static DWORD NtlmGetLocalGuestAccountSid( OUT PSTR* ppszGuestSid ) { DWORD dwError = LW_ERROR_SUCCESS; NTSTATUS ntStatus = STATUS_SUCCESS; PLW_MAP_SECURITY_CONTEXT pContext = NULL; PSID pGuestSid = NULL; PSTR pszGuestSid = NULL; ntStatus = LwMapSecurityCreateContext(&pContext); dwError = LwNtStatusToWin32Error(ntStatus); BAIL_ON_LSA_ERROR(dwError); ntStatus = LwMapSecurityGetLocalGuestAccountSid(pContext, &pGuestSid); dwError = LwNtStatusToWin32Error(ntStatus); BAIL_ON_LSA_ERROR(dwError); ntStatus = RtlAllocateCStringFromSid(&pszGuestSid, pGuestSid); dwError = LwNtStatusToWin32Error(ntStatus); BAIL_ON_LSA_ERROR(dwError); cleanup: if (pContext && pGuestSid) { LwMapSecurityFreeSid(pContext, &pGuestSid); } LwMapSecurityFreeContext(&pContext); *ppszGuestSid = pszGuestSid; return dwError; error: LW_SAFE_FREE_STRING(pszGuestSid); goto cleanup; }
DWORD RegSrvApiInit( VOID ) { DWORD dwError = 0; dwError = LwNtStatusToWin32Error(LwMapSecurityInitialize()); BAIL_ON_REG_ERROR(dwError); dwError = LwNtStatusToWin32Error(LwMapSecurityCreateContext(&gpRegLwMapSecurityCtx)); BAIL_ON_REG_ERROR(dwError); #if defined(REG_USE_FILE) dwError = FileProvider_Initialize(&gpRegProvider); BAIL_ON_REG_ERROR(dwError); #elif defined(REG_USE_SQLITE) dwError = SqliteProvider_Initialize(&gpRegProvider, ROOT_KEYS); BAIL_ON_REG_ERROR(dwError); #endif // make sure gpRegProvider is not NULL if (!gpRegProvider) { dwError = ERROR_INTERNAL_ERROR; BAIL_ON_REG_ERROR(dwError); } cleanup: return dwError; error: goto cleanup; }
static DWORD EVTCreateAccessDescriptor( PCSTR pszAllowReadTo, PCSTR pszAllowWriteTo, PCSTR pszAllowDeleteTo, PSECURITY_DESCRIPTOR_ABSOLUTE* ppDescriptor, PBOOLEAN pbFullyResolved ) { PSECURITY_DESCRIPTOR_ABSOLUTE pDescriptor = NULL; DWORD dwCount = 0; PSTR* ppszArray = NULL; DWORD dwReadCount = 0; DWORD dwWriteCount = 0; DWORD dwDeleteCount = 0; PSID* ppReadList = NULL; PSID* ppWriteList = NULL; PSID* ppDeleteList = NULL; PACL pDacl = NULL; DWORD dwDaclSize = 0; PLW_MAP_SECURITY_CONTEXT pContext = NULL; DWORD dwError = 0; PSID pLocalSystem = NULL; PSID pAdministrators = NULL; BOOLEAN bFullyResolved = TRUE; dwError = LwAllocateWellKnownSid( WinLocalSystemSid, NULL, &pLocalSystem, NULL); BAIL_ON_EVT_ERROR(dwError); dwError = LwAllocateWellKnownSid( WinBuiltinAdministratorsSid, NULL, &pAdministrators, NULL); BAIL_ON_EVT_ERROR(dwError); dwError = LwNtStatusToWin32Error( LwMapSecurityCreateContext( &pContext)); BAIL_ON_EVT_ERROR(dwError); dwError = LwAllocateMemory( SECURITY_DESCRIPTOR_ABSOLUTE_MIN_SIZE, (PVOID*)&pDescriptor); BAIL_ON_EVT_ERROR(dwError); dwError = LwNtStatusToWin32Error( RtlCreateSecurityDescriptorAbsolute( pDescriptor, SECURITY_DESCRIPTOR_REVISION)); BAIL_ON_EVT_ERROR(dwError); dwError = EVTStringSplit( pszAllowReadTo, &dwCount, &ppszArray); BAIL_ON_EVT_ERROR(dwError); dwError = EVTNamesToSids( pContext, dwCount, ppszArray, &dwReadCount, &ppReadList); BAIL_ON_EVT_ERROR(dwError); if (dwReadCount < dwCount) { bFullyResolved = FALSE; } LwFreeStringArray( ppszArray, dwCount); ppszArray = NULL; dwError = EVTStringSplit( pszAllowWriteTo, &dwCount, &ppszArray); BAIL_ON_EVT_ERROR(dwError); dwError = EVTNamesToSids( pContext, dwCount, ppszArray, &dwWriteCount, &ppWriteList); BAIL_ON_EVT_ERROR(dwError); if (dwWriteCount < dwCount) { bFullyResolved = FALSE; } LwFreeStringArray( ppszArray, dwCount); ppszArray = NULL; dwError = EVTStringSplit( pszAllowDeleteTo, &dwCount, &ppszArray); BAIL_ON_EVT_ERROR(dwError); dwError = EVTNamesToSids( pContext, dwCount, ppszArray, &dwDeleteCount, &ppDeleteList); BAIL_ON_EVT_ERROR(dwError); if (dwDeleteCount < dwCount) { bFullyResolved = FALSE; } LwFreeStringArray( ppszArray, dwCount); ppszArray = NULL; dwDaclSize = ACL_HEADER_SIZE + EVTGetAllowAcesSize(dwReadCount, ppReadList) + EVTGetAllowAcesSize(dwWriteCount, ppWriteList) + EVTGetAllowAcesSize(dwDeleteCount, ppDeleteList); dwError = LwAllocateMemory( dwDaclSize, OUT_PPVOID(&pDacl)); BAIL_ON_EVT_ERROR(dwError); dwError = LwNtStatusToWin32Error( RtlCreateAcl(pDacl, dwDaclSize, ACL_REVISION)); BAIL_ON_EVT_ERROR(dwError); dwError = EVTAddAllowAces( pDacl, dwReadCount, ppReadList, EVENTLOG_READ_RECORD); BAIL_ON_EVT_ERROR(dwError); dwError = EVTAddAllowAces( pDacl, dwWriteCount, ppWriteList, EVENTLOG_WRITE_RECORD); BAIL_ON_EVT_ERROR(dwError); dwError = EVTAddAllowAces( pDacl, dwWriteCount, ppWriteList, EVENTLOG_DELETE_RECORD); BAIL_ON_EVT_ERROR(dwError); dwError = LwNtStatusToWin32Error( RtlSetDaclSecurityDescriptor( pDescriptor, TRUE, pDacl, FALSE)); BAIL_ON_EVT_ERROR(dwError); pDacl = NULL; dwError = LwNtStatusToWin32Error( RtlSetOwnerSecurityDescriptor( pDescriptor, pLocalSystem, FALSE)); BAIL_ON_EVT_ERROR(dwError); pLocalSystem = NULL; dwError = LwNtStatusToWin32Error( RtlSetGroupSecurityDescriptor( pDescriptor, pAdministrators, FALSE)); BAIL_ON_EVT_ERROR(dwError); pAdministrators = NULL; *ppDescriptor = pDescriptor; if (pbFullyResolved) { *pbFullyResolved = bFullyResolved; } cleanup: if (ppszArray) { LwFreeStringArray( ppszArray, dwCount); } EVTFreeSidArray( pContext, dwReadCount, ppReadList); EVTFreeSidArray( pContext, dwWriteCount, ppWriteList); EVTFreeSidArray( pContext, dwDeleteCount, ppDeleteList); LwMapSecurityFreeContext(&pContext); return dwError; error: EVTFreeSecurityDescriptor(pDescriptor); *ppDescriptor = NULL; if (pbFullyResolved) { *pbFullyResolved = FALSE; } LW_SAFE_FREE_MEMORY(pDacl); LW_SAFE_FREE_MEMORY(pLocalSystem); LW_SAFE_FREE_MEMORY(pAdministrators); goto cleanup; }
static NTSTATUS LwIoFuseTranslateAbsoluteSecurityDescriptor( PSECURITY_DESCRIPTOR_ABSOLUTE pSecurityDescriptor, PSID pOwnerSid, PSID pGroupSid, struct stat* pStatbuf ) { NTSTATUS status = STATUS_SUCCESS; PACCESS_TOKEN pOwnerToken = NULL; PACCESS_TOKEN pGroupToken = NULL; PACCESS_TOKEN pOtherToken = NULL; PLW_MAP_SECURITY_CONTEXT pContext = NULL; ULONG ulUserId = 0; ULONG ulGroupId = 0; BOOLEAN bIsUser = TRUE; status = LwMapSecurityCreateContext(&pContext); BAIL_ON_NT_STATUS(status); status = LwMapSecurityGetIdFromSid( pContext, &bIsUser, &ulUserId, pOwnerSid); if (status != STATUS_SUCCESS || bIsUser != TRUE) { status = STATUS_SUCCESS; ulUserId = 0; } status = LwMapSecurityGetIdFromSid( pContext, &bIsUser, &ulGroupId, pGroupSid); if (status != STATUS_SUCCESS || bIsUser != FALSE) { status = STATUS_SUCCESS; ulGroupId = 0; } pStatbuf->st_uid = (uid_t) ulUserId; pStatbuf->st_gid = (gid_t) ulGroupId; /* Create access tokens for user/group/other */ status = LwIoFuseCreateAccessTokenForOwner( pOwnerSid, &pOwnerToken); BAIL_ON_NT_STATUS(status); status = LwIoFuseCreateAccessTokenForGroup( pGroupSid, &pGroupToken); BAIL_ON_NT_STATUS(status); status = LwIoFuseCreateAccessTokenForOther( &pOtherToken); BAIL_ON_NT_STATUS(status); /* Generate unix permissions */ status = LwIoFuseTranslateSecurityDescriptorPermissions( pSecurityDescriptor, pOwnerToken, pGroupToken, pOtherToken, pStatbuf); BAIL_ON_NT_STATUS(status); error: if (pOwnerToken) { RtlReleaseAccessToken(&pOwnerToken); } if (pGroupToken) { RtlReleaseAccessToken(&pGroupToken); } if (pOtherToken) { RtlReleaseAccessToken(&pOtherToken); } return status; }
static DWORD test_access_token( PCSTR pszUpn) { PTOKEN_USER pUser = NULL; PTOKEN_GROUPS pGroups = NULL; PACCESS_TOKEN pAccessToken = NULL; PSTR pszUserSid = NULL; PSTR pszGroupSid = NULL; PLW_MAP_SECURITY_CONTEXT pMapSecurityContext = NULL; DWORD ulBufLen = 0; DWORD dwError = 0; DWORD dwIndex = 0; dwError = LwMapSecurityCreateContext(&pMapSecurityContext); BAIL_ON_VMDIR_ERROR(dwError); printf("Creating access token for UPN: %s\n", pszUpn); dwError = LwMapSecurityCreateAccessTokenFromCStringUsername( pMapSecurityContext, &pAccessToken, pszUpn); BAIL_ON_VMDIR_ERROR(dwError); // get user sid dwError = RtlQueryAccessTokenInformation( pAccessToken, TokenUser, NULL, 0, &ulBufLen); dwError = LwNtStatusToWin32Error(dwError); BAIL_ON_VMDIR_ERROR(dwError != ERROR_INSUFFICIENT_BUFFER); pUser = RtlMemoryAllocate(ulBufLen, TRUE); if (!pUser) { dwError = ERROR_NOT_ENOUGH_MEMORY; BAIL_ON_VMDIR_ERROR(dwError); } dwError = RtlQueryAccessTokenInformation( pAccessToken, TokenUser, pUser, ulBufLen, &ulBufLen); dwError = LwNtStatusToWin32Error(dwError); BAIL_ON_VMDIR_ERROR(dwError); dwError = RtlAllocateCStringFromSid( &pszUserSid, pUser->User.Sid); BAIL_ON_VMDIR_ERROR(dwError); printf("User SID: %s\n", pszUserSid); dwError = RtlQueryAccessTokenInformation( pAccessToken, TokenGroups, NULL, 0, &ulBufLen); dwError = LwNtStatusToWin32Error(dwError); BAIL_ON_VMDIR_ERROR(dwError != ERROR_INSUFFICIENT_BUFFER); pGroups = RtlMemoryAllocate(ulBufLen, TRUE); if (!pGroups) { dwError = ERROR_NOT_ENOUGH_MEMORY; BAIL_ON_VMDIR_ERROR(dwError); } dwError = RtlQueryAccessTokenInformation( pAccessToken, TokenGroups, pGroups, ulBufLen, &ulBufLen); dwError = LwNtStatusToWin32Error(dwError); BAIL_ON_VMDIR_ERROR(dwError); for (dwIndex = 0; dwIndex < pGroups->GroupCount; dwIndex++) { dwError = RtlAllocateCStringFromSid( &pszGroupSid, pGroups->Groups[dwIndex].Sid); BAIL_ON_VMDIR_ERROR(dwError); printf("Group SID: %s\n", pszGroupSid); } cleanup: if (pMapSecurityContext) { LwMapSecurityFreeContext(&pMapSecurityContext); } if (pAccessToken) { RtlReleaseAccessToken(&pAccessToken); } if (pszUserSid) { RtlMemoryFree(pszUserSid); } if (pGroups) { RtlMemoryFree(pGroups); } if (pUser) { RtlMemoryFree(pUser); } return dwError; error: goto cleanup; }
static DWORD LwmEvtSrvGetConnection( IN LWMsgCall* pCall, OUT PLWMSG_LW_EVENTLOG_CONNECTION* ppConn ) { DWORD dwError = 0; LWMsgSession* pSession = NULL; PLWMSG_LW_EVENTLOG_CONNECTION pConn = NULL; NTSTATUS status = 0; PLW_MAP_SECURITY_CONTEXT pContext = NULL; if (pCall == NULL) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_EVT_ERROR(dwError); } pSession = lwmsg_call_get_session(pCall); if (pSession == NULL) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_EVT_ERROR(dwError); } pConn = (PLWMSG_LW_EVENTLOG_CONNECTION)lwmsg_session_get_data(pSession); if (pConn == NULL) { dwError = ERROR_INVALID_PARAMETER; BAIL_ON_EVT_ERROR(dwError); } if (!pConn->pUserToken) { status = LwMapSecurityCreateContext(&pContext); BAIL_ON_EVT_ERROR(status); status = LwMapSecurityCreateAccessTokenFromUidGid( pContext, &pConn->pUserToken, pConn->Uid, pConn->Gid); BAIL_ON_EVT_ERROR(status); dwError = EVTCheckAllowed( pConn->pUserToken, EVENTLOG_READ_RECORD, &pConn->ReadAllowed); BAIL_ON_EVT_ERROR(dwError); dwError = EVTCheckAllowed( pConn->pUserToken, EVENTLOG_WRITE_RECORD, &pConn->WriteAllowed); BAIL_ON_EVT_ERROR(dwError); dwError = EVTCheckAllowed( pConn->pUserToken, EVENTLOG_DELETE_RECORD, &pConn->DeleteAllowed); BAIL_ON_EVT_ERROR(dwError); if (!pConn->ReadAllowed && !pConn->WriteAllowed && !pConn->DeleteAllowed) { dwError = ERROR_ACCESS_DENIED; BAIL_ON_EVT_ERROR(dwError); } } *ppConn = pConn; cleanup: if (pContext) { LwMapSecurityFreeContext(&pContext); } if (dwError == 0 && status) { dwError = LwNtStatusToWin32Error(status); } return dwError; error: *ppConn = NULL; goto cleanup; }