windows-nt/Source/XPSP1/NT/base/ntsetup/winnt32/dll/security.c
2020-09-26 16:20:57 +08:00

244 lines
4.8 KiB
C

#include "precomp.h"
#pragma hdrstop
BOOL
IsUserAdmin(
VOID
)
/*++
Routine Description:
This routine returns TRUE if the caller's process is a
member of the Administrators local group.
Caller is NOT expected to be impersonating anyone and IS
expected to be able to open their own process and process
token.
Arguments:
None.
Return Value:
TRUE - Caller has Administrators local group.
FALSE - Caller does not have Administrators local group.
--*/
{
HANDLE Token;
DWORD BytesRequired;
PTOKEN_GROUPS Groups;
BOOL b;
DWORD i;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
PSID AdministratorsGroup;
//
// On non-NT platforms the user is administrator.
//
if(!ISNT()) {
return(TRUE);
}
//
// Open the process token.
//
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&Token)) {
return(FALSE);
}
b = FALSE;
Groups = NULL;
//
// Get group information.
//
if(!GetTokenInformation(Token,TokenGroups,NULL,0,&BytesRequired)
&& (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
&& (Groups = (PTOKEN_GROUPS)LocalAlloc(LPTR,BytesRequired))
&& GetTokenInformation(Token,TokenGroups,Groups,BytesRequired,&BytesRequired)) {
b = AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&AdministratorsGroup
);
if(b) {
//
// See if the user has the administrator group.
//
b = FALSE;
for(i=0; i<Groups->GroupCount; i++) {
if(EqualSid(Groups->Groups[i].Sid,AdministratorsGroup)) {
b = TRUE;
break;
}
}
FreeSid(AdministratorsGroup);
}
}
//
// Clean up and return.
//
if(Groups) {
LocalFree((HLOCAL)Groups);
}
CloseHandle(Token);
return(b);
}
BOOL
DoesUserHavePrivilege(
PTSTR PrivilegeName
)
/*++
Routine Description:
This routine returns TRUE if the caller's process has
the specified privilege. The privilege does not have
to be currently enabled. This routine is used to indicate
whether the caller has the potential to enable the privilege.
Caller is NOT expected to be impersonating anyone and IS
expected to be able to open their own process and process
token.
Arguments:
Privilege - the name form of privilege ID (such as
SE_SECURITY_NAME).
Return Value:
TRUE - Caller has the specified privilege.
FALSE - Caller does not have the specified privilege.
--*/
{
HANDLE Token;
ULONG BytesRequired;
PTOKEN_PRIVILEGES Privileges;
BOOL b;
DWORD i;
LUID Luid;
//
// On non-NT platforms the user has all privileges
//
if(!ISNT()) {
return(TRUE);
}
//
// Open the process token.
//
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_QUERY,&Token)) {
return(FALSE);
}
b = FALSE;
Privileges = NULL;
//
// Get privilege information.
//
if(!GetTokenInformation(Token,TokenPrivileges,NULL,0,&BytesRequired)
&& (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
&& (Privileges = (PTOKEN_PRIVILEGES)LocalAlloc(LPTR,BytesRequired))
&& GetTokenInformation(Token,TokenPrivileges,Privileges,BytesRequired,&BytesRequired)
&& LookupPrivilegeValue(NULL,PrivilegeName,&Luid)) {
//
// See if we have the requested privilege
//
for(i=0; i<Privileges->PrivilegeCount; i++) {
if(!memcmp(&Luid,&Privileges->Privileges[i].Luid,sizeof(LUID))) {
b = TRUE;
break;
}
}
}
//
// Clean up and return.
//
if(Privileges) {
LocalFree((HLOCAL)Privileges);
}
CloseHandle(Token);
return(b);
}
BOOL
EnablePrivilege(
IN PTSTR PrivilegeName,
IN BOOL Enable
)
{
HANDLE Token;
BOOL b;
TOKEN_PRIVILEGES NewPrivileges;
LUID Luid;
//
// On non-NT platforms the user already has all privileges
//
if(!ISNT()) {
return(TRUE);
}
if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES,&Token)) {
return(FALSE);
}
if(!LookupPrivilegeValue(NULL,PrivilegeName,&Luid)) {
CloseHandle(Token);
return(FALSE);
}
NewPrivileges.PrivilegeCount = 1;
NewPrivileges.Privileges[0].Luid = Luid;
NewPrivileges.Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0;
b = AdjustTokenPrivileges(
Token,
FALSE,
&NewPrivileges,
0,
NULL,
NULL
);
CloseHandle(Token);
return(b);
}