[ekohl] 60729: [SAMSRV] Create and set a security descriptor for new alias account objects.
21 Oct
2013
21 Oct
'13
6:53 p.m.
Author: ekohl
Date: Mon Oct 21 18:53:26 2013
New Revision: 60729
URL: http://svn.reactos.org/svn/reactos?rev=60729&view=rev
Log:
[SAMSRV]
Create and set a security descriptor for new alias account objects.
Modified:
trunk/reactos/dll/win32/samsrv/samrpc.c
trunk/reactos/dll/win32/samsrv/samsrv.h
trunk/reactos/dll/win32/samsrv/security.c
trunk/reactos/dll/win32/samsrv/setup.c
Modified: trunk/reactos/dll/win32/samsrv/samrpc.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samrpc.c?…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samrpc.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samrpc.c [iso-8859-1] Mon Oct 21 18:53:26 2013
@@ -2714,6 +2714,8 @@
SAM_DOMAIN_FIXED_DATA FixedDomainData;
PSAM_DB_OBJECT DomainObject;
PSAM_DB_OBJECT AliasObject;
+ PSECURITY_DESCRIPTOR Sd = NULL;
+ ULONG SdSize = 0;
ULONG ulSize;
ULONG ulRid;
WCHAR szRid[9];
@@ -2755,6 +2757,15 @@
{
TRACE("Alias name \'%S\' already exists in domain (Status
0x%08lx)\n",
AccountName->Buffer, Status);
+ goto done;
+ }
+
+ /* Create the security descriptor */
+ Status = SampCreateAliasSD(&Sd,
+ &SdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("SampCreateAliasSD failed (Status 0x%08lx)\n", Status);
goto done;
}
@@ -2837,6 +2848,18 @@
goto done;
}
+ /* Set SecDesc attribute*/
+ Status = SampSetObjectAttribute(AliasObject,
+ L"SecDesc",
+ REG_BINARY,
+ Sd,
+ SdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("failed with status 0x%08lx\n", Status);
+ goto done;
+ }
+
if (NT_SUCCESS(Status))
{
*AliasHandle = (SAMPR_HANDLE)AliasObject;
@@ -2844,6 +2867,9 @@
}
done:
+ if (Sd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
RtlReleaseResource(&SampResource);
TRACE("returns with status 0x%08lx\n", Status);
Modified: trunk/reactos/dll/win32/samsrv/samsrv.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samsrv.h?…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] Mon Oct 21 18:53:26 2013
@@ -321,12 +321,16 @@
OUT PULONG Size);
NTSTATUS
-SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *DomainSd,
OUT PULONG Size);
NTSTATUS
-SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd,
+SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *DomainSd,
OUT PULONG Size);
+
+NTSTATUS
+SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd,
+ OUT PULONG Size);
/* setup.c */
Modified: trunk/reactos/dll/win32/samsrv/security.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/security.…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] Mon Oct 21 18:53:26 2013
@@ -859,4 +859,292 @@
return Status;
}
+
+NTSTATUS
+SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd,
+ OUT PULONG Size)
+{
+ PSECURITY_DESCRIPTOR AbsSD = NULL;
+ PSECURITY_DESCRIPTOR RelSD = NULL;
+ PSID EveryoneSid = NULL;
+ PSID AnonymousSid = NULL;
+ PSID AdministratorsSid = NULL;
+ PSID AccountOperatorsSid = NULL;
+ PACL Dacl = NULL;
+ PACL Sacl = NULL;
+ ULONG DaclSize;
+ ULONG SaclSize;
+ ULONG RelSDSize = 0;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+
+ /* Create the Everyone SID */
+ Status = RtlAllocateAndInitializeSid(&WorldAuthority,
+ 1,
+ SECURITY_WORLD_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Anonymous SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_ANONYMOUS_LOGON_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AnonymousSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Administrators SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AdministratorsSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Account Operators SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ACCOUNT_OPS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AccountOperatorsSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Allocate a buffer for the absolute SD */
+ AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ sizeof(SECURITY_DESCRIPTOR));
+ if (AbsSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Create the absolute SD */
+ Status = RtlCreateSecurityDescriptor(AbsSD,
+ SECURITY_DESCRIPTOR_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the DACL */
+ DaclSize = sizeof(ACL) +
+ 3 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AdministratorsSid) +
+ RtlLengthSid(AccountOperatorsSid);
+
+ Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Dacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Dacl,
+ DaclSize,
+ ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ READ_CONTROL | ALIAS_READ_INFORMATION |
ALIAS_LIST_MEMBERS,
+ EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ ALIAS_ALL_ACCESS,
+ AdministratorsSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ ALIAS_ALL_ACCESS,
+ AccountOperatorsSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the DACL */
+ Status = RtlSetDaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Dacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the SACL */
+ SaclSize = sizeof(ACL) +
+ 2 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AnonymousSid);
+
+ Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Sacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Sacl,
+ SaclSize,
+ ACL_REVISION);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
+ ALIAS_WRITE_ACCOUNT | ALIAS_REMOVE_MEMBER |
+ ALIAS_ADD_MEMBER,
+ EveryoneSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ AnonymousSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the SACL */
+ Status = RtlSetSaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Sacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the owner SID */
+ Status = RtlSetOwnerSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the group SID */
+ Status = RtlSetGroupSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Get the reqired buffer size for the self-relative SD */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ NULL,
+ &RelSDSize);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ /* Allocate a buffer for the self-relative SD */
+ RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ RelSDSize);
+ if (RelSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Convert the absolute SD to self-relative format */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ RelSD,
+ &RelSDSize);
+ if (Status == STATUS_BUFFER_TOO_SMALL)
+ {
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ *AliasSd = RelSD;
+ *Size = RelSDSize;
+
+done:
+ if (!NT_SUCCESS(Status))
+ {
+ if (RelSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
+ }
+
+ if (EveryoneSid != NULL)
+ RtlFreeSid(EveryoneSid);
+
+ if (AnonymousSid != NULL)
+ RtlFreeSid(AnonymousSid);
+
+ if (AdministratorsSid != NULL)
+ RtlFreeSid(AdministratorsSid);
+
+ if (Dacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+ if (Sacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
+
+ if (AbsSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
+
+ return Status;
+}
+
+
/* EOF */
Modified: trunk/reactos/dll/win32/samsrv/setup.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/setup.c?r…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] Mon Oct 21 18:53:26 2013
@@ -98,6 +98,8 @@
WCHAR szAccountKeyName[32];
HANDLE hAccountKey = NULL;
HANDLE hNamesKey = NULL;
+ PSECURITY_DESCRIPTOR Sd = NULL;
+ ULONG SdSize = 0;
NTSTATUS Status;
swprintf(szAccountKeyName, L"Aliases\\%08lX", ulRelativeId);
@@ -125,6 +127,20 @@
if (!NT_SUCCESS(Status))
goto done;
+ /* Create the server SD */
+ Status = SampCreateAliasSD(&Sd,
+ &SdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set SecDesc attribute*/
+ Status = SampRegSetValue(hAccountKey,
+ L"SecDesc",
+ REG_BINARY,
+ Sd,
+ SdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
Status = SampRegOpenKey(hDomainKey,
L"Aliases\\Names",
@@ -141,6 +157,9 @@
done:
SampRegCloseKey(&hNamesKey);
+
+ if (Sd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
if (hAccountKey != NULL)
{
4040
days inactive
4040
days old
0 comments
1 participants
participants (1)
-
ekohl@svn.reactos.org