18 Nov
2012
18 Nov
'12
3:19 p.m.
Author: ekohl
Date: Sun Nov 18 15:19:14 2012
New Revision: 57733
URL: http://svn.reactos.org/svn/reactos?rev=57733&view=rev
Log:
[LSASRV]
Create a security descriptor for the policy object and store as attribute
"SecDesc".
Modified:
trunk/reactos/dll/win32/lsasrv/database.c
Modified: trunk/reactos/dll/win32/lsasrv/database.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/database.…
==============================================================================
--- trunk/reactos/dll/win32/lsasrv/database.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/lsasrv/database.c [iso-8859-1] Sun Nov 18 15:19:14 2012
@@ -234,6 +234,260 @@
static NTSTATUS
+LsapCreatePolicySd(PSECURITY_DESCRIPTOR *PolicySd,
+ PULONG PolicySdSize)
+{
+ SECURITY_DESCRIPTOR AbsoluteSd;
+ PSECURITY_DESCRIPTOR RelativeSd = NULL;
+ ULONG RelativeSdSize = 0;
+ PSID AnonymousSid = NULL;
+ PSID AdministratorsSid = NULL;
+ PSID EveryoneSid = NULL;
+ PSID LocalServiceSid = NULL;
+ PSID NetworkServiceSid = NULL;
+ PSID LocalSystemSid = NULL;
+ PACL Dacl = NULL;
+ ULONG DaclSize;
+ NTSTATUS Status;
+
+ if (PolicySd == NULL || PolicySdSize == NULL)
+ return STATUS_INVALID_PARAMETER;
+
+ *PolicySd = NULL;
+ *PolicySdSize = 0;
+
+ /* Initialize the SD */
+ Status = RtlCreateSecurityDescriptor(&AbsoluteSd,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_ANONYMOUS_LOGON_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AnonymousSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AdministratorsSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&WorldSidAuthority,
+ 1,
+ SECURITY_WORLD_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &EveryoneSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_LOCAL_SERVICE_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &LocalServiceSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_NETWORK_SERVICE_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &NetworkServiceSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_LOCAL_SYSTEM_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &LocalSystemSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Allocate and initialize the DACL */
+ DaclSize = sizeof(ACL) +
+ sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) +
RtlLengthSid(AdministratorsSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) +
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(LocalServiceSid)
+
+ sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) +
RtlLengthSid(NetworkServiceSid);
+
+ Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Dacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Dacl,
+ DaclSize,
+ ACL_REVISION);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessDeniedAce(Dacl,
+ ACL_REVISION,
+ POLICY_LOOKUP_NAMES,
+ AnonymousSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_ALL_ACCESS | POLICY_NOTIFICATION,
+ AdministratorsSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_EXECUTE,
+ EveryoneSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION,
+ AnonymousSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_NOTIFICATION,
+ LocalServiceSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ POLICY_NOTIFICATION,
+ NetworkServiceSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd,
+ TRUE,
+ Dacl,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd,
+ LocalSystemSid,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd,
+ AdministratorsSid,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+ RelativeSd,
+ &RelativeSdSize);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ RelativeSdSize);
+ if (RelativeSd == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto done;
+ }
+
+ Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd,
+ RelativeSd,
+ &RelativeSdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ *PolicySd = RelativeSd;
+ *PolicySdSize = RelativeSdSize;
+
+done:
+ if (Dacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+ if (AnonymousSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid);
+
+ if (AdministratorsSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid);
+
+ if (EveryoneSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid);
+
+ if (LocalServiceSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid);
+
+ if (NetworkServiceSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid);
+
+ if (LocalSystemSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid);
+
+ if (!NT_SUCCESS(Status))
+ {
+ if (RelativeSd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd);
+ }
+
+ return Status;
+}
+
+
+static NTSTATUS
LsapCreateDatabaseObjects(VOID)
{
PLSAP_POLICY_AUDIT_EVENTS_DATA AuditEventsInfo = NULL;
@@ -244,6 +498,8 @@
GUID DnsDomainGuid;
PLSA_DB_OBJECT PolicyObject = NULL;
PSID AccountDomainSid = NULL;
+ PSECURITY_DESCRIPTOR PolicySd = NULL;
+ ULONG PolicySdSize = 0;
ULONG AuditEventsCount;
ULONG AuditEventsSize;
ULONG i;
@@ -269,7 +525,7 @@
AuditEventsCount = AuditCategoryAccountLogon - AuditCategorySystem + 1;
AuditEventsSize = sizeof(LSAP_POLICY_AUDIT_EVENTS_DATA) + AuditEventsCount *
sizeof(DWORD);
AuditEventsInfo = RtlAllocateHeap(RtlGetProcessHeap(),
- 0,
+ HEAP_ZERO_MEMORY,
AuditEventsSize);
if (AuditEventsInfo == NULL)
return STATUS_INSUFFICIENT_RESOURCES;
@@ -288,6 +544,11 @@
/* Create a random domain SID */
Status = LsapCreateRandomDomainSid(&AccountDomainSid);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = LsapCreatePolicySd(&PolicySd,
+ &PolicySdSize);
if (!NT_SUCCESS(Status))
goto done;
@@ -369,6 +630,12 @@
&DnsDomainGuid,
sizeof(GUID));
+ /* Set the Sceurity Descriptor */
+ LsapSetObjectAttribute(PolicyObject,
+ L"SecDesc",
+ PolicySd,
+ PolicySdSize);
+
done:
if (AuditEventsInfo != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, AuditEventsInfo);
@@ -378,6 +645,9 @@
if (AccountDomainSid != NULL)
RtlFreeSid(AccountDomainSid);
+
+ if (PolicySd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, PolicySd);
return Status;
}