2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: Security Account Manager (SAM) Server
4 * FILE: reactos/dll/win32/samsrv/security.c
5 * PURPOSE: Security descriptor functions
7 * PROGRAMMERS: Eric Kohl
12 /* GLOBALS *****************************************************************/
14 static SID_IDENTIFIER_AUTHORITY WorldAuthority
= {SECURITY_WORLD_SID_AUTHORITY
};
15 static SID_IDENTIFIER_AUTHORITY NtAuthority
= {SECURITY_NT_AUTHORITY
};
18 /* FUNCTIONS ***************************************************************/
21 SampCreateServerSD(OUT PSECURITY_DESCRIPTOR
*ServerSd
,
24 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
25 PSECURITY_DESCRIPTOR RelSD
= NULL
;
26 PSID EveryoneSid
= NULL
;
27 PSID AnonymousSid
= NULL
;
28 PSID AdministratorsSid
= NULL
;
34 NTSTATUS Status
= STATUS_SUCCESS
;
37 /* Create the Everyone SID */
38 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
49 ASSERT(NT_SUCCESS(Status
));
50 if (!NT_SUCCESS(Status
))
53 /* Create the Anonymous SID */
54 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
56 SECURITY_ANONYMOUS_LOGON_RID
,
65 ASSERT(NT_SUCCESS(Status
));
66 if (!NT_SUCCESS(Status
))
69 /* Create the Administrators SID */
70 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
72 SECURITY_BUILTIN_DOMAIN_RID
,
73 DOMAIN_ALIAS_RID_ADMINS
,
81 ASSERT(NT_SUCCESS(Status
));
82 if (!NT_SUCCESS(Status
))
86 /* Allocate a buffer for the absolute SD */
87 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
89 sizeof(SECURITY_DESCRIPTOR
));
92 Status
= STATUS_INSUFFICIENT_RESOURCES
;
93 ASSERT(Status
== STATUS_SUCCESS
);
97 /* Create the absolute SD */
98 Status
= RtlCreateSecurityDescriptor(AbsSD
,
99 SECURITY_DESCRIPTOR_REVISION
);
100 ASSERT(NT_SUCCESS(Status
));
101 if (!NT_SUCCESS(Status
))
104 /* allocate and create the DACL */
105 DaclSize
= sizeof(ACL
) +
107 RtlLengthSid(EveryoneSid
) +
108 RtlLengthSid(AdministratorsSid
);
110 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
115 Status
= STATUS_INSUFFICIENT_RESOURCES
;
116 ASSERT(Status
== STATUS_SUCCESS
);
120 Status
= RtlCreateAcl(Dacl
,
123 ASSERT(NT_SUCCESS(Status
));
124 if (!NT_SUCCESS(Status
))
127 Status
= RtlAddAccessAllowedAce(Dacl
,
129 SAM_SERVER_READ
| SAM_SERVER_EXECUTE
,
131 ASSERT(NT_SUCCESS(Status
));
132 if (!NT_SUCCESS(Status
))
135 Status
= RtlAddAccessAllowedAce(Dacl
,
137 SAM_SERVER_ALL_ACCESS
,
139 ASSERT(Status
== STATUS_SUCCESS
);
140 if (!NT_SUCCESS(Status
))
144 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
148 ASSERT(Status
== STATUS_SUCCESS
);
149 if (!NT_SUCCESS(Status
))
152 /* allocate and create the SACL */
153 SaclSize
= sizeof(ACL
) +
155 RtlLengthSid(EveryoneSid
) +
156 RtlLengthSid(AnonymousSid
);
158 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
163 Status
= STATUS_INSUFFICIENT_RESOURCES
;
164 ASSERT(Status
== STATUS_SUCCESS
);
168 Status
= RtlCreateAcl(Sacl
,
171 ASSERT(Status
== STATUS_SUCCESS
);
172 if (!NT_SUCCESS(Status
))
175 Status
= RtlAddAuditAccessAce(Sacl
,
177 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
178 SAM_SERVER_CREATE_DOMAIN
| SAM_SERVER_INITIALIZE
|
183 ASSERT(Status
== STATUS_SUCCESS
);
184 if (!NT_SUCCESS(Status
))
187 Status
= RtlAddAuditAccessAce(Sacl
,
189 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
193 ASSERT(Status
== STATUS_SUCCESS
);
194 if (!NT_SUCCESS(Status
))
198 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
202 ASSERT(Status
== STATUS_SUCCESS
);
203 if (!NT_SUCCESS(Status
))
206 /* Set the owner SID */
207 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
210 ASSERT(Status
== STATUS_SUCCESS
);
211 if (!NT_SUCCESS(Status
))
214 /* Set the group SID */
215 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
218 ASSERT(Status
== STATUS_SUCCESS
);
219 if (!NT_SUCCESS(Status
))
222 /* Get the reqired buffer size for the self-relative SD */
223 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
226 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
229 /* Allocate a buffer for the self-relative SD */
230 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
235 Status
= STATUS_INSUFFICIENT_RESOURCES
;
236 ASSERT(Status
== STATUS_SUCCESS
);
240 /* Convert the absolute SD to self-relative format */
241 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
244 if (Status
== STATUS_BUFFER_TOO_SMALL
)
246 ASSERT(Status
== STATUS_SUCCESS
);
254 if (!NT_SUCCESS(Status
))
257 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
260 if (EveryoneSid
!= NULL
)
261 RtlFreeSid(EveryoneSid
);
263 if (AnonymousSid
!= NULL
)
264 RtlFreeSid(AnonymousSid
);
266 if (AdministratorsSid
!= NULL
)
267 RtlFreeSid(AdministratorsSid
);
270 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
273 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
276 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
283 SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR
*ServerSd
,
286 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
287 PSECURITY_DESCRIPTOR RelSD
= NULL
;
288 PSID EveryoneSid
= NULL
;
289 PSID AnonymousSid
= NULL
;
290 PSID AdministratorsSid
= NULL
;
296 NTSTATUS Status
= STATUS_SUCCESS
;
299 /* Create the Everyone SID */
300 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
311 ASSERT(NT_SUCCESS(Status
));
312 if (!NT_SUCCESS(Status
))
315 /* Create the Anonymous SID */
316 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
318 SECURITY_ANONYMOUS_LOGON_RID
,
327 ASSERT(NT_SUCCESS(Status
));
328 if (!NT_SUCCESS(Status
))
331 /* Create the Administrators SID */
332 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
334 SECURITY_BUILTIN_DOMAIN_RID
,
335 DOMAIN_ALIAS_RID_ADMINS
,
343 ASSERT(NT_SUCCESS(Status
));
344 if (!NT_SUCCESS(Status
))
348 /* Allocate a buffer for the absolute SD */
349 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
351 sizeof(SECURITY_DESCRIPTOR
));
354 Status
= STATUS_INSUFFICIENT_RESOURCES
;
355 ASSERT(Status
== STATUS_SUCCESS
);
359 /* Create the absolute SD */
360 Status
= RtlCreateSecurityDescriptor(AbsSD
,
361 SECURITY_DESCRIPTOR_REVISION
);
362 ASSERT(NT_SUCCESS(Status
));
363 if (!NT_SUCCESS(Status
))
366 /* allocate and create the DACL */
367 DaclSize
= sizeof(ACL
) +
369 RtlLengthSid(EveryoneSid
) +
370 RtlLengthSid(AdministratorsSid
);
372 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
377 Status
= STATUS_INSUFFICIENT_RESOURCES
;
378 ASSERT(Status
== STATUS_SUCCESS
);
382 Status
= RtlCreateAcl(Dacl
,
385 ASSERT(NT_SUCCESS(Status
));
386 if (!NT_SUCCESS(Status
))
389 Status
= RtlAddAccessAllowedAce(Dacl
,
391 DOMAIN_READ
| DOMAIN_EXECUTE
,
393 ASSERT(NT_SUCCESS(Status
));
394 if (!NT_SUCCESS(Status
))
397 Status
= RtlAddAccessAllowedAce(Dacl
,
399 SAM_SERVER_ALL_ACCESS
,
401 ASSERT(Status
== STATUS_SUCCESS
);
402 if (!NT_SUCCESS(Status
))
406 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
410 ASSERT(Status
== STATUS_SUCCESS
);
411 if (!NT_SUCCESS(Status
))
414 /* allocate and create the SACL */
415 SaclSize
= sizeof(ACL
) +
417 RtlLengthSid(EveryoneSid
) +
418 RtlLengthSid(AnonymousSid
);
420 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
425 Status
= STATUS_INSUFFICIENT_RESOURCES
;
426 ASSERT(Status
== STATUS_SUCCESS
);
430 Status
= RtlCreateAcl(Sacl
,
433 ASSERT(Status
== STATUS_SUCCESS
);
434 if (!NT_SUCCESS(Status
))
437 Status
= RtlAddAuditAccessAce(Sacl
,
439 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
440 SAM_SERVER_CREATE_DOMAIN
| SAM_SERVER_INITIALIZE
|
445 ASSERT(Status
== STATUS_SUCCESS
);
446 if (!NT_SUCCESS(Status
))
449 Status
= RtlAddAuditAccessAce(Sacl
,
451 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
455 ASSERT(Status
== STATUS_SUCCESS
);
456 if (!NT_SUCCESS(Status
))
460 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
464 ASSERT(Status
== STATUS_SUCCESS
);
465 if (!NT_SUCCESS(Status
))
468 /* Set the owner SID */
469 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
472 ASSERT(Status
== STATUS_SUCCESS
);
473 if (!NT_SUCCESS(Status
))
476 /* Set the group SID */
477 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
480 ASSERT(Status
== STATUS_SUCCESS
);
481 if (!NT_SUCCESS(Status
))
484 /* Get the reqired buffer size for the self-relative SD */
485 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
488 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
491 /* Allocate a buffer for the self-relative SD */
492 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
497 Status
= STATUS_INSUFFICIENT_RESOURCES
;
498 ASSERT(Status
== STATUS_SUCCESS
);
502 /* Convert the absolute SD to self-relative format */
503 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
506 if (Status
== STATUS_BUFFER_TOO_SMALL
)
508 ASSERT(Status
== STATUS_SUCCESS
);
516 if (!NT_SUCCESS(Status
))
519 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
522 if (EveryoneSid
!= NULL
)
523 RtlFreeSid(EveryoneSid
);
525 if (AnonymousSid
!= NULL
)
526 RtlFreeSid(AnonymousSid
);
528 if (AdministratorsSid
!= NULL
)
529 RtlFreeSid(AdministratorsSid
);
532 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
535 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
538 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
545 SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR
*ServerSd
,
548 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
549 PSECURITY_DESCRIPTOR RelSD
= NULL
;
550 PSID EveryoneSid
= NULL
;
551 PSID AnonymousSid
= NULL
;
552 PSID AdministratorsSid
= NULL
;
553 PSID UsersSid
= NULL
;
554 PSID GuestsSid
= NULL
;
560 NTSTATUS Status
= STATUS_SUCCESS
;
563 /* Create the Everyone SID */
564 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
575 ASSERT(NT_SUCCESS(Status
));
576 if (!NT_SUCCESS(Status
))
579 /* Create the Anonymous SID */
580 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
582 SECURITY_ANONYMOUS_LOGON_RID
,
591 ASSERT(NT_SUCCESS(Status
));
592 if (!NT_SUCCESS(Status
))
595 /* Create the Administrators SID */
596 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
598 SECURITY_BUILTIN_DOMAIN_RID
,
599 DOMAIN_ALIAS_RID_ADMINS
,
607 ASSERT(NT_SUCCESS(Status
));
608 if (!NT_SUCCESS(Status
))
611 /* Create the Users SID */
612 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
614 SECURITY_BUILTIN_DOMAIN_RID
,
615 DOMAIN_ALIAS_RID_USERS
,
623 ASSERT(NT_SUCCESS(Status
));
624 if (!NT_SUCCESS(Status
))
627 /* Create the Guests SID */
628 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
630 SECURITY_BUILTIN_DOMAIN_RID
,
631 DOMAIN_ALIAS_RID_GUESTS
,
639 ASSERT(NT_SUCCESS(Status
));
640 if (!NT_SUCCESS(Status
))
644 /* Allocate a buffer for the absolute SD */
645 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
647 sizeof(SECURITY_DESCRIPTOR
));
650 Status
= STATUS_INSUFFICIENT_RESOURCES
;
651 ASSERT(Status
== STATUS_SUCCESS
);
655 /* Create the absolute SD */
656 Status
= RtlCreateSecurityDescriptor(AbsSD
,
657 SECURITY_DESCRIPTOR_REVISION
);
658 ASSERT(NT_SUCCESS(Status
));
659 if (!NT_SUCCESS(Status
))
662 /* allocate and create the DACL */
663 DaclSize
= sizeof(ACL
) +
665 RtlLengthSid(EveryoneSid
) +
666 RtlLengthSid(AdministratorsSid
) +
667 RtlLengthSid(UsersSid
) +
668 RtlLengthSid(GuestsSid
);
670 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
675 Status
= STATUS_INSUFFICIENT_RESOURCES
;
676 ASSERT(Status
== STATUS_SUCCESS
);
680 Status
= RtlCreateAcl(Dacl
,
683 ASSERT(NT_SUCCESS(Status
));
684 if (!NT_SUCCESS(Status
))
687 Status
= RtlAddAccessAllowedAce(Dacl
,
689 DOMAIN_READ
| DOMAIN_EXECUTE
,
691 ASSERT(NT_SUCCESS(Status
));
692 if (!NT_SUCCESS(Status
))
695 Status
= RtlAddAccessAllowedAce(Dacl
,
697 DOMAIN_READ
| DOMAIN_EXECUTE
,
699 ASSERT(NT_SUCCESS(Status
));
700 if (!NT_SUCCESS(Status
))
703 Status
= RtlAddAccessAllowedAce(Dacl
,
705 DOMAIN_ALL_ACCESS
& ~DOMAIN_CREATE_GROUP
,
707 ASSERT(Status
== STATUS_SUCCESS
);
708 if (!NT_SUCCESS(Status
))
711 Status
= RtlAddAccessAllowedAce(Dacl
,
713 DOMAIN_READ
| DOMAIN_EXECUTE
| DOMAIN_CREATE_USER
| DOMAIN_CREATE_ALIAS
,
715 ASSERT(Status
== STATUS_SUCCESS
);
716 if (!NT_SUCCESS(Status
))
720 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
724 ASSERT(Status
== STATUS_SUCCESS
);
725 if (!NT_SUCCESS(Status
))
728 /* allocate and create the SACL */
729 SaclSize
= sizeof(ACL
) +
731 RtlLengthSid(EveryoneSid
) +
732 RtlLengthSid(AnonymousSid
);
734 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
739 Status
= STATUS_INSUFFICIENT_RESOURCES
;
740 ASSERT(Status
== STATUS_SUCCESS
);
744 Status
= RtlCreateAcl(Sacl
,
747 ASSERT(Status
== STATUS_SUCCESS
);
748 if (!NT_SUCCESS(Status
))
751 Status
= RtlAddAuditAccessAce(Sacl
,
753 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
754 SAM_SERVER_CREATE_DOMAIN
| SAM_SERVER_INITIALIZE
|
759 ASSERT(Status
== STATUS_SUCCESS
);
760 if (!NT_SUCCESS(Status
))
763 Status
= RtlAddAuditAccessAce(Sacl
,
765 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
769 ASSERT(Status
== STATUS_SUCCESS
);
770 if (!NT_SUCCESS(Status
))
774 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
778 ASSERT(Status
== STATUS_SUCCESS
);
779 if (!NT_SUCCESS(Status
))
782 /* Set the owner SID */
783 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
786 ASSERT(Status
== STATUS_SUCCESS
);
787 if (!NT_SUCCESS(Status
))
790 /* Set the group SID */
791 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
794 ASSERT(Status
== STATUS_SUCCESS
);
795 if (!NT_SUCCESS(Status
))
798 /* Get the reqired buffer size for the self-relative SD */
799 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
802 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
805 /* Allocate a buffer for the self-relative SD */
806 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
811 Status
= STATUS_INSUFFICIENT_RESOURCES
;
812 ASSERT(Status
== STATUS_SUCCESS
);
816 /* Convert the absolute SD to self-relative format */
817 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
820 if (Status
== STATUS_BUFFER_TOO_SMALL
)
822 ASSERT(Status
== STATUS_SUCCESS
);
830 if (!NT_SUCCESS(Status
))
833 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
836 if (EveryoneSid
!= NULL
)
837 RtlFreeSid(EveryoneSid
);
839 if (AnonymousSid
!= NULL
)
840 RtlFreeSid(AnonymousSid
);
842 if (AdministratorsSid
!= NULL
)
843 RtlFreeSid(AdministratorsSid
);
846 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
849 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
852 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
859 SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR
*AliasSd
,
862 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
863 PSECURITY_DESCRIPTOR RelSD
= NULL
;
864 PSID EveryoneSid
= NULL
;
865 PSID AnonymousSid
= NULL
;
866 PSID AdministratorsSid
= NULL
;
867 PSID AccountOperatorsSid
= NULL
;
873 NTSTATUS Status
= STATUS_SUCCESS
;
876 /* Create the Everyone SID */
877 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
888 ASSERT(NT_SUCCESS(Status
));
889 if (!NT_SUCCESS(Status
))
892 /* Create the Anonymous SID */
893 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
895 SECURITY_ANONYMOUS_LOGON_RID
,
904 ASSERT(NT_SUCCESS(Status
));
905 if (!NT_SUCCESS(Status
))
908 /* Create the Administrators SID */
909 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
911 SECURITY_BUILTIN_DOMAIN_RID
,
912 DOMAIN_ALIAS_RID_ADMINS
,
920 ASSERT(NT_SUCCESS(Status
));
921 if (!NT_SUCCESS(Status
))
924 /* Create the Account Operators SID */
925 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
927 SECURITY_BUILTIN_DOMAIN_RID
,
928 DOMAIN_ALIAS_RID_ACCOUNT_OPS
,
935 &AccountOperatorsSid
);
936 ASSERT(NT_SUCCESS(Status
));
937 if (!NT_SUCCESS(Status
))
940 /* Allocate a buffer for the absolute SD */
941 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
943 sizeof(SECURITY_DESCRIPTOR
));
946 Status
= STATUS_INSUFFICIENT_RESOURCES
;
947 ASSERT(Status
== STATUS_SUCCESS
);
951 /* Create the absolute SD */
952 Status
= RtlCreateSecurityDescriptor(AbsSD
,
953 SECURITY_DESCRIPTOR_REVISION
);
954 ASSERT(NT_SUCCESS(Status
));
955 if (!NT_SUCCESS(Status
))
958 /* allocate and create the DACL */
959 DaclSize
= sizeof(ACL
) +
961 RtlLengthSid(EveryoneSid
) +
962 RtlLengthSid(AdministratorsSid
) +
963 RtlLengthSid(AccountOperatorsSid
);
965 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
970 Status
= STATUS_INSUFFICIENT_RESOURCES
;
971 ASSERT(Status
== STATUS_SUCCESS
);
975 Status
= RtlCreateAcl(Dacl
,
978 ASSERT(NT_SUCCESS(Status
));
979 if (!NT_SUCCESS(Status
))
982 Status
= RtlAddAccessAllowedAce(Dacl
,
984 READ_CONTROL
| ALIAS_READ_INFORMATION
| ALIAS_LIST_MEMBERS
,
986 ASSERT(NT_SUCCESS(Status
));
987 if (!NT_SUCCESS(Status
))
990 Status
= RtlAddAccessAllowedAce(Dacl
,
994 ASSERT(Status
== STATUS_SUCCESS
);
995 if (!NT_SUCCESS(Status
))
998 Status
= RtlAddAccessAllowedAce(Dacl
,
1001 AccountOperatorsSid
);
1002 ASSERT(Status
== STATUS_SUCCESS
);
1003 if (!NT_SUCCESS(Status
))
1007 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
1011 ASSERT(Status
== STATUS_SUCCESS
);
1012 if (!NT_SUCCESS(Status
))
1015 /* allocate and create the SACL */
1016 SaclSize
= sizeof(ACL
) +
1018 RtlLengthSid(EveryoneSid
) +
1019 RtlLengthSid(AnonymousSid
);
1021 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
1026 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1027 ASSERT(Status
== STATUS_SUCCESS
);
1031 Status
= RtlCreateAcl(Sacl
,
1034 ASSERT(Status
== STATUS_SUCCESS
);
1035 if (!NT_SUCCESS(Status
))
1038 Status
= RtlAddAuditAccessAce(Sacl
,
1040 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
1041 ALIAS_WRITE_ACCOUNT
| ALIAS_REMOVE_MEMBER
|
1046 ASSERT(Status
== STATUS_SUCCESS
);
1047 if (!NT_SUCCESS(Status
))
1050 Status
= RtlAddAuditAccessAce(Sacl
,
1052 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
1056 ASSERT(Status
== STATUS_SUCCESS
);
1057 if (!NT_SUCCESS(Status
))
1061 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
1065 ASSERT(Status
== STATUS_SUCCESS
);
1066 if (!NT_SUCCESS(Status
))
1069 /* Set the owner SID */
1070 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
1073 ASSERT(Status
== STATUS_SUCCESS
);
1074 if (!NT_SUCCESS(Status
))
1077 /* Set the group SID */
1078 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
1081 ASSERT(Status
== STATUS_SUCCESS
);
1082 if (!NT_SUCCESS(Status
))
1085 /* Get the reqired buffer size for the self-relative SD */
1086 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1089 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
1092 /* Allocate a buffer for the self-relative SD */
1093 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
1098 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1099 ASSERT(Status
== STATUS_SUCCESS
);
1103 /* Convert the absolute SD to self-relative format */
1104 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1107 if (Status
== STATUS_BUFFER_TOO_SMALL
)
1109 ASSERT(Status
== STATUS_SUCCESS
);
1117 if (!NT_SUCCESS(Status
))
1120 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
1123 if (EveryoneSid
!= NULL
)
1124 RtlFreeSid(EveryoneSid
);
1126 if (AnonymousSid
!= NULL
)
1127 RtlFreeSid(AnonymousSid
);
1129 if (AdministratorsSid
!= NULL
)
1130 RtlFreeSid(AdministratorsSid
);
1133 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
1136 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
1139 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
1146 SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR
*GroupSd
,
1149 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
1150 PSECURITY_DESCRIPTOR RelSD
= NULL
;
1151 PSID EveryoneSid
= NULL
;
1152 PSID AnonymousSid
= NULL
;
1153 PSID AdministratorsSid
= NULL
;
1154 PSID AccountOperatorsSid
= NULL
;
1159 ULONG RelSDSize
= 0;
1160 NTSTATUS Status
= STATUS_SUCCESS
;
1163 /* Create the Everyone SID */
1164 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
1175 ASSERT(NT_SUCCESS(Status
));
1176 if (!NT_SUCCESS(Status
))
1179 /* Create the Anonymous SID */
1180 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
1182 SECURITY_ANONYMOUS_LOGON_RID
,
1191 ASSERT(NT_SUCCESS(Status
));
1192 if (!NT_SUCCESS(Status
))
1195 /* Create the Administrators SID */
1196 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
1198 SECURITY_BUILTIN_DOMAIN_RID
,
1199 DOMAIN_ALIAS_RID_ADMINS
,
1206 &AdministratorsSid
);
1207 ASSERT(NT_SUCCESS(Status
));
1208 if (!NT_SUCCESS(Status
))
1211 /* Create the Account Operators SID */
1212 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
1214 SECURITY_BUILTIN_DOMAIN_RID
,
1215 DOMAIN_ALIAS_RID_ACCOUNT_OPS
,
1222 &AccountOperatorsSid
);
1223 ASSERT(NT_SUCCESS(Status
));
1224 if (!NT_SUCCESS(Status
))
1227 /* Allocate a buffer for the absolute SD */
1228 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
1230 sizeof(SECURITY_DESCRIPTOR
));
1233 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1234 ASSERT(Status
== STATUS_SUCCESS
);
1238 /* Create the absolute SD */
1239 Status
= RtlCreateSecurityDescriptor(AbsSD
,
1240 SECURITY_DESCRIPTOR_REVISION
);
1241 ASSERT(NT_SUCCESS(Status
));
1242 if (!NT_SUCCESS(Status
))
1245 /* allocate and create the DACL */
1246 DaclSize
= sizeof(ACL
) +
1248 RtlLengthSid(EveryoneSid
) +
1249 RtlLengthSid(AdministratorsSid
) +
1250 RtlLengthSid(AccountOperatorsSid
);
1252 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
1257 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1258 ASSERT(Status
== STATUS_SUCCESS
);
1262 Status
= RtlCreateAcl(Dacl
,
1265 ASSERT(NT_SUCCESS(Status
));
1266 if (!NT_SUCCESS(Status
))
1269 Status
= RtlAddAccessAllowedAce(Dacl
,
1271 READ_CONTROL
| GROUP_LIST_MEMBERS
| GROUP_READ_INFORMATION
,
1273 ASSERT(NT_SUCCESS(Status
));
1274 if (!NT_SUCCESS(Status
))
1277 Status
= RtlAddAccessAllowedAce(Dacl
,
1281 ASSERT(Status
== STATUS_SUCCESS
);
1282 if (!NT_SUCCESS(Status
))
1285 Status
= RtlAddAccessAllowedAce(Dacl
,
1288 AccountOperatorsSid
);
1289 ASSERT(Status
== STATUS_SUCCESS
);
1290 if (!NT_SUCCESS(Status
))
1294 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
1298 ASSERT(Status
== STATUS_SUCCESS
);
1299 if (!NT_SUCCESS(Status
))
1302 /* allocate and create the SACL */
1303 SaclSize
= sizeof(ACL
) +
1305 RtlLengthSid(EveryoneSid
) +
1306 RtlLengthSid(AnonymousSid
);
1308 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
1313 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1314 ASSERT(Status
== STATUS_SUCCESS
);
1318 Status
= RtlCreateAcl(Sacl
,
1321 ASSERT(Status
== STATUS_SUCCESS
);
1322 if (!NT_SUCCESS(Status
))
1325 Status
= RtlAddAuditAccessAce(Sacl
,
1327 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
1328 GROUP_REMOVE_MEMBER
| GROUP_ADD_MEMBER
|
1329 GROUP_WRITE_ACCOUNT
,
1333 ASSERT(Status
== STATUS_SUCCESS
);
1334 if (!NT_SUCCESS(Status
))
1337 Status
= RtlAddAuditAccessAce(Sacl
,
1339 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
1343 ASSERT(Status
== STATUS_SUCCESS
);
1344 if (!NT_SUCCESS(Status
))
1348 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
1352 ASSERT(Status
== STATUS_SUCCESS
);
1353 if (!NT_SUCCESS(Status
))
1356 /* Set the owner SID */
1357 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
1360 ASSERT(Status
== STATUS_SUCCESS
);
1361 if (!NT_SUCCESS(Status
))
1364 /* Set the group SID */
1365 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
1368 ASSERT(Status
== STATUS_SUCCESS
);
1369 if (!NT_SUCCESS(Status
))
1372 /* Get the reqired buffer size for the self-relative SD */
1373 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1376 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
1379 /* Allocate a buffer for the self-relative SD */
1380 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
1385 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1386 ASSERT(Status
== STATUS_SUCCESS
);
1390 /* Convert the absolute SD to self-relative format */
1391 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1394 if (Status
== STATUS_BUFFER_TOO_SMALL
)
1396 ASSERT(Status
== STATUS_SUCCESS
);
1404 if (!NT_SUCCESS(Status
))
1407 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
1410 if (EveryoneSid
!= NULL
)
1411 RtlFreeSid(EveryoneSid
);
1413 if (AnonymousSid
!= NULL
)
1414 RtlFreeSid(AnonymousSid
);
1416 if (AdministratorsSid
!= NULL
)
1417 RtlFreeSid(AdministratorsSid
);
1420 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
1423 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
1426 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
1433 SampCreateUserSD(IN PSID UserSid
,
1434 OUT PSECURITY_DESCRIPTOR
*UserSd
,
1437 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
1438 PSECURITY_DESCRIPTOR RelSD
= NULL
;
1439 PSID EveryoneSid
= NULL
;
1440 PSID AnonymousSid
= NULL
;
1441 PSID AdministratorsSid
= NULL
;
1446 ULONG RelSDSize
= 0;
1447 NTSTATUS Status
= STATUS_SUCCESS
;
1450 /* Create the Everyone SID */
1451 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
1462 ASSERT(NT_SUCCESS(Status
));
1463 if (!NT_SUCCESS(Status
))
1466 /* Create the Anonymous SID */
1467 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
1469 SECURITY_ANONYMOUS_LOGON_RID
,
1478 ASSERT(NT_SUCCESS(Status
));
1479 if (!NT_SUCCESS(Status
))
1482 /* Create the Administrators SID */
1483 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
1485 SECURITY_BUILTIN_DOMAIN_RID
,
1486 DOMAIN_ALIAS_RID_ADMINS
,
1493 &AdministratorsSid
);
1494 ASSERT(NT_SUCCESS(Status
));
1495 if (!NT_SUCCESS(Status
))
1498 /* Allocate a buffer for the absolute SD */
1499 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
1501 sizeof(SECURITY_DESCRIPTOR
));
1504 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1505 ASSERT(Status
== STATUS_SUCCESS
);
1509 /* Create the absolute SD */
1510 Status
= RtlCreateSecurityDescriptor(AbsSD
,
1511 SECURITY_DESCRIPTOR_REVISION
);
1512 ASSERT(NT_SUCCESS(Status
));
1513 if (!NT_SUCCESS(Status
))
1516 /* allocate and create the DACL */
1517 DaclSize
= sizeof(ACL
) +
1519 RtlLengthSid(EveryoneSid
) +
1520 RtlLengthSid(AdministratorsSid
) +
1521 RtlLengthSid(UserSid
);
1523 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
1528 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1529 ASSERT(Status
== STATUS_SUCCESS
);
1533 Status
= RtlCreateAcl(Dacl
,
1536 ASSERT(NT_SUCCESS(Status
));
1537 if (!NT_SUCCESS(Status
))
1540 Status
= RtlAddAccessAllowedAce(Dacl
,
1542 READ_CONTROL
| USER_READ_GROUP_INFORMATION
| USER_LIST_GROUPS
|
1543 USER_CHANGE_PASSWORD
| USER_READ_ACCOUNT
| USER_READ_LOGON
|
1544 USER_READ_PREFERENCES
| USER_READ_GENERAL
,
1546 ASSERT(NT_SUCCESS(Status
));
1547 if (!NT_SUCCESS(Status
))
1550 Status
= RtlAddAccessAllowedAce(Dacl
,
1554 ASSERT(Status
== STATUS_SUCCESS
);
1555 if (!NT_SUCCESS(Status
))
1558 Status
= RtlAddAccessAllowedAce(Dacl
,
1560 READ_CONTROL
| USER_CHANGE_PASSWORD
| USER_WRITE_PREFERENCES
,
1562 ASSERT(Status
== STATUS_SUCCESS
);
1563 if (!NT_SUCCESS(Status
))
1567 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
1571 ASSERT(Status
== STATUS_SUCCESS
);
1572 if (!NT_SUCCESS(Status
))
1575 /* allocate and create the SACL */
1576 SaclSize
= sizeof(ACL
) +
1578 RtlLengthSid(EveryoneSid
) +
1579 RtlLengthSid(AnonymousSid
);
1581 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
1586 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1587 ASSERT(Status
== STATUS_SUCCESS
);
1591 Status
= RtlCreateAcl(Sacl
,
1594 ASSERT(Status
== STATUS_SUCCESS
);
1595 if (!NT_SUCCESS(Status
))
1598 Status
= RtlAddAuditAccessAce(Sacl
,
1600 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
1601 USER_CHANGE_PASSWORD
| USER_WRITE_PREFERENCES
,
1605 ASSERT(Status
== STATUS_SUCCESS
);
1606 if (!NT_SUCCESS(Status
))
1609 Status
= RtlAddAuditAccessAce(Sacl
,
1611 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
1615 ASSERT(Status
== STATUS_SUCCESS
);
1616 if (!NT_SUCCESS(Status
))
1620 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
1624 ASSERT(Status
== STATUS_SUCCESS
);
1625 if (!NT_SUCCESS(Status
))
1628 /* Set the owner SID */
1629 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
1632 ASSERT(Status
== STATUS_SUCCESS
);
1633 if (!NT_SUCCESS(Status
))
1636 /* Set the group SID */
1637 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
1640 ASSERT(Status
== STATUS_SUCCESS
);
1641 if (!NT_SUCCESS(Status
))
1644 /* Get the reqired buffer size for the self-relative SD */
1645 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1648 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
1651 /* Allocate a buffer for the self-relative SD */
1652 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
1657 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1658 ASSERT(Status
== STATUS_SUCCESS
);
1662 /* Convert the absolute SD to self-relative format */
1663 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1666 if (Status
== STATUS_BUFFER_TOO_SMALL
)
1668 ASSERT(Status
== STATUS_SUCCESS
);
1676 if (!NT_SUCCESS(Status
))
1679 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
1682 if (EveryoneSid
!= NULL
)
1683 RtlFreeSid(EveryoneSid
);
1685 if (AnonymousSid
!= NULL
)
1686 RtlFreeSid(AnonymousSid
);
1688 if (AdministratorsSid
!= NULL
)
1689 RtlFreeSid(AdministratorsSid
);
1692 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
1695 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
1698 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);