[ros-diffs] [ekohl] 60750: [SAMSRV] Create and set a security descriptor for new user account objects.

26 Oct 2013

Author: ekohl
Date: Sat Oct 26 09:09:31 2013
New Revision: 60750
URL: http://svn.reactos.org/svn/reactos?rev=60750&view=rev
Log:
[SAMSRV]
Create and set a security descriptor for new user account objects.
Modified:
    trunk/reactos/dll/win32/samsrv/domain.c
    trunk/reactos/dll/win32/samsrv/samrpc.c
    trunk/reactos/dll/win32/samsrv/samsrv.h
    trunk/reactos/dll/win32/samsrv/security.c
    trunk/reactos/dll/win32/samsrv/setup.c
Modified: trunk/reactos/dll/win32/samsrv/domain.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/domain.c?r...
==============================================================================

--- trunk/reactos/dll/win32/samsrv/domain.c	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/domain.c	[iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -303,4 +303,55 @@
     return Status;
 }
+
+NTSTATUS
+SampCreateAccountSid(IN PSAM_DB_OBJECT DomainObject,
+                     IN ULONG ulRelativeId,
+                     IN OUT PSID *AccountSid)
+{
+    PSID DomainSid = NULL;
+    ULONG Length = 0;
+    NTSTATUS Status;
+
+    Status = SampGetObjectAttribute(DomainObject,
+                                    L"SID",
+                                    NULL,
+                                    NULL,
+                                    &Length);
+    if (!NT_SUCCESS(Status) && Status != STATUS_BUFFER_OVERFLOW)
+    {
+        TRACE("Status 0x%08lx\n", Status);
+        goto done;
+    }
+
+    TRACE("Length: %lu\n", Length);
+
+    DomainSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, Length);
+    if (DomainSid == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+        goto done;
+    }
+
+    Status = SampGetObjectAttribute(DomainObject,
+                                    L"SID",
+                                    NULL,
+                                    DomainSid,
+                                    &Length);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("Status 0x%08lx\n", Status);
+        goto done;
+    }
+
+    *AccountSid = AppendRidToSid(DomainSid,
+                                 ulRelativeId);
+
+done:
+    if (DomainSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, DomainSid);
+
+    return Status;
+}
+
 /* EOF */
Modified: trunk/reactos/dll/win32/samsrv/samrpc.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samrpc.c?r...
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samrpc.c	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samrpc.c	[iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -2174,6 +2174,9 @@
     ULONG ulSize;
     ULONG ulRid;
     WCHAR szRid[9];
+    PSECURITY_DESCRIPTOR Sd = NULL;
+    ULONG SdSize = 0;
+    PSID UserSid = NULL;
     NTSTATUS Status;
TRACE("SamrCreateUserInDomain(%p %p %lx %p %p)\n",
@@ -2239,6 +2242,28 @@
     ulRid = FixedDomainData.NextRid;
     FixedDomainData.NextRid++;
+    TRACE("RID: %lx\n", ulRid);
+
+    /* Create the user SID */
+    Status = SampCreateAccountSid(DomainObject,
+                                  ulRid,
+                                  &UserSid);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("SampCreateAccountSid failed (Status 0x%08lx)\n", Status);
+        goto done;
+    }
+
+    /* Create the security descriptor */
+    Status = SampCreateUserSD(UserSid,
+                              &Sd,
+                              &SdSize);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("SampCreateUserSD failed (Status 0x%08lx)\n", Status);
+        goto done;
+    }
+
     /* Store the fixed domain attributes */
     Status = SampSetObjectAttribute(DomainObject,
                            L"F",
@@ -2250,8 +2275,6 @@
         TRACE("failed with status 0x%08lx\n", Status);
         goto done;
     }
-
-    TRACE("RID: %lx\n", ulRid);
/* Convert the RID into a string (hex) */
     swprintf(szRid, L"%08lX", ulRid);
@@ -2505,7 +2528,17 @@
         goto done;
     }
-    /* FIXME: Set SecDesc attribute*/
+    /* Set the SecDesc attribute*/
+    Status = SampSetObjectAttribute(UserObject,
+                                    L"SecDesc",
+                                    REG_BINARY,
+                                    Sd,
+                                    SdSize);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("failed with status 0x%08lx\n", Status);
+        goto done;
+    }
if (NT_SUCCESS(Status))
     {
@@ -2514,6 +2547,12 @@
     }
done:
+    if (Sd != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
+    if (UserSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, UserSid);
+
     RtlReleaseResource(&SampResource);
TRACE("returns with status 0x%08lx\n", Status);
@@ -6871,7 +6910,6 @@
if (InfoBuffer->All.WhichFields & USER_ALL_SECURITYDESCRIPTOR)
     {
-#if 0
         Length = 0;
         SampGetObjectAttribute(UserObject,
                                L"SecDesc",
@@ -6898,7 +6936,6 @@
             if (!NT_SUCCESS(Status))
                 goto done;
         }
-#endif
     }
*Buffer = InfoBuffer;
@@ -7670,13 +7707,11 @@
if (WhichFields & USER_ALL_SECURITYDESCRIPTOR)
     {
-#if 0
         Status = SampSetObjectAttribute(UserObject,
                                         L"SecDesc",
                                         REG_BINARY,
                                         Buffer->All.SecurityDescriptor.SecurityDescriptor,
                                         Buffer->All.SecurityDescriptor.Length);
-#endif
     }
if (WriteFixedData == TRUE)
@@ -8523,6 +8558,9 @@
     ULONG ulSize;
     ULONG ulRid;
     WCHAR szRid[9];
+    PSECURITY_DESCRIPTOR Sd = NULL;
+    ULONG SdSize = 0;
+    PSID UserSid = NULL;
     NTSTATUS Status;
TRACE("SamrCreateUserInDomain(%p %p %lx %p %p)\n",
@@ -8596,6 +8634,28 @@
     ulRid = FixedDomainData.NextRid;
     FixedDomainData.NextRid++;
+    TRACE("RID: %lx\n", ulRid);
+
+    /* Create the user SID */
+    Status = SampCreateAccountSid(DomainObject,
+                                  ulRid,
+                                  &UserSid);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("SampCreateAccountSid failed (Status 0x%08lx)\n", Status);
+        goto done;
+    }
+
+    /* Create the security descriptor */
+    Status = SampCreateUserSD(UserSid,
+                              &Sd,
+                              &SdSize);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("SampCreateUserSD failed (Status 0x%08lx)\n", Status);
+        goto done;
+    }
+
     /* Store the fixed domain attributes */
     Status = SampSetObjectAttribute(DomainObject,
                                     L"F",
@@ -8607,8 +8667,6 @@
         TRACE("failed with status 0x%08lx\n", Status);
         goto done;
     }
-
-    TRACE("RID: %lx\n", ulRid);
/* Convert the RID into a string (hex) */
     swprintf(szRid, L"%08lX", ulRid);
@@ -8861,7 +8919,17 @@
         goto done;
     }
-    /* FIXME: Set SecDesc attribute*/
+    /* Set the SecDesc attribute*/
+    Status = SampSetObjectAttribute(UserObject,
+                                    L"SecDesc",
+                                    REG_BINARY,
+                                    Sd,
+                                    SdSize);
+    if (!NT_SUCCESS(Status))
+    {
+        TRACE("failed with status 0x%08lx\n", Status);
+        goto done;
+    }
if (NT_SUCCESS(Status))
     {
@@ -8871,6 +8939,12 @@
     }
done:
+    if (Sd != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
+    if (UserSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, UserSid);
+
     RtlReleaseResource(&SampResource);
TRACE("returns with status 0x%08lx\n", Status);
Modified: trunk/reactos/dll/win32/samsrv/samsrv.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samsrv.h?r...
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samsrv.h	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samsrv.h	[iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -230,6 +230,10 @@
 SampRemoveMemberFromAllAliases(IN PSAM_DB_OBJECT DomainObject,
                                IN PRPC_SID MemberSid);
+NTSTATUS
+SampCreateAccountSid(IN PSAM_DB_OBJECT DomainObject,
+                     IN ULONG ulRelativeId,
+                     IN OUT PSID *AccountSid);
/* group.h */
@@ -336,6 +340,10 @@
 SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR *GroupSd,
                   OUT PULONG Size);
+NTSTATUS
+SampCreateUserSD(IN PSID UserSid,
+                 OUT PSECURITY_DESCRIPTOR *UserSd,
+                 OUT PULONG Size);
/* setup.c */
Modified: trunk/reactos/dll/win32/samsrv/security.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/security.c...
==============================================================================
--- trunk/reactos/dll/win32/samsrv/security.c	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/security.c	[iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -1433,4 +1433,276 @@
     return Status;
 }
+
+NTSTATUS
+SampCreateUserSD(IN PSID UserSid,
+                 OUT PSECURITY_DESCRIPTOR *UserSd,
+                 OUT PULONG Size)
+{
+    PSECURITY_DESCRIPTOR AbsSD = NULL;
+    PSECURITY_DESCRIPTOR RelSD = NULL;
+    PSID EveryoneSid = NULL;
+    PSID AnonymousSid = NULL;
+    PSID AdministratorsSid = NULL;
+    PACL Dacl = NULL;
+    PACL Sacl = NULL;
+    ULONG DaclSize;
+    ULONG SaclSize;
+    ULONG RelSDSize = 0;
+    NTSTATUS Status = STATUS_SUCCESS;
+
+
+    /* Create the Everyone SID */
+    Status = RtlAllocateAndInitializeSid(&WorldAuthority,
+                                         1,
+                                         SECURITY_WORLD_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &EveryoneSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Create the Anonymous SID */
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         1,
+                                         SECURITY_ANONYMOUS_LOGON_RID,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &AnonymousSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Create the Administrators SID */
+    Status = RtlAllocateAndInitializeSid(&NtAuthority,
+                                         2,
+                                         SECURITY_BUILTIN_DOMAIN_RID,
+                                         DOMAIN_ALIAS_RID_ADMINS,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         0,
+                                         &AdministratorsSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Allocate a buffer for the absolute SD */
+    AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
+                            HEAP_ZERO_MEMORY,
+                            sizeof(SECURITY_DESCRIPTOR));
+    if (AbsSD == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    /* Create the absolute SD */
+    Status = RtlCreateSecurityDescriptor(AbsSD,
+                                         SECURITY_DESCRIPTOR_REVISION);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* allocate and create the DACL */
+    DaclSize = sizeof(ACL) + 
+               3 * sizeof(ACE) +
+               RtlLengthSid(EveryoneSid) +
+               RtlLengthSid(AdministratorsSid) +
+               RtlLengthSid(UserSid);
+
+    Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+                           HEAP_ZERO_MEMORY,
+                           DaclSize);
+    if (Dacl == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    Status = RtlCreateAcl(Dacl,
+                          DaclSize,
+                          ACL_REVISION);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    READ_CONTROL | USER_READ_GROUP_INFORMATION | USER_LIST_GROUPS |
+                                    USER_CHANGE_PASSWORD | USER_READ_ACCOUNT | USER_READ_LOGON |
+                                    USER_READ_PREFERENCES | USER_READ_GENERAL,
+                                    EveryoneSid);
+    ASSERT(NT_SUCCESS(Status));
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    USER_ALL_ACCESS,
+                                    AdministratorsSid);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAccessAllowedAce(Dacl,
+                                    ACL_REVISION,
+                                    READ_CONTROL | USER_CHANGE_PASSWORD | USER_WRITE_PREFERENCES,
+                                    UserSid);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the DACL */
+    Status = RtlSetDaclSecurityDescriptor(AbsSD,
+                                          TRUE,
+                                          Dacl,
+                                          FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* allocate and create the SACL */
+    SaclSize = sizeof(ACL) + 
+               2 * sizeof(ACE) +
+               RtlLengthSid(EveryoneSid) +
+               RtlLengthSid(AnonymousSid);
+
+    Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
+                           HEAP_ZERO_MEMORY,
+                           DaclSize);
+    if (Sacl == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    Status = RtlCreateAcl(Sacl,
+                          SaclSize,
+                          ACL_REVISION);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAuditAccessAce(Sacl,
+                                  ACL_REVISION,
+                                  ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
+                                  USER_CHANGE_PASSWORD | USER_WRITE_PREFERENCES,
+                                  EveryoneSid,
+                                  TRUE,
+                                  TRUE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    Status = RtlAddAuditAccessAce(Sacl,
+                                  ACL_REVISION,
+                                  STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+                                  AnonymousSid,
+                                  TRUE,
+                                  TRUE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the SACL */
+    Status = RtlSetSaclSecurityDescriptor(AbsSD,
+                                          TRUE,
+                                          Sacl,
+                                          FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the owner SID */
+    Status = RtlSetOwnerSecurityDescriptor(AbsSD,
+                                           AdministratorsSid,
+                                           FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Set the group SID */
+    Status = RtlSetGroupSecurityDescriptor(AbsSD,
+                                           AdministratorsSid,
+                                           FALSE);
+    ASSERT(Status == STATUS_SUCCESS);
+    if (!NT_SUCCESS(Status))
+        goto done;
+
+    /* Get the reqired buffer size for the self-relative SD */
+    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+                                         NULL,
+                                         &RelSDSize);
+    if (Status != STATUS_BUFFER_TOO_SMALL)
+        goto done;
+
+    /* Allocate a buffer for the self-relative SD */
+    RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
+                            HEAP_ZERO_MEMORY,
+                            RelSDSize);
+    if (RelSD == NULL)
+    {
+        Status = STATUS_INSUFFICIENT_RESOURCES;
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    /* Convert the absolute SD to self-relative format */
+    Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+                                         RelSD,
+                                         &RelSDSize);
+    if (Status == STATUS_BUFFER_TOO_SMALL)
+    {
+    ASSERT(Status == STATUS_SUCCESS);
+        goto done;
+    }
+
+    *UserSd = RelSD;
+    *Size = RelSDSize;
+
+done:
+    if (!NT_SUCCESS(Status))
+    {
+        if (RelSD != NULL)
+            RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
+    }
+
+    if (EveryoneSid != NULL)
+        RtlFreeSid(EveryoneSid);
+
+    if (AnonymousSid != NULL)
+        RtlFreeSid(AnonymousSid);
+
+    if (AdministratorsSid != NULL)
+        RtlFreeSid(AdministratorsSid);
+
+    if (Dacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+    if (Sacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
+
+    if (AbsSD != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
+
+    return Status;
+}
+
 /* EOF */
Modified: trunk/reactos/dll/win32/samsrv/setup.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/setup.c?re...
==============================================================================
--- trunk/reactos/dll/win32/samsrv/setup.c	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/setup.c	[iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -359,6 +359,7 @@
 SampSetupCreateUserAccount(HANDLE hDomainKey,
                            LPCWSTR lpAccountName,
                            LPCWSTR lpComment,
+                           PSID lpDomainSid,
                            ULONG ulRelativeId,
                            ULONG UserAccountControl)
 {
@@ -369,7 +370,20 @@
     WCHAR szAccountKeyName[32];
     HANDLE hAccountKey = NULL;
     HANDLE hNamesKey = NULL;
+    PSECURITY_DESCRIPTOR Sd = NULL;
+    ULONG SdSize = 0;
+    PSID UserSid = NULL;
     NTSTATUS Status;
+
+    UserSid = AppendRidToSid(lpDomainSid,
+                             ulRelativeId);
+
+    /* Create the security descriptor */
+    Status = SampCreateUserSD(UserSid,
+                              &Sd,
+                              &SdSize);
+    if (!NT_SUCCESS(Status))
+        goto done;
/* Initialize fixed user data */
     FixedUserData.Version = 1;
@@ -558,9 +572,14 @@
     if (!NT_SUCCESS(Status))
         goto done;
-
-    /* FIXME: Set SecDesc attribute*/
-
+    /* Set the SecDesc attribute*/
+    Status = SampRegSetValue(hAccountKey,
+                             L"SecDesc",
+                             REG_BINARY,
+                             Sd,
+                             SdSize);
+    if (!NT_SUCCESS(Status))
+        goto done;
Status = SampRegOpenKey(hDomainKey,
                             L"Users\Names",
@@ -577,6 +596,12 @@
done:
     SampRegCloseKey(&hNamesKey);
+
+    if (Sd != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
+    if (UserSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, UserSid);
if (hAccountKey != NULL)
     {
@@ -1057,6 +1082,7 @@
         SampSetupCreateUserAccount(hAccountDomainKey,
                                    szName,
                                    szComment,
+                                   AccountDomainInfo->DomainSid,
                                    DOMAIN_USER_RID_ADMIN,
                                    USER_DONT_EXPIRE_PASSWORD | USER_NORMAL_ACCOUNT);
@@ -1070,6 +1096,7 @@
         SampSetupCreateUserAccount(hAccountDomainKey,
                                    szName,
                                    szComment,
+                                   AccountDomainInfo->DomainSid,
                                    DOMAIN_USER_RID_GUEST,
                                    USER_ACCOUNT_DISABLED | USER_DONT_EXPIRE_PASSWORD | USER_NORMAL_ACCOUNT);

    

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

[ros-diffs] [ekohl] 60750: [SAMSRV] Create and set a security descriptor for new user account objects.