1 /*
2 * PROJECT: Local Security Authority Server DLL
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: dll/win32/lsasrv/security.c
5 * PURPOSE: LSA object security functions
6 * COPYRIGHT: Copyright 2012 Eric Kohl
7 */
8
9 #include "lsasrv.h"
10
11 /* FUNCTIONS ***************************************************************/
12
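/*
 * Builds the security descriptor for the LSA policy object and returns it
 * in self-relative form.
 *
 * Owner is BUILTIN\Administrators and the primary group is LocalSystem.
 * The DACL holds, in this order:
 *   1. deny  Anonymous        POLICY_LOOKUP_NAMES
 *   2. allow Administrators   POLICY_ALL_ACCESS | POLICY_NOTIFICATION
 *   3. allow Everyone         POLICY_EXECUTE
 *   4. allow Anonymous        POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION
 *   5. allow LocalService     POLICY_NOTIFICATION
 *   6. allow NetworkService   POLICY_NOTIFICATION
 * LocalSystem gets no ACE of its own; it is only used as the group SID.
 *
 * PolicySd     - receives a buffer allocated from the process heap; on
 *                success the caller owns it and has to release it.
 * PolicySdSize - receives the size of that buffer in bytes.
 *
 * Returns STATUS_INVALID_PARAMETER if either pointer is NULL,
 * STATUS_INSUFFICIENT_RESOURCES if a heap allocation fails, otherwise the
 * status of the first Rtl call that failed. On any failure *PolicySd stays
 * NULL and *PolicySdSize stays 0.
 */
NTSTATUS
LsapCreatePolicySd(PSECURITY_DESCRIPTOR *PolicySd,
                   PULONG PolicySdSize)
{
    SECURITY_DESCRIPTOR AbsoluteSd;
    PSECURITY_DESCRIPTOR RelativeSd = NULL;
    ULONG RelativeSdSize = 0;
    PSID AnonymousSid = NULL;
    PSID AdministratorsSid = NULL;
    PSID EveryoneSid = NULL;
    PSID LocalServiceSid = NULL;
    PSID NetworkServiceSid = NULL;
    PSID LocalSystemSid = NULL;
    PACL Dacl = NULL;
    ULONG DaclSize;
    NTSTATUS Status;

    if (PolicySd == NULL || PolicySdSize == NULL)
        return STATUS_INVALID_PARAMETER;

    /* Outputs are only filled in once the whole descriptor has been built */
    *PolicySd = NULL;
    *PolicySdSize = 0;

    /* Initialize the SD */
    Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
                                         SECURITY_DESCRIPTOR_REVISION);
    if (!NT_SUCCESS(Status))
        return Status;

    /* Create the well-known SIDs referenced by the descriptor */
    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         1,
                                         SECURITY_ANONYMOUS_LOGON_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &AnonymousSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         2,
                                         SECURITY_BUILTIN_DOMAIN_RID,
                                         DOMAIN_ALIAS_RID_ADMINS,
                                         0, 0, 0, 0, 0, 0,
                                         &AdministratorsSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
                                         1,
                                         SECURITY_WORLD_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &EveryoneSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         1,
                                         SECURITY_LOCAL_SERVICE_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &LocalServiceSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         1,
                                         SECURITY_NETWORK_SERVICE_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &NetworkServiceSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         1,
                                         SECURITY_LOCAL_SYSTEM_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &LocalSystemSid);
    if (!NT_SUCCESS(Status))
        goto done;

    /*
     * Allocate and initialize the DACL.
     * One term per ACE added below: the ACE structure minus its trailing
     * ULONG SID placeholder, plus the real SID length. AnonymousSid is
     * counted twice because it gets a deny ACE and an allow ACE.
     */
    DaclSize = sizeof(ACL) +
               sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(LocalServiceSid) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(NetworkServiceSid);

    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                           HEAP_ZERO_MEMORY,
                           DaclSize);
    if (Dacl == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto done;
    }

    Status = RtlCreateAcl(Dacl,
                          DaclSize,
                          ACL_REVISION);
    if (!NT_SUCCESS(Status))
        goto done;

    /* The deny ACE goes first so that it is evaluated before any allow ACE */
    Status = RtlAddAccessDeniedAce(Dacl,
                                   ACL_REVISION,
                                   POLICY_LOOKUP_NAMES,
                                   AnonymousSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    POLICY_ALL_ACCESS | POLICY_NOTIFICATION,
                                    AdministratorsSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    POLICY_EXECUTE,
                                    EveryoneSid);
    if (!NT_SUCCESS(Status))
        goto done;

    /*
     * NOTE(review): POLICY_LOOKUP_NAMES is also denied to this SID by the
     * first ACE, so with in-order ACE evaluation only
     * POLICY_VIEW_LOCAL_INFORMATION is expected to be effective here.
     * Confirm that anonymous read access to policy information is intended.
     */
    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,
                                    AnonymousSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    POLICY_NOTIFICATION,
                                    LocalServiceSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    POLICY_NOTIFICATION,
                                    NetworkServiceSid);
    if (!NT_SUCCESS(Status))
        goto done;

    /* Attach DACL, group and owner to the absolute SD */
    Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
                                          TRUE,
                                          Dacl,
                                          FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
                                           LocalSystemSid,
                                           FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
                                           AdministratorsSid,
                                           FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    /* Sizing call: RelativeSd is still NULL and RelativeSdSize is 0 */
    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
                                         RelativeSd,
                                         &RelativeSdSize);
    if (Status != STATUS_BUFFER_TOO_SMALL)
    {
        /*
         * Fail closed: a success status here would otherwise be returned
         * to the caller together with a NULL descriptor and a size of 0.
         */
        if (NT_SUCCESS(Status))
            Status = STATUS_UNSUCCESSFUL;
        goto done;
    }

    RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
                                 HEAP_ZERO_MEMORY,
                                 RelativeSdSize);
    if (RelativeSd == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto done;
    }

    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
                                         RelativeSd,
                                         &RelativeSdSize);
    if (!NT_SUCCESS(Status))
        goto done;

    *PolicySd = RelativeSd;
    *PolicySdSize = RelativeSdSize;

done:
    /*
     * The self-relative SD is a separate buffer, so the DACL and the SIDs
     * are released on every path.
     * NOTE(review): the SIDs come from RtlAllocateAndInitializeSid and are
     * freed with RtlFreeHeap on the process heap; confirm that this matches
     * the allocator that routine uses.
     */
    if (Dacl != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

    if (AnonymousSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid);

    if (AdministratorsSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);

    if (EveryoneSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);

    if (LocalServiceSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid);

    if (NetworkServiceSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid);

    if (LocalSystemSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);

    /* The result buffer is only released when it is not handed out */
    if (!NT_SUCCESS(Status))
    {
        if (RelativeSd != NULL)
            RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
    }

    return Status;
}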
265
266
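/*
 * Builds the security descriptor for an LSA account object and returns it
 * in self-relative form.
 *
 * Owner is BUILTIN\Administrators and the primary group is LocalSystem.
 * The DACL holds, in this order:
 *   1. allow Administrators   ACCOUNT_ALL_ACCESS
 *   2. allow Everyone         ACCOUNT_EXECUTE
 * LocalSystem gets no ACE of its own; it is only used as the group SID.
 *
 * AccountSd     - receives a buffer allocated from the process heap; on
 *                 success the caller owns it and has to release it.
 * AccountSdSize - receives the size of that buffer in bytes.
 *
 * Returns STATUS_INVALID_PARAMETER if either pointer is NULL,
 * STATUS_INSUFFICIENT_RESOURCES if a heap allocation fails, otherwise the
 * status of the first Rtl call that failed. On any failure *AccountSd stays
 * NULL and *AccountSdSize stays 0.
 */
NTSTATUS
LsapCreateAccountSd(PSECURITY_DESCRIPTOR *AccountSd,
                    PULONG AccountSdSize)
{
    SECURITY_DESCRIPTOR AbsoluteSd;
    PSECURITY_DESCRIPTOR RelativeSd = NULL;
    ULONG RelativeSdSize = 0;
    PSID AdministratorsSid = NULL;
    PSID EveryoneSid = NULL;
    PSID LocalSystemSid = NULL;
    PACL Dacl = NULL;
    ULONG DaclSize;
    NTSTATUS Status;

    if (AccountSd == NULL || AccountSdSize == NULL)
        return STATUS_INVALID_PARAMETER;

    /* Outputs are only filled in once the whole descriptor has been built */
    *AccountSd = NULL;
    *AccountSdSize = 0;

    /* Initialize the SD */
    Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
                                         SECURITY_DESCRIPTOR_REVISION);
    if (!NT_SUCCESS(Status))
        return Status;

    /* Create the well-known SIDs referenced by the descriptor */
    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         2,
                                         SECURITY_BUILTIN_DOMAIN_RID,
                                         DOMAIN_ALIAS_RID_ADMINS,
                                         0, 0, 0, 0, 0, 0,
                                         &AdministratorsSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
                                         1,
                                         SECURITY_WORLD_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &EveryoneSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         1,
                                         SECURITY_LOCAL_SYSTEM_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &LocalSystemSid);
    if (!NT_SUCCESS(Status))
        goto done;

    /*
     * Allocate and initialize the DACL.
     * One term per ACE added below: the ACE structure minus its trailing
     * ULONG SID placeholder, plus the real SID length.
     */
    DaclSize = sizeof(ACL) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);

    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                           HEAP_ZERO_MEMORY,
                           DaclSize);
    if (Dacl == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto done;
    }

    Status = RtlCreateAcl(Dacl,
                          DaclSize,
                          ACL_REVISION);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    ACCOUNT_ALL_ACCESS,
                                    AdministratorsSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    ACCOUNT_EXECUTE,
                                    EveryoneSid);
    if (!NT_SUCCESS(Status))
        goto done;

    /* Attach DACL, group and owner to the absolute SD */
    Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
                                          TRUE,
                                          Dacl,
                                          FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
                                           LocalSystemSid,
                                           FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
                                           AdministratorsSid,
                                           FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    /* Sizing call: RelativeSd is still NULL and RelativeSdSize is 0 */
    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
                                         RelativeSd,
                                         &RelativeSdSize);
    if (Status != STATUS_BUFFER_TOO_SMALL)
    {
        /*
         * Fail closed: a success status here would otherwise be returned
         * to the caller together with a NULL descriptor and a size of 0.
         */
        if (NT_SUCCESS(Status))
            Status = STATUS_UNSUCCESSFUL;
        goto done;
    }

    RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
                                 HEAP_ZERO_MEMORY,
                                 RelativeSdSize);
    if (RelativeSd == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto done;
    }

    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
                                         RelativeSd,
                                         &RelativeSdSize);
    if (!NT_SUCCESS(Status))
        goto done;

    *AccountSd = RelativeSd;
    *AccountSdSize = RelativeSdSize;

done:
    /*
     * The self-relative SD is a separate buffer, so the DACL and the SIDs
     * are released on every path.
     * NOTE(review): the SIDs come from RtlAllocateAndInitializeSid and are
     * freed with RtlFreeHeap on the process heap; confirm that this matches
     * the allocator that routine uses.
     */
    if (Dacl != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

    if (AdministratorsSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);

    if (EveryoneSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);

    if (LocalSystemSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);

    /* The result buffer is only released when it is not handed out */
    if (!NT_SUCCESS(Status))
    {
        if (RelativeSd != NULL)
            RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
    }

    return Status;
}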
433
434
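/*
 * Builds the security descriptor for an LSA secret object and returns it
 * in self-relative form.
 *
 * Owner is BUILTIN\Administrators and the primary group is LocalSystem.
 * The DACL holds, in this order:
 *   1. allow Administrators   SECRET_ALL_ACCESS
 *   2. allow Everyone         SECRET_EXECUTE
 * LocalSystem gets no ACE of its own; it is only used as the group SID.
 *
 * SecretSd     - receives a buffer allocated from the process heap; on
 *                success the caller owns it and has to release it.
 * SecretSdSize - receives the size of that buffer in bytes.
 *
 * Returns STATUS_INVALID_PARAMETER if either pointer is NULL,
 * STATUS_INSUFFICIENT_RESOURCES if a heap allocation fails, otherwise the
 * status of the first Rtl call that failed. On any failure *SecretSd stays
 * NULL and *SecretSdSize stays 0.
 */
NTSTATUS
LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd,
                   PULONG SecretSdSize)
{
    SECURITY_DESCRIPTOR AbsoluteSd;
    PSECURITY_DESCRIPTOR RelativeSd = NULL;
    ULONG RelativeSdSize = 0;
    PSID AdministratorsSid = NULL;
    PSID EveryoneSid = NULL;
    PSID LocalSystemSid = NULL;
    PACL Dacl = NULL;
    ULONG DaclSize;
    NTSTATUS Status;

    if (SecretSd == NULL || SecretSdSize == NULL)
        return STATUS_INVALID_PARAMETER;

    /* Outputs are only filled in once the whole descriptor has been built */
    *SecretSd = NULL;
    *SecretSdSize = 0;

    /* Initialize the SD */
    Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
                                         SECURITY_DESCRIPTOR_REVISION);
    if (!NT_SUCCESS(Status))
        return Status;

    /* Create the well-known SIDs referenced by the descriptor */
    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         2,
                                         SECURITY_BUILTIN_DOMAIN_RID,
                                         DOMAIN_ALIAS_RID_ADMINS,
                                         0, 0, 0, 0, 0, 0,
                                         &AdministratorsSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
                                         1,
                                         SECURITY_WORLD_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &EveryoneSid);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAllocateAndInitializeSid(&NtAuthority,
                                         1,
                                         SECURITY_LOCAL_SYSTEM_RID,
                                         0, 0, 0, 0, 0, 0, 0,
                                         &LocalSystemSid);
    if (!NT_SUCCESS(Status))
        goto done;

    /*
     * Allocate and initialize the DACL.
     * One term per ACE added below: the ACE structure minus its trailing
     * ULONG SID placeholder, plus the real SID length.
     */
    DaclSize = sizeof(ACL) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);

    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
                           HEAP_ZERO_MEMORY,
                           DaclSize);
    if (Dacl == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto done;
    }

    Status = RtlCreateAcl(Dacl,
                          DaclSize,
                          ACL_REVISION);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    SECRET_ALL_ACCESS,
                                    AdministratorsSid);
    if (!NT_SUCCESS(Status))
        goto done;

    /*
     * NOTE(review): this ACE applies to every caller matching the Everyone
     * SID; confirm that the rights contained in SECRET_EXECUTE are meant
     * to be that widely available on secret objects.
     */
    Status = RtlAddAccessAllowedAce(Dacl,
                                    ACL_REVISION,
                                    SECRET_EXECUTE,
                                    EveryoneSid);
    if (!NT_SUCCESS(Status))
        goto done;

    /* Attach DACL, group and owner to the absolute SD */
    Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
                                          TRUE,
                                          Dacl,
                                          FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
                                           LocalSystemSid,
                                           FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
                                           AdministratorsSid,
                                           FALSE);
    if (!NT_SUCCESS(Status))
        goto done;

    /* Sizing call: RelativeSd is still NULL and RelativeSdSize is 0 */
    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
                                         RelativeSd,
                                         &RelativeSdSize);
    if (Status != STATUS_BUFFER_TOO_SMALL)
    {
        /*
         * Fail closed: a success status here would otherwise be returned
         * to the caller together with a NULL descriptor and a size of 0.
         */
        if (NT_SUCCESS(Status))
            Status = STATUS_UNSUCCESSFUL;
        goto done;
    }

    RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
                                 HEAP_ZERO_MEMORY,
                                 RelativeSdSize);
    if (RelativeSd == NULL)
    {
        Status = STATUS_INSUFFICIENT_RESOURCES;
        goto done;
    }

    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
                                         RelativeSd,
                                         &RelativeSdSize);
    if (!NT_SUCCESS(Status))
        goto done;

    *SecretSd = RelativeSd;
    *SecretSdSize = RelativeSdSize;

done:
    /*
     * The self-relative SD is a separate buffer, so the DACL and the SIDs
     * are released on every path.
     * NOTE(review): the SIDs come from RtlAllocateAndInitializeSid and are
     * freed with RtlFreeHeap on the process heap; confirm that this matches
     * the allocator that routine uses.
     */
    if (Dacl != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);

    if (AdministratorsSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);

    if (EveryoneSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);

    if (LocalSystemSid != NULL)
        RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);

    /* The result buffer is only released when it is not handed out */
    if (!NT_SUCCESS(Status))
    {
        if (RelativeSd != NULL)
            RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
    }

    return Status;
}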
601
602 /* EOF */