[ekohl] 60729: [SAMSRV] Create and set a security descriptor for new alias account objects.
Author: ekohl Date: Mon Oct 21 18:53:26 2013 New Revision: 60729
URL: http://svn.reactos.org/svn/reactos?rev=60729&view=rev Log: [SAMSRV] Create and set a security descriptor for new alias account objects.
Modified: trunk/reactos/dll/win32/samsrv/samrpc.c trunk/reactos/dll/win32/samsrv/samsrv.h trunk/reactos/dll/win32/samsrv/security.c trunk/reactos/dll/win32/samsrv/setup.c
Modified: trunk/reactos/dll/win32/samsrv/samrpc.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samrpc.c?r... ============================================================================== --- trunk/reactos/dll/win32/samsrv/samrpc.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/samsrv/samrpc.c [iso-8859-1] Mon Oct 21 18:53:26 2013 @@ -2714,6 +2714,8 @@ SAM_DOMAIN_FIXED_DATA FixedDomainData; PSAM_DB_OBJECT DomainObject; PSAM_DB_OBJECT AliasObject; + PSECURITY_DESCRIPTOR Sd = NULL; + ULONG SdSize = 0; ULONG ulSize; ULONG ulRid; WCHAR szRid[9]; @@ -2755,6 +2757,15 @@ { TRACE("Alias name '%S' already exists in domain (Status 0x%08lx)\n", AccountName->Buffer, Status); + goto done; + } + + /* Create the security descriptor */ + Status = SampCreateAliasSD(&Sd, + &SdSize); + if (!NT_SUCCESS(Status)) + { + TRACE("SampCreateAliasSD failed (Status 0x%08lx)\n", Status); goto done; }
@@ -2837,6 +2848,18 @@ goto done; }
+ /* Set SecDesc attribute*/ + Status = SampSetObjectAttribute(AliasObject, + L"SecDesc", + REG_BINARY, + Sd, + SdSize); + if (!NT_SUCCESS(Status)) + { + TRACE("failed with status 0x%08lx\n", Status); + goto done; + } + if (NT_SUCCESS(Status)) { *AliasHandle = (SAMPR_HANDLE)AliasObject; @@ -2844,6 +2867,9 @@ }
done: + if (Sd != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, Sd); + RtlReleaseResource(&SampResource);
TRACE("returns with status 0x%08lx\n", Status);
Modified: trunk/reactos/dll/win32/samsrv/samsrv.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samsrv.h?r... ============================================================================== --- trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] (original) +++ trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] Mon Oct 21 18:53:26 2013 @@ -321,12 +321,16 @@ OUT PULONG Size);
NTSTATUS -SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd, +SampCreateBuiltinDomainSD(OUT PSECURITY_DESCRIPTOR *DomainSd, OUT PULONG Size);
NTSTATUS -SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *ServerSd, +SampCreateAccountDomainSD(OUT PSECURITY_DESCRIPTOR *DomainSd, OUT PULONG Size); + +NTSTATUS +SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd, + OUT PULONG Size);
/* setup.c */
Modified: trunk/reactos/dll/win32/samsrv/security.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/security.c... ============================================================================== --- trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] Mon Oct 21 18:53:26 2013 @@ -859,4 +859,292 @@ return Status; }
+ +NTSTATUS +SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd, + OUT PULONG Size) +{ + PSECURITY_DESCRIPTOR AbsSD = NULL; + PSECURITY_DESCRIPTOR RelSD = NULL; + PSID EveryoneSid = NULL; + PSID AnonymousSid = NULL; + PSID AdministratorsSid = NULL; + PSID AccountOperatorsSid = NULL; + PACL Dacl = NULL; + PACL Sacl = NULL; + ULONG DaclSize; + ULONG SaclSize; + ULONG RelSDSize = 0; + NTSTATUS Status = STATUS_SUCCESS; + + + /* Create the Everyone SID */ + Status = RtlAllocateAndInitializeSid(&WorldAuthority, + 1, + SECURITY_WORLD_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &EveryoneSid); + ASSERT(NT_SUCCESS(Status)); + if (!NT_SUCCESS(Status)) + goto done; + + /* Create the Anonymous SID */ + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_ANONYMOUS_LOGON_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &AnonymousSid); + ASSERT(NT_SUCCESS(Status)); + if (!NT_SUCCESS(Status)) + goto done; + + /* Create the Administrators SID */ + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 2, + SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ADMINS, + 0, + 0, + 0, + 0, + 0, + 0, + &AdministratorsSid); + ASSERT(NT_SUCCESS(Status)); + if (!NT_SUCCESS(Status)) + goto done; + + /* Create the Account Operators SID */ + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 2, + SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ACCOUNT_OPS, + 0, + 0, + 0, + 0, + 0, + 0, + &AccountOperatorsSid); + ASSERT(NT_SUCCESS(Status)); + if (!NT_SUCCESS(Status)) + goto done; + + /* Allocate a buffer for the absolute SD */ + AbsSD = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + sizeof(SECURITY_DESCRIPTOR)); + if (AbsSD == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + ASSERT(Status == STATUS_SUCCESS); + goto done; + } + + /* Create the absolute SD */ + Status = RtlCreateSecurityDescriptor(AbsSD, + SECURITY_DESCRIPTOR_REVISION); + ASSERT(NT_SUCCESS(Status)); + if (!NT_SUCCESS(Status)) + goto done; + + /* allocate and create the DACL */ + DaclSize = sizeof(ACL) + + 3 * sizeof(ACE) + + RtlLengthSid(EveryoneSid) + + RtlLengthSid(AdministratorsSid) + + RtlLengthSid(AccountOperatorsSid); + + Dacl = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + DaclSize); + if (Dacl == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + ASSERT(Status == STATUS_SUCCESS); + goto done; + } + + Status = RtlCreateAcl(Dacl, + DaclSize, + ACL_REVISION); + ASSERT(NT_SUCCESS(Status)); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + READ_CONTROL | ALIAS_READ_INFORMATION | ALIAS_LIST_MEMBERS, + EveryoneSid); + ASSERT(NT_SUCCESS(Status)); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + ALIAS_ALL_ACCESS, + AdministratorsSid); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + ALIAS_ALL_ACCESS, + AccountOperatorsSid); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + /* Set the DACL */ + Status = RtlSetDaclSecurityDescriptor(AbsSD, + TRUE, + Dacl, + FALSE); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + /* allocate and create the SACL */ + SaclSize = sizeof(ACL) + + 2 * sizeof(ACE) + + RtlLengthSid(EveryoneSid) + + RtlLengthSid(AnonymousSid); + + Sacl = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + DaclSize); + if (Sacl == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + ASSERT(Status == STATUS_SUCCESS); + goto done; + } + + Status = RtlCreateAcl(Sacl, + SaclSize, + ACL_REVISION); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAuditAccessAce(Sacl, + ACL_REVISION, + ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE | + ALIAS_WRITE_ACCOUNT | ALIAS_REMOVE_MEMBER | + ALIAS_ADD_MEMBER, + EveryoneSid, + TRUE, + TRUE); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAuditAccessAce(Sacl, + ACL_REVISION, + STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL, + AnonymousSid, + TRUE, + TRUE); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + /* Set the SACL */ + Status = RtlSetSaclSecurityDescriptor(AbsSD, + TRUE, + Sacl, + FALSE); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + /* Set the owner SID */ + Status = RtlSetOwnerSecurityDescriptor(AbsSD, + AdministratorsSid, + FALSE); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + /* Set the group SID */ + Status = RtlSetGroupSecurityDescriptor(AbsSD, + AdministratorsSid, + FALSE); + ASSERT(Status == STATUS_SUCCESS); + if (!NT_SUCCESS(Status)) + goto done; + + /* Get the reqired buffer size for the self-relative SD */ + Status = RtlAbsoluteToSelfRelativeSD(AbsSD, + NULL, + &RelSDSize); + if (Status != STATUS_BUFFER_TOO_SMALL) + goto done; + + /* Allocate a buffer for the self-relative SD */ + RelSD = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + RelSDSize); + if (RelSD == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + ASSERT(Status == STATUS_SUCCESS); + goto done; + } + + /* Convert the absolute SD to self-relative format */ + Status = RtlAbsoluteToSelfRelativeSD(AbsSD, + RelSD, + &RelSDSize); + if (Status == STATUS_BUFFER_TOO_SMALL) + { + ASSERT(Status == STATUS_SUCCESS); + goto done; + } + + *AliasSd = RelSD; + *Size = RelSDSize; + +done: + if (!NT_SUCCESS(Status)) + { + if (RelSD != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD); + } + + if (EveryoneSid != NULL) + RtlFreeSid(EveryoneSid); + + if (AnonymousSid != NULL) + RtlFreeSid(AnonymousSid); + + if (AdministratorsSid != NULL) + RtlFreeSid(AdministratorsSid); + + if (Dacl != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl); + + if (Sacl != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl); + + if (AbsSD != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD); + + return Status; +} + + /* EOF */
Modified: trunk/reactos/dll/win32/samsrv/setup.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/setup.c?re... ============================================================================== --- trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] Mon Oct 21 18:53:26 2013 @@ -98,6 +98,8 @@ WCHAR szAccountKeyName[32]; HANDLE hAccountKey = NULL; HANDLE hNamesKey = NULL; + PSECURITY_DESCRIPTOR Sd = NULL; + ULONG SdSize = 0; NTSTATUS Status;
swprintf(szAccountKeyName, L"Aliases\%08lX", ulRelativeId); @@ -125,6 +127,20 @@ if (!NT_SUCCESS(Status)) goto done;
+ /* Create the server SD */ + Status = SampCreateAliasSD(&Sd, + &SdSize); + if (!NT_SUCCESS(Status)) + goto done; + + /* Set SecDesc attribute*/ + Status = SampRegSetValue(hAccountKey, + L"SecDesc", + REG_BINARY, + Sd, + SdSize); + if (!NT_SUCCESS(Status)) + goto done;
Status = SampRegOpenKey(hDomainKey, L"Aliases\Names", @@ -141,6 +157,9 @@
done: SampRegCloseKey(&hNamesKey); + + if (Sd != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
if (hAccountKey != NULL) {
-
ekohl@svn.reactos.org