From 021ea6a4f86c8d66b19f0b38b04c768a7a3cc224 Mon Sep 17 00:00:00 2001 From: Eric Kohl Date: Wed, 25 Dec 2013 13:24:42 +0000 Subject: [PATCH 1/1] [LSASRV][MSV1_0] - Move the creation of the default DACL from msv1_0 to lsasrv. Create the default DACL only if the selected authentication package does not provide one. svn path=/trunk/; revision=61401 --- reactos/dll/win32/lsasrv/authpackage.c | 105 ++++++++++++++++---- reactos/dll/win32/lsasrv/lookup.c | 130 +++++++++++++++++-------- reactos/dll/win32/lsasrv/lsasrv.h | 3 + reactos/dll/win32/msv1_0/msv1_0.c | 65 ------------- 4 files changed, 175 insertions(+), 128 deletions(-) diff --git a/reactos/dll/win32/lsasrv/authpackage.c b/reactos/dll/win32/lsasrv/authpackage.c index 884ae5e429a..6eea470e30e 100644 --- a/reactos/dll/win32/lsasrv/authpackage.c +++ b/reactos/dll/win32/lsasrv/authpackage.c @@ -547,9 +547,9 @@ LsapCopyLocalGroups( PTOKEN_GROUPS LocalGroups = NULL; ULONG SidHeaderLength = 0; PSID SidHeader = NULL; - PSID Sid; + PSID SrcSid, DstSid; ULONG SidLength; - ULONG CopiedSids = 0; + ULONG AllocatedSids = 0; ULONG i; NTSTATUS Status; @@ -585,8 +585,10 @@ LsapCopyLocalGroups( for (i = 0; i < ClientGroupsCount; i++) { + SrcSid = LocalGroups->Groups[i].Sid; + Status = NtReadVirtualMemory(LogonContext->ClientProcessHandle, - LocalGroups->Groups[i].Sid, + SrcSid, SidHeader, SidHeaderLength, NULL); @@ -596,28 +598,28 @@ LsapCopyLocalGroups( SidLength = RtlLengthSid(SidHeader); TRACE("Sid %lu: Length %lu\n", i, SidLength); - Sid = RtlAllocateHeap(RtlGetProcessHeap(), - HEAP_ZERO_MEMORY, - SidLength); - if (SidHeader == NULL) + DstSid = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + SidLength); + if (DstSid == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto done; } Status = NtReadVirtualMemory(LogonContext->ClientProcessHandle, - LocalGroups->Groups[i].Sid, - Sid, + SrcSid, + DstSid, SidLength, NULL); if (!NT_SUCCESS(Status)) { - RtlFreeHeap(RtlGetProcessHeap(), 0, Sid); + RtlFreeHeap(RtlGetProcessHeap(), 0, DstSid); goto done; } - LocalGroups->Groups[i].Sid = Sid; - CopiedSids++; + LocalGroups->Groups[i].Sid = DstSid; + AllocatedSids++; } *TokenGroups = LocalGroups; @@ -630,7 +632,7 @@ done: { if (LocalGroups != NULL) { - for (i = 0; i < CopiedSids; i++) + for (i = 0; i < AllocatedSids; i++) RtlFreeHeap(RtlGetProcessHeap(), 0, LocalGroups->Groups[i].Sid); RtlFreeHeap(RtlGetProcessHeap(), 0, LocalGroups); @@ -641,6 +643,52 @@ done: } +static +NTSTATUS +LsapAddTokenDefaultDacl( + IN PVOID TokenInformation, + IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType) +{ + PLSA_TOKEN_INFORMATION_V1 TokenInfo1; + PACL Dacl = NULL; + ULONG Length; + + if (TokenInformationType == LsaTokenInformationV1) + { + TokenInfo1 = (PLSA_TOKEN_INFORMATION_V1)TokenInformation; + + if (TokenInfo1->DefaultDacl.DefaultDacl != NULL) + return STATUS_SUCCESS; + + Length = sizeof(ACL) + + (2 * sizeof(ACCESS_ALLOWED_ACE)) + + RtlLengthSid(TokenInfo1->Owner.Owner) + + RtlLengthSid(LsapLocalSystemSid); + + Dacl = DispatchTable.AllocateLsaHeap(Length); + if (Dacl == NULL) + return STATUS_INSUFFICIENT_RESOURCES; + + RtlCreateAcl(Dacl, Length, ACL_REVISION); + + RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + TokenInfo1->Owner.Owner); + + /* SID: S-1-5-18 */ + RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + GENERIC_ALL, + LsapLocalSystemSid); + + TokenInfo1->DefaultDacl.DefaultDacl = Dacl; + } + + return STATUS_SUCCESS; +} + + NTSTATUS LsapLogonUser(PLSA_API_MSG RequestMsg, PLSAP_LOGON_CONTEXT LogonContext) @@ -669,7 +717,7 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, Package = LsapGetAuthenticationPackage(PackageId); if (Package == NULL) { - TRACE("LsapGetAuthenticationPackage() failed to find a package\n"); + ERR("LsapGetAuthenticationPackage() failed to find a package\n"); return STATUS_NO_SUCH_PACKAGE; } @@ -681,7 +729,7 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, RequestMsg->LogonUser.Request.AuthenticationInformationLength); if (LocalAuthInfo == NULL) { - TRACE("RtlAllocateHeap() failed\n"); + ERR("RtlAllocateHeap() failed\n"); return STATUS_INSUFFICIENT_RESOURCES; } @@ -693,7 +741,7 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, NULL); if (!NT_SUCCESS(Status)) { - TRACE("NtReadVirtualMemory() failed (Status 0x%08lx)\n", Status); + ERR("NtReadVirtualMemory() failed (Status 0x%08lx)\n", Status); RtlFreeHeap(RtlGetProcessHeap(), 0, LocalAuthInfo); return Status; } @@ -706,7 +754,10 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, RequestMsg->LogonUser.Request.LocalGroupsCount, &LocalGroups); if (!NT_SUCCESS(Status)) + { + ERR("LsapCopyLocalGroups failed (Status 0x%08lx)\n", Status); goto done; + } TRACE("GroupCount: %lu\n", LocalGroups->GroupCount); } @@ -766,7 +817,16 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, if (!NT_SUCCESS(Status)) { - TRACE("LsaApLogonUser/Ex/2 failed (Status 0x%08lx)\n", Status); + ERR("LsaApLogonUser/Ex/2 failed (Status 0x%08lx)\n", Status); + goto done; + } + + + Status = LsapAddTokenDefaultDacl(TokenInformation, + TokenInformationType); + if (!NT_SUCCESS(Status)) + { + ERR("LsapAddTokenDefaultDacl() failed (Status 0x%08lx)\n", Status); goto done; } @@ -802,7 +862,7 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, &RequestMsg->LogonUser.Request.SourceContext); if (!NT_SUCCESS(Status)) { - TRACE("NtCreateToken failed (Status 0x%08lx)\n", Status); + ERR("NtCreateToken failed (Status 0x%08lx)\n", Status); goto done; } } @@ -823,7 +883,7 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, DUPLICATE_SAME_ACCESS | DUPLICATE_SAME_ATTRIBUTES | DUPLICATE_CLOSE_SOURCE); if (!NT_SUCCESS(Status)) { - TRACE("NtDuplicateObject failed (Status 0x%08lx)\n", Status); + ERR("NtDuplicateObject failed (Status 0x%08lx)\n", Status); goto done; } @@ -832,7 +892,7 @@ LsapLogonUser(PLSA_API_MSG RequestMsg, Status = LsapSetLogonSessionData(&RequestMsg->LogonUser.Reply.LogonId); if (!NT_SUCCESS(Status)) { - TRACE("LsapSetLogonSessionData failed (Status 0x%08lx)\n", Status); + ERR("LsapSetLogonSessionData failed (Status 0x%08lx)\n", Status); goto done; } @@ -847,7 +907,10 @@ done: if (LocalGroups != NULL) { for (i = 0; i < LocalGroups->GroupCount; i++) - RtlFreeHeap(RtlGetProcessHeap(), 0, LocalGroups->Groups[i].Sid); + { + if (LocalGroups->Groups[i].Sid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, LocalGroups->Groups[i].Sid); + } RtlFreeHeap(RtlGetProcessHeap(), 0, LocalGroups); } diff --git a/reactos/dll/win32/lsasrv/lookup.c b/reactos/dll/win32/lsasrv/lookup.c index a05529e61bc..d7f6f2f1072 100644 --- a/reactos/dll/win32/lsasrv/lookup.c +++ b/reactos/dll/win32/lsasrv/lookup.c @@ -80,6 +80,7 @@ typedef struct _WELL_KNOWN_SID LIST_ENTRY WellKnownSidListHead; +PSID LsapLocalSystemSid = NULL; /* FUNCTIONS ***************************************************************/ @@ -90,7 +91,8 @@ LsapCreateSid(PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, PULONG SubAuthorities, PWSTR AccountName, PWSTR DomainName, - SID_NAME_USE Use) + SID_NAME_USE Use, + PSID *SidPtr) { PWELL_KNOWN_SID SidEntry; PULONG p; @@ -159,6 +161,9 @@ LsapCreateSid(PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, InsertTailList(&WellKnownSidListHead, &SidEntry->ListEntry); + if (SidPtr != NULL) + *SidPtr = SidEntry->Sid; + return TRUE; } @@ -184,7 +189,8 @@ LsapInitSids(VOID) NULL, szAccountName, szDomainName, - SidTypeDomain); + SidTypeDomain, + NULL); /* Null Sid */ LsapLoadString(hInstance, IDS_NULL_RID, szAccountName, 80); @@ -195,7 +201,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, L"", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* World Sid */ LsapLoadString(hInstance, IDS_WORLD_RID, szAccountName, 80); @@ -206,7 +213,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, L"", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Local Sid */ LsapLoadString(hInstance, IDS_LOCAL_RID, szAccountName, 80); @@ -217,7 +225,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, L"", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Creator Owner Sid */ LsapLoadString(hInstance, IDS_CREATOR_OWNER_RID, szAccountName, 80); @@ -228,7 +237,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, L"", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Creator Group Sid */ LsapLoadString(hInstance, IDS_CREATOR_GROUP_RID, szAccountName, 80); @@ -239,7 +249,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, L"", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Creator Owner Server Sid */ LsapLoadString(hInstance, IDS_CREATOR_OWNER_SERVER_RID, szAccountName, 80); @@ -250,7 +261,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, L"", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Creator Group Server Sid */ LsapLoadString(hInstance, IDS_CREATOR_GROUP_SERVER_RID, szAccountName, 80); @@ -261,7 +273,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, L"", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Dialup Sid */ LsapLoadString(hInstance, IDS_DIALUP_RID, szAccountName, 80); @@ -273,7 +286,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Network Sid */ LsapLoadString(hInstance, IDS_DIALUP_RID, szAccountName, 80); @@ -284,7 +298,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Batch Sid*/ LsapLoadString(hInstance, IDS_BATCH_RID, szAccountName, 80); @@ -295,7 +310,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Interactive Sid */ LsapLoadString(hInstance, IDS_INTERACTIVE_RID, szAccountName, 80); @@ -306,7 +322,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Service Sid */ LsapLoadString(hInstance, IDS_SERVICE_RID, szAccountName, 80); @@ -317,7 +334,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Anonymous Logon Sid */ LsapLoadString(hInstance, IDS_ANONYMOUS_LOGON_RID, szAccountName, 80); @@ -328,7 +346,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Proxy Sid */ LsapLoadString(hInstance, IDS_PROXY_RID, szAccountName, 80); @@ -339,7 +358,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Enterprise Controllers Sid */ LsapLoadString(hInstance, IDS_ENTERPRISE_CONTROLLERS_RID, szAccountName, 80); @@ -350,7 +370,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Principal Self Sid */ LsapLoadString(hInstance, IDS_PRINCIPAL_SELF_RID, szAccountName, 80); @@ -361,7 +382,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Authenticated Users Sid */ LsapLoadString(hInstance, IDS_AUTHENTICATED_USER_RID, szAccountName, 80); @@ -372,7 +394,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Restricted Code Sid */ LsapLoadString(hInstance, IDS_RESTRICTED_CODE_RID, szAccountName, 80); @@ -383,7 +406,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Terminal Server Sid */ LsapLoadString(hInstance, IDS_TERMINAL_SERVER_RID, szAccountName, 80); @@ -394,7 +418,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Remote Logon Sid */ LsapLoadString(hInstance, IDS_REMOTE_LOGON_RID, szAccountName, 80); @@ -405,7 +430,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* This Organization Sid */ LsapLoadString(hInstance, IDS_THIS_ORGANIZATION_RID, szAccountName, 80); @@ -416,7 +442,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Local System Sid */ LsapLoadString(hInstance, IDS_LOCAL_SYSTEM_RID, szAccountName, 80); @@ -427,7 +454,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + &LsapLocalSystemSid); /* Local Service Sid */ LsapLoadString(hInstance, IDS_LOCAL_SERVICE_RID, szAccountName, 80); @@ -438,14 +466,16 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); LsapCreateSid(&NtAuthority, 1, SubAuthorities, L"LOCALSERVICE", L"NT AUTHORITY", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Network Service Sid */ LsapLoadString(hInstance, IDS_NETWORK_SERVICE_RID, szAccountName, 80); @@ -456,14 +486,16 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); LsapCreateSid(&NtAuthority, 1, SubAuthorities, L"NETWORKSERVICE", L"NT AUTHORITY", - SidTypeWellKnownGroup); + SidTypeWellKnownGroup, + NULL); /* Builtin Domain Sid */ LsapLoadString(hInstance, IDS_BUILTIN_DOMAIN_RID, szAccountName, 80); @@ -475,7 +507,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeDomain); + SidTypeDomain, + NULL); /* Administrators Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_ADMINS, szAccountName, 80); @@ -487,7 +520,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Users Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_USERS, szAccountName, 80); @@ -499,7 +533,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Guests Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_GUESTS, szAccountName, 80); @@ -511,7 +546,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Power User Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_POWER_USERS, szAccountName, 80); @@ -523,7 +559,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Account Operators Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_ACCOUNT_OPS, szAccountName, 80); @@ -535,7 +572,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* System Operators Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_SYSTEM_OPS, szAccountName, 80); @@ -547,7 +585,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Print Operators Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_PRINT_OPS, szAccountName, 80); @@ -559,7 +598,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Backup Operators Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_BACKUP_OPS, szAccountName, 80); @@ -571,7 +611,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Replicators Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_REPLICATOR, szAccountName, 80); @@ -583,7 +624,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* RAS Servers Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_RAS_SERVERS, szAccountName, 80); @@ -595,7 +637,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Pre-Windows 2000 Compatible Access Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_PREW2KCOMPACCESS, szAccountName, 80); @@ -607,7 +650,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Remote Desktop Users Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_REMOTE_DESKTOP_USERS, szAccountName, 80); @@ -619,7 +663,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* Network Configuration Operators Alias Sid */ LsapLoadString(hInstance, IDS_ALIAS_RID_NETWORK_CONFIGURATION_OPS, szAccountName, 80); @@ -631,7 +676,8 @@ LsapInitSids(VOID) SubAuthorities, szAccountName, szDomainName, - SidTypeAlias); + SidTypeAlias, + NULL); /* FIXME: Add more well known sids */ diff --git a/reactos/dll/win32/lsasrv/lsasrv.h b/reactos/dll/win32/lsasrv/lsasrv.h index 0e94eb1289c..16c7b3c7db4 100644 --- a/reactos/dll/win32/lsasrv/lsasrv.h +++ b/reactos/dll/win32/lsasrv/lsasrv.h @@ -91,6 +91,9 @@ extern UNICODE_STRING BuiltinDomainName; extern PSID AccountDomainSid; extern UNICODE_STRING AccountDomainName; +extern PSID LsapLocalSystemSid; + + /* authpackage.c */ NTSTATUS LsapInitAuthPackages(VOID); diff --git a/reactos/dll/win32/msv1_0/msv1_0.c b/reactos/dll/win32/msv1_0/msv1_0.c index 90a43d360e5..921aa6f7b5f 100644 --- a/reactos/dll/win32/msv1_0/msv1_0.c +++ b/reactos/dll/win32/msv1_0/msv1_0.c @@ -571,66 +571,6 @@ BuildTokenOwner(PTOKEN_OWNER Owner, } -static -NTSTATUS -BuildTokenDefaultDacl(PTOKEN_DEFAULT_DACL DefaultDacl, - PSID OwnerSid) -{ - SID_IDENTIFIER_AUTHORITY SystemAuthority = {SECURITY_NT_AUTHORITY}; - PSID LocalSystemSid = NULL; - PACL Dacl = NULL; - NTSTATUS Status = STATUS_SUCCESS; - - RtlAllocateAndInitializeSid(&SystemAuthority, - 1, - SECURITY_LOCAL_SYSTEM_RID, - SECURITY_NULL_RID, - SECURITY_NULL_RID, - SECURITY_NULL_RID, - SECURITY_NULL_RID, - SECURITY_NULL_RID, - SECURITY_NULL_RID, - SECURITY_NULL_RID, - &LocalSystemSid); - - Dacl = DispatchTable.AllocateLsaHeap(1024); - if (Dacl == NULL) - { - Status = STATUS_INSUFFICIENT_RESOURCES; - goto done; - } - - Status = RtlCreateAcl(Dacl, 1024, ACL_REVISION); - if (!NT_SUCCESS(Status)) - goto done; - - RtlAddAccessAllowedAce(Dacl, - ACL_REVISION, - GENERIC_ALL, - OwnerSid); - - /* SID: S-1-5-18 */ - RtlAddAccessAllowedAce(Dacl, - ACL_REVISION, - GENERIC_ALL, - LocalSystemSid); - - DefaultDacl->DefaultDacl = Dacl; - -done: - if (!NT_SUCCESS(Status)) - { - if (Dacl != NULL) - DispatchTable.FreeLsaHeap(Dacl); - } - - if (LocalSystemSid != NULL) - RtlFreeSid(LocalSystemSid); - - return Status; -} - - static NTSTATUS BuildTokenInformationBuffer(PLSA_TOKEN_INFORMATION_V1 *TokenInformation, @@ -683,11 +623,6 @@ BuildTokenInformationBuffer(PLSA_TOKEN_INFORMATION_V1 *TokenInformation, if (!NT_SUCCESS(Status)) goto done; - Status = BuildTokenDefaultDacl(&Buffer->DefaultDacl, - OwnerSid); - if (!NT_SUCCESS(Status)) - goto done; - *TokenInformation = Buffer; done: -- 2.17.1