/*
 * COPYRIGHT:   See COPYING in the top level directory
 * PROJECT:     ReactOS kernel
 * FILE:        ntoskrnl/se/sid.c
 * PURPOSE:     Security manager
 *
 * PROGRAMMERS: David Welch <welch@cwcom.net>
 */
11 /* INCLUDES *****************************************************************/
16 #include <internal/debug.h>
18 /* GLOBALS ******************************************************************/
/*
 * Identifier authorities of the well-known SIDs. SepInitSecurityIDs passes
 * the address of one of these to RtlInitializeSid when it builds a SID.
 */
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority = {SECURITY_LOCAL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority = {SECURITY_NT_AUTHORITY};

/*
 * Pointers to the well-known SIDs. Every pointer starts out NULL and is
 * assigned by SepInitSecurityIDs from ExAllocatePoolWithTag(NonPagedPool, ...),
 * so a consumer that runs before that routine has succeeded sees NULL.
 *
 * NOTE(review): the pointers are plain writable globals and the SIDs behind
 * them live in writable pool memory; nothing in this file makes them
 * read-only once initialisation is done.
 */

/* SIDs that SepInitSecurityIDs fills with a single SECURITY_*_RID. */
PSID SeNullSid = NULL;
PSID SeWorldSid = NULL;
PSID SeLocalSid = NULL;
PSID SeCreatorOwnerSid = NULL;
PSID SeCreatorGroupSid = NULL;
PSID SeCreatorOwnerServerSid = NULL;
PSID SeCreatorGroupServerSid = NULL;

/* No sub-authority assignment for this one is visible in SepInitSecurityIDs. */
PSID SeNtAuthoritySid = NULL;

PSID SeDialupSid = NULL;
PSID SeNetworkSid = NULL;
PSID SeBatchSid = NULL;
PSID SeInteractiveSid = NULL;
PSID SeServiceSid = NULL;
PSID SeAnonymousLogonSid = NULL;
PSID SePrincipalSelfSid = NULL;
PSID SeLocalSystemSid = NULL;
PSID SeAuthenticatedUserSid = NULL;
PSID SeRestrictedCodeSid = NULL;

/*
 * Alias SIDs: SepInitSecurityIDs assigns SECURITY_BUILTIN_DOMAIN_RID and then
 * the matching DOMAIN_ALIAS_RID_* value to each of these.
 */
PSID SeAliasAdminsSid = NULL;
PSID SeAliasUsersSid = NULL;
PSID SeAliasGuestsSid = NULL;
PSID SeAliasPowerUsersSid = NULL;
PSID SeAliasAccountOpsSid = NULL;
PSID SeAliasSystemOpsSid = NULL;
PSID SeAliasPrintOpsSid = NULL;
PSID SeAliasBackupOpsSid = NULL;
54 /* FUNCTIONS ****************************************************************/
/*
 * SepInitSecurityIDs - allocate and fill in the well-known SIDs that the
 * Se*Sid global pointers refer to.
 *
 * For every SID the visible code follows the same sequence: allocate from
 * NonPagedPool with ExAllocatePoolWithTag, compare the result with NULL,
 * call RtlInitializeSid, then store the relative identifier(s) through the
 * pointer returned by RtlSubAuthoritySid.
 *
 * NOTE(review): this listing keeps the original file's line numbers at the
 * start of each statement and shows only part of the file. The return type,
 * the braces, the size/tag arguments of the allocations, the sub-authority
 * counts and indices, and the statement guarded by each NULL check are not
 * visible here - presumably they exist in the real file; confirm there.
 * NOTE(review): what happens to SIDs that were already allocated when a later
 * allocation fails is not visible in this listing.
 */
58 SepInitSecurityIDs(VOID
)
/* Sizes needed for a SID with zero, one and two sub-authorities. */
65 SidLength0
= RtlLengthRequiredSid(0);
66 SidLength1
= RtlLengthRequiredSid(1);
67 SidLength2
= RtlLengthRequiredSid(2);
/* Null SID; its sub-authority is SECURITY_NULL_RID. */
70 SeNullSid
= ExAllocatePoolWithTag(NonPagedPool
,
73 if (SeNullSid
== NULL
)
76 RtlInitializeSid(SeNullSid
,
79 SubAuthority
= RtlSubAuthoritySid(SeNullSid
,
81 *SubAuthority
= SECURITY_NULL_RID
;
/* World SID; its sub-authority is SECURITY_WORLD_RID. */
84 SeWorldSid
= ExAllocatePoolWithTag(NonPagedPool
,
87 if (SeWorldSid
== NULL
)
90 RtlInitializeSid(SeWorldSid
,
93 SubAuthority
= RtlSubAuthoritySid(SeWorldSid
,
95 *SubAuthority
= SECURITY_WORLD_RID
;
/* Local SID, built under SeLocalSidAuthority with SECURITY_LOCAL_RID. */
98 SeLocalSid
= ExAllocatePoolWithTag(NonPagedPool
,
101 if (SeLocalSid
== NULL
)
104 RtlInitializeSid(SeLocalSid
,
105 &SeLocalSidAuthority
,
107 SubAuthority
= RtlSubAuthoritySid(SeLocalSid
,
109 *SubAuthority
= SECURITY_LOCAL_RID
;
/* The four creator SIDs below all use SeCreatorSidAuthority. */
111 /* create CreatorOwnerSid */
112 SeCreatorOwnerSid
= ExAllocatePoolWithTag(NonPagedPool
,
115 if (SeCreatorOwnerSid
== NULL
)
118 RtlInitializeSid(SeCreatorOwnerSid
,
119 &SeCreatorSidAuthority
,
121 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerSid
,
123 *SubAuthority
= SECURITY_CREATOR_OWNER_RID
;
125 /* create CreatorGroupSid */
126 SeCreatorGroupSid
= ExAllocatePoolWithTag(NonPagedPool
,
129 if (SeCreatorGroupSid
== NULL
)
132 RtlInitializeSid(SeCreatorGroupSid
,
133 &SeCreatorSidAuthority
,
135 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupSid
,
137 *SubAuthority
= SECURITY_CREATOR_GROUP_RID
;
139 /* create CreatorOwnerServerSid */
140 SeCreatorOwnerServerSid
= ExAllocatePoolWithTag(NonPagedPool
,
143 if (SeCreatorOwnerServerSid
== NULL
)
146 RtlInitializeSid(SeCreatorOwnerServerSid
,
147 &SeCreatorSidAuthority
,
149 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerServerSid
,
151 *SubAuthority
= SECURITY_CREATOR_OWNER_SERVER_RID
;
153 /* create CreatorGroupServerSid */
154 SeCreatorGroupServerSid
= ExAllocatePoolWithTag(NonPagedPool
,
157 if (SeCreatorGroupServerSid
== NULL
)
160 RtlInitializeSid(SeCreatorGroupServerSid
,
161 &SeCreatorSidAuthority
,
163 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupServerSid
,
165 *SubAuthority
= SECURITY_CREATOR_GROUP_SERVER_RID
;
/*
 * Unlike every other SID in this routine, no RtlSubAuthoritySid assignment
 * follows the initialisation of SeNtAuthoritySid in this listing.
 */
168 /* create NtAuthoritySid */
169 SeNtAuthoritySid
= ExAllocatePoolWithTag(NonPagedPool
,
172 if (SeNtAuthoritySid
== NULL
)
175 RtlInitializeSid(SeNtAuthoritySid
,
/*
 * The SIDs from here up to RestrictedCodeSid each receive one SECURITY_*_RID.
 * NOTE(review): the authority argument of their RtlInitializeSid calls is not
 * visible in this listing - presumably SeNtSidAuthority; confirm.
 */
179 /* create DialupSid */
180 SeDialupSid
= ExAllocatePoolWithTag(NonPagedPool
,
183 if (SeDialupSid
== NULL
)
186 RtlInitializeSid(SeDialupSid
,
189 SubAuthority
= RtlSubAuthoritySid(SeDialupSid
,
191 *SubAuthority
= SECURITY_DIALUP_RID
;
193 /* create NetworkSid */
194 SeNetworkSid
= ExAllocatePoolWithTag(NonPagedPool
,
197 if (SeNetworkSid
== NULL
)
200 RtlInitializeSid(SeNetworkSid
,
203 SubAuthority
= RtlSubAuthoritySid(SeNetworkSid
,
205 *SubAuthority
= SECURITY_NETWORK_RID
;
207 /* create BatchSid */
208 SeBatchSid
= ExAllocatePoolWithTag(NonPagedPool
,
211 if (SeBatchSid
== NULL
)
214 RtlInitializeSid(SeBatchSid
,
217 SubAuthority
= RtlSubAuthoritySid(SeBatchSid
,
219 *SubAuthority
= SECURITY_BATCH_RID
;
221 /* create InteractiveSid */
222 SeInteractiveSid
= ExAllocatePoolWithTag(NonPagedPool
,
225 if (SeInteractiveSid
== NULL
)
228 RtlInitializeSid(SeInteractiveSid
,
231 SubAuthority
= RtlSubAuthoritySid(SeInteractiveSid
,
233 *SubAuthority
= SECURITY_INTERACTIVE_RID
;
235 /* create ServiceSid */
236 SeServiceSid
= ExAllocatePoolWithTag(NonPagedPool
,
239 if (SeServiceSid
== NULL
)
242 RtlInitializeSid(SeServiceSid
,
245 SubAuthority
= RtlSubAuthoritySid(SeServiceSid
,
247 *SubAuthority
= SECURITY_SERVICE_RID
;
249 /* create AnonymousLogonSid */
250 SeAnonymousLogonSid
= ExAllocatePoolWithTag(NonPagedPool
,
253 if (SeAnonymousLogonSid
== NULL
)
256 RtlInitializeSid(SeAnonymousLogonSid
,
259 SubAuthority
= RtlSubAuthoritySid(SeAnonymousLogonSid
,
261 *SubAuthority
= SECURITY_ANONYMOUS_LOGON_RID
;
263 /* create PrincipalSelfSid */
264 SePrincipalSelfSid
= ExAllocatePoolWithTag(NonPagedPool
,
267 if (SePrincipalSelfSid
== NULL
)
270 RtlInitializeSid(SePrincipalSelfSid
,
273 SubAuthority
= RtlSubAuthoritySid(SePrincipalSelfSid
,
275 *SubAuthority
= SECURITY_PRINCIPAL_SELF_RID
;
277 /* create LocalSystemSid */
278 SeLocalSystemSid
= ExAllocatePoolWithTag(NonPagedPool
,
281 if (SeLocalSystemSid
== NULL
)
284 RtlInitializeSid(SeLocalSystemSid
,
287 SubAuthority
= RtlSubAuthoritySid(SeLocalSystemSid
,
289 *SubAuthority
= SECURITY_LOCAL_SYSTEM_RID
;
291 /* create AuthenticatedUserSid */
292 SeAuthenticatedUserSid
= ExAllocatePoolWithTag(NonPagedPool
,
295 if (SeAuthenticatedUserSid
== NULL
)
298 RtlInitializeSid(SeAuthenticatedUserSid
,
301 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUserSid
,
303 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
305 /* create RestrictedCodeSid */
306 SeRestrictedCodeSid
= ExAllocatePoolWithTag(NonPagedPool
,
309 if (SeRestrictedCodeSid
== NULL
)
312 RtlInitializeSid(SeRestrictedCodeSid
,
315 SubAuthority
= RtlSubAuthoritySid(SeRestrictedCodeSid
,
317 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
/*
 * Alias SIDs: each one gets two assignments through RtlSubAuthoritySid,
 * SECURITY_BUILTIN_DOMAIN_RID first and the DOMAIN_ALIAS_RID_* value second.
 * NOTE(review): the sub-authority indices and the allocation size are not
 * visible here - presumably 0/1 and SidLength2; confirm that the size matches
 * the two writes.
 */
319 /* create AliasAdminsSid */
320 SeAliasAdminsSid
= ExAllocatePoolWithTag(NonPagedPool
,
323 if (SeAliasAdminsSid
== NULL
)
326 RtlInitializeSid(SeAliasAdminsSid
,
329 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
,
331 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
333 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
,
335 *SubAuthority
= DOMAIN_ALIAS_RID_ADMINS
;
337 /* create AliasUsersSid */
338 SeAliasUsersSid
= ExAllocatePoolWithTag(NonPagedPool
,
341 if (SeAliasUsersSid
== NULL
)
344 RtlInitializeSid(SeAliasUsersSid
,
347 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
,
349 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
351 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
,
353 *SubAuthority
= DOMAIN_ALIAS_RID_USERS
;
355 /* create AliasGuestsSid */
356 SeAliasGuestsSid
= ExAllocatePoolWithTag(NonPagedPool
,
359 if (SeAliasGuestsSid
== NULL
)
362 RtlInitializeSid(SeAliasGuestsSid
,
365 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
,
367 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
369 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
,
371 *SubAuthority
= DOMAIN_ALIAS_RID_GUESTS
;
373 /* create AliasPowerUsersSid */
374 SeAliasPowerUsersSid
= ExAllocatePoolWithTag(NonPagedPool
,
377 if (SeAliasPowerUsersSid
== NULL
)
380 RtlInitializeSid(SeAliasPowerUsersSid
,
383 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
,
385 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
387 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
,
389 *SubAuthority
= DOMAIN_ALIAS_RID_POWER_USERS
;
391 /* create AliasAccountOpsSid */
392 SeAliasAccountOpsSid
= ExAllocatePoolWithTag(NonPagedPool
,
395 if (SeAliasAccountOpsSid
== NULL
)
398 RtlInitializeSid(SeAliasAccountOpsSid
,
401 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
,
403 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
405 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
,
407 *SubAuthority
= DOMAIN_ALIAS_RID_ACCOUNT_OPS
;
409 /* create AliasSystemOpsSid */
410 SeAliasSystemOpsSid
= ExAllocatePoolWithTag(NonPagedPool
,
413 if (SeAliasSystemOpsSid
== NULL
)
416 RtlInitializeSid(SeAliasSystemOpsSid
,
419 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
,
421 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
423 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
,
425 *SubAuthority
= DOMAIN_ALIAS_RID_SYSTEM_OPS
;
427 /* create AliasPrintOpsSid */
428 SeAliasPrintOpsSid
= ExAllocatePoolWithTag(NonPagedPool
,
431 if (SeAliasPrintOpsSid
== NULL
)
434 RtlInitializeSid(SeAliasPrintOpsSid
,
437 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
,
439 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
441 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
,
443 *SubAuthority
= DOMAIN_ALIAS_RID_PRINT_OPS
;
445 /* create AliasBackupOpsSid */
446 SeAliasBackupOpsSid
= ExAllocatePoolWithTag(NonPagedPool
,
449 if (SeAliasBackupOpsSid
== NULL
)
452 RtlInitializeSid(SeAliasBackupOpsSid
,
455 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
,
457 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
459 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
,
461 *SubAuthority
= DOMAIN_ALIAS_RID_BACKUP_OPS
;
/*
 * SepCaptureSid - produce, in *CapturedSid, the SID the caller should use in
 * place of InputSid.
 *
 * InputSid         SID supplied by the requestor; accessed as a PISID.
 * AccessMode       anything other than KernelMode takes the exception-guarded
 *                  path; KernelMode takes one of the two later branches.
 * PoolType         pool type handed to ExAllocatePool for the copy.
 * CaptureIfKernel  for a KernelMode request, FALSE stores InputSid itself in
 *                  *CapturedSid and returns STATUS_SUCCESS without copying;
 *                  otherwise a copy is allocated.
 * CapturedSid      receives either the new copy (NewSid) or InputSid.
 *
 * Status values assigned in the visible code: STATUS_SUCCESS, the value of
 * _SEH_GetExceptionCode(), and STATUS_INSUFFICIENT_RESOURCES when the
 * allocation yields no buffer. The final return statement is not visible in
 * this listing - presumably it returns Status.
 *
 * A copy made here is released by SepReleaseSid, which frees when AccessMode
 * is UserMode or when it is KernelMode with CaptureIfKernel set; callers must
 * pass the same AccessMode/CaptureIfKernel pair to both routines, otherwise
 * the copy leaks or a caller-owned SID is freed.
 *
 * NOTE(review): this listing keeps the original file's line numbers and omits
 * lines (return type, braces, the probe and SEH framing, several call
 * arguments); comments below hedge wherever they depend on an omitted line.
 */
467 SepCaptureSid(IN PSID InputSid
,
468 IN KPROCESSOR_MODE AccessMode
,
469 IN POOL_TYPE PoolType
,
470 IN BOOLEAN CaptureIfKernel
,
471 OUT PSID
*CapturedSid
)
474 PISID NewSid
, Sid
= (PISID
)InputSid
;
475 NTSTATUS Status
= STATUS_SUCCESS
;
/* Requests that are not from kernel mode: InputSid is untrusted memory. */
479 if(AccessMode
!= KernelMode
)
/*
 * Size of the SID structure without its SubAuthority array, i.e. the fixed
 * header. NOTE(review): the call this argument belongs to is not visible -
 * presumably a probe of the caller's buffer; confirm.
 */
484 sizeof(*Sid
) - sizeof(Sid
->SubAuthority
),
/*
 * SubAuthorityCount is read from the caller's buffer to size the copy.
 * NOTE(review): if the later RtlCopyMemory reads the caller's buffer again
 * (its source and length arguments are not visible here), the count stored in
 * the copy can differ from the one used for SidSize, because a user-mode
 * caller can change the buffer between the two reads. No re-check of
 * NewSid->SubAuthorityCount after the copy, and no validation of the
 * revision or of an upper bound on the count, is visible in this listing -
 * confirm against the full file.
 */
486 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
/* Exception raised while touching the caller's buffer becomes the status. */
493 Status
= _SEH_GetExceptionCode();
497 if(NT_SUCCESS(Status
))
499 /* allocate a SID and copy it */
/* Untagged allocation, unlike the ExAllocatePoolWithTag calls in SepInitSecurityIDs. */
500 NewSid
= ExAllocatePool(PoolType
,
506 RtlCopyMemory(NewSid
,
510 *CapturedSid
= NewSid
;
/*
 * Exception raised during the copy becomes the status.
 * NOTE(review): whether NewSid is freed on this path is not visible in the
 * listing - confirm, since *CapturedSid may already have been written.
 */
515 Status
= _SEH_GetExceptionCode();
521 Status
= STATUS_INSUFFICIENT_RESOURCES
;
/* Kernel-mode request without capture: hand back the caller's own pointer. */
525 else if(!CaptureIfKernel
)
527 *CapturedSid
= InputSid
;
528 return STATUS_SUCCESS
;
/*
 * Kernel-mode request with capture: same size computation and copy as above;
 * no _SEH_GetExceptionCode use is visible on this path.
 */
532 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
534 /* allocate a SID and copy it */
535 NewSid
= ExAllocatePool(PoolType
,
539 RtlCopyMemory(NewSid
,
543 *CapturedSid
= NewSid
;
547 Status
= STATUS_INSUFFICIENT_RESOURCES
;
555 SepReleaseSid(IN PSID CapturedSid
,
556 IN KPROCESSOR_MODE AccessMode
,
557 IN BOOLEAN CaptureIfKernel
)
561 if(CapturedSid
!= NULL
&&
562 (AccessMode
== UserMode
||
563 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
565 ExFreePool(CapturedSid
);