[ekohl] 60750: [SAMSRV] Create and set a security descriptor for new user account objects.
26 Oct
2013
26 Oct
'13
9:09 a.m.
Author: ekohl
Date: Sat Oct 26 09:09:31 2013
New Revision: 60750
URL: http://svn.reactos.org/svn/reactos?rev=60750&view=rev
Log:
[SAMSRV]
Create and set a security descriptor for new user account objects.
Modified:
trunk/reactos/dll/win32/samsrv/domain.c
trunk/reactos/dll/win32/samsrv/samrpc.c
trunk/reactos/dll/win32/samsrv/samsrv.h
trunk/reactos/dll/win32/samsrv/security.c
trunk/reactos/dll/win32/samsrv/setup.c
Modified: trunk/reactos/dll/win32/samsrv/domain.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/domain.c?…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/domain.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/domain.c [iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -303,4 +303,55 @@
return Status;
}
+
+NTSTATUS
+SampCreateAccountSid(IN PSAM_DB_OBJECT DomainObject,
+ IN ULONG ulRelativeId,
+ IN OUT PSID *AccountSid)
+{
+ PSID DomainSid = NULL;
+ ULONG Length = 0;
+ NTSTATUS Status;
+
+ Status = SampGetObjectAttribute(DomainObject,
+ L"SID",
+ NULL,
+ NULL,
+ &Length);
+ if (!NT_SUCCESS(Status) && Status != STATUS_BUFFER_OVERFLOW)
+ {
+ TRACE("Status 0x%08lx\n", Status);
+ goto done;
+ }
+
+ TRACE("Length: %lu\n", Length);
+
+ DomainSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, Length);
+ if (DomainSid == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ goto done;
+ }
+
+ Status = SampGetObjectAttribute(DomainObject,
+ L"SID",
+ NULL,
+ DomainSid,
+ &Length);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("Status 0x%08lx\n", Status);
+ goto done;
+ }
+
+ *AccountSid = AppendRidToSid(DomainSid,
+ ulRelativeId);
+
+done:
+ if (DomainSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, DomainSid);
+
+ return Status;
+}
+
/* EOF */
Modified: trunk/reactos/dll/win32/samsrv/samrpc.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samrpc.c?…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samrpc.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samrpc.c [iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -2174,6 +2174,9 @@
ULONG ulSize;
ULONG ulRid;
WCHAR szRid[9];
+ PSECURITY_DESCRIPTOR Sd = NULL;
+ ULONG SdSize = 0;
+ PSID UserSid = NULL;
NTSTATUS Status;
TRACE("SamrCreateUserInDomain(%p %p %lx %p %p)\n",
@@ -2239,6 +2242,28 @@
ulRid = FixedDomainData.NextRid;
FixedDomainData.NextRid++;
+ TRACE("RID: %lx\n", ulRid);
+
+ /* Create the user SID */
+ Status = SampCreateAccountSid(DomainObject,
+ ulRid,
+ &UserSid);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("SampCreateAccountSid failed (Status 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ /* Create the security descriptor */
+ Status = SampCreateUserSD(UserSid,
+ &Sd,
+ &SdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("SampCreateUserSD failed (Status 0x%08lx)\n", Status);
+ goto done;
+ }
+
/* Store the fixed domain attributes */
Status = SampSetObjectAttribute(DomainObject,
L"F",
@@ -2250,8 +2275,6 @@
TRACE("failed with status 0x%08lx\n", Status);
goto done;
}
-
- TRACE("RID: %lx\n", ulRid);
/* Convert the RID into a string (hex) */
swprintf(szRid, L"%08lX", ulRid);
@@ -2505,7 +2528,17 @@
goto done;
}
- /* FIXME: Set SecDesc attribute*/
+ /* Set the SecDesc attribute*/
+ Status = SampSetObjectAttribute(UserObject,
+ L"SecDesc",
+ REG_BINARY,
+ Sd,
+ SdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("failed with status 0x%08lx\n", Status);
+ goto done;
+ }
if (NT_SUCCESS(Status))
{
@@ -2514,6 +2547,12 @@
}
done:
+ if (Sd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
+ if (UserSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, UserSid);
+
RtlReleaseResource(&SampResource);
TRACE("returns with status 0x%08lx\n", Status);
@@ -6871,7 +6910,6 @@
if (InfoBuffer->All.WhichFields & USER_ALL_SECURITYDESCRIPTOR)
{
-#if 0
Length = 0;
SampGetObjectAttribute(UserObject,
L"SecDesc",
@@ -6898,7 +6936,6 @@
if (!NT_SUCCESS(Status))
goto done;
}
-#endif
}
*Buffer = InfoBuffer;
@@ -7670,13 +7707,11 @@
if (WhichFields & USER_ALL_SECURITYDESCRIPTOR)
{
-#if 0
Status = SampSetObjectAttribute(UserObject,
L"SecDesc",
REG_BINARY,
Buffer->All.SecurityDescriptor.SecurityDescriptor,
Buffer->All.SecurityDescriptor.Length);
-#endif
}
if (WriteFixedData == TRUE)
@@ -8523,6 +8558,9 @@
ULONG ulSize;
ULONG ulRid;
WCHAR szRid[9];
+ PSECURITY_DESCRIPTOR Sd = NULL;
+ ULONG SdSize = 0;
+ PSID UserSid = NULL;
NTSTATUS Status;
TRACE("SamrCreateUserInDomain(%p %p %lx %p %p)\n",
@@ -8596,6 +8634,28 @@
ulRid = FixedDomainData.NextRid;
FixedDomainData.NextRid++;
+ TRACE("RID: %lx\n", ulRid);
+
+ /* Create the user SID */
+ Status = SampCreateAccountSid(DomainObject,
+ ulRid,
+ &UserSid);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("SampCreateAccountSid failed (Status 0x%08lx)\n", Status);
+ goto done;
+ }
+
+ /* Create the security descriptor */
+ Status = SampCreateUserSD(UserSid,
+ &Sd,
+ &SdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("SampCreateUserSD failed (Status 0x%08lx)\n", Status);
+ goto done;
+ }
+
/* Store the fixed domain attributes */
Status = SampSetObjectAttribute(DomainObject,
L"F",
@@ -8607,8 +8667,6 @@
TRACE("failed with status 0x%08lx\n", Status);
goto done;
}
-
- TRACE("RID: %lx\n", ulRid);
/* Convert the RID into a string (hex) */
swprintf(szRid, L"%08lX", ulRid);
@@ -8861,7 +8919,17 @@
goto done;
}
- /* FIXME: Set SecDesc attribute*/
+ /* Set the SecDesc attribute*/
+ Status = SampSetObjectAttribute(UserObject,
+ L"SecDesc",
+ REG_BINARY,
+ Sd,
+ SdSize);
+ if (!NT_SUCCESS(Status))
+ {
+ TRACE("failed with status 0x%08lx\n", Status);
+ goto done;
+ }
if (NT_SUCCESS(Status))
{
@@ -8871,6 +8939,12 @@
}
done:
+ if (Sd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
+ if (UserSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, UserSid);
+
RtlReleaseResource(&SampResource);
TRACE("returns with status 0x%08lx\n", Status);
Modified: trunk/reactos/dll/win32/samsrv/samsrv.h
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/samsrv.h?…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/samsrv.h [iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -230,6 +230,10 @@
SampRemoveMemberFromAllAliases(IN PSAM_DB_OBJECT DomainObject,
IN PRPC_SID MemberSid);
+NTSTATUS
+SampCreateAccountSid(IN PSAM_DB_OBJECT DomainObject,
+ IN ULONG ulRelativeId,
+ IN OUT PSID *AccountSid);
/* group.h */
@@ -336,6 +340,10 @@
SampCreateGroupSD(OUT PSECURITY_DESCRIPTOR *GroupSd,
OUT PULONG Size);
+NTSTATUS
+SampCreateUserSD(IN PSID UserSid,
+ OUT PSECURITY_DESCRIPTOR *UserSd,
+ OUT PULONG Size);
/* setup.c */
Modified: trunk/reactos/dll/win32/samsrv/security.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/security.…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/security.c [iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -1433,4 +1433,276 @@
return Status;
}
+
+NTSTATUS
+SampCreateUserSD(IN PSID UserSid,
+ OUT PSECURITY_DESCRIPTOR *UserSd,
+ OUT PULONG Size)
+{
+ PSECURITY_DESCRIPTOR AbsSD = NULL;
+ PSECURITY_DESCRIPTOR RelSD = NULL;
+ PSID EveryoneSid = NULL;
+ PSID AnonymousSid = NULL;
+ PSID AdministratorsSid = NULL;
+ PACL Dacl = NULL;
+ PACL Sacl = NULL;
+ ULONG DaclSize;
+ ULONG SaclSize;
+ ULONG RelSDSize = 0;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+
+ /* Create the Everyone SID */
+ Status = RtlAllocateAndInitializeSid(&WorldAuthority,
+ 1,
+ SECURITY_WORLD_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Anonymous SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 1,
+ SECURITY_ANONYMOUS_LOGON_RID,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AnonymousSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Create the Administrators SID */
+ Status = RtlAllocateAndInitializeSid(&NtAuthority,
+ 2,
+ SECURITY_BUILTIN_DOMAIN_RID,
+ DOMAIN_ALIAS_RID_ADMINS,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ 0,
+ &AdministratorsSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Allocate a buffer for the absolute SD */
+ AbsSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ sizeof(SECURITY_DESCRIPTOR));
+ if (AbsSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Create the absolute SD */
+ Status = RtlCreateSecurityDescriptor(AbsSD,
+ SECURITY_DESCRIPTOR_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the DACL */
+ DaclSize = sizeof(ACL) +
+ 3 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AdministratorsSid) +
+ RtlLengthSid(UserSid);
+
+ Dacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Dacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Dacl,
+ DaclSize,
+ ACL_REVISION);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ READ_CONTROL | USER_READ_GROUP_INFORMATION |
USER_LIST_GROUPS |
+ USER_CHANGE_PASSWORD | USER_READ_ACCOUNT |
USER_READ_LOGON |
+ USER_READ_PREFERENCES | USER_READ_GENERAL,
+ EveryoneSid);
+ ASSERT(NT_SUCCESS(Status));
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ USER_ALL_ACCESS,
+ AdministratorsSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAccessAllowedAce(Dacl,
+ ACL_REVISION,
+ READ_CONTROL | USER_CHANGE_PASSWORD |
USER_WRITE_PREFERENCES,
+ UserSid);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the DACL */
+ Status = RtlSetDaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Dacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* allocate and create the SACL */
+ SaclSize = sizeof(ACL) +
+ 2 * sizeof(ACE) +
+ RtlLengthSid(EveryoneSid) +
+ RtlLengthSid(AnonymousSid);
+
+ Sacl = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ DaclSize);
+ if (Sacl == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ Status = RtlCreateAcl(Sacl,
+ SaclSize,
+ ACL_REVISION);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ ACCESS_SYSTEM_SECURITY | WRITE_DAC | DELETE |
+ USER_CHANGE_PASSWORD | USER_WRITE_PREFERENCES,
+ EveryoneSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ Status = RtlAddAuditAccessAce(Sacl,
+ ACL_REVISION,
+ STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL,
+ AnonymousSid,
+ TRUE,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the SACL */
+ Status = RtlSetSaclSecurityDescriptor(AbsSD,
+ TRUE,
+ Sacl,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the owner SID */
+ Status = RtlSetOwnerSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Set the group SID */
+ Status = RtlSetGroupSecurityDescriptor(AbsSD,
+ AdministratorsSid,
+ FALSE);
+ ASSERT(Status == STATUS_SUCCESS);
+ if (!NT_SUCCESS(Status))
+ goto done;
+
+ /* Get the reqired buffer size for the self-relative SD */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ NULL,
+ &RelSDSize);
+ if (Status != STATUS_BUFFER_TOO_SMALL)
+ goto done;
+
+ /* Allocate a buffer for the self-relative SD */
+ RelSD = RtlAllocateHeap(RtlGetProcessHeap(),
+ HEAP_ZERO_MEMORY,
+ RelSDSize);
+ if (RelSD == NULL)
+ {
+ Status = STATUS_INSUFFICIENT_RESOURCES;
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ /* Convert the absolute SD to self-relative format */
+ Status = RtlAbsoluteToSelfRelativeSD(AbsSD,
+ RelSD,
+ &RelSDSize);
+ if (Status == STATUS_BUFFER_TOO_SMALL)
+ {
+ ASSERT(Status == STATUS_SUCCESS);
+ goto done;
+ }
+
+ *UserSd = RelSD;
+ *Size = RelSDSize;
+
+done:
+ if (!NT_SUCCESS(Status))
+ {
+ if (RelSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, RelSD);
+ }
+
+ if (EveryoneSid != NULL)
+ RtlFreeSid(EveryoneSid);
+
+ if (AnonymousSid != NULL)
+ RtlFreeSid(AnonymousSid);
+
+ if (AdministratorsSid != NULL)
+ RtlFreeSid(AdministratorsSid);
+
+ if (Dacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Dacl);
+
+ if (Sacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sacl);
+
+ if (AbsSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, AbsSD);
+
+ return Status;
+}
+
/* EOF */
Modified: trunk/reactos/dll/win32/samsrv/setup.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/samsrv/setup.c?r…
==============================================================================
--- trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/samsrv/setup.c [iso-8859-1] Sat Oct 26 09:09:31 2013
@@ -359,6 +359,7 @@
SampSetupCreateUserAccount(HANDLE hDomainKey,
LPCWSTR lpAccountName,
LPCWSTR lpComment,
+ PSID lpDomainSid,
ULONG ulRelativeId,
ULONG UserAccountControl)
{
@@ -369,7 +370,20 @@
WCHAR szAccountKeyName[32];
HANDLE hAccountKey = NULL;
HANDLE hNamesKey = NULL;
+ PSECURITY_DESCRIPTOR Sd = NULL;
+ ULONG SdSize = 0;
+ PSID UserSid = NULL;
NTSTATUS Status;
+
+ UserSid = AppendRidToSid(lpDomainSid,
+ ulRelativeId);
+
+ /* Create the security descriptor */
+ Status = SampCreateUserSD(UserSid,
+ &Sd,
+ &SdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
/* Initialize fixed user data */
FixedUserData.Version = 1;
@@ -558,9 +572,14 @@
if (!NT_SUCCESS(Status))
goto done;
-
- /* FIXME: Set SecDesc attribute*/
-
+ /* Set the SecDesc attribute*/
+ Status = SampRegSetValue(hAccountKey,
+ L"SecDesc",
+ REG_BINARY,
+ Sd,
+ SdSize);
+ if (!NT_SUCCESS(Status))
+ goto done;
Status = SampRegOpenKey(hDomainKey,
L"Users\\Names",
@@ -577,6 +596,12 @@
done:
SampRegCloseKey(&hNamesKey);
+
+ if (Sd != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, Sd);
+
+ if (UserSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, UserSid);
if (hAccountKey != NULL)
{
@@ -1057,6 +1082,7 @@
SampSetupCreateUserAccount(hAccountDomainKey,
szName,
szComment,
+ AccountDomainInfo->DomainSid,
DOMAIN_USER_RID_ADMIN,
USER_DONT_EXPIRE_PASSWORD | USER_NORMAL_ACCOUNT);
@@ -1070,6 +1096,7 @@
SampSetupCreateUserAccount(hAccountDomainKey,
szName,
szComment,
+ AccountDomainInfo->DomainSid,
DOMAIN_USER_RID_GUEST,
USER_ACCOUNT_DISABLED | USER_DONT_EXPIRE_PASSWORD |
USER_NORMAL_ACCOUNT);
4037
days inactive
4037
days old
0 comments
1 participants
participants (1)
-
ekohl@svn.reactos.org