2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/sid.c
5 * PURPOSE: Security manager
7 * PROGRAMMERS: David Welch <welch@cwcom.net>
10 /* INCLUDES *******************************************************************/
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitSecurityIDs)
20 /* GLOBALS ********************************************************************/
22 SID_IDENTIFIER_AUTHORITY SeNullSidAuthority
= {SECURITY_NULL_SID_AUTHORITY
};
23 SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority
= {SECURITY_WORLD_SID_AUTHORITY
};
24 SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority
= {SECURITY_LOCAL_SID_AUTHORITY
};
25 SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority
= {SECURITY_CREATOR_SID_AUTHORITY
};
26 SID_IDENTIFIER_AUTHORITY SeNtSidAuthority
= {SECURITY_NT_AUTHORITY
};
28 PSID SeNullSid
= NULL
;
29 PSID SeWorldSid
= NULL
;
30 PSID SeLocalSid
= NULL
;
31 PSID SeCreatorOwnerSid
= NULL
;
32 PSID SeCreatorGroupSid
= NULL
;
33 PSID SeCreatorOwnerServerSid
= NULL
;
34 PSID SeCreatorGroupServerSid
= NULL
;
35 PSID SeNtAuthoritySid
= NULL
;
36 PSID SeDialupSid
= NULL
;
37 PSID SeNetworkSid
= NULL
;
38 PSID SeBatchSid
= NULL
;
39 PSID SeInteractiveSid
= NULL
;
40 PSID SeServiceSid
= NULL
;
41 PSID SePrincipalSelfSid
= NULL
;
42 PSID SeLocalSystemSid
= NULL
;
43 PSID SeAuthenticatedUserSid
= NULL
;
44 PSID SeRestrictedCodeSid
= NULL
;
45 PSID SeAliasAdminsSid
= NULL
;
46 PSID SeAliasUsersSid
= NULL
;
47 PSID SeAliasGuestsSid
= NULL
;
48 PSID SeAliasPowerUsersSid
= NULL
;
49 PSID SeAliasAccountOpsSid
= NULL
;
50 PSID SeAliasSystemOpsSid
= NULL
;
51 PSID SeAliasPrintOpsSid
= NULL
;
52 PSID SeAliasBackupOpsSid
= NULL
;
53 PSID SeAuthenticatedUsersSid
= NULL
;
54 PSID SeRestrictedSid
= NULL
;
55 PSID SeAnonymousLogonSid
= NULL
;
57 /* FUNCTIONS ******************************************************************/
62 SepInitSecurityIDs(VOID
)
69 SidLength0
= RtlLengthRequiredSid(0);
70 SidLength1
= RtlLengthRequiredSid(1);
71 SidLength2
= RtlLengthRequiredSid(2);
74 SeNullSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
75 SeWorldSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
76 SeLocalSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
77 SeCreatorOwnerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
78 SeCreatorGroupSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
79 SeCreatorOwnerServerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
80 SeCreatorGroupServerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
81 SeNtAuthoritySid
= ExAllocatePoolWithTag(PagedPool
, SidLength0
, TAG_SID
);
82 SeDialupSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
83 SeNetworkSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
84 SeBatchSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
85 SeInteractiveSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
86 SeServiceSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
87 SePrincipalSelfSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
88 SeLocalSystemSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
89 SeAuthenticatedUserSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
90 SeRestrictedCodeSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
91 SeAliasAdminsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
92 SeAliasUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
93 SeAliasGuestsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
94 SeAliasPowerUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
95 SeAliasAccountOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
96 SeAliasSystemOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
97 SeAliasPrintOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
98 SeAliasBackupOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
99 SeAuthenticatedUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
100 SeRestrictedSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
101 SeAnonymousLogonSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
103 if (SeNullSid
== NULL
|| SeWorldSid
== NULL
||
104 SeLocalSid
== NULL
|| SeCreatorOwnerSid
== NULL
||
105 SeCreatorGroupSid
== NULL
|| SeCreatorOwnerServerSid
== NULL
||
106 SeCreatorGroupServerSid
== NULL
|| SeNtAuthoritySid
== NULL
||
107 SeDialupSid
== NULL
|| SeNetworkSid
== NULL
|| SeBatchSid
== NULL
||
108 SeInteractiveSid
== NULL
|| SeServiceSid
== NULL
||
109 SePrincipalSelfSid
== NULL
|| SeLocalSystemSid
== NULL
||
110 SeAuthenticatedUserSid
== NULL
|| SeRestrictedCodeSid
== NULL
||
111 SeAliasAdminsSid
== NULL
|| SeAliasUsersSid
== NULL
||
112 SeAliasGuestsSid
== NULL
|| SeAliasPowerUsersSid
== NULL
||
113 SeAliasAccountOpsSid
== NULL
|| SeAliasSystemOpsSid
== NULL
||
114 SeAliasPrintOpsSid
== NULL
|| SeAliasBackupOpsSid
== NULL
||
115 SeAuthenticatedUsersSid
== NULL
|| SeRestrictedSid
== NULL
||
116 SeAnonymousLogonSid
== NULL
)
118 /* FIXME: We're leaking memory here. */
122 RtlInitializeSid(SeNullSid
, &SeNullSidAuthority
, 1);
123 RtlInitializeSid(SeWorldSid
, &SeWorldSidAuthority
, 1);
124 RtlInitializeSid(SeLocalSid
, &SeLocalSidAuthority
, 1);
125 RtlInitializeSid(SeCreatorOwnerSid
, &SeCreatorSidAuthority
, 1);
126 RtlInitializeSid(SeCreatorGroupSid
, &SeCreatorSidAuthority
, 1);
127 RtlInitializeSid(SeCreatorOwnerServerSid
, &SeCreatorSidAuthority
, 1);
128 RtlInitializeSid(SeCreatorGroupServerSid
, &SeCreatorSidAuthority
, 1);
129 RtlInitializeSid(SeNtAuthoritySid
, &SeNtSidAuthority
, 0);
130 RtlInitializeSid(SeDialupSid
, &SeNtSidAuthority
, 1);
131 RtlInitializeSid(SeNetworkSid
, &SeNtSidAuthority
, 1);
132 RtlInitializeSid(SeBatchSid
, &SeNtSidAuthority
, 1);
133 RtlInitializeSid(SeInteractiveSid
, &SeNtSidAuthority
, 1);
134 RtlInitializeSid(SeServiceSid
, &SeNtSidAuthority
, 1);
135 RtlInitializeSid(SePrincipalSelfSid
, &SeNtSidAuthority
, 1);
136 RtlInitializeSid(SeLocalSystemSid
, &SeNtSidAuthority
, 1);
137 RtlInitializeSid(SeAuthenticatedUserSid
, &SeNtSidAuthority
, 1);
138 RtlInitializeSid(SeRestrictedCodeSid
, &SeNtSidAuthority
, 1);
139 RtlInitializeSid(SeAliasAdminsSid
, &SeNtSidAuthority
, 2);
140 RtlInitializeSid(SeAliasUsersSid
, &SeNtSidAuthority
, 2);
141 RtlInitializeSid(SeAliasGuestsSid
, &SeNtSidAuthority
, 2);
142 RtlInitializeSid(SeAliasPowerUsersSid
, &SeNtSidAuthority
, 2);
143 RtlInitializeSid(SeAliasAccountOpsSid
, &SeNtSidAuthority
, 2);
144 RtlInitializeSid(SeAliasSystemOpsSid
, &SeNtSidAuthority
, 2);
145 RtlInitializeSid(SeAliasPrintOpsSid
, &SeNtSidAuthority
, 2);
146 RtlInitializeSid(SeAliasBackupOpsSid
, &SeNtSidAuthority
, 2);
147 RtlInitializeSid(SeAuthenticatedUsersSid
, &SeNtSidAuthority
, 1);
148 RtlInitializeSid(SeRestrictedSid
, &SeNtSidAuthority
, 1);
149 RtlInitializeSid(SeAnonymousLogonSid
, &SeNtSidAuthority
, 1);
151 SubAuthority
= RtlSubAuthoritySid(SeNullSid
, 0);
152 *SubAuthority
= SECURITY_NULL_RID
;
153 SubAuthority
= RtlSubAuthoritySid(SeWorldSid
, 0);
154 *SubAuthority
= SECURITY_WORLD_RID
;
155 SubAuthority
= RtlSubAuthoritySid(SeLocalSid
, 0);
156 *SubAuthority
= SECURITY_LOCAL_RID
;
157 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerSid
, 0);
158 *SubAuthority
= SECURITY_CREATOR_OWNER_RID
;
159 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupSid
, 0);
160 *SubAuthority
= SECURITY_CREATOR_GROUP_RID
;
161 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerServerSid
, 0);
162 *SubAuthority
= SECURITY_CREATOR_OWNER_SERVER_RID
;
163 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupServerSid
, 0);
164 *SubAuthority
= SECURITY_CREATOR_GROUP_SERVER_RID
;
165 SubAuthority
= RtlSubAuthoritySid(SeDialupSid
, 0);
166 *SubAuthority
= SECURITY_DIALUP_RID
;
167 SubAuthority
= RtlSubAuthoritySid(SeNetworkSid
, 0);
168 *SubAuthority
= SECURITY_NETWORK_RID
;
169 SubAuthority
= RtlSubAuthoritySid(SeBatchSid
, 0);
170 *SubAuthority
= SECURITY_BATCH_RID
;
171 SubAuthority
= RtlSubAuthoritySid(SeInteractiveSid
, 0);
172 *SubAuthority
= SECURITY_INTERACTIVE_RID
;
173 SubAuthority
= RtlSubAuthoritySid(SeServiceSid
, 0);
174 *SubAuthority
= SECURITY_SERVICE_RID
;
175 SubAuthority
= RtlSubAuthoritySid(SePrincipalSelfSid
, 0);
176 *SubAuthority
= SECURITY_PRINCIPAL_SELF_RID
;
177 SubAuthority
= RtlSubAuthoritySid(SeLocalSystemSid
, 0);
178 *SubAuthority
= SECURITY_LOCAL_SYSTEM_RID
;
179 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUserSid
, 0);
180 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
181 SubAuthority
= RtlSubAuthoritySid(SeRestrictedCodeSid
, 0);
182 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
183 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
, 0);
184 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
185 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
, 1);
186 *SubAuthority
= DOMAIN_ALIAS_RID_ADMINS
;
187 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
, 0);
188 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
189 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
, 1);
190 *SubAuthority
= DOMAIN_ALIAS_RID_USERS
;
191 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
, 0);
192 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
193 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
, 1);
194 *SubAuthority
= DOMAIN_ALIAS_RID_GUESTS
;
195 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
, 0);
196 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
197 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
, 1);
198 *SubAuthority
= DOMAIN_ALIAS_RID_POWER_USERS
;
199 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
, 0);
200 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
201 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
, 1);
202 *SubAuthority
= DOMAIN_ALIAS_RID_ACCOUNT_OPS
;
203 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
, 0);
204 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
205 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
, 1);
206 *SubAuthority
= DOMAIN_ALIAS_RID_SYSTEM_OPS
;
207 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
, 0);
208 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
209 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
, 1);
210 *SubAuthority
= DOMAIN_ALIAS_RID_PRINT_OPS
;
211 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
, 0);
212 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
213 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
, 1);
214 *SubAuthority
= DOMAIN_ALIAS_RID_BACKUP_OPS
;
215 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUsersSid
, 0);
216 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
217 SubAuthority
= RtlSubAuthoritySid(SeRestrictedSid
, 0);
218 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
219 SubAuthority
= RtlSubAuthoritySid(SeAnonymousLogonSid
, 0);
220 *SubAuthority
= SECURITY_ANONYMOUS_LOGON_RID
;
227 SepCaptureSid(IN PSID InputSid
,
228 IN KPROCESSOR_MODE AccessMode
,
229 IN POOL_TYPE PoolType
,
230 IN BOOLEAN CaptureIfKernel
,
231 OUT PSID
*CapturedSid
)
234 PISID NewSid
, Sid
= (PISID
)InputSid
;
235 NTSTATUS Status
= STATUS_SUCCESS
;
239 if(AccessMode
!= KernelMode
)
247 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
254 Status
= _SEH_GetExceptionCode();
258 if(NT_SUCCESS(Status
))
260 /* allocate a SID and copy it */
261 NewSid
= ExAllocatePool(PoolType
,
267 RtlCopyMemory(NewSid
,
271 *CapturedSid
= NewSid
;
276 Status
= _SEH_GetExceptionCode();
282 Status
= STATUS_INSUFFICIENT_RESOURCES
;
286 else if(!CaptureIfKernel
)
288 *CapturedSid
= InputSid
;
289 return STATUS_SUCCESS
;
293 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
295 /* allocate a SID and copy it */
296 NewSid
= ExAllocatePool(PoolType
,
300 RtlCopyMemory(NewSid
,
304 *CapturedSid
= NewSid
;
308 Status
= STATUS_INSUFFICIENT_RESOURCES
;
317 SepReleaseSid(IN PSID CapturedSid
,
318 IN KPROCESSOR_MODE AccessMode
,
319 IN BOOLEAN CaptureIfKernel
)
323 if(CapturedSid
!= NULL
&&
324 (AccessMode
!= KernelMode
||
325 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
327 ExFreePool(CapturedSid
);