2 * COPYRIGHT: See COPYING in the top level directory
3 * PROJECT: ReactOS kernel
4 * FILE: ntoskrnl/se/sid.c
5 * PURPOSE: Security manager
7 * PROGRAMMERS: David Welch <welch@cwcom.net>
10 /* INCLUDES *******************************************************************/
16 #if defined (ALLOC_PRAGMA)
17 #pragma alloc_text(INIT, SepInitSecurityIDs)
20 /* GLOBALS ********************************************************************/
22 SID_IDENTIFIER_AUTHORITY SeNullSidAuthority
= {SECURITY_NULL_SID_AUTHORITY
};
23 SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority
= {SECURITY_WORLD_SID_AUTHORITY
};
24 SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority
= {SECURITY_LOCAL_SID_AUTHORITY
};
25 SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority
= {SECURITY_CREATOR_SID_AUTHORITY
};
26 SID_IDENTIFIER_AUTHORITY SeNtSidAuthority
= {SECURITY_NT_AUTHORITY
};
28 PSID SeNullSid
= NULL
;
29 PSID SeWorldSid
= NULL
;
30 PSID SeLocalSid
= NULL
;
31 PSID SeCreatorOwnerSid
= NULL
;
32 PSID SeCreatorGroupSid
= NULL
;
33 PSID SeCreatorOwnerServerSid
= NULL
;
34 PSID SeCreatorGroupServerSid
= NULL
;
35 PSID SeNtAuthoritySid
= NULL
;
36 PSID SeDialupSid
= NULL
;
37 PSID SeNetworkSid
= NULL
;
38 PSID SeBatchSid
= NULL
;
39 PSID SeInteractiveSid
= NULL
;
40 PSID SeServiceSid
= NULL
;
41 PSID SePrincipalSelfSid
= NULL
;
42 PSID SeLocalSystemSid
= NULL
;
43 PSID SeAuthenticatedUserSid
= NULL
;
44 PSID SeRestrictedCodeSid
= NULL
;
45 PSID SeAliasAdminsSid
= NULL
;
46 PSID SeAliasUsersSid
= NULL
;
47 PSID SeAliasGuestsSid
= NULL
;
48 PSID SeAliasPowerUsersSid
= NULL
;
49 PSID SeAliasAccountOpsSid
= NULL
;
50 PSID SeAliasSystemOpsSid
= NULL
;
51 PSID SeAliasPrintOpsSid
= NULL
;
52 PSID SeAliasBackupOpsSid
= NULL
;
53 PSID SeAuthenticatedUsersSid
= NULL
;
54 PSID SeRestrictedSid
= NULL
;
55 PSID SeAnonymousLogonSid
= NULL
;
57 /* FUNCTIONS ******************************************************************/
61 FreeInitializedSids(VOID
)
63 if (SeNullSid
) ExFreePool(SeNullSid
);
64 if (SeWorldSid
) ExFreePool(SeWorldSid
);
65 if (SeLocalSid
) ExFreePool(SeLocalSid
);
66 if (SeCreatorOwnerSid
) ExFreePool(SeCreatorOwnerSid
);
67 if (SeCreatorGroupSid
) ExFreePool(SeCreatorGroupSid
);
68 if (SeCreatorOwnerServerSid
) ExFreePool(SeCreatorOwnerServerSid
);
69 if (SeCreatorGroupServerSid
) ExFreePool(SeCreatorGroupServerSid
);
70 if (SeNtAuthoritySid
) ExFreePool(SeNtAuthoritySid
);
71 if (SeDialupSid
) ExFreePool(SeDialupSid
);
72 if (SeNetworkSid
) ExFreePool(SeNetworkSid
);
73 if (SeBatchSid
) ExFreePool(SeBatchSid
);
74 if (SeInteractiveSid
) ExFreePool(SeInteractiveSid
);
75 if (SeServiceSid
) ExFreePool(SeServiceSid
);
76 if (SePrincipalSelfSid
) ExFreePool(SePrincipalSelfSid
);
77 if (SeLocalSystemSid
) ExFreePool(SeLocalSystemSid
);
78 if (SeAuthenticatedUserSid
) ExFreePool(SeAuthenticatedUserSid
);
79 if (SeRestrictedCodeSid
) ExFreePool(SeRestrictedCodeSid
);
80 if (SeAliasAdminsSid
) ExFreePool(SeAliasAdminsSid
);
81 if (SeAliasUsersSid
) ExFreePool(SeAliasUsersSid
);
82 if (SeAliasGuestsSid
) ExFreePool(SeAliasGuestsSid
);
83 if (SeAliasPowerUsersSid
) ExFreePool(SeAliasPowerUsersSid
);
84 if (SeAliasAccountOpsSid
) ExFreePool(SeAliasAccountOpsSid
);
85 if (SeAliasSystemOpsSid
) ExFreePool(SeAliasSystemOpsSid
);
86 if (SeAliasPrintOpsSid
) ExFreePool(SeAliasPrintOpsSid
);
87 if (SeAliasBackupOpsSid
) ExFreePool(SeAliasBackupOpsSid
);
88 if (SeAuthenticatedUsersSid
) ExFreePool(SeAuthenticatedUsersSid
);
89 if (SeRestrictedSid
) ExFreePool(SeRestrictedSid
);
90 if (SeAnonymousLogonSid
) ExFreePool(SeAnonymousLogonSid
);
96 SepInitSecurityIDs(VOID
)
103 SidLength0
= RtlLengthRequiredSid(0);
104 SidLength1
= RtlLengthRequiredSid(1);
105 SidLength2
= RtlLengthRequiredSid(2);
108 SeNullSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
109 SeWorldSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
110 SeLocalSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
111 SeCreatorOwnerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
112 SeCreatorGroupSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
113 SeCreatorOwnerServerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
114 SeCreatorGroupServerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
115 SeNtAuthoritySid
= ExAllocatePoolWithTag(PagedPool
, SidLength0
, TAG_SID
);
116 SeDialupSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
117 SeNetworkSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
118 SeBatchSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
119 SeInteractiveSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
120 SeServiceSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
121 SePrincipalSelfSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
122 SeLocalSystemSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
123 SeAuthenticatedUserSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
124 SeRestrictedCodeSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
125 SeAliasAdminsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
126 SeAliasUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
127 SeAliasGuestsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
128 SeAliasPowerUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
129 SeAliasAccountOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
130 SeAliasSystemOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
131 SeAliasPrintOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
132 SeAliasBackupOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
133 SeAuthenticatedUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
134 SeRestrictedSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
135 SeAnonymousLogonSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
137 if (SeNullSid
== NULL
|| SeWorldSid
== NULL
||
138 SeLocalSid
== NULL
|| SeCreatorOwnerSid
== NULL
||
139 SeCreatorGroupSid
== NULL
|| SeCreatorOwnerServerSid
== NULL
||
140 SeCreatorGroupServerSid
== NULL
|| SeNtAuthoritySid
== NULL
||
141 SeDialupSid
== NULL
|| SeNetworkSid
== NULL
|| SeBatchSid
== NULL
||
142 SeInteractiveSid
== NULL
|| SeServiceSid
== NULL
||
143 SePrincipalSelfSid
== NULL
|| SeLocalSystemSid
== NULL
||
144 SeAuthenticatedUserSid
== NULL
|| SeRestrictedCodeSid
== NULL
||
145 SeAliasAdminsSid
== NULL
|| SeAliasUsersSid
== NULL
||
146 SeAliasGuestsSid
== NULL
|| SeAliasPowerUsersSid
== NULL
||
147 SeAliasAccountOpsSid
== NULL
|| SeAliasSystemOpsSid
== NULL
||
148 SeAliasPrintOpsSid
== NULL
|| SeAliasBackupOpsSid
== NULL
||
149 SeAuthenticatedUsersSid
== NULL
|| SeRestrictedSid
== NULL
||
150 SeAnonymousLogonSid
== NULL
)
152 FreeInitializedSids();
156 RtlInitializeSid(SeNullSid
, &SeNullSidAuthority
, 1);
157 RtlInitializeSid(SeWorldSid
, &SeWorldSidAuthority
, 1);
158 RtlInitializeSid(SeLocalSid
, &SeLocalSidAuthority
, 1);
159 RtlInitializeSid(SeCreatorOwnerSid
, &SeCreatorSidAuthority
, 1);
160 RtlInitializeSid(SeCreatorGroupSid
, &SeCreatorSidAuthority
, 1);
161 RtlInitializeSid(SeCreatorOwnerServerSid
, &SeCreatorSidAuthority
, 1);
162 RtlInitializeSid(SeCreatorGroupServerSid
, &SeCreatorSidAuthority
, 1);
163 RtlInitializeSid(SeNtAuthoritySid
, &SeNtSidAuthority
, 0);
164 RtlInitializeSid(SeDialupSid
, &SeNtSidAuthority
, 1);
165 RtlInitializeSid(SeNetworkSid
, &SeNtSidAuthority
, 1);
166 RtlInitializeSid(SeBatchSid
, &SeNtSidAuthority
, 1);
167 RtlInitializeSid(SeInteractiveSid
, &SeNtSidAuthority
, 1);
168 RtlInitializeSid(SeServiceSid
, &SeNtSidAuthority
, 1);
169 RtlInitializeSid(SePrincipalSelfSid
, &SeNtSidAuthority
, 1);
170 RtlInitializeSid(SeLocalSystemSid
, &SeNtSidAuthority
, 1);
171 RtlInitializeSid(SeAuthenticatedUserSid
, &SeNtSidAuthority
, 1);
172 RtlInitializeSid(SeRestrictedCodeSid
, &SeNtSidAuthority
, 1);
173 RtlInitializeSid(SeAliasAdminsSid
, &SeNtSidAuthority
, 2);
174 RtlInitializeSid(SeAliasUsersSid
, &SeNtSidAuthority
, 2);
175 RtlInitializeSid(SeAliasGuestsSid
, &SeNtSidAuthority
, 2);
176 RtlInitializeSid(SeAliasPowerUsersSid
, &SeNtSidAuthority
, 2);
177 RtlInitializeSid(SeAliasAccountOpsSid
, &SeNtSidAuthority
, 2);
178 RtlInitializeSid(SeAliasSystemOpsSid
, &SeNtSidAuthority
, 2);
179 RtlInitializeSid(SeAliasPrintOpsSid
, &SeNtSidAuthority
, 2);
180 RtlInitializeSid(SeAliasBackupOpsSid
, &SeNtSidAuthority
, 2);
181 RtlInitializeSid(SeAuthenticatedUsersSid
, &SeNtSidAuthority
, 1);
182 RtlInitializeSid(SeRestrictedSid
, &SeNtSidAuthority
, 1);
183 RtlInitializeSid(SeAnonymousLogonSid
, &SeNtSidAuthority
, 1);
185 SubAuthority
= RtlSubAuthoritySid(SeNullSid
, 0);
186 *SubAuthority
= SECURITY_NULL_RID
;
187 SubAuthority
= RtlSubAuthoritySid(SeWorldSid
, 0);
188 *SubAuthority
= SECURITY_WORLD_RID
;
189 SubAuthority
= RtlSubAuthoritySid(SeLocalSid
, 0);
190 *SubAuthority
= SECURITY_LOCAL_RID
;
191 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerSid
, 0);
192 *SubAuthority
= SECURITY_CREATOR_OWNER_RID
;
193 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupSid
, 0);
194 *SubAuthority
= SECURITY_CREATOR_GROUP_RID
;
195 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerServerSid
, 0);
196 *SubAuthority
= SECURITY_CREATOR_OWNER_SERVER_RID
;
197 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupServerSid
, 0);
198 *SubAuthority
= SECURITY_CREATOR_GROUP_SERVER_RID
;
199 SubAuthority
= RtlSubAuthoritySid(SeDialupSid
, 0);
200 *SubAuthority
= SECURITY_DIALUP_RID
;
201 SubAuthority
= RtlSubAuthoritySid(SeNetworkSid
, 0);
202 *SubAuthority
= SECURITY_NETWORK_RID
;
203 SubAuthority
= RtlSubAuthoritySid(SeBatchSid
, 0);
204 *SubAuthority
= SECURITY_BATCH_RID
;
205 SubAuthority
= RtlSubAuthoritySid(SeInteractiveSid
, 0);
206 *SubAuthority
= SECURITY_INTERACTIVE_RID
;
207 SubAuthority
= RtlSubAuthoritySid(SeServiceSid
, 0);
208 *SubAuthority
= SECURITY_SERVICE_RID
;
209 SubAuthority
= RtlSubAuthoritySid(SePrincipalSelfSid
, 0);
210 *SubAuthority
= SECURITY_PRINCIPAL_SELF_RID
;
211 SubAuthority
= RtlSubAuthoritySid(SeLocalSystemSid
, 0);
212 *SubAuthority
= SECURITY_LOCAL_SYSTEM_RID
;
213 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUserSid
, 0);
214 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
215 SubAuthority
= RtlSubAuthoritySid(SeRestrictedCodeSid
, 0);
216 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
217 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
, 0);
218 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
219 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
, 1);
220 *SubAuthority
= DOMAIN_ALIAS_RID_ADMINS
;
221 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
, 0);
222 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
223 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
, 1);
224 *SubAuthority
= DOMAIN_ALIAS_RID_USERS
;
225 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
, 0);
226 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
227 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
, 1);
228 *SubAuthority
= DOMAIN_ALIAS_RID_GUESTS
;
229 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
, 0);
230 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
231 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
, 1);
232 *SubAuthority
= DOMAIN_ALIAS_RID_POWER_USERS
;
233 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
, 0);
234 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
235 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
, 1);
236 *SubAuthority
= DOMAIN_ALIAS_RID_ACCOUNT_OPS
;
237 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
, 0);
238 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
239 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
, 1);
240 *SubAuthority
= DOMAIN_ALIAS_RID_SYSTEM_OPS
;
241 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
, 0);
242 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
243 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
, 1);
244 *SubAuthority
= DOMAIN_ALIAS_RID_PRINT_OPS
;
245 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
, 0);
246 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
247 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
, 1);
248 *SubAuthority
= DOMAIN_ALIAS_RID_BACKUP_OPS
;
249 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUsersSid
, 0);
250 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
251 SubAuthority
= RtlSubAuthoritySid(SeRestrictedSid
, 0);
252 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
253 SubAuthority
= RtlSubAuthoritySid(SeAnonymousLogonSid
, 0);
254 *SubAuthority
= SECURITY_ANONYMOUS_LOGON_RID
;
261 SepCaptureSid(IN PSID InputSid
,
262 IN KPROCESSOR_MODE AccessMode
,
263 IN POOL_TYPE PoolType
,
264 IN BOOLEAN CaptureIfKernel
,
265 OUT PSID
*CapturedSid
)
268 PISID NewSid
, Sid
= (PISID
)InputSid
;
273 if (AccessMode
!= KernelMode
)
281 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
286 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
288 /* Return the exception code */
289 _SEH2_YIELD(return _SEH2_GetExceptionCode());
293 /* allocate a SID and copy it */
294 NewSid
= ExAllocatePool(PoolType
,
300 RtlCopyMemory(NewSid
,
304 *CapturedSid
= NewSid
;
306 _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER
)
308 /* Free the SID and return the exception code */
310 _SEH2_YIELD(return _SEH2_GetExceptionCode());
316 Status
= STATUS_INSUFFICIENT_RESOURCES
;
319 else if (!CaptureIfKernel
)
321 *CapturedSid
= InputSid
;
322 return STATUS_SUCCESS
;
326 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
328 /* allocate a SID and copy it */
329 NewSid
= ExAllocatePool(PoolType
,
333 RtlCopyMemory(NewSid
,
337 *CapturedSid
= NewSid
;
341 Status
= STATUS_INSUFFICIENT_RESOURCES
;
350 SepReleaseSid(IN PSID CapturedSid
,
351 IN KPROCESSOR_MODE AccessMode
,
352 IN BOOLEAN CaptureIfKernel
)
356 if (CapturedSid
!= NULL
&&
357 (AccessMode
!= KernelMode
||
358 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
360 ExFreePool(CapturedSid
);