Author: ekohl Date: Tue Nov 20 22:34:00 2012 New Revision: 57742

URL: http://svn.reactos.org/svn/reactos?rev=57742&view=rev Log: [LSASRV] - Create and set a security descriptor for newly created secrets.

Modified: trunk/reactos/dll/win32/lsasrv/lsarpc.c trunk/reactos/dll/win32/lsasrv/lsasrv.h trunk/reactos/dll/win32/lsasrv/security.c

Modified: trunk/reactos/dll/win32/lsasrv/lsarpc.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/lsarpc.c?r... ============================================================================== --- trunk/reactos/dll/win32/lsasrv/lsarpc.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/lsasrv/lsarpc.c [iso-8859-1] Tue Nov 20 22:34:00 2012 @@ -767,6 +767,8 @@ PLSA_DB_OBJECT PolicyObject; PLSA_DB_OBJECT SecretObject = NULL; LARGE_INTEGER Time; + PSECURITY_DESCRIPTOR SecretSd = NULL; + ULONG SecretSdSize; NTSTATUS Status = STATUS_SUCCESS;

/* Validate the PolicyHandle */ @@ -786,6 +788,15 @@ { ERR("NtQuerySystemTime failed (Status 0x%08lx)\n", Status); goto done; + } + + /* Create a security descriptor for the secret */ + Status = LsapCreateSecretSd(&SecretSd, + &SecretSdSize); + if (!NT_SUCCESS(Status)) + { + ERR("LsapCreateAccountSd returned 0x%08lx\n", Status); + return Status; }

/* Create the Secret object */ @@ -817,8 +828,22 @@ L"OldTime", (PVOID)&Time, sizeof(LARGE_INTEGER)); + if (!NT_SUCCESS(Status)) + { + ERR("LsapSetObjectAttribute (OldTime) failed (Status 0x%08lx)\n", Status); + goto done; + } + + /* Set the SecDesc attribute */ + Status = LsapSetObjectAttribute(SecretObject, + L"SecDesc", + SecretSd, + SecretSdSize);

done: + if (SecretSd != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, SecretSd); + if (!NT_SUCCESS(Status)) { if (SecretObject != NULL)

Modified: trunk/reactos/dll/win32/lsasrv/lsasrv.h URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/lsasrv.h?r... ============================================================================== --- trunk/reactos/dll/win32/lsasrv/lsasrv.h [iso-8859-1] (original) +++ trunk/reactos/dll/win32/lsasrv/lsasrv.h [iso-8859-1] Tue Nov 20 22:34:00 2012 @@ -236,4 +236,8 @@ LsapCreateAccountSd(PSECURITY_DESCRIPTOR *AccountSd, PULONG AccountSdSize);

+NTSTATUS +LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd, + PULONG SecretSdSize); + /* EOF */

Modified: trunk/reactos/dll/win32/lsasrv/security.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/security.c... ============================================================================== --- trunk/reactos/dll/win32/lsasrv/security.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/lsasrv/security.c [iso-8859-1] Tue Nov 20 22:34:00 2012 @@ -436,4 +436,172 @@ return Status; }

+ +NTSTATUS +LsapCreateSecretSd(PSECURITY_DESCRIPTOR *SecretSd, + PULONG SecretSdSize) +{ + SECURITY_DESCRIPTOR AbsoluteSd; + PSECURITY_DESCRIPTOR RelativeSd = NULL; + ULONG RelativeSdSize = 0; + PSID AdministratorsSid = NULL; + PSID EveryoneSid = NULL; + PSID LocalSystemSid = NULL; + PACL Dacl = NULL; + ULONG DaclSize; + NTSTATUS Status; + + if (SecretSd == NULL || SecretSdSize == NULL) + return STATUS_INVALID_PARAMETER; + + *SecretSd = NULL; + *SecretSdSize = 0; + + /* Initialize the SD */ + Status = RtlCreateSecurityDescriptor(&AbsoluteSd, + SECURITY_DESCRIPTOR_REVISION); + if (!NT_SUCCESS(Status)) + return Status; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 2, + SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ADMINS, + 0, + 0, + 0, + 0, + 0, + 0, + &AdministratorsSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&WorldSidAuthority, + 1, + SECURITY_WORLD_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &EveryoneSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAllocateAndInitializeSid(&NtAuthority, + 1, + SECURITY_LOCAL_SYSTEM_RID, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + &LocalSystemSid); + if (!NT_SUCCESS(Status)) + goto done; + + /* Allocate and initialize the DACL */ + DaclSize = sizeof(ACL) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(AdministratorsSid) + + sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG) + RtlLengthSid(EveryoneSid); + + Dacl = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + DaclSize); + if (Dacl == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + goto done; + } + + Status = RtlCreateAcl(Dacl, + DaclSize, + ACL_REVISION); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + SECRET_ALL_ACCESS, + AdministratorsSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAddAccessAllowedAce(Dacl, + ACL_REVISION, + SECRET_EXECUTE, + EveryoneSid); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetDaclSecurityDescriptor(&AbsoluteSd, + TRUE, + Dacl, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetGroupSecurityDescriptor(&AbsoluteSd, + LocalSystemSid, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlSetOwnerSecurityDescriptor(&AbsoluteSd, + AdministratorsSid, + FALSE); + if (!NT_SUCCESS(Status)) + goto done; + + Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd, + RelativeSd, + &RelativeSdSize); + if (Status != STATUS_BUFFER_TOO_SMALL) + goto done; + + RelativeSd = RtlAllocateHeap(RtlGetProcessHeap(), + HEAP_ZERO_MEMORY, + RelativeSdSize); + if (RelativeSd == NULL) + { + Status = STATUS_INSUFFICIENT_RESOURCES; + goto done; + } + + Status = RtlAbsoluteToSelfRelativeSD(&AbsoluteSd, + RelativeSd, + &RelativeSdSize); + if (!NT_SUCCESS(Status)) + goto done; + + *SecretSd = RelativeSd; + *SecretSdSize = RelativeSdSize; + +done: + if (Dacl != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl); + + if (AdministratorsSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, AdministratorsSid); + + if (EveryoneSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, EveryoneSid); + + if (LocalSystemSid != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, LocalSystemSid); + + if (!NT_SUCCESS(Status)) + { + if (RelativeSd != NULL) + RtlFreeHeap(RtlGetProcessHeap(), 0, RelativeSd); + } + + return Status; +} + /* EOF */