Exemple #1
0
DWORD
VmAfdCheckOwnerShipWithHandle (
      PVECS_SRV_STORE_HANDLE pStore,
      PVM_AFD_CONNECTION_CONTEXT pConnectionContext
      )
{
    DWORD dwError = 0;
    PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    if (!pStore ||
        !pConnectionContext ||
        !pConnectionContext->pSecurityContext
       )
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                          pStore,
                          &pSecurityDescriptor
                          );
    BAIL_ON_VMAFD_ERROR (dwError);

    if (!(VmAfdIsRootSecurityContext (pConnectionContext)))
    {
       if (!(VmAfdEqualsSecurityContext(
                     pConnectionContext->pSecurityContext,
                     pSecurityDescriptor->pOwnerSecurityContext
                      )
            ))
       {
          dwError = ERROR_ACCESS_DENIED;
          BAIL_ON_VMAFD_ERROR (dwError);
       }
    }

cleanup:
    if (pSecurityDescriptor)
    {
        VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
    }

    return dwError;

error:
    goto cleanup;
}
Exemple #2
0
DWORD
VmAfdAccessCheckWithHandle (
      PVECS_SRV_STORE_HANDLE pStore,
      PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
      DWORD dwDesiredAccess
      )
{
    DWORD dwError = 0;
    DWORD dwLogError = 0;
    PVECS_SERV_STORE pStoreInfo = NULL;


    PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    PWSTR pszAccountName = NULL;

    if (!pStore ||
        !pConnectionContext ||
        !pConnectionContext->pSecurityContext
       )
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    if ((dwDesiredAccess | VECS_MAXIMUM_ALLOWED_MASK) !=
              VECS_MAXIMUM_ALLOWED_MASK
       )
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    /*
     * We don't care about dwLogError errors because they are
     * used solely for logging purpose. Even if some call fails,
     * the function should not fail
     */

    dwLogError = VmAfdAllocateNameFromContext (
                                                pConnectionContext->pSecurityContext,
                                                &pszAccountName
                                              );


    dwLogError = VmAfdGetStoreFromHandle (
                                          pStore,
                                          pConnectionContext->pSecurityContext,
                                          &pStoreInfo
                                         );

    if (
        !IsNullOrEmptyString(pszAccountName) &&
        pStoreInfo
       )
    {
        PSTR paszAccountName = NULL;
        dwLogError = VmAfdAllocateStringAFromW(
                                                pszAccountName,
                                                &paszAccountName
                                              );
        if (paszAccountName)
        {
          switch (dwDesiredAccess)
          {
            case READ_STORE:
              VmAfdLog (VMAFD_DEBUG_DEBUG,
                  "User %s requested READ operation on Store with ID: %d",
                  paszAccountName,
                  pStoreInfo->dwStoreId
                  );
             break;
            case WRITE_STORE:
              VmAfdLog (VMAFD_DEBUG_DEBUG,
                  "User %s requested WRITE operation on  Store with ID:%d",
                  paszAccountName,
                  pStoreInfo->dwStoreId
                  );
              break;

            default:
              break;
          }
        }
        else
        {
            VmAfdLog(VMAFD_DEBUG_ANY, "%s log failed. error(%u)", __FUNCTION__, dwLogError);
        }
        VMAFD_SAFE_FREE_MEMORY (paszAccountName);
    }

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                          pStore,
                          &pSecurityDescriptor
                          );
    BAIL_ON_VMAFD_ERROR (dwError);

    if (!(VmAfdIsRootSecurityContext (pConnectionContext)))
    {
       if (!(VmAfdEqualsSecurityContext(
                     pConnectionContext->pSecurityContext,
                     pSecurityDescriptor->pOwnerSecurityContext
                      )
            ))
       {
          dwError = VmAfdCheckAcl (
                            pSecurityDescriptor,
                            pConnectionContext->pSecurityContext,
                            dwDesiredAccess
                            );

         BAIL_ON_VMAFD_ERROR (dwError);
       }
    }

cleanup:
    VMAFD_SAFE_FREE_MEMORY (pszAccountName);
    VMAFD_SAFE_FREE_MEMORY (pStoreInfo);
    if (pSecurityDescriptor)
    {
        VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
    }

    return dwError;

error:
    goto cleanup;

}
Exemple #3
0
DWORD
VecsSrvChangeOwner (
    PVECS_SRV_STORE_HANDLE pStore,
    PCWSTR pszUserName,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext
    )
{
    DWORD dwError = 0;
    PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    PVECS_SERV_STORE pStoreInstance = NULL;
    BOOL bIsHoldingLock = FALSE;

    dwError = VmAfdCheckOwnerShipWithHandle (
                              pStore,
                              pConnectionContext
                              );
    BAIL_ON_VMAFD_ERROR (dwError);

    pthread_mutex_lock (&gVmafdGlobals.mutexStoreState);

    bIsHoldingLock = TRUE;

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                              pStore,
                              &pSecurityDescriptor
                              );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdGetStoreFromHandle (
                                        pStore,
                                        pConnectionContext->pSecurityContext,
                                        &pStoreInstance
                                      );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdModifyOwner (
                                pStoreInstance,
                                pszUserName,
                                pSecurityDescriptor
                                );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdSetSecurityDescriptorForHandle (
                                pStore,
                                pSecurityDescriptor
                                );
    BAIL_ON_VMAFD_ERROR (dwError);

    pthread_mutex_unlock (&gVmafdGlobals.mutexStoreState);

    bIsHoldingLock = FALSE;

cleanup:
    if (pSecurityDescriptor)
    {
        VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
    }

    if (bIsHoldingLock)
    {
        pthread_mutex_unlock(&gVmafdGlobals.mutexStoreState);
    }

    VMAFD_SAFE_FREE_MEMORY (pStoreInstance);

    return dwError;

error:
    goto cleanup;
}
Exemple #4
0
DWORD
VecsSrvGetPermissions (
    PVECS_SRV_STORE_HANDLE pStore,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext,
    PWSTR *ppszOwnerName,
    PDWORD pdwUserCount,
    PVECS_STORE_PERMISSION_W *ppPermissions
    )
{
    DWORD dwError = 0;
    PWSTR pszOwnerName = NULL;
    DWORD dwUserCount = 0;
    PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    PVECS_STORE_PERMISSION_W pPermissions = NULL;


    if (!pStore ||
        !ppszOwnerName ||
        !pdwUserCount ||
        !ppPermissions
       )
    {
        dwError = ERROR_INVALID_PARAMETER;
        BAIL_ON_VMAFD_ERROR (dwError);
    }

    dwError = VmAfdCheckOwnerShipWithHandle(
                                    pStore,
                                    pConnectionContext
                                    );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                                           pStore,
                                           &pSecurityDescriptor
                                           );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdAllocateNameFromContext (
                                  pSecurityDescriptor->pOwnerSecurityContext,
                                  &pszOwnerName
                                  );
    BAIL_ON_VMAFD_ERROR (dwError);

    if (
        pSecurityDescriptor->pAcl &&
        pSecurityDescriptor->pAcl->dwAceCount
       )
    {
        DWORD dwIndex = 0;
        PVMAFD_ACE_LIST pAceListCursor = NULL;
        dwUserCount = pSecurityDescriptor->pAcl->dwAceCount;

        dwError = VmAfdAllocateMemory(
                              dwUserCount * sizeof (VECS_STORE_PERMISSION_W),
                              (PVOID *)&pPermissions
                              );
        BAIL_ON_VMAFD_ERROR (dwError);

        pAceListCursor = pSecurityDescriptor->pAcl->pAceList;

        for (; pAceListCursor && dwIndex < dwUserCount; dwIndex++)
        {

          PVECS_STORE_PERMISSION_W pCursor = &pPermissions[dwIndex];

          dwError = VmAfdAllocateNameFromContext(
                                  pAceListCursor->Ace.pSecurityContext,
                                  &pCursor->pszUserName
                                  );
          BAIL_ON_VMAFD_ERROR (dwError);

          pCursor->dwAccessMask = pAceListCursor->Ace.accessMask;

          pAceListCursor = pAceListCursor->pNext;
        }
    }

    *ppszOwnerName = pszOwnerName;
    *pdwUserCount = dwUserCount;
    *ppPermissions = pPermissions;

cleanup:
    if (pSecurityDescriptor)
    {
        VmAfdFreeSecurityDescriptor(pSecurityDescriptor);
    }

    return dwError;

error:
    if (ppszOwnerName)
    {
        *ppszOwnerName = NULL;
    }
    if (pdwUserCount)
    {
        *pdwUserCount = 0;
    }
    if (ppPermissions)
    {
        *ppPermissions = NULL;
    }

    VMAFD_SAFE_FREE_MEMORY (pszOwnerName);
    if (pPermissions)
    {
        VmAfdFreeStorePermissionArray(
                              pPermissions,
                              dwUserCount
                              );
    }

    goto cleanup;
}
Exemple #5
0
DWORD
VecsSrvRevokePermission (
    PVECS_SRV_STORE_HANDLE pStore,
    PCWSTR pszUserName,
    UINT32 accessMask,
    VMAFD_ACE_TYPE aceType,
    PVM_AFD_CONNECTION_CONTEXT pConnectionContext
    )
{
    DWORD dwError = 0;

    PVMAFD_SECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
    PVECS_SERV_STORE pStoreInstance = NULL;
    BOOL bIsHoldingLock = FALSE;
    PWSTR pwszAccountName = NULL;
    DWORD dwLogError = 0;

    dwError = VmAfdCheckOwnerShipWithHandle (
                            pStore,
                            pConnectionContext
                            );
    BAIL_ON_VMAFD_ERROR (dwError);

    pthread_mutex_lock (&gVmafdGlobals.mutexStoreState);

    bIsHoldingLock = TRUE;

    dwError = VmAfdGetSecurityDescriptorFromHandle (
                                pStore,
                                &pSecurityDescriptor
                                );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdGetStoreFromHandle (
                                        pStore,
                                        pConnectionContext->pSecurityContext,
                                        &pStoreInstance
                                      );
    BAIL_ON_VMAFD_ERROR (dwError);


    dwError = VmAfdModifyPermissions (
                                pStoreInstance,
                                pszUserName,
                                accessMask,
                                aceType,
                                pSecurityDescriptor,
                                VMW_IPC_MODIFY_PERMISSIONS_REVOKE
                                );
    BAIL_ON_VMAFD_ERROR (dwError);

    dwError = VmAfdSetSecurityDescriptorForHandle (
                                pStore,
                                pSecurityDescriptor
                                );
    BAIL_ON_VMAFD_ERROR (dwError);

    pthread_mutex_unlock (&gVmafdGlobals.mutexStoreState);

    bIsHoldingLock = FALSE;

    dwLogError = VmAfdAllocateNameFromContext (
                                               pConnectionContext->pSecurityContext,
                                               &pwszAccountName
                                              );
    if (!IsNullOrEmptyString(pwszAccountName))
    {
        PSTR pszAccountName = NULL;
        PSTR paszUserName = NULL;
        dwLogError = VmAfdAllocateStringAFromW(
                                               pwszAccountName,
                                               &pszAccountName
                                              );
        dwLogError = VmAfdAllocateStringAFromW (
                                                pszUserName,
                                                &paszUserName
                                               );
        if (pszAccountName)
        {
           VmAfdLog (VMAFD_DEBUG_ANY,
                     "User %s changed permission of Store with ID: %d \n "
                     "Permission %s %s was revoked from user %s",
                     pszAccountName,
                     pStoreInstance->dwStoreId,
                     accessMask & READ_STORE ? "read" : "",
                     accessMask & WRITE_STORE ? "write": "",
                     !IsNullOrEmptyString(paszUserName)? paszUserName: ""
                    );
        }
        VMAFD_SAFE_FREE_MEMORY (pszAccountName);
        VMAFD_SAFE_FREE_MEMORY (paszUserName);
    }


cleanup:
    if (pSecurityDescriptor)
    {
        VmAfdFreeSecurityDescriptor (pSecurityDescriptor);
    }

    if (bIsHoldingLock)
    {
        pthread_mutex_unlock(&gVmafdGlobals.mutexStoreState);
    }

    VMAFD_SAFE_FREE_MEMORY (pStoreInstance);
    VMAFD_SAFE_FREE_MEMORY (pwszAccountName);

    return dwError;

error:
    goto cleanup;
}