3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/sid.c
6 * PURPOSE: Security manager
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
11 /* INCLUDES *****************************************************************/
16 #include <internal/debug.h>
18 #if defined (ALLOC_PRAGMA)
19 #pragma alloc_text(INIT, SepInitSecurityIDs)
23 /* GLOBALS ******************************************************************/
25 SID_IDENTIFIER_AUTHORITY SeNullSidAuthority
= {SECURITY_NULL_SID_AUTHORITY
};
26 SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority
= {SECURITY_WORLD_SID_AUTHORITY
};
27 SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority
= {SECURITY_LOCAL_SID_AUTHORITY
};
28 SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority
= {SECURITY_CREATOR_SID_AUTHORITY
};
29 SID_IDENTIFIER_AUTHORITY SeNtSidAuthority
= {SECURITY_NT_AUTHORITY
};
31 PSID SeNullSid
= NULL
;
32 PSID SeWorldSid
= NULL
;
33 PSID SeLocalSid
= NULL
;
34 PSID SeCreatorOwnerSid
= NULL
;
35 PSID SeCreatorGroupSid
= NULL
;
36 PSID SeCreatorOwnerServerSid
= NULL
;
37 PSID SeCreatorGroupServerSid
= NULL
;
38 PSID SeNtAuthoritySid
= NULL
;
39 PSID SeDialupSid
= NULL
;
40 PSID SeNetworkSid
= NULL
;
41 PSID SeBatchSid
= NULL
;
42 PSID SeInteractiveSid
= NULL
;
43 PSID SeServiceSid
= NULL
;
44 PSID SePrincipalSelfSid
= NULL
;
45 PSID SeLocalSystemSid
= NULL
;
46 PSID SeAuthenticatedUserSid
= NULL
;
47 PSID SeRestrictedCodeSid
= NULL
;
48 PSID SeAliasAdminsSid
= NULL
;
49 PSID SeAliasUsersSid
= NULL
;
50 PSID SeAliasGuestsSid
= NULL
;
51 PSID SeAliasPowerUsersSid
= NULL
;
52 PSID SeAliasAccountOpsSid
= NULL
;
53 PSID SeAliasSystemOpsSid
= NULL
;
54 PSID SeAliasPrintOpsSid
= NULL
;
55 PSID SeAliasBackupOpsSid
= NULL
;
56 PSID SeAuthenticatedUsersSid
= NULL
;
57 PSID SeRestrictedSid
= NULL
;
58 PSID SeAnonymousLogonSid
= NULL
;
61 /* FUNCTIONS ****************************************************************/
67 SepInitSecurityIDs(VOID
)
74 SidLength0
= RtlLengthRequiredSid(0);
75 SidLength1
= RtlLengthRequiredSid(1);
76 SidLength2
= RtlLengthRequiredSid(2);
79 SeNullSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
80 SeWorldSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
81 SeLocalSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
82 SeCreatorOwnerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
83 SeCreatorGroupSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
84 SeCreatorOwnerServerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
85 SeCreatorGroupServerSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
86 SeNtAuthoritySid
= ExAllocatePoolWithTag(PagedPool
, SidLength0
, TAG_SID
);
87 SeDialupSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
88 SeNetworkSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
89 SeBatchSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
90 SeInteractiveSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
91 SeServiceSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
92 SePrincipalSelfSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
93 SeLocalSystemSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
94 SeAuthenticatedUserSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
95 SeRestrictedCodeSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
96 SeAliasAdminsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
97 SeAliasUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
98 SeAliasGuestsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
99 SeAliasPowerUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
100 SeAliasAccountOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
101 SeAliasSystemOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
102 SeAliasPrintOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
103 SeAliasBackupOpsSid
= ExAllocatePoolWithTag(PagedPool
, SidLength2
, TAG_SID
);
104 SeAuthenticatedUsersSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
105 SeRestrictedSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
106 SeAnonymousLogonSid
= ExAllocatePoolWithTag(PagedPool
, SidLength1
, TAG_SID
);
108 if (SeNullSid
== NULL
|| SeNullSid
== NULL
|| SeWorldSid
== NULL
||
109 SeLocalSid
== NULL
|| SeCreatorOwnerSid
== NULL
||
110 SeCreatorGroupSid
== NULL
|| SeCreatorOwnerServerSid
== NULL
||
111 SeCreatorGroupServerSid
== NULL
|| SeNtAuthoritySid
== NULL
||
112 SeDialupSid
== NULL
|| SeNetworkSid
== NULL
|| SeBatchSid
== NULL
||
113 SeInteractiveSid
== NULL
|| SeServiceSid
== NULL
||
114 SePrincipalSelfSid
== NULL
|| SeLocalSystemSid
== NULL
||
115 SeAuthenticatedUserSid
== NULL
|| SeRestrictedCodeSid
== NULL
||
116 SeAliasAdminsSid
== NULL
|| SeAliasUsersSid
== NULL
||
117 SeAliasGuestsSid
== NULL
|| SeAliasPowerUsersSid
== NULL
||
118 SeAliasAccountOpsSid
== NULL
|| SeAliasSystemOpsSid
== NULL
||
119 SeAliasPrintOpsSid
== NULL
|| SeAliasBackupOpsSid
== NULL
||
120 SeAuthenticatedUsersSid
== NULL
|| SeRestrictedSid
== NULL
||
121 SeAnonymousLogonSid
== NULL
)
123 /* FIXME: We're leaking memory here. */
127 RtlInitializeSid(SeNullSid
, &SeNullSidAuthority
, 1);
128 RtlInitializeSid(SeWorldSid
, &SeWorldSidAuthority
, 1);
129 RtlInitializeSid(SeLocalSid
, &SeLocalSidAuthority
, 1);
130 RtlInitializeSid(SeCreatorOwnerSid
, &SeCreatorSidAuthority
, 1);
131 RtlInitializeSid(SeCreatorGroupSid
, &SeCreatorSidAuthority
, 1);
132 RtlInitializeSid(SeCreatorOwnerServerSid
, &SeCreatorSidAuthority
, 1);
133 RtlInitializeSid(SeCreatorGroupServerSid
, &SeCreatorSidAuthority
, 1);
134 RtlInitializeSid(SeNtAuthoritySid
, &SeNtSidAuthority
, 0);
135 RtlInitializeSid(SeDialupSid
, &SeNtSidAuthority
, 1);
136 RtlInitializeSid(SeNetworkSid
, &SeNtSidAuthority
, 1);
137 RtlInitializeSid(SeBatchSid
, &SeNtSidAuthority
, 1);
138 RtlInitializeSid(SeInteractiveSid
, &SeNtSidAuthority
, 1);
139 RtlInitializeSid(SeServiceSid
, &SeNtSidAuthority
, 1);
140 RtlInitializeSid(SePrincipalSelfSid
, &SeNtSidAuthority
, 1);
141 RtlInitializeSid(SeLocalSystemSid
, &SeNtSidAuthority
, 1);
142 RtlInitializeSid(SeAuthenticatedUserSid
, &SeNtSidAuthority
, 1);
143 RtlInitializeSid(SeRestrictedCodeSid
, &SeNtSidAuthority
, 1);
144 RtlInitializeSid(SeAliasAdminsSid
, &SeNtSidAuthority
, 2);
145 RtlInitializeSid(SeAliasUsersSid
, &SeNtSidAuthority
, 2);
146 RtlInitializeSid(SeAliasGuestsSid
, &SeNtSidAuthority
, 2);
147 RtlInitializeSid(SeAliasPowerUsersSid
, &SeNtSidAuthority
, 2);
148 RtlInitializeSid(SeAliasAccountOpsSid
, &SeNtSidAuthority
, 2);
149 RtlInitializeSid(SeAliasSystemOpsSid
, &SeNtSidAuthority
, 2);
150 RtlInitializeSid(SeAliasPrintOpsSid
, &SeNtSidAuthority
, 2);
151 RtlInitializeSid(SeAliasBackupOpsSid
, &SeNtSidAuthority
, 2);
152 RtlInitializeSid(SeAuthenticatedUsersSid
, &SeNtSidAuthority
, 1);
153 RtlInitializeSid(SeRestrictedSid
, &SeNtSidAuthority
, 1);
154 RtlInitializeSid(SeAnonymousLogonSid
, &SeNtSidAuthority
, 1);
156 SubAuthority
= RtlSubAuthoritySid(SeNullSid
, 0);
157 *SubAuthority
= SECURITY_NULL_RID
;
158 SubAuthority
= RtlSubAuthoritySid(SeWorldSid
, 0);
159 *SubAuthority
= SECURITY_WORLD_RID
;
160 SubAuthority
= RtlSubAuthoritySid(SeLocalSid
, 0);
161 *SubAuthority
= SECURITY_LOCAL_RID
;
162 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerSid
, 0);
163 *SubAuthority
= SECURITY_CREATOR_OWNER_RID
;
164 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupSid
, 0);
165 *SubAuthority
= SECURITY_CREATOR_GROUP_RID
;
166 SubAuthority
= RtlSubAuthoritySid(SeCreatorOwnerServerSid
, 0);
167 *SubAuthority
= SECURITY_CREATOR_OWNER_SERVER_RID
;
168 SubAuthority
= RtlSubAuthoritySid(SeCreatorGroupServerSid
, 0);
169 *SubAuthority
= SECURITY_CREATOR_GROUP_SERVER_RID
;
170 SubAuthority
= RtlSubAuthoritySid(SeDialupSid
, 0);
171 *SubAuthority
= SECURITY_DIALUP_RID
;
172 SubAuthority
= RtlSubAuthoritySid(SeNetworkSid
, 0);
173 *SubAuthority
= SECURITY_NETWORK_RID
;
174 SubAuthority
= RtlSubAuthoritySid(SeBatchSid
, 0);
175 *SubAuthority
= SECURITY_BATCH_RID
;
176 SubAuthority
= RtlSubAuthoritySid(SeInteractiveSid
, 0);
177 *SubAuthority
= SECURITY_INTERACTIVE_RID
;
178 SubAuthority
= RtlSubAuthoritySid(SeServiceSid
, 0);
179 *SubAuthority
= SECURITY_SERVICE_RID
;
180 SubAuthority
= RtlSubAuthoritySid(SePrincipalSelfSid
, 0);
181 *SubAuthority
= SECURITY_PRINCIPAL_SELF_RID
;
182 SubAuthority
= RtlSubAuthoritySid(SeLocalSystemSid
, 0);
183 *SubAuthority
= SECURITY_LOCAL_SYSTEM_RID
;
184 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUserSid
, 0);
185 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
186 SubAuthority
= RtlSubAuthoritySid(SeRestrictedCodeSid
, 0);
187 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
188 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
, 0);
189 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
190 SubAuthority
= RtlSubAuthoritySid(SeAliasAdminsSid
, 1);
191 *SubAuthority
= DOMAIN_ALIAS_RID_ADMINS
;
192 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
, 0);
193 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
194 SubAuthority
= RtlSubAuthoritySid(SeAliasUsersSid
, 1);
195 *SubAuthority
= DOMAIN_ALIAS_RID_USERS
;
196 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
, 0);
197 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
198 SubAuthority
= RtlSubAuthoritySid(SeAliasGuestsSid
, 1);
199 *SubAuthority
= DOMAIN_ALIAS_RID_GUESTS
;
200 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
, 0);
201 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
202 SubAuthority
= RtlSubAuthoritySid(SeAliasPowerUsersSid
, 1);
203 *SubAuthority
= DOMAIN_ALIAS_RID_POWER_USERS
;
204 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
, 0);
205 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
206 SubAuthority
= RtlSubAuthoritySid(SeAliasAccountOpsSid
, 1);
207 *SubAuthority
= DOMAIN_ALIAS_RID_ACCOUNT_OPS
;
208 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
, 0);
209 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
210 SubAuthority
= RtlSubAuthoritySid(SeAliasSystemOpsSid
, 1);
211 *SubAuthority
= DOMAIN_ALIAS_RID_SYSTEM_OPS
;
212 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
, 0);
213 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
214 SubAuthority
= RtlSubAuthoritySid(SeAliasPrintOpsSid
, 1);
215 *SubAuthority
= DOMAIN_ALIAS_RID_PRINT_OPS
;
216 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
, 0);
217 *SubAuthority
= SECURITY_BUILTIN_DOMAIN_RID
;
218 SubAuthority
= RtlSubAuthoritySid(SeAliasBackupOpsSid
, 1);
219 *SubAuthority
= DOMAIN_ALIAS_RID_BACKUP_OPS
;
220 SubAuthority
= RtlSubAuthoritySid(SeAuthenticatedUsersSid
, 0);
221 *SubAuthority
= SECURITY_AUTHENTICATED_USER_RID
;
222 SubAuthority
= RtlSubAuthoritySid(SeRestrictedSid
, 0);
223 *SubAuthority
= SECURITY_RESTRICTED_CODE_RID
;
224 SubAuthority
= RtlSubAuthoritySid(SeAnonymousLogonSid
, 0);
225 *SubAuthority
= SECURITY_ANONYMOUS_LOGON_RID
;
232 SepCaptureSid(IN PSID InputSid
,
233 IN KPROCESSOR_MODE AccessMode
,
234 IN POOL_TYPE PoolType
,
235 IN BOOLEAN CaptureIfKernel
,
236 OUT PSID
*CapturedSid
)
239 PISID NewSid
, Sid
= (PISID
)InputSid
;
240 NTSTATUS Status
= STATUS_SUCCESS
;
244 if(AccessMode
!= KernelMode
)
249 sizeof(*Sid
) - sizeof(Sid
->SubAuthority
),
251 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
258 Status
= _SEH_GetExceptionCode();
262 if(NT_SUCCESS(Status
))
264 /* allocate a SID and copy it */
265 NewSid
= ExAllocatePool(PoolType
,
271 RtlCopyMemory(NewSid
,
275 *CapturedSid
= NewSid
;
280 Status
= _SEH_GetExceptionCode();
286 Status
= STATUS_INSUFFICIENT_RESOURCES
;
290 else if(!CaptureIfKernel
)
292 *CapturedSid
= InputSid
;
293 return STATUS_SUCCESS
;
297 SidSize
= RtlLengthRequiredSid(Sid
->SubAuthorityCount
);
299 /* allocate a SID and copy it */
300 NewSid
= ExAllocatePool(PoolType
,
304 RtlCopyMemory(NewSid
,
308 *CapturedSid
= NewSid
;
312 Status
= STATUS_INSUFFICIENT_RESOURCES
;
321 SepReleaseSid(IN PSID CapturedSid
,
322 IN KPROCESSOR_MODE AccessMode
,
323 IN BOOLEAN CaptureIfKernel
)
327 if(CapturedSid
!= NULL
&&
328 (AccessMode
!= KernelMode
||
329 (AccessMode
== KernelMode
&& CaptureIfKernel
)))
331 ExFreePool(CapturedSid
);