3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/sid.c
6 * PURPOSE: Security manager
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
11 /* INCLUDES *****************************************************************/
16 #include <internal/debug.h>
18 #define TAG_SID TAG('S', 'I', 'D', 'T')
21 /* GLOBALS ******************************************************************/
23 SID_IDENTIFIER_AUTHORITY SeNullSidAuthority
= {SECURITY_NULL_SID_AUTHORITY
};
24 SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority
= {SECURITY_WORLD_SID_AUTHORITY
};
25 SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority
= {SECURITY_LOCAL_SID_AUTHORITY
};
26 SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority
= {SECURITY_CREATOR_SID_AUTHORITY
};
27 SID_IDENTIFIER_AUTHORITY SeNtSidAuthority
= {SECURITY_NT_AUTHORITY
};
29 PSID SeNullSid
= NULL
;
30 PSID SeWorldSid
= NULL
;
31 PSID SeLocalSid
= NULL
;
32 PSID SeCreatorOwnerSid
= NULL
;
33 PSID SeCreatorGroupSid
= NULL
;
34 PSID SeCreatorOwnerServerSid
= NULL
;
35 PSID SeCreatorGroupServerSid
= NULL
;
36 PSID SeNtAuthoritySid
= NULL
;
37 PSID SeDialupSid
= NULL
;
38 PSID SeNetworkSid
= NULL
;
39 PSID SeBatchSid
= NULL
;
40 PSID SeInteractiveSid
= NULL
;
41 PSID SeServiceSid
= NULL
;
42 PSID SeAnonymousLogonSid
= NULL
;
43 PSID SePrincipalSelfSid
= NULL
;
44 PSID SeLocalSystemSid
= NULL
;
45 PSID SeAuthenticatedUserSid
= NULL
;
46 PSID SeRestrictedCodeSid
= NULL
;
47 PSID SeAliasAdminsSid
= NULL
;
48 PSID SeAliasUsersSid
= NULL
;
49 PSID SeAliasGuestsSid
= NULL
;
50 PSID SeAliasPowerUsersSid
= NULL
;
51 PSID SeAliasAccountOpsSid
= NULL
;
52 PSID SeAliasSystemOpsSid
= NULL
;
53 PSID SeAliasPrintOpsSid
= NULL
;
54 PSID SeAliasBackupOpsSid
= NULL
;
57 /* FUNCTIONS ****************************************************************/
61 SepInitSecurityIDs(VOID
)
68 SidLength0
= RtlLengthRequiredSid(0);
69 SidLength1
= RtlLengthRequiredSid(1);
70 SidLength2
= RtlLengthRequiredSid(2);
73 SeNullSid
= ExAllocatePoolWithTag(NonPagedPool
,
76 if (SeNullSid
== NULL
)
79 RtlInitializeSid(SeNullSid
,
82 SubAuthority
= RtlSubAuthoritySid(SeNullSid
,
84 *SubAuthority
= SECURITY_NULL_RID
;
87 SeWorldSid
= ExAllocatePoolWithTag(NonPagedPool
,
90 if (SeWorldSid
== NULL
)
93 RtlInitializeSid(SeWorldSid
,
96 SubAuthority
= RtlSubAuthoritySid(SeWorldSid
,
98 *SubAuthority
= SECURITY_WORLD_RID
;
100 /* create LocalSid */
101 SeLocalSid
= ExAllocatePoolWithTag(NonPagedPool
,
104 if (SeLocalSid
== NULL
)
107 RtlInitializeSid(SeLocalSid
,
108 &SeLocalSidAuthority
,
110 SubAuthority
= RtlSubAuthoritySid(SeLocalSid
,
112 *SubAuthority
= SECURITY_LOCAL_RID
;
114 /* create CreatorOwnerSid */
115 SeCreatorOwnerSid
= ExAllocatePoolWithTag(NonPagedPool
,
118 if (SeCreatorOwnerSid
== NULL
)
121 RtlInitializeSid(SeCreatorOwnerSid
,
122 &SeCreatorSidAuthority
,
124 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerSid
,
126 *SubAuthority
= SECURITY_CREATOR_OWNER_RID
;
128 /* create CreatorGroupSid */
129 SeCreatorGroupSid
= ExAllocatePoolWithTag(NonPagedPool
,
132 if (SeCreatorGroupSid
== NULL
)
135 RtlInitializeSid(SeCreatorGroupSid
,
136 &SeCreatorSidAuthority
,
138 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupSid
,
140 *SubAuthority
= SECURITY_CREATOR_GROUP_RID
;
142 /* create CreatorOwnerServerSid */
143 SeCreatorOwnerServerSid
= ExAllocatePoolWithTag(NonPagedPool
,
146 if (SeCreatorOwnerServerSid
== NULL
)
149 RtlInitializeSid(SeCreatorOwnerServerSid
,
150 &SeCreatorSidAuthority
,
152 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerServerSid
,
154 *SubAuthority
= SECURITY_CREATOR_OWNER_SERVER_RID
;
156 /* create CreatorGroupServerSid */
157 SeCreatorGroupServerSid
= ExAllocatePoolWithTag(NonPagedPool
,
160 if (SeCreatorGroupServerSid
== NULL
)
163 RtlInitializeSid(SeCreatorGroupServerSid
,
164 &SeCreatorSidAuthority
,
166 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupServerSid
,
168 *SubAuthority
= SECURITY_CREATOR_GROUP_SERVER_RID
;
171 /* create NtAuthoritySid */
172 SeNtAuthoritySid
= ExAllocatePoolWithTag(NonPagedPool
,
175 if (SeNtAuthoritySid
== NULL
)
178 RtlInitializeSid(SeNtAuthoritySid
,
182 /* create DialupSid */
183 SeDialupSid
= ExAllocatePoolWithTag(NonPagedPool
,
186 if (SeDialupSid
== NULL
)
189 RtlInitializeSid(SeDialupSid
,
192 SubAuthority
= RtlSubAuthoritySid(SeDialupSid
,
194 *SubAuthority
= SECURITY_DIALUP_RID
;
196 /* create NetworkSid */
197 SeNetworkSid
= ExAllocatePoolWithTag(NonPagedPool
,
200 if (SeNetworkSid
== NULL
)
203 RtlInitializeSid(SeNetworkSid
,
206 SubAuthority
= RtlSubAuthoritySid(SeNetworkSid
,
208 *SubAuthority
= SECURITY_NETWORK_RID
;
210 /* create BatchSid */
211 SeBatchSid
= ExAllocatePoolWithTag(NonPagedPool
,
214 if (SeBatchSid
== NULL
)
217 RtlInitializeSid(SeBatchSid
,
220 SubAuthority
= RtlSubAuthoritySid(SeBatchSid
,
222 *SubAuthority
= SECURITY_BATCH_RID
;
224 /* create InteractiveSid */
225 SeInteractiveSid
= ExAllocatePoolWithTag(NonPagedPool
,
228 if (SeInteractiveSid
== NULL
)
231 RtlInitializeSid(SeInteractiveSid
,
234 SubAuthority
= RtlSubAuthoritySid(SeInteractiveSid
,
236 *SubAuthority
= SECURITY_INTERACTIVE_RID
;
238 /* create ServiceSid */
239 SeServiceSid
= ExAllocatePoolWithTag(NonPagedPool
,
242 if (SeServiceSid
== NULL
)
245 RtlInitializeSid(SeServiceSid
,
248 SubAuthority
= RtlSubAuthoritySid(SeServiceSid
,
250 *SubAuthority
= SECURITY_SERVICE_RID
;
252 /* create AnonymousLogonSid */
253 SeAnonymousLogonSid
= ExAllocatePoolWithTag(NonPagedPool
,
256 if (SeAnonymousLogonSid
== NULL
)
259 RtlInitializeSid(SeAnonymousLogonSid
,
262 SubAuthority
= RtlSubAuthoritySid(SeAnonymousLogonSid
,
264 *SubAuthority
= SECURITY_ANONYMOUS_LOGON_RID
;
266 /* create PrincipalSelfSid */
267 SePrincipalSelfSid
= ExAllocatePoolWithTag(NonPagedPool
,
270 if (SePrincipalSelfSid
== NULL
)
273 RtlInitializeSid(SePrincipalSelfSid
,
276 SubAuthority
= RtlSubAuthoritySid(SePrincipalSelfSid
,
278 *SubAuthority
= SECURITY_PRINCIPAL_SELF_RID
;
280 /* create LocalSystemSid */
281 SeLocalSystemSid
= ExAllocatePoolWithTag(NonPagedPool
,
284 if (SeLocalSystemSid
== NULL
)
287 RtlInitializeSid(SeLocalSystemSid
,
290 SubAuthority
= RtlSubAuthoritySid(SeLocalSystemSid
,
292 *SubAuthority
= SECURITY_LOCAL_SYSTEM_RID
;
294 /* create AuthenticatedUserSid */
295 SeAuthenticatedUserSid
= ExAllocatePoolWithTag(NonPagedPool
,
298 if (SeAuthenticatedUserSid
== NULL
)
301 RtlInitializeSid(SeAuthenticatedUserSid
,
304 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUserSid
,
306 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
308 /* create RestrictedCodeSid */
309 SeRestrictedCodeSid
= ExAllocatePoolWithTag(NonPagedPool
,
312 if (SeRestrictedCodeSid
== NULL
)
315 RtlInitializeSid(SeRestrictedCodeSid
,
318 SubAuthority
= RtlSubAuthoritySid(SeRestrictedCodeSid
,
320 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
322 /* create AliasAdminsSid */
323 SeAliasAdminsSid
= ExAllocatePoolWithTag(NonPagedPool
,
326 if (SeAliasAdminsSid
== NULL
)
329 RtlInitializeSid(SeAliasAdminsSid
,
332 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
,
334 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
336 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
,
338 *SubAuthority
= DOMAIN_ALIAS_RID_ADMINS
;
340 /* create AliasUsersSid */
341 SeAliasUsersSid
= ExAllocatePoolWithTag(NonPagedPool
,
344 if (SeAliasUsersSid
== NULL
)
347 RtlInitializeSid(SeAliasUsersSid
,
350 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
,
352 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
354 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
,
356 *SubAuthority
= DOMAIN_ALIAS_RID_USERS
;
358 /* create AliasGuestsSid */
359 SeAliasGuestsSid
= ExAllocatePoolWithTag(NonPagedPool
,
362 if (SeAliasGuestsSid
== NULL
)
365 RtlInitializeSid(SeAliasGuestsSid
,
368 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
,
370 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
372 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
,
374 *SubAuthority
= DOMAIN_ALIAS_RID_GUESTS
;
376 /* create AliasPowerUsersSid */
377 SeAliasPowerUsersSid
= ExAllocatePoolWithTag(NonPagedPool
,
380 if (SeAliasPowerUsersSid
== NULL
)
383 RtlInitializeSid(SeAliasPowerUsersSid
,
386 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
,
388 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
390 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
,
392 *SubAuthority
= DOMAIN_ALIAS_RID_POWER_USERS
;
394 /* create AliasAccountOpsSid */
395 SeAliasAccountOpsSid
= ExAllocatePoolWithTag(NonPagedPool
,
398 if (SeAliasAccountOpsSid
== NULL
)
401 RtlInitializeSid(SeAliasAccountOpsSid
,
404 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
,
406 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
408 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
,
410 *SubAuthority
= DOMAIN_ALIAS_RID_ACCOUNT_OPS
;
412 /* create AliasSystemOpsSid */
413 SeAliasSystemOpsSid
= ExAllocatePoolWithTag(NonPagedPool
,
416 if (SeAliasSystemOpsSid
== NULL
)
419 RtlInitializeSid(SeAliasSystemOpsSid
,
422 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
,
424 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
426 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
,
428 *SubAuthority
= DOMAIN_ALIAS_RID_SYSTEM_OPS
;
430 /* create AliasPrintOpsSid */
431 SeAliasPrintOpsSid
= ExAllocatePoolWithTag(NonPagedPool
,
434 if (SeAliasPrintOpsSid
== NULL
)
437 RtlInitializeSid(SeAliasPrintOpsSid
,
440 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
,
442 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
444 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
,
446 *SubAuthority
= DOMAIN_ALIAS_RID_PRINT_OPS
;
448 /* create AliasBackupOpsSid */
449 SeAliasBackupOpsSid
= ExAllocatePoolWithTag(NonPagedPool
,
452 if (SeAliasBackupOpsSid
== NULL
)
455 RtlInitializeSid(SeAliasBackupOpsSid
,
458 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
,
460 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
462 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
,
464 *SubAuthority
= DOMAIN_ALIAS_RID_BACKUP_OPS
;
470 SepCaptureSid(IN PSID InputSid
,
471 IN KPROCESSOR_MODE AccessMode
,
472 IN POOL_TYPE PoolType
,
473 IN BOOLEAN CaptureIfKernel
,
474 OUT PSID
*CapturedSid
)
477 PISID NewSid
, Sid
= (PISID
)InputSid
;
478 NTSTATUS Status
= STATUS_SUCCESS
;
482 if(AccessMode
!= KernelMode
)
487 sizeof(*Sid
) - sizeof(Sid
->SubAuthority
),
489 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
496 Status
= _SEH_GetExceptionCode();
500 if(NT_SUCCESS(Status
))
502 /* allocate a SID and copy it */
503 NewSid
= ExAllocatePool(PoolType
,
509 RtlCopyMemory(NewSid
,
513 *CapturedSid
= NewSid
;
518 Status
= _SEH_GetExceptionCode();
524 Status
= STATUS_INSUFFICIENT_RESOURCES
;
528 else if(!CaptureIfKernel
)
530 *CapturedSid
= InputSid
;
531 return STATUS_SUCCESS
;
535 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
537 /* allocate a SID and copy it */
538 NewSid
= ExAllocatePool(PoolType
,
542 RtlCopyMemory(NewSid
,
546 *CapturedSid
= NewSid
;
550 Status
= STATUS_INSUFFICIENT_RESOURCES
;
558 SepReleaseSid(IN PSID CapturedSid
,
559 IN KPROCESSOR_MODE AccessMode
,
560 IN BOOLEAN CaptureIfKernel
)
564 if(CapturedSid
!= NULL
&&
565 (AccessMode
== UserMode
||
566 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
568 ExFreePool(CapturedSid
);