DWORD COxtSecurityHelper::RemovePrincipalFromACL(PACL paclOrig, LPCTSTR tszPrincipal)
{
ACL_SIZE_INFORMATION aclSizeInfo = {0};
LONG i;
LPVOID pvAce = NULL;
ACCESS_DENIED_ACE *pAccessDeniedAce = NULL;
PSID psidPrincipal = NULL;
DWORD dwReturnValue = ERROR_SUCCESS;
ACE_HEADER *pAceHeader = NULL;
DWORD dwFoundValue = ERROR_FILE_NOT_FOUND;
do {
dwReturnValue = GetPrincipalSID(tszPrincipal, &psidPrincipal);
if (dwReturnValue != ERROR_SUCCESS)
break;
if (!::GetAclInformation(paclOrig, (LPVOID)&aclSizeInfo,
sizeof(ACL_SIZE_INFORMATION), AclSizeInformation))
{
dwReturnValue = ::GetLastError();
break;
}
for (i = aclSizeInfo.AceCount - 1; i >= 0; i--)
{
if (!::GetAce(paclOrig, i, &pvAce))
{
dwReturnValue = ::GetLastError();
break; // inner loop
}
pAceHeader = (ACE_HEADER*)pvAce;
// Searching for ACCESS_DENIED_ACE_TYPE types only
if (pAceHeader->AceType == ACCESS_DENIED_ACE_TYPE)
{
pAccessDeniedAce = (ACCESS_DENIED_ACE*)pvAce;
if (::EqualSid(psidPrincipal, (PSID)&pAccessDeniedAce->SidStart))
{
if (pAccessDeniedAce->Mask & SPECIFIC_RIGHTS_ALL)
::DeleteAce(paclOrig, i);
dwFoundValue = ERROR_SUCCESS;
}
}
}
} while (false);
if (psidPrincipal != NULL)
::LocalFree(psidPrincipal);
if (dwReturnValue == ERROR_SUCCESS)
dwReturnValue = dwFoundValue;
return dwReturnValue;
}
DWORD
AddAccessDeniedACEToACL (
PACL *Acl,
DWORD PermissionMask,
LPTSTR Principal
)
{
ACL_SIZE_INFORMATION aclSizeInfo;
int aclSize;
DWORD returnValue;
PSID principalSID;
PACL oldACL, newACL;
oldACL = *Acl;
returnValue = GetPrincipalSID (Principal, &principalSID);
if (returnValue != ERROR_SUCCESS)
return returnValue;
GetAclInformation (oldACL, (LPVOID) &aclSizeInfo, (DWORD) sizeof (ACL_SIZE_INFORMATION), AclSizeInformation);
aclSize = aclSizeInfo.AclBytesInUse +
sizeof (ACL) + sizeof (ACCESS_DENIED_ACE) +
GetLengthSid (principalSID) - sizeof (DWORD);
newACL = (PACL) new BYTE [aclSize];
if (!InitializeAcl (newACL, aclSize, ACL_REVISION))
{
free (principalSID);
return GetLastError();
}
if (!AddAccessDeniedAce (newACL, ACL_REVISION2, PermissionMask, principalSID))
{
free (principalSID);
return GetLastError();
}
returnValue = CopyACL (oldACL, newACL);
if (returnValue != ERROR_SUCCESS)
{
free (principalSID);
return returnValue;
}
*Acl = newACL;
free (principalSID);
return ERROR_SUCCESS;
}
HRESULT COpcSecurity::AddAccessAllowedACEToACL(PACL *ppAcl, LPCTSTR pszPrincipal, DWORD dwAccessMask)
{
ACL_SIZE_INFORMATION aclSizeInfo;
int aclSize;
DWORD returnValue;
PSID principalSID;
PACL oldACL, newACL = NULL;
oldACL = *ppAcl;
returnValue = GetPrincipalSID(pszPrincipal, &principalSID);
if (FAILED(returnValue))
return returnValue;
aclSizeInfo.AclBytesInUse = 0;
if (*ppAcl != NULL)
GetAclInformation(oldACL, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
aclSize = aclSizeInfo.AclBytesInUse + sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(principalSID) - sizeof(DWORD);
OPCTRY(newACL = (PACL) new BYTE[aclSize]);
if (newACL == NULL)
return E_OUTOFMEMORY;
if (!InitializeAcl(newACL, aclSize, ACL_REVISION))
{
free(principalSID);
return HRESULT_FROM_WIN32(GetLastError());
}
returnValue = CopyACL(newACL, oldACL);
if (FAILED(returnValue))
{
free(principalSID);
return returnValue;
}
if (!AddAccessAllowedAce(newACL, ACL_REVISION2, dwAccessMask, principalSID))
{
free(principalSID);
return HRESULT_FROM_WIN32(GetLastError());
}
*ppAcl = newACL;
if (oldACL != NULL)
free(oldACL);
free(principalSID);
return S_OK;
}
HRESULT COpcSecurity::RemovePrincipalFromACL(PACL pAcl, LPCTSTR pszPrincipal)
{
ACL_SIZE_INFORMATION aclSizeInfo;
ULONG i;
LPVOID ace;
ACCESS_ALLOWED_ACE *accessAllowedAce;
ACCESS_DENIED_ACE *accessDeniedAce;
SYSTEM_AUDIT_ACE *systemAuditAce;
PSID principalSID;
DWORD returnValue;
ACE_HEADER *aceHeader;
returnValue = GetPrincipalSID(pszPrincipal, &principalSID);
if (FAILED(returnValue))
return returnValue;
GetAclInformation(pAcl, (LPVOID) &aclSizeInfo, (DWORD) sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);
for (i = 0; i < aclSizeInfo.AceCount; i++)
{
if (!GetAce(pAcl, i, &ace))
{
free(principalSID);
return HRESULT_FROM_WIN32(GetLastError());
}
aceHeader = (ACE_HEADER *) ace;
if (aceHeader->AceType == ACCESS_ALLOWED_ACE_TYPE)
{
accessAllowedAce = (ACCESS_ALLOWED_ACE *) ace;
if (EqualSid(principalSID, (PSID) &accessAllowedAce->SidStart))
{
DeleteAce(pAcl, i);
free(principalSID);
return S_OK;
}
} else
if (aceHeader->AceType == ACCESS_DENIED_ACE_TYPE)
{
accessDeniedAce = (ACCESS_DENIED_ACE *) ace;
if (EqualSid(principalSID, (PSID) &accessDeniedAce->SidStart))
{
DeleteAce(pAcl, i);
free(principalSID);
return S_OK;
}
} else
if (aceHeader->AceType == SYSTEM_AUDIT_ACE_TYPE)
{
systemAuditAce = (SYSTEM_AUDIT_ACE *) ace;
if (EqualSid(principalSID, (PSID) &systemAuditAce->SidStart))
{
DeleteAce(pAcl, i);
free(principalSID);
return S_OK;
}
}
}
free(principalSID);
return S_OK;
}
DWORD
RemovePrincipalFromACL (
PACL Acl,
LPTSTR Principal
)
{
ACL_SIZE_INFORMATION aclSizeInfo;
ULONG i;
LPVOID ace;
ACCESS_ALLOWED_ACE *accessAllowedAce;
ACCESS_DENIED_ACE *accessDeniedAce;
SYSTEM_AUDIT_ACE *systemAuditAce;
PSID principalSID;
DWORD returnValue;
ACE_HEADER *aceHeader;
returnValue = GetPrincipalSID (Principal, &principalSID);
if (returnValue != ERROR_SUCCESS)
return returnValue;
GetAclInformation (Acl, (LPVOID) &aclSizeInfo, (DWORD) sizeof (ACL_SIZE_INFORMATION), AclSizeInformation);
for (i = 0; i < aclSizeInfo.AceCount; i++)
{
if (!GetAce (Acl, i, &ace))
{
free (principalSID);
return GetLastError();
}
aceHeader = (ACE_HEADER *) ace;
if (aceHeader->AceType == ACCESS_ALLOWED_ACE_TYPE)
{
accessAllowedAce = (ACCESS_ALLOWED_ACE *) ace;
if (EqualSid (principalSID, (PSID) &accessAllowedAce->SidStart))
{
DeleteAce (Acl, i);
free (principalSID);
return ERROR_SUCCESS;
}
} else
if (aceHeader->AceType == ACCESS_DENIED_ACE_TYPE)
{
accessDeniedAce = (ACCESS_DENIED_ACE *) ace;
if (EqualSid (principalSID, (PSID) &accessDeniedAce->SidStart))
{
DeleteAce (Acl, i);
free (principalSID);
return ERROR_SUCCESS;
}
} else
if (aceHeader->AceType == SYSTEM_AUDIT_ACE_TYPE)
{
systemAuditAce = (SYSTEM_AUDIT_ACE *) ace;
if (EqualSid (principalSID, (PSID) &systemAuditAce->SidStart))
{
DeleteAce (Acl, i);
free (principalSID);
return ERROR_SUCCESS;
}
}
}
free (principalSID);
return ERROR_SUCCESS;
}
DWORD COxtSecurityHelper::UpdatePrincipalInACL(PACL paclOrig, LPCTSTR tszPrincipal, DWORD dwAccessMask)
{
ACL_SIZE_INFORMATION aclSizeInfo = {0};
LONG i;
LPVOID pvAce = NULL;
ACCESS_ALLOWED_ACE *pAccessAllowedAce = NULL;
ACCESS_DENIED_ACE *pAccessDeniedAce = NULL;
SYSTEM_AUDIT_ACE *pSystemAuditAce = NULL;
PSID psidPrincipal = NULL;
DWORD dwReturnValue = ERROR_SUCCESS;
ACE_HEADER *pAceHeader = NULL;
DWORD dwFoundValue = ERROR_FILE_NOT_FOUND;
do {
// Construct a SID for this principal
dwReturnValue = GetPrincipalSID(tszPrincipal, &psidPrincipal);
if (dwReturnValue != ERROR_SUCCESS)
break;
if (!::GetAclInformation(paclOrig, (LPVOID)&aclSizeInfo,
sizeof(ACL_SIZE_INFORMATION), AclSizeInformation))
{
dwReturnValue = ::GetLastError();
break;
}
// Iterate through all of the ACEs in this ACL looking for a SID that corresponds
// to the principal.
for (i = aclSizeInfo.AceCount - 1; i >= 0; i--)
{
if (!::GetAce(paclOrig, i, &pvAce))
{
dwReturnValue = ::GetLastError();
break; // inner loop
}
pAceHeader = (ACE_HEADER*)pvAce;
// Searching for ACCESS_DENIED_ACE_TYPE types only
if (pAceHeader->AceType == ACCESS_ALLOWED_ACE_TYPE)
{
pAccessAllowedAce = (ACCESS_ALLOWED_ACE*)pvAce;
if (::EqualSid(psidPrincipal, (PSID)&pAccessAllowedAce->SidStart))
{
// Found an ACE, modify the mask bits
if (pAccessAllowedAce->Mask & SPECIFIC_RIGHTS_ALL)
{
pAccessAllowedAce->Mask &= ~dwAccessMask;
// If there are any COM rights reamining we must ensure
// COM_RIGHTS_EXECUTE is set before leaving.
if (pAccessAllowedAce->Mask & (COM_RIGHTS_ACTIVATE_LOCAL |
COM_RIGHTS_ACTIVATE_REMOTE |
COM_RIGHTS_EXECUTE_LOCAL |
COM_RIGHTS_EXECUTE_REMOTE))
{
pAccessAllowedAce->Mask |= COM_RIGHTS_EXECUTE;
}
else if((pAccessAllowedAce->Mask & SPECIFIC_RIGHTS_ALL) == 0)
{
// If there are no more specific rights on this ACE, delete it.
::DeleteAce(paclOrig, i);
}
}
else
{
pAccessAllowedAce->Mask |= dwAccessMask;
}
dwFoundValue = ERROR_SUCCESS;
}
}
}
} while (false);
if (psidPrincipal != NULL)
::LocalFree(psidPrincipal);
if (dwReturnValue == ERROR_SUCCESS)
dwReturnValue = dwFoundValue;
return dwReturnValue;
}
DWORD COxtSecurityHelper::AddAccessDeniedACEToACL(PACL *paclOrig,
DWORD dwAccessMask,
LPCTSTR tszPrincipal)
{
ACL_SIZE_INFORMATION aclSizeInfo = {0};
int cbAclSize = 0;
DWORD dwReturnValue = ERROR_SUCCESS;
PSID psidPrincipal = NULL;
PACL paclOld = NULL;
PACL paclNew = NULL;
if (paclOrig == NULL)
return ERROR_BAD_ARGUMENTS;
paclOld = *paclOrig;
do {
dwReturnValue = GetPrincipalSID(tszPrincipal, &psidPrincipal);
if (dwReturnValue != ERROR_SUCCESS)
break;
if (!::GetAclInformation(paclOld, (LPVOID)&aclSizeInfo,
sizeof (ACL_SIZE_INFORMATION), AclSizeInformation))
{
dwReturnValue = ::GetLastError();
break;
}
cbAclSize = aclSizeInfo.AclBytesInUse + sizeof (ACL) + sizeof (ACCESS_DENIED_ACE) +
::GetLengthSid (psidPrincipal) - sizeof (DWORD);
paclNew = (PACL)malloc(cbAclSize);
if (paclNew == NULL)
{
dwReturnValue = ERROR_OUTOFMEMORY;
break;
}
if (!::InitializeAcl(paclNew, cbAclSize, ACL_REVISION))
{
dwReturnValue = ::GetLastError();
break;
}
if (!::AddAccessDeniedAce(paclNew, ACL_REVISION2, dwAccessMask, psidPrincipal))
{
dwReturnValue = ::GetLastError();
break;
}
dwReturnValue = CopyACL(paclOld, paclNew);
if (dwReturnValue != ERROR_SUCCESS)
break;
*paclOrig = paclNew;
} while (false);
if (psidPrincipal != NULL)
::LocalFree(psidPrincipal);
return dwReturnValue;
}
