[ekohl] 61457: [LSASRV][MSV1_0] - Add default group SIDs to the token groups list (WorldSID aka Everyone and the logon type SID). - Remove these SIDs from the hard-coded list. - Ros-diffs

28 Dec 2013

Author: ekohl
Date: Sat Dec 28 01:45:36 2013
New Revision: 61457
URL: http://svn.reactos.org/svn/reactos?rev=61457&view=rev
Log:
[LSASRV][MSV1_0]
- Add default group SIDs to the token groups list (WorldSID aka Everyone and the logon type SID).
- Remove these SIDs from the hard-coded list.
Modified:
    trunk/reactos/dll/win32/lsasrv/authpackage.c
    trunk/reactos/dll/win32/lsasrv/lookup.c
    trunk/reactos/dll/win32/lsasrv/lsasrv.h
    trunk/reactos/dll/win32/msv1_0/msv1_0.c
Modified: trunk/reactos/dll/win32/lsasrv/authpackage.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/authpackag...
==============================================================================

--- trunk/reactos/dll/win32/lsasrv/authpackage.c	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/lsasrv/authpackage.c	[iso-8859-1] Sat Dec 28 01:45:36 2013
@@ -726,6 +726,128 @@
     return STATUS_SUCCESS;
 }
+static
+NTSTATUS
+LsapAddDefaultGroups(
+    IN PVOID TokenInformation,
+    IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType,
+    IN SECURITY_LOGON_TYPE LogonType)
+{
+    PLSA_TOKEN_INFORMATION_V1 TokenInfo1;
+    PTOKEN_GROUPS Groups;
+    ULONG i, Length;
+    PSID SrcSid;
+
+    if (TokenInformationType == LsaTokenInformationV1)
+    {
+        TokenInfo1 = (PLSA_TOKEN_INFORMATION_V1)TokenInformation;
+
+        if (TokenInfo1->Groups != NULL)
+        {
+            Length = sizeof(TOKEN_GROUPS) +
+                     (TokenInfo1->Groups->GroupCount + 2 - ANYSIZE_ARRAY) * sizeof(SID_AND_ATTRIBUTES);
+
+            Groups = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, Length);
+            if (Groups == NULL)
+            {
+                ERR("Group buffer allocation failed!\n");
+                return STATUS_INSUFFICIENT_RESOURCES;
+            }
+
+            Groups->GroupCount = TokenInfo1->Groups->GroupCount;
+
+            for (i = 0; i < TokenInfo1->Groups->GroupCount; i++)
+            {
+                Groups->Groups[i].Sid = TokenInfo1->Groups->Groups[i].Sid;
+                Groups->Groups[i].Attributes = TokenInfo1->Groups->Groups[i].Attributes;
+            }
+
+            RtlFreeHeap(RtlGetProcessHeap(), 0, TokenInfo1->Groups);
+
+            TokenInfo1->Groups = Groups;
+
+        }
+        else
+        {
+            Length = sizeof(TOKEN_GROUPS) +
+                     (2 - ANYSIZE_ARRAY) * sizeof(SID_AND_ATTRIBUTES);
+
+            Groups = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, Length);
+            if (Groups == NULL)
+            {
+                ERR("Group buffer allocation failed!\n");
+                return STATUS_INSUFFICIENT_RESOURCES;
+            }
+
+            TokenInfo1->Groups = Groups;
+        }
+
+        /* Append the World SID (aka Everyone) */
+        Length = RtlLengthSid(LsapWorldSid);
+        Groups->Groups[Groups->GroupCount].Sid = RtlAllocateHeap(RtlGetProcessHeap(),
+                                                                 HEAP_ZERO_MEMORY,
+                                                                 Length);
+        if (Groups->Groups[Groups->GroupCount].Sid == NULL)
+            return STATUS_INSUFFICIENT_RESOURCES;
+
+        RtlCopyMemory(Groups->Groups[Groups->GroupCount].Sid,
+                      LsapWorldSid,
+                      Length);
+
+        Groups->Groups[Groups->GroupCount].Attributes =
+            SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
+
+        Groups->GroupCount++;
+
+        /* Append the logon type SID */
+        switch (LogonType)
+        {
+            case Interactive:
+                SrcSid = LsapInteractiveSid;
+                break;
+
+            case Network:
+                SrcSid = LsapNetworkSid;
+                break;
+
+            case Batch:
+                SrcSid = LsapBatchSid;
+                break;
+
+            case Service:
+                SrcSid = LsapServiceSid;
+                break;
+
+            default:
+                FIXME("LogonType %d is not supported!\n", LogonType);
+                return STATUS_NOT_IMPLEMENTED;
+        }
+
+        Length = RtlLengthSid(SrcSid);
+        Groups->Groups[Groups->GroupCount].Sid = RtlAllocateHeap(RtlGetProcessHeap(),
+                                                                 HEAP_ZERO_MEMORY,
+                                                                 Length);
+        if (Groups->Groups[Groups->GroupCount].Sid == NULL)
+            return STATUS_INSUFFICIENT_RESOURCES;
+
+        RtlCopyMemory(Groups->Groups[Groups->GroupCount].Sid,
+                      SrcSid,
+                      Length);
+
+        Groups->Groups[Groups->GroupCount].Attributes =
+            SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
+
+        Groups->GroupCount++;
+    }
+    else
+    {
+        FIXME("TokenInformationType %d is not supported!\n", TokenInformationType);
+        return STATUS_NOT_IMPLEMENTED;
+    }
+
+    return STATUS_SUCCESS;
+}
+
static
 NTSTATUS
@@ -832,11 +954,13 @@
     HANDLE TokenHandle = NULL;
     ULONG i;
     ULONG PackageId;
+    SECURITY_LOGON_TYPE LogonType;
     NTSTATUS Status;
TRACE("(%p %p)\n", RequestMsg, LogonContext);
PackageId = RequestMsg->LogonUser.Request.AuthenticationPackage;
+    LogonType = RequestMsg->LogonUser.Request.LogonType;
/* Get the right authentication package */
     Package = LsapGetAuthenticationPackage(PackageId);
@@ -959,6 +1083,15 @@
         }
     }
+    Status = LsapAddDefaultGroups(TokenInformation,
+                                  TokenInformationType,
+                                  LogonType);
+    if (!NT_SUCCESS(Status))
+    {
+        ERR("LsapAddDefaultGroups() failed (Status 0x%08lx)\n", Status);
+        goto done;
+    }
+
     Status = LsapSetTokenOwner(TokenInformation,
                                TokenInformationType);
     if (!NT_SUCCESS(Status))
Modified: trunk/reactos/dll/win32/lsasrv/lookup.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/lookup.c?r...
==============================================================================
--- trunk/reactos/dll/win32/lsasrv/lookup.c	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/lsasrv/lookup.c	[iso-8859-1] Sat Dec 28 01:45:36 2013
@@ -80,6 +80,11 @@
LIST_ENTRY WellKnownSidListHead;
+PSID LsapWorldSid = NULL;
+PSID LsapNetworkSid = NULL;
+PSID LsapBatchSid = NULL;
+PSID LsapInteractiveSid = NULL;
+PSID LsapServiceSid = NULL;
 PSID LsapLocalSystemSid = NULL;
 PSID LsapAdministratorsSid = NULL;
@@ -215,7 +220,7 @@
                   szAccountName,
                   L"",
                   SidTypeWellKnownGroup,
-                  NULL);
+                  &LsapWorldSid);
/* Local Sid */
     LsapLoadString(hInstance, IDS_LOCAL_RID, szAccountName, 80);
@@ -300,7 +305,7 @@
                   szAccountName,
                   szDomainName,
                   SidTypeWellKnownGroup,
-                  NULL);
+                  &LsapNetworkSid);
/* Batch Sid*/
     LsapLoadString(hInstance, IDS_BATCH_RID, szAccountName, 80);
@@ -312,7 +317,7 @@
                   szAccountName,
                   szDomainName,
                   SidTypeWellKnownGroup,
-                  NULL);
+                  &LsapBatchSid);
/* Interactive Sid */
     LsapLoadString(hInstance, IDS_INTERACTIVE_RID, szAccountName, 80);
@@ -324,7 +329,7 @@
                   szAccountName,
                   szDomainName,
                   SidTypeWellKnownGroup,
-                  NULL);
+                  &LsapInteractiveSid);
/* Service Sid */
     LsapLoadString(hInstance, IDS_SERVICE_RID, szAccountName, 80);
@@ -336,7 +341,7 @@
                   szAccountName,
                   szDomainName,
                   SidTypeWellKnownGroup,
-                  NULL);
+                  &LsapServiceSid);
/* Anonymous Logon Sid */
     LsapLoadString(hInstance, IDS_ANONYMOUS_LOGON_RID, szAccountName, 80);
Modified: trunk/reactos/dll/win32/lsasrv/lsasrv.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/lsasrv.h?r...
==============================================================================
--- trunk/reactos/dll/win32/lsasrv/lsasrv.h	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/lsasrv/lsasrv.h	[iso-8859-1] Sat Dec 28 01:45:36 2013
@@ -91,6 +91,11 @@
 extern PSID AccountDomainSid;
 extern UNICODE_STRING AccountDomainName;
+extern PSID LsapWorldSid;
+extern PSID LsapNetworkSid;
+extern PSID LsapBatchSid;
+extern PSID LsapInteractiveSid;
+extern PSID LsapServiceSid;
 extern PSID LsapLocalSystemSid;
 extern PSID LsapAdministratorsSid;
Modified: trunk/reactos/dll/win32/msv1_0/msv1_0.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msv1_0/msv1_0.c?r...
==============================================================================
--- trunk/reactos/dll/win32/msv1_0/msv1_0.c	[iso-8859-1] (original)
+++ trunk/reactos/dll/win32/msv1_0/msv1_0.c	[iso-8859-1] Sat Dec 28 01:45:36 2013
@@ -273,10 +273,9 @@
                  OUT PTOKEN_GROUPS *Groups,
                  OUT PSID *PrimaryGroupSid)
 {
-    SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};
     SID_IDENTIFIER_AUTHORITY SystemAuthority = {SECURITY_NT_AUTHORITY};
     PTOKEN_GROUPS TokenGroups;
-#define MAX_GROUPS 6
+#define MAX_GROUPS 4
     DWORD GroupCount = 0;
     PSID Sid;
     NTSTATUS Status = STATUS_SUCCESS;
@@ -301,22 +300,6 @@
     *PrimaryGroupSid = Sid;
     GroupCount++;
-    /* Member of 'Everyone' */
-    RtlAllocateAndInitializeSid(&WorldAuthority,
-                                1,
-                                SECURITY_WORLD_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                &Sid);
-    TokenGroups->Groups[GroupCount].Sid = Sid;
-    TokenGroups->Groups[GroupCount].Attributes =
-        SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
-    GroupCount++;
#if 1
     /* Member of 'Administrators' */
@@ -356,22 +339,6 @@
         SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
     GroupCount++;
-    /* Member of 'Interactive users' */
-    RtlAllocateAndInitializeSid(&SystemAuthority,
-                                1,
-                                SECURITY_INTERACTIVE_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                SECURITY_NULL_RID,
-                                &Sid);
-    TokenGroups->Groups[GroupCount].Sid = Sid;
-    TokenGroups->Groups[GroupCount].Attributes =
-        SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY;
-    GroupCount++;
/* Member of 'Authenticated users' */
     RtlAllocateAndInitializeSid(&SystemAuthority,

    