Author: ekohl
Date: Thu May 17 21:30:30 2012
New Revision: 56607
URL:
http://svn.reactos.org/svn/reactos?rev=56607&view=rev
Log:
[SYSSETUP]
- Create builtin LSA accounts.
- Add privileges to the accounts.
Modified:
trunk/reactos/dll/win32/syssetup/globals.h
trunk/reactos/dll/win32/syssetup/install.c
trunk/reactos/dll/win32/syssetup/precomp.h
trunk/reactos/dll/win32/syssetup/security.c
Modified: trunk/reactos/dll/win32/syssetup/globals.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/syssetup/globals…
==============================================================================
--- trunk/reactos/dll/win32/syssetup/globals.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/syssetup/globals.h [iso-8859-1] Thu May 17 21:30:30 2012
@@ -64,6 +64,7 @@
/* security.c */
NTSTATUS SetAccountDomain(LPCWSTR DomainName,
PSID DomainSid);
+VOID InstallSecurity(VOID);
/* wizard.c */
VOID InstallWizard (VOID);
Modified: trunk/reactos/dll/win32/syssetup/install.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/syssetup/install…
==============================================================================
--- trunk/reactos/dll/win32/syssetup/install.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/syssetup/install.c [iso-8859-1] Thu May 17 21:30:30 2012
@@ -956,6 +956,8 @@
InstallWizard();
+ InstallSecurity();
+
/* Create the Administrator account */
if (!SamCreateUser(L"Administrator", L"", AdminSid))
{
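Review bot: `InstallSecurity();` is added as a fire-and-forget call, and the helpers it wraps in security.c are declared VOID and only DPRINT1 when LsaOpenPolicy(), SetupOpenInfFileW() or SetupFindFirstLineW() fail, so setup continues to the Administrator account creation below with no record of whether the built-in LSA accounts or the privilege assignments from defltws.inf were actually made. Consider returning NTSTATUS (or at least BOOL) from InstallSecurity and checking it here, e.g. `if (!NT_SUCCESS(InstallSecurity())) DPRINT1("InstallSecurity failed\n");`, so a partially secured install is at least visible in the log; whether setup should abort in that case is a policy decision I cannot judge from this hunk. The enclosing function starts and ends outside the hunk.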
Modified: trunk/reactos/dll/win32/syssetup/precomp.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/syssetup/precomp…
==============================================================================
--- trunk/reactos/dll/win32/syssetup/precomp.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/syssetup/precomp.h [iso-8859-1] Thu May 17 21:30:30 2012
@@ -22,7 +22,9 @@
#include <string.h>
#include <pseh/pseh2.h>
#include <time.h>
+#include <ntlsa.h>
#include <ntsecapi.h>
+#include <sddl.h>
#include "globals.h"
#include "resource.h"
Modified: trunk/reactos/dll/win32/syssetup/security.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/syssetup/securit…
==============================================================================
--- trunk/reactos/dll/win32/syssetup/security.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/syssetup/security.c [iso-8859-1] Thu May 17 21:30:30 2012
@@ -85,3 +85,188 @@
return Status;
}
+
+
+static
+VOID
+InstallBuiltinAccounts(VOID)
+{
+ LPWSTR BuiltinAccounts[] = {
+ L"S-1-1-0", /* Everyone */
+ L"S-1-5-4", /* Interactive */
+ L"S-1-5-6", /* Service */
+ L"S-1-5-19", /* Local Service */
+ L"S-1-5-20", /* Network Service */
+ L"S-1-5-32-544", /* Administrators */
+ L"S-1-5-32-545", /* Users */
+ L"S-1-5-32-547", /* Power Users */
+ L"S-1-5-32-551", /* Backup Operators */
+ L"S-1-5-32-555"}; /* Remote Desktop Users */
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ NTSTATUS Status;
+ LSA_HANDLE PolicyHandle = NULL;
+ LSA_HANDLE AccountHandle = NULL;
+ PSID AccountSid;
+ ULONG i;
+
+ DPRINT("InstallBuiltinAccounts()\n");
+
+ memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_CREATE_ACCOUNT,
+ &PolicyHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaOpenPolicy failed (Status %08lx)\n", Status);
+ return;
+ }
+
+ for (i = 0; i < 10; i++)
+ {
+ ConvertStringSidToSid(BuiltinAccounts[i], &AccountSid);
+
+ Status = LsaCreateAccount(PolicyHandle,
+ AccountSid,
+ 0,
+ &AccountHandle);
+ if (NT_SUCCESS(Status))
+ {
+ LsaClose(AccountHandle);
+ }
+
+ LocalFree(AccountSid);
+ }
+
+ LsaClose(PolicyHandle);
+}
+
+
+static
+VOID
+InstallPrivileges(VOID)
+{
+ HINF hSecurityInf = INVALID_HANDLE_VALUE;
+ LSA_OBJECT_ATTRIBUTES ObjectAttributes;
+ WCHAR szPrivilegeString[256];
+ WCHAR szSidString[256];
+ INFCONTEXT InfContext;
+ DWORD i;
+ PRIVILEGE_SET PrivilegeSet;
+ PSID AccountSid;
+ NTSTATUS Status;
+ LSA_HANDLE PolicyHandle = NULL;
+ LSA_HANDLE AccountHandle;
+
+ DPRINT("InstallPrivileges()\n");
+
+ hSecurityInf = SetupOpenInfFileW(L"defltws.inf", //szNameBuffer,
+ NULL,
+ INF_STYLE_WIN4,
+ NULL);
+ if (hSecurityInf == INVALID_HANDLE_VALUE)
+ {
+ DPRINT1("SetupOpenInfFileW failed\n");
+ return;
+ }
+
+ memset(&ObjectAttributes, 0, sizeof(LSA_OBJECT_ATTRIBUTES));
+
+ Status = LsaOpenPolicy(NULL,
+ &ObjectAttributes,
+ POLICY_CREATE_ACCOUNT,
+ &PolicyHandle);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaOpenPolicy failed (Status %08lx)\n", Status);
+ goto done;
+ }
+
+ if (!SetupFindFirstLineW(hSecurityInf,
+ L"Privilege Rights",
+ NULL,
+ &InfContext))
+ {
+ DPRINT1("SetupFindfirstLineW failed\n");
+ goto done;
+ }
+
+ PrivilegeSet.PrivilegeCount = 1;
+ PrivilegeSet.Control = 0;
+
+ do
+ {
+ /* Retrieve the privilege name */
+ if (!SetupGetStringFieldW(&InfContext,
+ 0,
+ szPrivilegeString,
+ 256,
+ NULL))
+ {
+ DPRINT1("SetupGetStringFieldW() failed\n");
+ goto done;
+ }
+ DPRINT("Privilege: %S\n", szPrivilegeString);
+
+ if (!LookupPrivilegeValueW(NULL,
+ szPrivilegeString,
+ &(PrivilegeSet.Privilege[0].Luid)))
+ {
+ DPRINT1("LookupPrivilegeNameW() failed\n");
+ goto done;
+ }
+
+ PrivilegeSet.Privilege[0].Attributes = 0;
+
+ for (i = 0; i < SetupGetFieldCount(&InfContext); i++)
+ {
+ if (!SetupGetStringFieldW(&InfContext,
+ i + 1,
+ szSidString,
+ 256,
+ NULL))
+ {
+ DPRINT1("SetupGetStringFieldW() failed\n");
+ goto done;
+ }
+ DPRINT("SID: %S\n", szSidString);
+
+ ConvertStringSidToSid(szSidString, &AccountSid);
+
+ Status = LsaOpenAccount(PolicyHandle,
+ AccountSid,
+ ACCOUNT_VIEW | ACCOUNT_ADJUST_PRIVILEGES,
+ &AccountHandle);
+ if (NT_SUCCESS(Status))
+ {
+ Status = LsaAddPrivilegesToAccount(AccountHandle,
+ &PrivilegeSet);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("LsaAddPrivilegesToAccount() failed (Status
%08lx)\n", Status);
+ }
+
+ LsaClose(AccountHandle);
+ }
+
+ LocalFree(AccountSid);
+ }
+
+ }
+ while (SetupFindNextLine(&InfContext, &InfContext));
+
+done:
+ if (PolicyHandle != NULL)
+ LsaClose(PolicyHandle);
+
+ if (hSecurityInf != INVALID_HANDLE_VALUE)
+ SetupCloseInfFile(hSecurityInf);
+}
+
+VOID
+InstallSecurity(VOID)
+{
+ InstallBuiltinAccounts();
+ InstallPrivileges();
+}
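Review bot: ConvertStringSidToSid() is called without checking its return value at both `ConvertStringSidToSid(BuiltinAccounts[i], &AccountSid);` in InstallBuiltinAccounts() and `ConvertStringSidToSid(szSidString, &AccountSid);` in InstallPrivileges(); when it fails, AccountSid is left uninitialized and is then passed to LsaCreateAccount()/LsaOpenAccount() and to LocalFree(), which is undefined behaviour. The second site matters more, because the SID strings there come from the `[Privilege Rights]` section of defltws.inf rather than from the literal table, so a typo in the INF reaches LSA with a garbage pointer; both sites should test the result and skip the entry, as below. Two smaller points in the same hunk: `for (i = 0; i < 10; i++)` hard-codes the table length and will silently drop entries if the array grows (use `sizeof(BuiltinAccounts) / sizeof(BuiltinAccounts[0])`), and a LookupPrivilegeValueW() failure for one INF line aborts the whole function via `goto done`, leaving every later privilege line unassigned, where `continue` appears to be the intended behaviour; the DPRINT1 on that path also names LookupPrivilegeNameW rather than the function actually called.
```c
/* InstallBuiltinAccounts(): loop body */
    if (!ConvertStringSidToSid(BuiltinAccounts[i], &AccountSid))
    {
        DPRINT1("ConvertStringSidToSid(%S) failed\n", BuiltinAccounts[i]);
        continue;
    }
    /* … unchanged: LsaCreateAccount / LsaClose / LocalFree … */

/* InstallPrivileges(): inner loop body, after the "SID:" DPRINT */
        if (!ConvertStringSidToSid(szSidString, &AccountSid))
        {
            DPRINT1("ConvertStringSidToSid(%S) failed\n", szSidString);
            continue;
        }
        /* … unchanged: LsaOpenAccount / LsaAddPrivilegesToAccount / LocalFree … */
```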