PLSA_DB_OBJECT PolicyObject;
PLSA_DB_OBJECT SecretObject = NULL;
LARGE_INTEGER Time;
+ PSECURITY_DESCRIPTOR SecretSd = NULL;
+ ULONG SecretSdSize;
NTSTATUS Status = STATUS_SUCCESS;
/* Validate the PolicyHandle */
goto done;
}
+ /* Create a security descriptor for the secret */
+ Status = LsapCreateSecretSd(&SecretSd,
+ &SecretSdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ ERR("LsapCreateAccountSd returned 0x%08lx\n", Status);
+ return Status;
+ }
+
/* Create the Secret object */
Status = LsapCreateDbObject(PolicyObject,
L"Secrets",
L"OldTime",
(PVOID)&Time,
sizeof(LARGE_INTEGER));
+ if (!NT_SUCCESS(Status))
+ {
+ ERR("LsapSetObjectAttribute (OldTime) failed (Status 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ /* Set the SecDesc attribute */
+ Status = LsapSetObjectAttribute(SecretObject,
+ L"SecDesc",
+ SecretSd,
+ SecretSdSize);
done:
+ if (SecretSd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, SecretSd);
+
if (!NT_SUCCESS(Status))
{
if (SecretObject != NULL)
return Status;
}
+
+NTSTATUS
+LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd,
+ PULONG SecretSdSize)
+{
+ SECURITY_DESCRIPTOR AbsoluteSd;
+ PSECURITY_DESCRIPTOR RelativeSd = NULL;
+ ULONG RelativeSdSize = 0;
+ PSID AdministratorsSid = NULL;
+ PSID EveryoneSid = NULL;
+ PSID LocalSystemSid = NULL;
+ PACL Dacl = NULL;
+ ULONG DaclSize;
+ NTSTATUS Status;
+
+ if (SecretSd == NULL || SecretSdSize == NULL)
+ return STATUS_INVALID_PARAMETER;
+
+ *SecretSd = NULL;
+ *SecretSdSize = 0;
+
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AdministratorsSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
+ 1,
+ SECURITY_WORLD_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &EveryoneSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_LOCAL_SYSTEM_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &LocalSystemSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Allocate and initialize the DACL */
+ DaclSize = sizeof(ACL) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid);
+
+ Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Dacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Dacl,
+ DaclSize,
+ ACL_REVISION);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ SECRET_ALL_ACCESS,
+ AdministratorsSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ SECRET_EXECUTE,
+ EveryoneSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
+ TRUE,
+ Dacl,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
+ LocalSystemSid,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
+ AdministratorsSid,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+ RelativeSd,
+ &RelativeSdSize);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ RelativeSdSize);
+ if (RelativeSd == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto done;
+ }
+
+ Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+ RelativeSd,
+ &RelativeSdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ *SecretSd = RelativeSd;
+ *SecretSdSize = RelativeSdSize;
+
+done:
+ if (Dacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+ if (AdministratorsSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
+
+ if (EveryoneSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
+
+ if (LocalSystemSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
+
+ if (!NT_SUCCESS(Status))
+ {
+ if (RelativeSd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
+ }
+
+ return Status;
+}
+
/* EOF */