[ekohl] 57733: [LSASRV] Create a security descriptor for the policy object and store as attribute "SecDesc".
Author: ekohl Date: Sun Nov 18 15:19:14 2012 New Revision: 57733
URL: http://svn.reactos.org/svn/reactos?rev=57733&view=rev Log: [LSASRV] Create a security descriptor for the policy object and store as attribute "SecDesc".
Modified: trunk/reactos/dll/win32/lsasrv/database.c
Modified: trunk/reactos/dll/win32/lsasrv/database.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/database.c... ============================================================================== --- trunk/reactos/dll/win32/lsasrv/database.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/lsasrv/database.c [iso-8859-1] Sun Nov 18 15:19:14 2012 @@ -234,6 +234,260 @@
static NTSTATUS +LsapCreatePolicySd(PSECURITY_DESCRIPTOR *PolicySd, + PULONG PolicySdSize) +{ + SECURITY_DESCRIPTOR AbsoluteSd; + PSECURITY_DESCRIPTOR RelativeSd = NULL; + ULONG RelativeSdSize = 0; + PSID AnonymousSid = NULL; + PSID AdministratorsSid = NULL; + PSID EveryoneSid = NULL; + PSID LocalServiceSid = NULL; + PSID NetworkServiceSid = NULL; + PSID LocalSystemSid = NULL; + PACL Dacl = NULL; + ULONG DaclSize; + NTSTATUS Status; + + if (PolicySd == NULL || PolicySdSize == NULL) + return STATUS_INVALID_PARAMETER; + + *PolicySd = NULL; + *PolicySdSize = 0; + + /* Initialize the SD */ + Status = RtlCreateSecurityDescriptor(&AbsoluteSd, + SECURITY_DESCRIPTOR_REVISION); + if (!NT_SUCCESS(Status)) + return Status; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_ANONYMOUS_LOGON_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &AnonymousSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 2, + SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ADMINS, + 0, + 0, + 0, + 0, + 0, + 0, + &AdministratorsSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&WorldSidAuthority, + 1, + SECURITY_WORLD_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &EveryoneSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_LOCAL_SERVICE_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &LocalServiceSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_NETWORK_SERVICE_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &NetworkServiceSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_LOCAL_SYSTEM_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &LocalSystemSid); + if (!NT_SUCCESS(Status)) + goto done; + + /* Allocate and initialize the DACL */ + DaclSize = sizeof(ACL) + + sizeof(ACCESS_DENIED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AnonymousSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(LocalServiceSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(NetworkServiceSid); + + Dacl = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + DaclSize); + if (Dacl == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + goto done; + } + + Status = RtlCreateAcl(Dacl, + DaclSize, + ACL_REVISION); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessDeniedAce(Dacl, + ACL_REVISION, + POLICY_LOOKUP_NAMES, + AnonymousSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_ALL_ACCESS | POLICY_NOTIFICATION, + AdministratorsSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_EXECUTE, + EveryoneSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_LOOKUP_NAMES | POLICY_VIEW_LOCAL_INFORMATION, + AnonymousSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_NOTIFICATION, + LocalServiceSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + POLICY_NOTIFICATION, + NetworkServiceSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd, + TRUE, + Dacl, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd, + LocalSystemSid, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd, + AdministratorsSid, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd, + RelativeSd, + &RelativeSdSize); + if (Status != STATUS_BUFFER_TOO_SMALL) + goto done; + + RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + RelativeSdSize); + if (RelativeSd == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + goto done; + } + + Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd, + RelativeSd, + &RelativeSdSize); + if (!NT_SUCCESS(Status)) + goto done; + + *PolicySd = RelativeSd; + *PolicySdSize = RelativeSdSize; + +done: + if (Dacl != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl); + + if (AnonymousSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, AnonymousSid); + + if (AdministratorsSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid); + + if (EveryoneSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid); + + if (LocalServiceSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, LocalServiceSid); + + if (NetworkServiceSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, NetworkServiceSid); + + if (LocalSystemSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid); + + if (!NT_SUCCESS(Status)) + { + if (RelativeSd != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd); + } + + return Status; +} + + +static NTSTATUS LsapCreateDatabaseObjects(VOID) { PLSAP_POLICY_AUDIT_EVENTS_DATA AuditEventsInfo = NULL; @@ -244,6 +498,8 @@ GUID DnsDomainGuid; PLSA_DB_OBJECT PolicyObject = NULL; PSID AccountDomainSid = NULL; + PSECURITY_DESCRIPTOR PolicySd = NULL; + ULONG PolicySdSize = 0; ULONG AuditEventsCount; ULONG AuditEventsSize; ULONG i; @@ -269,7 +525,7 @@ AuditEventsCount = AuditCategoryAccountLogon - AuditCategorySystem + 1; AuditEventsSize = sizeof(LSAP_POLICY_AUDIT_EVENTS_DATA) + AuditEventsCount * sizeof(DWORD); AuditEventsInfo = RtlAllocateHeap(RtlGetProcessHeap(), - 0, + HEAP_ZERO_MEMORY, AuditEventsSize); if (AuditEventsInfo == NULL) return STATUS_INSUFFICIENT_RESOURCES; @@ -288,6 +544,11 @@
/* Create a random domain SID */ Status = LsapCreateRandomDomainSid(&AccountDomainSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = LsapCreatePolicySd(&PolicySd, + &PolicySdSize); if (!NT_SUCCESS(Status)) goto done;
@@ -369,6 +630,12 @@ &DnsDomainGuid, sizeof(GUID));
+ /* Set the Sceurity Descriptor */ + LsapSetObjectAttribute(PolicyObject, + L"SecDesc", + PolicySd, + PolicySdSize); + done: if (AuditEventsInfo != NULL) RtlFreeHeap(RtlGetProcessHeap(), 0, AuditEventsInfo); @@ -378,6 +645,9 @@
if (AccountDomainSid != NULL) RtlFreeSid(AccountDomainSid); + + if (PolicySd != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, PolicySd);
return Status; }
-
ekohl@svn.reactos.org