2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/sid.c
5 * PURPOSE: Security manager
7 * PROGRAMMERS: David Welch <welch@cwcom.net>
10 /* INCLUDES *******************************************************************/
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitSecurityIDs)
20 /* GLOBALS ********************************************************************/
22 SID_IDENTIFIER_AUTHORITY SeNullSidAuthority
= {SECURITY_NULL_SID_AUTHORITY
};
23 SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority
= {SECURITY_WORLD_SID_AUTHORITY
};
24 SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority
= {SECURITY_LOCAL_SID_AUTHORITY
};
25 SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority
= {SECURITY_CREATOR_SID_AUTHORITY
};
26 SID_IDENTIFIER_AUTHORITY SeNtSidAuthority
= {SECURITY_NT_AUTHORITY
};
28 PSID SeNullSid
= NULL
;
29 PSID SeWorldSid
= NULL
;
30 PSID SeLocalSid
= NULL
;
31 PSID SeCreatorOwnerSid
= NULL
;
32 PSID SeCreatorGroupSid
= NULL
;
33 PSID SeCreatorOwnerServerSid
= NULL
;
34 PSID SeCreatorGroupServerSid
= NULL
;
35 PSID SeNtAuthoritySid
= NULL
;
36 PSID SeDialupSid
= NULL
;
37 PSID SeNetworkSid
= NULL
;
38 PSID SeBatchSid
= NULL
;
39 PSID SeInteractiveSid
= NULL
;
40 PSID SeServiceSid
= NULL
;
41 PSID SePrincipalSelfSid
= NULL
;
42 PSID SeLocalSystemSid
= NULL
;
43 PSID SeAuthenticatedUserSid
= NULL
;
44 PSID SeRestrictedCodeSid
= NULL
;
45 PSID SeAliasAdminsSid
= NULL
;
46 PSID SeAliasUsersSid
= NULL
;
47 PSID SeAliasGuestsSid
= NULL
;
48 PSID SeAliasPowerUsersSid
= NULL
;
49 PSID SeAliasAccountOpsSid
= NULL
;
50 PSID SeAliasSystemOpsSid
= NULL
;
51 PSID SeAliasPrintOpsSid
= NULL
;
52 PSID SeAliasBackupOpsSid
= NULL
;
53 PSID SeAuthenticatedUsersSid
= NULL
;
54 PSID SeRestrictedSid
= NULL
;
55 PSID SeAnonymousLogonSid
= NULL
;
57 /* FUNCTIONS ******************************************************************/
61 FreeInitializedSids(VOID
)
63 if (SeNullSid
) ExFreePoolWithTag(SeNullSid
, TAG_SID
);
64 if (SeWorldSid
) ExFreePoolWithTag(SeWorldSid
, TAG_SID
);
65 if (SeLocalSid
) ExFreePoolWithTag(SeLocalSid
, TAG_SID
);
66 if (SeCreatorOwnerSid
) ExFreePoolWithTag(SeCreatorOwnerSid
, TAG_SID
);
67 if (SeCreatorGroupSid
) ExFreePoolWithTag(SeCreatorGroupSid
, TAG_SID
);
68 if (SeCreatorOwnerServerSid
) ExFreePoolWithTag(SeCreatorOwnerServerSid
, TAG_SID
);
69 if (SeCreatorGroupServerSid
) ExFreePoolWithTag(SeCreatorGroupServerSid
, TAG_SID
);
70 if (SeNtAuthoritySid
) ExFreePoolWithTag(SeNtAuthoritySid
, TAG_SID
);
71 if (SeDialupSid
) ExFreePoolWithTag(SeDialupSid
, TAG_SID
);
72 if (SeNetworkSid
) ExFreePoolWithTag(SeNetworkSid
, TAG_SID
);
73 if (SeBatchSid
) ExFreePoolWithTag(SeBatchSid
, TAG_SID
);
74 if (SeInteractiveSid
) ExFreePoolWithTag(SeInteractiveSid
, TAG_SID
);
75 if (SeServiceSid
) ExFreePoolWithTag(SeServiceSid
, TAG_SID
);
76 if (SePrincipalSelfSid
) ExFreePoolWithTag(SePrincipalSelfSid
, TAG_SID
);
77 if (SeLocalSystemSid
) ExFreePoolWithTag(SeLocalSystemSid
, TAG_SID
);
78 if (SeAuthenticatedUserSid
) ExFreePoolWithTag(SeAuthenticatedUserSid
, TAG_SID
);
79 if (SeRestrictedCodeSid
) ExFreePoolWithTag(SeRestrictedCodeSid
, TAG_SID
);
80 if (SeAliasAdminsSid
) ExFreePoolWithTag(SeAliasAdminsSid
, TAG_SID
);
81 if (SeAliasUsersSid
) ExFreePoolWithTag(SeAliasUsersSid
, TAG_SID
);
82 if (SeAliasGuestsSid
) ExFreePoolWithTag(SeAliasGuestsSid
, TAG_SID
);
83 if (SeAliasPowerUsersSid
) ExFreePoolWithTag(SeAliasPowerUsersSid
, TAG_SID
);
84 if (SeAliasAccountOpsSid
) ExFreePoolWithTag(SeAliasAccountOpsSid
, TAG_SID
);
85 if (SeAliasSystemOpsSid
) ExFreePoolWithTag(SeAliasSystemOpsSid
, TAG_SID
);
86 if (SeAliasPrintOpsSid
) ExFreePoolWithTag(SeAliasPrintOpsSid
, TAG_SID
);
87 if (SeAliasBackupOpsSid
) ExFreePoolWithTag(SeAliasBackupOpsSid
, TAG_SID
);
88 if (SeAuthenticatedUsersSid
) ExFreePoolWithTag(SeAuthenticatedUsersSid
, TAG_SID
);
89 if (SeRestrictedSid
) ExFreePoolWithTag(SeRestrictedSid
, TAG_SID
);
90 if (SeAnonymousLogonSid
) ExFreePoolWithTag(SeAnonymousLogonSid
, TAG_SID
);
96 SepInitSecurityIDs(VOID
)
103 SidLength0
= RtlLengthRequiredSid(0);
104 SidLength1
= RtlLengthRequiredSid(1);
105 SidLength2
= RtlLengthRequiredSid(2);
108 SeNullSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
109 SeWorldSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
110 SeLocalSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
111 SeCreatorOwnerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
112 SeCreatorGroupSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
113 SeCreatorOwnerServerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
114 SeCreatorGroupServerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
115 SeNtAuthoritySid
= ExAllocatePoolWithTag(PagedPool
, SidLength0
, TAG_SID
);
116 SeDialupSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
117 SeNetworkSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
118 SeBatchSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
119 SeInteractiveSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
120 SeServiceSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
121 SePrincipalSelfSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
122 SeLocalSystemSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
123 SeAuthenticatedUserSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
124 SeRestrictedCodeSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
125 SeAliasAdminsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
126 SeAliasUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
127 SeAliasGuestsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
128 SeAliasPowerUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
129 SeAliasAccountOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
130 SeAliasSystemOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
131 SeAliasPrintOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
132 SeAliasBackupOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
133 SeAuthenticatedUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
134 SeRestrictedSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
135 SeAnonymousLogonSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
137 if (SeNullSid
== NULL
|| SeWorldSid
== NULL
||
138 SeLocalSid
== NULL
|| SeCreatorOwnerSid
== NULL
||
139 SeCreatorGroupSid
== NULL
|| SeCreatorOwnerServerSid
== NULL
||
140 SeCreatorGroupServerSid
== NULL
|| SeNtAuthoritySid
== NULL
||
141 SeDialupSid
== NULL
|| SeNetworkSid
== NULL
|| SeBatchSid
== NULL
||
142 SeInteractiveSid
== NULL
|| SeServiceSid
== NULL
||
143 SePrincipalSelfSid
== NULL
|| SeLocalSystemSid
== NULL
||
144 SeAuthenticatedUserSid
== NULL
|| SeRestrictedCodeSid
== NULL
||
145 SeAliasAdminsSid
== NULL
|| SeAliasUsersSid
== NULL
||
146 SeAliasGuestsSid
== NULL
|| SeAliasPowerUsersSid
== NULL
||
147 SeAliasAccountOpsSid
== NULL
|| SeAliasSystemOpsSid
== NULL
||
148 SeAliasPrintOpsSid
== NULL
|| SeAliasBackupOpsSid
== NULL
||
149 SeAuthenticatedUsersSid
== NULL
|| SeRestrictedSid
== NULL
||
150 SeAnonymousLogonSid
== NULL
)
152 FreeInitializedSids();
156 RtlInitializeSid(SeNullSid
, &SeNullSidAuthority
, 1);
157 RtlInitializeSid(SeWorldSid
, &SeWorldSidAuthority
, 1);
158 RtlInitializeSid(SeLocalSid
, &SeLocalSidAuthority
, 1);
159 RtlInitializeSid(SeCreatorOwnerSid
, &SeCreatorSidAuthority
, 1);
160 RtlInitializeSid(SeCreatorGroupSid
, &SeCreatorSidAuthority
, 1);
161 RtlInitializeSid(SeCreatorOwnerServerSid
, &SeCreatorSidAuthority
, 1);
162 RtlInitializeSid(SeCreatorGroupServerSid
, &SeCreatorSidAuthority
, 1);
163 RtlInitializeSid(SeNtAuthoritySid
, &SeNtSidAuthority
, 0);
164 RtlInitializeSid(SeDialupSid
, &SeNtSidAuthority
, 1);
165 RtlInitializeSid(SeNetworkSid
, &SeNtSidAuthority
, 1);
166 RtlInitializeSid(SeBatchSid
, &SeNtSidAuthority
, 1);
167 RtlInitializeSid(SeInteractiveSid
, &SeNtSidAuthority
, 1);
168 RtlInitializeSid(SeServiceSid
, &SeNtSidAuthority
, 1);
169 RtlInitializeSid(SePrincipalSelfSid
, &SeNtSidAuthority
, 1);
170 RtlInitializeSid(SeLocalSystemSid
, &SeNtSidAuthority
, 1);
171 RtlInitializeSid(SeAuthenticatedUserSid
, &SeNtSidAuthority
, 1);
172 RtlInitializeSid(SeRestrictedCodeSid
, &SeNtSidAuthority
, 1);
173 RtlInitializeSid(SeAliasAdminsSid
, &SeNtSidAuthority
, 2);
174 RtlInitializeSid(SeAliasUsersSid
, &SeNtSidAuthority
, 2);
175 RtlInitializeSid(SeAliasGuestsSid
, &SeNtSidAuthority
, 2);
176 RtlInitializeSid(SeAliasPowerUsersSid
, &SeNtSidAuthority
, 2);
177 RtlInitializeSid(SeAliasAccountOpsSid
, &SeNtSidAuthority
, 2);
178 RtlInitializeSid(SeAliasSystemOpsSid
, &SeNtSidAuthority
, 2);
179 RtlInitializeSid(SeAliasPrintOpsSid
, &SeNtSidAuthority
, 2);
180 RtlInitializeSid(SeAliasBackupOpsSid
, &SeNtSidAuthority
, 2);
181 RtlInitializeSid(SeAuthenticatedUsersSid
, &SeNtSidAuthority
, 1);
182 RtlInitializeSid(SeRestrictedSid
, &SeNtSidAuthority
, 1);
183 RtlInitializeSid(SeAnonymousLogonSid
, &SeNtSidAuthority
, 1);
185 SubAuthority
= RtlSubAuthoritySid(SeNullSid
, 0);
186 *SubAuthority
= SECURITY_NULL_RID
;
187 SubAuthority
= RtlSubAuthoritySid(SeWorldSid
, 0);
188 *SubAuthority
= SECURITY_WORLD_RID
;
189 SubAuthority
= RtlSubAuthoritySid(SeLocalSid
, 0);
190 *SubAuthority
= SECURITY_LOCAL_RID
;
191 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerSid
, 0);
192 *SubAuthority
= SECURITY_CREATOR_OWNER_RID
;
193 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupSid
, 0);
194 *SubAuthority
= SECURITY_CREATOR_GROUP_RID
;
195 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerServerSid
, 0);
196 *SubAuthority
= SECURITY_CREATOR_OWNER_SERVER_RID
;
197 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupServerSid
, 0);
198 *SubAuthority
= SECURITY_CREATOR_GROUP_SERVER_RID
;
199 SubAuthority
= RtlSubAuthoritySid(SeDialupSid
, 0);
200 *SubAuthority
= SECURITY_DIALUP_RID
;
201 SubAuthority
= RtlSubAuthoritySid(SeNetworkSid
, 0);
202 *SubAuthority
= SECURITY_NETWORK_RID
;
203 SubAuthority
= RtlSubAuthoritySid(SeBatchSid
, 0);
204 *SubAuthority
= SECURITY_BATCH_RID
;
205 SubAuthority
= RtlSubAuthoritySid(SeInteractiveSid
, 0);
206 *SubAuthority
= SECURITY_INTERACTIVE_RID
;
207 SubAuthority
= RtlSubAuthoritySid(SeServiceSid
, 0);
208 *SubAuthority
= SECURITY_SERVICE_RID
;
209 SubAuthority
= RtlSubAuthoritySid(SePrincipalSelfSid
, 0);
210 *SubAuthority
= SECURITY_PRINCIPAL_SELF_RID
;
211 SubAuthority
= RtlSubAuthoritySid(SeLocalSystemSid
, 0);
212 *SubAuthority
= SECURITY_LOCAL_SYSTEM_RID
;
213 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUserSid
, 0);
214 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
215 SubAuthority
= RtlSubAuthoritySid(SeRestrictedCodeSid
, 0);
216 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
217 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
, 0);
218 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
219 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
, 1);
220 *SubAuthority
= DOMAIN_ALIAS_RID_ADMINS
;
221 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
, 0);
222 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
223 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
, 1);
224 *SubAuthority
= DOMAIN_ALIAS_RID_USERS
;
225 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
, 0);
226 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
227 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
, 1);
228 *SubAuthority
= DOMAIN_ALIAS_RID_GUESTS
;
229 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
, 0);
230 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
231 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
, 1);
232 *SubAuthority
= DOMAIN_ALIAS_RID_POWER_USERS
;
233 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
, 0);
234 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
235 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
, 1);
236 *SubAuthority
= DOMAIN_ALIAS_RID_ACCOUNT_OPS
;
237 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
, 0);
238 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
239 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
, 1);
240 *SubAuthority
= DOMAIN_ALIAS_RID_SYSTEM_OPS
;
241 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
, 0);
242 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
243 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
, 1);
244 *SubAuthority
= DOMAIN_ALIAS_RID_PRINT_OPS
;
245 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
, 0);
246 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
247 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
, 1);
248 *SubAuthority
= DOMAIN_ALIAS_RID_BACKUP_OPS
;
249 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUsersSid
, 0);
250 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
251 SubAuthority
= RtlSubAuthoritySid(SeRestrictedSid
, 0);
252 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
253 SubAuthority
= RtlSubAuthoritySid(SeAnonymousLogonSid
, 0);
254 *SubAuthority
= SECURITY_ANONYMOUS_LOGON_RID
;
261 SepCaptureSid(IN PSID InputSid
,
262 IN KPROCESSOR_MODE AccessMode
,
263 IN POOL_TYPE PoolType
,
264 IN BOOLEAN CaptureIfKernel
,
265 OUT PSID
*CapturedSid
)
268 PISID NewSid
, Sid
= (PISID
)InputSid
;
272 if (AccessMode
!= KernelMode
)
276 ProbeForRead(Sid
, FIELD_OFFSET(SID
, SubAuthority
), sizeof(UCHAR
));
277 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
278 ProbeForRead(Sid
, SidSize
, sizeof(UCHAR
));
280 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
282 /* Return the exception code */
283 _SEH2_YIELD(return _SEH2_GetExceptionCode());
287 /* allocate a SID and copy it */
288 NewSid
= ExAllocatePoolWithTag(PoolType
, SidSize
, TAG_SID
);
290 return STATUS_INSUFFICIENT_RESOURCES
;
294 RtlCopyMemory(NewSid
, Sid
, SidSize
);
296 *CapturedSid
= NewSid
;
298 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
300 /* Free the SID and return the exception code */
301 ExFreePoolWithTag(NewSid
, TAG_SID
);
302 _SEH2_YIELD(return _SEH2_GetExceptionCode());
306 else if (!CaptureIfKernel
)
308 *CapturedSid
= InputSid
;
312 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
314 /* allocate a SID and copy it */
315 NewSid
= ExAllocatePoolWithTag(PoolType
, SidSize
, TAG_SID
);
317 return STATUS_INSUFFICIENT_RESOURCES
;
319 RtlCopyMemory(NewSid
, Sid
, SidSize
);
321 *CapturedSid
= NewSid
;
324 return STATUS_SUCCESS
;
329 SepReleaseSid(IN PSID CapturedSid
,
330 IN KPROCESSOR_MODE AccessMode
,
331 IN BOOLEAN CaptureIfKernel
)
335 if (CapturedSid
!= NULL
&&
336 (AccessMode
!= KernelMode
||
337 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
339 ExFreePoolWithTag(CapturedSid
, TAG_SID
);