2 * PROJECT: Local Security Authority Server DLL
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: dll/win32/lsasrv/security.c
5 * PURPOSE: LSA object security functions
6 * COPYRIGHT: Copyright 2012 Eric Kohl
11 /* FUNCTIONS ***************************************************************/
/*
 * LsapCreatePolicySd - build a self-relative security descriptor, presumably
 * for the LSA policy object (inferred from the name and the POLICY_* masks).
 *
 * PolicySd      receives the heap-allocated self-relative SD (listing line 232).
 * PolicySdSize  receives RelativeSdSize (listing line 233).
 *
 * STATUS_INVALID_PARAMETER is returned when either out-parameter is NULL.
 * STATUS_INSUFFICIENT_RESOURCES is assigned at listing lines 140 and 222,
 * next to the two heap allocations.
 *
 * NOTE(review): this listing omits many source lines (the gutter numbers
 * jump): the return type, the second parameter, most call arguments, the
 * branch taken after each status check and the final return are not shown.
 * The comments below describe only what is visible.
 */
14 LsapCreatePolicySd(PSECURITY_DESCRIPTOR
*PolicySd
,
17 SECURITY_DESCRIPTOR AbsoluteSd
;
18 PSECURITY_DESCRIPTOR RelativeSd
= NULL
;
19 ULONG RelativeSdSize
= 0;
/* Every SID pointer starts as NULL so the cleanup code can test it. */
20 PSID AnonymousSid
= NULL
;
21 PSID AdministratorsSid
= NULL
;
22 PSID EveryoneSid
= NULL
;
23 PSID LocalServiceSid
= NULL
;
24 PSID NetworkServiceSid
= NULL
;
25 PSID LocalSystemSid
= NULL
;
/* Reject NULL out-parameters before any SID or buffer is allocated. */
30 if (PolicySd
== NULL
|| PolicySdSize
== NULL
)
31 return STATUS_INVALID_PARAMETER
;
36 /* Initialize the SD */
37 Status
= RtlCreateSecurityDescriptor(&AbsoluteSd
,
38 SECURITY_DESCRIPTOR_REVISION
);
39 if (!NT_SUCCESS(Status
))
/*
 * Six well-known SIDs are allocated next. The destination argument of each
 * call is not shown; the target named in each comment below is presumed from
 * the RID and the local variable names - TODO confirm against the full file.
 */
/* NT authority, Anonymous Logon RID (presumably -> AnonymousSid). */
42 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
44 SECURITY_ANONYMOUS_LOGON_RID
,
53 if (!NT_SUCCESS(Status
))
/* NT authority, BUILTIN domain + Administrators alias (presumably -> AdministratorsSid). */
56 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
58 SECURITY_BUILTIN_DOMAIN_RID
,
59 DOMAIN_ALIAS_RID_ADMINS
,
67 if (!NT_SUCCESS(Status
))
/* World authority; the RID is not shown (presumably -> EveryoneSid). */
70 Status
= RtlAllocateAndInitializeSid(&WorldSidAuthority
,
81 if (!NT_SUCCESS(Status
))
/* NT authority, Local Service RID (presumably -> LocalServiceSid). */
84 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
86 SECURITY_LOCAL_SERVICE_RID
,
95 if (!NT_SUCCESS(Status
))
/* NT authority, Network Service RID (presumably -> NetworkServiceSid). */
98 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
100 SECURITY_NETWORK_SERVICE_RID
,
109 if (!NT_SUCCESS(Status
))
/* NT authority, Local System RID (presumably -> LocalSystemSid). */
112 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
114 SECURITY_LOCAL_SYSTEM_RID
,
123 if (!NT_SUCCESS(Status
))
126 /* Allocate and initialize the DACL */
/*
 * DACL size = ACL header + one ACE per entry. Each ACE structure ends in a
 * ULONG SidStart placeholder, so sizeof(ULONG) is subtracted before the real
 * SID length is added. Entries sized here: one access-denied ACE (Anonymous)
 * and five access-allowed ACEs (Administrators, Everyone, Anonymous,
 * LocalService, NetworkService). LocalSystemSid is not part of the DACL size;
 * presumably it is used as owner/group - TODO confirm.
 */
127 DaclSize
= sizeof(ACL
) +
128 sizeof(ACCESS_DENIED_ACE
) - sizeof(ULONG
) + RtlLengthSid(AnonymousSid
) +
129 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(AdministratorsSid
) +
130 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(EveryoneSid
) +
131 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(AnonymousSid
) +
132 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(LocalServiceSid
) +
133 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(NetworkServiceSid
);
/* DACL buffer comes from the process heap; the NULL test itself is not shown. */
135 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
140 Status
= STATUS_INSUFFICIENT_RESOURCES
;
144 Status
= RtlCreateAcl(Dacl
,
147 if (!NT_SUCCESS(Status
))
/*
 * The access-denied ACE is added before every access-allowed ACE. ACEs are
 * evaluated in order, so the deny entry must stay first to take precedence
 * over the later allow entry for the same principal. Mask and SID arguments
 * are not shown (the size calculation pairs the deny ACE with AnonymousSid).
 */
150 Status
= RtlAddAccessDeniedAce(Dacl
,
154 if (!NT_SUCCESS(Status
))
/* First allow ACE: full policy access plus notification (presumably Administrators). */
157 Status
= RtlAddAccessAllowedAce(Dacl
,
159 POLICY_ALL_ACCESS
| POLICY_NOTIFICATION
,
161 if (!NT_SUCCESS(Status
))
/* Second allow ACE: mask and SID not shown (presumably Everyone). */
164 Status
= RtlAddAccessAllowedAce(Dacl
,
168 if (!NT_SUCCESS(Status
))
/*
 * Third allow ACE: name lookup and local-information view (presumably
 * Anonymous, by the order of the size calculation).
 * NOTE(review): an anonymous principal gets an allow ACE here; confirm the
 * earlier deny mask removes everything anonymous callers must not reach.
 */
171 Status
= RtlAddAccessAllowedAce(Dacl
,
173 POLICY_LOOKUP_NAMES
| POLICY_VIEW_LOCAL_INFORMATION
,
175 if (!NT_SUCCESS(Status
))
/* Fourth allow ACE: mask and SID not shown (presumably LocalService). */
178 Status
= RtlAddAccessAllowedAce(Dacl
,
182 if (!NT_SUCCESS(Status
))
/* Fifth allow ACE: mask and SID not shown (presumably NetworkService). */
185 Status
= RtlAddAccessAllowedAce(Dacl
,
189 if (!NT_SUCCESS(Status
))
/* Attach DACL, group and owner to the absolute SD; arguments are not shown. */
192 Status
= RtlSetDaclSecurityDescriptor(&AbsoluteSd
,
196 if (!NT_SUCCESS(Status
))
199 Status
= RtlSetGroupSecurityDescriptor(&AbsoluteSd
,
202 if (!NT_SUCCESS(Status
))
205 Status
= RtlSetOwnerSecurityDescriptor(&AbsoluteSd
,
208 if (!NT_SUCCESS(Status
))
/*
 * First conversion call acts as a size probe: the code expects
 * STATUS_BUFFER_TOO_SMALL and tests for any other status (the branch body
 * is not shown).
 */
211 Status
= RtlAbsoluteToSelfRelativeSD(&AbsoluteSd
,
214 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
/* Allocate the self-relative buffer; size argument is not shown (presumably RelativeSdSize). */
217 RelativeSd
= RtlAllocateHeap(RtlGetProcessHeap(),
220 if (RelativeSd
== NULL
)
222 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/* Second call performs the actual conversion into RelativeSd. */
226 Status
= RtlAbsoluteToSelfRelativeSD(&AbsoluteSd
,
229 if (!NT_SUCCESS(Status
))
/*
 * Outputs are written after the last status check. From here the caller
 * presumably owns the buffer and must free it from the process heap -
 * confirm at the call sites.
 */
232 *PolicySd
= RelativeSd
;
233 *PolicySdSize
= RelativeSdSize
;
/*
 * Cleanup of temporaries; appears to run on both success and failure paths
 * (the label is not shown). The self-relative SD carries its own copy of the
 * ACL and SIDs, so releasing these does not invalidate the returned buffer.
 * NOTE(review): no NULL guard for Dacl is visible (listing line 236 is
 * omitted) - confirm one exists.
 * NOTE(review): SIDs from RtlAllocateAndInitializeSid are released with
 * RtlFreeHeap on the process heap rather than RtlFreeSid; this relies on the
 * SID allocator using that same heap - confirm.
 */
237 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
239 if (AnonymousSid
!= NULL
)
240 RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid
);
242 if (AdministratorsSid
!= NULL
)
243 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid
);
245 if (EveryoneSid
!= NULL
)
246 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid
);
248 if (LocalServiceSid
!= NULL
)
249 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid
);
251 if (NetworkServiceSid
!= NULL
)
252 RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid
);
254 if (LocalSystemSid
!= NULL
)
255 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid
);
/* Failure path: release the self-relative buffer so it is not leaked. */
257 if (!NT_SUCCESS(Status
))
259 if (RelativeSd
!= NULL
)
260 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd
);
/*
 * LsapCreateAccountSd - build a self-relative security descriptor, presumably
 * for an LSA account object (inferred from the name).
 *
 * AccountSd      receives the heap-allocated self-relative SD (listing line 409).
 * AccountSdSize  receives RelativeSdSize (listing line 410).
 *
 * STATUS_INVALID_PARAMETER is returned when either out-parameter is NULL.
 * STATUS_INSUFFICIENT_RESOURCES is assigned at listing lines 345 and 399,
 * next to the two heap allocations.
 *
 * NOTE(review): this listing omits many source lines (return type, most call
 * arguments, the branch after each status check, the final return). The
 * comments describe only what is visible.
 */
268 LsapCreateAccountSd(PSECURITY_DESCRIPTOR
*AccountSd
,
269 PULONG AccountSdSize
)
271 SECURITY_DESCRIPTOR AbsoluteSd
;
272 PSECURITY_DESCRIPTOR RelativeSd
= NULL
;
273 ULONG RelativeSdSize
= 0;
/* SID pointers start as NULL so the cleanup code can test them. */
274 PSID AdministratorsSid
= NULL
;
275 PSID EveryoneSid
= NULL
;
276 PSID LocalSystemSid
= NULL
;
/* Reject NULL out-parameters before any SID or buffer is allocated. */
281 if (AccountSd
== NULL
|| AccountSdSize
== NULL
)
282 return STATUS_INVALID_PARAMETER
;
287 /* Initialize the SD */
288 Status
= RtlCreateSecurityDescriptor(&AbsoluteSd
,
289 SECURITY_DESCRIPTOR_REVISION
);
290 if (!NT_SUCCESS(Status
))
/*
 * Three well-known SIDs follow; the destination argument of each call is not
 * shown, so the target variables named below are presumed - TODO confirm.
 */
/* NT authority, BUILTIN domain + Administrators alias (presumably -> AdministratorsSid). */
293 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
295 SECURITY_BUILTIN_DOMAIN_RID
,
296 DOMAIN_ALIAS_RID_ADMINS
,
304 if (!NT_SUCCESS(Status
))
/* World authority; the RID is not shown (presumably -> EveryoneSid). */
307 Status
= RtlAllocateAndInitializeSid(&WorldSidAuthority
,
318 if (!NT_SUCCESS(Status
))
/* NT authority, Local System RID (presumably -> LocalSystemSid). */
321 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
323 SECURITY_LOCAL_SYSTEM_RID
,
332 if (!NT_SUCCESS(Status
))
335 /* Allocate and initialize the DACL */
/*
 * DACL size = ACL header + two access-allowed ACEs (Administrators,
 * Everyone). sizeof(ULONG) is subtracted per ACE because the ACE structure
 * already contains a ULONG SidStart placeholder that the SID overlays.
 * LocalSystemSid is not part of the DACL size; presumably it is used as
 * owner/group - TODO confirm.
 */
336 DaclSize
= sizeof(ACL
) +
337 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(AdministratorsSid
) +
338 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(EveryoneSid
);
/* DACL buffer comes from the process heap; the NULL test itself is not shown. */
340 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
345 Status
= STATUS_INSUFFICIENT_RESOURCES
;
349 Status
= RtlCreateAcl(Dacl
,
352 if (!NT_SUCCESS(Status
))
/*
 * Two allow ACEs; masks and SIDs are not shown in this listing.
 * NOTE(review): one entry is sized for Everyone - confirm its mask grants
 * no more than read-level access to the object.
 */
355 Status
= RtlAddAccessAllowedAce(Dacl
,
359 if (!NT_SUCCESS(Status
))
362 Status
= RtlAddAccessAllowedAce(Dacl
,
366 if (!NT_SUCCESS(Status
))
/* Attach DACL, group and owner to the absolute SD; arguments are not shown. */
369 Status
= RtlSetDaclSecurityDescriptor(&AbsoluteSd
,
373 if (!NT_SUCCESS(Status
))
376 Status
= RtlSetGroupSecurityDescriptor(&AbsoluteSd
,
379 if (!NT_SUCCESS(Status
))
382 Status
= RtlSetOwnerSecurityDescriptor(&AbsoluteSd
,
385 if (!NT_SUCCESS(Status
))
/*
 * Size probe: the first conversion call is expected to report
 * STATUS_BUFFER_TOO_SMALL; any other status is tested for (branch body not
 * shown).
 */
388 Status
= RtlAbsoluteToSelfRelativeSD(&AbsoluteSd
,
391 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
/* Allocate the self-relative buffer; size argument is not shown (presumably RelativeSdSize). */
394 RelativeSd
= RtlAllocateHeap(RtlGetProcessHeap(),
397 if (RelativeSd
== NULL
)
399 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/* Second call performs the actual conversion into RelativeSd. */
403 Status
= RtlAbsoluteToSelfRelativeSD(&AbsoluteSd
,
406 if (!NT_SUCCESS(Status
))
/* Outputs are written after the last status check; the caller presumably owns the buffer from here. */
409 *AccountSd
= RelativeSd
;
410 *AccountSdSize
= RelativeSdSize
;
/*
 * Cleanup of temporaries; appears to run on both success and failure paths
 * (the label is not shown).
 * NOTE(review): no NULL guard for Dacl is visible (listing line 413 is
 * omitted) - confirm one exists.
 * NOTE(review): SIDs from RtlAllocateAndInitializeSid are released with
 * RtlFreeHeap on the process heap rather than RtlFreeSid - confirm the SID
 * allocator uses that same heap.
 */
414 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
416 if (AdministratorsSid
!= NULL
)
417 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid
);
419 if (EveryoneSid
!= NULL
)
420 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid
);
422 if (LocalSystemSid
!= NULL
)
423 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid
);
/* Failure path: release the self-relative buffer so it is not leaked. */
425 if (!NT_SUCCESS(Status
))
427 if (RelativeSd
!= NULL
)
428 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd
);
/*
 * LsapCreateSecretSd - build a self-relative security descriptor, presumably
 * for an LSA secret object (inferred from the name).
 *
 * SecretSd      receives the heap-allocated self-relative SD (listing line 577).
 * SecretSdSize  receives RelativeSdSize (listing line 578); its declaration
 *               is not shown in this listing.
 *
 * STATUS_INVALID_PARAMETER is returned when either out-parameter is NULL.
 * STATUS_INSUFFICIENT_RESOURCES is assigned at listing lines 513 and 567,
 * next to the two heap allocations.
 *
 * NOTE(review): this listing omits many source lines (return type, most call
 * arguments, the branch after each status check, the final return). The
 * comments describe only what is visible.
 */
436 LsapCreateSecretSd(PSECURITY_DESCRIPTOR
*SecretSd
,
439 SECURITY_DESCRIPTOR AbsoluteSd
;
440 PSECURITY_DESCRIPTOR RelativeSd
= NULL
;
441 ULONG RelativeSdSize
= 0;
/* SID pointers start as NULL so the cleanup code can test them. */
442 PSID AdministratorsSid
= NULL
;
443 PSID EveryoneSid
= NULL
;
444 PSID LocalSystemSid
= NULL
;
/* Reject NULL out-parameters before any SID or buffer is allocated. */
449 if (SecretSd
== NULL
|| SecretSdSize
== NULL
)
450 return STATUS_INVALID_PARAMETER
;
455 /* Initialize the SD */
456 Status
= RtlCreateSecurityDescriptor(&AbsoluteSd
,
457 SECURITY_DESCRIPTOR_REVISION
);
458 if (!NT_SUCCESS(Status
))
/*
 * Three well-known SIDs follow; the destination argument of each call is not
 * shown, so the target variables named below are presumed - TODO confirm.
 */
/* NT authority, BUILTIN domain + Administrators alias (presumably -> AdministratorsSid). */
461 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
463 SECURITY_BUILTIN_DOMAIN_RID
,
464 DOMAIN_ALIAS_RID_ADMINS
,
472 if (!NT_SUCCESS(Status
))
/* World authority; the RID is not shown (presumably -> EveryoneSid). */
475 Status
= RtlAllocateAndInitializeSid(&WorldSidAuthority
,
486 if (!NT_SUCCESS(Status
))
/* NT authority, Local System RID (presumably -> LocalSystemSid). */
489 Status
= RtlAllocateAndInitializeSid(&NtAuthority
,
491 SECURITY_LOCAL_SYSTEM_RID
,
500 if (!NT_SUCCESS(Status
))
503 /* Allocate and initialize the DACL */
/*
 * DACL size = ACL header + two access-allowed ACEs (Administrators,
 * Everyone). sizeof(ULONG) is subtracted per ACE because the ACE structure
 * already contains a ULONG SidStart placeholder that the SID overlays.
 * LocalSystemSid is not part of the DACL size; presumably it is used as
 * owner/group - TODO confirm.
 */
504 DaclSize
= sizeof(ACL
) +
505 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(AdministratorsSid
) +
506 sizeof(ACCESS_ALLOWED_ACE
) - sizeof(ULONG
) + RtlLengthSid(EveryoneSid
);
/* DACL buffer comes from the process heap; the NULL test itself is not shown. */
508 Dacl
= RtlAllocateHeap(RtlGetProcessHeap(),
513 Status
= STATUS_INSUFFICIENT_RESOURCES
;
517 Status
= RtlCreateAcl(Dacl
,
520 if (!NT_SUCCESS(Status
))
/*
 * Two allow ACEs; masks and SIDs are not shown in this listing.
 * NOTE(review): one entry is sized for Everyone on what is presumably a
 * secret object - confirm its mask does not include any right that exposes
 * the secret's value.
 */
523 Status
= RtlAddAccessAllowedAce(Dacl
,
527 if (!NT_SUCCESS(Status
))
530 Status
= RtlAddAccessAllowedAce(Dacl
,
534 if (!NT_SUCCESS(Status
))
/* Attach DACL, group and owner to the absolute SD; arguments are not shown. */
537 Status
= RtlSetDaclSecurityDescriptor(&AbsoluteSd
,
541 if (!NT_SUCCESS(Status
))
544 Status
= RtlSetGroupSecurityDescriptor(&AbsoluteSd
,
547 if (!NT_SUCCESS(Status
))
550 Status
= RtlSetOwnerSecurityDescriptor(&AbsoluteSd
,
553 if (!NT_SUCCESS(Status
))
/*
 * Size probe: the first conversion call is expected to report
 * STATUS_BUFFER_TOO_SMALL; any other status is tested for (branch body not
 * shown).
 */
556 Status
= RtlAbsoluteToSelfRelativeSD(&AbsoluteSd
,
559 if (Status
!= STATUS_BUFFER_TOO_SMALL
)
/* Allocate the self-relative buffer; size argument is not shown (presumably RelativeSdSize). */
562 RelativeSd
= RtlAllocateHeap(RtlGetProcessHeap(),
565 if (RelativeSd
== NULL
)
567 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/* Second call performs the actual conversion into RelativeSd. */
571 Status
= RtlAbsoluteToSelfRelativeSD(&AbsoluteSd
,
574 if (!NT_SUCCESS(Status
))
/* Outputs are written after the last status check; the caller presumably owns the buffer from here. */
577 *SecretSd
= RelativeSd
;
578 *SecretSdSize
= RelativeSdSize
;
/*
 * Cleanup of temporaries; appears to run on both success and failure paths
 * (the label is not shown).
 * NOTE(review): no NULL guard for Dacl is visible (listing line 581 is
 * omitted) - confirm one exists.
 * NOTE(review): SIDs from RtlAllocateAndInitializeSid are released with
 * RtlFreeHeap on the process heap rather than RtlFreeSid - confirm the SID
 * allocator uses that same heap.
 */
582 RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl
);
584 if (AdministratorsSid
!= NULL
)
585 RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid
);
587 if (EveryoneSid
!= NULL
)
588 RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid
);
590 if (LocalSystemSid
!= NULL
)
591 RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid
);
/* Failure path: release the self-relative buffer so it is not leaked. */
593 if (!NT_SUCCESS(Status
))
595 if (RelativeSd
!= NULL
)
596 RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd
);