Author: ekohl Date: Thu May 17 21:30:30 2012 New Revision: 56607
URL: http://svn.reactos.org/svn/reactos?rev=56607&view=rev Log: [SYSSETUP] - Create builtin LSA accounts. - Add privileges to the accounts.
Modified: trunk/reactos/dll/win32/syssetup/globals.h trunk/reactos/dll/win32/syssetup/install.c trunk/reactos/dll/win32/syssetup/precomp.h trunk/reactos/dll/win32/syssetup/security.c
Modified: trunk/reactos/dll/win32/syssetup/globals.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/syssetup/globals....
==============================================================================
--- trunk/reactos/dll/win32/syssetup/globals.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/syssetup/globals.h [iso-8859-1] Thu May 17 21:30:30 2012
@@ -64,6 +64,7 @@
 /* security.c */ NTSTATUS SetAccountDomain(LPCWSTR DomainName, PSID DomainSid);
+VOID InstallSecurity(VOID);
/* wizard.c */ VOID InstallWizard (VOID);
Modified: trunk/reactos/dll/win32/syssetup/install.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/syssetup/install....
==============================================================================
--- trunk/reactos/dll/win32/syssetup/install.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/syssetup/install.c [iso-8859-1] Thu May 17 21:30:30 2012
@@ -956,6 +956,8 @@
InstallWizard();
+ InstallSecurity();
+
 /* Create the Administrator account */ if (!SamCreateUser(L"Administrator", L"", AdminSid)) {
Modified: trunk/reactos/dll/win32/syssetup/precomp.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/syssetup/precomp....
==============================================================================
--- trunk/reactos/dll/win32/syssetup/precomp.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/syssetup/precomp.h [iso-8859-1] Thu May 17 21:30:30 2012
@@ -22,7 +22,9 @@
 #include <string.h>
 #include <pseh/pseh2.h>
 #include <time.h>
+#include <ntlsa.h>
 #include <ntsecapi.h>
+#include <sddl.h>
 #include "globals.h"
 #include "resource.h"
Modified: trunk/reactos/dll/win32/syssetup/security.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/syssetup/security...
==============================================================================
--- trunk/reactos/dll/win32/syssetup/security.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/syssetup/security.c [iso-8859-1] Thu May 17 21:30:30 2012
@@ -85,3 +85,188 @@
 return Status;
 }
+
+
+static
+VOID
+InstallBuiltinAccounts(VOID)
+{
+ LPWSTR BuiltinAccounts[] = {
+ L"S-1-1-0", /* Everyone */
+ L"S-1-5-4", /* Interactive */
+ L"S-1-5-6", /* Service */
+ L"S-1-5-19", /* Local Service */
+ L"S-1-5-20", /* Network Service */
+ L"S-1-5-32-544", /* Administrators */
+ L"S-1-5-32-545", /* Users */
+ L"S-1-5-32-547", /* Power Users */
+ L"S-1-5-32-551", /* Backup Operators */
+ L"S-1-5-32-555"}; /* Remote Desktop Users */
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ NTSTATUS Status;
+ LSA_HANDLE PolicyHandle = NULL;
+ LSA_HANDLE AccountHandle = NULL;
+ PSID AccountSid;
+ ULONG i;
+
+ DPRINT("InstallBuiltinAccounts()\n");
+
+ memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_CREATE_ACCOUNT,
+ &PolicyHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaOpenPolicy failed (Status %08lx)\n", Status);
+ return;
+ }
+
+ for (i = 0; i < 10; i++)
+ {
+ ConvertStringSidToSid(BuiltinAccounts[i], &AccountSid);
+
+ Status = LsaCreateAccount(PolicyHandle,
+ AccountSid,
+ 0,
+ &AccountHandle);
+ if (NT_SUCCESS(Status))
+ {
+ LsaClose(AccountHandle);
+ }
+
+ LocalFree(AccountSid);
+ }
+
+ LsaClose(PolicyHandle);
+}
+
+
+static
+VOID
+InstallPrivileges(VOID)
+{
+ HINF hSecurityInf = INVALID_HANDLE_VALUE;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ WCHAR szPrivilegeString[256];
+ WCHAR szSidString[256];
+ INFCONTEXT InfContext;
+ DWORD i;
+ PRIVILEGE_SET PrivilegeSet;
+ PSID AccountSid;
+ NTSTATUS Status;
+ LSA_HANDLE PolicyHandle = NULL;
+ LSA_HANDLE AccountHandle;
+
+ DPRINT("InstallPrivileges()\n");
+
+ hSecurityInf = SetupOpenInfFileW(L"defltws.inf", //szNameBuffer,
+ NULL,
+ INF_STYLE_WIN4,
+ NULL);
+ if (hSecurityInf == INVALID_HANDLE_VALUE)
+ {
+ DPRINT1("SetupOpenInfFileW failed\n");
+ return;
+ }
+
+ memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_CREATE_ACCOUNT,
+ &PolicyHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaOpenPolicy failed (Status %08lx)\n", Status);
+ goto done;
+ }
+
+ if (!SetupFindFirstLineW(hSecurityInf,
+ L"Privilege Rights",
+ NULL,
+ &InfContext))
+ {
+ DPRINT1("SetupFindfirstLineW failed\n");
+ goto done;
+ }
+
+ PrivilegeSet.PrivilegeCount = 1;
+ PrivilegeSet.Control = 0;
+
+ do
+ {
+ /* Retrieve the privilege name */
+ if (!SetupGetStringFieldW(&InfContext,
+ 0,
+ szPrivilegeString,
+ 256,
+ NULL))
+ {
+ DPRINT1("SetupGetStringFieldW() failed\n");
+ goto done;
+ }
+ DPRINT("Privilege: %S\n", szPrivilegeString);
+
+ if (!LookupPrivilegeValueW(NULL,
+ szPrivilegeString,
+ &(PrivilegeSet.Privilege[0].Luid)))
+ {
+ DPRINT1("LookupPrivilegeNameW() failed\n");
+ goto done;
+ }
+
+ PrivilegeSet.Privilege[0].Attributes = 0;
+
+ for (i = 0; i < SetupGetFieldCount(&InfContext); i++)
+ {
+ if (!SetupGetStringFieldW(&InfContext,
+ i + 1,
+ szSidString,
+ 256,
+ NULL))
+ {
+ DPRINT1("SetupGetStringFieldW() failed\n");
+ goto done;
+ }
+ DPRINT("SID: %S\n", szSidString);
+
+ ConvertStringSidToSid(szSidString, &AccountSid);
+
+ Status = LsaOpenAccount(PolicyHandle,
+ AccountSid,
+ ACCOUNT_VIEW | ACCOUNT_ADJUST_PRIVILEGES,
+ &AccountHandle);
+ if (NT_SUCCESS(Status))
+ {
+ Status = LsaAddPrivilegesToAccount(AccountHandle,
+ &PrivilegeSet);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaAddPrivilegesToAccount() failed (Status %08lx)\n", Status);
+ }
+
+ LsaClose(AccountHandle);
+ }
+
+ LocalFree(AccountSid);
+ }
+
+ }
+ while (SetupFindNextLine(&InfContext, &InfContext));
+
+done:
+ if (PolicyHandle != NULL)
+ LsaClose(PolicyHandle);
+
+ if (hSecurityInf != INVALID_HANDLE_VALUE)
+ SetupCloseInfFile(hSecurityInf);
+}
+
+VOID
+InstallSecurity(VOID)
+{
+ InstallBuiltinAccounts();
+ InstallPrivileges();
+}
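Review bot: The return value of ConvertStringSidToSid is ignored in both new loops (the table loop in InstallBuiltinAccounts and the SID loop in InstallPrivileges), so a failed conversion leaves AccountSid uninitialized and it is then handed to LsaCreateAccount/LsaOpenAccount and LocalFree. The InstallBuiltinAccounts loop also runs to a literal `10` rather than the table size, so a SID added to BuiltinAccounts without updating the bound is silently never created; `sizeof(BuiltinAccounts) / sizeof(BuiltinAccounts[0])` keeps the two in step. A failing LsaOpenAccount in InstallPrivileges is silent as well, which means a right listed in defltws.inf can go unassigned with no trace; an else branch with `DPRINT1("LsaOpenAccount() failed (Status %08lx)\n", Status);` would make that visible. The failure message after LookupPrivilegeValueW reads `LookupPrivilegeNameW()` and should name the function actually called. The guard below is written for InstallBuiltinAccounts; the same check belongs in front of the ConvertStringSidToSid call in InstallPrivileges.
```c
    for (i = 0; i < sizeof(BuiltinAccounts) / sizeof(BuiltinAccounts[0]); i++)
    {
        if (!ConvertStringSidToSid(BuiltinAccounts[i], &AccountSid))
        {
            DPRINT1("ConvertStringSidToSid(%S) failed (Error %lu)\n", BuiltinAccounts[i], GetLastError());
            continue;
        }

        /* … unchanged: LsaCreateAccount, LsaClose, LocalFree … */
    }
```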