1 /* $Id$
2 *
3 * COPYRIGHT: See COPYING in the top level directory
4 * PROJECT: ReactOS kernel
5 * FILE: ntoskrnl/se/sid.c
6 * PURPOSE: Security manager
7 *
8 * PROGRAMMERS: David Welch <welch@cwcom.net>
9 */
10
11 /* INCLUDES *****************************************************************/
12
13 #include <ntoskrnl.h>
14
15 #define NDEBUG
16 #include <internal/debug.h>
17
18 #define TAG_SID TAG('S', 'I', 'D', 'T')
19
20
21 /* GLOBALS ******************************************************************/
22
/* Identifier authorities used when building the well-known SIDs below. */
SID_IDENTIFIER_AUTHORITY SeNullSidAuthority    = {SECURITY_NULL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority   = {SECURITY_WORLD_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeLocalSidAuthority   = {SECURITY_LOCAL_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeCreatorSidAuthority = {SECURITY_CREATOR_SID_AUTHORITY};
SID_IDENTIFIER_AUTHORITY SeNtSidAuthority      = {SECURITY_NT_AUTHORITY};

/*
 * Well-known SIDs. Every pointer starts out NULL and is allocated and
 * filled in by SepInitSecurityIDs(); code that runs before that call
 * (or after it has returned FALSE) must not dereference them.
 */

/* SIDs with one sub-authority under the null/world/local/creator authorities */
PSID SeNullSid               = NULL;
PSID SeWorldSid              = NULL;
PSID SeLocalSid              = NULL;
PSID SeCreatorOwnerSid       = NULL;
PSID SeCreatorGroupSid       = NULL;
PSID SeCreatorOwnerServerSid = NULL;
PSID SeCreatorGroupServerSid = NULL;

/* SIDs under the NT authority */
PSID SeNtAuthoritySid        = NULL;
PSID SeDialupSid             = NULL;
PSID SeNetworkSid            = NULL;
PSID SeBatchSid              = NULL;
PSID SeInteractiveSid        = NULL;
PSID SeServiceSid            = NULL;
PSID SeAnonymousLogonSid     = NULL;
PSID SePrincipalSelfSid      = NULL;
PSID SeLocalSystemSid        = NULL;
PSID SeAuthenticatedUserSid  = NULL;
PSID SeRestrictedCodeSid     = NULL;

/* Built-in domain aliases (two sub-authorities under the NT authority) */
PSID SeAliasAdminsSid        = NULL;
PSID SeAliasUsersSid         = NULL;
PSID SeAliasGuestsSid        = NULL;
PSID SeAliasPowerUsersSid    = NULL;
PSID SeAliasAccountOpsSid    = NULL;
PSID SeAliasSystemOpsSid     = NULL;
PSID SeAliasPrintOpsSid      = NULL;
PSID SeAliasBackupOpsSid     = NULL;
55
56
57 /* FUNCTIONS ****************************************************************/
58
59
/*
 * Allocates and initializes every well-known SID exported by this file.
 *
 * Each SID is allocated from non-paged pool with TAG_SID, initialized with
 * its identifier authority and sub-authority count, and then has its
 * sub-authority values (RIDs) written.
 *
 * Returns TRUE when all SIDs were created. Returns FALSE as soon as one
 * allocation fails; SIDs created before the failure are left allocated and
 * the remaining globals stay NULL, so the caller has to treat FALSE as a
 * failed initialization rather than continue with a partial set.
 */
BOOLEAN INIT_FUNCTION
SepInitSecurityIDs(VOID)
{
    /* One row per well-known SID, listed in creation order. */
    static const struct
    {
        PSID *Target;                        /* global that receives the SID */
        PSID_IDENTIFIER_AUTHORITY Authority; /* identifier authority */
        UCHAR SubAuthorityCount;             /* 0, 1 or 2 */
        ULONG SubAuthority[2];               /* RIDs; unused slots are 0 */
    } WellKnownSids[] =
    {
        { &SeNullSid,               &SeNullSidAuthority,    1, { SECURITY_NULL_RID, 0 } },
        { &SeWorldSid,              &SeWorldSidAuthority,   1, { SECURITY_WORLD_RID, 0 } },
        { &SeLocalSid,              &SeLocalSidAuthority,   1, { SECURITY_LOCAL_RID, 0 } },
        { &SeCreatorOwnerSid,       &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_OWNER_RID, 0 } },
        { &SeCreatorGroupSid,       &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_GROUP_RID, 0 } },
        { &SeCreatorOwnerServerSid, &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_OWNER_SERVER_RID, 0 } },
        { &SeCreatorGroupServerSid, &SeCreatorSidAuthority, 1, { SECURITY_CREATOR_GROUP_SERVER_RID, 0 } },

        { &SeNtAuthoritySid,        &SeNtSidAuthority,      0, { 0, 0 } },
        { &SeDialupSid,             &SeNtSidAuthority,      1, { SECURITY_DIALUP_RID, 0 } },
        { &SeNetworkSid,            &SeNtSidAuthority,      1, { SECURITY_NETWORK_RID, 0 } },
        { &SeBatchSid,              &SeNtSidAuthority,      1, { SECURITY_BATCH_RID, 0 } },
        { &SeInteractiveSid,        &SeNtSidAuthority,      1, { SECURITY_INTERACTIVE_RID, 0 } },
        { &SeServiceSid,            &SeNtSidAuthority,      1, { SECURITY_SERVICE_RID, 0 } },
        { &SeAnonymousLogonSid,     &SeNtSidAuthority,      1, { SECURITY_ANONYMOUS_LOGON_RID, 0 } },
        { &SePrincipalSelfSid,      &SeNtSidAuthority,      1, { SECURITY_PRINCIPAL_SELF_RID, 0 } },
        { &SeLocalSystemSid,        &SeNtSidAuthority,      1, { SECURITY_LOCAL_SYSTEM_RID, 0 } },
        { &SeAuthenticatedUserSid,  &SeNtSidAuthority,      1, { SECURITY_AUTHENTICATED_USER_RID, 0 } },
        { &SeRestrictedCodeSid,     &SeNtSidAuthority,      1, { SECURITY_RESTRICTED_CODE_RID, 0 } },

        { &SeAliasAdminsSid,        &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } },
        { &SeAliasUsersSid,         &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } },
        { &SeAliasGuestsSid,        &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_GUESTS } },
        { &SeAliasPowerUsersSid,    &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS } },
        { &SeAliasAccountOpsSid,    &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ACCOUNT_OPS } },
        { &SeAliasSystemOpsSid,     &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_SYSTEM_OPS } },
        { &SeAliasPrintOpsSid,      &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_PRINT_OPS } },
        { &SeAliasBackupOpsSid,     &SeNtSidAuthority,      2, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_BACKUP_OPS } },
    };

    ULONG SidLength[3];
    ULONG Index;
    UCHAR Count;
    UCHAR SubIndex;
    PSID NewSid;
    PULONG SubAuthority;

    /* Required allocation size for SIDs with 0, 1 and 2 sub-authorities */
    SidLength[0] = RtlLengthRequiredSid(0);
    SidLength[1] = RtlLengthRequiredSid(1);
    SidLength[2] = RtlLengthRequiredSid(2);

    for (Index = 0;
         Index < sizeof(WellKnownSids) / sizeof(WellKnownSids[0]);
         Index++)
    {
        Count = WellKnownSids[Index].SubAuthorityCount;

        NewSid = ExAllocatePoolWithTag(NonPagedPool,
                                       SidLength[Count],
                                       TAG_SID);

        /* Publish the pointer first, so the global is NULL on failure */
        *WellKnownSids[Index].Target = NewSid;
        if (NewSid == NULL)
        {
            return(FALSE);
        }

        RtlInitializeSid(NewSid,
                         WellKnownSids[Index].Authority,
                         Count);

        /* Fill in each RID the row declares */
        for (SubIndex = 0; SubIndex < Count; SubIndex++)
        {
            SubAuthority = RtlSubAuthoritySid(NewSid,
                                              SubIndex);
            *SubAuthority = WellKnownSids[Index].SubAuthority[SubIndex];
        }
    }

    return(TRUE);
}
468
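/*
 * Captures a SID so that the kernel can work on a stable copy.
 *
 * InputSid        - SID supplied by the caller; for AccessMode != KernelMode
 *                   it points into user memory and is untrusted.
 * AccessMode      - processor mode of the requester.
 * PoolType        - pool the copy is allocated from.
 * CaptureIfKernel - for KernelMode callers, TRUE forces a copy; FALSE hands
 *                   InputSid back unchanged.
 * CapturedSid     - receives the captured SID on success; it is not written
 *                   on failure.
 *
 * Returns STATUS_SUCCESS, STATUS_INSUFFICIENT_RESOURCES when the pool
 * allocation fails, or the exception code raised while probing or copying
 * the user buffer. A copy made here is released with SepReleaseSid().
 *
 * NOTE(review): only the length is established here; Revision and the upper
 * bound of SubAuthorityCount are not validated in this routine - confirm
 * that callers validate the captured SID before trusting its contents.
 */
NTSTATUS
SepCaptureSid(IN PSID InputSid,
              IN KPROCESSOR_MODE AccessMode,
              IN POOL_TYPE PoolType,
              IN BOOLEAN CaptureIfKernel,
              OUT PSID *CapturedSid)
{
    ULONG SidSize = 0;
    UCHAR SubAuthorityCount = 0;
    PISID NewSid, Sid = (PISID)InputSid;
    NTSTATUS Status = STATUS_SUCCESS;

    PAGED_CODE();

    if(AccessMode != KernelMode)
    {
        _SEH_TRY
        {
            /* probe the fixed-size header before touching any field */
            ProbeForRead(Sid,
                         sizeof(*Sid) - sizeof(Sid->SubAuthority),
                         sizeof(UCHAR));

            /* Read the count from user memory once; this value alone
               decides the size of the allocation and of the copy. */
            SubAuthorityCount = Sid->SubAuthorityCount;
            SidSize = RtlLengthRequiredSid(SubAuthorityCount);

            /* probe the whole SID now that its length is known */
            ProbeForRead(Sid,
                         SidSize,
                         sizeof(UCHAR));
        }
        _SEH_HANDLE
        {
            Status = _SEH_GetExceptionCode();
        }
        _SEH_END;

        if(NT_SUCCESS(Status))
        {
            /* allocate a SID and copy it */
            NewSid = ExAllocatePool(PoolType,
                                    SidSize);
            if(NewSid != NULL)
            {
                _SEH_TRY
                {
                    RtlCopyMemory(NewSid,
                                  Sid,
                                  SidSize);

                    /* The user buffer can change between the read above and
                       this copy. Pin the count to the value the allocation
                       was sized for, so later length calculations on the
                       captured SID cannot run past the end of the buffer. */
                    NewSid->SubAuthorityCount = SubAuthorityCount;

                    *CapturedSid = NewSid;
                }
                _SEH_HANDLE
                {
                    ExFreePool(NewSid);
                    Status = _SEH_GetExceptionCode();
                }
                _SEH_END;
            }
            else
            {
                Status = STATUS_INSUFFICIENT_RESOURCES;
            }
        }
    }
    else if(!CaptureIfKernel)
    {
        /* kernel caller that did not ask for a copy: pass the SID through */
        *CapturedSid = InputSid;
        return STATUS_SUCCESS;
    }
    else
    {
        /* kernel-mode source: no probing, plain copy */
        SidSize = RtlLengthRequiredSid(Sid->SubAuthorityCount);

        /* allocate a SID and copy it */
        NewSid = ExAllocatePool(PoolType,
                                SidSize);
        if(NewSid != NULL)
        {
            RtlCopyMemory(NewSid,
                          Sid,
                          SidSize);

            *CapturedSid = NewSid;
        }
        else
        {
            Status = STATUS_INSUFFICIENT_RESOURCES;
        }
    }

    return Status;
}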
556
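/*
 * Releases a SID obtained from SepCaptureSid().
 *
 * CapturedSid     - pointer returned through SepCaptureSid's CapturedSid;
 *                   NULL is ignored.
 * AccessMode      - the same mode that was passed to SepCaptureSid.
 * CaptureIfKernel - the same flag that was passed to SepCaptureSid.
 *
 * SepCaptureSid allocates a copy whenever AccessMode != KernelMode, or when
 * the caller is KernelMode and CaptureIfKernel is set. The test below uses
 * the same predicate, so every copy made there is freed here and a
 * passed-through kernel SID is never freed.
 */
VOID
SepReleaseSid(IN PSID CapturedSid,
              IN KPROCESSOR_MODE AccessMode,
              IN BOOLEAN CaptureIfKernel)
{
    PAGED_CODE();

    if(CapturedSid != NULL &&
       (AccessMode != KernelMode || CaptureIfKernel))
    {
        ExFreePool(CapturedSid);
    }
}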
571
572 /* EOF */