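/**
 * Removes pszPrincipal from the object's DACL and re-attaches the DACL to
 * the object's security descriptor.
 *
 * @param pszPrincipal Principal name passed to RemovePrincipalFromACL.
 * @return The HRESULT from RemovePrincipalFromACL, or a failure HRESULT when
 *         the edited DACL cannot be attached to m_pSD.
 */
HRESULT COpcSecurity::Revoke(LPCTSTR pszPrincipal)
{
    HRESULT hr = RemovePrincipalFromACL(m_pDACL, pszPrincipal);
    if (FAILED(hr))
    {
        return hr;
    }

    // A revoke must not report success unless the descriptor really carries
    // the edited DACL, so the result of the attach step is checked.
    if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
    {
        const DWORD dwError = GetLastError();
        // Guard against a zero last-error so a failed call never maps to S_OK.
        hr = (dwError != ERROR_SUCCESS) ? HRESULT_FROM_WIN32(dwError) : E_FAIL;
    }

    return hr;
}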
/**
 * Removes tszPrincipal from the DACL of the security descriptor stored under
 * tszPermissionName and writes the updated descriptor back.
 *
 * A missing descriptor, or ERROR_FILE_NOT_FOUND from RemovePrincipalFromACL,
 * is reported as ERROR_SUCCESS and nothing is written.
 *
 * @param tszPermissionName Name handed to GetSecurityDescripterByName and
 *                          SetSecurityDescriptorByName.
 * @param tszPrincipal      Principal handed to RemovePrincipalFromACL.
 * @return ERROR_SUCCESS, or the Win32 error code of the first failing step.
 */
DWORD COxtSecurityHelper::RemovePrincipalFromSecurityDescriptor(LPCTSTR tszPermissionName, LPCTSTR tszPrincipal)
{
    SECURITY_DESCRIPTOR *pStoredSD = NULL;
    SECURITY_DESCRIPTOR *pSelfRelativeSD = NULL;
    SECURITY_DESCRIPTOR *pAbsoluteSD = NULL;
    DWORD cbSelfRelative = 0;
    BOOL fDaclPresent = FALSE;
    BOOL fDaclDefaulted = FALSE;
    PACL pAcl = NULL;

    // Each rung of the ladder runs only when every earlier step succeeded.
    DWORD dwStatus = GetSecurityDescripterByName(tszPermissionName, &pStoredSD, NULL);
    if (dwStatus != ERROR_SUCCESS)
    {
        // No stored descriptor means there is nothing to remove.
        if (dwStatus == ERROR_FILE_NOT_FOUND)
        {
            dwStatus = ERROR_SUCCESS;
        }
    }
    // NOTE(review): fDaclPresent is never inspected, so a descriptor without a
    // DACL reaches RemovePrincipalFromACL with pAcl == NULL - confirm the
    // helper rejects that case.
    else if (!::GetSecurityDescriptorDacl(pStoredSD, &fDaclPresent, &pAcl, &fDaclDefaulted))
    {
        dwStatus = ::GetLastError();
    }
    else if ((dwStatus = RemovePrincipalFromACL(pAcl, tszPrincipal)) != ERROR_SUCCESS)
    {
        // The helper's ERROR_FILE_NOT_FOUND is not treated as a failure.
        if (dwStatus == ERROR_FILE_NOT_FOUND)
        {
            dwStatus = ERROR_SUCCESS;
        }
    }
    else if ((dwStatus = MakeAbsoluteSecurityDescriptor((PSECURITY_DESCRIPTOR)pStoredSD,
                                                        (PSECURITY_DESCRIPTOR *)&pAbsoluteSD)) != ERROR_SUCCESS)
    {
        // Conversion to absolute form failed; dwStatus already holds the code.
    }
    else if (!::SetSecurityDescriptorDacl(pAbsoluteSD, TRUE, pAcl, FALSE))
    {
        dwStatus = ::GetLastError();
    }
    else
    {
        // First call only queries the size needed for the self-relative copy
        // (pSelfRelativeSD is still NULL here).
        cbSelfRelative = 0;
        ::MakeSelfRelativeSD(pAbsoluteSD, pSelfRelativeSD, &cbSelfRelative);

        pSelfRelativeSD = (SECURITY_DESCRIPTOR *)malloc(cbSelfRelative);
        if (pSelfRelativeSD == NULL)
        {
            dwStatus = ERROR_OUTOFMEMORY;
        }
        else if (!::MakeSelfRelativeSD(pAbsoluteSD, pSelfRelativeSD, &cbSelfRelative))
        {
            dwStatus = ::GetLastError();
        }
        else
        {
            // Persist the self-relative descriptor under the same name.
            dwStatus = SetSecurityDescriptorByName(tszPermissionName, pSelfRelativeSD);
        }
    }

    // free(NULL) is a no-op, so the three buffers are released unconditionally.
    free(pStoredSD);
    free(pSelfRelativeSD);
    free(pAbsoluteSD);

    return dwStatus;
}
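/*---------------------------------------------------------------------------*\
 * NAME: RemovePrincipalFromNamedValueSD
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Retrieves the designated security descriptor from the
 * registry, removes the ACEs of the named principal from its DACL and
 * stores the descriptor back in the same registry value.
 *
 * hkeyRoot, tszKeyName, tszValueName identify the registry value; they are
 * passed unchanged to GetNamedValueSD and SetNamedValueSD.
 * tszPrincipal and fAceType are passed unchanged to RemovePrincipalFromACL.
 *
 * RETURNS: ERROR_SUCCESS when the descriptor was rewritten, when no
 * descriptor is stored, or when RemovePrincipalFromACL reports
 * ERROR_FILE_NOT_FOUND; otherwise the Win32 error code of the failing step.
\*---------------------------------------------------------------------------*/
DWORD RemovePrincipalFromNamedValueSD (
    HKEY hkeyRoot,
    LPTSTR tszKeyName,
    LPTSTR tszValueName,
    LPTSTR tszPrincipal,
    DWORD fAceType
    )
{
    DWORD dwReturnValue = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *pSD = NULL;
    SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *psdAbsolute = NULL;
    DWORD cbSecurityDesc = 0;
    BOOL fPresent = FALSE;
    BOOL fDefaultDACL = FALSE;
    PACL pDacl = NULL;

    // Get the security descriptor from the registry; a missing value means
    // there is nothing to remove.
    dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, NULL);
    if (dwReturnValue != ERROR_SUCCESS)
    {
        if (dwReturnValue == ERROR_FILE_NOT_FOUND)
        {
            dwReturnValue = ERROR_SUCCESS;
        }
        goto CLEANUP;
    }

    if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Remove the tszPrincipal that the caller wants removed
    dwReturnValue = RemovePrincipalFromACL (pDacl, tszPrincipal, fAceType);
    if (dwReturnValue == ERROR_FILE_NOT_FOUND)
    {
        dwReturnValue = ERROR_SUCCESS;
        goto CLEANUP;
    }
    else if (dwReturnValue != ERROR_SUCCESS)
    {
        // Keep the helper's own error code. Replacing it with GetLastError()
        // could pick up a stale or zero value and report a failed removal
        // as success.
        goto CLEANUP;
    }

    // Make the security descriptor absolute
    dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute);
    if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

    // Set the discretionary ACL on the security descriptor
    if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Make the security descriptor self-relative so that we can
    // store it in the registry. The first call only reports the size.
    cbSecurityDesc = 0;
    MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc);

    psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc);
    if (psdSelfRelative == NULL)
    {
        // Do not hand a NULL buffer with a non-zero size to MakeSelfRelativeSD.
        dwReturnValue = ERROR_OUTOFMEMORY;
        goto CLEANUP;
    }

    if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Store the security descriptor in the registry
    dwReturnValue = SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative);

CLEANUP:

    if (pSD) free (pSD);
    if (psdSelfRelative) free (psdSelfRelative);
    if (psdAbsolute) free (psdAbsolute);

    return dwReturnValue;
}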
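/*
 * Removes Principal from the DACL of the security descriptor held in the
 * registry value RootKey\KeyName\ValueName and stores the result back.
 *
 * When GetNamedValueSD reports a newly created descriptor, COM_RIGHTS_EXECUTE
 * entries for SYSTEM and INTERACTIVE are added before the removal.
 *
 * Returns ERROR_SUCCESS only when the updated descriptor was written;
 * otherwise the Win32 error code of the first failing step. Unlike the
 * original, a failed conversion, allocation or registry write is reported
 * instead of being ignored, so a caller is not told that access was revoked
 * when the stored descriptor is unchanged.
 */
DWORD RemovePrincipalFromNamedValueSD (
    HKEY RootKey,
    LPTSTR KeyName,
    LPTSTR ValueName,
    LPTSTR Principal
    )
{
    DWORD returnValue = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *sd = NULL;
    SECURITY_DESCRIPTOR *sdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *sdAbsolute = NULL;
    DWORD secDescSize = 0;
    BOOL present = FALSE;
    BOOL defaultDACL = FALSE;
    PACL dacl = NULL;
    BOOL newSD = FALSE;

    //
    // Get security descriptor from registry or create a new one
    //
    returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD);
    if (returnValue != ERROR_SUCCESS)
        return returnValue;   // as in the original, sd is not released on this path

    if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL))
    {
        returnValue = GetLastError();
        goto Cleanup;
    }

    //
    // If the security descriptor is new, add the required Principals to it
    //
    if (newSD)
    {
        // NOTE(review): the results of these two calls are not checked, and
        // the helper receives &dacl so it may replace the ACL - confirm who
        // owns the resulting buffer.
        AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM"));
        AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE"));
    }

    //
    // Remove the Principal that the caller wants removed
    //
    returnValue = RemovePrincipalFromACL (dacl, Principal);
    if (returnValue != ERROR_SUCCESS)
        goto Cleanup;

    //
    // Make the security descriptor absolute if it isn't new
    //
    if (!newSD)
    {
        // A failed conversion would otherwise leave sdAbsolute unusable for
        // the calls below.
        returnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute);
        if (returnValue != ERROR_SUCCESS)
            goto Cleanup;
    }
    else
    {
        sdAbsolute = sd;   // alias of sd; released once in Cleanup
    }

    //
    // Set the discretionary ACL on the security descriptor
    //
    if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE))
    {
        returnValue = GetLastError();
        goto Cleanup;
    }

    //
    // Make the security descriptor self-relative so that we can
    // store it in the registry. The first call only reports the size.
    //
    secDescSize = 0;
    MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize);

    sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize);
    if (sdSelfRelative == NULL)
    {
        returnValue = ERROR_OUTOFMEMORY;
        goto Cleanup;
    }

    if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize))
    {
        returnValue = GetLastError();
        goto Cleanup;
    }

    //
    // Store the security descriptor in the registry and report the outcome
    //
    returnValue = SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative);

Cleanup:

    // sdAbsolute aliases sd for a new descriptor; freeing both was a double free.
    if (sdAbsolute != NULL && sdAbsolute != sd)
        free (sdAbsolute);
    if (sdSelfRelative != NULL)
        free (sdSelfRelative);
    if (sd != NULL)
        free (sd);

    return returnValue;
}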