1 /*
2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/sid.c
5 * PURPOSE: Security manager
6 *
7 * PROGRAMMERS: David Welch <welch@cwcom.net>
8 */
9
10 /* INCLUDES *******************************************************************/
11
12 #include <ntoskrnl.h>
13 #define NDEBUG
14 #include <debug.h>
15
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitSecurityIDs)
18 #endif
19
20 /* GLOBALS ********************************************************************/
21
/* Identifier authorities used as the top-level component of the
 * well-known SIDs defined below. */
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority    = {SECURITY_NULL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority   = {SECURITY_WORLD_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority   = {SECURITY_LOCAL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority      = {SECURITY_NT_AUTHORITY};

/* Well-known SIDs. Every pointer stays NULL until SepInitSecurityIDs()
 * allocates and fills it in. */

/* Null, World, Local and Creator authorities */
PSID SeNullSid               = NULL;
PSID SeWorldSid              = NULL;
PSID SeLocalSid              = NULL;
PSID SeCreatorOwnerSid       = NULL;
PSID SeCreatorGroupSid       = NULL;
PSID SeCreatorOwnerServerSid = NULL;
PSID SeCreatorGroupServerSid = NULL;

/* NT authority, one sub-authority (SeNtAuthoritySid itself has none) */
PSID SeNtAuthoritySid        = NULL;
PSID SeDialupSid             = NULL;
PSID SeNetworkSid            = NULL;
PSID SeBatchSid              = NULL;
PSID SeInteractiveSid        = NULL;
PSID SeServiceSid            = NULL;
PSID SePrincipalSelfSid      = NULL;
PSID SeLocalSystemSid        = NULL;
PSID SeAuthenticatedUserSid  = NULL;
PSID SeRestrictedCodeSid     = NULL;

/* Built-in domain aliases (two sub-authorities each) */
PSID SeAliasAdminsSid        = NULL;
PSID SeAliasUsersSid         = NULL;
PSID SeAliasGuestsSid        = NULL;
PSID SeAliasPowerUsersSid    = NULL;
PSID SeAliasAccountOpsSid    = NULL;
PSID SeAliasSystemOpsSid     = NULL;
PSID SeAliasPrintOpsSid      = NULL;
PSID SeAliasBackupOpsSid     = NULL;

/* SeAuthenticatedUsersSid and SeRestrictedSid are initialised with the
 * same RIDs as SeAuthenticatedUserSid and SeRestrictedCodeSid above, but
 * live in separate allocations. */
PSID SeAuthenticatedUsersSid = NULL;
PSID SeRestrictedSid         = NULL;
PSID SeAnonymousLogonSid     = NULL;
56
57 /* FUNCTIONS ******************************************************************/
58
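/*
 * Allocates and initialises every well-known SID global of the security
 * manager from paged pool.
 *
 * Returns TRUE when all SIDs were built. Returns FALSE when any pool
 * allocation failed; in that case every SID allocated so far is freed and
 * its global is reset to NULL, so no half-initialised SID is left behind.
 * (The previous version returned FALSE without freeing anything.)
 */
BOOLEAN
INIT_FUNCTION
NTAPI
SepInitSecurityIDs(VOID)
{
    /* One row per well-known SID: the global that receives it, its
     * identifier authority, the number of sub-authorities and their
     * values. Unused sub-authority slots are 0 and never written. */
    struct
    {
        PSID *Sid;
        PSID_IDENTIFIER_AUTHORITY Authority;
        UCHAR SubAuthorityCount;
        ULONG SubAuthority[2];
    } WellKnownSids[] =
    {
        { &SeNullSid,               &SeNullSidAuthority,    1, { SECURITY_NULL_RID, 0 } },
        { &SeWorldSid,              &SeWorldSidAuthority,   1, { SECURITY_WORLD_RID, 0 } },
        { &SeLocalSid,              &SeLocalSidAuthority,   1, { SECURITY_LOCAL_RID, 0 } },
        { &SeCreatorOwnerSid,       &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_OWNER_RID, 0 } },
        { &SeCreatorGroupSid,       &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_GROUP_RID, 0 } },
        { &SeCreatorOwnerServerSid, &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_OWNER_SERVER_RID, 0 } },
        { &SeCreatorGroupServerSid, &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_GROUP_SERVER_RID, 0 } },
        { &SeNtAuthoritySid,        &SeNtSidAuthority,      0, { 0, 0 } },
        { &SeDialupSid,             &SeNtSidAuthority,      1, { SECURITY_DIALUP_RID, 0 } },
        { &SeNetworkSid,            &SeNtSidAuthority,      1, { SECURITY_NETWORK_RID, 0 } },
        { &SeBatchSid,              &SeNtSidAuthority,      1, { SECURITY_BATCH_RID, 0 } },
        { &SeInteractiveSid,        &SeNtSidAuthority,      1, { SECURITY_INTERACTIVE_RID, 0 } },
        { &SeServiceSid,            &SeNtSidAuthority,      1, { SECURITY_SERVICE_RID, 0 } },
        { &SePrincipalSelfSid,      &SeNtSidAuthority,      1, { SECURITY_PRINCIPAL_SELF_RID, 0 } },
        { &SeLocalSystemSid,        &SeNtSidAuthority,      1, { SECURITY_LOCAL_SYSTEM_RID, 0 } },
        { &SeAuthenticatedUserSid,  &SeNtSidAuthority,      1, { SECURITY_AUTHENTICATED_USER_RID, 0 } },
        { &SeRestrictedCodeSid,     &SeNtSidAuthority,      1, { SECURITY_RESTRICTED_CODE_RID, 0 } },
        { &SeAliasAdminsSid,        &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } },
        { &SeAliasUsersSid,         &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } },
        { &SeAliasGuestsSid,        &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_GUESTS } },
        { &SeAliasPowerUsersSid,    &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS } },
        { &SeAliasAccountOpsSid,    &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ACCOUNT_OPS } },
        { &SeAliasSystemOpsSid,     &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_SYSTEM_OPS } },
        { &SeAliasPrintOpsSid,      &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_PRINT_OPS } },
        { &SeAliasBackupOpsSid,     &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_BACKUP_OPS } },
        /* The next two deliberately repeat the RIDs of
         * SeAuthenticatedUserSid and SeRestrictedCodeSid, as before. */
        { &SeAuthenticatedUsersSid, &SeNtSidAuthority,      1, { SECURITY_AUTHENTICATED_USER_RID, 0 } },
        { &SeRestrictedSid,         &SeNtSidAuthority,      1, { SECURITY_RESTRICTED_CODE_RID, 0 } },
        { &SeAnonymousLogonSid,     &SeNtSidAuthority,      1, { SECURITY_ANONYMOUS_LOGON_RID, 0 } },
    };
    const ULONG SidCount = sizeof(WellKnownSids) / sizeof(WellKnownSids[0]);
    ULONG i, j;
    PULONG SubAuthority;

    /* Allocate every SID before touching any of them. */
    for (i = 0; i < SidCount; i++)
    {
        *WellKnownSids[i].Sid =
            ExAllocatePoolWithTag(PagedPool,
                                  RtlLengthRequiredSid(WellKnownSids[i].SubAuthorityCount),
                                  TAG_SID);
        if (*WellKnownSids[i].Sid == NULL)
        {
            /* Undo the allocations made so far instead of leaking them,
             * and leave the globals NULL so nothing can pick up an
             * uninitialised SID. */
            while (i > 0)
            {
                i--;
                ExFreePool(*WellKnownSids[i].Sid);
                *WellKnownSids[i].Sid = NULL;
            }
            return FALSE;
        }
    }

    /* Fill in the header and the sub-authorities of each SID. */
    for (i = 0; i < SidCount; i++)
    {
        RtlInitializeSid(*WellKnownSids[i].Sid,
                         WellKnownSids[i].Authority,
                         WellKnownSids[i].SubAuthorityCount);

        for (j = 0; j < WellKnownSids[i].SubAuthorityCount; j++)
        {
            SubAuthority = RtlSubAuthoritySid(*WellKnownSids[i].Sid, j);
            *SubAuthority = WellKnownSids[i].SubAuthority[j];
        }
    }

    return TRUE;
}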
224
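/*
 * Captures a SID into memory the kernel can rely on.
 *
 * InputSid        - SID supplied by the caller.
 * AccessMode      - Mode of the caller; anything other than KernelMode is
 *                   treated as untrusted and probed under SEH.
 * PoolType        - Pool the copy is allocated from.
 * CaptureIfKernel - For KernelMode callers, TRUE makes a private copy and
 *                   FALSE hands InputSid back unchanged.
 * CapturedSid     - Receives the captured SID on success; not written on
 *                   failure.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the pool
 * allocation fails, or the exception code raised while probing or copying
 * the caller's buffer.
 *
 * The sub-authority count is fetched from the caller's buffer exactly once.
 * The buffer is then read a second time by the copy, and a user-mode caller
 * can change it in between; the copy's count is therefore overwritten with
 * the value the allocation was sized for, so the captured SID never
 * describes more sub-authorities than its allocation holds.
 *
 * NOTE(review): nothing here validates the SID itself (revision, or the
 * sub-authority count against the maximum a SID may carry); confirm that
 * callers validate the captured copy before using it.
 */
NTSTATUS
NTAPI
SepCaptureSid(IN PSID InputSid,
              IN KPROCESSOR_MODE AccessMode,
              IN POOL_TYPE PoolType,
              IN BOOLEAN CaptureIfKernel,
              OUT PSID *CapturedSid)
{
    ULONG SidSize = 0;
    UCHAR SubAuthorityCount = 0;
    PISID NewSid, Sid = (PISID)InputSid;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    if (AccessMode != KernelMode)
    {
        _SEH_TRY
        {
            /* Probe the fixed header first so the count can be read */
            ProbeForRead(Sid,
                         FIELD_OFFSET(SID,
                                      SubAuthority),
                         sizeof(UCHAR));

            /* Single fetch of the caller-controlled count; the volatile
             * access keeps the compiler from re-reading user memory */
            SubAuthorityCount = *(volatile UCHAR *)&Sid->SubAuthorityCount;
            SidSize = RtlLengthRequiredSid(SubAuthorityCount);

            /* Now probe the whole SID */
            ProbeForRead(Sid,
                         SidSize,
                         sizeof(UCHAR));
        }
        _SEH_HANDLE
        {
            Status = _SEH_GetExceptionCode();
        }
        _SEH_END;

        if (NT_SUCCESS(Status))
        {
            /* allocate a SID and copy it */
            NewSid = ExAllocatePool(PoolType,
                                    SidSize);
            if (NewSid != NULL)
            {
                _SEH_TRY
                {
                    RtlCopyMemory(NewSid,
                                  Sid,
                                  SidSize);

                    /* The caller may have changed the count between the
                     * fetch above and this copy; pin it to the value the
                     * allocation was sized for */
                    NewSid->SubAuthorityCount = SubAuthorityCount;

                    *CapturedSid = NewSid;
                }
                _SEH_HANDLE
                {
                    /* The buffer went away during the copy: drop the
                     * partial copy and report the fault */
                    ExFreePool(NewSid);
                    Status = _SEH_GetExceptionCode();
                }
                _SEH_END;
            }
            else
            {
                Status = STATUS_INSUFFICIENT_RESOURCES;
            }
        }
    }
    else if (!CaptureIfKernel)
    {
        /* Trusted caller that did not ask for a copy: pass it through */
        *CapturedSid = InputSid;
        return STATUS_SUCCESS;
    }
    else
    {
        /* Trusted caller that wants a private copy: no probing needed */
        SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);

        /* allocate a SID and copy it */
        NewSid = ExAllocatePool(PoolType,
                                SidSize);
        if (NewSid != NULL)
        {
            RtlCopyMemory(NewSid,
                          Sid,
                          SidSize);

            *CapturedSid = NewSid;
        }
        else
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
        }
    }

    return Status;
}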
314
/*
 * Frees a SID obtained from SepCaptureSid().
 *
 * CapturedSid     - SID to release; NULL is ignored.
 * AccessMode      - Mode that was passed to SepCaptureSid().
 * CaptureIfKernel - Flag that was passed to SepCaptureSid().
 *
 * SepCaptureSid() returns the caller's own pointer for a KernelMode caller
 * with CaptureIfKernel FALSE, so that combination must not be freed here.
 * Passing a different AccessMode/CaptureIfKernel pair than the one used for
 * the capture would either free memory this code does not own or leak the
 * copy.
 */
VOID
NTAPI
SepReleaseSid(IN PSID CapturedSid,
              IN KPROCESSOR_MODE AccessMode,
              IN BOOLEAN CaptureIfKernel)
{
    PAGED_CODE();

    /* Nothing was captured */
    if (CapturedSid == NULL)
    {
        return;
    }

    /* Kernel caller that was handed back its own pointer: not ours to free */
    if (AccessMode == KernelMode && !CaptureIfKernel)
    {
        return;
    }

    ExFreePool(CapturedSid);
}
330
331 /* EOF */