
// Function: RsopSidsFromToken
|
|
//
|
|
// Description: Returns all the sids in the token
|
|
//
|
|
// Parameters: pRsopToken -- an rsop token from which to obtain sids
|
|
// ppGroups -- a pointer to the address of a TOKEN_GROUPS structure
|
|
// that will be allocated by this function and will contain
|
|
// references to the sids. The caller should free this
|
|
// pointer with LocalFree -- this will also free all memory
|
|
// referenced by the structure.
|
|
//
|
|
// Return: S_OK on success. An HRESULT error code on failure.
|
|
//
|
|
//
|
|
//******************************************************************************
|
|
HRESULT RsopSidsFromToken(PRSOPTOKEN pRsopToken,
|
|
PTOKEN_GROUPS* ppGroups)
|
|
{
|
|
HRESULT hr;
|
|
CRsopToken* pToken;
|
|
|
|
//
|
|
// Initializations
|
|
//
|
|
hr = S_OK;
|
|
*ppGroups = NULL;
|
|
|
|
pToken = (CRsopToken*) pRsopToken;
|
|
|
|
//
|
|
// First, determine the number of groups and the size
|
|
// needed for each sid
|
|
//
|
|
CTLink<CSid>* pCurrent;
|
|
DWORD cbSize;
|
|
DWORD cGroups;
|
|
|
|
cbSize = 0;
|
|
cGroups = 0;
|
|
|
|
//
|
|
// Iterate through each sid, adding its size to the total
|
|
// needed to store the sids
|
|
//
|
|
for ( pCurrent = pToken->m_pSidsHead;
|
|
pCurrent;
|
|
pCurrent = pCurrent->m_pNext)
|
|
{
|
|
cbSize += RtlLengthSid(pCurrent->m_pData->GetSidPtr());
|
|
cGroups++;
|
|
}
|
|
|
|
//
|
|
// Add in the size of the fixed portion of the return structure.
|
|
// Note that the fixed portion of the structure already has
|
|
// space for one group, so we exclude that group from the amount
|
|
// neeeded to allocate if we are allocating at least one group
|
|
//
|
|
cbSize += sizeof(TOKEN_GROUPS) + (sizeof(SID_AND_ATTRIBUTES) *
|
|
(cGroups - (cGroups ? 1 : 0)));
|
|
|
|
//
|
|
// Now allocate space for the groups
|
|
//
|
|
*ppGroups = (PTOKEN_GROUPS) LocalAlloc( LPTR, cbSize );
|
|
|
|
if ( !*ppGroups )
|
|
{
|
|
return E_OUTOFMEMORY;
|
|
}
|
|
|
|
//
|
|
// Set the count member of the structure
|
|
//
|
|
(*ppGroups)->GroupCount = cGroups;
|
|
|
|
//
|
|
// If there are groups, copy the sids
|
|
//
|
|
if ( 0 != cGroups )
|
|
{
|
|
PSID pCurrentSid;
|
|
PSID_AND_ATTRIBUTES pCurrentGroup;
|
|
|
|
//
|
|
// Set the current sid to an offset past the
|
|
// array of SID_AND_ATTRIBUTE structures that
|
|
// represents each group
|
|
//
|
|
pCurrentSid = &((*ppGroups)->Groups[cGroups]);
|
|
|
|
//
|
|
// Set the current group to the first SID_AND_ATTRIBUTE structure
|
|
//
|
|
pCurrentGroup = (PSID_AND_ATTRIBUTES) &((*ppGroups)->Groups);
|
|
|
|
//
|
|
// We have no information in the rsop token regarding
|
|
// the attributes, so we clear this member
|
|
//
|
|
pCurrentGroup->Attributes = 0;
|
|
|
|
//
|
|
// Iterate through each group and copy it
|
|
//
|
|
for (pCurrent = pToken->m_pSidsHead;
|
|
pCurrent;
|
|
pCurrent = pCurrent->m_pNext)
|
|
{
|
|
DWORD cbSid;
|
|
NTSTATUS Status;
|
|
|
|
//
|
|
// Determine the length of the source sid
|
|
//
|
|
cbSid = RtlLengthSid(pCurrent->m_pData->GetSidPtr());
|
|
|
|
//
|
|
// Copy the source sid to the current sid
|
|
//
|
|
Status = RtlCopySid(
|
|
cbSid,
|
|
pCurrentSid,
|
|
pCurrent->m_pData->GetSidPtr());
|
|
|
|
//
|
|
// Check for errors
|
|
//
|
|
if (STATUS_SUCCESS != Status)
|
|
{
|
|
hr = HRESULT_FROM_WIN32(Status);
|
|
|
|
break;
|
|
}
|
|
|
|
//
|
|
// Set the current group's sid reference to the
|
|
// current sid
|
|
//
|
|
pCurrentGroup->Sid = pCurrentSid;
|
|
|
|
//
|
|
// Move our current sid offset forward by the length of
|
|
// the current sid. Move our group reference forward as well.
|
|
//
|
|
pCurrentSid = (PSID) (((BYTE*) pCurrentSid) + cbSid);
|
|
pCurrentGroup++;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Free any memory on failure and remove
|
|
// any reference to it
|
|
//
|
|
if (FAILED(hr))
|
|
{
|
|
LocalFree(*ppGroups);
|
|
*ppGroups = NULL;
|
|
}
|
|
|
|
return hr;
|
|
}
|
|
|
|
|