[ekohl] 71684: [SERVICES] - Create the absolute default service security descriptor when services.exe starts up. - Create a self-relative security descriptor whenever it is needed.
27 Jun
2016
27 Jun
'16
10:19 p.m.
Author: ekohl
Date: Mon Jun 27 22:19:19 2016
New Revision: 71684
URL: http://svn.reactos.org/svn/reactos?rev=71684&view=rev
Log:
[SERVICES]
- Create the absolute default service security descriptor when services.exe starts up.
- Create a self-relative security descriptor whenever it is needed.
Modified:
trunk/reactos/base/system/services/security.c
Modified: trunk/reactos/base/system/services/security.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/base/system/services/secur…
==============================================================================
--- trunk/reactos/base/system/services/security.c [iso-8859-1] (original)
+++ trunk/reactos/base/system/services/security.c [iso-8859-1] Mon Jun 27 22:19:19 2016
@@ -18,6 +18,11 @@
static PSID pAuthenticatedUserSid = NULL;
static PSID pAliasAdminsSid = NULL;
+static PACL pDefaultDacl = NULL;
+static PACL pDefaultSacl = NULL;
+
+static PSECURITY_DESCRIPTOR pDefaultSD = NULL;
+
/* FUNCTIONS ****************************************************************/
@@ -100,18 +105,11 @@
}
-DWORD
-ScmCreateDefaultServiceSD(
- PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
-{
- PSECURITY_DESCRIPTOR pServiceSD = NULL;
- PSECURITY_DESCRIPTOR pRelativeSD = NULL;
- PACL pDacl = NULL;
- PACL pSacl = NULL;
+static
+DWORD
+ScmCreateAcls(VOID)
+{
ULONG ulLength;
- DWORD dwBufferLength = 0;
- NTSTATUS Status;
- DWORD dwError = ERROR_SUCCESS;
/* Create DACL */
ulLength = sizeof(ACL) +
@@ -119,28 +117,25 @@
(sizeof(ACE) + RtlLengthSid(pAliasAdminsSid)) +
(sizeof(ACE) + RtlLengthSid(pAuthenticatedUserSid));
- pDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
- if (pDacl == NULL)
- {
- dwError = ERROR_OUTOFMEMORY;
- goto done;
- }
-
- RtlCreateAcl(pDacl, ulLength, ACL_REVISION);
-
- RtlAddAccessAllowedAce(pDacl,
+ pDefaultDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
+ if (pDefaultDacl == NULL)
+ return ERROR_OUTOFMEMORY;
+
+ RtlCreateAcl(pDefaultDacl, ulLength, ACL_REVISION);
+
+ RtlAddAccessAllowedAce(pDefaultDacl,
ACL_REVISION,
READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS |
SERVICE_INTERROGATE |
SERVICE_PAUSE_CONTINUE | SERVICE_QUERY_CONFIG |
SERVICE_QUERY_STATUS |
SERVICE_START | SERVICE_STOP | SERVICE_USER_DEFINED_CONTROL,
pLocalSystemSid);
- RtlAddAccessAllowedAce(pDacl,
+ RtlAddAccessAllowedAce(pDefaultDacl,
ACL_REVISION,
SERVICE_ALL_ACCESS,
pAliasAdminsSid);
- RtlAddAccessAllowedAce(pDacl,
+ RtlAddAccessAllowedAce(pDefaultDacl,
ACL_REVISION,
READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS |
SERVICE_INTERROGATE |
SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS |
SERVICE_USER_DEFINED_CONTROL,
@@ -150,79 +145,103 @@
ulLength = sizeof(ACL) +
(sizeof(ACE) + RtlLengthSid(pNullSid));
- pSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
- if (pSacl == NULL)
- {
- dwError = ERROR_OUTOFMEMORY;
- goto done;
- }
-
- RtlCreateAcl(pSacl, ulLength, ACL_REVISION);
-
- RtlAddAuditAccessAce(pSacl,
+ pDefaultSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
+ if (pDefaultSacl == NULL)
+ return ERROR_OUTOFMEMORY;
+
+ RtlCreateAcl(pDefaultSacl, ulLength, ACL_REVISION);
+
+ RtlAddAuditAccessAce(pDefaultSacl,
ACL_REVISION,
SERVICE_ALL_ACCESS,
pNullSid,
FALSE,
TRUE);
+ return ERROR_SUCCESS;
+}
+
+
+static
+VOID
+ScmFreeAcls(VOID)
+{
+ if (pDefaultDacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultDacl);
+
+ if (pDefaultSacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl);
+}
+
+
+static
+DWORD
+ScmCreateDefaultSD(VOID)
+{
+ NTSTATUS Status;
+
/* Create the absolute security descriptor */
- pServiceSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY,
sizeof(SECURITY_DESCRIPTOR));
- if (pServiceSD == NULL)
- {
- dwError = ERROR_OUTOFMEMORY;
- goto done;
- }
- DPRINT("pServiceSD %p\n", pServiceSD);
-
- Status = RtlCreateSecurityDescriptor(pServiceSD,
+ pDefaultSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY,
sizeof(SECURITY_DESCRIPTOR));
+ if (pDefaultSD == NULL)
+ return ERROR_OUTOFMEMORY;
+
+ DPRINT("pDefaultSD %p\n", pDefaultSD);
+
+ Status = RtlCreateSecurityDescriptor(pDefaultSD,
SECURITY_DESCRIPTOR_REVISION);
if (!NT_SUCCESS(Status))
- {
- dwError = RtlNtStatusToDosError(Status);
- goto done;
- }
-
- Status = RtlSetOwnerSecurityDescriptor(pServiceSD,
+ return RtlNtStatusToDosError(Status);
+
+ Status = RtlSetOwnerSecurityDescriptor(pDefaultSD,
pLocalSystemSid,
FALSE);
if (!NT_SUCCESS(Status))
- {
- dwError = RtlNtStatusToDosError(Status);
- goto done;
- }
-
- Status = RtlSetGroupSecurityDescriptor(pServiceSD,
+ return RtlNtStatusToDosError(Status);
+
+ Status = RtlSetGroupSecurityDescriptor(pDefaultSD,
pLocalSystemSid,
FALSE);
if (!NT_SUCCESS(Status))
- {
- dwError = RtlNtStatusToDosError(Status);
- goto done;
- }
-
- Status = RtlSetDaclSecurityDescriptor(pServiceSD,
+ return RtlNtStatusToDosError(Status);
+
+ Status = RtlSetDaclSecurityDescriptor(pDefaultSD,
TRUE,
- pDacl,
+ pDefaultDacl,
FALSE);
if (!NT_SUCCESS(Status))
- {
- dwError = RtlNtStatusToDosError(Status);
- goto done;
- }
-
- Status = RtlSetSaclSecurityDescriptor(pServiceSD,
+ return RtlNtStatusToDosError(Status);
+
+ Status = RtlSetSaclSecurityDescriptor(pDefaultSD,
TRUE,
- pSacl,
+ pDefaultSacl,
FALSE);
if (!NT_SUCCESS(Status))
- {
- dwError = RtlNtStatusToDosError(Status);
- goto done;
- }
+ return RtlNtStatusToDosError(Status);
+
+ return ERROR_SUCCESS;
+}
+
+
+static
+VOID
+ScmFreeDefaultSD(VOID)
+{
+ if (pDefaultSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD);
+}
+
+
+DWORD
+ScmCreateDefaultServiceSD(
+ PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
+{
+ PSECURITY_DESCRIPTOR pRelativeSD = NULL;
+ DWORD dwBufferLength = 0;
+ NTSTATUS Status;
+ DWORD dwError = ERROR_SUCCESS;
/* Convert the absolute SD to a self-relative SD */
- Status = RtlAbsoluteToSelfRelativeSD(pServiceSD,
+ Status = RtlAbsoluteToSelfRelativeSD(pDefaultSD,
NULL,
&dwBufferLength);
if (Status != STATUS_BUFFER_TOO_SMALL)
@@ -243,7 +262,7 @@
}
DPRINT("pRelativeSD %p\n", pRelativeSD);
- Status = RtlAbsoluteToSelfRelativeSD(pServiceSD,
+ Status = RtlAbsoluteToSelfRelativeSD(pDefaultSD,
pRelativeSD,
&dwBufferLength);
if (!NT_SUCCESS(Status))
@@ -260,15 +279,6 @@
if (pRelativeSD != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD);
}
-
- if (pServiceSD != NULL)
- RtlFreeHeap(RtlGetProcessHeap(), 0, pServiceSD);
-
- if (pSacl != NULL)
- RtlFreeHeap(RtlGetProcessHeap(), 0, pSacl);
-
- if (pDacl != NULL)
- RtlFreeHeap(RtlGetProcessHeap(), 0, pDacl);
return dwError;
}
@@ -283,6 +293,14 @@
if (dwError != ERROR_SUCCESS)
return dwError;
+ dwError = ScmCreateAcls();
+ if (dwError != ERROR_SUCCESS)
+ return dwError;
+
+ dwError = ScmCreateDefaultSD();
+ if (dwError != ERROR_SUCCESS)
+ return dwError;
+
return ERROR_SUCCESS;
}
@@ -290,6 +308,8 @@
VOID
ScmShutdownSecurity(VOID)
{
+ ScmFreeDefaultSD();
+ ScmFreeAcls();
ScmFreeSids();
}
3063
days inactive
3063
days old
0 comments
1 participants
participants (1)
-
ekohl@svn.reactos.org