1 /* $Id: sd.c,v 1.10 2003/07/11 01:23:16 royce Exp $
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * PURPOSE: Security manager
7 * PROGRAMER: David Welch <welch@cwcom.net>
9 * 26/07/98: Added stubs for security functions
12 /* INCLUDES *****************************************************************/
14 #include <ddk/ntddk.h>
15 #include <internal/se.h>
17 #include <internal/debug.h>
19 /* GLOBALS ******************************************************************/
/*
 * Global pointers to the six predefined security descriptors. Each one
 * starts as NULL; the initialisation code further down this listing assigns
 * each the result of ExAllocatePool(NonPagedPool, sizeof(SECURITY_DESCRIPTOR)).
 */
21 PSECURITY_DESCRIPTOR SePublicDefaultSd
= NULL
;
22 PSECURITY_DESCRIPTOR SePublicDefaultUnrestrictedSd
= NULL
;
23 PSECURITY_DESCRIPTOR SePublicOpenSd
= NULL
;
24 PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd
= NULL
;
25 PSECURITY_DESCRIPTOR SeSystemDefaultSd
= NULL
;
26 PSECURITY_DESCRIPTOR SeUnrestrictedSd
= NULL
;
28 /* FUNCTIONS ***************************************************************/
/*
 * Initialisation of the six global descriptors. The same four steps repeat
 * for each: allocate sizeof(SECURITY_DESCRIPTOR) bytes from NonPagedPool,
 * test the pointer against NULL, call RtlCreateSecurityDescriptor with
 * SECURITY_DESCRIPTOR_REVISION, then call RtlSetDaclSecurityDescriptor.
 *
 * NOTE(review): the enclosing function's signature, the statement executed
 * under each NULL test and most RtlSetDaclSecurityDescriptor arguments are
 * not shown in this listing. Only SePublicDefaultUnrestrictedDacl and
 * SePublicOpenUnrestrictedDacl are visible as DACL arguments.
 *
 * NOTE(review): on the visible lines the NTSTATUS results of
 * RtlCreateSecurityDescriptor and RtlSetDaclSecurityDescriptor are not
 * assigned or tested. Both return STATUS_UNSUCCESSFUL on a revision
 * mismatch (see their definitions below). A failed DACL attach would leave
 * SE_DACL_PRESENT clear, because RtlCreateSecurityDescriptor sets
 * Control to 0. Checking the status here would make that failure visible.
 */
33 /* Create PublicDefaultSd */
34 SePublicDefaultSd
= ExAllocatePool(NonPagedPool
,
35 sizeof(SECURITY_DESCRIPTOR
));
36 if (SePublicDefaultSd
== NULL
)
39 RtlCreateSecurityDescriptor(SePublicDefaultSd
,
40 SECURITY_DESCRIPTOR_REVISION
);
41 RtlSetDaclSecurityDescriptor(SePublicDefaultSd
,
46 /* Create PublicDefaultUnrestrictedSd */
47 SePublicDefaultUnrestrictedSd
= ExAllocatePool(NonPagedPool
,
48 sizeof(SECURITY_DESCRIPTOR
));
49 if (SePublicDefaultUnrestrictedSd
== NULL
)
52 RtlCreateSecurityDescriptor(SePublicDefaultUnrestrictedSd
,
53 SECURITY_DESCRIPTOR_REVISION
);
54 RtlSetDaclSecurityDescriptor(SePublicDefaultUnrestrictedSd
,
56 SePublicDefaultUnrestrictedDacl
,
59 /* Create PublicOpenSd */
60 SePublicOpenSd
= ExAllocatePool(NonPagedPool
,
61 sizeof(SECURITY_DESCRIPTOR
));
62 if (SePublicOpenSd
== NULL
)
65 RtlCreateSecurityDescriptor(SePublicOpenSd
,
66 SECURITY_DESCRIPTOR_REVISION
);
67 RtlSetDaclSecurityDescriptor(SePublicOpenSd
,
72 /* Create PublicOpenUnrestrictedSd */
73 SePublicOpenUnrestrictedSd
= ExAllocatePool(NonPagedPool
,
74 sizeof(SECURITY_DESCRIPTOR
));
75 if (SePublicOpenUnrestrictedSd
== NULL
)
78 RtlCreateSecurityDescriptor(SePublicOpenUnrestrictedSd
,
79 SECURITY_DESCRIPTOR_REVISION
);
80 RtlSetDaclSecurityDescriptor(SePublicOpenUnrestrictedSd
,
82 SePublicOpenUnrestrictedDacl
,
85 /* Create SystemDefaultSd */
86 SeSystemDefaultSd
= ExAllocatePool(NonPagedPool
,
87 sizeof(SECURITY_DESCRIPTOR
));
88 if (SeSystemDefaultSd
== NULL
)
91 RtlCreateSecurityDescriptor(SeSystemDefaultSd
,
92 SECURITY_DESCRIPTOR_REVISION
);
93 RtlSetDaclSecurityDescriptor(SeSystemDefaultSd
,
98 /* Create UnrestrictedSd */
99 SeUnrestrictedSd
= ExAllocatePool(NonPagedPool
,
100 sizeof(SECURITY_DESCRIPTOR
));
101 if (SeUnrestrictedSd
== NULL
)
104 RtlCreateSecurityDescriptor(SeUnrestrictedSd
,
105 SECURITY_DESCRIPTOR_REVISION
);
106 RtlSetDaclSecurityDescriptor(SeUnrestrictedSd
,
/*
 * RtlCreateSecurityDescriptor: resets a caller-supplied descriptor to an
 * empty one. It sets Revision, zeroes Sbz1 and Control (so SE_SELF_RELATIVE
 * and every PRESENT/DEFAULTED flag are clear) and sets Owner, Group, Sacl
 * and Dacl to NULL.
 *
 * Returns STATUS_UNSUCCESSFUL when Revision differs from
 * SECURITY_DESCRIPTOR_REVISION, before any field is written; otherwise
 * STATUS_SUCCESS.
 *
 * NOTE(review): the declaration of the Revision parameter is not shown in
 * this listing. SecurityDescriptor is dereferenced with no NULL test on the
 * visible lines, so callers must pass a valid pointer.
 */
119 RtlCreateSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
122 if (Revision
!= SECURITY_DESCRIPTOR_REVISION
)
123 return(STATUS_UNSUCCESSFUL
);
/* Every field below is overwritten, so a descriptor placed in freshly
 * allocated pool memory keeps no stale bytes in these fields. */
125 SecurityDescriptor
->Revision
= SECURITY_DESCRIPTOR_REVISION
;
126 SecurityDescriptor
->Sbz1
= 0;
127 SecurityDescriptor
->Control
= 0;
128 SecurityDescriptor
->Owner
= NULL
;
129 SecurityDescriptor
->Group
= NULL
;
130 SecurityDescriptor
->Sacl
= NULL
;
131 SecurityDescriptor
->Dacl
= NULL
;
133 return(STATUS_SUCCESS
);
/*
 * RtlLengthSecurityDescriptor: accumulates in Length the size of the
 * descriptor header plus the size of each component that is present
 * (owner SID, group SID, DACL, SACL). When SE_SELF_RELATIVE is set, the
 * stored field is treated as an offset and rebased on the descriptor's
 * address before being dereferenced.
 *
 * NOTE(review): the local declarations and the final return statement are
 * not shown in this listing; presumably Length is returned. Confirm.
 *
 * NOTE(review): every size is rounded with "& 0xfc". That mask keeps only
 * bits 2..7, so besides rounding to a multiple of 4 it reduces the value
 * modulo 256. RtlpQuerySecurityDescriptor in this file rounds the same
 * quantities with "& ~3", which does not truncate. A caller that sizes a
 * buffer from this function can under-allocate for large ACLs.
 *
 * NOTE(review): the (ULONG) pointer casts assume a pointer fits in a ULONG.
 * TODO confirm the target is 32-bit only; ULONG_PTR is the width-safe type.
 */
141 RtlLengthSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
)
149 Length
= sizeof(SECURITY_DESCRIPTOR
);
151 if (SecurityDescriptor
->Owner
!= NULL
)
153 Owner
= SecurityDescriptor
->Owner
;
154 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
156 Owner
= (PSID
)((ULONG
)Owner
+
157 (ULONG
)SecurityDescriptor
);
/* SID size is derived from SubAuthorityCount read out of the SID itself;
 * the count is not range-checked on the visible lines. */
159 Length
= Length
+ ((sizeof(SID
) + (Owner
->SubAuthorityCount
- 1) *
160 sizeof(ULONG
) + 3) & 0xfc);
163 if (SecurityDescriptor
->Group
!= NULL
)
165 Group
= SecurityDescriptor
->Group
;
166 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
168 Group
= (PSID
)((ULONG
)Group
+ (ULONG
)SecurityDescriptor
);
170 Length
= Length
+ ((sizeof(SID
) + (Group
->SubAuthorityCount
- 1) *
171 sizeof(ULONG
) + 3) & 0xfc);
174 if (SecurityDescriptor
->Control
& SE_DACL_PRESENT
&&
175 SecurityDescriptor
->Dacl
!= NULL
)
177 Dacl
= SecurityDescriptor
->Dacl
;
178 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
/* NOTE(review): this rebasing adds an integer to a PVOID operand, unlike
 * the Owner/Group rebasing above, which casts both operands to ULONG.
 * Arithmetic on a void pointer is a compiler extension. */
180 Dacl
= (PACL
)((ULONG
)Dacl
+ (PVOID
)SecurityDescriptor
);
/* NOTE(review): once AclSize + 3 reaches 256 the 0xfc mask drops the high
 * bits and the DACL is under-counted. */
182 Length
= Length
+ ((Dacl
->AclSize
+ 3) & 0xfc);
185 if (SecurityDescriptor
->Control
& SE_SACL_PRESENT
&&
186 SecurityDescriptor
->Sacl
!= NULL
)
188 Sacl
= SecurityDescriptor
->Sacl
;
189 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
191 Sacl
= (PACL
)((ULONG
)Sacl
+ (PVOID
)SecurityDescriptor
);
/* NOTE(review): same 0xfc truncation as for the DACL above. */
193 Length
= Length
+ ((Sacl
->AclSize
+ 3) & 0xfc);
/*
 * RtlGetDaclSecurityDescriptor: reports the descriptor's DACL through the
 * out-parameters. Returns STATUS_UNSUCCESSFUL when the revision does not
 * match SECURITY_DESCRIPTOR_REVISION. For a self-relative descriptor the
 * stored Dacl field is rebased on the descriptor address before being
 * returned; otherwise the stored pointer is returned unchanged.
 * *DaclDefaulted mirrors the SE_DACL_DEFAULTED control bit.
 *
 * NOTE(review): the declaration of the Dacl out-parameter, the body of the
 * "Dacl == NULL" test and any assignment of *DaclPresent = TRUE are not
 * shown in this listing.
 */
204 RtlGetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
205 PBOOLEAN DaclPresent
,
207 PBOOLEAN DaclDefaulted
)
209 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
211 return(STATUS_UNSUCCESSFUL
);
/* When SE_DACL_PRESENT is clear only *DaclPresent is written before the
 * successful return; *Dacl and *DaclDefaulted keep whatever the caller had
 * in them, so callers must test *DaclPresent before using either. */
214 if (!(SecurityDescriptor
->Control
& SE_DACL_PRESENT
))
216 *DaclPresent
= FALSE
;
217 return(STATUS_SUCCESS
);
221 if (SecurityDescriptor
->Dacl
== NULL
)
227 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
/* The offset stored in a self-relative descriptor is not bounded here;
 * the function has no buffer length to compare it against. */
229 *Dacl
= (PACL
)((ULONG
)SecurityDescriptor
->Dacl
+
230 (PVOID
)SecurityDescriptor
);
234 *Dacl
= SecurityDescriptor
->Dacl
;
238 if (SecurityDescriptor
->Control
& SE_DACL_DEFAULTED
)
240 *DaclDefaulted
= TRUE
;
244 *DaclDefaulted
= FALSE
;
247 return(STATUS_SUCCESS
);
/*
 * RtlSetDaclSecurityDescriptor: attaches or removes the DACL of an
 * absolute-form descriptor. Returns STATUS_UNSUCCESSFUL when the revision
 * does not match or when SE_SELF_RELATIVE is set (a self-relative
 * descriptor stores offsets, so a pointer cannot be written into it).
 *
 * NOTE(review): the DaclPresent and Dacl parameter declarations and the
 * conditions guarding the two branches below are not shown in this listing.
 * Presumably the first branch runs when DaclPresent is FALSE and the final
 * flag update runs when DaclDefaulted is TRUE. Confirm.
 */
255 RtlSetDaclSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
258 BOOLEAN DaclDefaulted
)
260 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
262 return(STATUS_UNSUCCESSFUL
);
265 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
267 return(STATUS_UNSUCCESSFUL
);
/* Removal path: clears SE_DACL_PRESENT and returns. The Dacl field itself
 * is not reset on the visible lines. */
272 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_DACL_PRESENT
);
273 return(STATUS_SUCCESS
);
276 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_DACL_PRESENT
;
/* The caller's ACL pointer is stored, not copied: the ACL must stay valid
 * for as long as the descriptor is in use. */
277 SecurityDescriptor
->Dacl
= Dacl
;
278 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_DACL_DEFAULTED
);
282 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_DACL_DEFAULTED
;
285 return(STATUS_SUCCESS
);
/*
 * RtlValidSecurityDescriptor: checks the revision, then passes the owner
 * and group to RtlValidSid and, when the matching PRESENT bit is set and
 * the field is non-NULL, the DACL and SACL to RtlValidAcl. Fields of a
 * self-relative descriptor are rebased on the descriptor address first.
 *
 * NOTE(review): the value returned on each failed check is not shown in
 * this listing, nor are RtlValidSid and RtlValidAcl.
 *
 * NOTE(review): the only parameter is the descriptor pointer, so the
 * offsets of a self-relative descriptor cannot be compared with the size of
 * the buffer that holds it. A caller validating a descriptor received from
 * a less trusted source needs to bound the offsets against the buffer
 * length itself before calling this.
 */
293 RtlValidSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
)
300 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
/* NOTE(review): no NULL test of Owner is visible before RtlValidSid, unlike
 * RtlLengthSecurityDescriptor, which skips a NULL owner. The test may be on
 * a line missing from this listing. Confirm. */
305 Owner
= SecurityDescriptor
->Owner
;
306 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
308 Owner
= (PSID
)((ULONG
)Owner
+ (ULONG
)SecurityDescriptor
);
311 if (!RtlValidSid(Owner
))
316 Group
= SecurityDescriptor
->Group
;
317 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
319 Group
= (PSID
)((ULONG
)Group
+ (ULONG
)SecurityDescriptor
);
322 if (!RtlValidSid(Group
))
327 if (SecurityDescriptor
->Control
& SE_DACL_PRESENT
&&
328 SecurityDescriptor
->Dacl
!= NULL
)
330 Dacl
= SecurityDescriptor
->Dacl
;
331 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
333 Dacl
= (PACL
)((ULONG
)Dacl
+ (ULONG
)SecurityDescriptor
);
336 if (!RtlValidAcl(Dacl
))
342 if (SecurityDescriptor
->Control
& SE_SACL_PRESENT
&&
343 SecurityDescriptor
->Sacl
!= NULL
)
345 Sacl
= SecurityDescriptor
->Sacl
;
346 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
348 Sacl
= (PACL
)((ULONG
)Sacl
+ (ULONG
)SecurityDescriptor
);
351 if (!RtlValidAcl(Sacl
))
/*
 * RtlSetOwnerSecurityDescriptor: stores the owner SID pointer in an
 * absolute-form descriptor and updates SE_OWNER_DEFAULTED. Returns
 * STATUS_UNSUCCESSFUL when the revision does not match or when the
 * descriptor is self-relative; otherwise STATUS_SUCCESS.
 *
 * NOTE(review): the Owner parameter declaration and the condition guarding
 * the final flag update are not shown in this listing. Presumably the flag
 * is set again only when OwnerDefaulted is TRUE. Confirm.
 */
365 RtlSetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
367 BOOLEAN OwnerDefaulted
)
369 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
371 return(STATUS_UNSUCCESSFUL
);
374 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
376 return(STATUS_UNSUCCESSFUL
);
/* The SID pointer is stored, not copied: the SID must outlive the
 * descriptor. It is not validated here. */
379 SecurityDescriptor
->Owner
= Owner
;
380 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_OWNER_DEFAULTED
);
384 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_OWNER_DEFAULTED
;
387 return(STATUS_SUCCESS
);
/*
 * RtlGetOwnerSecurityDescriptor: returns the owner SID through *Owner,
 * rebasing the stored field on the descriptor address when
 * SE_SELF_RELATIVE is set. Returns STATUS_UNSUCCESSFUL on a revision
 * mismatch, otherwise STATUS_SUCCESS.
 *
 * NOTE(review): the Owner parameter declaration, the branch taken when the
 * stored owner is NULL and the statements under the SE_OWNER_DEFAULTED
 * test are not shown in this listing. Presumably *OwnerDefaulted is set
 * there. Confirm.
 */
395 RtlGetOwnerSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
397 PBOOLEAN OwnerDefaulted
)
399 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
401 return(STATUS_UNSUCCESSFUL
);
404 if (SecurityDescriptor
->Owner
!= NULL
)
406 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
/* The stored offset is trusted; nothing here bounds it against the size of
 * the buffer holding the descriptor. */
408 *Owner
= (PSID
)((ULONG
)SecurityDescriptor
->Owner
+
409 (PVOID
)SecurityDescriptor
);
413 *Owner
= SecurityDescriptor
->Owner
;
420 if (SecurityDescriptor
->Control
& SE_OWNER_DEFAULTED
)
428 return(STATUS_SUCCESS
);
/*
 * RtlSetGroupSecurityDescriptor: stores the primary-group SID pointer in an
 * absolute-form descriptor and updates SE_GROUP_DEFAULTED. Returns
 * STATUS_UNSUCCESSFUL when the revision does not match or when the
 * descriptor is self-relative; otherwise STATUS_SUCCESS.
 *
 * NOTE(review): the Group parameter declaration and the condition guarding
 * the final flag update are not shown in this listing. Presumably the flag
 * is set again only when GroupDefaulted is TRUE. Confirm.
 */
436 RtlSetGroupSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
438 BOOLEAN GroupDefaulted
)
440 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
442 return(STATUS_UNSUCCESSFUL
);
445 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
447 return(STATUS_UNSUCCESSFUL
);
/* The SID pointer is stored, not copied: the SID must outlive the
 * descriptor. It is not validated here. */
450 SecurityDescriptor
->Group
= Group
;
451 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_GROUP_DEFAULTED
);
455 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_GROUP_DEFAULTED
;
458 return(STATUS_SUCCESS
);
/*
 * RtlGetGroupSecurityDescriptor: returns the primary-group SID through
 * *Group, rebasing the stored field on the descriptor address when
 * SE_SELF_RELATIVE is set, and mirrors SE_GROUP_DEFAULTED into
 * *GroupDefaulted. Returns STATUS_UNSUCCESSFUL on a revision mismatch,
 * otherwise STATUS_SUCCESS.
 *
 * NOTE(review): the Group parameter declaration and the branch taken when
 * the stored group is NULL are not shown in this listing.
 */
466 RtlGetGroupSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
468 PBOOLEAN GroupDefaulted
)
470 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
472 return(STATUS_UNSUCCESSFUL
);
475 if (SecurityDescriptor
->Group
!= NULL
)
477 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
/* The stored offset is trusted; nothing here bounds it against the size of
 * the buffer holding the descriptor. */
479 *Group
= (PSID
)((ULONG
)SecurityDescriptor
->Group
+
480 (PVOID
)SecurityDescriptor
);
484 *Group
= SecurityDescriptor
->Group
;
492 if (SecurityDescriptor
->Control
& SE_GROUP_DEFAULTED
)
494 *GroupDefaulted
= TRUE
;
498 *GroupDefaulted
= FALSE
;
501 return(STATUS_SUCCESS
);
/*
 * RtlGetSaclSecurityDescriptor: reports the descriptor's SACL through the
 * out-parameters. Returns STATUS_UNSUCCESSFUL on a revision mismatch. For a
 * self-relative descriptor the stored Sacl field is rebased on the
 * descriptor address; otherwise the stored pointer is returned unchanged.
 * *SaclDefaulted mirrors the SE_SACL_DEFAULTED control bit.
 *
 * NOTE(review): the declaration of the Sacl out-parameter, the body of the
 * "Sacl == NULL" test and any assignment of *SaclPresent = TRUE are not
 * shown in this listing.
 */
509 RtlGetSaclSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
510 PBOOLEAN SaclPresent
,
512 PBOOLEAN SaclDefaulted
)
514 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
516 return(STATUS_UNSUCCESSFUL
);
/* When SE_SACL_PRESENT is clear only *SaclPresent is written before the
 * successful return; *Sacl and *SaclDefaulted are left untouched, so
 * callers must test *SaclPresent before using either. */
519 if (!(SecurityDescriptor
->Control
& SE_SACL_PRESENT
))
521 *SaclPresent
= FALSE
;
522 return(STATUS_SUCCESS
);
526 if (SecurityDescriptor
->Sacl
== NULL
)
532 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
534 *Sacl
= (PACL
)((ULONG
)SecurityDescriptor
->Sacl
+
535 (PVOID
)SecurityDescriptor
);
539 *Sacl
= SecurityDescriptor
->Sacl
;
543 if (SecurityDescriptor
->Control
& SE_SACL_DEFAULTED
)
545 *SaclDefaulted
= TRUE
;
549 *SaclDefaulted
= FALSE
;
552 return(STATUS_SUCCESS
);
/*
 * RtlSetSaclSecurityDescriptor: attaches or removes the SACL of an
 * absolute-form descriptor. Returns STATUS_UNSUCCESSFUL when the revision
 * does not match or when SE_SELF_RELATIVE is set; otherwise STATUS_SUCCESS.
 *
 * NOTE(review): the SaclPresent and Sacl parameter declarations and the
 * conditions guarding the two branches below are not shown in this listing.
 * Presumably the first branch runs when SaclPresent is FALSE and the final
 * flag update runs when SaclDefaulted is TRUE. Confirm.
 */
560 RtlSetSaclSecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
563 BOOLEAN SaclDefaulted
)
565 if (SecurityDescriptor
->Revision
!= SECURITY_DESCRIPTOR_REVISION
)
567 return(STATUS_UNSUCCESSFUL
);
569 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
571 return(STATUS_UNSUCCESSFUL
);
/* Removal path: clears SE_SACL_PRESENT and returns. The Sacl field itself
 * is not reset on the visible lines. */
576 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_SACL_PRESENT
);
577 return(STATUS_SUCCESS
);
580 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_SACL_PRESENT
;
/* The caller's ACL pointer is stored, not copied: the ACL must stay valid
 * for as long as the descriptor is in use. */
581 SecurityDescriptor
->Sacl
= Sacl
;
582 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
& ~(SE_SACL_DEFAULTED
);
586 SecurityDescriptor
->Control
= SecurityDescriptor
->Control
| SE_SACL_DEFAULTED
;
589 return(STATUS_SUCCESS
);
/*
 * RtlpQuerySecurityDescriptor: for each of owner, DACL, group and SACL,
 * writes a usable pointer to the component (rebased on the descriptor
 * address when SE_SELF_RELATIVE is set) and its length rounded up to a
 * multiple of 4 with "& ~3". SID lengths come from RtlLengthSid, ACL
 * lengths from the AclSize field of the ACL header.
 *
 * NOTE(review): the remaining parameters and the branches taken for an
 * absent component are not shown in this listing. Presumably they store
 * NULL and a zero length. Confirm.
 *
 * NOTE(review): AclSize and the SID contents are read from the descriptor
 * and used as given; nothing on the visible lines bounds them, so the
 * descriptor must already have been validated by the caller.
 */
594 RtlpQuerySecurityDescriptor(PSECURITY_DESCRIPTOR SecurityDescriptor
,
604 if (SecurityDescriptor
->Owner
== NULL
)
610 *Owner
= SecurityDescriptor
->Owner
;
611 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
613 *Owner
= (PSID
)((ULONG
)*Owner
+ (ULONG
)SecurityDescriptor
);
/* Round up to the next multiple of 4 without discarding high bits. */
619 *OwnerLength
= (RtlLengthSid(*Owner
) + 3) & ~3;
626 if ((SecurityDescriptor
->Control
& SE_DACL_PRESENT
) &&
627 SecurityDescriptor
->Dacl
!= NULL
)
629 *Dacl
= SecurityDescriptor
->Dacl
;
630 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
632 *Dacl
= (PACL
)((ULONG
)*Dacl
+ (ULONG
)SecurityDescriptor
);
642 *DaclLength
= ((*Dacl
)->AclSize
+ 3) & ~3;
649 if (SecurityDescriptor
->Group
!= NULL
)
655 *Group
= SecurityDescriptor
->Group
;
656 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
658 *Group
= (PSID
)((ULONG
)*Group
+ (ULONG
)SecurityDescriptor
);
664 *GroupLength
= (RtlLengthSid(*Group
) + 3) & ~3;
671 if ((SecurityDescriptor
->Control
& SE_SACL_PRESENT
) &&
672 SecurityDescriptor
->Sacl
!= NULL
)
674 *Sacl
= SecurityDescriptor
->Sacl
;
675 if (SecurityDescriptor
->Control
& SE_SELF_RELATIVE
)
677 *Sacl
= (PACL
)((ULONG
)*Sacl
+ (ULONG
)SecurityDescriptor
);
687 *SaclLength
= ((*Sacl
)->AclSize
+ 3) & ~3;
/*
 * RtlAbsoluteToSelfRelativeSD: packs an absolute-form descriptor (AbsSD)
 * into the caller's buffer RelSD as a self-relative one. The components are
 * placed after the fixed header in the order SACL, DACL, owner, group. Each
 * RelSD field is set to the component's offset from RelSD, and
 * SE_SELF_RELATIVE is set at the end.
 *
 * Returns STATUS_BAD_DESCRIPTOR_FORMAT when AbsSD is already self-relative,
 * STATUS_BUFFER_TOO_SMALL when *BufferLength is below the computed total,
 * otherwise STATUS_SUCCESS.
 *
 * NOTE(review): the BufferLength declaration, the local declarations, the
 * remaining RtlpQuerySecurityDescriptor arguments, the source and length
 * arguments of every memmove and the conditions guarding the SACL and DACL
 * copies are not shown in this listing.
 */
696 RtlAbsoluteToSelfRelativeSD(PSECURITY_DESCRIPTOR AbsSD
,
697 PSECURITY_DESCRIPTOR RelSD
,
711 if (AbsSD
->Control
& SE_SELF_RELATIVE
)
713 return(STATUS_BAD_DESCRIPTOR_FORMAT
);
716 RtlpQuerySecurityDescriptor(AbsSD
,
/* The size test comes before every visible write to RelSD, so a short
 * buffer is rejected before anything is copied. Whether the required size
 * is reported back through *BufferLength is not visible here. */
726 TotalLength
= OwnerLength
+ GroupLength
+ SaclLength
+
727 DaclLength
+ sizeof(SECURITY_DESCRIPTOR
);
728 if (*BufferLength
< TotalLength
)
730 return(STATUS_BUFFER_TOO_SMALL
);
/* NOTE(review): tail of a call whose start is not shown; presumably the
 * fixed header is copied from AbsSD to RelSD. Confirm. */
737 sizeof(SECURITY_DESCRIPTOR
));
738 Current
= (ULONG
)RelSD
+ sizeof(SECURITY_DESCRIPTOR
);
/* NOTE(review): if each memmove length is the rounded-up length used in
 * TotalLength (arguments not shown), the copy can read up to 3 bytes past
 * an unpadded source component. Confirm against the full source. */
742 memmove((PVOID
)Current
,
745 RelSD
->Sacl
= (PACL
)((ULONG
)Current
- (ULONG
)RelSD
);
746 Current
+= SaclLength
;
751 memmove((PVOID
)Current
,
754 RelSD
->Dacl
= (PACL
)((ULONG
)Current
- (ULONG
)RelSD
);
755 Current
+= DaclLength
;
758 if (OwnerLength
!= 0)
760 memmove((PVOID
)Current
,
763 RelSD
->Owner
= (PSID
)((ULONG
)Current
- (ULONG
)RelSD
);
764 Current
+= OwnerLength
;
767 if (GroupLength
!= 0)
769 memmove((PVOID
)Current
,
772 RelSD
->Group
= (PSID
)((ULONG
)Current
- (ULONG
)RelSD
);
775 RelSD
->Control
|= SE_SELF_RELATIVE
;
777 return(STATUS_SUCCESS
);