[mbosma] 30331: Fix CreateLogoffSecurityAttributes. It does still not work because SetEntriesInAcl is not implemented yet. - Ros-diffs

10 Nov 2007

Author: mbosma
Date: Sat Nov 10 18:56:36 2007
New Revision: 30331
URL: http://svn.reactos.org/svn/reactos?rev=30331&view=rev
Log:
Fix CreateLogoffSecurityAttributes. It does still not work because SetEntriesInAcl is not implemented yet.
Modified:
    trunk/reactos/base/system/winlogon/sas.c
    trunk/reactos/base/system/winlogon/winlogon.h
Modified: trunk/reactos/base/system/winlogon/sas.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/system/winlogon/sas.c?...
==============================================================================

--- trunk/reactos/base/system/winlogon/sas.c (original)
+++ trunk/reactos/base/system/winlogon/sas.c Sat Nov 10 18:56:36 2007
@@ -319,7 +319,7 @@
 CreateLogoffSecurityAttributes(
    OUT PSECURITY_ATTRIBUTES* ppsa)
 {
-	/* The following code is no only incomplete, it's a mess and uncompilable */
+	/* The following code is not working yet and messy */
    /* Still, it gives some ideas about data types and functions involved and */
    /* required to set up a SECURITY_DESCRIPTOR for a SECURITY_ATTRIBUTES */
    /* instance for a thread, to allow that  thread to ImpersonateLoggedOnUser(). */
@@ -328,7 +328,9 @@
    PSECURITY_ATTRIBUTES psa = 0;
    BYTE* pMem;
    PACL pACL;
-	//EXPLICIT_ACCESS ea[2];
+	EXPLICIT_ACCESS Access;
+	PSID pEveryoneSID = NULL;
+	static SID_IDENTIFIER_AUTHORITY WorldAuthority = { SECURITY_WORLD_SID_AUTHORITY };
*ppsa = NULL;
@@ -351,6 +353,16 @@
    // while the user's SID obviously must be created for each new user.
    // Might as well store it when the user logs on?
+	if(!AllocateAndInitializeSid(&WorldAuthority, 
+				     1,
+				     SECURITY_WORLD_RID,
+				     0, 0, 0, 0, 0, 0, 0,
+				     &pEveryoneSID))	 
+	{
+		DPRINT("Failed to initialize security descriptor for logoff thread!\n");
+		return STATUS_UNSUCCESSFUL;
+	}
+
    /* set up the required security attributes to be able to shut down */
    /* To save space and time, allocate a single block of memory holding */
    /* both SECURITY_ATTRIBUTES and SECURITY_DESCRIPTOR */
@@ -372,6 +384,25 @@
    SecurityDescriptor = (PSECURITY_DESCRIPTOR)(pMem + sizeof(SECURITY_ATTRIBUTES));
    pACL = (PACL)(((PBYTE)SecurityDescriptor) + SECURITY_DESCRIPTOR_MIN_LENGTH);
+	// Initialize an EXPLICIT_ACCESS structure for an ACE.
+	// The ACE will allow this thread to log off (and shut down the system, currently).
+	ZeroMemory(&Access, sizeof(Access));
+	Access.grfAccessPermissions = THREAD_SET_THREAD_TOKEN;
+	Access.grfAccessMode = SET_ACCESS; // GRANT_ACCESS?
+	Access.grfInheritance = NO_INHERITANCE;
+	Access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+	Access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+	Access.Trustee.ptstrName = pEveryoneSID;
+
+	if (SetEntriesInAcl(1, &Access, NULL, &pACL) != ERROR_SUCCESS) 
+	{
+        // SetEntriesInAcl is not implemented yet
+        DPRINT1 ("Failed to set Access Rights for logoff thread. Logging out will most likely fail.\n");
+
+		HeapFree(GetProcessHeap(), 0, pMem);
+		return STATUS_UNSUCCESSFUL;
+	}
+
    if (!InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
    {
    	HeapFree(GetProcessHeap(), 0, pMem);
@@ -379,18 +410,7 @@
    	return STATUS_UNSUCCESSFUL;
    }
-	// Initialize an EXPLICIT_ACCESS structure for an ACE.
-	// The ACE will allow this thread to log off (and shut down the system, currently).
-#if 0
-	ZeroMemory(ea, sizeof(ea));
-	ea[0].grfAccessPermissions = THREAD_SET_THREAD_TOKEN;
-	ea[0].grfAccessMode = SET_ACCESS; // GRANT_ACCESS?
-	ea[0].grfInheritance= NO_INHERITANCE;
-	ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
-	ea[0].Trustee.TrusteeType = TRUSTEE_IS_USER;
-	ea[0].Trustee.ptstrName  = (LPTSTR) pEveryoneSID;
-
-	if (!SetSecurityDescriptorDacl(pSD,
+	if (!SetSecurityDescriptorDacl(SecurityDescriptor,
            TRUE,     // bDaclPresent flag
            pACL,
            FALSE))   // not a default DACL
@@ -399,7 +419,6 @@
    	HeapFree(GetProcessHeap(), 0, pMem);
    	return STATUS_UNSUCCESSFUL;
    }
-#endif
psa->nLength = sizeof(SECURITY_ATTRIBUTES);
    psa->lpSecurityDescriptor = SecurityDescriptor;
@@ -447,14 +466,9 @@
    Status = CreateLogoffSecurityAttributes(&psa);
    if (!NT_SUCCESS(Status))
    {
-		WARN("Failed to create a required security descriptor. Status 0x%08x\n", Status);
-#if 1
-		WARN("Attempting to continue without it.\n");
-#else
-		ERR("Aborting logoff\n");
+		ERR("Failed to create a required security descriptor. Status 0x%08x\n", Status);
    	HeapFree(GetProcessHeap(), 0, LSData);
    	return Status;
-#endif
    }
/* Run logoff thread */
Modified: trunk/reactos/base/system/winlogon/winlogon.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/system/winlogon/winlog...
==============================================================================
--- trunk/reactos/base/system/winlogon/winlogon.h (original)
+++ trunk/reactos/base/system/winlogon/winlogon.h Sat Nov 10 18:56:36 2007
@@ -36,6 +36,8 @@
 #include <exfuncs.h>
 #include <setypes.h>
 #include <ntsecapi.h>
+#include <accctrl.h>
+#include <aclapi.h>
#include <reactos/winlogon.h>

    