[ekohl] 60730: [SAMSRV] Create and set a security descriptor for new group account objects.
21 Oct
2013
21 Oct
'13
8:16 p.m.
Author: ekohl
Date: Mon Oct 21 20:16:56 2013
New Revision: 60730
URL: http://svn.reactos.org/svn/reactos?rev=60730&view=rev
Log:
[SAMSRV]
Create and set a security descriptor for new group account objects.
Modified:
trunk/reactos/dll/win32/samsrv/samrpc.c
trunk/reactos/dll/win32/samsrv/samsrv.h
trunk/reactos/dll/win32/samsrv/security.c
trunk/reactos/dll/win32/samsrv/setup.c
Modified: trunk/reactos/dll/win32/samsrv/samrpc.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samrpc.c?…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samrpc.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samrpc.c [iso-8859-1] Mon Oct 21 20:16:56 2013
@@ -1770,6 +1770,8 @@
SAM_GROUP_FIXED_DATA FixedGroupData;
PSAM_DB_OBJECT DomainObject;
PSAM_DB_OBJECT GroupObject;
+ PSECURITY_DESCRIPTOR Sd = NULL;
+ ULONG SdSize = 0;
ULONG ulSize;
ULONG ulRid;
WCHAR szRid[9];
@@ -1811,6 +1813,15 @@
{
TRACE("Group name \'%S\' already exists in domain (Status
0x%08lx)\n",
Name->Buffer, Status);
+ goto done;
+ }
+
+ /* Create the security descriptor */
+ Status = SampCreateGroupSD(&Sd,
+ &SdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("SampCreateGroupSD failed (Status 0x%08lx)\n", Status);
goto done;
}
@@ -1910,6 +1921,18 @@
goto done;
}
+ /* Set the SecDesc attribute*/
+ Status = SampSetObjectAttribute(GroupObject,
+ L"SecDesc",
+ REG_BINARY,
+ Sd,
+ SdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("failed with status 0x%08lx\n", Status);
+ goto done;
+ }
+
if (NT_SUCCESS(Status))
{
*GroupHandle = (SAMPR_HANDLE)GroupObject;
@@ -1917,6 +1940,9 @@
}
done:
+ if (Sd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
RtlReleaseResource(&SampResource);
TRACE("returns with status 0x%08lx\n", Status);
@@ -2848,7 +2874,7 @@
goto done;
}
- /* Set SecDesc attribute*/
+ /* Set the SecDesc attribute*/
Status = SampSetObjectAttribute(AliasObject,
L"SecDesc",
REG_BINARY,
Modified: trunk/reactos/dll/win32/samsrv/samsrv.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samsrv.h?…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] Mon Oct 21 20:16:56 2013
@@ -332,6 +332,10 @@
SampCreateAliasSD(OUT PSECURITY_DESCRIPTOR *AliasSd,
OUT PULONG Size);
+NTSTATUS
+SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR *GroupSd,
+ OUT PULONG Size);
+
/* setup.c */
Modified: trunk/reactos/dll/win32/samsrv/security.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/security.…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] Mon Oct 21 20:16:56 2013
@@ -1147,4 +1147,290 @@
}
+NTSTATUS
+SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR *GroupSd,
+ OUT PULONG Size)
+{
+ PSECURITY_DESCRIPTOR AbsSD = NULL;
+ PSECURITY_DESCRIPTOR RelSD = NULL;
+ PSID EveryoneSid = NULL;
+ PSID AnonymousSid = NULL;
+ PSID AdministratorsSid = NULL;
+ PSID AccountOperatorsSid = NULL;
+ PACL Dacl = NULL;
+ PACL Sacl = NULL;
+ ULONG DaclSize;
+ ULONG SaclSize;
+ ULONG RelSDSize = 0;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+
+ /* Create the Everyone SID */
+ Status = RtlAllocateAndInitializeSid(&WorldAuthority,
+ 1,
+ SECURITY_WORLD_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Anonymous SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_ANONYMOUS_LOGON_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AnonymousSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Administrators SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AdministratorsSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Account Operators SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ACCOUNT_OPS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AccountOperatorsSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Allocate a buffer for the absolute SD */
+ AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ sizeof(SECURITY_DESCRIPTOR));
+ if (AbsSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Create the absolute SD */
+ Status = RtlCreateSecurityDescriptor(AbsSD,
+ SECURITY_DESCRIPTOR_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the DACL */
+ DaclSize = sizeof(ACL) +
+ 3 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AdministratorsSid) +
+ RtlLengthSid(AccountOperatorsSid);
+
+ Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Dacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Dacl,
+ DaclSize,
+ ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ READ_CONTROL | GROUP_LIST_MEMBERS |
GROUP_READ_INFORMATION,
+ EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GROUP_ALL_ACCESS,
+ AdministratorsSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ GROUP_ALL_ACCESS,
+ AccountOperatorsSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the DACL */
+ Status = RtlSetDaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Dacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the SACL */
+ SaclSize = sizeof(ACL) +
+ 2 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AnonymousSid);
+
+ Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Sacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Sacl,
+ SaclSize,
+ ACL_REVISION);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
+ GROUP_REMOVE_MEMBER | GROUP_ADD_MEMBER |
+ GROUP_WRITE_ACCOUNT,
+ EveryoneSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ AnonymousSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the SACL */
+ Status = RtlSetSaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Sacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the owner SID */
+ Status = RtlSetOwnerSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the group SID */
+ Status = RtlSetGroupSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Get the reqired buffer size for the self-relative SD */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ NULL,
+ &RelSDSize);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ /* Allocate a buffer for the self-relative SD */
+ RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ RelSDSize);
+ if (RelSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Convert the absolute SD to self-relative format */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ RelSD,
+ &RelSDSize);
+ if (Status == STATUS_BUFFER_TOO_SMALL)
+ {
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ *GroupSd = RelSD;
+ *Size = RelSDSize;
+
+done:
+ if (!NT_SUCCESS(Status))
+ {
+ if (RelSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
+ }
+
+ if (EveryoneSid != NULL)
+ RtlFreeSid(EveryoneSid);
+
+ if (AnonymousSid != NULL)
+ RtlFreeSid(AnonymousSid);
+
+ if (AdministratorsSid != NULL)
+ RtlFreeSid(AdministratorsSid);
+
+ if (Dacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+ if (Sacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
+
+ if (AbsSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
+
+ return Status;
+}
+
/* EOF */
Modified: trunk/reactos/dll/win32/samsrv/setup.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/setup.c?r…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] Mon Oct 21 20:16:56 2013
@@ -264,6 +264,8 @@
WCHAR szAccountKeyName[32];
HANDLE hAccountKey = NULL;
HANDLE hNamesKey = NULL;
+ PSECURITY_DESCRIPTOR Sd = NULL;
+ ULONG SdSize = 0;
NTSTATUS Status;
/* Initialize fixed group data */
@@ -305,6 +307,21 @@
if (!NT_SUCCESS(Status))
goto done;
+ /* Create the security descriptor */
+ Status = SampCreateGroupSD(&Sd,
+ &SdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the SecDesc attribute*/
+ Status = SampRegSetValue(hAccountKey,
+ L"SecDesc",
+ REG_BINARY,
+ Sd,
+ SdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
Status = SampRegOpenKey(hDomainKey,
L"Groups\\Names",
KEY_ALL_ACCESS,
@@ -320,6 +337,9 @@
done:
SampRegCloseKey(&hNamesKey);
+
+ if (Sd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
if (hAccountKey != NULL)
{
4040
days inactive
4040
days old
0 comments
1 participants
participants (1)
-
ekohl@svn.reactos.org