Author: ekohl Date: Mon Jun 27 22:19:19 2016 New Revision: 71684
URL: http://svn.reactos.org/svn/reactos?rev=71684&view=rev Log: [SERVICES] - Create the absolute default service security descriptor when services.exe starts up. - Create a self-relative security descriptor whenever it is needed.
Modified: trunk/reactos/base/system/services/security.c
Modified: trunk/reactos/base/system/services/security.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/system/services/securi... ============================================================================== --- trunk/reactos/base/system/services/security.c [iso-8859-1] (original) +++ trunk/reactos/base/system/services/security.c [iso-8859-1] Mon Jun 27 22:19:19 2016 @@ -18,6 +18,11 @@ static PSID pAuthenticatedUserSid = NULL; static PSID pAliasAdminsSid = NULL;
+static PACL pDefaultDacl = NULL;
+static PACL pDefaultSacl = NULL;
+
+static PSECURITY_DESCRIPTOR pDefaultSD = NULL;
+
/* FUNCTIONS ****************************************************************/
@@ -100,18 +105,11 @@ }
-DWORD
-ScmCreateDefaultServiceSD(
- PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
-{
- PSECURITY_DESCRIPTOR pServiceSD = NULL;
- PSECURITY_DESCRIPTOR pRelativeSD = NULL;
- PACL pDacl = NULL;
- PACL pSacl = NULL;
+static
+DWORD
+ScmCreateAcls(VOID)
+{
 ULONG ulLength;
- DWORD dwBufferLength = 0;
- NTSTATUS Status;
- DWORD dwError = ERROR_SUCCESS;
/* Create DACL */ ulLength = sizeof(ACL) + @@ -119,28 +117,25 @@ (sizeof(ACE) + RtlLengthSid(pAliasAdminsSid)) + (sizeof(ACE) + RtlLengthSid(pAuthenticatedUserSid));
- pDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength); - if (pDacl == NULL) - { - dwError = ERROR_OUTOFMEMORY; - goto done; - } - - RtlCreateAcl(pDacl, ulLength, ACL_REVISION); - - RtlAddAccessAllowedAce(pDacl, + pDefaultDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength); + if (pDefaultDacl == NULL) + return ERROR_OUTOFMEMORY; + + RtlCreateAcl(pDefaultDacl, ulLength, ACL_REVISION); + + RtlAddAccessAllowedAce(pDefaultDacl, ACL_REVISION, READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE | SERVICE_PAUSE_CONTINUE | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP | SERVICE_USER_DEFINED_CONTROL, pLocalSystemSid);
- RtlAddAccessAllowedAce(pDacl, + RtlAddAccessAllowedAce(pDefaultDacl, ACL_REVISION, SERVICE_ALL_ACCESS, pAliasAdminsSid);
- RtlAddAccessAllowedAce(pDacl, + RtlAddAccessAllowedAce(pDefaultDacl, ACL_REVISION, READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_USER_DEFINED_CONTROL, @@ -150,79 +145,103 @@ ulLength = sizeof(ACL) + (sizeof(ACE) + RtlLengthSid(pNullSid));
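Review bot: The NTSTATUS results of RtlCreateAcl and the three RtlAddAccessAllowedAce calls on pDefaultDacl are discarded, so ScmCreateAcls can return ERROR_SUCCESS with a DACL that lacks some of the intended ACEs. The ACL is now built once at startup and appears to back every default service descriptor produced afterwards, so a silent failure here would persist for the lifetime of services.exe instead of affecting a single call. Capture and check each status, e.g. `Status = RtlCreateAcl(pDefaultDacl, ulLength, ACL_REVISION);` followed by `if (!NT_SUCCESS(Status)) return RtlNtStatusToDosError(Status);`, which needs an `NTSTATUS Status;` local in ScmCreateAcls. The same applies to RtlCreateAcl and RtlAddAuditAccessAce on pDefaultSacl in the next hunk; the function body starts in the previous hunk.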
- pSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength); - if (pSacl == NULL) - { - dwError = ERROR_OUTOFMEMORY; - goto done; - } - - RtlCreateAcl(pSacl, ulLength, ACL_REVISION); - - RtlAddAuditAccessAce(pSacl, + pDefaultSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength); + if (pDefaultSacl == NULL) + return ERROR_OUTOFMEMORY; + + RtlCreateAcl(pDefaultSacl, ulLength, ACL_REVISION); + + RtlAddAuditAccessAce(pDefaultSacl, ACL_REVISION, SERVICE_ALL_ACCESS, pNullSid, FALSE, TRUE);
+ return ERROR_SUCCESS; +} + + +static +VOID +ScmFreeAcls(VOID) +{ + if (pDefaultDacl != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultDacl); + + if (pDefaultSacl != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl); +} + + +static +DWORD +ScmCreateDefaultSD(VOID) +{ + NTSTATUS Status; + /* Create the absolute security descriptor */ - pServiceSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR)); - if (pServiceSD == NULL) - { - dwError = ERROR_OUTOFMEMORY; - goto done; - } - DPRINT("pServiceSD %p\n", pServiceSD); - - Status = RtlCreateSecurityDescriptor(pServiceSD, + pDefaultSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR)); + if (pDefaultSD == NULL) + return ERROR_OUTOFMEMORY; + + DPRINT("pDefaultSD %p\n", pDefaultSD); + + Status = RtlCreateSecurityDescriptor(pDefaultSD, SECURITY_DESCRIPTOR_REVISION); if (!NT_SUCCESS(Status)) - { - dwError = RtlNtStatusToDosError(Status); - goto done; - } - - Status = RtlSetOwnerSecurityDescriptor(pServiceSD, + return RtlNtStatusToDosError(Status); + + Status = RtlSetOwnerSecurityDescriptor(pDefaultSD, pLocalSystemSid, FALSE); if (!NT_SUCCESS(Status)) - { - dwError = RtlNtStatusToDosError(Status); - goto done; - } - - Status = RtlSetGroupSecurityDescriptor(pServiceSD, + return RtlNtStatusToDosError(Status); + + Status = RtlSetGroupSecurityDescriptor(pDefaultSD, pLocalSystemSid, FALSE); if (!NT_SUCCESS(Status)) - { - dwError = RtlNtStatusToDosError(Status); - goto done; - } - - Status = RtlSetDaclSecurityDescriptor(pServiceSD, + return RtlNtStatusToDosError(Status); + + Status = RtlSetDaclSecurityDescriptor(pDefaultSD, TRUE, - pDacl, + pDefaultDacl, FALSE); if (!NT_SUCCESS(Status)) - { - dwError = RtlNtStatusToDosError(Status); - goto done; - } - - Status = RtlSetSaclSecurityDescriptor(pServiceSD, + return RtlNtStatusToDosError(Status); + + Status = RtlSetSaclSecurityDescriptor(pDefaultSD, TRUE, - pSacl, + pDefaultSacl, FALSE); if 
(!NT_SUCCESS(Status)) - { - dwError = RtlNtStatusToDosError(Status); - goto done; - } + return RtlNtStatusToDosError(Status); + + return ERROR_SUCCESS; +} + + +static +VOID +ScmFreeDefaultSD(VOID) +{ + if (pDefaultSD != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD); +} + + +DWORD +ScmCreateDefaultServiceSD( + PSECURITY_DESCRIPTOR *ppSecurityDescriptor) +{ + PSECURITY_DESCRIPTOR pRelativeSD = NULL; + DWORD dwBufferLength = 0; + NTSTATUS Status; + DWORD dwError = ERROR_SUCCESS;
/* Convert the absolute SD to a self-relative SD */ - Status = RtlAbsoluteToSelfRelativeSD(pServiceSD, + Status = RtlAbsoluteToSelfRelativeSD(pDefaultSD, NULL, &dwBufferLength); if (Status != STATUS_BUFFER_TOO_SMALL) @@ -243,7 +262,7 @@ } DPRINT("pRelativeSD %p\n", pRelativeSD);
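Review bot: ScmFreeAcls and ScmFreeDefaultSD release pDefaultDacl, pDefaultSacl and pDefaultSD but leave the file-scope pointers set, and every failure return in ScmCreateDefaultSD leaves pDefaultSD allocated, non-NULL and only partly initialised. ScmCreateDefaultServiceSD now passes pDefaultSD straight to RtlAbsoluteToSelfRelativeSD with no check, so if it is ever reached after ScmShutdownSecurity or after a failed initialisation (the call order is not visible in this diff), it would read a freed or incomplete descriptor whose ACL pointers may also be stale. Reset each pointer after freeing it, e.g. `pDefaultSD = NULL;` right after its RtlFreeHeap call, free and clear pDefaultSD on the error paths of ScmCreateDefaultSD, and have ScmCreateDefaultServiceSD fail early when `pDefaultSD == NULL`. A short comment on pDefaultSD noting that the absolute descriptor refers to the ACLs and SIDs by pointer, and so must not outlive them, would also help. The body of ScmCreateDefaultServiceSD continues outside this hunk.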
- Status = RtlAbsoluteToSelfRelativeSD(pServiceSD, + Status = RtlAbsoluteToSelfRelativeSD(pDefaultSD, pRelativeSD, &dwBufferLength); if (!NT_SUCCESS(Status)) @@ -260,15 +279,6 @@ if (pRelativeSD != NULL) RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD); } - - if (pServiceSD != NULL) - RtlFreeHeap(RtlGetProcessHeap(), 0, pServiceSD); - - if (pSacl != NULL) - RtlFreeHeap(RtlGetProcessHeap(), 0, pSacl); - - if (pDacl != NULL) - RtlFreeHeap(RtlGetProcessHeap(), 0, pDacl);
return dwError; } @@ -283,6 +293,14 @@ if (dwError != ERROR_SUCCESS) return dwError;
+ dwError = ScmCreateAcls(); + if (dwError != ERROR_SUCCESS) + return dwError; + + dwError = ScmCreateDefaultSD(); + if (dwError != ERROR_SUCCESS) + return dwError; + return ERROR_SUCCESS; }
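Review bot: The two new early returns leave earlier allocations in place: when ScmCreateAcls fails on the SACL allocation, pDefaultDacl is already allocated, and when ScmCreateDefaultSD fails, both ACLs and pDefaultSD remain, along with the SIDs from the step before. Whether the caller runs ScmShutdownSecurity on a failed initialisation is not visible in this diff; if it does not, release what has been created before `return dwError;`. If the caller does run it, a comment saying that cleanup on failure is left to ScmShutdownSecurity would make the contract explicit. The function starts outside this hunk.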
@@ -290,6 +308,8 @@ VOID ScmShutdownSecurity(VOID) { + ScmFreeDefaultSD(); + ScmFreeAcls(); ScmFreeSids(); }