static
DWORD
NtlmGetLocalGuestAccountSid(
OUT PSTR* ppszGuestSid
)
{
DWORD dwError = LW_ERROR_SUCCESS;
NTSTATUS ntStatus = STATUS_SUCCESS;
PLW_MAP_SECURITY_CONTEXT pContext = NULL;
PSID pGuestSid = NULL;
PSTR pszGuestSid = NULL;
ntStatus = LwMapSecurityCreateContext(&pContext);
dwError = LwNtStatusToWin32Error(ntStatus);
BAIL_ON_LSA_ERROR(dwError);
ntStatus = LwMapSecurityGetLocalGuestAccountSid(pContext, &pGuestSid);
dwError = LwNtStatusToWin32Error(ntStatus);
BAIL_ON_LSA_ERROR(dwError);
ntStatus = RtlAllocateCStringFromSid(&pszGuestSid, pGuestSid);
dwError = LwNtStatusToWin32Error(ntStatus);
BAIL_ON_LSA_ERROR(dwError);
cleanup:
if (pContext && pGuestSid)
{
LwMapSecurityFreeSid(pContext, &pGuestSid);
}
LwMapSecurityFreeContext(&pContext);
*ppszGuestSid = pszGuestSid;
return dwError;
error:
LW_SAFE_FREE_STRING(pszGuestSid);
goto cleanup;
}
DWORD
RegSrvApiInit(
VOID
)
{
DWORD dwError = 0;
dwError = LwNtStatusToWin32Error(LwMapSecurityInitialize());
BAIL_ON_REG_ERROR(dwError);
dwError = LwNtStatusToWin32Error(LwMapSecurityCreateContext(&gpRegLwMapSecurityCtx));
BAIL_ON_REG_ERROR(dwError);
#if defined(REG_USE_FILE)
dwError = FileProvider_Initialize(&gpRegProvider);
BAIL_ON_REG_ERROR(dwError);
#elif defined(REG_USE_SQLITE)
dwError = SqliteProvider_Initialize(&gpRegProvider, ROOT_KEYS);
BAIL_ON_REG_ERROR(dwError);
#endif
// make sure gpRegProvider is not NULL
if (!gpRegProvider)
{
dwError = ERROR_INTERNAL_ERROR;
BAIL_ON_REG_ERROR(dwError);
}
cleanup:
return dwError;
error:
goto cleanup;
}
static
DWORD
EVTCreateAccessDescriptor(
PCSTR pszAllowReadTo,
PCSTR pszAllowWriteTo,
PCSTR pszAllowDeleteTo,
PSECURITY_DESCRIPTOR_ABSOLUTE* ppDescriptor,
PBOOLEAN pbFullyResolved
)
{
PSECURITY_DESCRIPTOR_ABSOLUTE pDescriptor = NULL;
DWORD dwCount = 0;
PSTR* ppszArray = NULL;
DWORD dwReadCount = 0;
DWORD dwWriteCount = 0;
DWORD dwDeleteCount = 0;
PSID* ppReadList = NULL;
PSID* ppWriteList = NULL;
PSID* ppDeleteList = NULL;
PACL pDacl = NULL;
DWORD dwDaclSize = 0;
PLW_MAP_SECURITY_CONTEXT pContext = NULL;
DWORD dwError = 0;
PSID pLocalSystem = NULL;
PSID pAdministrators = NULL;
BOOLEAN bFullyResolved = TRUE;
dwError = LwAllocateWellKnownSid(
WinLocalSystemSid,
NULL,
&pLocalSystem,
NULL);
BAIL_ON_EVT_ERROR(dwError);
dwError = LwAllocateWellKnownSid(
WinBuiltinAdministratorsSid,
NULL,
&pAdministrators,
NULL);
BAIL_ON_EVT_ERROR(dwError);
dwError = LwNtStatusToWin32Error(
LwMapSecurityCreateContext(
&pContext));
BAIL_ON_EVT_ERROR(dwError);
dwError = LwAllocateMemory(
SECURITY_DESCRIPTOR_ABSOLUTE_MIN_SIZE,
(PVOID*)&pDescriptor);
BAIL_ON_EVT_ERROR(dwError);
dwError = LwNtStatusToWin32Error(
RtlCreateSecurityDescriptorAbsolute(
pDescriptor,
SECURITY_DESCRIPTOR_REVISION));
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTStringSplit(
pszAllowReadTo,
&dwCount,
&ppszArray);
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTNamesToSids(
pContext,
dwCount,
ppszArray,
&dwReadCount,
&ppReadList);
BAIL_ON_EVT_ERROR(dwError);
if (dwReadCount < dwCount)
{
bFullyResolved = FALSE;
}
LwFreeStringArray(
ppszArray,
dwCount);
ppszArray = NULL;
dwError = EVTStringSplit(
pszAllowWriteTo,
&dwCount,
&ppszArray);
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTNamesToSids(
pContext,
dwCount,
ppszArray,
&dwWriteCount,
&ppWriteList);
BAIL_ON_EVT_ERROR(dwError);
if (dwWriteCount < dwCount)
{
bFullyResolved = FALSE;
}
LwFreeStringArray(
ppszArray,
dwCount);
ppszArray = NULL;
dwError = EVTStringSplit(
pszAllowDeleteTo,
&dwCount,
&ppszArray);
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTNamesToSids(
pContext,
dwCount,
ppszArray,
&dwDeleteCount,
&ppDeleteList);
BAIL_ON_EVT_ERROR(dwError);
if (dwDeleteCount < dwCount)
{
bFullyResolved = FALSE;
}
LwFreeStringArray(
ppszArray,
dwCount);
ppszArray = NULL;
dwDaclSize = ACL_HEADER_SIZE +
EVTGetAllowAcesSize(dwReadCount, ppReadList) +
EVTGetAllowAcesSize(dwWriteCount, ppWriteList) +
EVTGetAllowAcesSize(dwDeleteCount, ppDeleteList);
dwError = LwAllocateMemory(
dwDaclSize,
OUT_PPVOID(&pDacl));
BAIL_ON_EVT_ERROR(dwError);
dwError = LwNtStatusToWin32Error(
RtlCreateAcl(pDacl, dwDaclSize, ACL_REVISION));
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTAddAllowAces(
pDacl,
dwReadCount,
ppReadList,
EVENTLOG_READ_RECORD);
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTAddAllowAces(
pDacl,
dwWriteCount,
ppWriteList,
EVENTLOG_WRITE_RECORD);
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTAddAllowAces(
pDacl,
dwWriteCount,
ppWriteList,
EVENTLOG_DELETE_RECORD);
BAIL_ON_EVT_ERROR(dwError);
dwError = LwNtStatusToWin32Error(
RtlSetDaclSecurityDescriptor(
pDescriptor,
TRUE,
pDacl,
FALSE));
BAIL_ON_EVT_ERROR(dwError);
pDacl = NULL;
dwError = LwNtStatusToWin32Error(
RtlSetOwnerSecurityDescriptor(
pDescriptor,
pLocalSystem,
FALSE));
BAIL_ON_EVT_ERROR(dwError);
pLocalSystem = NULL;
dwError = LwNtStatusToWin32Error(
RtlSetGroupSecurityDescriptor(
pDescriptor,
pAdministrators,
FALSE));
BAIL_ON_EVT_ERROR(dwError);
pAdministrators = NULL;
*ppDescriptor = pDescriptor;
if (pbFullyResolved)
{
*pbFullyResolved = bFullyResolved;
}
cleanup:
if (ppszArray)
{
LwFreeStringArray(
ppszArray,
dwCount);
}
EVTFreeSidArray(
pContext,
dwReadCount,
ppReadList);
EVTFreeSidArray(
pContext,
dwWriteCount,
ppWriteList);
EVTFreeSidArray(
pContext,
dwDeleteCount,
ppDeleteList);
LwMapSecurityFreeContext(&pContext);
return dwError;
error:
EVTFreeSecurityDescriptor(pDescriptor);
*ppDescriptor = NULL;
if (pbFullyResolved)
{
*pbFullyResolved = FALSE;
}
LW_SAFE_FREE_MEMORY(pDacl);
LW_SAFE_FREE_MEMORY(pLocalSystem);
LW_SAFE_FREE_MEMORY(pAdministrators);
goto cleanup;
}
static
NTSTATUS
LwIoFuseTranslateAbsoluteSecurityDescriptor(
PSECURITY_DESCRIPTOR_ABSOLUTE pSecurityDescriptor,
PSID pOwnerSid,
PSID pGroupSid,
struct stat* pStatbuf
)
{
NTSTATUS status = STATUS_SUCCESS;
PACCESS_TOKEN pOwnerToken = NULL;
PACCESS_TOKEN pGroupToken = NULL;
PACCESS_TOKEN pOtherToken = NULL;
PLW_MAP_SECURITY_CONTEXT pContext = NULL;
ULONG ulUserId = 0;
ULONG ulGroupId = 0;
BOOLEAN bIsUser = TRUE;
status = LwMapSecurityCreateContext(&pContext);
BAIL_ON_NT_STATUS(status);
status = LwMapSecurityGetIdFromSid(
pContext,
&bIsUser,
&ulUserId,
pOwnerSid);
if (status != STATUS_SUCCESS || bIsUser != TRUE)
{
status = STATUS_SUCCESS;
ulUserId = 0;
}
status = LwMapSecurityGetIdFromSid(
pContext,
&bIsUser,
&ulGroupId,
pGroupSid);
if (status != STATUS_SUCCESS || bIsUser != FALSE)
{
status = STATUS_SUCCESS;
ulGroupId = 0;
}
pStatbuf->st_uid = (uid_t) ulUserId;
pStatbuf->st_gid = (gid_t) ulGroupId;
/* Create access tokens for user/group/other */
status = LwIoFuseCreateAccessTokenForOwner(
pOwnerSid,
&pOwnerToken);
BAIL_ON_NT_STATUS(status);
status = LwIoFuseCreateAccessTokenForGroup(
pGroupSid,
&pGroupToken);
BAIL_ON_NT_STATUS(status);
status = LwIoFuseCreateAccessTokenForOther(
&pOtherToken);
BAIL_ON_NT_STATUS(status);
/* Generate unix permissions */
status = LwIoFuseTranslateSecurityDescriptorPermissions(
pSecurityDescriptor,
pOwnerToken,
pGroupToken,
pOtherToken,
pStatbuf);
BAIL_ON_NT_STATUS(status);
error:
if (pOwnerToken)
{
RtlReleaseAccessToken(&pOwnerToken);
}
if (pGroupToken)
{
RtlReleaseAccessToken(&pGroupToken);
}
if (pOtherToken)
{
RtlReleaseAccessToken(&pOtherToken);
}
return status;
}
static
DWORD
test_access_token(
PCSTR pszUpn)
{
PTOKEN_USER pUser = NULL;
PTOKEN_GROUPS pGroups = NULL;
PACCESS_TOKEN pAccessToken = NULL;
PSTR pszUserSid = NULL;
PSTR pszGroupSid = NULL;
PLW_MAP_SECURITY_CONTEXT pMapSecurityContext = NULL;
DWORD ulBufLen = 0;
DWORD dwError = 0;
DWORD dwIndex = 0;
dwError = LwMapSecurityCreateContext(&pMapSecurityContext);
BAIL_ON_VMDIR_ERROR(dwError);
printf("Creating access token for UPN: %s\n", pszUpn);
dwError = LwMapSecurityCreateAccessTokenFromCStringUsername(
pMapSecurityContext,
&pAccessToken,
pszUpn);
BAIL_ON_VMDIR_ERROR(dwError);
// get user sid
dwError = RtlQueryAccessTokenInformation(
pAccessToken,
TokenUser,
NULL,
0,
&ulBufLen);
dwError = LwNtStatusToWin32Error(dwError);
BAIL_ON_VMDIR_ERROR(dwError != ERROR_INSUFFICIENT_BUFFER);
pUser = RtlMemoryAllocate(ulBufLen, TRUE);
if (!pUser)
{
dwError = ERROR_NOT_ENOUGH_MEMORY;
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = RtlQueryAccessTokenInformation(
pAccessToken,
TokenUser,
pUser,
ulBufLen,
&ulBufLen);
dwError = LwNtStatusToWin32Error(dwError);
BAIL_ON_VMDIR_ERROR(dwError);
dwError = RtlAllocateCStringFromSid(
&pszUserSid,
pUser->User.Sid);
BAIL_ON_VMDIR_ERROR(dwError);
printf("User SID: %s\n", pszUserSid);
dwError = RtlQueryAccessTokenInformation(
pAccessToken,
TokenGroups,
NULL,
0,
&ulBufLen);
dwError = LwNtStatusToWin32Error(dwError);
BAIL_ON_VMDIR_ERROR(dwError != ERROR_INSUFFICIENT_BUFFER);
pGroups = RtlMemoryAllocate(ulBufLen, TRUE);
if (!pGroups)
{
dwError = ERROR_NOT_ENOUGH_MEMORY;
BAIL_ON_VMDIR_ERROR(dwError);
}
dwError = RtlQueryAccessTokenInformation(
pAccessToken,
TokenGroups,
pGroups,
ulBufLen,
&ulBufLen);
dwError = LwNtStatusToWin32Error(dwError);
BAIL_ON_VMDIR_ERROR(dwError);
for (dwIndex = 0; dwIndex < pGroups->GroupCount; dwIndex++)
{
dwError = RtlAllocateCStringFromSid(
&pszGroupSid,
pGroups->Groups[dwIndex].Sid);
BAIL_ON_VMDIR_ERROR(dwError);
printf("Group SID: %s\n", pszGroupSid);
}
cleanup:
if (pMapSecurityContext)
{
LwMapSecurityFreeContext(&pMapSecurityContext);
}
if (pAccessToken)
{
RtlReleaseAccessToken(&pAccessToken);
}
if (pszUserSid)
{
RtlMemoryFree(pszUserSid);
}
if (pGroups)
{
RtlMemoryFree(pGroups);
}
if (pUser)
{
RtlMemoryFree(pUser);
}
return dwError;
error:
goto cleanup;
}
static
DWORD
LwmEvtSrvGetConnection(
IN LWMsgCall* pCall,
OUT PLWMSG_LW_EVENTLOG_CONNECTION* ppConn
)
{
DWORD dwError = 0;
LWMsgSession* pSession = NULL;
PLWMSG_LW_EVENTLOG_CONNECTION pConn = NULL;
NTSTATUS status = 0;
PLW_MAP_SECURITY_CONTEXT pContext = NULL;
if (pCall == NULL)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_EVT_ERROR(dwError);
}
pSession = lwmsg_call_get_session(pCall);
if (pSession == NULL)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_EVT_ERROR(dwError);
}
pConn = (PLWMSG_LW_EVENTLOG_CONNECTION)lwmsg_session_get_data(pSession);
if (pConn == NULL)
{
dwError = ERROR_INVALID_PARAMETER;
BAIL_ON_EVT_ERROR(dwError);
}
if (!pConn->pUserToken)
{
status = LwMapSecurityCreateContext(&pContext);
BAIL_ON_EVT_ERROR(status);
status = LwMapSecurityCreateAccessTokenFromUidGid(
pContext,
&pConn->pUserToken,
pConn->Uid,
pConn->Gid);
BAIL_ON_EVT_ERROR(status);
dwError = EVTCheckAllowed(
pConn->pUserToken,
EVENTLOG_READ_RECORD,
&pConn->ReadAllowed);
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTCheckAllowed(
pConn->pUserToken,
EVENTLOG_WRITE_RECORD,
&pConn->WriteAllowed);
BAIL_ON_EVT_ERROR(dwError);
dwError = EVTCheckAllowed(
pConn->pUserToken,
EVENTLOG_DELETE_RECORD,
&pConn->DeleteAllowed);
BAIL_ON_EVT_ERROR(dwError);
if (!pConn->ReadAllowed &&
!pConn->WriteAllowed &&
!pConn->DeleteAllowed)
{
dwError = ERROR_ACCESS_DENIED;
BAIL_ON_EVT_ERROR(dwError);
}
}
*ppConn = pConn;
cleanup:
if (pContext)
{
LwMapSecurityFreeContext(&pContext);
}
if (dwError == 0 && status)
{
dwError = LwNtStatusToWin32Error(status);
}
return dwError;
error:
*ppConn = NULL;
goto cleanup;
}
