[SAMSRV]
authorEric Kohl <eric.kohl@reactos.org>
Sun, 14 Jul 2013 18:41:29 +0000 (18:41 +0000)
committerEric Kohl <eric.kohl@reactos.org>
Sun, 14 Jul 2013 18:41:29 +0000 (18:41 +0000)
Add security descriptors for the account and builtin domains.

svn path=/trunk/; revision=59487

reactos/dll/win32/samsrv/samsrv.h
reactos/dll/win32/samsrv/security.c
reactos/dll/win32/samsrv/setup.c

index a9508ce..ebf29de 100644 (file)
@@ -306,6 +306,14 @@ NTSTATUS
 SampCreateServerSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
                    OUT PULONG Size);
 
+NTSTATUS
+SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+                          OUT PULONG Size);
+
+NTSTATUS
+SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+                          OUT PULONG Size);
+
 
 /* setup.c */
 
index eb3a4fb..f589391 100644 (file)
@@ -283,4 +283,580 @@ done:
     return Status;
 }
 
+
+NTSTATUS
+SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+                          OUT PULONG Size)
+{
+    PSECURITY_DESCRIPTOR AbsSD = NULL;
+    PSECURITY_DESCRIPTOR RelSD = NULL;
+    PSID EveryoneSid = NULL;
+    PSID AnonymousSid = NULL;
+    PSID AdministratorsSid = NULL;
+    PACL Dacl = NULL;
+    PACL Sacl = NULL;
+    ULONG DaclSize;
+    ULONG SaclSize;
+    ULONG RelSDSize = 0;
+    NTSTATUS Status = STATUS_SUCCESS;
+
+
+    /* Create the Everyone SID */
+    Status = RtlAllocateAndInitializeSid(&WorldAuthority,
+                                         1,
+                                         SECURITY_WORLD_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &EveryoneSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Create the Anonymous SID */
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         1,
+                                         SECURITY_ANONYMOUS_LOGON_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &AnonymousSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Create the Administrators SID */
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         2,
+                                         SECURITY_BUILTIN_DOMAIN_RID,
+                                         DOMAIN_ALIAS_RID_ADMINS,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &AdministratorsSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+
+    /* Allocate a buffer for the absolute SD */
+    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
+                            HEAP_ZERO_MEMORY,
+                            sizeof(SECURITY_DESCRIPTOR));
+    if (AbsSD == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    /* Create the absolute SD */
+    Status = RtlCreateSecurityDescriptor(AbsSD,
+                                         SECURITY_DESCRIPTOR_REVISION);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* allocate and create the DACL */
+    DaclSize = sizeof(ACL) + 
+               2 * sizeof(ACE) +
+               RtlLengthSid(EveryoneSid) +
+               RtlLengthSid(AdministratorsSid);
+
+    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+                           HEAP_ZERO_MEMORY,
+                           DaclSize);
+    if (Dacl == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    Status = RtlCreateAcl(Dacl,
+                          DaclSize,
+                          ACL_REVISION);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    DOMAIN_READ | DOMAIN_EXECUTE,
+                                    EveryoneSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    SAM_SERVER_ALL_ACCESS,
+                                    AdministratorsSid);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the DACL */
+    Status = RtlSetDaclSecurityDescriptor(AbsSD,
+                                          TRUE,
+                                          Dacl,
+                                          FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* allocate and create the SACL */
+    SaclSize = sizeof(ACL) + 
+               2 * sizeof(ACE) +
+               RtlLengthSid(EveryoneSid) +
+               RtlLengthSid(AnonymousSid);
+
+    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
+                           HEAP_ZERO_MEMORY,
+                           DaclSize);
+    if (Sacl == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    Status = RtlCreateAcl(Sacl,
+                          SaclSize,
+                          ACL_REVISION);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAuditAccessAce(Sacl,
+                                  ACL_REVISION,
+                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
+                                  SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
+                                  SAM_SERVER_SHUTDOWN,
+                                  EveryoneSid,
+                                  TRUE,
+                                  TRUE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAuditAccessAce(Sacl,
+                                  ACL_REVISION,
+                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+                                  AnonymousSid,
+                                  TRUE,
+                                  TRUE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the SACL */
+    Status = RtlSetSaclSecurityDescriptor(AbsSD,
+                                          TRUE,
+                                          Sacl,
+                                          FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the owner SID */
+    Status = RtlSetOwnerSecurityDescriptor(AbsSD,
+                                           AdministratorsSid,
+                                           FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the group SID */
+    Status = RtlSetGroupSecurityDescriptor(AbsSD,
+                                           AdministratorsSid,
+                                           FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Get the reqired buffer size for the self-relative SD */
+    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+                                         NULL,
+                                         &RelSDSize);
+    if (Status != STATUS_BUFFER_TOO_SMALL)
+        goto done;
+
+    /* Allocate a buffer for the self-relative SD */
+    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
+                            HEAP_ZERO_MEMORY,
+                            RelSDSize);
+    if (RelSD == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    /* Convert the absolute SD to self-relative format */
+    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+                                         RelSD,
+                                         &RelSDSize);
+    if (Status == STATUS_BUFFER_TOO_SMALL)
+    {
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    *ServerSd = RelSD;
+    *Size = RelSDSize;
+
+done:
+    if (!NT_SUCCESS(Status))
+    {
+        if (RelSD != NULL)
+            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
+    }
+
+    if (EveryoneSid != NULL)
+        RtlFreeSid(EveryoneSid);
+
+    if (AnonymousSid != NULL)
+        RtlFreeSid(AnonymousSid);
+
+    if (AdministratorsSid != NULL)
+        RtlFreeSid(AdministratorsSid);
+
+    if (Dacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+    if (Sacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
+
+    if (AbsSD != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
+
+    return Status;
+}
+
+
+NTSTATUS
+SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+                          OUT PULONG Size)
+{
+    PSECURITY_DESCRIPTOR AbsSD = NULL;
+    PSECURITY_DESCRIPTOR RelSD = NULL;
+    PSID EveryoneSid = NULL;
+    PSID AnonymousSid = NULL;
+    PSID AdministratorsSid = NULL;
+    PSID UsersSid = NULL;
+    PSID GuestsSid = NULL;
+    PACL Dacl = NULL;
+    PACL Sacl = NULL;
+    ULONG DaclSize;
+    ULONG SaclSize;
+    ULONG RelSDSize = 0;
+    NTSTATUS Status = STATUS_SUCCESS;
+
+
+    /* Create the Everyone SID */
+    Status = RtlAllocateAndInitializeSid(&WorldAuthority,
+                                         1,
+                                         SECURITY_WORLD_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &EveryoneSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Create the Anonymous SID */
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         1,
+                                         SECURITY_ANONYMOUS_LOGON_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &AnonymousSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Create the Administrators SID */
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         2,
+                                         SECURITY_BUILTIN_DOMAIN_RID,
+                                         DOMAIN_ALIAS_RID_ADMINS,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &AdministratorsSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Create the Users SID */
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         2,
+                                         SECURITY_BUILTIN_DOMAIN_RID,
+                                         DOMAIN_ALIAS_RID_USERS,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &UsersSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Create the Guests SID */
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         2,
+                                         SECURITY_BUILTIN_DOMAIN_RID,
+                                         DOMAIN_ALIAS_RID_GUESTS,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &GuestsSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+
+    /* Allocate a buffer for the absolute SD */
+    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
+                            HEAP_ZERO_MEMORY,
+                            sizeof(SECURITY_DESCRIPTOR));
+    if (AbsSD == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    /* Create the absolute SD */
+    Status = RtlCreateSecurityDescriptor(AbsSD,
+                                         SECURITY_DESCRIPTOR_REVISION);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* allocate and create the DACL */
+    DaclSize = sizeof(ACL) + 
+               4 * sizeof(ACE) +
+               RtlLengthSid(EveryoneSid) +
+               RtlLengthSid(AdministratorsSid) +
+               RtlLengthSid(UsersSid) +
+               RtlLengthSid(GuestsSid);
+
+    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+                           HEAP_ZERO_MEMORY,
+                           DaclSize);
+    if (Dacl == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    Status = RtlCreateAcl(Dacl,
+                          DaclSize,
+                          ACL_REVISION);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    DOMAIN_READ | DOMAIN_EXECUTE,
+                                    EveryoneSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    DOMAIN_READ | DOMAIN_EXECUTE,
+                                    UsersSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    DOMAIN_ALL_ACCESS & ~DOMAIN_CREATE_GROUP,
+                                    AdministratorsSid);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    DOMAIN_READ | DOMAIN_EXECUTE | DOMAIN_CREATE_USER | DOMAIN_CREATE_ALIAS,
+                                    GuestsSid);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the DACL */
+    Status = RtlSetDaclSecurityDescriptor(AbsSD,
+                                          TRUE,
+                                          Dacl,
+                                          FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* allocate and create the SACL */
+    SaclSize = sizeof(ACL) + 
+               2 * sizeof(ACE) +
+               RtlLengthSid(EveryoneSid) +
+               RtlLengthSid(AnonymousSid);
+
+    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
+                           HEAP_ZERO_MEMORY,
+                           DaclSize);
+    if (Sacl == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    Status = RtlCreateAcl(Sacl,
+                          SaclSize,
+                          ACL_REVISION);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAuditAccessAce(Sacl,
+                                  ACL_REVISION,
+                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
+                                  SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
+                                  SAM_SERVER_SHUTDOWN,
+                                  EveryoneSid,
+                                  TRUE,
+                                  TRUE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAuditAccessAce(Sacl,
+                                  ACL_REVISION,
+                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+                                  AnonymousSid,
+                                  TRUE,
+                                  TRUE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the SACL */
+    Status = RtlSetSaclSecurityDescriptor(AbsSD,
+                                          TRUE,
+                                          Sacl,
+                                          FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the owner SID */
+    Status = RtlSetOwnerSecurityDescriptor(AbsSD,
+                                           AdministratorsSid,
+                                           FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the group SID */
+    Status = RtlSetGroupSecurityDescriptor(AbsSD,
+                                           AdministratorsSid,
+                                           FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Get the reqired buffer size for the self-relative SD */
+    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+                                         NULL,
+                                         &RelSDSize);
+    if (Status != STATUS_BUFFER_TOO_SMALL)
+        goto done;
+
+    /* Allocate a buffer for the self-relative SD */
+    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
+                            HEAP_ZERO_MEMORY,
+                            RelSDSize);
+    if (RelSD == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    /* Convert the absolute SD to self-relative format */
+    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+                                         RelSD,
+                                         &RelSDSize);
+    if (Status == STATUS_BUFFER_TOO_SMALL)
+    {
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    *ServerSd = RelSD;
+    *Size = RelSDSize;
+
+done:
+    if (!NT_SUCCESS(Status))
+    {
+        if (RelSD != NULL)
+            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
+    }
+
+    if (EveryoneSid != NULL)
+        RtlFreeSid(EveryoneSid);
+
+    if (AnonymousSid != NULL)
+        RtlFreeSid(AnonymousSid);
+
+    if (AdministratorsSid != NULL)
+        RtlFreeSid(AdministratorsSid);
+
+    if (Dacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+    if (Sacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
+
+    if (AbsSD != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
+
+    return Status;
+}
+
 /* EOF */
index 76a262f..7f1465a 100644 (file)
@@ -552,6 +552,7 @@ SampSetupCreateDomain(IN HANDLE hServerKey,
                       IN LPCWSTR lpKeyName,
                       IN LPCWSTR lpDomainName,
                       IN PSID lpDomainSid,
+                      IN BOOLEAN bBuiltinDomain,
                       OUT HANDLE *lpDomainKey)
 {
     SAM_DOMAIN_FIXED_DATA FixedData;
@@ -562,6 +563,8 @@ SampSetupCreateDomain(IN HANDLE hServerKey,
     HANDLE hGroupsKey = NULL;
     HANDLE hUsersKey = NULL;
     HANDLE hNamesKey = NULL;
+    PSECURITY_DESCRIPTOR Sd = NULL;
+    ULONG SdSize = 0;
     NTSTATUS Status;
 
     if (lpDomainKey != NULL)
@@ -690,12 +693,35 @@ SampSetupCreateDomain(IN HANDLE hServerKey,
     if (!NT_SUCCESS(Status))
         goto done;
 
+    /* Create the server SD */
+    if (bBuiltinDomain == TRUE)
+        Status = SampCreateBuiltinDomainSD(&Sd,
+                                           &SdSize);
+    else
+        Status = SampCreateAccountDomainSD(&Sd,
+                                           &SdSize);
+
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set SecDesc attribute*/
+    Status = SampRegSetValue(hServerKey,
+                             L"SecDesc",
+                             REG_BINARY,
+                             Sd,
+                             SdSize);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
     SampRegCloseKey(hNamesKey);
 
     if (lpDomainKey != NULL)
         *lpDomainKey = hDomainKey;
 
 done:
+    if (Sd != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
     if (hAliasesKey != NULL)
         SampRegCloseKey(hAliasesKey);
 
@@ -867,6 +893,7 @@ SampInitializeSAM(VOID)
                                    L"Builtin",
                                    szName,
                                    pBuiltinSid,
+                                   TRUE,
                                    &hBuiltinDomainKey);
     if (!NT_SUCCESS(Status))
     {
@@ -936,6 +963,7 @@ SampInitializeSAM(VOID)
                                    L"Account",
                                    L"",
                                    AccountDomainInfo->DomainSid,
+                                   FALSE,
                                    &hAccountDomainKey);
     if (!NT_SUCCESS(Status))
     {