/*---------------------------------------------------------------------------*\ * NAME: RemovePrincipalFromNamedValueSD * --------------------------------------------------------------------------* * DESCRIPTION: Retrieves the designated security descriptor from the * registry and removes all ACLs that belong to the named principal. \*---------------------------------------------------------------------------*/ DWORD RemovePrincipalFromNamedValueSD ( HKEY hkeyRoot, LPTSTR tszKeyName, LPTSTR tszValueName, LPTSTR tszPrincipal, DWORD fAceType ) { DWORD dwReturnValue = ERROR_SUCCESS; SECURITY_DESCRIPTOR *pSD = NULL; SECURITY_DESCRIPTOR *psdSelfRelative = NULL; SECURITY_DESCRIPTOR *psdAbsolute = NULL; DWORD cbSecurityDesc = 0; BOOL fPresent = FALSE; BOOL fDefaultDACL = FALSE; PACL pDacl = NULL; dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, NULL); // Get security descriptor from registry or create a new one if (dwReturnValue != ERROR_SUCCESS) { if(dwReturnValue == ERROR_FILE_NOT_FOUND) { dwReturnValue = ERROR_SUCCESS; } goto CLEANUP; } if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL)) { dwReturnValue = GetLastError(); goto CLEANUP; } // Remove the tszPrincipal that the caller wants removed dwReturnValue = RemovePrincipalFromACL (pDacl, tszPrincipal, fAceType); if(dwReturnValue == ERROR_FILE_NOT_FOUND) { dwReturnValue = ERROR_SUCCESS; goto CLEANUP; } else if (dwReturnValue != ERROR_SUCCESS) { dwReturnValue = GetLastError(); goto CLEANUP; } // Make the security descriptor absolute if it isn't new dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; // Set the discretionary ACL on the security descriptor if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE)) { dwReturnValue = GetLastError(); goto CLEANUP; } // Make the security descriptor self-relative so that we can // store it in the registry cbSecurityDesc = 0; MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc); psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc); if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc)) { dwReturnValue = GetLastError(); goto CLEANUP; } // Store the security descriptor in the registry dwReturnValue = SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative); CLEANUP: if(pSD) free (pSD); if(psdSelfRelative) free (psdSelfRelative); if(psdAbsolute) free (psdAbsolute); return dwReturnValue; }
/*---------------------------------------------------------------------------*\ * NAME: UpdatePrincipalInNamedValueSD * --------------------------------------------------------------------------* * DESCRIPTION: Retrieves the designated security descriptor from the * registry and updates all ACLs that belong to the named principal. \*---------------------------------------------------------------------------*/ DWORD UpdatePrincipalInNamedValueSD ( HKEY hkeyRoot, LPTSTR tszKeyName, LPTSTR tszValueName, LPTSTR tszPrincipal, DWORD dwAccessMask, BOOL fRemove, DWORD fAceType ) { DWORD dwReturnValue = ERROR_SUCCESS; SECURITY_DESCRIPTOR *pSD = NULL; SECURITY_DESCRIPTOR *psdSelfRelative = NULL; SECURITY_DESCRIPTOR *psdAbsolute = NULL; DWORD cbSecurityDesc = 0; BOOL fPresent = FALSE; BOOL fDefaultDACL = FALSE; PACL pDacl = NULL; // Get security descriptor from registry dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, NULL); if (dwReturnValue != ERROR_SUCCESS) { if(dwReturnValue == ERROR_FILE_NOT_FOUND && fRemove) { dwReturnValue = ERROR_SUCCESS; } goto CLEANUP; } if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL)) { dwReturnValue = GetLastError(); goto CLEANUP; } // Update the tszPrincipal that the caller wants to change dwReturnValue = UpdatePrincipalInACL (pDacl, tszPrincipal, dwAccessMask, fRemove, fAceType); if(dwReturnValue == ERROR_FILE_NOT_FOUND) { dwReturnValue = ERROR_SUCCESS; goto CLEANUP; } else if (dwReturnValue != ERROR_SUCCESS) { dwReturnValue = GetLastError(); goto CLEANUP; } // Make the security descriptor absolute dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; // Set the discretionary ACL on the security descriptor if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE)) { dwReturnValue = GetLastError(); goto CLEANUP; } //Now ensure consistency of the SD dwReturnValue = CanonicalizeSD(psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; // Make the security descriptor self-relative so that we can // store it in the registry cbSecurityDesc = 0; MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc); psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc); if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc)) { dwReturnValue = GetLastError(); goto CLEANUP; } // Store the security descriptor in the registry dwReturnValue = SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative); CLEANUP: if(pSD) free (pSD); if(psdSelfRelative) free (psdSelfRelative); if(psdAbsolute) free (psdAbsolute); return dwReturnValue; }
DWORD RemovePrincipalFromNamedValueSD ( HKEY RootKey, LPTSTR KeyName, LPTSTR ValueName, LPTSTR Principal ) { DWORD returnValue; SECURITY_DESCRIPTOR *sd; SECURITY_DESCRIPTOR *sdSelfRelative = NULL; SECURITY_DESCRIPTOR *sdAbsolute; DWORD secDescSize; BOOL present; BOOL defaultDACL; PACL dacl; BOOL newSD = FALSE; returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD); // // Get security descriptor from registry or create a new one // if (returnValue != ERROR_SUCCESS) return returnValue; if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL)) return GetLastError(); // // If the security descriptor is new, add the required Principals to it // if (newSD) { AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM")); AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE")); } // // Remove the Principal that the caller wants removed // returnValue = RemovePrincipalFromACL (dacl, Principal); if (returnValue != ERROR_SUCCESS) { free (sd); return returnValue; } // // Make the security descriptor absolute if it isn't new // if (!newSD) MakeSDAbsolute ((PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute); else sdAbsolute = sd; // // Set the discretionary ACL on the security descriptor // if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE)) return GetLastError(); // // Make the security descriptor self-relative so that we can // store it in the registry // secDescSize = 0; MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize); sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize); if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize)) return GetLastError(); // // Store the security descriptor in the registry // SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative); free (sd); free (sdSelfRelative); free (sdAbsolute); return ERROR_SUCCESS; }
/*---------------------------------------------------------------------------*\ * NAME: AddPrincipalToNamedValueSD * --------------------------------------------------------------------------* * DESCRIPTION: Retrieves the designated security descriptor from the * registry and adds an ACE for the designated principal. \*---------------------------------------------------------------------------*/ DWORD AddPrincipalToNamedValueSD ( HKEY hkeyRoot, LPTSTR tszKeyName, LPTSTR tszValueName, LPTSTR tszPrincipal, BOOL fPermit, DWORD dwAccessMask, DWORD dwSDType ) { DWORD dwReturnValue = ERROR_SUCCESS; SECURITY_DESCRIPTOR *pSD = NULL; SECURITY_DESCRIPTOR *psdSelfRelative = NULL; SECURITY_DESCRIPTOR *psdAbsolute = NULL; DWORD cbSecurityDesc = 0; BOOL fPresent = FALSE; BOOL fDefaultDACL = FALSE; PACL pDacl = NULL; BOOL fNewSD = FALSE; dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, &fNewSD); // Get security descriptor from registry or create a new one if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL)) { dwReturnValue = GetLastError(); goto CLEANUP; } if (fNewSD) { dwReturnValue = SetAclDefaults(&pDacl, dwSDType); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; } // Add the tszPrincipal that the caller wants added if (fPermit) { dwReturnValue = AddAccessAllowedACEToACL (&pDacl, dwAccessMask, tszPrincipal); } else { dwReturnValue = AddAccessDeniedACEToACL (&pDacl, dwAccessMask, tszPrincipal); } if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; // Make the security descriptor absolute if it isn't new if (!fNewSD) { dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; } else { psdAbsolute = pSD; } // Set the discretionary ACL on the security descriptor if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE)) { dwReturnValue = GetLastError(); goto CLEANUP; } //Now ensure consistency of the SD dwReturnValue = CanonicalizeSD(psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; // Make the security descriptor self-relative so that we can // store it in the registry cbSecurityDesc = 0; MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc); psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc); if(!psdSelfRelative) { dwReturnValue = ERROR_OUTOFMEMORY; goto CLEANUP; } if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc)) { dwReturnValue = GetLastError(); goto CLEANUP; } // Store the security descriptor in the registry SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative); CLEANUP: if(pSD) free (pSD); if(psdSelfRelative) free (psdSelfRelative); if(psdAbsolute && pSD != psdAbsolute) free (psdAbsolute); return dwReturnValue; }
DWORD setDCOMPermission( HKEY RootKey, LPTSTR KeyName, PSID sid, LPTSTR ValueName, DWORD dwPermissionMask, BOOL bLimits) { DWORD returnValue; SECURITY_DESCRIPTOR *sd = NULL; SECURITY_DESCRIPTOR *sdSelfRelative = NULL; SECURITY_DESCRIPTOR *sdAbsolute = NULL; DWORD secDescSize; BOOL present; BOOL defaultDACL; PACL dacl; BOOL newSD = FALSE; returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD); // // Get security descriptor from registry or create a new one // if (returnValue != ERROR_SUCCESS) { return returnValue; } if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL)) { return GetLastError(); } if ((newSD) && (!bLimits)) { AddAccessAllowedACEToACL( &dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM")); AddAccessAllowedACEToACL( &dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE")); } //get account according to the SID TCHAR userName[256]; TCHAR acctName[256]; TCHAR domainName[256]; DWORD dwAcctName = 256; DWORD dwDomainName = 256; SID_NAME_USE eUse = SidTypeUnknown; if (LookupAccountSid( NULL, sid, acctName, (LPDWORD)&dwAcctName, domainName, &dwDomainName, &eUse)) { sprintf(userName, "%s\\%s", domainName, acctName); } else { return GetLastError(); } returnValue = AddAccessAllowedACEToACL ( &dacl, dwPermissionMask, userName); if (returnValue != ERROR_SUCCESS) { free (sd); return returnValue; } // // Make the security descriptor absolute if it isn't new // if (!newSD) { MakeSDAbsolute ( (PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute); } else { sdAbsolute = sd; } // // Set the discretionary ACL on the security descriptor // if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE)) return GetLastError(); // // Make the security descriptor self-relative so that we can // store it in the registry // secDescSize = 0; MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize); sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize); if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize)) { return GetLastError(); } // // Store the security descriptor in the registry // SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative); free (sd); free (sdSelfRelative); if (sd != sdAbsolute) { free (sdAbsolute); } return ERROR_SUCCESS; }