HRESULT COpcSecurity::Revoke(LPCTSTR pszPrincipal)
{
HRESULT hr = RemovePrincipalFromACL(m_pDACL, pszPrincipal);
if (SUCCEEDED(hr))
SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE);
return hr;
}
DWORD COxtSecurityHelper::RemovePrincipalFromSecurityDescriptor(LPCTSTR tszPermissionName,
LPCTSTR tszPrincipal)
{
DWORD dwReturnValue = ERROR_SUCCESS;
SECURITY_DESCRIPTOR *pSD = NULL;
SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
SECURITY_DESCRIPTOR *psdAbsolute = NULL;
DWORD cbSecurityDesc = 0;
BOOL bPresent = FALSE;
BOOL bDefaultDACL = FALSE;
PACL pDacl = NULL;
do {
// Get security descriptor from registry, if it is not there then
// just return - nothing to do.
dwReturnValue = GetSecurityDescripterByName(tszPermissionName, &pSD, NULL);
if (dwReturnValue != ERROR_SUCCESS)
{
if (dwReturnValue == ERROR_FILE_NOT_FOUND)
dwReturnValue = ERROR_SUCCESS;
break;
}
if (!::GetSecurityDescriptorDacl(pSD, &bPresent, &pDacl, &bDefaultDACL))
{
dwReturnValue = ::GetLastError();
break;
}
// Remove the Principal that the caller wants removed
dwReturnValue = RemovePrincipalFromACL(pDacl, tszPrincipal);
if (dwReturnValue == ERROR_FILE_NOT_FOUND)
{
dwReturnValue = ERROR_SUCCESS;
break;
}
else if (dwReturnValue != ERROR_SUCCESS)
break;
// Make the security descriptor absolute if it isn't new
dwReturnValue = MakeAbsoluteSecurityDescriptor((PSECURITY_DESCRIPTOR)pSD, (PSECURITY_DESCRIPTOR *)&psdAbsolute);
if (dwReturnValue != ERROR_SUCCESS)
break;
// Set the discretionary ACL on the security descriptor
if (!::SetSecurityDescriptorDacl(psdAbsolute, TRUE, pDacl, FALSE))
{
dwReturnValue = ::GetLastError();
break;
}
// Make the security descriptor self-relative so that we can
// store it in the registry
cbSecurityDesc = 0;
::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &cbSecurityDesc);
psdSelfRelative = (SECURITY_DESCRIPTOR *)malloc(cbSecurityDesc);
if (psdSelfRelative == NULL)
{
dwReturnValue = ERROR_OUTOFMEMORY;
break;
}
if (!::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &cbSecurityDesc))
{
dwReturnValue = ::GetLastError();
break;
}
// Store the security descriptor in the registry
dwReturnValue = SetSecurityDescriptorByName(tszPermissionName, psdSelfRelative);
} while (false);
if (pSD != NULL)
free(pSD);
if (psdSelfRelative != NULL)
free(psdSelfRelative);
if (psdAbsolute != NULL)
free(psdAbsolute);
return dwReturnValue;
}
/*---------------------------------------------------------------------------*\
* NAME: RemovePrincipalFromNamedValueSD
* --------------------------------------------------------------------------*
* DESCRIPTION: Retrieves the designated security descriptor from the
* registry and removes all ACLs that belong to the named principal.
\*---------------------------------------------------------------------------*/
DWORD RemovePrincipalFromNamedValueSD (
HKEY hkeyRoot,
LPTSTR tszKeyName,
LPTSTR tszValueName,
LPTSTR tszPrincipal,
DWORD fAceType
)
{
DWORD dwReturnValue = ERROR_SUCCESS;
SECURITY_DESCRIPTOR *pSD = NULL;
SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
SECURITY_DESCRIPTOR *psdAbsolute = NULL;
DWORD cbSecurityDesc = 0;
BOOL fPresent = FALSE;
BOOL fDefaultDACL = FALSE;
PACL pDacl = NULL;
dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, NULL);
// Get security descriptor from registry or create a new one
if (dwReturnValue != ERROR_SUCCESS)
{
if(dwReturnValue == ERROR_FILE_NOT_FOUND)
{
dwReturnValue = ERROR_SUCCESS;
}
goto CLEANUP;
}
if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
// Remove the tszPrincipal that the caller wants removed
dwReturnValue = RemovePrincipalFromACL (pDacl, tszPrincipal, fAceType);
if(dwReturnValue == ERROR_FILE_NOT_FOUND)
{
dwReturnValue = ERROR_SUCCESS;
goto CLEANUP;
}
else if (dwReturnValue != ERROR_SUCCESS)
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
// Make the security descriptor absolute if it isn't new
dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute);
if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
// Set the discretionary ACL on the security descriptor
if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
// Make the security descriptor self-relative so that we can
// store it in the registry
cbSecurityDesc = 0;
MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc);
psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc);
if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
// Store the security descriptor in the registry
dwReturnValue = SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative);
CLEANUP:
if(pSD) free (pSD);
if(psdSelfRelative) free (psdSelfRelative);
if(psdAbsolute) free (psdAbsolute);
return dwReturnValue;
}
DWORD
RemovePrincipalFromNamedValueSD (
HKEY RootKey,
LPTSTR KeyName,
LPTSTR ValueName,
LPTSTR Principal
)
{
DWORD returnValue;
SECURITY_DESCRIPTOR *sd;
SECURITY_DESCRIPTOR *sdSelfRelative = NULL;
SECURITY_DESCRIPTOR *sdAbsolute;
DWORD secDescSize;
BOOL present;
BOOL defaultDACL;
PACL dacl;
BOOL newSD = FALSE;
returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD);
//
// Get security descriptor from registry or create a new one
//
if (returnValue != ERROR_SUCCESS)
return returnValue;
if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL))
return GetLastError();
//
// If the security descriptor is new, add the required Principals to it
//
if (newSD)
{
AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM"));
AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE"));
}
//
// Remove the Principal that the caller wants removed
//
returnValue = RemovePrincipalFromACL (dacl, Principal);
if (returnValue != ERROR_SUCCESS)
{
free (sd);
return returnValue;
}
//
// Make the security descriptor absolute if it isn't new
//
if (!newSD)
MakeSDAbsolute ((PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute); else
sdAbsolute = sd;
//
// Set the discretionary ACL on the security descriptor
//
if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE))
return GetLastError();
//
// Make the security descriptor self-relative so that we can
// store it in the registry
//
secDescSize = 0;
MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize);
sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize);
if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize))
return GetLastError();
//
// Store the security descriptor in the registry
//
SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative);
free (sd);
free (sdSelfRelative);
free (sdAbsolute);
return ERROR_SUCCESS;
}
