HRESULT COpcSecurity::Deny(LPCTSTR pszPrincipal, DWORD dwAccessMask) { HRESULT hr = AddAccessDeniedACEToACL(&m_pDACL, pszPrincipal, dwAccessMask); if (SUCCEEDED(hr)) SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE); return hr; }
DWORD COxtSecurityHelper::AddPrincipalToNamedSecurityDescriptor(LPCTSTR tszPermissionName, LPCTSTR tszPrincipal, DWORD dwAccessMask, DWORD dwSDType) { DWORD dwReturnValue = ERROR_SUCCESS; SECURITY_DESCRIPTOR *pSD = NULL; SECURITY_DESCRIPTOR *psdSelfRelative = NULL; SECURITY_DESCRIPTOR *psdAbsolute = NULL; DWORD cbSecurityDesc = 0; BOOL bPresent = FALSE; BOOL bDefaultDACL = FALSE; PACL pDacl = NULL; BOOL bNewSD = FALSE; do { // Get security descriptor from registry or create a new one dwReturnValue = GetSecurityDescripterByName(tszPermissionName, &pSD, &bNewSD); if (dwReturnValue != ERROR_SUCCESS) break; if (!::GetSecurityDescriptorDacl(pSD, &bPresent, &pDacl, &bDefaultDACL)) { dwReturnValue = ::GetLastError(); break; } if (bNewSD) { dwReturnValue = SetACLDefaults(&pDacl, dwSDType); if (dwReturnValue != ERROR_SUCCESS) break; } // Add the Principal that the caller wants added dwReturnValue = AddAccessDeniedACEToACL(&pDacl, dwAccessMask, tszPrincipal); if (dwReturnValue != ERROR_SUCCESS) break; // Make the security descriptor absolute if it isn't new if (!bNewSD) { dwReturnValue = MakeAbsoluteSecurityDescriptor((PSECURITY_DESCRIPTOR)pSD, (PSECURITY_DESCRIPTOR *)&psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) break; } else psdAbsolute = pSD; // Set the discretionary ACL on the security descriptor if (!::SetSecurityDescriptorDacl(psdAbsolute, TRUE, pDacl, FALSE)) { dwReturnValue = ::GetLastError(); break; } // Now ensure consistency of the SD dwReturnValue = CanonicalizeSecurityDescriptor(psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) break; // Make the security descriptor self-relative so that we can // store it in the registry cbSecurityDesc = 0; ::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &cbSecurityDesc); psdSelfRelative = (SECURITY_DESCRIPTOR *)malloc(cbSecurityDesc); if (psdSelfRelative == NULL) { dwReturnValue = ERROR_OUTOFMEMORY; break; } if (!::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &cbSecurityDesc)) { dwReturnValue = GetLastError(); break; } // Store the security descriptor in the registry dwReturnValue = SetSecurityDescriptorByName(tszPermissionName, psdSelfRelative); } while (false); if (pSD != NULL) free(pSD); if (psdSelfRelative != NULL) free(psdSelfRelative); if ((psdAbsolute != NULL)&&(pSD != psdAbsolute)) free(psdAbsolute); return dwReturnValue; }
/*---------------------------------------------------------------------------*\ * NAME: AddPrincipalToNamedValueSD * --------------------------------------------------------------------------* * DESCRIPTION: Retrieves the designated security descriptor from the * registry and adds an ACE for the designated principal. \*---------------------------------------------------------------------------*/ DWORD AddPrincipalToNamedValueSD ( HKEY hkeyRoot, LPTSTR tszKeyName, LPTSTR tszValueName, LPTSTR tszPrincipal, BOOL fPermit, DWORD dwAccessMask, DWORD dwSDType ) { DWORD dwReturnValue = ERROR_SUCCESS; SECURITY_DESCRIPTOR *pSD = NULL; SECURITY_DESCRIPTOR *psdSelfRelative = NULL; SECURITY_DESCRIPTOR *psdAbsolute = NULL; DWORD cbSecurityDesc = 0; BOOL fPresent = FALSE; BOOL fDefaultDACL = FALSE; PACL pDacl = NULL; BOOL fNewSD = FALSE; dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, &fNewSD); // Get security descriptor from registry or create a new one if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL)) { dwReturnValue = GetLastError(); goto CLEANUP; } if (fNewSD) { dwReturnValue = SetAclDefaults(&pDacl, dwSDType); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; } // Add the tszPrincipal that the caller wants added if (fPermit) { dwReturnValue = AddAccessAllowedACEToACL (&pDacl, dwAccessMask, tszPrincipal); } else { dwReturnValue = AddAccessDeniedACEToACL (&pDacl, dwAccessMask, tszPrincipal); } if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; // Make the security descriptor absolute if it isn't new if (!fNewSD) { dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; } else { psdAbsolute = pSD; } // Set the discretionary ACL on the security descriptor if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE)) { dwReturnValue = GetLastError(); goto CLEANUP; } //Now ensure consistency of the SD dwReturnValue = CanonicalizeSD(psdAbsolute); if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP; // Make the security descriptor self-relative so that we can // store it in the registry cbSecurityDesc = 0; MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc); psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc); if(!psdSelfRelative) { dwReturnValue = ERROR_OUTOFMEMORY; goto CLEANUP; } if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc)) { dwReturnValue = GetLastError(); goto CLEANUP; } // Store the security descriptor in the registry SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative); CLEANUP: if(pSD) free (pSD); if(psdSelfRelative) free (psdSelfRelative); if(psdAbsolute && pSD != psdAbsolute) free (psdAbsolute); return dwReturnValue; }
DWORD AddPrincipalToNamedValueSD ( HKEY RootKey, LPTSTR KeyName, LPTSTR ValueName, LPTSTR Principal, BOOL Permit ) { DWORD returnValue; SECURITY_DESCRIPTOR *sd; SECURITY_DESCRIPTOR *sdSelfRelative = NULL; SECURITY_DESCRIPTOR *sdAbsolute; DWORD secDescSize; BOOL present; BOOL defaultDACL; PACL dacl; BOOL newSD = FALSE; returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD); // // Get security descriptor from registry or create a new one // if (returnValue != ERROR_SUCCESS) return returnValue; if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL)) return GetLastError(); if (newSD) { AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM")); AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE")); } // // Add the Principal that the caller wants added // if (Permit) returnValue = AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, Principal); else returnValue = AddAccessDeniedACEToACL (&dacl, GENERIC_ALL, Principal); if (returnValue != ERROR_SUCCESS) { free (sd); return returnValue; } // // Make the security descriptor absolute if it isn't new // if (!newSD) MakeSDAbsolute ((PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute); else sdAbsolute = sd; // // Set the discretionary ACL on the security descriptor // if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE)) return GetLastError(); // // Make the security descriptor self-relative so that we can // store it in the registry // secDescSize = 0; MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize); sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize); if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize)) return GetLastError(); // // Store the security descriptor in the registry // SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative); free (sd); free (sdSelfRelative); free (sdAbsolute); return ERROR_SUCCESS; }