ntoskrnl/se/sid.c

   1 /*
   2  * COPYRIGHT:       See COPYING in the top level directory
   3  * PROJECT:         ReactOS kernel
   4  * FILE:            ntoskrnl/se/sid.c
   5  * PURPOSE:         Security manager
   6  *
   7  * PROGRAMMERS:     David Welch <welch@cwcom.net>
   8  */
   9
  10 /* INCLUDES *******************************************************************/
  11
  12 #include <ntoskrnl.h>
  13 #define NDEBUG
  14 #include <debug.h>
  15
  16 #if defined (ALLOC_PRAGMA)
  17 #pragma alloc_text(INIT, SepInitSecurityIDs)
  18 #endif
  19
  20 /* GLOBALS ********************************************************************/
  21
  22 SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY};
  23 SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY};
  24 SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority = {SECURITY_LOCAL_SID_AUTHORITY};
  25 SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY};
  26 SID_IDENTIFIER_AUTHORITY SeNtSidAuthority = {SECURITY_NT_AUTHORITY};
  27
  28 PSID SeNullSid = NULL;
  29 PSID SeWorldSid = NULL;
  30 PSID SeLocalSid = NULL;
  31 PSID SeCreatorOwnerSid = NULL;
  32 PSID SeCreatorGroupSid = NULL;
  33 PSID SeCreatorOwnerServerSid = NULL;
  34 PSID SeCreatorGroupServerSid = NULL;
  35 PSID SeNtAuthoritySid = NULL;
  36 PSID SeDialupSid = NULL;
  37 PSID SeNetworkSid = NULL;
  38 PSID SeBatchSid = NULL;
  39 PSID SeInteractiveSid = NULL;
  40 PSID SeServiceSid = NULL;
  41 PSID SePrincipalSelfSid = NULL;
  42 PSID SeLocalSystemSid = NULL;
  43 PSID SeAuthenticatedUserSid = NULL;
  44 PSID SeRestrictedCodeSid = NULL;
  45 PSID SeAliasAdminsSid = NULL;
  46 PSID SeAliasUsersSid = NULL;
  47 PSID SeAliasGuestsSid = NULL;
  48 PSID SeAliasPowerUsersSid = NULL;
  49 PSID SeAliasAccountOpsSid = NULL;
  50 PSID SeAliasSystemOpsSid = NULL;
  51 PSID SeAliasPrintOpsSid = NULL;
  52 PSID SeAliasBackupOpsSid = NULL;
  53 PSID SeAuthenticatedUsersSid = NULL;
  54 PSID SeRestrictedSid = NULL;
  55 PSID SeAnonymousLogonSid = NULL;
  56
  57 /* FUNCTIONS ******************************************************************/
  58
  59 VOID
  60 NTAPI
  61 FreeInitializedSids(VOID)
  62 {
  63     if (SeNullSid) ExFreePoolWithTag(SeNullSid, TAG_SID);
  64     if (SeWorldSid) ExFreePoolWithTag(SeWorldSid, TAG_SID);
  65     if (SeLocalSid) ExFreePoolWithTag(SeLocalSid, TAG_SID);
  66     if (SeCreatorOwnerSid) ExFreePoolWithTag(SeCreatorOwnerSid, TAG_SID);
  67     if (SeCreatorGroupSid) ExFreePoolWithTag(SeCreatorGroupSid, TAG_SID);
  68     if (SeCreatorOwnerServerSid) ExFreePoolWithTag(SeCreatorOwnerServerSid, TAG_SID);
  69     if (SeCreatorGroupServerSid) ExFreePoolWithTag(SeCreatorGroupServerSid, TAG_SID);
  70     if (SeNtAuthoritySid) ExFreePoolWithTag(SeNtAuthoritySid, TAG_SID);
  71     if (SeDialupSid) ExFreePoolWithTag(SeDialupSid, TAG_SID);
  72     if (SeNetworkSid) ExFreePoolWithTag(SeNetworkSid, TAG_SID);
  73     if (SeBatchSid) ExFreePoolWithTag(SeBatchSid, TAG_SID);
  74     if (SeInteractiveSid) ExFreePoolWithTag(SeInteractiveSid, TAG_SID);
  75     if (SeServiceSid) ExFreePoolWithTag(SeServiceSid, TAG_SID);
  76     if (SePrincipalSelfSid) ExFreePoolWithTag(SePrincipalSelfSid, TAG_SID);
  77     if (SeLocalSystemSid) ExFreePoolWithTag(SeLocalSystemSid, TAG_SID);
  78     if (SeAuthenticatedUserSid) ExFreePoolWithTag(SeAuthenticatedUserSid, TAG_SID);
  79     if (SeRestrictedCodeSid) ExFreePoolWithTag(SeRestrictedCodeSid, TAG_SID);
  80     if (SeAliasAdminsSid) ExFreePoolWithTag(SeAliasAdminsSid, TAG_SID);
  81     if (SeAliasUsersSid) ExFreePoolWithTag(SeAliasUsersSid, TAG_SID);
  82     if (SeAliasGuestsSid) ExFreePoolWithTag(SeAliasGuestsSid, TAG_SID);
  83     if (SeAliasPowerUsersSid) ExFreePoolWithTag(SeAliasPowerUsersSid, TAG_SID);
  84     if (SeAliasAccountOpsSid) ExFreePoolWithTag(SeAliasAccountOpsSid, TAG_SID);
  85     if (SeAliasSystemOpsSid) ExFreePoolWithTag(SeAliasSystemOpsSid, TAG_SID);
  86     if (SeAliasPrintOpsSid) ExFreePoolWithTag(SeAliasPrintOpsSid, TAG_SID);
  87     if (SeAliasBackupOpsSid) ExFreePoolWithTag(SeAliasBackupOpsSid, TAG_SID);
  88     if (SeAuthenticatedUsersSid) ExFreePoolWithTag(SeAuthenticatedUsersSid, TAG_SID);
  89     if (SeRestrictedSid) ExFreePoolWithTag(SeRestrictedSid, TAG_SID);
  90     if (SeAnonymousLogonSid) ExFreePoolWithTag(SeAnonymousLogonSid, TAG_SID);
  91 }
  92
  93 BOOLEAN
  94 INIT_FUNCTION
  95 NTAPI
  96 SepInitSecurityIDs(VOID)
  97 {
  98     ULONG SidLength0;
  99     ULONG SidLength1;
 100     ULONG SidLength2;
 101     PULONG SubAuthority;
 102
 103     SidLength0 = RtlLengthRequiredSid(0);
 104     SidLength1 = RtlLengthRequiredSid(1);
 105     SidLength2 = RtlLengthRequiredSid(2);
 106
 107     /* create NullSid */
 108     SeNullSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 109     SeWorldSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 110     SeLocalSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 111     SeCreatorOwnerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 112     SeCreatorGroupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 113     SeCreatorOwnerServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 114     SeCreatorGroupServerSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 115     SeNtAuthoritySid = ExAllocatePoolWithTag(PagedPool, SidLength0, TAG_SID);
 116     SeDialupSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 117     SeNetworkSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 118     SeBatchSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 119     SeInteractiveSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 120     SeServiceSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 121     SePrincipalSelfSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 122     SeLocalSystemSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 123     SeAuthenticatedUserSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 124     SeRestrictedCodeSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 125     SeAliasAdminsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
 126     SeAliasUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
 127     SeAliasGuestsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
 128     SeAliasPowerUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
 129     SeAliasAccountOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
 130     SeAliasSystemOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
 131     SeAliasPrintOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
 132     SeAliasBackupOpsSid = ExAllocatePoolWithTag(PagedPool, SidLength2, TAG_SID);
 133     SeAuthenticatedUsersSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 134     SeRestrictedSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 135     SeAnonymousLogonSid = ExAllocatePoolWithTag(PagedPool, SidLength1, TAG_SID);
 136
 137     if (SeNullSid == NULL || SeWorldSid == NULL ||
 138         SeLocalSid == NULL || SeCreatorOwnerSid == NULL ||
 139         SeCreatorGroupSid == NULL || SeCreatorOwnerServerSid == NULL ||
 140         SeCreatorGroupServerSid == NULL || SeNtAuthoritySid == NULL ||
 141         SeDialupSid == NULL || SeNetworkSid == NULL || SeBatchSid == NULL ||
 142         SeInteractiveSid == NULL || SeServiceSid == NULL ||
 143         SePrincipalSelfSid == NULL || SeLocalSystemSid == NULL ||
 144         SeAuthenticatedUserSid == NULL || SeRestrictedCodeSid == NULL ||
 145         SeAliasAdminsSid == NULL || SeAliasUsersSid == NULL ||
 146         SeAliasGuestsSid == NULL || SeAliasPowerUsersSid == NULL ||
 147         SeAliasAccountOpsSid == NULL || SeAliasSystemOpsSid == NULL ||
 148         SeAliasPrintOpsSid == NULL || SeAliasBackupOpsSid == NULL ||
 149         SeAuthenticatedUsersSid == NULL || SeRestrictedSid == NULL ||
 150         SeAnonymousLogonSid == NULL)
 151     {
 152         FreeInitializedSids();
 153         return FALSE;
 154     }
 155
 156     RtlInitializeSid(SeNullSid, &SeNullSidAuthority, 1);
 157     RtlInitializeSid(SeWorldSid, &SeWorldSidAuthority, 1);
 158     RtlInitializeSid(SeLocalSid, &SeLocalSidAuthority, 1);
 159     RtlInitializeSid(SeCreatorOwnerSid, &SeCreatorSidAuthority, 1);
 160     RtlInitializeSid(SeCreatorGroupSid, &SeCreatorSidAuthority, 1);
 161     RtlInitializeSid(SeCreatorOwnerServerSid, &SeCreatorSidAuthority, 1);
 162     RtlInitializeSid(SeCreatorGroupServerSid, &SeCreatorSidAuthority, 1);
 163     RtlInitializeSid(SeNtAuthoritySid, &SeNtSidAuthority, 0);
 164     RtlInitializeSid(SeDialupSid, &SeNtSidAuthority, 1);
 165     RtlInitializeSid(SeNetworkSid, &SeNtSidAuthority, 1);
 166     RtlInitializeSid(SeBatchSid, &SeNtSidAuthority, 1);
 167     RtlInitializeSid(SeInteractiveSid, &SeNtSidAuthority, 1);
 168     RtlInitializeSid(SeServiceSid, &SeNtSidAuthority, 1);
 169     RtlInitializeSid(SePrincipalSelfSid, &SeNtSidAuthority, 1);
 170     RtlInitializeSid(SeLocalSystemSid, &SeNtSidAuthority, 1);
 171     RtlInitializeSid(SeAuthenticatedUserSid, &SeNtSidAuthority, 1);
 172     RtlInitializeSid(SeRestrictedCodeSid, &SeNtSidAuthority, 1);
 173     RtlInitializeSid(SeAliasAdminsSid, &SeNtSidAuthority, 2);
 174     RtlInitializeSid(SeAliasUsersSid, &SeNtSidAuthority, 2);
 175     RtlInitializeSid(SeAliasGuestsSid, &SeNtSidAuthority, 2);
 176     RtlInitializeSid(SeAliasPowerUsersSid, &SeNtSidAuthority, 2);
 177     RtlInitializeSid(SeAliasAccountOpsSid, &SeNtSidAuthority, 2);
 178     RtlInitializeSid(SeAliasSystemOpsSid, &SeNtSidAuthority, 2);
 179     RtlInitializeSid(SeAliasPrintOpsSid, &SeNtSidAuthority, 2);
 180     RtlInitializeSid(SeAliasBackupOpsSid, &SeNtSidAuthority, 2);
 181     RtlInitializeSid(SeAuthenticatedUsersSid, &SeNtSidAuthority, 1);
 182     RtlInitializeSid(SeRestrictedSid, &SeNtSidAuthority, 1);
 183     RtlInitializeSid(SeAnonymousLogonSid, &SeNtSidAuthority, 1);
 184
 185     SubAuthority = RtlSubAuthoritySid(SeNullSid, 0);
 186     *SubAuthority = SECURITY_NULL_RID;
 187     SubAuthority = RtlSubAuthoritySid(SeWorldSid, 0);
 188     *SubAuthority = SECURITY_WORLD_RID;
 189     SubAuthority = RtlSubAuthoritySid(SeLocalSid, 0);
 190     *SubAuthority = SECURITY_LOCAL_RID;
 191     SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerSid, 0);
 192     *SubAuthority = SECURITY_CREATOR_OWNER_RID;
 193     SubAuthority = RtlSubAuthoritySid(SeCreatorGroupSid, 0);
 194     *SubAuthority = SECURITY_CREATOR_GROUP_RID;
 195     SubAuthority = RtlSubAuthoritySid(SeCreatorOwnerServerSid, 0);
 196     *SubAuthority = SECURITY_CREATOR_OWNER_SERVER_RID;
 197     SubAuthority = RtlSubAuthoritySid(SeCreatorGroupServerSid, 0);
 198     *SubAuthority = SECURITY_CREATOR_GROUP_SERVER_RID;
 199     SubAuthority = RtlSubAuthoritySid(SeDialupSid, 0);
 200     *SubAuthority = SECURITY_DIALUP_RID;
 201     SubAuthority = RtlSubAuthoritySid(SeNetworkSid, 0);
 202     *SubAuthority = SECURITY_NETWORK_RID;
 203     SubAuthority = RtlSubAuthoritySid(SeBatchSid, 0);
 204     *SubAuthority = SECURITY_BATCH_RID;
 205     SubAuthority = RtlSubAuthoritySid(SeInteractiveSid, 0);
 206     *SubAuthority = SECURITY_INTERACTIVE_RID;
 207     SubAuthority = RtlSubAuthoritySid(SeServiceSid, 0);
 208     *SubAuthority = SECURITY_SERVICE_RID;
 209     SubAuthority = RtlSubAuthoritySid(SePrincipalSelfSid, 0);
 210     *SubAuthority = SECURITY_PRINCIPAL_SELF_RID;
 211     SubAuthority = RtlSubAuthoritySid(SeLocalSystemSid, 0);
 212     *SubAuthority = SECURITY_LOCAL_SYSTEM_RID;
 213     SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUserSid, 0);
 214     *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
 215     SubAuthority = RtlSubAuthoritySid(SeRestrictedCodeSid, 0);
 216     *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
 217     SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 0);
 218     *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
 219     SubAuthority = RtlSubAuthoritySid(SeAliasAdminsSid, 1);
 220     *SubAuthority = DOMAIN_ALIAS_RID_ADMINS;
 221     SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 0);
 222     *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
 223     SubAuthority = RtlSubAuthoritySid(SeAliasUsersSid, 1);
 224     *SubAuthority = DOMAIN_ALIAS_RID_USERS;
 225     SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 0);
 226     *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
 227     SubAuthority = RtlSubAuthoritySid(SeAliasGuestsSid, 1);
 228     *SubAuthority = DOMAIN_ALIAS_RID_GUESTS;
 229     SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 0);
 230     *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
 231     SubAuthority = RtlSubAuthoritySid(SeAliasPowerUsersSid, 1);
 232     *SubAuthority = DOMAIN_ALIAS_RID_POWER_USERS;
 233     SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 0);
 234     *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
 235     SubAuthority = RtlSubAuthoritySid(SeAliasAccountOpsSid, 1);
 236     *SubAuthority = DOMAIN_ALIAS_RID_ACCOUNT_OPS;
 237     SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 0);
 238     *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
 239     SubAuthority = RtlSubAuthoritySid(SeAliasSystemOpsSid, 1);
 240     *SubAuthority = DOMAIN_ALIAS_RID_SYSTEM_OPS;
 241     SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 0);
 242     *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
 243     SubAuthority = RtlSubAuthoritySid(SeAliasPrintOpsSid, 1);
 244     *SubAuthority = DOMAIN_ALIAS_RID_PRINT_OPS;
 245     SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 0);
 246     *SubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
 247     SubAuthority = RtlSubAuthoritySid(SeAliasBackupOpsSid, 1);
 248     *SubAuthority = DOMAIN_ALIAS_RID_BACKUP_OPS;
 249     SubAuthority = RtlSubAuthoritySid(SeAuthenticatedUsersSid, 0);
 250     *SubAuthority = SECURITY_AUTHENTICATED_USER_RID;
 251     SubAuthority = RtlSubAuthoritySid(SeRestrictedSid, 0);
 252     *SubAuthority = SECURITY_RESTRICTED_CODE_RID;
 253     SubAuthority = RtlSubAuthoritySid(SeAnonymousLogonSid, 0);
 254     *SubAuthority = SECURITY_ANONYMOUS_LOGON_RID;
 255
 256     return TRUE;
 257 }
 258
 259 NTSTATUS
 260 NTAPI
 261 SepCaptureSid(IN PSID InputSid,
 262               IN KPROCESSOR_MODE AccessMode,
 263               IN POOL_TYPE PoolType,
 264               IN BOOLEAN CaptureIfKernel,
 265               OUT PSID *CapturedSid)
 266 {
 267     ULONG SidSize = 0;
 268     PISID NewSid, Sid = (PISID)InputSid;
 269     NTSTATUS Status;
 270
 271     PAGED_CODE();
 272
 273     if (AccessMode != KernelMode)
 274     {
 275         _SEH2_TRY
 276         {
 277             ProbeForRead(Sid,
 278                          FIELD_OFFSET(SID,
 279                                       SubAuthority),
 280                          sizeof(UCHAR));
 281             SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
 282             ProbeForRead(Sid,
 283                          SidSize,
 284                          sizeof(UCHAR));
 285         }
 286         _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 287         {
 288             /* Return the exception code */
 289             _SEH2_YIELD(return _SEH2_GetExceptionCode());
 290         }
 291         _SEH2_END;
 292
 293         /* allocate a SID and copy it */
 294         NewSid = ExAllocatePool(PoolType,
 295                                 SidSize);
 296         if (NewSid != NULL)
 297         {
 298             _SEH2_TRY
 299             {
 300                 RtlCopyMemory(NewSid,
 301                               Sid,
 302                               SidSize);
 303
 304                 *CapturedSid = NewSid;
 305             }
 306             _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
 307             {
 308                 /* Free the SID and return the exception code */
 309                 ExFreePoolWithTag(NewSid, TAG_SID);
 310                 _SEH2_YIELD(return _SEH2_GetExceptionCode());
 311             }
 312             _SEH2_END;
 313         }
 314         else
 315         {
 316             Status = STATUS_INSUFFICIENT_RESOURCES;
 317         }
 318     }
 319     else if (!CaptureIfKernel)
 320     {
 321         *CapturedSid = InputSid;
 322         return STATUS_SUCCESS;
 323     }
 324     else
 325     {
 326         SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);
 327
 328         /* allocate a SID and copy it */
 329         NewSid = ExAllocatePool(PoolType,
 330                                 SidSize);
 331         if (NewSid != NULL)
 332         {
 333             RtlCopyMemory(NewSid,
 334                           Sid,
 335                           SidSize);
 336
 337             *CapturedSid = NewSid;
 338         }
 339         else
 340         {
 341             Status = STATUS_INSUFFICIENT_RESOURCES;
 342         }
 343     }
 344
 345     return Status;
 346 }
 347
 348 VOID
 349 NTAPI
 350 SepReleaseSid(IN PSID CapturedSid,
 351               IN KPROCESSOR_MODE AccessMode,
 352               IN BOOLEAN CaptureIfKernel)
 353 {
 354     PAGED_CODE();
 355
 356     if (CapturedSid != NULL &&
 357         (AccessMode != KernelMode ||
 358          (AccessMode == KernelMode && CaptureIfKernel)))
 359     {
 360         ExFreePoolWithTag(CapturedSid, TAG_SID);
 361     }
 362 }
 363
 364 /* EOF */