Author: fireball
Date: Sun Jun 21 23:23:06 2009
New Revision: 41515
URL:
http://svn.reactos.org/svn/reactos?rev=41515&view=rev
Log:
- Implement two helper functions to correctly set permissions for a window station and
desktops. Those are unused now, but they are going to solve two problems in current
winlogon. First of them being a "big HACK" in CreateWindowStationAndDesktops(),
which has to do CloseDesktop / OpenDesktopW to get a non-inheritable handle with
GENERIC_ALL rights. The second problem is that the security attributes structure passed to
CreateWindowStationW and CreateDesktopW are invalid because now lpSecurityDescriptor
points to an ACL but it's supposed to point to an actual SECURITY_DESCRIPTOR
structure. Information from:
http://msdn.microsoft.com/en-us/library/aa379608.aspx.
Modified:
trunk/reactos/base/system/winlogon/wlx.c
Modified: trunk/reactos/base/system/winlogon/wlx.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/base/system/winlogon/wlx.c…
==============================================================================
--- trunk/reactos/base/system/winlogon/wlx.c [iso-8859-1] (original)
+++ trunk/reactos/base/system/winlogon/wlx.c [iso-8859-1] Sun Jun 21 23:23:06 2009
@@ -15,6 +15,20 @@
#include <wine/debug.h>
WINE_DEFAULT_DEBUG_CHANNEL(winlogon);
+
+#define DESKTOP_ALL (DESKTOP_READOBJECTS | DESKTOP_CREATEWINDOW | \
+ DESKTOP_CREATEMENU | DESKTOP_HOOKCONTROL | DESKTOP_JOURNALRECORD | \
+ DESKTOP_JOURNALPLAYBACK | DESKTOP_ENUMERATE | DESKTOP_WRITEOBJECTS | \
+ DESKTOP_SWITCHDESKTOP | STANDARD_RIGHTS_REQUIRED)
+
+#define WINSTA_ALL (WINSTA_ENUMDESKTOPS | WINSTA_READATTRIBUTES | \
+ WINSTA_ACCESSCLIPBOARD | WINSTA_CREATEDESKTOP | \
+ WINSTA_WRITEATTRIBUTES | WINSTA_ACCESSGLOBALATOMS | \
+ WINSTA_EXITWINDOWS | WINSTA_ENUMERATE | WINSTA_READSCREEN | \
+ STANDARD_RIGHTS_REQUIRED)
+
+#define GENERIC_ACCESS (GENERIC_READ | GENERIC_WRITE | \
+ GENERIC_EXECUTE | GENERIC_ALL)
/* GLOBALS ******************************************************************/
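Review bot: The three new masks `DESKTOP_ALL`, `WINSTA_ALL` and `GENERIC_ACCESS` are full-control masks but carry no comment saying so or saying where they came from. `DESKTOP_ALL` includes `DESKTOP_HOOKCONTROL`, `DESKTOP_JOURNALRECORD` and `DESKTOP_JOURNALPLAYBACK`, so any SID granted it can hook and journal input on that desktop. I would add a comment above the block such as `/* Full-control access masks (per the MSDN sample cited in the commit log); grant only to SIDs that should fully own the object */`. In `GENERIC_ACCESS`, `GENERIC_ALL` presumably already covers the other three generic bits once mapped, so a short remark that the redundancy is intentional would help.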
@@ -758,6 +772,185 @@
}
BOOL
+AddAceToWindowStation(
+ IN HWINSTA WinSta,
+ IN PSID Sid)
+{
+ DWORD AclSize;
+ SECURITY_INFORMATION SecurityInformation;
+ PACL pDefaultAcl = NULL;
+ PSECURITY_DESCRIPTOR WinstaSd = NULL;
+ PACCESS_ALLOWED_ACE Ace = NULL;
+ BOOL Ret = FALSE;
+
+ /* Allocate space for an ACL */
+ AclSize = sizeof(ACL)
+ + 2 * (FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + GetLengthSid(Sid));
+ pDefaultAcl = HeapAlloc(GetProcessHeap(), 0, AclSize);
+ if (!pDefaultAcl)
+ {
+ ERR("WL: HeapAlloc() failed\n");
+ goto cleanup;
+ }
+
+ /* Initialize it */
+ if (!InitializeAcl(pDefaultAcl, AclSize, ACL_REVISION))
+ {
+ ERR("WL: InitializeAcl() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Initialize new security descriptor */
+ WinstaSd = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
+ if (!InitializeSecurityDescriptor(WinstaSd, SECURITY_DESCRIPTOR_REVISION))
+ {
+ ERR("WL: InitializeSecurityDescriptor() failed (error %lu)\n",
GetLastError());
+ goto cleanup;
+ }
+
+ /* Allocate memory for access allowed ACE */
+ Ace = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(ACCESS_ALLOWED_ACE)+
+ GetLengthSid(Sid) - sizeof(DWORD));
+
+ /* Create the first ACE for the window station */
+ Ace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+ Ace->Header.AceFlags = CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE |
OBJECT_INHERIT_ACE;
+ Ace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(Sid) -
sizeof(DWORD);
+ Ace->Mask = GENERIC_ACCESS;
+
+ /* Copy the sid */
+ if (!CopySid(GetLengthSid(Sid), &Ace->SidStart, Sid))
+ {
+ ERR("WL: CopySid() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Add the first ACE */
+ if (!AddAce(pDefaultAcl, ACL_REVISION, MAXDWORD, (LPVOID)Ace, Ace->Header.AceSize))
+ {
+ ERR("WL: AddAce() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Add the second ACE to the end of ACL */
+ Ace->Header.AceFlags = NO_PROPAGATE_INHERIT_ACE;
+ Ace->Mask = WINSTA_ALL;
+ if (!AddAce(pDefaultAcl, ACL_REVISION, MAXDWORD, (LPVOID)Ace, Ace->Header.AceSize))
+ {
+ ERR("WL: AddAce() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Add ACL to winsta's security descriptor */
+ if (!SetSecurityDescriptorDacl(WinstaSd, TRUE, pDefaultAcl, FALSE))
+ {
+ ERR("WL: SetSecurityDescriptorDacl() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Apply security to the window station */
+ SecurityInformation = DACL_SECURITY_INFORMATION;
+ if (!SetUserObjectSecurity(WinSta, &SecurityInformation, WinstaSd))
+ {
+ ERR("WL: SetUserObjectSecurity() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Indicate success */
+ Ret = TRUE;
+
+cleanup:
+ /* Free allocated stuff */
+ if (pDefaultAcl) HeapFree(GetProcessHeap(), 0, pDefaultAcl);
+ if (WinstaSd) HeapFree(GetProcessHeap(), 0, WinstaSd);
+ if (Ace) HeapFree(GetProcessHeap(), 0, Ace);
+
+ return Ret;
+}
+
+BOOL
+AddAceToDesktop(
+ IN HDESK Desktop,
+ IN PSID WinlogonSid,
+ IN PSID UserSid)
+{
+ DWORD AclSize;
+ SECURITY_INFORMATION SecurityInformation;
+ PACL Acl = NULL;
+ PSECURITY_DESCRIPTOR DesktopSd = NULL;
+ BOOL Ret = FALSE;
+
+ /* Allocate ACL */
+ AclSize = sizeof(ACL)
+ + FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + GetLengthSid(WinlogonSid);
+
+ /* Take user's sid into account */
+ if (UserSid)
+ AclSize += FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + GetLengthSid(UserSid);
+
+ Acl = HeapAlloc(GetProcessHeap(), 0, AclSize);
+ if (!Acl)
+ {
+ ERR("WL: HeapAlloc() failed\n");
+ goto cleanup;
+ }
+
+ /* Initialize ACL */
+ if (!InitializeAcl(Acl, AclSize, ACL_REVISION))
+ {
+ ERR("WL: InitializeAcl() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Add full desktop access ACE for winlogon */
+ if (!AddAccessAllowedAce(Acl, ACL_REVISION, DESKTOP_ALL, WinlogonSid))
+ {
+ ERR("WL: AddAccessAllowedAce() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Add full desktop access ACE for a user (if provided) */
+ if (UserSid && !AddAccessAllowedAce(Acl, ACL_REVISION, DESKTOP_ALL, UserSid))
+ {
+ ERR("WL: AddAccessAllowedAce() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Initialize new security descriptor */
+ DesktopSd = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
+ if (!InitializeSecurityDescriptor(DesktopSd, SECURITY_DESCRIPTOR_REVISION))
+ {
+ ERR("WL: InitializeSecurityDescriptor() failed (error %lu)\n",
GetLastError());
+ goto cleanup;
+ }
+
+ /* Add ACL to the security descriptor */
+ if (!SetSecurityDescriptorDacl(DesktopSd, TRUE, Acl, FALSE))
+ {
+ ERR("WL: SetSecurityDescriptorDacl() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Apply security to the window station */
+ SecurityInformation = DACL_SECURITY_INFORMATION;
+ if (!SetUserObjectSecurity(Desktop, &SecurityInformation, DesktopSd))
+ {
+ ERR("WL: SetUserObjectSecurity() failed (error %lu)\n", GetLastError());
+ goto cleanup;
+ }
+
+ /* Indicate success */
+ Ret = TRUE;
+
+cleanup:
+ /* Free allocated stuff */
+ if (Acl) HeapFree(GetProcessHeap(), 0, Acl);
+ if (DesktopSd) HeapFree(GetProcessHeap(), 0, DesktopSd);
+
+ return Ret;
+}
+
+BOOL
CreateWindowStationAndDesktops(
IN OUT PWLSESSION Session)
{
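Review bot: In AddAceToWindowStation the `HeapAlloc` result for `Ace` is written through at `Ace->Header.AceType` with no NULL check, and `WinstaSd` (like `DesktopSd` in AddAceToDesktop) is passed to `InitializeSecurityDescriptor` unchecked, so a failed allocation inside winlogon leads to a NULL dereference instead of a clean `FALSE` return. Each allocation should get the guard already used for the ACL, e.g. `if (!Ace) { ERR("WL: HeapAlloc() failed\n"); goto cleanup; }`. Both helpers also build a fresh DACL holding only the new ACEs and apply it with `SetUserObjectSecurity`, so despite the "AddAce" names any ACEs already on the object appear to be replaced; a header comment on each function should state that. AddAceToDesktop grants `DESKTOP_ALL` (including the hook and journal rights) to `UserSid`, so its header comment should tell callers to pass `NULL` for desktops the user must not control. The "Apply security to the window station" comment in that function should read "desktop".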