From 5b127ff896d93d7d5093c5cb2f5c868e26779c50 Mon Sep 17 00:00:00 2001
From: Eric Kohl
Date: Sat, 8 Dec 2012 17:18:17 +0000
Subject: [PATCH] [LSASRV] - Add a trusted flag to the lsa object type. - Inherit the trusted flag from the policy object when an account or secret object is created or opened. - Set the trusted flag for a policy object in LsaIOpenPolicyTrusted.
svn path=/trunk/; revision=57821
---
 reactos/dll/win32/lsasrv/database.c | 6 ++++++
 reactos/dll/win32/lsasrv/lsarpc.c | 8 +++++++-
 reactos/dll/win32/lsasrv/lsasrv.h | 3 +++
 reactos/dll/win32/lsasrv/policy.c | 1 +
 4 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/reactos/dll/win32/lsasrv/database.c b/reactos/dll/win32/lsasrv/database.c
index 1afa0a38d7b..aa04e13a801 100644
--- a/reactos/dll/win32/lsasrv/database.c
+++ b/reactos/dll/win32/lsasrv/database.c
@@ -304,6 +304,7 @@ LsapCreateDatabaseObjects(VOID)
 L"Policy",
 LsaDbPolicyObject,
 0,
+ TRUE,
 &PolicyObject);
 if (!NT_SUCCESS(Status))
 goto done;
@@ -434,6 +435,7 @@ LsapGetDomainInfo(VOID)
 L"Policy",
 LsaDbPolicyObject,
 0,
+ TRUE,
 &PolicyObject);
 if (!NT_SUCCESS(Status))
 goto done;
@@ -596,6 +598,7 @@ LsapCreateDbObject(IN PLSA_DB_OBJECT ParentObject,
 IN LPWSTR ObjectName,
 IN LSA_DB_OBJECT_TYPE ObjectType,
 IN ACCESS_MASK DesiredAccess,
+ IN BOOLEAN Trusted,
 OUT PLSA_DB_OBJECT *DbObject)
 {
 PLSA_DB_OBJECT NewObject;
@@ -698,6 +701,7 @@ LsapCreateDbObject(IN PLSA_DB_OBJECT ParentObject,
 NewObject->Access = DesiredAccess;
 NewObject->KeyHandle = ObjectKeyHandle;
 NewObject->ParentObject = ParentObject;
+ NewObject->Trusted = Trusted;
 if (ParentObject != NULL)
 ParentObject->RefCount++;
@@ -714,6 +718,7 @@ LsapOpenDbObject(IN PLSA_DB_OBJECT ParentObject,
 IN LPWSTR ObjectName,
 IN LSA_DB_OBJECT_TYPE ObjectType,
 IN ACCESS_MASK DesiredAccess,
+ IN BOOLEAN Trusted,
 OUT PLSA_DB_OBJECT *DbObject)
 {
 PLSA_DB_OBJECT NewObject;
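Review bot: The added `TRUE` in the Policy open in LsapCreateDatabaseObjects (database.c, hunk at -304) is an unlabelled positional boolean, so the call site does not show that it requests a trusted object. The identical additions in LsapGetDomainInfo (hunk at -434) and in LsaIOpenPolicyTrusted in policy.c read the same way. I would tag each one, e.g. `TRUE, /* Trusted: in-process caller */`, so the places that create trusted handles can be found by search once the flag starts gating access checks. The call itself begins above each hunk, so the callee is inferred from the argument list rather than visible.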
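Review bot: LsapCreateDbObject stores the caller-supplied flag with `NewObject->Trusted = Trusted;` (database.c, hunk at -698) without relating it to `ParentObject`, so a child object can end up more trusted than its parent. The account and secret call sites in lsarpc.c pass `PolicyObject->Trusted`, presumably the parent's own flag, so the rule could be enforced in one place: `NewObject->Trusted = Trusted && (ParentObject == NULL || ParentObject->Trusted);`. LsapOpenDbObject (hunks at -714 and -809) has the same assignment and would take the same change. Both functions start and end outside these hunks, so any existing header comment that should describe the new parameter is not visible here.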
@@ -809,6 +814,7 @@ LsapOpenDbObject(IN PLSA_DB_OBJECT ParentObject,
 NewObject->Access = DesiredAccess;
 NewObject->KeyHandle = ObjectKeyHandle;
 NewObject->ParentObject = ParentObject;
+ NewObject->Trusted = Trusted;
 if (ParentObject != NULL)
 ParentObject->RefCount++;
diff --git a/reactos/dll/win32/lsasrv/lsarpc.c b/reactos/dll/win32/lsasrv/lsarpc.c
index db70223619a..a95ef980a03 100644
--- a/reactos/dll/win32/lsasrv/lsarpc.c
+++ b/reactos/dll/win32/lsasrv/lsarpc.c
@@ -258,6 +258,7 @@ NTSTATUS WINAPI LsarOpenPolicy(
 L"Policy",
 LsaDbPolicyObject,
 DesiredAccess,
+ FALSE,
 &PolicyObject);
 RtlLeaveCriticalSection(&PolicyHandleTableLock);
@@ -592,6 +593,7 @@ NTSTATUS WINAPI LsarCreateAccount(
 SidString,
 LsaDbAccountObject,
 DesiredAccess,
+ PolicyObject->Trusted,
 &AccountObject);
 if (!NT_SUCCESS(Status))
 {
@@ -1036,6 +1038,7 @@ NTSTATUS WINAPI LsarCreateSecret(
 SecretName->Buffer,
 LsaDbSecretObject,
 DesiredAccess,
+ PolicyObject->Trusted,
 &SecretObject);
 if (!NT_SUCCESS(Status))
 {
@@ -1131,6 +1134,7 @@ NTSTATUS WINAPI LsarOpenAccount(
 SidString,
 LsaDbAccountObject,
 DesiredAccess,
+ PolicyObject->Trusted,
 &AccountObject);
 if (!NT_SUCCESS(Status))
 {
@@ -1241,6 +1245,7 @@ NTSTATUS WINAPI LsarAddPrivilegesToAccount(
 return Status;
 }
+ /* Get the size of the Privilgs attribute */
 Status = LsapGetObjectAttribute(AccountObject,
 L"Privilgs",
 NULL,
@@ -1348,7 +1353,7 @@ NTSTATUS WINAPI LsarAddPrivilegesToAccount(
 }
 }
- /* Set the new priivliege set */
+ /* Set the new privilege set */
 Status = LsapSetObjectAttribute(AccountObject,
 L"Privilgs",
 NewPrivileges,
@@ -1591,6 +1596,7 @@ NTSTATUS WINAPI LsarOpenSecret(
 SecretName->Buffer,
 LsaDbSecretObject,
 DesiredAccess,
+ PolicyObject->Trusted,
 &SecretObject);
 if (!NT_SUCCESS(Status))
 {
diff --git a/reactos/dll/win32/lsasrv/lsasrv.h b/reactos/dll/win32/lsasrv/lsasrv.h
index 6488585c04e..10a9573daa4 100644
--- a/reactos/dll/win32/lsasrv/lsasrv.h
+++ b/reactos/dll/win32/lsasrv/lsasrv.h
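Review bot: The `FALSE` added in LsarOpenPolicy (lsarpc.c, hunk at -258) is what keeps policy handles opened over RPC untrusted, yet nothing at the call site says so. A short comment such as `FALSE, /* RPC clients never get a trusted handle */` would stop a later edit from flipping it unnoticed. LsarCreateAccount, LsarCreateSecret, LsarOpenAccount and LsarOpenSecret then copy `PolicyObject->Trusted`; how `PolicyObject` is validated lies outside these hunks, so it is worth confirming that the lookup accepts only policy handles before the flag is read.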
@@ -47,6 +47,7 @@ typedef struct _LSA_DB_OBJECT
 ULONG RefCount;
 ACCESS_MASK Access;
 HANDLE KeyHandle;
+ BOOLEAN Trusted;
 struct _LSA_DB_OBJECT *ParentObject;
 } LSA_DB_OBJECT, *PLSA_DB_OBJECT;
@@ -87,6 +88,7 @@ LsapCreateDbObject(IN PLSA_DB_OBJECT ParentObject,
 IN LPWSTR ObjectName,
 IN LSA_DB_OBJECT_TYPE HandleType,
 IN ACCESS_MASK DesiredAccess,
+ IN BOOLEAN Trusted,
 OUT PLSA_DB_OBJECT *DbObject);
 NTSTATUS
@@ -95,6 +97,7 @@ LsapOpenDbObject(IN PLSA_DB_OBJECT ParentObject,
 IN LPWSTR ObjectName,
 IN LSA_DB_OBJECT_TYPE ObjectType,
 IN ACCESS_MASK DesiredAccess,
+ IN BOOLEAN Trusted,
 OUT PLSA_DB_OBJECT *DbObject);
 NTSTATUS
diff --git a/reactos/dll/win32/lsasrv/policy.c b/reactos/dll/win32/lsasrv/policy.c
index 8fe0735e19f..88463b21a5d 100644
--- a/reactos/dll/win32/lsasrv/policy.c
+++ b/reactos/dll/win32/lsasrv/policy.c
@@ -29,6 +29,7 @@ LsaIOpenPolicyTrusted(OUT LSAPR_HANDLE *PolicyHandle)
 L"Policy",
 LsaDbPolicyObject,
 POLICY_ALL_ACCESS,
+ TRUE,
 &PolicyObject);
 if (NT_SUCCESS(Status))
-- 
2.17.1
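Review bot: The new `BOOLEAN Trusted;` member of LSA_DB_OBJECT (lsasrv.h, hunk at -47) is undocumented, and no code in this commit reads it, so its intended effect is only hinted at by the commit message. I would add a comment on the field, e.g. `/* TRUE if opened by in-process code (LsaIOpenPolicyTrusted) or inherited from such a policy handle */`, and state there whether it is meant to bypass access checks once they exist. The two prototype hunks below it only mirror the new parameter.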
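Review bot: LsaIOpenPolicyTrusted (policy.c) now requests `POLICY_ALL_ACCESS` together with `TRUE` and returns the result through `PolicyHandle`, which makes it the one visible entry point that hands a fully trusted policy handle back to its caller. The function comment should say that it is for in-process callers only and must not be reachable from the RPC interface, for example `/* Trusted open: never expose through an Lsar* RPC stub */` above the definition. The function body continues past the end of the hunk, so what happens to the handle on success is not shown.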