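/*---------------------------------------------------------------------------*\
 * NAME: SetLegacyAclDefaults
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Adds the default ACEs to the supplied ACL as configured in
 * the legacy COM security model.
 *
 * Launch types (default/application) grant COM_RIGHTS_EXECUTE to SYSTEM,
 * Administrators and Interactive; access types (default/application) grant
 * COM_RIGHTS_EXECUTE to SYSTEM and SELF.
 *
 * PARAMETERS:
 *   pDacl    - ACL that receives the default ACEs.
 *   dwSDType - one of the SDTYPE_* values handled below.
 *
 * RETURNS: ERROR_SUCCESS when every ACE was added, the first failing status
 * from AddAccessAllowedACEToACL otherwise, or ERROR_BAD_ARGUMENTS for an
 * unrecognised dwSDType.
 *
 * NOTE(review): pDacl is received by value and its address is handed to
 * AddAccessAllowedACEToACL. If that helper stores a replacement ACL through
 * its first argument, the caller's pointer is never updated - confirm against
 * the callers (SetAclDefaults takes a PACL* instead).
\*---------------------------------------------------------------------------*/
DWORD SetLegacyAclDefaults(
    PACL pDacl,
    DWORD dwSDType
    )
{
    DWORD dwReturnValue = ERROR_BAD_ARGUMENTS;

    switch (dwSDType)
    {
    case SDTYPE_DEFAULT_LAUNCH:
    case SDTYPE_APPLICATION_LAUNCH:

        dwReturnValue = AddAccessAllowedACEToACL (&pDacl, COM_RIGHTS_EXECUTE, _T("SYSTEM"));
        if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

        dwReturnValue = AddAccessAllowedACEToACL (&pDacl, COM_RIGHTS_EXECUTE, _T("Administrators"));
        if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

        dwReturnValue = AddAccessAllowedACEToACL (&pDacl, COM_RIGHTS_EXECUTE, _T("Interactive"));
        break;

    case SDTYPE_DEFAULT_ACCESS:
    case SDTYPE_APPLICATION_ACCESS:

        // The status is still the initial ERROR_BAD_ARGUMENTS at this point,
        // so testing it before the first call (as the code used to) skipped
        // both ACEs and made every access-type request fail.
        dwReturnValue = AddAccessAllowedACEToACL (&pDacl, COM_RIGHTS_EXECUTE, _T("SYSTEM"));
        if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

        dwReturnValue = AddAccessAllowedACEToACL (&pDacl, COM_RIGHTS_EXECUTE, _T("SELF"));
        break;

    default:

        _tprintf(_T("WARNING: SetLegacyAclDefaults- Invalid security descriptor type.\n"));
        break;
    }

CLEANUP:

    return dwReturnValue;
}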
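/*
 * Adds an access-allowed ACE for pszPrincipal with dwAccessMask to the
 * object's DACL (m_pDACL) and then re-attaches that DACL to the object's
 * security descriptor (m_pSD).
 *
 * Returns the HRESULT from AddAccessAllowedACEToACL when that call fails,
 * the converted GetLastError() value when the descriptor cannot be updated,
 * and the helper's success code otherwise.
 */
HRESULT COpcSecurity::Allow(LPCTSTR pszPrincipal, DWORD dwAccessMask)
{
    HRESULT hr = AddAccessAllowedACEToACL(&m_pDACL, pszPrincipal, dwAccessMask);
    if (FAILED(hr))
    {
        return hr;
    }

    // A failure here used to be dropped, so the caller was told the grant
    // succeeded while m_pSD was left without the updated DACL attached.
    if (!SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE))
    {
        return HRESULT_FROM_WIN32(GetLastError());
    }

    return hr;
}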
/*
 * Adds the legacy default COM_RIGHTS_EXECUTE ACEs for an application launch
 * or application access descriptor to *ppDacl.
 *
 * Principals are taken from g_ptszPrincipals; per the original inline
 * comments index 0 is INTERACTIVE, 1 is SYSTEM and 2 is Administrators.
 * Processing stops at the first failing AddAccessAllowedACEToACL call.
 *
 * Returns ERROR_BAD_ARGUMENTS for any other dwSDType, otherwise the status
 * of the last AddAccessAllowedACEToACL call that ran.
 */
DWORD COxtSecurityHelper::SetLegacyACLDefaults(PACL *ppDacl, DWORD dwSDType)
{
    // Order in which the principals are granted for each descriptor type.
    static const int launchOrder[] = { 1, 2, 0 };   // SYSTEM, Administrators, INTERACTIVE
    static const int accessOrder[] = { 1, 0 };      // SYSTEM, INTERACTIVE

    const int *pOrder = NULL;
    int cPrincipals = 0;

    if (dwSDType == SDTYPE_APPLICATION_LAUNCH)
    {
        pOrder = launchOrder;
        cPrincipals = 3;
    }
    else if (dwSDType == SDTYPE_APPLICATION_ACCESS)
    {
        pOrder = accessOrder;
        cPrincipals = 2;
    }

    // With no matching type the loop does not run and the initial
    // ERROR_BAD_ARGUMENTS is returned unchanged.
    DWORD dwStatus = ERROR_BAD_ARGUMENTS;
    for (int i = 0; i < cPrincipals; ++i)
    {
        dwStatus = AddAccessAllowedACEToACL(ppDacl, COM_RIGHTS_EXECUTE, g_ptszPrincipals[pOrder[i]]);
        if (dwStatus != ERROR_SUCCESS)
        {
            break;
        }
    }

    return dwStatus;
}
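/*---------------------------------------------------------------------------*\
 * NAME: AddPrincipalToNamedValueSD
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Retrieves the designated security descriptor from the
 * registry and adds an ACE for the designated principal.
 *
 * PARAMETERS:
 *   hkeyRoot, tszKeyName, tszValueName - registry location of the descriptor,
 *                  passed through to GetNamedValueSD / SetNamedValueSD.
 *   tszPrincipal - principal the new ACE is for.
 *   fPermit      - TRUE adds an access-allowed ACE, FALSE an access-denied ACE.
 *   dwAccessMask - rights carried by the new ACE.
 *   dwSDType     - SDTYPE_* value used to seed the defaults (SetAclDefaults)
 *                  when GetNamedValueSD reports a newly created descriptor.
 *
 * RETURNS: ERROR_SUCCESS, or the first failing status / GetLastError() value.
 *
 * The status of the final registry write is returned as well (assumes
 * SetNamedValueSD returns a Win32 status like the other helpers used here),
 * so a descriptor that could not be stored is no longer reported as success.
\*---------------------------------------------------------------------------*/
DWORD AddPrincipalToNamedValueSD (
    HKEY hkeyRoot,
    LPTSTR tszKeyName,
    LPTSTR tszValueName,
    LPTSTR tszPrincipal,
    BOOL fPermit,
    DWORD dwAccessMask,
    DWORD dwSDType
    )
{
    DWORD dwReturnValue = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *pSD = NULL;
    SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *psdAbsolute = NULL;
    DWORD cbSecurityDesc = 0;
    BOOL fPresent = FALSE;
    BOOL fDefaultDACL = FALSE;
    PACL pDacl = NULL;
    BOOL fNewSD = FALSE;

    // Get security descriptor from registry or create a new one
    dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, &fNewSD);
    if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

    if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // A freshly created descriptor is seeded with the defaults for its type
    if (fNewSD)
    {
        dwReturnValue = SetAclDefaults(&pDacl, dwSDType);
        if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
    }

    // Add the tszPrincipal that the caller wants added
    if (fPermit)
    {
        dwReturnValue = AddAccessAllowedACEToACL (&pDacl, dwAccessMask, tszPrincipal);
    }
    else
    {
        dwReturnValue = AddAccessDeniedACEToACL (&pDacl, dwAccessMask, tszPrincipal);
    }
    if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

    // Make the security descriptor absolute if it isn't new
    if (!fNewSD)
    {
        dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute);
        if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
    }
    else
    {
        // Shares the allocation with pSD; CLEANUP must free it only once
        psdAbsolute = pSD;
    }

    // Set the discretionary ACL on the security descriptor
    if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Now ensure consistency of the SD
    dwReturnValue = CanonicalizeSD(psdAbsolute);
    if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

    // Make the security descriptor self-relative so that we can
    // store it in the registry. The first call only reports the
    // required size in cbSecurityDesc.
    cbSecurityDesc = 0;
    MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc);

    psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc);
    if (!psdSelfRelative)
    {
        dwReturnValue = ERROR_OUTOFMEMORY;
        goto CLEANUP;
    }

    if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Store the security descriptor in the registry and report whether the
    // write succeeded; callers rely on the return value to know that the
    // allow/deny ACE is actually in effect.
    dwReturnValue = SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative);

CLEANUP:

    if (pSD) free (pSD);
    if (psdSelfRelative) free (psdSelfRelative);
    if (psdAbsolute && pSD != psdAbsolute) free (psdAbsolute);

    return dwReturnValue;
}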
/*---------------------------------------------------------------------------*\
 * NAME: SetAclDefaults
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Sets the default ACEs in an ACL for the enhanced COM
 * security model.
 *
 * PARAMETERS:
 *   ppDacl   - ACL pointer handed to AddAccessAllowedACEToACL for every ACE.
 *   dwSDType - SDTYPE_* value selecting the set of default ACEs.
 *
 * RETURNS: ERROR_SUCCESS when all ACEs for the type were added, the first
 * failing AddAccessAllowedACEToACL status otherwise, or ERROR_BAD_ARGUMENTS
 * (after printing a warning) for an unrecognised dwSDType.
 *
 * Reviewers should note how broad two of these defaults are: the machine
 * launch set grants Everyone local activation and execution, and the machine
 * access set grants Everyone remote as well as local execution.
\*---------------------------------------------------------------------------*/
DWORD SetAclDefaults(
    PACL *ppDacl,
    DWORD dwSDType
    )
{
    // Named combinations of the right masks used below.
    const DWORD dwLocalAccess  = COM_RIGHTS_EXECUTE_LOCAL | COM_RIGHTS_EXECUTE;
    const DWORD dwRemoteAccess = COM_RIGHTS_EXECUTE_REMOTE | dwLocalAccess;
    const DWORD dwLocalLaunch  = COM_RIGHTS_ACTIVATE_LOCAL | dwLocalAccess;
    const DWORD dwFullLaunch   = COM_RIGHTS_ACTIVATE_REMOTE | COM_RIGHTS_EXECUTE_REMOTE | dwLocalLaunch;

    DWORD dwStatus = ERROR_BAD_ARGUMENTS;

    // Within each case the next ACE is attempted only while the previous
    // call succeeded, so the first failure is what gets returned.
    switch (dwSDType)
    {
    case SDTYPE_MACHINE_LAUNCH:
        dwStatus = AddAccessAllowedACEToACL (ppDacl, dwFullLaunch, _T("Administrators"));
        if (dwStatus == ERROR_SUCCESS)
        {
            dwStatus = AddAccessAllowedACEToACL (ppDacl, dwFullLaunch, _T("Offer Remote Assistance Helpers"));
        }
        if (dwStatus == ERROR_SUCCESS)
        {
            dwStatus = AddAccessAllowedACEToACL (ppDacl, dwLocalLaunch, _T("Everyone"));
        }
        break;

    case SDTYPE_MACHINE_ACCESS:
        dwStatus = AddAccessAllowedACEToACL (ppDacl, dwRemoteAccess, _T("Everyone"));
        if (dwStatus == ERROR_SUCCESS)
        {
            // NOTE(review): this second ACE names the same principal with a
            // subset of the rights just granted, so it adds nothing -
            // confirm which principal was intended here.
            dwStatus = AddAccessAllowedACEToACL (ppDacl, dwLocalAccess, _T("Everyone"));
        }
        break;

    case SDTYPE_DEFAULT_LAUNCH:
    case SDTYPE_APPLICATION_LAUNCH:
        dwStatus = AddAccessAllowedACEToACL (ppDacl, dwFullLaunch, _T("SYSTEM"));
        if (dwStatus == ERROR_SUCCESS)
        {
            dwStatus = AddAccessAllowedACEToACL (ppDacl, dwFullLaunch, _T("Administrators"));
        }
        if (dwStatus == ERROR_SUCCESS)
        {
            dwStatus = AddAccessAllowedACEToACL (ppDacl, dwFullLaunch, _T("Interactive"));
        }
        break;

    case SDTYPE_DEFAULT_ACCESS:
    case SDTYPE_APPLICATION_ACCESS:
        dwStatus = AddAccessAllowedACEToACL (ppDacl, dwLocalAccess, _T("SYSTEM"));
        if (dwStatus == ERROR_SUCCESS)
        {
            dwStatus = AddAccessAllowedACEToACL (ppDacl, dwRemoteAccess, _T("SELF"));
        }
        break;

    default:
        _tprintf(_T("WARNING: SetAclDefaults- Invalid security descriptor type.\n"));
        break;
    }

    return dwStatus;
}
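/*
 * Reads the security descriptor stored at RootKey\KeyName (value ValueName),
 * removes Principal from its DACL and writes the descriptor back.
 *
 * When GetNamedValueSD reports a newly created descriptor, SYSTEM and
 * INTERACTIVE are first granted COM_RIGHTS_EXECUTE.
 *
 * Returns ERROR_SUCCESS, or the first failing status / GetLastError() value.
 *
 * Changes from the earlier version of this function:
 *  - every exit goes through one cleanup path, so the descriptors are no
 *    longer leaked on the GetLastError() returns;
 *  - for a new descriptor sdAbsolute aliases sd, which used to be freed
 *    twice; it is now freed once;
 *  - the results of MakeSDAbsolute, malloc, the default-ACE calls and the
 *    registry write are checked instead of ignored (assumes SetNamedValueSD
 *    returns a Win32 status like the other helpers used here).
 */
DWORD RemovePrincipalFromNamedValueSD (
    HKEY RootKey,
    LPTSTR KeyName,
    LPTSTR ValueName,
    LPTSTR Principal
    )
{
    DWORD returnValue = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *sd = NULL;
    SECURITY_DESCRIPTOR *sdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *sdAbsolute = NULL;
    DWORD secDescSize = 0;
    BOOL present = FALSE;
    BOOL defaultDACL = FALSE;
    PACL dacl = NULL;
    BOOL newSD = FALSE;

    //
    // Get security descriptor from registry or create a new one
    //
    returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD);
    if (returnValue != ERROR_SUCCESS)
        return returnValue;

    if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL))
    {
        returnValue = GetLastError();
        goto CLEANUP;
    }

    //
    // If the security descriptor is new, add the required Principals to it
    //
    if (newSD)
    {
        returnValue = AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM"));
        if (returnValue != ERROR_SUCCESS) goto CLEANUP;

        returnValue = AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE"));
        if (returnValue != ERROR_SUCCESS) goto CLEANUP;
    }

    //
    // Remove the Principal that the caller wants removed
    //
    returnValue = RemovePrincipalFromACL (dacl, Principal);
    if (returnValue != ERROR_SUCCESS) goto CLEANUP;

    //
    // Make the security descriptor absolute if it isn't new
    //
    if (!newSD)
    {
        returnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute);
        if (returnValue != ERROR_SUCCESS) goto CLEANUP;
    }
    else
    {
        // Same allocation as sd; CLEANUP frees it only once
        sdAbsolute = sd;
    }

    //
    // Set the discretionary ACL on the security descriptor
    //
    if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE))
    {
        returnValue = GetLastError();
        goto CLEANUP;
    }

    //
    // Make the security descriptor self-relative so that we can
    // store it in the registry. The first call only reports the
    // required size in secDescSize.
    //
    secDescSize = 0;
    MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize);

    sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize);
    if (!sdSelfRelative)
    {
        returnValue = ERROR_OUTOFMEMORY;
        goto CLEANUP;
    }

    if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize))
    {
        returnValue = GetLastError();
        goto CLEANUP;
    }

    //
    // Store the security descriptor in the registry; a failed write means
    // the principal still has its old access, so the status is returned.
    //
    returnValue = SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative);

CLEANUP:

    if (sdAbsolute && sdAbsolute != sd) free (sdAbsolute);
    if (sdSelfRelative) free (sdSelfRelative);
    if (sd) free (sd);

    return returnValue;
}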
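/*
 * Grants dwPermissionMask to the account identified by sid in the security
 * descriptor stored at RootKey\KeyName (value ValueName) and writes the
 * descriptor back.
 *
 * When GetNamedValueSD reports a newly created descriptor and bLimits is
 * FALSE, SYSTEM and INTERACTIVE are first granted COM_RIGHTS_EXECUTE.
 * The account is resolved with LookupAccountSid and passed on as
 * "DOMAIN\account".
 *
 * Returns ERROR_SUCCESS, or the first failing status / GetLastError() value.
 *
 * Changes from the earlier version of this function:
 *  - userName was 256 characters while the domain and account buffers may
 *    each hold 255, so the combined name could overrun it on the stack; it
 *    is now sized for both parts plus the separator;
 *  - every exit goes through one cleanup path, so the descriptors are no
 *    longer leaked on the GetLastError() returns;
 *  - the results of MakeSDAbsolute, malloc, the default-ACE calls and the
 *    registry write are checked instead of ignored (assumes SetNamedValueSD
 *    returns a Win32 status like the other helpers used here).
 *
 * NOTE(review): sprintf on TCHAR buffers only builds for ANSI (non-UNICODE)
 * targets; that was already the case and is left unchanged.
 */
DWORD setDCOMPermission(
    HKEY RootKey,
    LPTSTR KeyName,
    PSID sid,
    LPTSTR ValueName,
    DWORD dwPermissionMask,
    BOOL bLimits)
{
    DWORD returnValue = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *sd = NULL;
    SECURITY_DESCRIPTOR *sdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *sdAbsolute = NULL;
    DWORD secDescSize = 0;
    BOOL present = FALSE;
    BOOL defaultDACL = FALSE;
    PACL dacl = NULL;
    BOOL newSD = FALSE;

    // Declared up front so that no goto jumps over an initialisation.
    TCHAR acctName[256];
    TCHAR domainName[256];
    // Longest result: 255 (domain) + '\\' + 255 (account) + terminator.
    TCHAR userName[256 + 256];
    DWORD dwAcctName = sizeof(acctName) / sizeof(acctName[0]);
    DWORD dwDomainName = sizeof(domainName) / sizeof(domainName[0]);
    SID_NAME_USE eUse = SidTypeUnknown;

    //
    // Get security descriptor from registry or create a new one
    //
    returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD);
    if (returnValue != ERROR_SUCCESS)
    {
        return returnValue;
    }

    if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL))
    {
        returnValue = GetLastError();
        goto CLEANUP;
    }

    if ((newSD) && (!bLimits))
    {
        returnValue = AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM"));
        if (returnValue != ERROR_SUCCESS) goto CLEANUP;

        returnValue = AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE"));
        if (returnValue != ERROR_SUCCESS) goto CLEANUP;
    }

    //
    // Get the account according to the SID
    //
    if (!LookupAccountSid (NULL, sid, acctName, &dwAcctName, domainName, &dwDomainName, &eUse))
    {
        returnValue = GetLastError();
        goto CLEANUP;
    }
    sprintf(userName, "%s\\%s", domainName, acctName);

    returnValue = AddAccessAllowedACEToACL (&dacl, dwPermissionMask, userName);
    if (returnValue != ERROR_SUCCESS) goto CLEANUP;

    //
    // Make the security descriptor absolute if it isn't new
    //
    if (!newSD)
    {
        returnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute);
        if (returnValue != ERROR_SUCCESS) goto CLEANUP;
    }
    else
    {
        // Same allocation as sd; CLEANUP frees it only once
        sdAbsolute = sd;
    }

    //
    // Set the discretionary ACL on the security descriptor
    //
    if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE))
    {
        returnValue = GetLastError();
        goto CLEANUP;
    }

    //
    // Make the security descriptor self-relative so that we can
    // store it in the registry. The first call only reports the
    // required size in secDescSize.
    //
    secDescSize = 0;
    MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize);

    sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize);
    if (!sdSelfRelative)
    {
        returnValue = ERROR_OUTOFMEMORY;
        goto CLEANUP;
    }

    if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize))
    {
        returnValue = GetLastError();
        goto CLEANUP;
    }

    //
    // Store the security descriptor in the registry and report whether
    // the write succeeded.
    //
    returnValue = SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative);

CLEANUP:

    if (sdAbsolute && sdAbsolute != sd) free (sdAbsolute);
    if (sdSelfRelative) free (sdSelfRelative);
    if (sd) free (sd);

    return returnValue;
}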