windows-nt/Source/XPSP1/NT/ds/netapi/svcdlls/wkssvc/server/wssec.c

/*++

Copyright (c) 1991  Microsoft Corporation

Module Name:

    wssec.c

Abstract:

    This module contains the Workstation service support routines
    which create security objects and enforce security _access checking.

Author:

    Rita Wong (ritaw) 19-Feb-1991

Revision History:

--*/

#include "wsutil.h"
#include "wsmain.h"
#include "wssec.h"

//-------------------------------------------------------------------//
//                                                                   //
// Local function prototypes                                         //
//                                                                   //
//-------------------------------------------------------------------//

STATIC
NTSTATUS
WsCreateConfigInfoObject(
    VOID
    );

STATIC
NTSTATUS
WsCreateMessageSendObject(
    VOID
    );

#if 0
STATIC
NTSTATUS
WsCreateLogonSupportObject(
    VOID
    );
#endif

//-------------------------------------------------------------------//
//                                                                   //
// Global variables                                                  //
//                                                                   //
//-------------------------------------------------------------------//

//
// Security descriptors of workstation objects to control user accesses
// to the workstation configuration information, sending messages, and the
// logon support functions.
//
PSECURITY_DESCRIPTOR ConfigurationInfoSd;
PSECURITY_DESCRIPTOR MessageSendSd;
#if 0
PSECURITY_DESCRIPTOR LogonSupportSd;
#endif

//
// Structure that describes the mapping of Generic access rights to
// object specific access rights for the ConfigurationInfo object.
//
GENERIC_MAPPING WsConfigInfoMapping = {
    STANDARD_RIGHTS_READ            |      // Generic read
        WKSTA_CONFIG_GUEST_INFO_GET |
        WKSTA_CONFIG_USER_INFO_GET  |
        WKSTA_CONFIG_ADMIN_INFO_GET,
    STANDARD_RIGHTS_WRITE |                // Generic write
        WKSTA_CONFIG_INFO_SET,
    STANDARD_RIGHTS_EXECUTE,               // Generic execute
    WKSTA_CONFIG_ALL_ACCESS                // Generic all
    };

//
// Structure that describes the mapping of generic access rights to
// object specific access rights for the MessageSend object.
//
GENERIC_MAPPING WsMessageSendMapping = {
    STANDARD_RIGHTS_READ,                  // Generic read
    STANDARD_RIGHTS_WRITE |                // Generic write
        WKSTA_MESSAGE_SEND,
    STANDARD_RIGHTS_EXECUTE,               // Generic execute
    WKSTA_MESSAGE_ALL_ACCESS               // Generic all
    };

#if 0
//
// Structure that describes the mapping of generic access rights to
// object specific access rights for the LogonSupport object.
//
GENERIC_MAPPING WsLogonSupportMapping = {
    STANDARD_RIGHTS_READ,                  // Generic read
    STANDARD_RIGHTS_WRITE |                // Generic write
        WKSTA_LOGON_REQUEST_BROADCAST |
        WKSTA_LOGON_DOMAIN_WRITE,
    STANDARD_RIGHTS_EXECUTE,               // Generic execute
    WKSTA_LOGON_ALL_ACCESS                 // Generic all
    };
#endif



NET_API_STATUS
WsCreateWkstaObjects(
    VOID
    )
/*++

Routine Description:

    This function creates the workstation user-mode objects which are
    represented by security descriptors.

Arguments:

    None.

Return Value:

    NET_API_STATUS - NERR_Success or reason for failure.

--*/
{
    NTSTATUS ntstatus;


    //
    // Create ConfigurationInfo object
    //
    if (! NT_SUCCESS (ntstatus = WsCreateConfigInfoObject())) {
        IF_DEBUG(UTIL) {
            NetpKdPrint(("[Wksta] Failure to create ConfigurationInfo object\n"));
        }
        return NetpNtStatusToApiStatus(ntstatus);
    }

    //
    // Create MessageSend object
    //
    if (! NT_SUCCESS (ntstatus = WsCreateMessageSendObject())) {
        IF_DEBUG(UTIL) {
            NetpKdPrint(("[Wksta] Failure to create MessageSend object\n"));
        }
        return NetpNtStatusToApiStatus(ntstatus);
    }

#if 0
    //
    // Create LogonSupport object
    //
    if (! NT_SUCCESS (ntstatus = WsCreateLogonSupportObject())) {
        IF_DEBUG(UTIL) {
            NetpKdPrint(("[Wksta] Failure to create LogonSupport object\n"));
        }
        return NetpNtStatusToApiStatus(ntstatus);
    }
#endif

    return NERR_Success;
}



STATIC
NTSTATUS
WsCreateConfigInfoObject(
    VOID
    )
/*++

Routine Description:

    This function creates the workstation configuration information object.

Arguments:

    None.

Return Value:

    NTSTATUS - status returned from NetpCreateSecurityObject.

--*/
{
    //
    // Order matters!  These ACEs are inserted into the DACL in the
    // following order.  Security access is granted or denied based on
    // the order of the ACEs in the DACL.
    //
    // Local users, admins, and operators are allowed to get all information.
    // Only admins are allowed to set information.  Users are allowed to get
    // user and guest info; guests are allowed to get guest info only.
    //

#define CONFIG_INFO_ACES  8                 // Number of ACEs in this DACL

    ACE_DATA AceData[CONFIG_INFO_ACES] = {
        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_CONFIG_GUEST_INFO_GET |
               WKSTA_CONFIG_USER_INFO_GET  |
               WKSTA_CONFIG_ADMIN_INFO_GET,  &WsLmsvcsGlobalData->LocalSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               GENERIC_ALL,                  &WsLmsvcsGlobalData->AliasAdminsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_CONFIG_GUEST_INFO_GET |
               WKSTA_CONFIG_USER_INFO_GET  |
               WKSTA_CONFIG_ADMIN_INFO_GET,  &WsLmsvcsGlobalData->AliasAccountOpsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_CONFIG_GUEST_INFO_GET |
               WKSTA_CONFIG_USER_INFO_GET  |
               WKSTA_CONFIG_ADMIN_INFO_GET,  &WsLmsvcsGlobalData->AliasSystemOpsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_CONFIG_GUEST_INFO_GET |
               WKSTA_CONFIG_USER_INFO_GET  |
               WKSTA_CONFIG_ADMIN_INFO_GET,  &WsLmsvcsGlobalData->AliasPrintOpsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_CONFIG_GUEST_INFO_GET |
               WKSTA_CONFIG_USER_INFO_GET,   &WsLmsvcsGlobalData->AliasUsersSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_CONFIG_GUEST_INFO_GET,  &WsLmsvcsGlobalData->WorldSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_CONFIG_GUEST_INFO_GET,  &WsLmsvcsGlobalData->AnonymousLogonSid}
        };
     

    return NetpCreateSecurityObject(
               AceData,
               CONFIG_INFO_ACES,
               WsLmsvcsGlobalData->LocalSystemSid,
               WsLmsvcsGlobalData->LocalSystemSid,
               &WsConfigInfoMapping,
               &ConfigurationInfoSd
               );
}



STATIC
NTSTATUS
WsCreateMessageSendObject(
    VOID
    )
/*++

Routine Description:

    This function creates the workstation message send object.

Arguments:

    None.

Return Value:

    NTSTATUS - status returned from NetpCreateSecurityObject.

--*/
{
    //
    // Order matters!  These ACEs are inserted into the DACL in the
    // following order.  Security access is granted or denied based on
    // the order of the ACEs in the DACL.
    //
    // Any local user, and domain admins and operators are allowed to
    // send messages.  Remote users besides domain admins, and operators
    // are not allowed to send messages.
    //

#define MESSAGE_SEND_ACES  5                // Number of ACEs in this DACL

    ACE_DATA AceData[MESSAGE_SEND_ACES] = {
        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               GENERIC_ALL,         &WsLmsvcsGlobalData->LocalSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               GENERIC_ALL,         &WsLmsvcsGlobalData->AliasAdminsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_MESSAGE_SEND,  &WsLmsvcsGlobalData->AliasAccountOpsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_MESSAGE_SEND,  &WsLmsvcsGlobalData->AliasSystemOpsSid},

        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_MESSAGE_SEND,  &WsLmsvcsGlobalData->AliasPrintOpsSid}

        };


    return NetpCreateSecurityObject(
               AceData,
               MESSAGE_SEND_ACES,
               WsLmsvcsGlobalData->LocalSystemSid,
               WsLmsvcsGlobalData->LocalSystemSid,
               &WsMessageSendMapping,
               &MessageSendSd
               );
}

#if 0

STATIC
NTSTATUS
WsCreateLogonSupportObject(
    VOID
    )
/*++

Routine Description:

    This function creates the workstation logon support object.

Arguments:

    None.

Return Value:

    NTSTATUS - status returned from NetpCreateSecurityObject.

--*/
{
    //
    // These ACEs can be inserted into the DACL in any order.
    //

#define LOGON_ACES  1                     // Number of ACEs in this DACL

    ACE_DATA AceData[LOGON_ACES] = {
        {ACCESS_ALLOWED_ACE_TYPE, 0, 0,
               WKSTA_LOGON_REQUEST_BROADCAST | WKSTA_LOGON_DOMAIN_WRITE,
                                   &WsLmsvcsGlobalData->LocalSystemSid},

        };

    return NetpCreateSecurityObject(
               AceData,
               LOGON_ACES,
               WsLmsvcsGlobalData->LocalSystemSid,
               WsLmsvcsGlobalData->LocalSystemSid,
               &WsLogonSupportMapping,
               &LogonSupportSd
               );
}
#endif


VOID
WsDestroyWkstaObjects(
    VOID
    )
/*++

Routine Description:

    This function destroys the workstation user-mode objects which are
    represented by security descriptors.

Arguments:

    None.

Return Value:

    None.

--*/
{
    (void) NetpDeleteSecurityObject(&ConfigurationInfoSd);
    (void) NetpDeleteSecurityObject(&MessageSendSd);
#if 0
    (void) NetpDeleteSecurityObject(&LogonSupportSd);
#endif

}