static NTSTATUS DOKAN_CALLBACK MirrorSetFileSecurity(
LPCWSTR FileName, PSECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR SecurityDescriptor, ULONG SecurityDescriptorLength,
PDOKAN_FILE_INFO DokanFileInfo) {
HANDLE handle;
WCHAR filePath[MAX_PATH];
UNREFERENCED_PARAMETER(SecurityDescriptorLength);
GetFilePath(filePath, MAX_PATH, FileName);
DbgPrint(L"SetFileSecurity %s\n", filePath);
handle = (HANDLE)DokanFileInfo->Context;
if (!handle || handle == INVALID_HANDLE_VALUE) {
DbgPrint(L"\tinvalid handle\n\n");
return STATUS_INVALID_HANDLE;
}
if (!SetUserObjectSecurity(handle, SecurityInformation, SecurityDescriptor)) {
int error = GetLastError();
DbgPrint(L" SetUserObjectSecurity failed: %d\n", error);
return ToNtStatus(error);
}
return STATUS_SUCCESS;
}
/* Quick and dirty window station security fix */
BOOL SetWinstaDesktopSecurity(void)
{
HWINSTA hWinsta;
HDESK hDesk;
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
SECURITY_DESCRIPTOR sd;
// Get the current window station and desktop
hWinsta = GetProcessWindowStation();
if(hWinsta == NULL)
return FALSE;
hDesk = GetThreadDesktop(GetCurrentThreadId());
if (hDesk == NULL)
return FALSE;
// Create a NULL DACL
InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
SetSecurityDescriptorDacl(&sd, TRUE, (PACL) NULL, FALSE);
// Set the NULL DACL
if (!SetUserObjectSecurity(hWinsta, &si, &sd))
{
printf("SetUserObjectSecurity on the window station failed: %d",GetLastError());
return FALSE;
}
if (!SetUserObjectSecurity(hDesk, &si, &sd))
{
printf("SetUserObjectSecurity on the desktop failed: %d",GetLastError());
return FALSE;
}
// Return indicating success
return TRUE;
}
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid)
{
// Obtain the DACL for the window station.
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
DWORD sd_length = 0;
if (!GetUserObjectSecurity(hwinsta, &si, NULL, 0, &sd_length)) {
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
printf("GetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
}
auto_buffer<PSECURITY_DESCRIPTOR> psd(sd_length);
if (!GetUserObjectSecurity(hwinsta, &si, psd.get(), sd_length, &sd_length)) {
printf("GetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
// Create a new DACL.
auto_buffer<PSECURITY_DESCRIPTOR> psd_new(sd_length);
if (!InitializeSecurityDescriptor(psd_new.get(), SECURITY_DESCRIPTOR_REVISION)) {
printf("InitializeSecurityDescriptor() failed: %d\n", GetLastError());
return FALSE;
}
// Get the DACL from the security descriptor.
BOOL bDaclPresent;
PACL pacl;
BOOL bDaclExist;
if (!GetSecurityDescriptorDacl(psd.get(), &bDaclPresent, &pacl, &bDaclExist)) {
printf("GetSecurityDescriptorDacl() failed: %d\n", GetLastError());
return FALSE;
}
// Initialize the ACL.
ACL_SIZE_INFORMATION aclSizeInfo = {};
aclSizeInfo.AclBytesInUse = sizeof(ACL);
if (NULL != pacl) {
// get the file ACL size info
if (!GetAclInformation(pacl, &aclSizeInfo, sizeof aclSizeInfo, AclSizeInformation)) {
printf("GetAclInformation() failed: %d\n", GetLastError());
return FALSE;
}
}
// Compute the size of the new ACL.
DWORD new_acl_size = aclSizeInfo.AclBytesInUse +
(2 * sizeof(ACCESS_ALLOWED_ACE)) +
(2 * GetLengthSid(psid)) - (2 * sizeof(DWORD));
auto_buffer<PACL> new_acl(new_acl_size);
// Initialize the new DACL.
if (!InitializeAcl(new_acl.get(), new_acl_size, ACL_REVISION)) {
printf("InitializeAcl() failed: %d\n", GetLastError());
return FALSE;
}
// If DACL is present, copy it to a new DACL.
if (bDaclPresent) {
// Copy the ACEs to the new ACL.
if (aclSizeInfo.AceCount) {
for (DWORD i = 0; i != aclSizeInfo.AceCount; ++i) {
LPVOID pTempAce;
if (!GetAce(pacl, i, &pTempAce)) {
printf("GetAce() failed: %d\n", GetLastError());
return FALSE;
}
if (!AddAce(new_acl.get(), ACL_REVISION, MAXDWORD,
pTempAce, ((PACE_HEADER)pTempAce)->AceSize)) {
printf("AddAce() failed: %d\n", GetLastError());
return FALSE;
}
}
}
}
// Add the first ACE to the window station.
auto_buffer<ACCESS_ALLOWED_ACE*> ace(sizeof(ACCESS_ALLOWED_ACE) +
GetLengthSid(psid) -
sizeof(DWORD));
ace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
ace->Header.AceFlags = CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE;
ace->Header.AceSize = (WORD) (sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(psid) - sizeof(DWORD));
ace->Mask = GENERIC_ACCESS;
if (!CopySid(GetLengthSid(psid), &ace->SidStart, psid)) {
printf("CopySid() failed: %d\n", GetLastError());
return FALSE;
}
if (!AddAce(new_acl.get(), ACL_REVISION, MAXDWORD, ace.get(), ace->Header.AceSize)) {
printf("AddAce() failed: %d\n", GetLastError());
return FALSE;
}
// Add the second ACE to the window station.
ace->Header.AceFlags = NO_PROPAGATE_INHERIT_ACE;
ace->Mask = WINSTA_ALL;
if (!AddAce(new_acl.get(), ACL_REVISION,MAXDWORD, ace.get(), ace->Header.AceSize)) {
printf("AddAce() failed: %d\n", GetLastError());
return FALSE;
}
// Set a new DACL for the security descriptor.
if (!SetSecurityDescriptorDacl(psd_new.get(), TRUE, new_acl.get(), FALSE)) {
printf("SetSecurityDescriptorDacl() failed: %d\n", GetLastError());
return FALSE;
}
// Set the new security descriptor for the window station.
if (!SetUserObjectSecurity(hwinsta, &si, psd_new.get())) {
printf("SetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
return TRUE;
}
BOOL RemoveAceFromDesktop(HDESK hdesk, PSID psid)
{
// Obtain the security descriptor for the desktop object.
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
DWORD sd_size = 0;
if (!GetUserObjectSecurity(hdesk, &si, NULL, 0, &sd_size)) {
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
printf("GetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
}
auto_buffer<PSECURITY_DESCRIPTOR> psd(sd_size);
if (!GetUserObjectSecurity(hdesk, &si, psd.get(), sd_size, &sd_size)) {
printf("GetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
// Create a new security descriptor.
auto_buffer<PSECURITY_DESCRIPTOR> psd_new(sd_size);
if (!InitializeSecurityDescriptor(psd_new.get(), SECURITY_DESCRIPTOR_REVISION)) {
printf("InitializeSecurityDescriptor() failed: %d\n", GetLastError());
return FALSE;
}
// Obtain the DACL from the security descriptor.
BOOL bDaclPresent;
PACL pacl;
BOOL bDaclExist;
if (!GetSecurityDescriptorDacl(psd.get(), &bDaclPresent, &pacl, &bDaclExist)) {
printf("GetSecurityDescriptorDacl() failed: %d\n", GetLastError());
return FALSE;
}
// Initialize.
ACL_SIZE_INFORMATION aclSizeInfo = {};
aclSizeInfo.AclBytesInUse = sizeof(ACL);
if (pacl != NULL) {
// Determine the size of the ACL information.
if (!GetAclInformation(pacl, (LPVOID)&aclSizeInfo, sizeof aclSizeInfo, AclSizeInformation)) {
printf("GetAclInformation() failed: %d\n", GetLastError());
return FALSE;
}
}
// Allocate buffer for the new ACL.
DWORD dwNewAclSize = aclSizeInfo.AclBytesInUse -
(sizeof(ACCESS_ALLOWED_ACE) +
GetLengthSid(psid) - sizeof(DWORD));
auto_buffer<PACL> new_acl(dwNewAclSize);
// Initialize the new ACL.
if (!InitializeAcl(new_acl.get(), dwNewAclSize, ACL_REVISION)) {
printf("InitializeAcl() failed: %d\n", GetLastError());
return FALSE;
}
// If DACL is present, copy it to a new DACL.
if (bDaclPresent) {
// Copy the ACEs to the new ACL.
for (DWORD i = 0; i != aclSizeInfo.AceCount; ++i) {
// Get an ACE.
ACCESS_ALLOWED_ACE* pace;
if (!GetAce(pacl, i, (void**)&pace)) {
printf("GetAce() failed: %d\n", GetLastError());
return FALSE;
}
if (!EqualSid(psid, &pace->SidStart)) {
// Add the ACE to the new ACL.
if (!AddAce(new_acl.get(), ACL_REVISION,MAXDWORD, pace,
pace->Header.AceSize)) {
printf("AddAce() failed: %d\n", GetLastError());
return FALSE;
}
}
}
}
// Set new DACL to the new security descriptor.
if (!SetSecurityDescriptorDacl(psd_new.get(), TRUE, new_acl.get(), FALSE)) {
printf("SetSecurityDescriptorDacl() failed: %d\n", GetLastError());
return FALSE;
}
// Set the new security descriptor for the desktop object.
if (!SetUserObjectSecurity(hdesk, &si, psd_new.get())) {
printf("SetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
return TRUE;
}
BOOL RemoveAceFromWindowStation(HWINSTA hwinsta, PSID psid)
{
// Obtain the DACL for the window station.
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
DWORD sd_length = 0;
if (!GetUserObjectSecurity(hwinsta, &si, NULL, 0, &sd_length)) {
if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
printf("GetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
}
auto_buffer<PSECURITY_DESCRIPTOR> psd(sd_length);
if (!GetUserObjectSecurity(hwinsta, &si, psd.get(), sd_length, &sd_length)) {
printf("GetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
// Create a new DACL.
auto_buffer<PSECURITY_DESCRIPTOR> psd_new(sd_length);
if (!InitializeSecurityDescriptor(psd_new.get(), SECURITY_DESCRIPTOR_REVISION)) {
printf("InitializeSecurityDescriptor() failed: %d\n", GetLastError());
return FALSE;
}
// Get the DACL from the security descriptor.
BOOL bDaclPresent;
PACL pacl;
BOOL bDaclExist;
if (!GetSecurityDescriptorDacl(psd.get(), &bDaclPresent, &pacl, &bDaclExist)) {
printf("GetSecurityDescriptorDacl() failed: %d\n", GetLastError());
return FALSE;
}
// Initialize the ACL.
ACL_SIZE_INFORMATION aclSizeInfo = {};
aclSizeInfo.AclBytesInUse = sizeof(ACL);
if (NULL != pacl) {
// get the file ACL size info
if (!GetAclInformation(pacl, &aclSizeInfo, sizeof aclSizeInfo, AclSizeInformation)) {
printf("GetAclInformation() failed: %d\n", GetLastError());
return FALSE;
}
}
// Compute the size of the new ACL.
DWORD new_acl_size = aclSizeInfo.AclBytesInUse -
((2 * sizeof(ACCESS_ALLOWED_ACE)) +
(2 * GetLengthSid(psid)) - (2 * sizeof(DWORD)));
auto_buffer<PACL> new_acl(new_acl_size);
// Initialize the new DACL.
if (!InitializeAcl(new_acl.get(), new_acl_size, ACL_REVISION)) {
printf("InitializeAcl() failed: %d\n", GetLastError());
return FALSE;
}
// If DACL is present, copy it to a new DACL.
if (bDaclPresent) {
// Copy the ACEs to the new ACL.
for (DWORD i = 0; i != aclSizeInfo.AceCount; ++i) {
ACCESS_ALLOWED_ACE* pace;
if (!GetAce(pacl, i, (void**)&pace)) {
printf("GetAce() failed: %d\n", GetLastError());
return FALSE;
}
if (!EqualSid(psid, &pace->SidStart)) {
if (!AddAce(new_acl.get(), ACL_REVISION, MAXDWORD,
pace, pace->Header.AceSize)) {
printf("AddAce() failed: %d\n", GetLastError());
return FALSE;
}
}
}
}
// Set a new DACL for the security descriptor.
if (!SetSecurityDescriptorDacl(psd_new.get(), TRUE, new_acl.get(), FALSE)) {
printf("SetSecurityDescriptorDacl() failed: %d\n", GetLastError());
return FALSE;
}
// Set the new security descriptor for the window station.
if (!SetUserObjectSecurity(hwinsta, &si, psd_new.get())) {
printf("SetUserObjectSecurity() failed: %d\n", GetLastError());
return FALSE;
}
return TRUE;
}
DWORD MergeWithExistingDacl(
IN HANDLE object,
IN ULONG countOfExplicitEntries,
IN EXPLICIT_ACCESS *listOfExplicitEntries
)
{
DWORD status = ERROR_UNIDENTIFIED_ERROR;
SECURITY_DESCRIPTOR *sd = NULL;
BOOL daclPresent = FALSE;
ACL *dacl = NULL;
ACL *newAcl = NULL;
SECURITY_INFORMATION siRequested = DACL_SECURITY_INFORMATION;
if (countOfExplicitEntries == 0 || listOfExplicitEntries == NULL)
return ERROR_INVALID_PARAMETER;
status = GetObjectSecurityDescriptorDacl(object, &sd, &daclPresent, &dacl);
if (ERROR_SUCCESS != status)
{
perror("GetObjectSecurityDescriptorDacl");
goto cleanup;
}
status = SetEntriesInAcl(countOfExplicitEntries, listOfExplicitEntries, dacl, &newAcl);
if (ERROR_SUCCESS != status)
{
perror("SetEntriesInAcl");
goto cleanup;
}
sd = LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (!sd)
{
status = perror("LocalAlloc");
goto cleanup;
}
if (!InitializeSecurityDescriptor(sd, SECURITY_DESCRIPTOR_REVISION))
{
status = perror("InitializeSecurityDescriptor");
goto cleanup;
}
if (!SetSecurityDescriptorDacl(sd, TRUE, newAcl, FALSE))
{
status = perror("SetSecurityDescriptorDacl");
goto cleanup;
}
if (!SetUserObjectSecurity(object, &siRequested, sd))
{
status = perror("SetUserObjectSecurity");
goto cleanup;
}
status = ERROR_SUCCESS;
cleanup:
if (newAcl)
LocalFree(newAcl);
if (sd)
LocalFree(sd);
return status;
}
/**
* This function adjusts the specified Desktop to include the specfied
* user.
*
* See: http://msdn2.microsoft.com/en-us/library/aa379608(VS.85).aspx
**/
BOOL AddAceToDesktop(HDESK hdesk, PSID psid)
{
ACL_SIZE_INFORMATION aclSizeInfo;
BOOL bDaclExist;
BOOL bDaclPresent;
BOOL bSuccess = FALSE;
DWORD dwNewAclSize;
DWORD dwSidSize = 0;
DWORD dwSdSizeNeeded;
PACL pacl = NULL;
PACL pNewAcl = NULL;
PSECURITY_DESCRIPTOR psd = NULL;
PSECURITY_DESCRIPTOR psdNew = NULL;
PVOID pTempAce;
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
unsigned int i;
try
{
// Obtain the security descriptor for the desktop object.
if (!GetUserObjectSecurity(
hdesk,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded))
{
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
psd = (PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded );
if (psd == NULL)
throw;
psdNew = (PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded);
if (psdNew == NULL)
throw;
dwSidSize = dwSdSizeNeeded;
if (!GetUserObjectSecurity(
hdesk,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded)
)
throw;
}
else
throw;
}
// Create a new security descriptor.
if (!InitializeSecurityDescriptor(
psdNew,
SECURITY_DESCRIPTOR_REVISION)
)
throw;
// Obtain the DACL from the security descriptor.
if (!GetSecurityDescriptorDacl(
psd,
&bDaclPresent,
&pacl,
&bDaclExist)
)
throw;
// Initialize.
ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION));
aclSizeInfo.AclBytesInUse = sizeof(ACL);
// Call only if NULL DACL.
if (pacl != NULL)
{
// Determine the size of the ACL information.
if (!GetAclInformation(
pacl,
(LPVOID)&aclSizeInfo,
sizeof(ACL_SIZE_INFORMATION),
AclSizeInformation)
)
throw;
}
// Compute the size of the new ACL.
dwNewAclSize = aclSizeInfo.AclBytesInUse +
sizeof(ACCESS_ALLOWED_ACE) +
GetLengthSid(psid) - sizeof(DWORD);
// Allocate buffer for the new ACL.
pNewAcl = (PACL)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwNewAclSize);
if (pNewAcl == NULL)
throw;
// Initialize the new ACL.
if (!InitializeAcl(pNewAcl, dwNewAclSize, ACL_REVISION))
throw;
// If DACL is present, copy it to a new DACL.
if (bDaclPresent)
{
// Copy the ACEs to the new ACL.
if (aclSizeInfo.AceCount)
{
for (i=0; i < aclSizeInfo.AceCount; i++)
{
// Get an ACE.
if (!GetAce(pacl, i, &pTempAce))
throw;
// Add the ACE to the new ACL.
if (!AddAce(
pNewAcl,
ACL_REVISION,
MAXDWORD,
pTempAce,
((PACE_HEADER)pTempAce)->AceSize)
)
throw;
}
}
}
// Add ACE to the DACL.
if (!AddAccessAllowedAce(
pNewAcl,
ACL_REVISION,
GENERIC_ALL,
psid)
)
throw;
// Set new DACL to the new security descriptor.
if (!SetSecurityDescriptorDacl(
psdNew,
TRUE,
pNewAcl,
FALSE)
)
throw;
// Set the new security descriptor for the desktop object.
if (!SetUserObjectSecurity(hdesk, &si, psdNew))
throw;
// Indicate success.
bSuccess = TRUE;
}
catch(...)
{
// Free buffers.
if (pNewAcl != NULL)
HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl);
if (psd != NULL)
HeapFree(GetProcessHeap(), 0, (LPVOID)psd);
if (psdNew != NULL)
HeapFree(GetProcessHeap(), 0, (LPVOID)psdNew);
}
return bSuccess;
}
/**
* This function adjusts the specified WindowStation to include the specfied
* user.
*
* See: http://msdn2.microsoft.com/en-us/library/aa379608(VS.85).aspx
**/
BOOL AddAceToWindowStation(HWINSTA hwinsta, PSID psid)
{
ACCESS_ALLOWED_ACE *pace = NULL;
ACL_SIZE_INFORMATION aclSizeInfo;
BOOL bDaclExist;
BOOL bDaclPresent;
BOOL bSuccess = FALSE;
DWORD dwNewAclSize;
DWORD dwSidSize = 0;
DWORD dwSdSizeNeeded;
PACL pacl = NULL;
PACL pNewAcl = NULL;
PSECURITY_DESCRIPTOR psd = NULL;
PSECURITY_DESCRIPTOR psdNew = NULL;
PVOID pTempAce;
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
unsigned int i;
try
{
// Obtain the DACL for the window station.
if (!GetUserObjectSecurity(
hwinsta,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded)
)
if (GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
psd = (PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded);
if (psd == NULL)
throw;
psdNew = (PSECURITY_DESCRIPTOR)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwSdSizeNeeded);
if (psdNew == NULL)
throw;
dwSidSize = dwSdSizeNeeded;
if (!GetUserObjectSecurity(
hwinsta,
&si,
psd,
dwSidSize,
&dwSdSizeNeeded)
)
throw;
}
else
throw;
// Create a new DACL.
if (!InitializeSecurityDescriptor(
psdNew,
SECURITY_DESCRIPTOR_REVISION)
)
throw;
// Get the DACL from the security descriptor.
if (!GetSecurityDescriptorDacl(
psd,
&bDaclPresent,
&pacl,
&bDaclExist)
)
throw;
// Initialize the ACL.
ZeroMemory(&aclSizeInfo, sizeof(ACL_SIZE_INFORMATION));
aclSizeInfo.AclBytesInUse = sizeof(ACL);
// Call only if the DACL is not NULL.
if (pacl != NULL)
{
// get the file ACL size info
if (!GetAclInformation(
pacl,
(LPVOID)&aclSizeInfo,
sizeof(ACL_SIZE_INFORMATION),
AclSizeInformation)
)
throw;
}
// Compute the size of the new ACL.
dwNewAclSize = aclSizeInfo.AclBytesInUse +
(2*sizeof(ACCESS_ALLOWED_ACE)) + (2*GetLengthSid(psid)) -
(2*sizeof(DWORD));
// Allocate memory for the new ACL.
pNewAcl = (PACL)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
dwNewAclSize);
if (pNewAcl == NULL)
throw;
// Initialize the new DACL.
if (!InitializeAcl(pNewAcl, dwNewAclSize, ACL_REVISION))
throw;
// If DACL is present, copy it to a new DACL.
if (bDaclPresent)
{
// Copy the ACEs to the new ACL.
if (aclSizeInfo.AceCount)
{
for (i=0; i < aclSizeInfo.AceCount; i++)
{
// Get an ACE.
if (!GetAce(pacl, i, &pTempAce))
throw;
// Add the ACE to the new ACL.
if (!AddAce(
pNewAcl,
ACL_REVISION,
MAXDWORD,
pTempAce,
((PACE_HEADER)pTempAce)->AceSize)
)
throw;
}
}
}
// Add the first ACE to the window station.
pace = (ACCESS_ALLOWED_ACE *)HeapAlloc(
GetProcessHeap(),
HEAP_ZERO_MEMORY,
sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(psid) - sizeof(DWORD)
);
if (pace == NULL)
throw;
pace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
pace->Header.AceFlags = CONTAINER_INHERIT_ACE |
INHERIT_ONLY_ACE |
OBJECT_INHERIT_ACE;
pace->Header.AceSize = (WORD)sizeof(ACCESS_ALLOWED_ACE) +
(WORD)GetLengthSid(psid) -
(WORD)sizeof(DWORD);
pace->Mask = GENERIC_ALL;
if (!CopySid(GetLengthSid(psid), &pace->SidStart, psid))
throw;
if (!AddAce(
pNewAcl,
ACL_REVISION,
MAXDWORD,
(LPVOID)pace,
pace->Header.AceSize)
)
throw;
// Add an ACE to the window station.
pace->Header.AceFlags = NO_PROPAGATE_INHERIT_ACE;
pace->Mask = GENERIC_ALL;
if (!AddAce(
pNewAcl,
ACL_REVISION,
MAXDWORD,
(LPVOID)pace,
pace->Header.AceSize)
)
throw;
// Set a new DACL for the security descriptor.
if (!SetSecurityDescriptorDacl(
psdNew,
TRUE,
pNewAcl,
FALSE)
)
throw;
// Set the new security descriptor for the window station.
if (!SetUserObjectSecurity(hwinsta, &si, psdNew))
throw;
// Indicate success.
bSuccess = TRUE;
}
catch(...)
{
// Free the allocated buffers.
if (pace != NULL)
HeapFree(GetProcessHeap(), 0, (LPVOID)pace);
if (pNewAcl != NULL)
HeapFree(GetProcessHeap(), 0, (LPVOID)pNewAcl);
if (psd != NULL)
HeapFree(GetProcessHeap(), 0, (LPVOID)psd);
if (psdNew != NULL)
HeapFree(GetProcessHeap(), 0, (LPVOID)psdNew);
}
return bSuccess;
}
BOOL
AddAceToWindowStation(
IN HWINSTA WinSta,
IN PSID Sid)
{
DWORD AclSize;
SECURITY_INFORMATION SecurityInformation;
PACL pDefaultAcl = NULL;
PSECURITY_DESCRIPTOR WinstaSd = NULL;
PACCESS_ALLOWED_ACE Ace = NULL;
BOOL Ret = FALSE;
/* Allocate space for an ACL */
AclSize = sizeof(ACL)
+ 2 * (FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + GetLengthSid(Sid));
pDefaultAcl = HeapAlloc(GetProcessHeap(), 0, AclSize);
if (!pDefaultAcl)
{
ERR("WL: HeapAlloc() failed\n");
goto cleanup;
}
/* Initialize it */
if (!InitializeAcl(pDefaultAcl, AclSize, ACL_REVISION))
{
ERR("WL: InitializeAcl() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Initialize new security descriptor */
WinstaSd = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (!InitializeSecurityDescriptor(WinstaSd, SECURITY_DESCRIPTOR_REVISION))
{
ERR("WL: InitializeSecurityDescriptor() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Allocate memory for access allowed ACE */
Ace = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(ACCESS_ALLOWED_ACE)+
GetLengthSid(Sid) - sizeof(DWORD));
/* Create the first ACE for the window station */
Ace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
Ace->Header.AceFlags = CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE;
Ace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(Sid) - sizeof(DWORD);
Ace->Mask = GENERIC_ACCESS;
/* Copy the sid */
if (!CopySid(GetLengthSid(Sid), &Ace->SidStart, Sid))
{
ERR("WL: CopySid() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Add the first ACE */
if (!AddAce(pDefaultAcl, ACL_REVISION, MAXDWORD, (LPVOID)Ace, Ace->Header.AceSize))
{
ERR("WL: AddAce() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Add the second ACE to the end of ACL */
Ace->Header.AceFlags = NO_PROPAGATE_INHERIT_ACE;
Ace->Mask = WINSTA_ALL;
if (!AddAce(pDefaultAcl, ACL_REVISION, MAXDWORD, (LPVOID)Ace, Ace->Header.AceSize))
{
ERR("WL: AddAce() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Add ACL to winsta's security descriptor */
if (!SetSecurityDescriptorDacl(WinstaSd, TRUE, pDefaultAcl, FALSE))
{
ERR("WL: SetSecurityDescriptorDacl() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Apply security to the window station */
SecurityInformation = DACL_SECURITY_INFORMATION;
if (!SetUserObjectSecurity(WinSta, &SecurityInformation, WinstaSd))
{
ERR("WL: SetUserObjectSecurity() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Indicate success */
Ret = TRUE;
cleanup:
/* Free allocated stuff */
if (pDefaultAcl) HeapFree(GetProcessHeap(), 0, pDefaultAcl);
if (WinstaSd) HeapFree(GetProcessHeap(), 0, WinstaSd);
if (Ace) HeapFree(GetProcessHeap(), 0, Ace);
return Ret;
}
BOOL
AddAceToDesktop(
IN HDESK Desktop,
IN PSID WinlogonSid,
IN PSID UserSid)
{
DWORD AclSize;
SECURITY_INFORMATION SecurityInformation;
PACL Acl = NULL;
PSECURITY_DESCRIPTOR DesktopSd = NULL;
BOOL Ret = FALSE;
/* Allocate ACL */
AclSize = sizeof(ACL)
+ FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + GetLengthSid(WinlogonSid);
/* Take user's sid into account */
if (UserSid)
AclSize += FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + GetLengthSid(UserSid);
Acl = HeapAlloc(GetProcessHeap(), 0, AclSize);
if (!Acl)
{
ERR("WL: HeapAlloc() failed\n");
goto cleanup;
}
/* Initialize ACL */
if (!InitializeAcl(Acl, AclSize, ACL_REVISION))
{
ERR("WL: InitializeAcl() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Add full desktop access ACE for winlogon */
if (!AddAccessAllowedAce(Acl, ACL_REVISION, DESKTOP_ALL, WinlogonSid))
{
ERR("WL: AddAccessAllowedAce() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Add full desktop access ACE for a user (if provided) */
if (UserSid && !AddAccessAllowedAce(Acl, ACL_REVISION, DESKTOP_ALL, UserSid))
{
ERR("WL: AddAccessAllowedAce() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Initialize new security descriptor */
DesktopSd = HeapAlloc(GetProcessHeap(), 0, SECURITY_DESCRIPTOR_MIN_LENGTH);
if (!InitializeSecurityDescriptor(DesktopSd, SECURITY_DESCRIPTOR_REVISION))
{
ERR("WL: InitializeSecurityDescriptor() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Add ACL to the security descriptor */
if (!SetSecurityDescriptorDacl(DesktopSd, TRUE, Acl, FALSE))
{
ERR("WL: SetSecurityDescriptorDacl() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Apply security to the window station */
SecurityInformation = DACL_SECURITY_INFORMATION;
if (!SetUserObjectSecurity(Desktop, &SecurityInformation, DesktopSd))
{
ERR("WL: SetUserObjectSecurity() failed (error %lu)\n", GetLastError());
goto cleanup;
}
/* Indicate success */
Ret = TRUE;
cleanup:
/* Free allocated stuff */
if (Acl) HeapFree(GetProcessHeap(), 0, Acl);
if (DesktopSd) HeapFree(GetProcessHeap(), 0, DesktopSd);
return Ret;
}
