1 /* $Id$
2 *
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/sid.c
6 * PURPOSE: Security manager
7 *
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
9 */
10
11 /* INCLUDES *****************************************************************/
12
13 #include <ntoskrnl.h>
14
15 #define NDEBUG
16 #include <internal/debug.h>
17
18 #if defined (ALLOC_PRAGMA)
19 #pragma alloc_text(INIT, SepInitSecurityIDs)
20 #endif
21
22
23 /* GLOBALS ******************************************************************/
24
/* Identifier authorities used as the top-level issuer of the well-known SIDs below. */
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority = {SECURITY_NULL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority = {SECURITY_LOCAL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority = {SECURITY_NT_AUTHORITY};

/*
 * Well-known SIDs. All of them are NULL until SepInitSecurityIDs allocates
 * and fills them in.
 */

/* One sub-authority each, under the Null, World and Local authorities. */
PSID SeNullSid = NULL;
PSID SeWorldSid = NULL;
PSID SeLocalSid = NULL;

/* One sub-authority each, under the Creator authority. */
PSID SeCreatorOwnerSid = NULL;
PSID SeCreatorGroupSid = NULL;
PSID SeCreatorOwnerServerSid = NULL;
PSID SeCreatorGroupServerSid = NULL;

/* The NT authority itself; initialized with zero sub-authorities. */
PSID SeNtAuthoritySid = NULL;

/* One sub-authority each, under the NT authority. */
PSID SeDialupSid = NULL;
PSID SeNetworkSid = NULL;
PSID SeBatchSid = NULL;
PSID SeInteractiveSid = NULL;
PSID SeServiceSid = NULL;
PSID SePrincipalSelfSid = NULL;
PSID SeLocalSystemSid = NULL;
PSID SeAuthenticatedUserSid = NULL;
PSID SeRestrictedCodeSid = NULL;

/*
 * Two sub-authorities each, under the NT authority:
 * SECURITY_BUILTIN_DOMAIN_RID followed by a DOMAIN_ALIAS_RID_* value.
 */
PSID SeAliasAdminsSid = NULL;
PSID SeAliasUsersSid = NULL;
PSID SeAliasGuestsSid = NULL;
PSID SeAliasPowerUsersSid = NULL;
PSID SeAliasAccountOpsSid = NULL;
PSID SeAliasSystemOpsSid = NULL;
PSID SeAliasPrintOpsSid = NULL;
PSID SeAliasBackupOpsSid = NULL;

/*
 * NOTE(review): SepInitSecurityIDs gives SeAuthenticatedUsersSid the same RID
 * as SeAuthenticatedUserSid (SECURITY_AUTHENTICATED_USER_RID) and
 * SeRestrictedSid the same RID as SeRestrictedCodeSid
 * (SECURITY_RESTRICTED_CODE_RID), so each pair holds two separate allocations
 * of an equal SID. Presumably kept for callers that use either name - confirm
 * before merging them.
 */
PSID SeAuthenticatedUsersSid = NULL;
PSID SeRestrictedSid = NULL;
PSID SeAnonymousLogonSid = NULL;
59
60
61 /* FUNCTIONS ****************************************************************/
62
63
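/*
 * Description of one well-known SID built by SepInitSecurityIDs: the global
 * that receives the allocation, the identifier authority, and the
 * sub-authority (RID) values in order.
 */
typedef struct _SEP_WELL_KNOWN_SID
{
    PSID *Sid;
    PSID_IDENTIFIER_AUTHORITY Authority;
    UCHAR SubAuthorityCount;
    ULONG SubAuthority[2];
} SEP_WELL_KNOWN_SID;

/*
 * Table of every well-known SID. Keeping the definition of each SID on a
 * single row means allocation size, RtlInitializeSid count and the RIDs
 * written cannot drift apart, which is easy to get wrong when the same name
 * has to be repeated in four separate statement lists.
 */
static const SEP_WELL_KNOWN_SID SepWellKnownSids[] =
{
    { &SeNullSid,               &SeNullSidAuthority,    1, { SECURITY_NULL_RID } },
    { &SeWorldSid,              &SeWorldSidAuthority,   1, { SECURITY_WORLD_RID } },
    { &SeLocalSid,              &SeLocalSidAuthority,   1, { SECURITY_LOCAL_RID } },
    { &SeCreatorOwnerSid,       &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_OWNER_RID } },
    { &SeCreatorGroupSid,       &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_GROUP_RID } },
    { &SeCreatorOwnerServerSid, &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_OWNER_SERVER_RID } },
    { &SeCreatorGroupServerSid, &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_GROUP_SERVER_RID } },
    { &SeNtAuthoritySid,        &SeNtSidAuthority,      0, { 0 } },
    { &SeDialupSid,             &SeNtSidAuthority,      1, { SECURITY_DIALUP_RID } },
    { &SeNetworkSid,            &SeNtSidAuthority,      1, { SECURITY_NETWORK_RID } },
    { &SeBatchSid,              &SeNtSidAuthority,      1, { SECURITY_BATCH_RID } },
    { &SeInteractiveSid,        &SeNtSidAuthority,      1, { SECURITY_INTERACTIVE_RID } },
    { &SeServiceSid,            &SeNtSidAuthority,      1, { SECURITY_SERVICE_RID } },
    { &SePrincipalSelfSid,      &SeNtSidAuthority,      1, { SECURITY_PRINCIPAL_SELF_RID } },
    { &SeLocalSystemSid,        &SeNtSidAuthority,      1, { SECURITY_LOCAL_SYSTEM_RID } },
    { &SeAuthenticatedUserSid,  &SeNtSidAuthority,      1, { SECURITY_AUTHENTICATED_USER_RID } },
    { &SeRestrictedCodeSid,     &SeNtSidAuthority,      1, { SECURITY_RESTRICTED_CODE_RID } },
    { &SeAliasAdminsSid,        &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } },
    { &SeAliasUsersSid,         &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } },
    { &SeAliasGuestsSid,        &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_GUESTS } },
    { &SeAliasPowerUsersSid,    &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS } },
    { &SeAliasAccountOpsSid,    &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ACCOUNT_OPS } },
    { &SeAliasSystemOpsSid,     &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_SYSTEM_OPS } },
    { &SeAliasPrintOpsSid,      &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_PRINT_OPS } },
    { &SeAliasBackupOpsSid,     &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_BACKUP_OPS } },
    { &SeAuthenticatedUsersSid, &SeNtSidAuthority,      1, { SECURITY_AUTHENTICATED_USER_RID } },
    { &SeRestrictedSid,         &SeNtSidAuthority,      1, { SECURITY_RESTRICTED_CODE_RID } },
    { &SeAnonymousLogonSid,     &SeNtSidAuthority,      1, { SECURITY_ANONYMOUS_LOGON_RID } },
};

/*
 * Allocates and initializes every well-known SID global of the security
 * manager from paged pool (tag TAG_SID).
 *
 * Returns TRUE when all SIDs were built. Returns FALSE when any allocation
 * failed; in that case every SID allocated so far is freed and its global is
 * reset to NULL, so no caller can pick up a pointer to an allocated but
 * uninitialized SID.
 */
BOOLEAN
INIT_FUNCTION
NTAPI
SepInitSecurityIDs(VOID)
{
    const ULONG SidCount = sizeof(SepWellKnownSids) / sizeof(SepWellKnownSids[0]);
    const SEP_WELL_KNOWN_SID *Entry;
    PULONG SubAuthority;
    PSID Sid;
    ULONG i;
    ULONG j;

    /* Allocate all SIDs first so a failure never leaves a half-built set */
    for (i = 0; i < SidCount; i++)
    {
        Entry = &SepWellKnownSids[i];

        Sid = ExAllocatePoolWithTag(PagedPool,
                                    RtlLengthRequiredSid(Entry->SubAuthorityCount),
                                    TAG_SID);
        if (Sid == NULL)
        {
            /* Undo the allocations made so far instead of leaking them */
            while (i > 0)
            {
                i--;
                ExFreePool(*SepWellKnownSids[i].Sid);
                *SepWellKnownSids[i].Sid = NULL;
            }

            return FALSE;
        }

        *Entry->Sid = Sid;
    }

    /* Fill in the header and the sub-authority (RID) values of each SID */
    for (i = 0; i < SidCount; i++)
    {
        Entry = &SepWellKnownSids[i];

        RtlInitializeSid(*Entry->Sid, Entry->Authority, Entry->SubAuthorityCount);

        for (j = 0; j < Entry->SubAuthorityCount; j++)
        {
            SubAuthority = RtlSubAuthoritySid(*Entry->Sid, j);
            *SubAuthority = Entry->SubAuthority[j];
        }
    }

    return TRUE;
}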
229
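/*
 * Captures a SID so the kernel can use it without trusting the caller's
 * buffer.
 *
 * InputSid        - SID supplied by the caller.
 * AccessMode      - Processor mode of the caller. Anything other than
 *                   KernelMode is treated as untrusted: the buffer is probed
 *                   and copied under SEH.
 * PoolType        - Pool type used for the copy.
 * CaptureIfKernel - For KernelMode callers only: TRUE copies the SID, FALSE
 *                   hands InputSid back unchanged.
 * CapturedSid     - Receives the captured SID on success. It is not written
 *                   on failure.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the copy cannot
 * be allocated, or the exception code raised while probing or reading the
 * caller's buffer. A copy made here is released with SepReleaseSid using the
 * same AccessMode and CaptureIfKernel values.
 */
NTSTATUS
NTAPI
SepCaptureSid(IN PSID InputSid,
              IN KPROCESSOR_MODE AccessMode,
              IN POOL_TYPE PoolType,
              IN BOOLEAN CaptureIfKernel,
              OUT PSID *CapturedSid)
{
    ULONG SidSize = 0;
    UCHAR SubAuthorityCount = 0;
    PISID NewSid, Sid = (PISID)InputSid;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    if(AccessMode != KernelMode)
    {
        _SEH_TRY
        {
            /* Probe the fixed header before touching any field of it */
            ProbeForRead(Sid,
                         sizeof(*Sid) - sizeof(Sid->SubAuthority),
                         sizeof(UCHAR));

            /*
             * Read the count from user memory exactly once. Everything that
             * follows (size, probe, allocation, final header) uses this
             * local value, never the user buffer again.
             */
            SubAuthorityCount = *(volatile UCHAR *)&Sid->SubAuthorityCount;
            SidSize = RtlLengthRequiredSid(SubAuthorityCount);

            ProbeForRead(Sid,
                         SidSize,
                         sizeof(UCHAR));
        }
        _SEH_HANDLE
        {
            Status = _SEH_GetExceptionCode();
        }
        _SEH_END;

        if(NT_SUCCESS(Status))
        {
            /* allocate a SID and copy it */
            NewSid = ExAllocatePool(PoolType,
                                    SidSize);
            if(NewSid != NULL)
            {
                _SEH_TRY
                {
                    RtlCopyMemory(NewSid,
                                  Sid,
                                  SidSize);

                    /*
                     * The user buffer may have changed between the size
                     * computation and the copy. Pin the count in the copy to
                     * the value the allocation was sized for, so the captured
                     * SID can never describe itself as longer than SidSize.
                     */
                    NewSid->SubAuthorityCount = SubAuthorityCount;

                    *CapturedSid = NewSid;
                }
                _SEH_HANDLE
                {
                    ExFreePool(NewSid);
                    Status = _SEH_GetExceptionCode();
                }
                _SEH_END;
            }
            else
            {
                Status = STATUS_INSUFFICIENT_RESOURCES;
            }
        }

        /*
         * NOTE(review): the captured SID is not validated here (revision,
         * sub-authority count against the maximum a SID may carry). Confirm
         * that callers validate it before use, or reject it at this point.
         */
    }
    else if(!CaptureIfKernel)
    {
        /* Trusted caller asked for no copy: pass the pointer through */
        *CapturedSid = InputSid;
        return STATUS_SUCCESS;
    }
    else
    {
        /* Kernel-mode buffer: trusted, so no probing or SEH is needed */
        SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);

        /* allocate a SID and copy it */
        NewSid = ExAllocatePool(PoolType,
                                SidSize);
        if(NewSid != NULL)
        {
            RtlCopyMemory(NewSid,
                          Sid,
                          SidSize);

            *CapturedSid = NewSid;
        }
        else
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
        }
    }

    return Status;
}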
318
/*
 * Releases a SID obtained from SepCaptureSid.
 *
 * CapturedSid     - SID to release; NULL is ignored.
 * AccessMode      - Processor mode that was passed to SepCaptureSid.
 * CaptureIfKernel - CaptureIfKernel value that was passed to SepCaptureSid.
 *
 * The SID is freed only in the cases where the capture made a pool copy:
 * any non-kernel AccessMode, or KernelMode with CaptureIfKernel set.
 * Otherwise the pointer still belongs to the caller and is left alone.
 */
VOID
NTAPI
SepReleaseSid(IN PSID CapturedSid,
              IN KPROCESSOR_MODE AccessMode,
              IN BOOLEAN CaptureIfKernel)
{
    PAGED_CODE();

    /* Nothing was captured */
    if (CapturedSid == NULL)
    {
        return;
    }

    /* Kernel caller that passed its own pointer through: not ours to free */
    if (AccessMode == KernelMode && !CaptureIfKernel)
    {
        return;
    }

    ExFreePool(CapturedSid);
}
334
335 /* EOF */