From: Thomas Bluemel Date: Thu, 12 Jan 2006 17:30:27 +0000 (+0000) Subject: use a default security descriptor for the group policy events X-Git-Tag: backups/expat-rbuild@40467~363 X-Git-Url: https://git.reactos.org/?p=reactos.git;a=commitdiff_plain;h=1a3e538952d701e85b0388728a8b7d732fc91150 use a default security descriptor for the group policy events svn path=/trunk/; revision=20805 --- diff --git a/reactos/lib/userenv/gpolicy.c b/reactos/lib/userenv/gpolicy.c index 31b359c4b16..a2d31221758 100644 --- a/reactos/lib/userenv/gpolicy.c +++ b/reactos/lib/userenv/gpolicy.c @@ -249,7 +249,7 @@ GPNotificationThreadProc(IN LPVOID lpParameter) static HANDLE CreateGPEvent(IN BOOL bMachine, - IN PVOID lpSecurityDescriptor) + IN PSECURITY_DESCRIPTOR lpSecurityDescriptor) { HANDLE hEvent; SECURITY_ATTRIBUTES SecurityAttributes; @@ -258,7 +258,7 @@ CreateGPEvent(IN BOOL bMachine, SecurityAttributes.lpSecurityDescriptor = lpSecurityDescriptor; SecurityAttributes.bInheritHandle = FALSE; - hEvent = CreateEventW((lpSecurityDescriptor != NULL ? &SecurityAttributes : NULL), + hEvent = CreateEventW(&SecurityAttributes, TRUE, FALSE, (bMachine ? szMachineGPApplied : szLocalGPApplied)); @@ -271,7 +271,7 @@ RegisterGPNotification(IN HANDLE hEvent, IN BOOL bMachine) { PGP_NOTIFY Notify; - PVOID lpSecurityDescriptor = NULL; + PSECURITY_DESCRIPTOR lpSecurityDescriptor = NULL; BOOL Ret = FALSE; EnterCriticalSection(&GPNotifyLock); @@ -292,7 +292,11 @@ RegisterGPNotification(IN HANDLE hEvent, /* create or open the machine group policy event */ if (hMachineGPAppliedEvent == NULL) { - lpSecurityDescriptor = CreateDefaultSD(); + lpSecurityDescriptor = CreateDefaultSecurityDescriptor(); + if (lpSecurityDescriptor == NULL) + { + goto Cleanup; + } hMachineGPAppliedEvent = CreateGPEvent(TRUE, lpSecurityDescriptor); @@ -307,7 +311,11 @@ RegisterGPNotification(IN HANDLE hEvent, { if (lpSecurityDescriptor == NULL) { - lpSecurityDescriptor = CreateDefaultSD(); + lpSecurityDescriptor = CreateDefaultSecurityDescriptor(); + if (lpSecurityDescriptor == NULL) + { + goto Cleanup; + } } hLocalGPAppliedEvent = CreateGPEvent(FALSE, diff --git a/reactos/lib/userenv/internal.h b/reactos/lib/userenv/internal.h index 6f1f92bc4d5..c3a0dd722f2 100644 --- a/reactos/lib/userenv/internal.h +++ b/reactos/lib/userenv/internal.h @@ -77,8 +77,8 @@ BOOL GetUserSidFromToken (HANDLE hToken, PUNICODE_STRING SidString); -PVOID -CreateDefaultSD(VOID); +PSECURITY_DESCRIPTOR +CreateDefaultSecurityDescriptor(VOID); /* profile.c */ BOOL diff --git a/reactos/lib/userenv/misc.c b/reactos/lib/userenv/misc.c index c5209546353..0f73105e353 100644 --- a/reactos/lib/userenv/misc.c +++ b/reactos/lib/userenv/misc.c @@ -30,6 +30,8 @@ #define NDEBUG #include +static SID_IDENTIFIER_AUTHORITY LocalSystemAuthority = {SECURITY_NT_AUTHORITY}; +static SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY}; /* FUNCTIONS ***************************************************************/ @@ -116,11 +118,149 @@ GetUserSidFromToken (HANDLE hToken, return TRUE; } -PVOID -CreateDefaultSD(VOID) +PSECURITY_DESCRIPTOR +CreateDefaultSecurityDescriptor(VOID) { - /* FIXME - create a default security descriptor */ - return NULL; + PSID LocalSystemSid = NULL; + PSID AdministratorsSid = NULL; + PSID EveryoneSid = NULL; + PACL Dacl; + DWORD DaclSize; + PSECURITY_DESCRIPTOR pSD = NULL; + + /* create the SYSTEM, Administrators and Everyone SIDs */ + if (!AllocateAndInitializeSid(&LocalSystemAuthority, + 1, + SECURITY_LOCAL_SYSTEM_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &LocalSystemSid) || + !AllocateAndInitializeSid(&LocalSystemAuthority, + 2, + SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ADMINS, + 0, + 0, + 0, + 0, + 0, + 0, + &AdministratorsSid) || + !AllocateAndInitializeSid(&WorldAuthority, + 1, + SECURITY_WORLD_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &EveryoneSid)) + { + DPRINT1("Failed initializing the SIDs for the default security descriptor (0x%p, 0x%p, 0x%p)\n", + LocalSystemSid, AdministratorsSid, EveryoneSid); + goto Cleanup; + } + + /* allocate the security descriptor and DACL */ + DaclSize = sizeof(ACL) + + ((GetLengthSid(LocalSystemSid) + + GetLengthSid(AdministratorsSid) + + GetLengthSid(EveryoneSid)) + + (3 * FIELD_OFFSET(ACCESS_ALLOWED_ACE, + SidStart))); + + pSD = (PSECURITY_DESCRIPTOR)LocalAlloc(LMEM_FIXED, + (SIZE_T)DaclSize + sizeof(SECURITY_DESCRIPTOR)); + if (pSD == NULL) + { + DPRINT1("Failed to allocate the default security descriptor and ACL\n"); + goto Cleanup; + } + + if (!InitializeSecurityDescriptor(pSD, + SECURITY_DESCRIPTOR_REVISION)) + { + DPRINT1("Failed to initialize the default security descriptor\n"); + goto Cleanup; + } + + /* initialize and build the DACL */ + Dacl = (PACL)((ULONG_PTR)pSD + sizeof(SECURITY_DESCRIPTOR)); + if (!InitializeAcl(Dacl, + (DWORD)DaclSize, + ACL_REVISION)) + { + DPRINT1("Failed to initialize the DACL of the default security descriptor\n"); + goto Cleanup; + } + + /* add the SYSTEM Ace */ + if (!AddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + LocalSystemSid)) + { + DPRINT1("Failed to add the SYSTEM ACE\n"); + goto Cleanup; + } + + /* add the Administrators Ace */ + if (!AddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + AdministratorsSid)) + { + DPRINT1("Failed to add the Administrators ACE\n"); + goto Cleanup; + } + + /* add the Everyone Ace */ + if (!AddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_EXECUTE, + EveryoneSid)) + { + DPRINT1("Failed to add the Everyone ACE\n"); + goto Cleanup; + } + + /* set the DACL */ + if (!SetSecurityDescriptorDacl(pSD, + TRUE, + Dacl, + FALSE)) + { + DPRINT1("Failed to set the DACL of the default security descriptor\n"); + +Cleanup: + if (pSD != NULL) + { + LocalFree((HLOCAL)pSD); + pSD = NULL; + } + } + + if (LocalSystemSid != NULL) + { + FreeSid(LocalSystemSid); + } + if (AdministratorsSid != NULL) + { + FreeSid(AdministratorsSid); + } + if (EveryoneSid != NULL) + { + FreeSid(EveryoneSid); + } + + return pSD; } /* Dynamic DLL loading interface **********************************************/