2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: Security Account Manager (SAM) Server
4 * FILE: reactos/dll/win32/samsrv/security.c
5 * PURPOSE: Security descriptor functions
7 * PROGRAMMERS: Eric Kohl
10 /* INCLUDES ****************************************************************/
14 WINE_DEFAULT_DEBUG_CHANNEL(samsrv
);
17 /* GLOBALS *****************************************************************/
19 static SID_IDENTIFIER_AUTHORITY WorldAuthority
= {SECURITY_WORLD_SID_AUTHORITY
};
20 static SID_IDENTIFIER_AUTHORITY NtAuthority
= {SECURITY_NT_AUTHORITY
};
23 /* FUNCTIONS ***************************************************************/
26 SampCreateServerSD(OUT PSECURITY_DESCRIPTOR
*ServerSd
,
29 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
30 PSECURITY_DESCRIPTOR RelSD
= NULL
;
31 PSID EveryoneSid
= NULL
;
32 PSID AnonymousSid
= NULL
;
33 PSID AdministratorsSid
= NULL
;
39 NTSTATUS Status
= STATUS_SUCCESS
;
42 /* Create the Everyone SID */
43 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
54 ASSERT(NT_SUCCESS(Status
));
55 if (!NT_SUCCESS(Status
))
58 /* Create the Anonymous SID */
59 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
61 SECURITY_ANONYMOUS_LOGON_RID
,
70 ASSERT(NT_SUCCESS(Status
));
71 if (!NT_SUCCESS(Status
))
74 /* Create the Administrators SID */
75 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
77 SECURITY_BUILTIN_DOMAIN_RID
,
78 DOMAIN_ALIAS_RID_ADMINS
,
86 ASSERT(NT_SUCCESS(Status
));
87 if (!NT_SUCCESS(Status
))
91 /* Allocate a buffer for the absolute SD */
92 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
94 sizeof(SECURITY_DESCRIPTOR
));
97 Status
= STATUS_INSUFFICIENT_RESOURCES
;
98 ASSERT(Status
== STATUS_SUCCESS
);
102 /* Create the absolute SD */
103 Status
= RtlCreateSecurityDescriptor(AbsSD
,
104 SECURITY_DESCRIPTOR_REVISION
);
105 ASSERT(NT_SUCCESS(Status
));
106 if (!NT_SUCCESS(Status
))
109 /* allocate and create the DACL */
110 DaclSize
= sizeof(ACL
) +
112 RtlLengthSid(EveryoneSid
) +
113 RtlLengthSid(AdministratorsSid
);
115 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
120 Status
= STATUS_INSUFFICIENT_RESOURCES
;
121 ASSERT(Status
== STATUS_SUCCESS
);
125 Status
= RtlCreateAcl(Dacl
,
128 ASSERT(NT_SUCCESS(Status
));
129 if (!NT_SUCCESS(Status
))
132 Status
= RtlAddAccessAllowedAce(Dacl
,
134 SAM_SERVER_READ
| SAM_SERVER_EXECUTE
,
136 ASSERT(NT_SUCCESS(Status
));
137 if (!NT_SUCCESS(Status
))
140 Status
= RtlAddAccessAllowedAce(Dacl
,
142 SAM_SERVER_ALL_ACCESS
,
144 ASSERT(Status
== STATUS_SUCCESS
);
145 if (!NT_SUCCESS(Status
))
149 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
153 ASSERT(Status
== STATUS_SUCCESS
);
154 if (!NT_SUCCESS(Status
))
157 /* allocate and create the SACL */
158 SaclSize
= sizeof(ACL
) +
160 RtlLengthSid(EveryoneSid
) +
161 RtlLengthSid(AnonymousSid
);
163 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
168 Status
= STATUS_INSUFFICIENT_RESOURCES
;
169 ASSERT(Status
== STATUS_SUCCESS
);
173 Status
= RtlCreateAcl(Sacl
,
176 ASSERT(Status
== STATUS_SUCCESS
);
177 if (!NT_SUCCESS(Status
))
180 Status
= RtlAddAuditAccessAce(Sacl
,
182 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
183 SAM_SERVER_CREATE_DOMAIN
| SAM_SERVER_INITIALIZE
|
188 ASSERT(Status
== STATUS_SUCCESS
);
189 if (!NT_SUCCESS(Status
))
192 Status
= RtlAddAuditAccessAce(Sacl
,
194 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
198 ASSERT(Status
== STATUS_SUCCESS
);
199 if (!NT_SUCCESS(Status
))
203 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
207 ASSERT(Status
== STATUS_SUCCESS
);
208 if (!NT_SUCCESS(Status
))
211 /* Set the owner SID */
212 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
215 ASSERT(Status
== STATUS_SUCCESS
);
216 if (!NT_SUCCESS(Status
))
219 /* Set the group SID */
220 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
223 ASSERT(Status
== STATUS_SUCCESS
);
224 if (!NT_SUCCESS(Status
))
227 /* Get the reqired buffer size for the self-relative SD */
228 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
231 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
234 /* Allocate a buffer for the self-relative SD */
235 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
240 Status
= STATUS_INSUFFICIENT_RESOURCES
;
241 ASSERT(Status
== STATUS_SUCCESS
);
245 /* Convert the absolute SD to self-relative format */
246 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
249 if (Status
== STATUS_BUFFER_TOO_SMALL
)
251 ASSERT(Status
== STATUS_SUCCESS
);
259 if (!NT_SUCCESS(Status
))
262 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
265 if (EveryoneSid
!= NULL
)
266 RtlFreeSid(EveryoneSid
);
268 if (AnonymousSid
!= NULL
)
269 RtlFreeSid(AnonymousSid
);
271 if (AdministratorsSid
!= NULL
)
272 RtlFreeSid(AdministratorsSid
);
275 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
278 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
281 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
288 SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR
*ServerSd
,
291 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
292 PSECURITY_DESCRIPTOR RelSD
= NULL
;
293 PSID EveryoneSid
= NULL
;
294 PSID AnonymousSid
= NULL
;
295 PSID AdministratorsSid
= NULL
;
301 NTSTATUS Status
= STATUS_SUCCESS
;
304 /* Create the Everyone SID */
305 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
316 ASSERT(NT_SUCCESS(Status
));
317 if (!NT_SUCCESS(Status
))
320 /* Create the Anonymous SID */
321 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
323 SECURITY_ANONYMOUS_LOGON_RID
,
332 ASSERT(NT_SUCCESS(Status
));
333 if (!NT_SUCCESS(Status
))
336 /* Create the Administrators SID */
337 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
339 SECURITY_BUILTIN_DOMAIN_RID
,
340 DOMAIN_ALIAS_RID_ADMINS
,
348 ASSERT(NT_SUCCESS(Status
));
349 if (!NT_SUCCESS(Status
))
353 /* Allocate a buffer for the absolute SD */
354 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
356 sizeof(SECURITY_DESCRIPTOR
));
359 Status
= STATUS_INSUFFICIENT_RESOURCES
;
360 ASSERT(Status
== STATUS_SUCCESS
);
364 /* Create the absolute SD */
365 Status
= RtlCreateSecurityDescriptor(AbsSD
,
366 SECURITY_DESCRIPTOR_REVISION
);
367 ASSERT(NT_SUCCESS(Status
));
368 if (!NT_SUCCESS(Status
))
371 /* allocate and create the DACL */
372 DaclSize
= sizeof(ACL
) +
374 RtlLengthSid(EveryoneSid
) +
375 RtlLengthSid(AdministratorsSid
);
377 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
382 Status
= STATUS_INSUFFICIENT_RESOURCES
;
383 ASSERT(Status
== STATUS_SUCCESS
);
387 Status
= RtlCreateAcl(Dacl
,
390 ASSERT(NT_SUCCESS(Status
));
391 if (!NT_SUCCESS(Status
))
394 Status
= RtlAddAccessAllowedAce(Dacl
,
396 DOMAIN_READ
| DOMAIN_EXECUTE
,
398 ASSERT(NT_SUCCESS(Status
));
399 if (!NT_SUCCESS(Status
))
402 Status
= RtlAddAccessAllowedAce(Dacl
,
404 SAM_SERVER_ALL_ACCESS
,
406 ASSERT(Status
== STATUS_SUCCESS
);
407 if (!NT_SUCCESS(Status
))
411 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
415 ASSERT(Status
== STATUS_SUCCESS
);
416 if (!NT_SUCCESS(Status
))
419 /* allocate and create the SACL */
420 SaclSize
= sizeof(ACL
) +
422 RtlLengthSid(EveryoneSid
) +
423 RtlLengthSid(AnonymousSid
);
425 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
430 Status
= STATUS_INSUFFICIENT_RESOURCES
;
431 ASSERT(Status
== STATUS_SUCCESS
);
435 Status
= RtlCreateAcl(Sacl
,
438 ASSERT(Status
== STATUS_SUCCESS
);
439 if (!NT_SUCCESS(Status
))
442 Status
= RtlAddAuditAccessAce(Sacl
,
444 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
445 SAM_SERVER_CREATE_DOMAIN
| SAM_SERVER_INITIALIZE
|
450 ASSERT(Status
== STATUS_SUCCESS
);
451 if (!NT_SUCCESS(Status
))
454 Status
= RtlAddAuditAccessAce(Sacl
,
456 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
460 ASSERT(Status
== STATUS_SUCCESS
);
461 if (!NT_SUCCESS(Status
))
465 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
469 ASSERT(Status
== STATUS_SUCCESS
);
470 if (!NT_SUCCESS(Status
))
473 /* Set the owner SID */
474 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
477 ASSERT(Status
== STATUS_SUCCESS
);
478 if (!NT_SUCCESS(Status
))
481 /* Set the group SID */
482 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
485 ASSERT(Status
== STATUS_SUCCESS
);
486 if (!NT_SUCCESS(Status
))
489 /* Get the reqired buffer size for the self-relative SD */
490 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
493 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
496 /* Allocate a buffer for the self-relative SD */
497 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
502 Status
= STATUS_INSUFFICIENT_RESOURCES
;
503 ASSERT(Status
== STATUS_SUCCESS
);
507 /* Convert the absolute SD to self-relative format */
508 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
511 if (Status
== STATUS_BUFFER_TOO_SMALL
)
513 ASSERT(Status
== STATUS_SUCCESS
);
521 if (!NT_SUCCESS(Status
))
524 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
527 if (EveryoneSid
!= NULL
)
528 RtlFreeSid(EveryoneSid
);
530 if (AnonymousSid
!= NULL
)
531 RtlFreeSid(AnonymousSid
);
533 if (AdministratorsSid
!= NULL
)
534 RtlFreeSid(AdministratorsSid
);
537 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
540 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
543 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
550 SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR
*ServerSd
,
553 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
554 PSECURITY_DESCRIPTOR RelSD
= NULL
;
555 PSID EveryoneSid
= NULL
;
556 PSID AnonymousSid
= NULL
;
557 PSID AdministratorsSid
= NULL
;
558 PSID UsersSid
= NULL
;
559 PSID GuestsSid
= NULL
;
565 NTSTATUS Status
= STATUS_SUCCESS
;
568 /* Create the Everyone SID */
569 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
580 ASSERT(NT_SUCCESS(Status
));
581 if (!NT_SUCCESS(Status
))
584 /* Create the Anonymous SID */
585 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
587 SECURITY_ANONYMOUS_LOGON_RID
,
596 ASSERT(NT_SUCCESS(Status
));
597 if (!NT_SUCCESS(Status
))
600 /* Create the Administrators SID */
601 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
603 SECURITY_BUILTIN_DOMAIN_RID
,
604 DOMAIN_ALIAS_RID_ADMINS
,
612 ASSERT(NT_SUCCESS(Status
));
613 if (!NT_SUCCESS(Status
))
616 /* Create the Users SID */
617 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
619 SECURITY_BUILTIN_DOMAIN_RID
,
620 DOMAIN_ALIAS_RID_USERS
,
628 ASSERT(NT_SUCCESS(Status
));
629 if (!NT_SUCCESS(Status
))
632 /* Create the Guests SID */
633 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
635 SECURITY_BUILTIN_DOMAIN_RID
,
636 DOMAIN_ALIAS_RID_GUESTS
,
644 ASSERT(NT_SUCCESS(Status
));
645 if (!NT_SUCCESS(Status
))
649 /* Allocate a buffer for the absolute SD */
650 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
652 sizeof(SECURITY_DESCRIPTOR
));
655 Status
= STATUS_INSUFFICIENT_RESOURCES
;
656 ASSERT(Status
== STATUS_SUCCESS
);
660 /* Create the absolute SD */
661 Status
= RtlCreateSecurityDescriptor(AbsSD
,
662 SECURITY_DESCRIPTOR_REVISION
);
663 ASSERT(NT_SUCCESS(Status
));
664 if (!NT_SUCCESS(Status
))
667 /* allocate and create the DACL */
668 DaclSize
= sizeof(ACL
) +
670 RtlLengthSid(EveryoneSid
) +
671 RtlLengthSid(AdministratorsSid
) +
672 RtlLengthSid(UsersSid
) +
673 RtlLengthSid(GuestsSid
);
675 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
680 Status
= STATUS_INSUFFICIENT_RESOURCES
;
681 ASSERT(Status
== STATUS_SUCCESS
);
685 Status
= RtlCreateAcl(Dacl
,
688 ASSERT(NT_SUCCESS(Status
));
689 if (!NT_SUCCESS(Status
))
692 Status
= RtlAddAccessAllowedAce(Dacl
,
694 DOMAIN_READ
| DOMAIN_EXECUTE
,
696 ASSERT(NT_SUCCESS(Status
));
697 if (!NT_SUCCESS(Status
))
700 Status
= RtlAddAccessAllowedAce(Dacl
,
702 DOMAIN_READ
| DOMAIN_EXECUTE
,
704 ASSERT(NT_SUCCESS(Status
));
705 if (!NT_SUCCESS(Status
))
708 Status
= RtlAddAccessAllowedAce(Dacl
,
710 DOMAIN_ALL_ACCESS
& ~DOMAIN_CREATE_GROUP
,
712 ASSERT(Status
== STATUS_SUCCESS
);
713 if (!NT_SUCCESS(Status
))
716 Status
= RtlAddAccessAllowedAce(Dacl
,
718 DOMAIN_READ
| DOMAIN_EXECUTE
| DOMAIN_CREATE_USER
| DOMAIN_CREATE_ALIAS
,
720 ASSERT(Status
== STATUS_SUCCESS
);
721 if (!NT_SUCCESS(Status
))
725 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
729 ASSERT(Status
== STATUS_SUCCESS
);
730 if (!NT_SUCCESS(Status
))
733 /* allocate and create the SACL */
734 SaclSize
= sizeof(ACL
) +
736 RtlLengthSid(EveryoneSid
) +
737 RtlLengthSid(AnonymousSid
);
739 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
744 Status
= STATUS_INSUFFICIENT_RESOURCES
;
745 ASSERT(Status
== STATUS_SUCCESS
);
749 Status
= RtlCreateAcl(Sacl
,
752 ASSERT(Status
== STATUS_SUCCESS
);
753 if (!NT_SUCCESS(Status
))
756 Status
= RtlAddAuditAccessAce(Sacl
,
758 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
759 SAM_SERVER_CREATE_DOMAIN
| SAM_SERVER_INITIALIZE
|
764 ASSERT(Status
== STATUS_SUCCESS
);
765 if (!NT_SUCCESS(Status
))
768 Status
= RtlAddAuditAccessAce(Sacl
,
770 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
774 ASSERT(Status
== STATUS_SUCCESS
);
775 if (!NT_SUCCESS(Status
))
779 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
783 ASSERT(Status
== STATUS_SUCCESS
);
784 if (!NT_SUCCESS(Status
))
787 /* Set the owner SID */
788 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
791 ASSERT(Status
== STATUS_SUCCESS
);
792 if (!NT_SUCCESS(Status
))
795 /* Set the group SID */
796 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
799 ASSERT(Status
== STATUS_SUCCESS
);
800 if (!NT_SUCCESS(Status
))
803 /* Get the reqired buffer size for the self-relative SD */
804 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
807 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
810 /* Allocate a buffer for the self-relative SD */
811 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
816 Status
= STATUS_INSUFFICIENT_RESOURCES
;
817 ASSERT(Status
== STATUS_SUCCESS
);
821 /* Convert the absolute SD to self-relative format */
822 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
825 if (Status
== STATUS_BUFFER_TOO_SMALL
)
827 ASSERT(Status
== STATUS_SUCCESS
);
835 if (!NT_SUCCESS(Status
))
838 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
841 if (EveryoneSid
!= NULL
)
842 RtlFreeSid(EveryoneSid
);
844 if (AnonymousSid
!= NULL
)
845 RtlFreeSid(AnonymousSid
);
847 if (AdministratorsSid
!= NULL
)
848 RtlFreeSid(AdministratorsSid
);
851 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
854 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
857 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
864 SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR
*AliasSd
,
867 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
868 PSECURITY_DESCRIPTOR RelSD
= NULL
;
869 PSID EveryoneSid
= NULL
;
870 PSID AnonymousSid
= NULL
;
871 PSID AdministratorsSid
= NULL
;
872 PSID AccountOperatorsSid
= NULL
;
878 NTSTATUS Status
= STATUS_SUCCESS
;
881 /* Create the Everyone SID */
882 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
893 ASSERT(NT_SUCCESS(Status
));
894 if (!NT_SUCCESS(Status
))
897 /* Create the Anonymous SID */
898 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
900 SECURITY_ANONYMOUS_LOGON_RID
,
909 ASSERT(NT_SUCCESS(Status
));
910 if (!NT_SUCCESS(Status
))
913 /* Create the Administrators SID */
914 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
916 SECURITY_BUILTIN_DOMAIN_RID
,
917 DOMAIN_ALIAS_RID_ADMINS
,
925 ASSERT(NT_SUCCESS(Status
));
926 if (!NT_SUCCESS(Status
))
929 /* Create the Account Operators SID */
930 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
932 SECURITY_BUILTIN_DOMAIN_RID
,
933 DOMAIN_ALIAS_RID_ACCOUNT_OPS
,
940 &AccountOperatorsSid
);
941 ASSERT(NT_SUCCESS(Status
));
942 if (!NT_SUCCESS(Status
))
945 /* Allocate a buffer for the absolute SD */
946 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
948 sizeof(SECURITY_DESCRIPTOR
));
951 Status
= STATUS_INSUFFICIENT_RESOURCES
;
952 ASSERT(Status
== STATUS_SUCCESS
);
956 /* Create the absolute SD */
957 Status
= RtlCreateSecurityDescriptor(AbsSD
,
958 SECURITY_DESCRIPTOR_REVISION
);
959 ASSERT(NT_SUCCESS(Status
));
960 if (!NT_SUCCESS(Status
))
963 /* allocate and create the DACL */
964 DaclSize
= sizeof(ACL
) +
966 RtlLengthSid(EveryoneSid
) +
967 RtlLengthSid(AdministratorsSid
) +
968 RtlLengthSid(AccountOperatorsSid
);
970 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
975 Status
= STATUS_INSUFFICIENT_RESOURCES
;
976 ASSERT(Status
== STATUS_SUCCESS
);
980 Status
= RtlCreateAcl(Dacl
,
983 ASSERT(NT_SUCCESS(Status
));
984 if (!NT_SUCCESS(Status
))
987 Status
= RtlAddAccessAllowedAce(Dacl
,
989 READ_CONTROL
| ALIAS_READ_INFORMATION
| ALIAS_LIST_MEMBERS
,
991 ASSERT(NT_SUCCESS(Status
));
992 if (!NT_SUCCESS(Status
))
995 Status
= RtlAddAccessAllowedAce(Dacl
,
999 ASSERT(Status
== STATUS_SUCCESS
);
1000 if (!NT_SUCCESS(Status
))
1003 Status
= RtlAddAccessAllowedAce(Dacl
,
1006 AccountOperatorsSid
);
1007 ASSERT(Status
== STATUS_SUCCESS
);
1008 if (!NT_SUCCESS(Status
))
1012 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
1016 ASSERT(Status
== STATUS_SUCCESS
);
1017 if (!NT_SUCCESS(Status
))
1020 /* allocate and create the SACL */
1021 SaclSize
= sizeof(ACL
) +
1023 RtlLengthSid(EveryoneSid
) +
1024 RtlLengthSid(AnonymousSid
);
1026 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
1031 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1032 ASSERT(Status
== STATUS_SUCCESS
);
1036 Status
= RtlCreateAcl(Sacl
,
1039 ASSERT(Status
== STATUS_SUCCESS
);
1040 if (!NT_SUCCESS(Status
))
1043 Status
= RtlAddAuditAccessAce(Sacl
,
1045 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
1046 ALIAS_WRITE_ACCOUNT
| ALIAS_REMOVE_MEMBER
|
1051 ASSERT(Status
== STATUS_SUCCESS
);
1052 if (!NT_SUCCESS(Status
))
1055 Status
= RtlAddAuditAccessAce(Sacl
,
1057 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
1061 ASSERT(Status
== STATUS_SUCCESS
);
1062 if (!NT_SUCCESS(Status
))
1066 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
1070 ASSERT(Status
== STATUS_SUCCESS
);
1071 if (!NT_SUCCESS(Status
))
1074 /* Set the owner SID */
1075 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
1078 ASSERT(Status
== STATUS_SUCCESS
);
1079 if (!NT_SUCCESS(Status
))
1082 /* Set the group SID */
1083 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
1086 ASSERT(Status
== STATUS_SUCCESS
);
1087 if (!NT_SUCCESS(Status
))
1090 /* Get the reqired buffer size for the self-relative SD */
1091 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1094 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
1097 /* Allocate a buffer for the self-relative SD */
1098 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
1103 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1104 ASSERT(Status
== STATUS_SUCCESS
);
1108 /* Convert the absolute SD to self-relative format */
1109 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1112 if (Status
== STATUS_BUFFER_TOO_SMALL
)
1114 ASSERT(Status
== STATUS_SUCCESS
);
1122 if (!NT_SUCCESS(Status
))
1125 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
1128 if (EveryoneSid
!= NULL
)
1129 RtlFreeSid(EveryoneSid
);
1131 if (AnonymousSid
!= NULL
)
1132 RtlFreeSid(AnonymousSid
);
1134 if (AdministratorsSid
!= NULL
)
1135 RtlFreeSid(AdministratorsSid
);
1138 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
1141 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
1144 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);
1151 SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR
*GroupSd
,
1154 PSECURITY_DESCRIPTOR AbsSD
= NULL
;
1155 PSECURITY_DESCRIPTOR RelSD
= NULL
;
1156 PSID EveryoneSid
= NULL
;
1157 PSID AnonymousSid
= NULL
;
1158 PSID AdministratorsSid
= NULL
;
1159 PSID AccountOperatorsSid
= NULL
;
1164 ULONG RelSDSize
= 0;
1165 NTSTATUS Status
= STATUS_SUCCESS
;
1168 /* Create the Everyone SID */
1169 Status
= RtlAllocateAndInitializeSid(&WorldAuthority
,
1180 ASSERT(NT_SUCCESS(Status
));
1181 if (!NT_SUCCESS(Status
))
1184 /* Create the Anonymous SID */
1185 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
1187 SECURITY_ANONYMOUS_LOGON_RID
,
1196 ASSERT(NT_SUCCESS(Status
));
1197 if (!NT_SUCCESS(Status
))
1200 /* Create the Administrators SID */
1201 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
1203 SECURITY_BUILTIN_DOMAIN_RID
,
1204 DOMAIN_ALIAS_RID_ADMINS
,
1211 &AdministratorsSid
);
1212 ASSERT(NT_SUCCESS(Status
));
1213 if (!NT_SUCCESS(Status
))
1216 /* Create the Account Operators SID */
1217 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
1219 SECURITY_BUILTIN_DOMAIN_RID
,
1220 DOMAIN_ALIAS_RID_ACCOUNT_OPS
,
1227 &AccountOperatorsSid
);
1228 ASSERT(NT_SUCCESS(Status
));
1229 if (!NT_SUCCESS(Status
))
1232 /* Allocate a buffer for the absolute SD */
1233 AbsSD
= RtlAllocateHeap(RtlGetProcessHeap(),
1235 sizeof(SECURITY_DESCRIPTOR
));
1238 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1239 ASSERT(Status
== STATUS_SUCCESS
);
1243 /* Create the absolute SD */
1244 Status
= RtlCreateSecurityDescriptor(AbsSD
,
1245 SECURITY_DESCRIPTOR_REVISION
);
1246 ASSERT(NT_SUCCESS(Status
));
1247 if (!NT_SUCCESS(Status
))
1250 /* allocate and create the DACL */
1251 DaclSize
= sizeof(ACL
) +
1253 RtlLengthSid(EveryoneSid
) +
1254 RtlLengthSid(AdministratorsSid
) +
1255 RtlLengthSid(AccountOperatorsSid
);
1257 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
1262 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1263 ASSERT(Status
== STATUS_SUCCESS
);
1267 Status
= RtlCreateAcl(Dacl
,
1270 ASSERT(NT_SUCCESS(Status
));
1271 if (!NT_SUCCESS(Status
))
1274 Status
= RtlAddAccessAllowedAce(Dacl
,
1276 READ_CONTROL
| GROUP_LIST_MEMBERS
| GROUP_READ_INFORMATION
,
1278 ASSERT(NT_SUCCESS(Status
));
1279 if (!NT_SUCCESS(Status
))
1282 Status
= RtlAddAccessAllowedAce(Dacl
,
1286 ASSERT(Status
== STATUS_SUCCESS
);
1287 if (!NT_SUCCESS(Status
))
1290 Status
= RtlAddAccessAllowedAce(Dacl
,
1293 AccountOperatorsSid
);
1294 ASSERT(Status
== STATUS_SUCCESS
);
1295 if (!NT_SUCCESS(Status
))
1299 Status
= RtlSetDaclSecurityDescriptor(AbsSD
,
1303 ASSERT(Status
== STATUS_SUCCESS
);
1304 if (!NT_SUCCESS(Status
))
1307 /* allocate and create the SACL */
1308 SaclSize
= sizeof(ACL
) +
1310 RtlLengthSid(EveryoneSid
) +
1311 RtlLengthSid(AnonymousSid
);
1313 Sacl
= RtlAllocateHeap(RtlGetProcessHeap(),
1318 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1319 ASSERT(Status
== STATUS_SUCCESS
);
1323 Status
= RtlCreateAcl(Sacl
,
1326 ASSERT(Status
== STATUS_SUCCESS
);
1327 if (!NT_SUCCESS(Status
))
1330 Status
= RtlAddAuditAccessAce(Sacl
,
1332 ACCESS_SYSTEM_SECURITY
| WRITE_DAC
| DELETE
|
1333 GROUP_REMOVE_MEMBER
| GROUP_ADD_MEMBER
|
1334 GROUP_WRITE_ACCOUNT
,
1338 ASSERT(Status
== STATUS_SUCCESS
);
1339 if (!NT_SUCCESS(Status
))
1342 Status
= RtlAddAuditAccessAce(Sacl
,
1344 STANDARD_RIGHTS_ALL
| SPECIFIC_RIGHTS_ALL
,
1348 ASSERT(Status
== STATUS_SUCCESS
);
1349 if (!NT_SUCCESS(Status
))
1353 Status
= RtlSetSaclSecurityDescriptor(AbsSD
,
1357 ASSERT(Status
== STATUS_SUCCESS
);
1358 if (!NT_SUCCESS(Status
))
1361 /* Set the owner SID */
1362 Status
= RtlSetOwnerSecurityDescriptor(AbsSD
,
1365 ASSERT(Status
== STATUS_SUCCESS
);
1366 if (!NT_SUCCESS(Status
))
1369 /* Set the group SID */
1370 Status
= RtlSetGroupSecurityDescriptor(AbsSD
,
1373 ASSERT(Status
== STATUS_SUCCESS
);
1374 if (!NT_SUCCESS(Status
))
1377 /* Get the reqired buffer size for the self-relative SD */
1378 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1381 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
1384 /* Allocate a buffer for the self-relative SD */
1385 RelSD
= RtlAllocateHeap(RtlGetProcessHeap(),
1390 Status
= STATUS_INSUFFICIENT_RESOURCES
;
1391 ASSERT(Status
== STATUS_SUCCESS
);
1395 /* Convert the absolute SD to self-relative format */
1396 Status
= RtlAbsoluteToSelfRelativeSD(AbsSD
,
1399 if (Status
== STATUS_BUFFER_TOO_SMALL
)
1401 ASSERT(Status
== STATUS_SUCCESS
);
1409 if (!NT_SUCCESS(Status
))
1412 RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD
);
1415 if (EveryoneSid
!= NULL
)
1416 RtlFreeSid(EveryoneSid
);
1418 if (AnonymousSid
!= NULL
)
1419 RtlFreeSid(AnonymousSid
);
1421 if (AdministratorsSid
!= NULL
)
1422 RtlFreeSid(AdministratorsSid
);
1425 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
1428 RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl
);
1431 RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD
);