/* Internal sid binary to string translation, see MSKB Q131320. * Several user related operations require our SID to access * the registry, but in a string format. All error handling * depends on IsValidSid(), which internally we better test long * before we get here! */ void get_sid_string(char *buf, apr_size_t blen, apr_uid_t id) { PSID_IDENTIFIER_AUTHORITY psia; DWORD nsa; DWORD sa; int slen; /* Determine authority values (these is a big-endian value, * and NT records the value as hex if the value is > 2^32.) */ psia = GetSidIdentifierAuthority(id); nsa = (DWORD)(psia->Value[5]) + ((DWORD)(psia->Value[4]) << 8) + ((DWORD)(psia->Value[3]) << 16) + ((DWORD)(psia->Value[2]) << 24); sa = (DWORD)(psia->Value[1]) + ((DWORD)(psia->Value[0]) << 8); if (sa) { slen = apr_snprintf(buf, blen, "S-%lu-0x%04x%08x", SID_REVISION, sa, nsa); } else { slen = apr_snprintf(buf, blen, "S-%lu-%lu", SID_REVISION, nsa); } /* Now append all the subauthority strings. */ nsa = *GetSidSubAuthorityCount(id); for (sa = 0; sa < nsa; ++sa) { slen += apr_snprintf(buf + slen, blen - slen, "-%lu", *GetSidSubAuthority(id, sa)); } }
BOOL make_relative_sid(PSID* answer, PSID base, ULONG relative_id) { int count; int i; if (answer == NULL) return print_error(L"Error in make_relative_sid: answer is NULL.\n"); if (base == NULL) return print_error(L"Error in make_relative_sid: base is NULL.\n"); if (!IsValidSid(base)) return print_error(L"Error in make_relative_sid: base is not a valid SID.\n"); count = *GetSidSubAuthorityCount(base); if (count > 7) return print_error(L"Error in make_relative_sid: base has too many sub-authorities.\n"); if (!AllocateAndInitializeSid( GetSidIdentifierAuthority(base) , 1 + count , 0, 0, 0, 0, 0, 0, 0, 0, answer)) return win_error(GetLastError(), L"AllocateAndInitializeSid"); for(i=0; i<count; i++) { *GetSidSubAuthority(*answer, i) = *GetSidSubAuthority(base, i); } *GetSidSubAuthority(*answer, count) = relative_id; return TRUE; }
bool AddSid(LPCWSTR sid_str) { if (_wcsicmp(sid_str, L"CU") == 0) { return AddSid(GetCurrentUserSid().c_str()); } else { PSID p = nullptr; if (!::ConvertStringSidToSid(sid_str, &p)) { return false; } std::unique_ptr<void, LocalFreeDeleter> buf(p); SID_IDENTIFIER_AUTHORITY il_id_auth = { { 0,0,0,0,0,0x10 } }; PSID_IDENTIFIER_AUTHORITY sid_id_auth = GetSidIdentifierAuthority(p); if (memcmp(il_id_auth.Value, sid_id_auth->Value, sizeof(il_id_auth.Value)) == 0) { return !!AddIntegrityLabelToBoundaryDescriptor(&boundary_desc_, p); } else { return !!AddSIDToBoundaryDescriptor(&boundary_desc_, p); } } }
BOOL IsLogonSid( PSID ps ) { static SID_IDENTIFIER_AUTHORITY sia = SECURITY_NT_AUTHORITY; // a logon SID has: sia = 5, subauth count = 3, first subauth = 5 // the following three lines test these three conditions if ( ! memcmp( GetSidIdentifierAuthority( ps ), &sia, sizeof sia ) && // is sia == 5? *GetSidSubAuthorityCount( ps ) == 3 && // is subauth count == 3? *GetSidSubAuthority( ps, 0 ) == 5 ) // first subauth == 5? return TRUE; else return FALSE; }
/* (in) PSID (in/out) char (in) size_t return 0 - success -1 - error */ int get_textual_sid(PSID pSid,char * buf,size_t len) { /*FROM MSDN Converting a Binary SID to String Format in C++*/ PSID_IDENTIFIER_AUTHORITY psia; DWORD dwSubAuthorities; DWORD dwSidRev = SID_REVISION; DWORD dwCounter; DWORD dwSidSize; if (!IsValidSid(pSid)){ SetLastError(ERROR_INVALID_DATA); return -1; } psia = GetSidIdentifierAuthority(pSid); dwSubAuthorities = *GetSidSubAuthorityCount(pSid); dwSidSize = (15 + 12 + (12 * dwSubAuthorities) +1) * sizeof(char); if (len < dwSidSize){ SetLastError(ERROR_INSUFFICIENT_BUFFER); return -1; } _snprintf(buf,len,"S-%lu-",dwSidRev); if ( (psia->Value[0] != 0) || (psia->Value[1] != 0) ){ _snprintf(buf + strlen(buf),len-(strlen(buf)+1), "0x%02hx%02hx%02hx%02hx%02hx%02hx", (USHORT) psia->Value[0], (USHORT) psia->Value[1], (USHORT) psia->Value[2], (USHORT) psia->Value[3], (USHORT) psia->Value[4], (USHORT) psia->Value[5]); }else { _snprintf(buf + strlen(buf),len - (strlen(buf)+1), "%lu", (USHORT) (psia->Value[5]) + (USHORT) (psia->Value[4] << 8)+ (USHORT) (psia->Value[3] << 16)+ (USHORT) (psia->Value[2] << 24)); } for (dwCounter = 0; dwCounter < dwSubAuthorities; dwCounter++){ _snprintf(buf + strlen(buf),len - (strlen(buf)+1),"-%lu", *GetSidSubAuthority(pSid,dwCounter)); } return 0; }
static void PrintSidText(PSID psid, BPRINT_BUFFER & bp) { // // test if parameters passed in are valid, IsValidSid can not take // a NULL parameter // if ( ! psid) return; // obtain SidIdentifierAuthority // obtain sidsubauthority count PSID_IDENTIFIER_AUTHORITY psia = GetSidIdentifierAuthority(psid); DWORD cSubAs = *GetSidSubAuthorityCount(psid); // // S-SID_REVISION- // bprintf(bp, TEXT("S-%lu-"), SID_REVISION); // // append SidIdentifierAuthority // if (psia->Value[0] || psia->Value[1]) { bprintf(bp, TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"), (USHORT)psia->Value[0], (USHORT)psia->Value[1], (USHORT)psia->Value[2], (USHORT)psia->Value[3], (USHORT)psia->Value[4], (USHORT)psia->Value[5]); } else { bprintf(bp, TEXT("%lu"), (ULONG)(psia->Value[5] ) + (ULONG)(psia->Value[4] << 8) + (ULONG)(psia->Value[3] << 16) + (ULONG)(psia->Value[2] << 24)); } // // append SidSubAuthorities // for (UINT ix = 0 ; ix < cSubAs; ++ix) { bprintf(bp, TEXT("-%lu"), *GetSidSubAuthority(psid, ix)); } }
BOOL IsDomainSid( _In_ PSID pSid ) { static const SID_IDENTIFIER_AUTHORITY sSidIdAuthNtSecurity = SECURITY_NT_AUTHORITY; PUCHAR n = GetSidSubAuthorityCount(pSid); if (*n >= 1) { SID_IDENTIFIER_AUTHORITY *pIdAuth = GetSidIdentifierAuthority(pSid); if (memcmp(pIdAuth, &sSidIdAuthNtSecurity, sizeof(SID_IDENTIFIER_AUTHORITY) == 0)) { PDWORD pdwAuth = GetSidSubAuthority(pSid, 0); if ((*pdwAuth == SECURITY_NT_NON_UNIQUE) || (*pdwAuth == SECURITY_BUILTIN_DOMAIN_RID)) { return TRUE; } } } return FALSE; }
static char * put_sid (PSID psid) { static char s[512]; char t[32]; DWORD i; strcpy (s, "S-1-"); sprintf(t, "%u", GetSidIdentifierAuthority (psid)->Value[5]); strcat (s, t); for (i = 0; i < *GetSidSubAuthorityCount (psid); ++i) { sprintf(t, "-%" PRIu32 , (unsigned int) *GetSidSubAuthority (psid, i)); strcat (s, t); } return s; }
// // Function : sidToText // Role : Converts a binary SID to a nice one // Notes : http://win32.mvps.org/security/dumpacl/dumpacl.cpp // const char *sidToTextTok( PSID psid ) { // S-rev- + SIA + subauthlen*maxsubauth + terminator static char buf[15 + 12 + 12*SID_MAX_SUB_AUTHORITIES + 1]; char *p = &buf[0]; PSID_IDENTIFIER_AUTHORITY psia; DWORD numSubAuths, i; // Validate the binary SID. if ( ! IsValidSid( psid ) ) return FALSE; psia = GetSidIdentifierAuthority( psid ); p = buf; p += _snprintf_s( p, 15 + 12 + 12*SID_MAX_SUB_AUTHORITIES + 1, &buf[sizeof buf] - p, "S-%lu-", 0x0f & *( (byte *) psid ) ); if ( ( psia->Value[0] != 0 ) || ( psia->Value[1] != 0 ) ) p += _snprintf_s( p,15 + 12 + 12*SID_MAX_SUB_AUTHORITIES + 1, &buf[sizeof buf] - p, "0x%02hx%02hx%02hx%02hx%02hx%02hx", (USHORT) psia->Value[0], (USHORT) psia->Value[1], (USHORT) psia->Value[2], (USHORT) psia->Value[3], (USHORT) psia->Value[4], (USHORT) psia->Value[5] ); else p += _snprintf_s( p, 15 + 12 + 12*SID_MAX_SUB_AUTHORITIES + 1, &buf[sizeof buf] - p, "%lu", (ULONG) ( psia->Value[5] ) + (ULONG) ( psia->Value[4] << 8 ) + (ULONG) ( psia->Value[3] << 16 ) + (ULONG) ( psia->Value[2] << 24 ) ); // Add SID subauthorities to the string. numSubAuths = *GetSidSubAuthorityCount( psid ); for ( i = 0; i < numSubAuths; ++ i ) p += _snprintf_s( p, 15 + 12 + 12*SID_MAX_SUB_AUTHORITIES + 1,&buf[sizeof buf] - p, "-%lu", *GetSidSubAuthority( psid, i ) ); return buf; }
BOOL LookupUserGroupFromRid( LPWSTR TargetComputer, DWORD Rid, LPWSTR Name, PDWORD cchName ) { PUSER_MODALS_INFO_2 umi2; NET_API_STATUS nas; UCHAR SubAuthorityCount; PSID pSid; SID_NAME_USE snu; WCHAR DomainName[DNLEN+1]; DWORD cchDomainName = DNLEN; BOOL bSuccess = FALSE; // assume failure // // get the account domain Sid on the target machine // note: if you were looking up multiple sids based on the same // account domain, only need to call this once. // nas = NetUserModalsGet(TargetComputer, 2, (LPBYTE *)&umi2); if(nas != NERR_Success) { SetLastError(nas); return FALSE; } SubAuthorityCount = *GetSidSubAuthorityCount (umi2->usrmod2_domain_id); // // allocate storage for new Sid. account domain Sid + account Rid // pSid = (PSID)HeapAlloc(GetProcessHeap(), 0, GetSidLengthRequired((UCHAR)(SubAuthorityCount + 1))); if(pSid != NULL) { if(InitializeSid( pSid, GetSidIdentifierAuthority(umi2->usrmod2_domain_id), (BYTE)(SubAuthorityCount+1) )) { DWORD SubAuthIndex = 0; // // copy existing subauthorities from account domain Sid into // new Sid // for( ; SubAuthIndex < SubAuthorityCount ; SubAuthIndex++) { *GetSidSubAuthority(pSid, SubAuthIndex) = *GetSidSubAuthority(umi2->usrmod2_domain_id, SubAuthIndex); } // // append Rid to new Sid // *GetSidSubAuthority(pSid, SubAuthorityCount) = Rid; bSuccess = LookupAccountSidW( TargetComputer, pSid, Name, cchName, DomainName, &cchDomainName, &snu ); } HeapFree(GetProcessHeap(), 0, pSid); } NetApiBufferFree(umi2); return bSuccess; }
sal_Bool SAL_CALL osl_getUserIdent(oslSecurity Security, rtl_uString **strIdent) { if (Security != NULL) { oslSecurityImpl *pSecImpl = (oslSecurityImpl*)Security; HANDLE hAccessToken = pSecImpl->m_hToken; if (hAccessToken == NULL) OpenProcessToken(GetCurrentProcess(), TOKEN_DUP_QUERY, &hAccessToken); if (hAccessToken) { sal_Char *Ident; DWORD nInfoBuffer = 512; UCHAR* pInfoBuffer = malloc(nInfoBuffer); while (!GetTokenInformation(hAccessToken, TokenUser, pInfoBuffer, nInfoBuffer, &nInfoBuffer)) { if (GetLastError() == ERROR_INSUFFICIENT_BUFFER) pInfoBuffer = realloc(pInfoBuffer, nInfoBuffer); else { free(pInfoBuffer); pInfoBuffer = NULL; break; } } if (pSecImpl->m_hToken == NULL) CloseHandle(hAccessToken); if (pInfoBuffer) { PSID pSid = ((PTOKEN_USER)pInfoBuffer)->User.Sid; PSID_IDENTIFIER_AUTHORITY psia; DWORD dwSubAuthorities; DWORD dwSidRev=SID_REVISION; DWORD dwCounter; DWORD dwSidSize; PUCHAR pSSACount; /* obtain SidIdentifierAuthority */ psia=GetSidIdentifierAuthority(pSid); /* obtain sidsubauthority count */ pSSACount = GetSidSubAuthorityCount(pSid); dwSubAuthorities = (*pSSACount < 5) ? *pSSACount : 5; /* buffer length: S-SID_REVISION- + identifierauthority- + subauthorities- + NULL */ Ident=malloc(88*sizeof(sal_Char)); /* prepare S-SID_REVISION- */ dwSidSize=wsprintf(Ident, TEXT("S-%lu-"), dwSidRev); /* prepare SidIdentifierAuthority */ if ((psia->Value[0] != 0) || (psia->Value[1] != 0)) { dwSidSize+=wsprintf(Ident + strlen(Ident), TEXT("0x%02hx%02hx%02hx%02hx%02hx%02hx"), (USHORT)psia->Value[0], (USHORT)psia->Value[1], (USHORT)psia->Value[2], (USHORT)psia->Value[3], (USHORT)psia->Value[4], (USHORT)psia->Value[5]); } else { dwSidSize+=wsprintf(Ident + strlen(Ident), TEXT("%lu"), (ULONG)(psia->Value[5] ) + (ULONG)(psia->Value[4] << 8) + (ULONG)(psia->Value[3] << 16) + (ULONG)(psia->Value[2] << 24) ); } /* loop through SidSubAuthorities */ for (dwCounter=0; dwCounter < dwSubAuthorities; dwCounter++) { dwSidSize+=wsprintf(Ident + dwSidSize, TEXT("-%lu"), *GetSidSubAuthority(pSid, dwCounter) ); } rtl_uString_newFromAscii( strIdent, Ident ); free(pInfoBuffer); free(Ident); return sal_True; } } else { DWORD needed=0; sal_Unicode *Ident; WNetGetUserA(NULL, NULL, &needed); if (needed < 16) { needed = 16; } Ident=malloc(needed*sizeof(sal_Unicode)); if (WNetGetUserW(NULL, Ident, &needed) != NO_ERROR) { wcscpy(Ident, L"unknown"); Ident[7] = L'\0'; } rtl_uString_newFromStr( strIdent, Ident); free(Ident); return sal_True; } } return sal_False; }
// nearly straight from the SDK BOOL Sid2Text( PSID ps, char *buf, int bufSize ) { PSID_IDENTIFIER_AUTHORITY psia; DWORD dwSubAuthorities; DWORD dwSidRev = SID_REVISION; DWORD i; int n, size; char *p; // Validate the binary SID. if ( ! IsValidSid( ps ) ) return FALSE; // Get the identifier authority value from the SID. psia = GetSidIdentifierAuthority( ps ); // Get the number of subauthorities in the SID. dwSubAuthorities = *GetSidSubAuthorityCount( ps ); // Compute the buffer length. // S-SID_REVISION- + IdentifierAuthority- + subauthorities- + NULL size = 15 + 12 + ( 12 * dwSubAuthorities ) + 1; // Check input buffer length. // If too small, indicate the proper size and set last error. if ( bufSize < size ) { SetLastError( ERROR_INSUFFICIENT_BUFFER ); return FALSE; } // Add 'S' prefix and revision number to the string. size = wsprintf( buf, "S-%lu-", dwSidRev ); p = buf + size; // Add SID identifier authority to the string. if ( psia->Value[0] != 0 || psia->Value[1] != 0 ) { n = wsprintf( p, "0x%02hx%02hx%02hx%02hx%02hx%02hx", (USHORT) psia->Value[0], (USHORT) psia->Value[1], (USHORT) psia->Value[2], (USHORT) psia->Value[3], (USHORT) psia->Value[4], (USHORT) psia->Value[5] ); size += n; p += n; } else { n = wsprintf( p, "%lu", ( (ULONG) psia->Value[5] ) + ( (ULONG) psia->Value[4] << 8 ) + ( (ULONG) psia->Value[3] << 16 ) + ( (ULONG) psia->Value[2] << 24 ) ); size += n; p += n; } // Add SID subauthorities to the string. for ( i = 0; i < dwSubAuthorities; ++ i ) { n = wsprintf( p, "-%lu", *GetSidSubAuthority( ps, i ) ); size += n; p += n; } return TRUE; }
/* ** Wrapper around the access() system call. This code was copied from Tcl ** 8.6 and then modified. */ int win32_access(const char *zFilename, int flags){ int rc = 0; PSECURITY_DESCRIPTOR pSd = NULL; unsigned long size; PSID pSid = NULL; BOOL sidDefaulted; BOOL impersonated = FALSE; SID_IDENTIFIER_AUTHORITY unmapped = {{0, 0, 0, 0, 0, 22}}; GENERIC_MAPPING genMap; HANDLE hToken = NULL; DWORD desiredAccess = 0, grantedAccess = 0; BOOL accessYesNo = FALSE; PRIVILEGE_SET privSet; DWORD privSetSize = sizeof(PRIVILEGE_SET); wchar_t *zMbcs = fossil_utf8_to_filename(zFilename); DWORD attr = GetFileAttributesW(zMbcs); if( attr==INVALID_FILE_ATTRIBUTES ){ /* * File might not exist. */ if( GetLastError()!=ERROR_SHARING_VIOLATION ){ rc = -1; goto done; } } if( flags==F_OK ){ /* * File exists, nothing else to check. */ goto done; } if( (flags & W_OK) && (attr & FILE_ATTRIBUTE_READONLY) && !(attr & FILE_ATTRIBUTE_DIRECTORY) ){ /* * The attributes say the file is not writable. If the file is a * regular file (i.e., not a directory), then the file is not * writable, full stop. For directories, the read-only bit is * (mostly) ignored by Windows, so we can't ascertain anything about * directory access from the attrib data. */ rc = -1; goto done; } /* * It looks as if the permissions are ok, but if we are on NT, 2000 or XP, * we have a more complex permissions structure so we try to check that. * The code below is remarkably complex for such a simple thing as finding * what permissions the OS has set for a file. */ /* * First find out how big the buffer needs to be. */ size = 0; GetFileSecurityW(zMbcs, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, 0, 0, &size); /* * Should have failed with ERROR_INSUFFICIENT_BUFFER */ if( GetLastError()!=ERROR_INSUFFICIENT_BUFFER ){ /* * Most likely case is ERROR_ACCESS_DENIED, which we will convert to * EACCES - just what we want! */ rc = -1; goto done; } /* * Now size contains the size of buffer needed. */ pSd = (PSECURITY_DESCRIPTOR)HeapAlloc(GetProcessHeap(), 0, size); if( pSd==NULL ){ rc = -1; goto done; } /* * Call GetFileSecurity() for real. */ if( !GetFileSecurityW(zMbcs, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, pSd, size, &size) ){ /* * Error getting owner SD */ rc = -1; goto done; } /* * As of Samba 3.0.23 (10-Jul-2006), unmapped users and groups are * assigned to SID domains S-1-22-1 and S-1-22-2, where "22" is the * top-level authority. If the file owner and group is unmapped then * the ACL access check below will only test against world access, * which is likely to be more restrictive than the actual access * restrictions. Since the ACL tests are more likely wrong than * right, skip them. Moreover, the unix owner access permissions are * usually mapped to the Windows attributes, so if the user is the * file owner then the attrib checks above are correct (as far as they * go). */ if( !GetSecurityDescriptorOwner(pSd, &pSid, &sidDefaulted) || memcmp(GetSidIdentifierAuthority(pSid), &unmapped, sizeof(SID_IDENTIFIER_AUTHORITY))==0 ){ goto done; /* Attrib tests say access allowed. */ } /* * Perform security impersonation of the user and open the resulting * thread token. */ if( !ImpersonateSelf(SecurityImpersonation) ){ /* * Unable to perform security impersonation. */ rc = -1; goto done; } impersonated = TRUE; if( !OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_QUERY, FALSE, &hToken) ){ /* * Unable to get current thread's token. */ rc = -1; goto done; } /* * Setup desiredAccess according to the access priveleges we are * checking. */ if( flags & R_OK ){ desiredAccess |= FILE_GENERIC_READ; } if( flags & W_OK){ desiredAccess |= FILE_GENERIC_WRITE; } memset(&genMap, 0, sizeof(GENERIC_MAPPING)); genMap.GenericRead = FILE_GENERIC_READ; genMap.GenericWrite = FILE_GENERIC_WRITE; genMap.GenericExecute = FILE_GENERIC_EXECUTE; genMap.GenericAll = FILE_ALL_ACCESS; /* * Perform access check using the token. */ if( !AccessCheck(pSd, hToken, desiredAccess, &genMap, &privSet, &privSetSize, &grantedAccess, &accessYesNo) ){ /* * Unable to perform access check. */ rc = -1; goto done; } if( !accessYesNo ) rc = -1; done: if( hToken != NULL ){ CloseHandle(hToken); } if( impersonated ){ RevertToSelf(); impersonated = FALSE; } if( pSd!=NULL ){ HeapFree(GetProcessHeap(), 0, pSd); } fossil_filename_free(zMbcs); return rc; }
void GetTextualSid( PSID pSid, // binary Sid PTCHAR TextualSid) // buffer for Textual representation of Sid { PSID_IDENTIFIER_AUTHORITY psia; DWORD dwSubAuthorities; DWORD dwSidRev=SID_REVISION; DWORD dwCounter; DWORD dwSidSize; // Validate the binary SID. if(!IsValidSid(pSid)) return; // Get the identifier authority value from the SID. psia = GetSidIdentifierAuthority(pSid); // Get the number of subauthorities in the SID. dwSubAuthorities = *GetSidSubAuthorityCount(pSid); // Compute the buffer length. // S-SID_REVISION- + IdentifierAuthority- + subauthorities- + NULL dwSidSize=(15 + 12 + (12 * dwSubAuthorities) + 1) * sizeof(TCHAR); // Add 'S' prefix and revision number to the string. dwSidSize= _stprintf(TextualSid, _T("S-%lu-"), dwSidRev ); // Add SID identifier authority to the string. if ( (psia->Value[0] != 0) || (psia->Value[1] != 0) ) { dwSidSize += _stprintf(TextualSid + lstrlen(TextualSid), _T("0x%02hx%02hx%02hx%02hx%02hx%02hx"), (USHORT)psia->Value[0], (USHORT)psia->Value[1], (USHORT)psia->Value[2], (USHORT)psia->Value[3], (USHORT)psia->Value[4], (USHORT)psia->Value[5]); } else { dwSidSize += _stprintf(TextualSid + lstrlen(TextualSid), _T("%lu"), (ULONG)(psia->Value[5] ) + (ULONG)(psia->Value[4] << 8) + (ULONG)(psia->Value[3] << 16) + (ULONG)(psia->Value[2] << 24) ); } // Add SID subauthorities to the string. // for (dwCounter=0 ; dwCounter < dwSubAuthorities ; dwCounter++) { dwSidSize+= _stprintf(TextualSid + dwSidSize, _T("-%lu"), *GetSidSubAuthority(pSid, dwCounter) ); } }
void RegistryLogAceSidStart(PSID SidStart) { LogIncIndent(); if (FALSE == IsValidSid(SidStart)) { LOG(L"Invalid Sid given, cannot parse\n"); LogDecIndent(); return; } LPTSTR stringSid = NULL; if(FALSE == ConvertSidToStringSid(SidStart,&stringSid)) { LOG(L"Could not convert SID to SIDString\n"); LogDecIndent(); return; } LOG(L"SID = %s\n",stringSid); PSID_IDENTIFIER_AUTHORITY sidia = GetSidIdentifierAuthority(SidStart); PUCHAR pSubAuthorityCount = GetSidSubAuthorityCount(SidStart); UCHAR counter = 0; for(; counter < *pSubAuthorityCount ; counter++) { PDWORD pSidSubAuthority = GetSidSubAuthority(SidStart,counter); BYTE nullauthorityValue[6] = SECURITY_NULL_SID_AUTHORITY; BYTE worldauthorityValue[6] = SECURITY_WORLD_SID_AUTHORITY; BYTE localauthorityValue[6] = SECURITY_LOCAL_SID_AUTHORITY; BYTE creatorauthorityValue[6] = SECURITY_CREATOR_SID_AUTHORITY; BYTE ntauthorityValue[6] = SECURITY_NT_AUTHORITY; if(memcmp(sidia->Value,nullauthorityValue,6) == 0) { switch(*pSidSubAuthority) { case SECURITY_NULL_RID: LOG(L"SECURITY_NULL\n"); break; default: RegistryLogGeneralRIDS(L"SECURITY_NULL_SID_AUTHORITY",*pSidSubAuthority); break; }; } else if (memcmp(sidia->Value,worldauthorityValue,6) == 0) { switch(*pSidSubAuthority) { case SECURITY_WORLD_RID: LOG(L"EVERYONE\n"); break; default: RegistryLogGeneralRIDS(L"SECURITY_WORLD_SID_AUTHORITY",*pSidSubAuthority); break; }; } else if (memcmp(sidia->Value,localauthorityValue,6) == 0) { switch(*pSidSubAuthority) { case SECURITY_LOCAL_RID: LOG(L"SECURITY_LOCAL_SID_AUTHORITY SECURITY_LOCAL_RID\n"); break; case SECURITY_LOCAL_LOGON_RID: LOG(L"SECURITY_LOCAL_SID_AUTHORITY SECURITY_LOCAL_LOGON_RID\n"); break; default: RegistryLogGeneralRIDS(L"SECURITY_LOCAL_SID_AUTHORITY",*pSidSubAuthority); break; }; } else if (memcmp(sidia->Value,creatorauthorityValue,6) == 0) { switch(*pSidSubAuthority) { case SECURITY_CREATOR_OWNER_RID: LOG(L"CREATOR_OWNER\n"); //LOG(L"SECURITY_CREATOR_SID_AUTHORITY SECURITY_CREATOR_OWNER_RID\n"); break; case SECURITY_CREATOR_GROUP_RID: LOG(L"CREATOR_GROUP\n"); //LOG(L"SECURITY_CREATOR_SID_AUTHORITY SECURITY_CREATOR_GROUP_RID\n"); break; default: RegistryLogGeneralRIDS(L"SECURITY_CREATOR_SID_AUTHORITY",*pSidSubAuthority); break; }; } else if (memcmp(sidia->Value,ntauthorityValue,6) == 0) { switch(*pSidSubAuthority) { case SECURITY_DIALUP_RID: LOG(L"DIALUP\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_DIALUP_RID: Users who log on to terminals using a dial-up modem. This is a group identifier\n"); break; case SECURITY_NETWORK_RID: LOG(L"NETWORK\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_NETWORK_RID: Users who log on across a network. This is a group identifier\n"); break; case SECURITY_BATCH_RID: LOG(L"BATCH\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_BATCH_RID: Users who log on using a batch queue facility. This is a group identifier\n"); break; case SECURITY_INTERACTIVE_RID: LOG(L"INTERACTIVE\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_INTERACTIVE_RID: Users who log on for interactive operation. This is a group identifier\n"); break; case SECURITY_LOGON_IDS_RID: LOG(L"LOGON_IDS\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_LOGON_IDS_RID: A logon session\n"); break; case SECURITY_SERVICE_RID: LOG(L"SERVICE\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_SERVICE_RID: Accounts authorized to log on as a service. This is a group identifier\n"); break; case SECURITY_ANONYMOUS_LOGON_RID: LOG(L"ANONYMOUS\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_ANONYMOUS_LOGON_RID: Anonymous logon, or null session logon\n"); break; case SECURITY_PROXY_RID: LOG(L"PROXY\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_PROXY_RID: Proxy\n"); break; case SECURITY_ENTERPRISE_CONTROLLERS_RID: LOG(L"ENTERPRISE_CONTROLLERS\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_ENTERPRISE_CONTROLLERS_RID: Enterprise controllers\n"); break; case SECURITY_PRINCIPAL_SELF_RID: LOG(L"PRINCIPAL_SELF\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_PRINCIPAL_SELF_RID: The PRINCIPAL_SELF security identifier\n"); break; case SECURITY_AUTHENTICATED_USER_RID: LOG(L"AUTHENTICATED_USER\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_AUTHENTICATED_USER_RID: The authenticated users\n"); break; case SECURITY_RESTRICTED_CODE_RID: LOG(L"RESTRICTED_CODE\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_RESTRICTED_CODE_RID: Restricted code\n"); break; case SECURITY_TERMINAL_SERVER_RID: LOG(L"TERMINAL_SERVER\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_TERMINAL_SERVER_RID: Terminal Services\n"); break; case SECURITY_LOCAL_SYSTEM_RID: LOG(L"LOCAL_SYSTEM\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_LOCAL_SYSTEM_RID: A special account used by the operating system\n"); break; case SECURITY_NT_NON_UNIQUE: LOG(L"NT_NON_UNIQUE\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_NT_NON_UNIQUE: SIDS are not unique\n"); break; case SECURITY_BUILTIN_DOMAIN_RID: LOG(L"BUILTIN_DOMAIN\n"); //LOG(L"SECURITY_NT_AUTHORITY SECURITY_BUILTIN_DOMAIN_RID: Buildin Domain\n"); break; default: RegistryLogGeneralRIDS(L"SECURITY_NT_AUTHORITY",*pSidSubAuthority); break; }; } } LogDecIndent(); }
void vsyslog(int pri, const char *fmt, va_list ap) /* * Purpose: * Does the actual logging to the NT event log. * This is actually never called directly by the user * but always through syslog() * * Precondition: * dto. syslog() * * Postcondition: * dto. syslog() * * Mods: * 05/11/97 (CVP) */ { char *aszMsg[1], *p; WORD nt_prio = 0; BYTE sidBuffer[SLG_BUFSIZE]; PSID psid = (PSID) &sidBuffer; PSID PNtSid_ = NULL; DWORD sidBufferSize = SLG_BUFSIZE * sizeof(BYTE); TCHAR domainBuffer[SLG_BUFSIZE]; DWORD domainBufferSize = SLG_BUFSIZE * sizeof(TCHAR); SID_NAME_USE snu; UCHAR SubAuthorityCount = 0; BOOL retBOOL = TRUE; DWORD SubAuthIndex = 0; int saved_errno = 0; int nt_pid = _getpid(); char tbuf[SLG_BUFSIZE]; char fmt_cpy[SLG_BUFSIZE]; DWORD bufsize = SLG_BUFSIZE; BOOL resBOOL = 0; char ch, *t1, *t2; DWORD retDWORD = 0; saved_errno = errno; /* * Username retrieval */ if (*username == 0) { retBOOL = GetUserName(username, &bufsize); if (retBOOL == 0) { SLG_DEBUG(fprintf(SLG_DEBUG_OUT, SLG01, GetLastError())); SLG_PANIC(); } } ZeroMemory(sidBuffer, SLG_BUFSIZE); LookupAccountName( NULL, username, sidBuffer, &sidBufferSize, domainBuffer, &domainBufferSize, &snu); SubAuthorityCount = *GetSidSubAuthorityCount(psid); retBOOL = AllocateAndInitializeSid ( GetSidIdentifierAuthority(psid), SubAuthorityCount, 0,0,0,0,0,0,0,0, &PNtSid_ ); if (retBOOL != 0) { for( ; SubAuthIndex < SubAuthorityCount ; SubAuthIndex++) { *GetSidSubAuthority(PNtSid_, SubAuthIndex) = *GetSidSubAuthority(psid, SubAuthIndex); } } /* * in case of error, PNtSid_ will remain NULL, * which is OK anyway */ (void)sprintf(tbuf, "[pid %d / user %s] ", nt_pid, username); for (p = tbuf; *p; ++p); /* * build the message * substitute error message for %m */ for (t1 = fmt_cpy; ch = *fmt; ++fmt) { if (ch == '%' && fmt[1] == 'm') { ++fmt; for (t2 = strerror(saved_errno); *t1 = *t2++; ++t1); } else *t1++ = ch; } *t1 = '\0'; vsprintf(p, fmt_cpy, ap); aszMsg[0] = tbuf; /* * consider the event types: * EVENTLOG_ERROR_TYPE * EVENTLOG_WARNING_TYPE * EVENTLOG_INFORMATION_TYPE * */ switch(pri) { case LOG_EMERG: /* system is unusable */ case LOG_ALERT: /* action must be taken immediately */ case LOG_CRIT: /* critical conditions */ case LOG_ERR: /* error conditions */ nt_prio = EVENTLOG_ERROR_TYPE; break; case LOG_WARNING: /* warning conditions */ case LOG_NOTICE: /* normal but significant condition */ nt_prio = EVENTLOG_WARNING_TYPE; break; case LOG_INFO: /* informational */ case LOG_DEBUG: /* debug-level messages */ nt_prio = EVENTLOG_INFORMATION_TYPE; break; } if (!ReportEvent( h, /* event log handle */ nt_prio, /* event type */ SLG_ONE, /* category identifier */ SLG_01, /* event identifier */ PNtSid_, /* user security identifier */ 1, /* one substitution string */ 0, /* no data */ (LPTSTR *) aszMsg, /* address of string array */ NULL) /* address of data */ ) { SLG_DEBUG(fprintf(SLG_DEBUG_OUT, SLG02)); SLG_PANIC(); } }