[LSASRV]
authorEric Kohl <eric.kohl@reactos.org>
Tue, 20 Nov 2012 22:34:00 +0000 (22:34 +0000)
committerEric Kohl <eric.kohl@reactos.org>
Tue, 20 Nov 2012 22:34:00 +0000 (22:34 +0000)
- Create and set a security descriptor for newly created secrets.

svn path=/trunk/; revision=57742

reactos/dll/win32/lsasrv/lsarpc.c
reactos/dll/win32/lsasrv/lsasrv.h
reactos/dll/win32/lsasrv/security.c

index b0b8699..8cf1c5c 100644 (file)
@@ -767,6 +767,8 @@ NTSTATUS WINAPI LsarCreateSecret(
     PLSA_DB_OBJECT PolicyObject;
     PLSA_DB_OBJECT SecretObject = NULL;
     LARGE_INTEGER Time;
+    PSECURITY_DESCRIPTOR SecretSd = NULL;
+    ULONG SecretSdSize;
     NTSTATUS Status = STATUS_SUCCESS;
 
     /* Validate the PolicyHandle */
@@ -788,6 +790,15 @@ NTSTATUS WINAPI LsarCreateSecret(
         goto done;
     }
 
+    /* Create a security descriptor for the secret */
+    Status = LsapCreateSecretSd(&SecretSd,
+                                &SecretSdSize);
+    if (!NT_SUCCESS(Status))
+    {
+        ERR("LsapCreateAccountSd returned 0x%08lx\n", Status);
+        return Status;
+    }
+
     /* Create the Secret object */
     Status = LsapCreateDbObject(PolicyObject,
                                 L"Secrets",
@@ -817,8 +828,22 @@ NTSTATUS WINAPI LsarCreateSecret(
                                     L"OldTime",
                                     (PVOID)&Time,
                                     sizeof(LARGE_INTEGER));
+    if (!NT_SUCCESS(Status))
+    {
+        ERR("LsapSetObjectAttribute (OldTime) failed (Status 0x%08lx)\n", Status);
+        goto done;
+    }
+
+    /* Set the SecDesc attribute */
+    Status = LsapSetObjectAttribute(SecretObject,
+                                    L"SecDesc",
+                                    SecretSd,
+                                    SecretSdSize);
 
 done:
+    if (SecretSd != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, SecretSd);
+
     if (!NT_SUCCESS(Status))
     {
         if (SecretObject != NULL)
index 3239376..be20c69 100644 (file)
@@ -236,4 +236,8 @@ NTSTATUS
 LsapCreateAccountSd(PSECURITY_DESCRIPTOR *AccountSd,
                     PULONG AccountSdSize);
 
+NTSTATUS
+LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd,
+                   PULONG SecretSdSize);
+
 /* EOF */
index b8173b5..7112470 100644 (file)
@@ -436,4 +436,172 @@ done:
     return Status;
 }
 
+
+NTSTATUS
+LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd,
+                   PULONG SecretSdSize)
+{
+    SECURITY_DESCRIPTOR AbsoluteSd;
+    PSECURITY_DESCRIPTOR RelativeSd = NULL;
+    ULONG RelativeSdSize = 0;
+    PSID AdministratorsSid = NULL;
+    PSID EveryoneSid = NULL;
+    PSID LocalSystemSid = NULL;
+    PACL Dacl = NULL;
+    ULONG DaclSize;
+    NTSTATUS Status;
+
+    if (SecretSd == NULL || SecretSdSize == NULL)
+        return STATUS_INVALID_PARAMETER;
+
+    *SecretSd = NULL;
+    *SecretSdSize = 0;
+
+    /* Initialize the SD */
+    Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
+                                         SECURITY_DESCRIPTOR_REVISION);
+    if (!NT_SUCCESS(Status))
+        return Status;
+
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         2,
+                                         SECURITY_BUILTIN_DOMAIN_RID,
+                                         DOMAIN_ALIAS_RID_ADMINS,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &AdministratorsSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
+                                         1,
+                                         SECURITY_WORLD_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &EveryoneSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         1,
+                                         SECURITY_LOCAL_SYSTEM_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &LocalSystemSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Allocate and initialize the DACL */
+    DaclSize = sizeof(ACL) +
+               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
+               sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
+
+    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+                           HEAP_ZERO_MEMORY,
+                           DaclSize);
+    if (Dacl == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+        goto done;
+    }
+
+    Status = RtlCreateAcl(Dacl,
+                          DaclSize,
+                          ACL_REVISION);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    SECRET_ALL_ACCESS,
+                                    AdministratorsSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    SECRET_EXECUTE,
+                                    EveryoneSid);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
+                                          TRUE,
+                                          Dacl,
+                                          FALSE);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
+                                           LocalSystemSid,
+                                           FALSE);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
+                                           AdministratorsSid,
+                                           FALSE);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+                                         RelativeSd,
+                                         &RelativeSdSize);
+    if (Status != STATUS_BUFFER_TOO_SMALL)
+        goto done;
+
+    RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
+                                 HEAP_ZERO_MEMORY,
+                                 RelativeSdSize);
+    if (RelativeSd == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+        goto done;
+    }
+
+    Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+                                         RelativeSd,
+                                         &RelativeSdSize);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    *SecretSd = RelativeSd;
+    *SecretSdSize = RelativeSdSize;
+
+done:
+    if (Dacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+    if (AdministratorsSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
+
+    if (EveryoneSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
+
+    if (LocalSystemSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
+
+    if (!NT_SUCCESS(Status))
+    {
+        if (RelativeSd != NULL)
+            RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
+    }
+
+    return Status;
+}
+
 /* EOF */