/*
 * PROJECT:     ReactOS Service Control Manager
 * LICENSE:     GPL - See COPYING in the top level directory
 * FILE:        base/system/services/security.c
 * PURPOSE:     Security functions
 */

/* INCLUDES *****************************************************************/
/* Well-known SIDs; each one is allocated from the process heap at start-up. */
static PSID pNullSid = NULL;
static PSID pWorldSid = NULL;
static PSID pLocalSystemSid = NULL;
static PSID pAuthenticatedUserSid = NULL;
static PSID pAliasAdminsSid = NULL;

/* ACLs built from the SIDs above. */
static PACL pDefaultDacl = NULL;
static PACL pDefaultSacl = NULL;
static PACL pPipeDacl = NULL;

/*
 * Absolute security descriptors.
 * pDefaultSD is private to this file; pPipeSD is declared without 'static'
 * and is therefore visible to other translation units.
 */
static PSECURITY_DESCRIPTOR pDefaultSD = NULL;
PSECURITY_DESCRIPTOR pPipeSD = NULL;
/* FUNCTIONS ****************************************************************/
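/*
 * SID teardown: hand the five well-known SIDs back to the process heap.
 * (The enclosing function's header and the lines before listing line 37 are
 * not shown in this listing.)
 *
 * Every global is tested before RtlFreeHeap and reset to NULL afterwards, so
 * a repeated teardown, or code that reads these globals after shutdown, sees
 * NULL instead of the address of a freed heap block.
 */
    if (pNullSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pNullSid);
        pNullSid = NULL;
    }

    if (pWorldSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pWorldSid);
        pWorldSid = NULL;
    }

    if (pLocalSystemSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pLocalSystemSid);
        pLocalSystemSid = NULL;
    }

    if (pAuthenticatedUserSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pAuthenticatedUserSid);
        pAuthenticatedUserSid = NULL;
    }

    if (pAliasAdminsSid != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pAliasAdminsSid);
        pAliasAdminsSid = NULL;
    }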
/*
 * SID construction: builds the five well-known SIDs that the ACLs and
 * security descriptors in this file refer to.
 * (The function header, listing lines 52-56, is not shown; ScmInitializeSecurity
 * calls ScmCreateSids as its first step, which is presumably this routine.)
 *
 * Each SID is allocated from the process heap with the size reported by
 * RtlLengthRequiredSid, initialised with its authority and sub-authority
 * count, and then given its sub-authority values.
 *
 * Returns ERROR_SUCCESS, or ERROR_OUTOFMEMORY as soon as an allocation fails.
 * No release of the SIDs allocated earlier in the sequence is visible on the
 * failure paths.
 */
    SID_IDENTIFIER_AUTHORITY NullAuthority = {SECURITY_NULL_SID_AUTHORITY};
    SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};
    SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
    /* (listing line 60, presumably the declaration of pSubAuthority, is not shown) */
    ULONG ulLength1 = RtlLengthRequiredSid(1);  /* size of a SID with one sub-authority */
    ULONG ulLength2 = RtlLengthRequiredSid(2);  /* size of a SID with two sub-authorities */

    /* Create the Null SID (S-1-0-0) */
    pNullSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
    /* (listing lines 66-67 are not shown; the return below is presumably guarded
     *  by a NULL check on pNullSid, like the four checks that follow) */
        return ERROR_OUTOFMEMORY;

    RtlInitializeSid(pNullSid, &NullAuthority, 1);
    pSubAuthority = RtlSubAuthoritySid(pNullSid, 0);
    *pSubAuthority = SECURITY_NULL_RID;

    /* Create the World SID (S-1-1-0, "Everyone") */
    pWorldSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
    if (pWorldSid == NULL)
        return ERROR_OUTOFMEMORY;

    RtlInitializeSid(pWorldSid, &WorldAuthority, 1);
    pSubAuthority = RtlSubAuthoritySid(pWorldSid, 0);
    *pSubAuthority = SECURITY_WORLD_RID;

    /* Create the LocalSystem SID (S-1-5-18) */
    pLocalSystemSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
    if (pLocalSystemSid == NULL)
        return ERROR_OUTOFMEMORY;

    RtlInitializeSid(pLocalSystemSid, &NtAuthority, 1);
    pSubAuthority = RtlSubAuthoritySid(pLocalSystemSid, 0);
    *pSubAuthority = SECURITY_LOCAL_SYSTEM_RID;

    /* Create the AuthenticatedUser SID (S-1-5-11) */
    pAuthenticatedUserSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
    if (pAuthenticatedUserSid == NULL)
        return ERROR_OUTOFMEMORY;

    RtlInitializeSid(pAuthenticatedUserSid, &NtAuthority, 1);
    pSubAuthority = RtlSubAuthoritySid(pAuthenticatedUserSid, 0);
    *pSubAuthority = SECURITY_AUTHENTICATED_USER_RID;

    /* Create the AliasAdmins SID (S-1-5-32-544): the only one with two sub-authorities */
    pAliasAdminsSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength2);
    if (pAliasAdminsSid == NULL)
        return ERROR_OUTOFMEMORY;

    RtlInitializeSid(pAliasAdminsSid, &NtAuthority, 2);
    pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 0);
    *pSubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
    pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 1);
    *pSubAuthority = DOMAIN_ALIAS_RID_ADMINS;

    return ERROR_SUCCESS;
/*
 * ACL construction: the default service DACL, the default service SACL and
 * the pipe DACL.
 * (The function header and the declaration of ulLength, before listing line
 * 132, are not shown; ScmInitializeSecurity calls ScmCreateAcls right after
 * ScmCreateSids, which is presumably this routine.)
 *
 * Each buffer is sized as sizeof(ACL) plus, for every ACE it will hold,
 * sizeof(ACE) plus the length of that ACE's SID.
 * NOTE(review): this assumes sizeof(ACE) covers the fixed part of the ACEs
 * that are added - confirm against the ACE definition.
 *
 * NOTE(review): the results of RtlCreateAcl and of the RtlAdd*Ace calls are
 * discarded. A failed call would leave the ACL without that entry and nothing
 * here would report it; for the SACL that means the audit entry is silently
 * lost.
 *
 * Returns ERROR_SUCCESS, or ERROR_OUTOFMEMORY when an allocation fails. No
 * release of ACLs allocated earlier is visible on the failure paths.
 */
    /* Default DACL: room for three ACEs (LocalSystem, AliasAdmins, AuthenticatedUser) */
    ulLength = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(pLocalSystemSid)) +
               (sizeof(ACE) + RtlLengthSid(pAliasAdminsSid)) +
               (sizeof(ACE) + RtlLengthSid(pAuthenticatedUserSid));

    pDefaultDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
    if (pDefaultDacl == NULL)
        return ERROR_OUTOFMEMORY;

    RtlCreateAcl(pDefaultDacl, ulLength, ACL_REVISION);

    /* First ACE: read/query rights plus start, stop, pause/continue and
     * user-defined control. The SID it names is on a line that is not shown. */
    RtlAddAccessAllowedAce(pDefaultDacl,
                           /* (listing line 144 is not shown) */
                           READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE |
                           SERVICE_PAUSE_CONTINUE | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS |
                           SERVICE_START | SERVICE_STOP | SERVICE_USER_DEFINED_CONTROL,
                           /* (listing line 148, the rest of this call, is not shown) */

    /* Second ACE: only the first line of the call is shown. */
    RtlAddAccessAllowedAce(pDefaultDacl,
                           /* (listing lines 151-153, the rest of this call, are not shown) */

    /* Third ACE: authenticated users get read/query rights and user-defined
     * control, but none of start, stop or pause/continue. */
    RtlAddAccessAllowedAce(pDefaultDacl,
                           /* (listing line 156 is not shown) */
                           READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE |
                           SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_USER_DEFINED_CONTROL,
                           pAuthenticatedUserSid);

    /* Default SACL: room for one ACE, sized for the Null SID */
    ulLength = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(pNullSid));

    pDefaultSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
    if (pDefaultSacl == NULL)
        return ERROR_OUTOFMEMORY;

    RtlCreateAcl(pDefaultSacl, ulLength, ACL_REVISION);

    RtlAddAuditAccessAce(pDefaultSacl,
                         /* (listing lines 172-176, the rest of this call, are not shown) */

    /* Create the pipe DACL: room for one ACE, sized for the World SID.
     * NOTE(review): the access mask granted by this ACE is on lines that are
     * not shown; it deserves a look because the ACE is sized for "Everyone". */
    ulLength = sizeof(ACL) +
               (sizeof(ACE) + RtlLengthSid(pWorldSid));

    pPipeDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
    if (pPipeDacl == NULL)
        return ERROR_OUTOFMEMORY;

    RtlCreateAcl(pPipeDacl, ulLength, ACL_REVISION);

    RtlAddAccessAllowedAce(pPipeDacl,
                           /* (listing lines 189-191, the rest of this call, are not shown) */

    return ERROR_SUCCESS;
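/*
 * ACL teardown: hand the three ACL buffers back to the process heap.
 * (The enclosing function's header, before listing line 201, is not shown.)
 *
 * Every pointer is reset to NULL once its buffer has been freed, so a second
 * pass through this cleanup cannot free the same block twice and later
 * readers of the globals do not see a stale address.
 */
    if (pDefaultDacl != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultDacl);
        pDefaultDacl = NULL;
    }

    if (pDefaultSacl != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl);
        pDefaultSacl = NULL;
    }

    if (pPipeDacl != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeDacl);
        pPipeDacl = NULL;
    }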
/*
 * ScmCreateDefaultSD
 *
 * Allocates the default security descriptor (pDefaultSD) in absolute format
 * from the process heap, then sets its owner, group, DACL and SACL.
 *
 * Returns ERROR_SUCCESS, ERROR_OUTOFMEMORY when the allocation fails, or the
 * Win32 translation of the first failing NTSTATUS. On those NTSTATUS failure
 * paths the function returns at once, so pDefaultSD stays allocated and
 * non-NULL while only partly initialised.
 *
 * (The return-type line, the braces, the local declarations and the trailing
 * arguments of the four RtlSet* calls are on lines this listing does not show.)
 */
ScmCreateDefaultSD(VOID)
    /* (listing lines 215-217 are not shown) */

    /* Create the absolute security descriptor */
    pDefaultSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
    if (pDefaultSD == NULL)
        return ERROR_OUTOFMEMORY;

    DPRINT("pDefaultSD %p\n", pDefaultSD);

    Status = RtlCreateSecurityDescriptor(pDefaultSD,
                                         SECURITY_DESCRIPTOR_REVISION);
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    Status = RtlSetOwnerSecurityDescriptor(pDefaultSD,
                                           /* (listing lines 231-232, the rest of this call, are not shown) */
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    Status = RtlSetGroupSecurityDescriptor(pDefaultSD,
                                           /* (listing lines 237-238, the rest of this call, are not shown) */
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    Status = RtlSetDaclSecurityDescriptor(pDefaultSD,
                                          /* (listing lines 243-245, the rest of this call, are not shown) */
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    Status = RtlSetSaclSecurityDescriptor(pDefaultSD,
                                          /* (listing lines 250-252, the rest of this call, are not shown) */
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    return ERROR_SUCCESS;
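/*
 * ScmFreeDefaultSD
 *
 * Returns the default security descriptor to the process heap and clears
 * pDefaultSD, so that a later call is a no-op and nothing can reach the
 * freed descriptor through the global.
 *
 * (The return-type line and the function's braces are on lines this listing
 * does not show.)
 */
ScmFreeDefaultSD(VOID)
    if (pDefaultSD != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD);
        pDefaultSD = NULL;
    }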
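/*
 * ScmCreatePipeSD
 *
 * Allocates the pipe security descriptor (pPipeSD) in absolute format from
 * the process heap, then sets its owner, group and DACL. pPipeSD has external
 * linkage, so this descriptor is what other parts of the program see.
 *
 * Returns ERROR_SUCCESS, ERROR_OUTOFMEMORY when the allocation fails, or the
 * Win32 translation of the first failing NTSTATUS. On those NTSTATUS failure
 * paths the function returns at once and pPipeSD stays allocated.
 *
 * (The return-type line, the braces, the local declarations and the trailing
 * arguments of the three RtlSet* calls are on lines this listing does not show.)
 */
ScmCreatePipeSD(VOID)
    /* (listing lines 272-274 are not shown) */

    /* Create the absolute security descriptor */
    pPipeSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
    /* The guard (listing line 277) is not shown; it is written out here to
     * match the allocation check in ScmCreateDefaultSD. */
    if (pPipeSD == NULL)
        return ERROR_OUTOFMEMORY;

    /* Log the descriptor that was just allocated (the listing printed
     * pDefaultSD under the "pPipeSD" label). */
    DPRINT("pPipeSD %p\n", pPipeSD);

    Status = RtlCreateSecurityDescriptor(pPipeSD,
                                         SECURITY_DESCRIPTOR_REVISION);
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    Status = RtlSetOwnerSecurityDescriptor(pPipeSD,
                                           /* (listing lines 288-289, the rest of this call, are not shown) */
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    Status = RtlSetGroupSecurityDescriptor(pPipeSD,
                                           /* (listing lines 294-295, the rest of this call, are not shown) */
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    Status = RtlSetDaclSecurityDescriptor(pPipeSD,
                                          /* (listing lines 300-302, the rest of this call, are not shown) */
    if (!NT_SUCCESS(Status))
        return RtlNtStatusToDosError(Status);

    return ERROR_SUCCESS;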
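/*
 * Pipe descriptor teardown: return pPipeSD to the process heap.
 * (The enclosing function's header and the lines before listing line 315 are
 * not shown.)
 *
 * pPipeSD has external linkage, so it is cleared after the free: code in
 * other files then finds NULL rather than a pointer to released memory.
 */
    if (pPipeSD != NULL)
    {
        RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD);
        pPipeSD = NULL;
    }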
/*
 * ScmCreateDefaultServiceSD
 *
 * Produces a self-relative copy of the default (absolute) descriptor
 * pDefaultSD and stores its address in *ppSecurityDescriptor.
 *
 * RtlAbsoluteToSelfRelativeSD is called twice. The first call is expected to
 * report STATUS_BUFFER_TOO_SMALL (any other status is turned into an error
 * code), presumably to learn the required size in dwBufferLength. A buffer is
 * then taken from the process heap and the second call does the conversion.
 *
 * The copy comes from RtlAllocateHeap on the process heap, so whoever
 * receives it is presumably expected to release it with RtlFreeHeap.
 *
 * NOTE(review): several lines of control flow (listing lines 333, 335-336,
 * 344, 346-347, 354, 356-357, 360-361, 363 and everything after 365) are not
 * shown. Confirm against the full file that the error paths skip the
 * assignment to *ppSecurityDescriptor, so the caller can never be handed a
 * buffer that the cleanup at the end has already freed.
 */
ScmCreateDefaultServiceSD(
    PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
    /* (the opening brace is not shown) */
    PSECURITY_DESCRIPTOR pRelativeSD = NULL;
    DWORD dwBufferLength = 0;
    /* (listing line 325, presumably the declaration of Status, is not shown) */
    DWORD dwError = ERROR_SUCCESS;

    /* Convert the absolute SD to a self-relative SD */
    Status = RtlAbsoluteToSelfRelativeSD(pDefaultSD,
                                         /* (listing lines 330-331, the rest of this call, are not shown) */
    if (Status != STATUS_BUFFER_TOO_SMALL)
        dwError = RtlNtStatusToDosError(Status);
        /* (listing lines 335-336 are not shown) */

    DPRINT("BufferLength %lu\n", dwBufferLength);

    pRelativeSD = RtlAllocateHeap(RtlGetProcessHeap(),
                                  /* (listing lines 341-342, the rest of this call, are not shown) */
    if (pRelativeSD == NULL)
        dwError = ERROR_OUTOFMEMORY;
        /* (listing lines 346-347 are not shown) */

    DPRINT("pRelativeSD %p\n", pRelativeSD);

    Status = RtlAbsoluteToSelfRelativeSD(pDefaultSD,
                                         /* (listing lines 351-352, the rest of this call, are not shown) */
    if (!NT_SUCCESS(Status))
        dwError = RtlNtStatusToDosError(Status);
        /* (listing lines 356-357 are not shown) */

    /* Hand the finished copy to the caller */
    *ppSecurityDescriptor = pRelativeSD;

    /* (listing lines 360-361 are not shown) */

    /* Failure cleanup: release the copy if one was allocated */
    if (dwError != ERROR_SUCCESS)
        if (pRelativeSD != NULL)
            RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD);

    /* (the lines after listing line 365, including the return, are not shown) */
/*
 * ScmInitializeSecurity
 *
 * Builds the security objects of this file in dependency order: the SIDs
 * first, then the ACLs (whose sizes are computed from those SIDs), then the
 * default descriptor and finally the pipe descriptor.
 *
 * Returns ERROR_SUCCESS once all four steps have run. What each failure
 * check does is on lines this listing does not show.
 * NOTE(review): confirm in the full file that a failing step aborts the
 * start-up and that objects built by earlier steps are released, so the
 * program never continues with a partly built set of descriptors.
 */
ScmInitializeSecurity(VOID)
    /* (listing lines 374-376 are not shown) */

    dwError = ScmCreateSids();
    if (dwError != ERROR_SUCCESS)
        /* (listing lines 379-380 are not shown) */

    dwError = ScmCreateAcls();
    if (dwError != ERROR_SUCCESS)
        /* (listing lines 383-384 are not shown) */

    dwError = ScmCreateDefaultSD();
    if (dwError != ERROR_SUCCESS)
        /* (listing lines 387-388 are not shown) */

    dwError = ScmCreatePipeSD();
    if (dwError != ERROR_SUCCESS)
        /* (listing lines 391-392 are not shown) */

    return ERROR_SUCCESS;
398 ScmShutdownSecurity(VOID
)