static int
iwin32_file_get_group (const char *file, group_id_t *gid)
{
char file_sd_buf [256];
DWORD sd_size = 256;
PSECURITY_DESCRIPTOR file_sd = (PSECURITY_DESCRIPTOR) &file_sd_buf;
PSID sid;
BOOL dummy;
assert (file != NULL);
assert (gid != NULL);
if (!InitializeSecurityDescriptor (file_sd, SECURITY_DESCRIPTOR_REVISION))
return 0;
if (!GetFileSecurity (file, (SECURITY_INFORMATION)(GROUP_SECURITY_INFORMATION),
file_sd, sizeof (file_sd_buf), &sd_size)) return 0;
if (!GetSecurityDescriptorGroup (file_sd, &sid, &dummy)) return 0;
if (!IsValidSid (sid)) return 0;
gid->value = malloc (sd_size);
if (!gid->value) return 0;
if (!CopySid (sd_size, gid->value, sid)) return 0;
return 1;
}
/*
* FreeSD: Frees the memory of an absolute SD.
*/
void
vncAccessControl::FreeSD(PSECURITY_DESCRIPTOR pSD){
PSID pOwnerSID = NULL;
PSID pGroupSID = NULL;
PACL pDACL = NULL;
PACL pSACL = NULL;
BOOL bOwnerDefaulted = FALSE;
BOOL bGroupDefaulted = FALSE;
BOOL bDaclPresent = FALSE;
BOOL bDaclDefaulted = FALSE;
BOOL bSaclPresent = FALSE;
BOOL bSaclDefaulted = FALSE;
if (pSD) {
GetSecurityDescriptorOwner(pSD, &pOwnerSID, &bOwnerDefaulted);
GetSecurityDescriptorGroup(pSD, &pGroupSID, &bGroupDefaulted);
GetSecurityDescriptorDacl(pSD, &bDaclPresent, &pDACL, &bDaclDefaulted);
GetSecurityDescriptorSacl(pSD, &bSaclPresent, &pSACL, &bSaclDefaulted);
}
// Clean up
if (pSD)
HeapFree(GetProcessHeap(), 0, pSD);
if (bDaclPresent && pDACL)
HeapFree(GetProcessHeap(), 0, pDACL);
if (bSaclPresent && pSACL)
HeapFree(GetProcessHeap(), 0, pSACL);
if (pOwnerSID)
HeapFree(GetProcessHeap(), 0, pOwnerSID);
if (pGroupSID)
HeapFree(GetProcessHeap(), 0, pGroupSID);
}
BOOL ValidateSecurity(uch *securitydata)
{
PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)securitydata;
PACL pAcl;
PSID pSid;
BOOL bAclPresent;
BOOL bDefaulted;
if(!IsWinNT()) return TRUE; /* don't do anything if not on WinNT */
if(!IsValidSecurityDescriptor(sd)) return FALSE;
/* verify Dacl integrity */
if(!GetSecurityDescriptorDacl(sd, &bAclPresent, &pAcl, &bDefaulted))
return FALSE;
if(bAclPresent && pAcl!=NULL) {
if(!IsValidAcl(pAcl)) return FALSE;
}
/* verify Sacl integrity */
if(!GetSecurityDescriptorSacl(sd, &bAclPresent, &pAcl, &bDefaulted))
return FALSE;
if(bAclPresent && pAcl!=NULL) {
if(!IsValidAcl(pAcl)) return FALSE;
}
/* verify owner integrity */
if(!GetSecurityDescriptorOwner(sd, &pSid, &bDefaulted))
return FALSE;
if(pSid != NULL) {
if(!IsValidSid(pSid)) return FALSE;
}
/* verify group integrity */
if(!GetSecurityDescriptorGroup(sd, &pSid, &bDefaulted))
return FALSE;
if(pSid != NULL) {
if(!IsValidSid(pSid)) return FALSE;
}
return TRUE;
}
/*
(in) PSECURITY_DESCRIPTOR file or directory handle
(in/out) struct acl * acl
*/
int get_file_acl(PSECURITY_DESCRIPTOR pSD,struct acl * acl)
{
DWORD dwLastError;
PACL pDacl;
PSID pOwnerSid,pGroupSid;
SID_NAME_USE eUse;
BOOL bPresent;
BOOL bDef;
int i;
if (0 == GetSecurityDescriptorOwner(pSD,
&pOwnerSid,
&bDef)){
return (-1);
}
if (0 == GetSecurityDescriptorGroup(pSD,
&pGroupSid,
&bDef)){
return(-1);
}
if (0 == GetSecurityDescriptorDacl(pSD,&bPresent,&pDacl,&bDef)){
return(-1);
}
if (get_account_sid(pOwnerSid,acl->owner,MAX_LEN,&eUse) == -1){
return (-1);
}
if (get_account_sid(pGroupSid,acl->group,MAX_LEN,&eUse) == -1){
return (-1);
}
if (pDacl != NULL)
get_ace(pDacl,acl,&eUse);
return (0);
}
HRESULT COpcSecurity::Attach(PSECURITY_DESCRIPTOR pSelfRelativeSD)
{
PACL pDACL = NULL;
PACL pSACL = NULL;
BOOL bDACLPresent, bSACLPresent;
BOOL bDefaulted;
PACL m_pDACL = NULL;
ACCESS_ALLOWED_ACE* pACE;
HRESULT hr;
PSID pUserSid;
PSID pGroupSid;
hr = Initialize();
if(FAILED(hr))
return hr;
// get the existing DACL.
if (!GetSecurityDescriptorDacl(pSelfRelativeSD, &bDACLPresent, &pDACL, &bDefaulted))
goto failed;
if (bDACLPresent)
{
if (pDACL)
{
// allocate new DACL.
m_pDACL = (PACL) malloc(pDACL->AclSize);
if (m_pDACL == NULL)
{
hr = E_OUTOFMEMORY;
goto failedMemory;
}
// initialize the DACL
if (!InitializeAcl(m_pDACL, pDACL->AclSize, ACL_REVISION))
goto failed;
// copy the ACES
for (int i = 0; i < pDACL->AceCount; i++)
{
if (!GetAce(pDACL, i, (void **)&pACE))
goto failed;
if (!AddAccessAllowedAce(m_pDACL, ACL_REVISION, pACE->Mask, (PSID)&(pACE->SidStart)))
goto failed;
}
if (!IsValidAcl(m_pDACL))
goto failed;
}
// set the DACL
if (!SetSecurityDescriptorDacl(m_pSD, m_pDACL ? TRUE : FALSE, m_pDACL, bDefaulted))
goto failed;
}
// get the existing SACL.
if (!GetSecurityDescriptorSacl(pSelfRelativeSD, &bSACLPresent, &pSACL, &bDefaulted))
goto failed;
if (bSACLPresent)
{
if (pSACL)
{
// allocate new SACL.
m_pSACL = (PACL) malloc(pSACL->AclSize);
if (m_pSACL == NULL)
{
hr = E_OUTOFMEMORY;
goto failedMemory;
}
// initialize the SACL
if (!InitializeAcl(m_pSACL, pSACL->AclSize, ACL_REVISION))
goto failed;
// copy the ACES
for (int i = 0; i < pSACL->AceCount; i++)
{
if (!GetAce(pSACL, i, (void **)&pACE))
goto failed;
if (!AddAccessAllowedAce(m_pSACL, ACL_REVISION, pACE->Mask, (PSID)&(pACE->SidStart)))
goto failed;
}
if (!IsValidAcl(m_pSACL))
goto failed;
}
// set the SACL
if (!SetSecurityDescriptorSacl(m_pSD, m_pSACL ? TRUE : FALSE, m_pSACL, bDefaulted))
goto failed;
}
if (!GetSecurityDescriptorOwner(m_pSD, &pUserSid, &bDefaulted))
goto failed;
if (FAILED(SetOwner(pUserSid, bDefaulted)))
goto failed;
if (!GetSecurityDescriptorGroup(m_pSD, &pGroupSid, &bDefaulted))
goto failed;
if (FAILED(SetGroup(pGroupSid, bDefaulted)))
goto failed;
if (!IsValidSecurityDescriptor(m_pSD))
goto failed;
return hr;
failed:
hr = HRESULT_FROM_WIN32(hr);
failedMemory:
if (m_pDACL)
{
free(m_pDACL);
m_pDACL = NULL;
}
if (m_pSD)
{
free(m_pSD);
m_pSD = NULL;
}
return hr;
}
/*---------------------------------------------------------------------------*\
* NAME: MakeSDAbsolute
* --------------------------------------------------------------------------*
* DESCRIPTION: Takes a self-relative security descriptor and returns a
* newly created absolute security descriptor.
\*---------------------------------------------------------------------------*/
DWORD MakeSDAbsolute (
PSECURITY_DESCRIPTOR psidOld,
PSECURITY_DESCRIPTOR *psidNew
)
{
PSECURITY_DESCRIPTOR pSid = NULL;
DWORD cbDescriptor = 0;
DWORD cbDacl = 0;
DWORD cbSacl = 0;
DWORD cbOwnerSID = 0;
DWORD cbGroupSID = 0;
PACL pDacl = NULL;
PACL pSacl = NULL;
PSID psidOwner = NULL;
PSID psidGroup = NULL;
BOOL fPresent = FALSE;
BOOL fSystemDefault = FALSE;
DWORD dwReturnValue = ERROR_SUCCESS;
// Get SACL
if (!GetSecurityDescriptorSacl (psidOld, &fPresent, &pSacl, &fSystemDefault))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
if (pSacl && fPresent)
{
cbSacl = pSacl->AclSize;
}
// Get DACL
if (!GetSecurityDescriptorDacl (psidOld, &fPresent, &pDacl, &fSystemDefault))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
if (pDacl && fPresent)
{
cbDacl = pDacl->AclSize;
}
// Get Owner
if (!GetSecurityDescriptorOwner (psidOld, &psidOwner, &fSystemDefault))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
cbOwnerSID = GetLengthSid (psidOwner);
// Get Group
if (!GetSecurityDescriptorGroup (psidOld, &psidGroup, &fSystemDefault))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
cbGroupSID = GetLengthSid (psidGroup);
// Do the conversion
cbDescriptor = 0;
MakeAbsoluteSD (psidOld, pSid, &cbDescriptor, pDacl, &cbDacl, pSacl,
&cbSacl, psidOwner, &cbOwnerSID, psidGroup,
&cbGroupSID);
pSid = (PSECURITY_DESCRIPTOR) malloc(cbDescriptor);
if(!pSid)
{
dwReturnValue = ERROR_OUTOFMEMORY;
goto CLEANUP;
}
ZeroMemory(pSid, cbDescriptor);
if (!InitializeSecurityDescriptor (pSid, SECURITY_DESCRIPTOR_REVISION))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
if (!MakeAbsoluteSD (psidOld, pSid, &cbDescriptor, pDacl, &cbDacl, pSacl,
&cbSacl, psidOwner, &cbOwnerSID, psidGroup,
&cbGroupSID))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
CLEANUP:
if(dwReturnValue != ERROR_SUCCESS && pSid)
{
free(pSid);
pSid = NULL;
}
*psidNew = pSid;
return dwReturnValue;
}
/* Dump ACE to file line per line in the following format:
* ownerSID, groupSID, ACEType, ACEFlags, AccessMask, (Flags), (ObjectType guid), (InheritedObjectType guid), TrusteeSID
*/
void DumpACE(
IN long long sd_id,
IN unsigned char *buffer,
IN FILE *dump
)
{
BOOL daclPresent, daclDefaulted;
PACL dacl;
PSID owner, group;
BOOL ownerDefaulted, groupDefaulted;
LPVOID ace;
LPWSTR stringOwner = NULL;
LPWSTR stringGroup = NULL;
LPWSTR stringTrustee = NULL;
RPC_WSTR OTGuid = NULL;
RPC_WSTR IOTGuid = NULL;
unsigned int i;
GetSecurityDescriptorOwner(buffer, &owner, &ownerDefaulted);
ConvertSidToStringSid(owner, &stringOwner);
GetSecurityDescriptorGroup(buffer, &group, &groupDefaulted);
ConvertSidToStringSid(group, &stringGroup);
GetSecurityDescriptorDacl(buffer, &daclPresent, &dacl, &daclDefaulted);
for(i = 0 ; GetAce(dacl, i, &ace) ; i++)
{
//Remove inherited ACE
if((((ACE_HEADER *)ace)->AceFlags & INHERITED_ACE) != INHERITED_ACE)
{
fwprintf(dump,L"\n");
//Standard allow&deny ACE
if(((ACE_HEADER *)ace)->AceType < 0x5)
{
ConvertSidToStringSid((PSID)&(((ACCESS_ALLOWED_ACE *)ace)->SidStart), &stringTrustee);
fwprintf_s(dump, L"%lld\t%s\t%s\t%.2X\t%.2X\t%d\t\t\t\t%s",
sd_id,
stringOwner,
stringGroup,
((ACE_HEADER *)ace)->AceType,
((ACE_HEADER *)ace)->AceFlags,
((ACCESS_ALLOWED_ACE *)ace)->Mask,
stringTrustee
);
}
//Object ACE
else
{
switch(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->Flags)
{
//not any OT
case 0x0:
{
ConvertSidToStringSid((PSID)((DWORD)&(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->SidStart) - 2 * sizeof(GUID)),
&stringTrustee
);
break;
}
//Only OT
case 0x1:
{
UuidToString(&(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->ObjectType), &OTGuid);
ConvertSidToStringSid((PSID)((DWORD)&(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->SidStart) - sizeof(GUID)),
&stringTrustee
);
break;
}
//Only IOT
case 0x2:
{
UuidToString(&(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->InheritedObjectType), &IOTGuid);
ConvertSidToStringSid((PSID)((DWORD)&(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->SidStart) - sizeof(GUID)),
&stringTrustee
);
break;
}
//both
case 0x3:
{
UuidToString(&(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->ObjectType), &OTGuid);
UuidToString(&(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->InheritedObjectType), &IOTGuid);
ConvertSidToStringSid((PSID)&(((ACCESS_ALLOWED_OBJECT_ACE *)ace)->SidStart),
&stringTrustee
);
break;
}
}
fwprintf_s(dump, L"%lld\t%s\t%s\t%.2X\t%.2X\t%d\t%d\t%s\t%s\t%s",
sd_id,
stringOwner,
stringGroup,
((ACE_HEADER *)ace)->AceType,
((ACE_HEADER *)ace)->AceFlags,
((ACCESS_ALLOWED_OBJECT_ACE *)ace)->Mask,
((ACCESS_ALLOWED_OBJECT_ACE *)ace)->Flags,
OTGuid,
IOTGuid,
stringTrustee
);
}
LocalFree(stringTrustee);
stringTrustee = NULL;
RpcStringFree(&OTGuid);
OTGuid = NULL;
RpcStringFree(&IOTGuid);
IOTGuid = NULL;
}
}
LocalFree(stringOwner);
stringOwner = NULL;
LocalFree(stringGroup);
stringGroup = NULL;
}
DWORD
MakeSDAbsolute (
PSECURITY_DESCRIPTOR OldSD,
PSECURITY_DESCRIPTOR *NewSD
)
{
PSECURITY_DESCRIPTOR sd = NULL;
DWORD descriptorSize;
DWORD daclSize;
DWORD saclSize;
DWORD ownerSIDSize;
DWORD groupSIDSize;
PACL dacl;
PACL sacl;
PSID ownerSID;
PSID groupSID;
BOOL present;
BOOL systemDefault;
//
// Get SACL
//
if (!GetSecurityDescriptorSacl (OldSD, &present, &sacl, &systemDefault))
return GetLastError();
if (sacl && present)
{
saclSize = sacl->AclSize;
} else saclSize = 0;
//
// Get DACL
//
if (!GetSecurityDescriptorDacl (OldSD, &present, &dacl, &systemDefault))
return GetLastError();
if (dacl && present)
{
daclSize = dacl->AclSize;
} else daclSize = 0;
//
// Get Owner
//
if (!GetSecurityDescriptorOwner (OldSD, &ownerSID, &systemDefault))
return GetLastError();
ownerSIDSize = GetLengthSid (ownerSID);
//
// Get Group
//
if (!GetSecurityDescriptorGroup (OldSD, &groupSID, &systemDefault))
return GetLastError();
groupSIDSize = GetLengthSid (groupSID);
//
// Do the conversion
//
descriptorSize = 0;
MakeAbsoluteSD (OldSD, sd, &descriptorSize, dacl, &daclSize, sacl,
&saclSize, ownerSID, &ownerSIDSize, groupSID,
&groupSIDSize);
sd = (PSECURITY_DESCRIPTOR) new BYTE [SECURITY_DESCRIPTOR_MIN_LENGTH];
if (!InitializeSecurityDescriptor (sd, SECURITY_DESCRIPTOR_REVISION))
return GetLastError();
if (!MakeAbsoluteSD (OldSD, sd, &descriptorSize, dacl, &daclSize, sacl,
&saclSize, ownerSID, &ownerSIDSize, groupSID,
&groupSIDSize))
return GetLastError();
*NewSD = sd;
return ERROR_SUCCESS;
}
