14 Jul
2013
14 Jul
'13
6:41 p.m.
Author: ekohl
Date: Sun Jul 14 18:41:29 2013
New Revision: 59487
URL: http://svn.reactos.org/svn/reactos?rev=59487&view=rev
Log:
[SAMSRV]
Add security descriptors for the account and builtin domains.
Modified:
trunk/reactos/dll/win32/samsrv/samsrv.h
trunk/reactos/dll/win32/samsrv/security.c
trunk/reactos/dll/win32/samsrv/setup.c
Modified: trunk/reactos/dll/win32/samsrv/samsrv.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samsrv.h?…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] Sun Jul 14 18:41:29 2013
@@ -306,6 +306,14 @@
SampCreateServerSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
OUT PULONG Size);
+NTSTATUS
+SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+ OUT PULONG Size);
+
+NTSTATUS
+SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+ OUT PULONG Size);
+
/* setup.c */
Modified: trunk/reactos/dll/win32/samsrv/security.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/security.…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] Sun Jul 14 18:41:29 2013
@@ -283,4 +283,580 @@
return Status;
}
+
+NTSTATUS
+SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+ OUT PULONG Size)
+{
+ PSECURITY_DESCRIPTOR AbsSD = NULL;
+ PSECURITY_DESCRIPTOR RelSD = NULL;
+ PSID EveryoneSid = NULL;
+ PSID AnonymousSid = NULL;
+ PSID AdministratorsSid = NULL;
+ PACL Dacl = NULL;
+ PACL Sacl = NULL;
+ ULONG DaclSize;
+ ULONG SaclSize;
+ ULONG RelSDSize = 0;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+
+ /* Create the Everyone SID */
+ Status = RtlAllocateAndInitializeSid(&WorldAuthority,
+ 1,
+ SECURITY_WORLD_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Anonymous SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_ANONYMOUS_LOGON_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AnonymousSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Administrators SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AdministratorsSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+
+ /* Allocate a buffer for the absolute SD */
+ AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ sizeof(SECURITY_DESCRIPTOR));
+ if (AbsSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Create the absolute SD */
+ Status = RtlCreateSecurityDescriptor(AbsSD,
+ SECURITY_DESCRIPTOR_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the DACL */
+ DaclSize = sizeof(ACL) +
+ 2 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AdministratorsSid);
+
+ Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Dacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Dacl,
+ DaclSize,
+ ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DOMAIN_READ | DOMAIN_EXECUTE,
+ EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ SAM_SERVER_ALL_ACCESS,
+ AdministratorsSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the DACL */
+ Status = RtlSetDaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Dacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the SACL */
+ SaclSize = sizeof(ACL) +
+ 2 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AnonymousSid);
+
+ Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Sacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Sacl,
+ SaclSize,
+ ACL_REVISION);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
+ SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
+ SAM_SERVER_SHUTDOWN,
+ EveryoneSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ AnonymousSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the SACL */
+ Status = RtlSetSaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Sacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the owner SID */
+ Status = RtlSetOwnerSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the group SID */
+ Status = RtlSetGroupSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Get the reqired buffer size for the self-relative SD */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ NULL,
+ &RelSDSize);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ /* Allocate a buffer for the self-relative SD */
+ RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ RelSDSize);
+ if (RelSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Convert the absolute SD to self-relative format */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ RelSD,
+ &RelSDSize);
+ if (Status == STATUS_BUFFER_TOO_SMALL)
+ {
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ *ServerSd = RelSD;
+ *Size = RelSDSize;
+
+done:
+ if (!NT_SUCCESS(Status))
+ {
+ if (RelSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
+ }
+
+ if (EveryoneSid != NULL)
+ RtlFreeSid(EveryoneSid);
+
+ if (AnonymousSid != NULL)
+ RtlFreeSid(AnonymousSid);
+
+ if (AdministratorsSid != NULL)
+ RtlFreeSid(AdministratorsSid);
+
+ if (Dacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+ if (Sacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
+
+ if (AbsSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
+
+ return Status;
+}
+
+
+NTSTATUS
+SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+ OUT PULONG Size)
+{
+ PSECURITY_DESCRIPTOR AbsSD = NULL;
+ PSECURITY_DESCRIPTOR RelSD = NULL;
+ PSID EveryoneSid = NULL;
+ PSID AnonymousSid = NULL;
+ PSID AdministratorsSid = NULL;
+ PSID UsersSid = NULL;
+ PSID GuestsSid = NULL;
+ PACL Dacl = NULL;
+ PACL Sacl = NULL;
+ ULONG DaclSize;
+ ULONG SaclSize;
+ ULONG RelSDSize = 0;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+
+ /* Create the Everyone SID */
+ Status = RtlAllocateAndInitializeSid(&WorldAuthority,
+ 1,
+ SECURITY_WORLD_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Anonymous SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_ANONYMOUS_LOGON_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AnonymousSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Administrators SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AdministratorsSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Users SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_USERS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &UsersSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Guests SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_GUESTS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &GuestsSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+
+ /* Allocate a buffer for the absolute SD */
+ AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ sizeof(SECURITY_DESCRIPTOR));
+ if (AbsSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Create the absolute SD */
+ Status = RtlCreateSecurityDescriptor(AbsSD,
+ SECURITY_DESCRIPTOR_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the DACL */
+ DaclSize = sizeof(ACL) +
+ 4 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AdministratorsSid) +
+ RtlLengthSid(UsersSid) +
+ RtlLengthSid(GuestsSid);
+
+ Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Dacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Dacl,
+ DaclSize,
+ ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DOMAIN_READ | DOMAIN_EXECUTE,
+ EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DOMAIN_READ | DOMAIN_EXECUTE,
+ UsersSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DOMAIN_ALL_ACCESS & ~DOMAIN_CREATE_GROUP,
+ AdministratorsSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ DOMAIN_READ | DOMAIN_EXECUTE | DOMAIN_CREATE_USER |
DOMAIN_CREATE_ALIAS,
+ GuestsSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the DACL */
+ Status = RtlSetDaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Dacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the SACL */
+ SaclSize = sizeof(ACL) +
+ 2 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AnonymousSid);
+
+ Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Sacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Sacl,
+ SaclSize,
+ ACL_REVISION);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
+ SAM_SERVER_CREATE_DOMAIN | SAM_SERVER_INITIALIZE |
+ SAM_SERVER_SHUTDOWN,
+ EveryoneSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ AnonymousSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the SACL */
+ Status = RtlSetSaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Sacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the owner SID */
+ Status = RtlSetOwnerSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the group SID */
+ Status = RtlSetGroupSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Get the reqired buffer size for the self-relative SD */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ NULL,
+ &RelSDSize);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ /* Allocate a buffer for the self-relative SD */
+ RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ RelSDSize);
+ if (RelSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Convert the absolute SD to self-relative format */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ RelSD,
+ &RelSDSize);
+ if (Status == STATUS_BUFFER_TOO_SMALL)
+ {
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ *ServerSd = RelSD;
+ *Size = RelSDSize;
+
+done:
+ if (!NT_SUCCESS(Status))
+ {
+ if (RelSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
+ }
+
+ if (EveryoneSid != NULL)
+ RtlFreeSid(EveryoneSid);
+
+ if (AnonymousSid != NULL)
+ RtlFreeSid(AnonymousSid);
+
+ if (AdministratorsSid != NULL)
+ RtlFreeSid(AdministratorsSid);
+
+ if (Dacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+ if (Sacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
+
+ if (AbsSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
+
+ return Status;
+}
+
/* EOF */
Modified: trunk/reactos/dll/win32/samsrv/setup.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/setup.c?r…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] Sun Jul 14 18:41:29 2013
@@ -552,6 +552,7 @@
IN LPCWSTR lpKeyName,
IN LPCWSTR lpDomainName,
IN PSID lpDomainSid,
+ IN BOOLEAN bBuiltinDomain,
OUT HANDLE *lpDomainKey)
{
SAM_DOMAIN_FIXED_DATA FixedData;
@@ -562,6 +563,8 @@
HANDLE hGroupsKey = NULL;
HANDLE hUsersKey = NULL;
HANDLE hNamesKey = NULL;
+ PSECURITY_DESCRIPTOR Sd = NULL;
+ ULONG SdSize = 0;
NTSTATUS Status;
if (lpDomainKey != NULL)
@@ -690,12 +693,35 @@
if (!NT_SUCCESS(Status))
goto done;
+ /* Create the server SD */
+ if (bBuiltinDomain == TRUE)
+ Status = SampCreateBuiltinDomainSD(&Sd,
+ &SdSize);
+ else
+ Status = SampCreateAccountDomainSD(&Sd,
+ &SdSize);
+
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set SecDesc attribute*/
+ Status = SampRegSetValue(hServerKey,
+ L"SecDesc",
+ REG_BINARY,
+ Sd,
+ SdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
SampRegCloseKey(hNamesKey);
if (lpDomainKey != NULL)
*lpDomainKey = hDomainKey;
done:
+ if (Sd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
if (hAliasesKey != NULL)
SampRegCloseKey(hAliasesKey);
@@ -867,6 +893,7 @@
L"Builtin",
szName,
pBuiltinSid,
+ TRUE,
&hBuiltinDomainKey);
if (!NT_SUCCESS(Status))
{
@@ -936,6 +963,7 @@
L"Account",
L"",
AccountDomainInfo->DomainSid,
+ FALSE,
&hAccountDomainKey);
if (!NT_SUCCESS(Status))
{