2 * PROJECT: ReactOS Service Control Manager
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: base/system/services/security.c
5 * PURPOSE: Security functions
9 /* INCLUDES *****************************************************************/
/* File-scope security objects. Each pointer starts out NULL and is filled in
 * from the process heap by the allocation code further down in this file. */

/* SIDs used when the default ACLs are sized and populated. */
16 static PSID pNullSid
= NULL
;
17 static PSID pLocalSystemSid
= NULL
;
18 static PSID pAuthenticatedUserSid
= NULL
;
19 static PSID pAliasAdminsSid
= NULL
;
/* Default discretionary (access) and system (audit) ACLs. */
21 static PACL pDefaultDacl
= NULL
;
22 static PACL pDefaultSacl
= NULL
;
/* Absolute-format default security descriptor; it is the input to the
 * self-relative conversion in ScmCreateDefaultServiceSD. */
24 static PSECURITY_DESCRIPTOR pDefaultSD
= NULL
;
27 /* FUNCTIONS ****************************************************************/
/* Returns the four cached SIDs to the process heap.
 * NOTE(review): the enclosing function's signature and the condition in front
 * of the first RtlFreeHeap call are not visible in this listing.
 * NOTE(review): the globals keep their old values after the free. Resetting
 * each one to NULL would make a repeated call or a late reader fail safely
 * instead of touching freed memory - confirm this only runs once, at
 * shutdown. */
34 RtlFreeHeap(RtlGetProcessHeap(), 0, pNullSid
);
36 if (pLocalSystemSid
!= NULL
)
37 RtlFreeHeap(RtlGetProcessHeap(), 0, pLocalSystemSid
);
39 if (pAuthenticatedUserSid
!= NULL
)
40 RtlFreeHeap(RtlGetProcessHeap(), 0, pAuthenticatedUserSid
);
42 if (pAliasAdminsSid
!= NULL
)
43 RtlFreeHeap(RtlGetProcessHeap(), 0, pAliasAdminsSid
);
/* Builds the four SIDs cached in the file-scope pointers: Null, LocalSystem,
 * Authenticated Users and the built-in Administrators alias. Every visible
 * failure path returns ERROR_OUTOFMEMORY; the final statement returns
 * ERROR_SUCCESS.
 * NOTE(review): the function signature, the pSubAuthority declaration and the
 * NULL check guarding the first allocation are not visible in this listing.
 * ScmInitializeSecurity calls ScmCreateSids(), which is presumably this
 * function - confirm.
 * NOTE(review): an allocation failure part-way through returns without
 * releasing the SIDs allocated before it; they stay in the globals. Confirm
 * that the caller's failure path frees them. */
52 SID_IDENTIFIER_AUTHORITY NullAuthority
= {SECURITY_NULL_SID_AUTHORITY
};
53 SID_IDENTIFIER_AUTHORITY NtAuthority
= {SECURITY_NT_AUTHORITY
};
/* Buffer sizes for a SID with one sub-authority and with two. */
55 ULONG ulLength1
= RtlLengthRequiredSid(1);
56 ULONG ulLength2
= RtlLengthRequiredSid(2);
58 /* Create the Null SID */
/* Null authority with the single sub-authority SECURITY_NULL_RID,
 * conventionally written S-1-0-0. */
59 pNullSid
= RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1
);
62 return ERROR_OUTOFMEMORY
;
65 RtlInitializeSid(pNullSid
, &NullAuthority
, 1);
66 pSubAuthority
= RtlSubAuthoritySid(pNullSid
, 0);
67 *pSubAuthority
= SECURITY_NULL_RID
;
69 /* Create the LocalSystem SID */
/* NT authority with SECURITY_LOCAL_SYSTEM_RID, conventionally S-1-5-18. */
70 pLocalSystemSid
= RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1
);
71 if (pLocalSystemSid
== NULL
)
73 return ERROR_OUTOFMEMORY
;
76 RtlInitializeSid(pLocalSystemSid
, &NtAuthority
, 1);
77 pSubAuthority
= RtlSubAuthoritySid(pLocalSystemSid
, 0);
78 *pSubAuthority
= SECURITY_LOCAL_SYSTEM_RID
;
80 /* Create the AuthenticatedUser SID */
/* NT authority with SECURITY_AUTHENTICATED_USER_RID, conventionally
 * S-1-5-11. */
81 pAuthenticatedUserSid
= RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1
);
82 if (pAuthenticatedUserSid
== NULL
)
84 return ERROR_OUTOFMEMORY
;
87 RtlInitializeSid(pAuthenticatedUserSid
, &NtAuthority
, 1);
88 pSubAuthority
= RtlSubAuthoritySid(pAuthenticatedUserSid
, 0);
89 *pSubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
91 /* Create the AliasAdmins SID */
/* The only two-level SID here: built-in domain RID followed by the
 * Administrators alias RID, conventionally S-1-5-32-544. It is allocated
 * with ulLength2 to hold both sub-authorities. */
92 pAliasAdminsSid
= RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength2
);
93 if (pAliasAdminsSid
== NULL
)
95 return ERROR_OUTOFMEMORY
;
98 RtlInitializeSid(pAliasAdminsSid
, &NtAuthority
, 2);
99 pSubAuthority
= RtlSubAuthoritySid(pAliasAdminsSid
, 0);
100 *pSubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
101 pSubAuthority
= RtlSubAuthoritySid(pAliasAdminsSid
, 1);
102 *pSubAuthority
= DOMAIN_ALIAS_RID_ADMINS
;
104 return ERROR_SUCCESS
;
/* Builds the default DACL (three access-allowed ACEs) and the default SACL
 * (one audit ACE) from the SIDs created earlier. Returns ERROR_OUTOFMEMORY
 * when either ACL cannot be allocated and ERROR_SUCCESS at the end.
 * NOTE(review): the function signature and several call arguments are not
 * visible in this listing. ScmInitializeSecurity calls ScmCreateAcls(), which
 * is presumably this function - confirm.
 * NOTE(review): as shown, the results of RtlCreateAcl, RtlAddAccessAllowedAce
 * and RtlAddAuditAccessAce are discarded. If an add failed, the ACL would
 * silently hold fewer entries than intended and this code would still report
 * ERROR_SUCCESS. Only allow ACEs are added, so a missing entry removes access
 * rather than granting it, but the failure would go unnoticed. Consider
 * checking each NTSTATUS and converting it with RtlNtStatusToDosError, as the
 * security-descriptor code in this file does. */

/* DACL size: one ACL header plus, per entry, an ACE plus the length of its
 * SID, for LocalSystem, Administrators and Authenticated Users. */
115 ulLength
= sizeof(ACL
) +
116 (sizeof(ACE
) + RtlLengthSid(pLocalSystemSid
)) +
117 (sizeof(ACE
) + RtlLengthSid(pAliasAdminsSid
)) +
118 (sizeof(ACE
) + RtlLengthSid(pAuthenticatedUserSid
));
120 pDefaultDacl
= RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY
, ulLength
);
121 if (pDefaultDacl
== NULL
)
122 return ERROR_OUTOFMEMORY
;
124 RtlCreateAcl(pDefaultDacl
, ulLength
, ACL_REVISION
);
/* First ACE: query, interrogate, start, stop, pause/continue and user-defined
 * control rights. NOTE(review): the SID argument is not visible in this
 * listing - confirm which principal receives this mask. */
126 RtlAddAccessAllowedAce(pDefaultDacl
,
128 READ_CONTROL
| SERVICE_ENUMERATE_DEPENDENTS
| SERVICE_INTERROGATE
|
129 SERVICE_PAUSE_CONTINUE
| SERVICE_QUERY_CONFIG
| SERVICE_QUERY_STATUS
|
130 SERVICE_START
| SERVICE_STOP
| SERVICE_USER_DEFINED_CONTROL
,
/* Second ACE: neither the access mask nor the SID is visible in this
 * listing. */
133 RtlAddAccessAllowedAce(pDefaultDacl
,
/* Third ACE: Authenticated Users get read/query rights plus
 * SERVICE_USER_DEFINED_CONTROL; the mask contains no start, stop or
 * pause/continue right. Services that inherit this default should therefore
 * treat user-defined control codes as reachable by any authenticated caller
 * and validate them in their handlers. */
138 RtlAddAccessAllowedAce(pDefaultDacl
,
140 READ_CONTROL
| SERVICE_ENUMERATE_DEPENDENTS
| SERVICE_INTERROGATE
|
141 SERVICE_QUERY_CONFIG
| SERVICE_QUERY_STATUS
| SERVICE_USER_DEFINED_CONTROL
,
142 pAuthenticatedUserSid
);
/* SACL size: one ACL header plus a single ACE carrying the Null SID. */
145 ulLength
= sizeof(ACL
) +
146 (sizeof(ACE
) + RtlLengthSid(pNullSid
));
148 pDefaultSacl
= RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY
, ulLength
);
/* NOTE(review): when this allocation fails the DACL built above is not
 * released here; confirm that the caller's failure path frees it. */
149 if (pDefaultSacl
== NULL
)
150 return ERROR_OUTOFMEMORY
;
152 RtlCreateAcl(pDefaultSacl
, ulLength
, ACL_REVISION
);
/* Audit ACE; its mask, SID and success/failure flags are not visible in this
 * listing. */
154 RtlAddAuditAccessAce(pDefaultSacl
,
161 return ERROR_SUCCESS
;
/* Returns the default DACL and SACL to the process heap when they were
 * allocated.
 * NOTE(review): the enclosing function's signature is not visible in this
 * listing.
 * NOTE(review): the globals are not reset to NULL after the free; if
 * pDefaultSD still refers to these ACLs at that point it would hold dangling
 * pointers - confirm the teardown order. */
169 if (pDefaultDacl
!= NULL
)
170 RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultDacl
);
172 if (pDefaultSacl
!= NULL
)
173 RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl
);
/* Allocates the zero-filled default security descriptor and then sets its
 * owner, group, DACL and SACL in that order. Returns ERROR_OUTOFMEMORY when
 * the allocation fails, the Win32 translation of the first failing NTSTATUS
 * otherwise, and ERROR_SUCCESS when every step succeeds.
 * NOTE(review): the return-type line and the arguments passed to the
 * RtlSet*SecurityDescriptor calls are not visible in this listing.
 * NOTE(review): every failure return after the allocation leaves pDefaultSD
 * non-NULL and only partly initialised. ScmCreateDefaultServiceSD reads
 * pDefaultSD as shown, so callers must not reach it after a failure here -
 * confirm, or free and reset the pointer on the error paths. */
179 ScmCreateDefaultSD(VOID
)
183 /* Create the absolute security descriptor */
184 pDefaultSD
= RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY
, sizeof(SECURITY_DESCRIPTOR
));
185 if (pDefaultSD
== NULL
)
186 return ERROR_OUTOFMEMORY
;
188 DPRINT("pDefaultSD %p\n", pDefaultSD
);
190 Status
= RtlCreateSecurityDescriptor(pDefaultSD
,
191 SECURITY_DESCRIPTOR_REVISION
);
192 if (!NT_SUCCESS(Status
))
193 return RtlNtStatusToDosError(Status
);
/* Owner */
195 Status
= RtlSetOwnerSecurityDescriptor(pDefaultSD
,
198 if (!NT_SUCCESS(Status
))
199 return RtlNtStatusToDosError(Status
);
/* Primary group */
201 Status
= RtlSetGroupSecurityDescriptor(pDefaultSD
,
204 if (!NT_SUCCESS(Status
))
205 return RtlNtStatusToDosError(Status
);
/* Discretionary ACL */
207 Status
= RtlSetDaclSecurityDescriptor(pDefaultSD
,
211 if (!NT_SUCCESS(Status
))
212 return RtlNtStatusToDosError(Status
);
/* System (audit) ACL */
214 Status
= RtlSetSaclSecurityDescriptor(pDefaultSD
,
218 if (!NT_SUCCESS(Status
))
219 return RtlNtStatusToDosError(Status
);
221 return ERROR_SUCCESS
;
/* Returns the default security descriptor to the process heap when it was
 * allocated.
 * NOTE(review): pDefaultSD is not reset to NULL afterwards, so any later
 * reader, such as the self-relative conversion in this file, would use freed
 * memory - confirm nothing runs after this point. */
227 ScmFreeDefaultSD(VOID
)
229 if (pDefaultSD
!= NULL
)
230 RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD
);
/* Produces a self-relative copy of the default security descriptor and hands
 * it back through ppSecurityDescriptor. The conversion routine is called
 * twice: the first call is expected to report STATUS_BUFFER_TOO_SMALL, the
 * buffer is then allocated from the process heap, and the second call fills
 * it.
 * NOTE(review): the braces, jumps and some call arguments are not visible in
 * this listing, so the exact control flow cannot be confirmed from here.
 * NOTE(review): presumably the caller owns the returned buffer and must
 * release it with RtlFreeHeap on the process heap - confirm against the
 * callers. */
235 ScmCreateDefaultServiceSD(
236 PSECURITY_DESCRIPTOR
*ppSecurityDescriptor
)
238 PSECURITY_DESCRIPTOR pRelativeSD
= NULL
;
239 DWORD dwBufferLength
= 0;
241 DWORD dwError
= ERROR_SUCCESS
;
243 /* Convert the absolute SD to a self-relative SD */
/* Sizing call: any status other than STATUS_BUFFER_TOO_SMALL is translated
 * into a Win32 error code. */
244 Status
= RtlAbsoluteToSelfRelativeSD(pDefaultSD
,
247 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
249 dwError
= RtlNtStatusToDosError(Status
);
253 DPRINT("BufferLength %lu\n", dwBufferLength
);
255 pRelativeSD
= RtlAllocateHeap(RtlGetProcessHeap(),
258 if (pRelativeSD
== NULL
)
260 dwError
= ERROR_OUTOFMEMORY
;
263 DPRINT("pRelativeSD %p\n", pRelativeSD
);
/* Second call performs the conversion into the new buffer. */
265 Status
= RtlAbsoluteToSelfRelativeSD(pDefaultSD
,
268 if (!NT_SUCCESS(Status
))
270 dwError
= RtlNtStatusToDosError(Status
);
/* NOTE(review): confirm that this store is reached only on the success path.
 * The buffer is freed below when dwError is set, so a store on a failure path
 * would hand the caller a dangling pointer. */
274 *ppSecurityDescriptor
= pRelativeSD
;
/* Error cleanup: release the partly built copy. */
277 if (dwError
!= ERROR_SUCCESS
)
279 if (pRelativeSD
!= NULL
)
280 RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD
);
/* Initialises the security state in dependency order: SIDs first, then the
 * ACLs, whose sizes are computed from those SIDs, then the default security
 * descriptor. Returns ERROR_SUCCESS once all three steps succeed.
 * NOTE(review): the statements executed when a step fails are not visible in
 * this listing; presumably dwError is returned - confirm. Also confirm that
 * objects created by earlier steps are released, or that the caller invokes
 * the shutdown routine, when a later step fails. */
288 ScmInitializeSecurity(VOID
)
292 dwError
= ScmCreateSids();
293 if (dwError
!= ERROR_SUCCESS
)
296 dwError
= ScmCreateAcls();
297 if (dwError
!= ERROR_SUCCESS
)
300 dwError
= ScmCreateDefaultSD();
301 if (dwError
!= ERROR_SUCCESS
)
304 return ERROR_SUCCESS
;
309 ScmShutdownSecurity(VOID
)