Exemplo n.º 1
0
DWORD
ListNamedValueSD (
    HKEY RootKey,
    LPTSTR KeyName,
    LPTSTR ValueName
    )
{
    DWORD               returnValue;
    SECURITY_DESCRIPTOR *sd;
    BOOL                present;
    BOOL                defaultDACL;
    PACL                dacl;
    BOOL                newSD = FALSE;

    returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD);

    if ((returnValue != ERROR_SUCCESS) || (newSD == TRUE))
    {
        _tprintf (TEXT("<Using Default Permissions>\n"));
        free (sd);
        return returnValue;
    }

    if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL))
    {
        free (sd);
        return GetLastError();
    }

    if (!present)
    {
        _tprintf (TEXT("<Access is denied to everyone>\n"));
        free (sd);
        return ERROR_SUCCESS;
    }

    ListACL (dacl);

    free (sd);

    return ERROR_SUCCESS;
}
Exemplo n.º 2
0
/*---------------------------------------------------------------------------*\
 * NAME: ListNamedValueSD 
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Displays the designated security descriptor.
\*---------------------------------------------------------------------------*/
DWORD ListNamedValueSD (
    HKEY hkeyRoot,
    LPTSTR tszKeyName,
    LPTSTR tszValueName,
    DWORD dwSDType
    )
{
    DWORD               dwReturnValue = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *pSD          = NULL;
    BOOL                fPresent      = FALSE;
    BOOL                fDefaultDACL  = FALSE;
    PACL                dacl          = NULL;

    dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, NULL);

    if (dwReturnValue != ERROR_SUCCESS)
    {
        _tprintf (_T("<Using Default Permissions>\n"));
        goto CLEANUP;
    }

    if (!GetSecurityDescriptorDacl (pSD, &fPresent, &dacl, &fDefaultDACL))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    if (!fPresent)
    {
        _tprintf (_T("<Access is denied to everyone>\n"));
        goto CLEANUP;
    }

    ListACL (dacl, dwSDType);

CLEANUP:

    if(pSD) free (pSD);

    return dwReturnValue;
}
Exemplo n.º 3
0
/*---------------------------------------------------------------------------*\
 * NAME: RemovePrincipalFromNamedValueSD 
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Retrieves the designated security descriptor from the
 * registry and removes all ACLs that belong to the named principal.
\*---------------------------------------------------------------------------*/
DWORD RemovePrincipalFromNamedValueSD (
    HKEY hkeyRoot,
    LPTSTR tszKeyName,
    LPTSTR tszValueName,
    LPTSTR tszPrincipal,
    DWORD fAceType
    )
{
    DWORD               dwReturnValue    = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *pSD             = NULL;
    SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *psdAbsolute     = NULL;
    DWORD               cbSecurityDesc   = 0;
    BOOL                fPresent         = FALSE;
    BOOL                fDefaultDACL     = FALSE;
    PACL                pDacl            = NULL;

    dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, NULL);

    // Get security descriptor from registry or create a new one
    if (dwReturnValue != ERROR_SUCCESS)
    {
        if(dwReturnValue == ERROR_FILE_NOT_FOUND)
        {
            dwReturnValue = ERROR_SUCCESS;
        }
        goto CLEANUP;
    }

    if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Remove the tszPrincipal that the caller wants removed
    dwReturnValue = RemovePrincipalFromACL (pDacl, tszPrincipal, fAceType);
    if(dwReturnValue == ERROR_FILE_NOT_FOUND)
    {
        dwReturnValue = ERROR_SUCCESS;
        goto CLEANUP;
    }
    else if (dwReturnValue != ERROR_SUCCESS)
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Make the security descriptor absolute if it isn't new
    dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute); 
    if (dwReturnValue != ERROR_SUCCESS)  goto CLEANUP;

    // Set the discretionary ACL on the security descriptor
    if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Make the security descriptor self-relative so that we can
    // store it in the registry
    cbSecurityDesc = 0;
    MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc);

    psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc);


    if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Store the security descriptor in the registry
    dwReturnValue = SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative);

CLEANUP:

    if(pSD) free (pSD);
    if(psdSelfRelative) free (psdSelfRelative);
    if(psdAbsolute) free (psdAbsolute);

    return dwReturnValue;
}
Exemplo n.º 4
0
/*---------------------------------------------------------------------------*\
 * NAME: UpdatePrincipalInNamedValueSD 
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Retrieves the designated security descriptor from the
 * registry and updates all ACLs that belong to the named principal.
\*---------------------------------------------------------------------------*/
DWORD UpdatePrincipalInNamedValueSD (
    HKEY hkeyRoot,
    LPTSTR tszKeyName,
    LPTSTR tszValueName,
    LPTSTR tszPrincipal,
    DWORD dwAccessMask,
    BOOL fRemove,
    DWORD fAceType
    )
{
    DWORD               dwReturnValue    = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *pSD             = NULL;
    SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *psdAbsolute     = NULL;
    DWORD               cbSecurityDesc   = 0;
    BOOL                fPresent         = FALSE;
    BOOL                fDefaultDACL     = FALSE;
    PACL                pDacl            = NULL;


    // Get security descriptor from registry
    dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, NULL);


    if (dwReturnValue != ERROR_SUCCESS)
    {
        if(dwReturnValue == ERROR_FILE_NOT_FOUND && fRemove)
        {
            dwReturnValue = ERROR_SUCCESS;
        }
        goto CLEANUP;
    }

    if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Update the tszPrincipal that the caller wants to change
    dwReturnValue = UpdatePrincipalInACL (pDacl, tszPrincipal, dwAccessMask, fRemove, fAceType);
    if(dwReturnValue == ERROR_FILE_NOT_FOUND)
    {
        dwReturnValue = ERROR_SUCCESS;
        goto CLEANUP;
    }
    else if (dwReturnValue != ERROR_SUCCESS)
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Make the security descriptor absolute 
    dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute); 
    if (dwReturnValue != ERROR_SUCCESS)  goto CLEANUP;

    // Set the discretionary ACL on the security descriptor
    if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    //Now ensure consistency of the SD
    dwReturnValue = CanonicalizeSD(psdAbsolute);
    if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

    // Make the security descriptor self-relative so that we can
    // store it in the registry
    cbSecurityDesc = 0;
    MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc);

    psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc);


    if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Store the security descriptor in the registry
    dwReturnValue = SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative);

CLEANUP:

    if(pSD) free (pSD);
    if(psdSelfRelative) free (psdSelfRelative);
    if(psdAbsolute) free (psdAbsolute);

    return dwReturnValue;
}
Exemplo n.º 5
0
/*---------------------------------------------------------------------------*\
 * NAME: AddPrincipalToNamedValueSD 
 * --------------------------------------------------------------------------*
 * DESCRIPTION: Retrieves the designated security descriptor from the
 * registry and adds an ACE for the designated principal.
\*---------------------------------------------------------------------------*/
DWORD AddPrincipalToNamedValueSD (
    HKEY hkeyRoot,
    LPTSTR tszKeyName,
    LPTSTR tszValueName,
    LPTSTR tszPrincipal,
    BOOL fPermit,
    DWORD dwAccessMask,
    DWORD dwSDType
    )
{
    DWORD               dwReturnValue    = ERROR_SUCCESS;
    SECURITY_DESCRIPTOR *pSD             = NULL;
    SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *psdAbsolute     = NULL;
    DWORD               cbSecurityDesc   = 0;
    BOOL                fPresent         = FALSE;
    BOOL                fDefaultDACL     = FALSE;
    PACL                pDacl            = NULL;
    BOOL                fNewSD           = FALSE;

    dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, &fNewSD);

    // Get security descriptor from registry or create a new one
    if (dwReturnValue != ERROR_SUCCESS)  goto CLEANUP;

    if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    if (fNewSD)
    {
        dwReturnValue = SetAclDefaults(&pDacl, dwSDType);
        if (dwReturnValue != ERROR_SUCCESS)  goto CLEANUP;
    }

    // Add the tszPrincipal that the caller wants added
    if (fPermit)
    {
        dwReturnValue = AddAccessAllowedACEToACL (&pDacl, dwAccessMask, tszPrincipal);
    }
    else
    {
        dwReturnValue = AddAccessDeniedACEToACL (&pDacl, dwAccessMask, tszPrincipal);
    }

    if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

    // Make the security descriptor absolute if it isn't new
    if (!fNewSD)
    {
        dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute);
        if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
    }
    else
    {
        psdAbsolute = pSD;
    }

    // Set the discretionary ACL on the security descriptor
    if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
     }

    //Now ensure consistency of the SD
    dwReturnValue = CanonicalizeSD(psdAbsolute);
    if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;

    // Make the security descriptor self-relative so that we can
    // store it in the registry
    cbSecurityDesc = 0;

    MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc);

    psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc);

    if(!psdSelfRelative)
    {
        dwReturnValue = ERROR_OUTOFMEMORY;
        goto CLEANUP;
    }

    if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc))
    {
        dwReturnValue = GetLastError();
        goto CLEANUP;
    }

    // Store the security descriptor in the registry
    SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative);

CLEANUP:

    if(pSD) free (pSD);
    if(psdSelfRelative) free (psdSelfRelative);
    if(psdAbsolute && pSD != psdAbsolute) free (psdAbsolute);

    return dwReturnValue;
}
Exemplo n.º 6
0
DWORD
RemovePrincipalFromNamedValueSD (
    HKEY RootKey,
    LPTSTR KeyName,
    LPTSTR ValueName,
    LPTSTR Principal
    )
{
    DWORD               returnValue;
    SECURITY_DESCRIPTOR *sd;
    SECURITY_DESCRIPTOR *sdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *sdAbsolute;
    DWORD               secDescSize;
    BOOL                present;
    BOOL                defaultDACL;
    PACL                dacl;
    BOOL                newSD = FALSE;

    returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD);

    //
    // Get security descriptor from registry or create a new one
    //

    if (returnValue != ERROR_SUCCESS)
        return returnValue;

    if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL))
        return GetLastError();

    //
    // If the security descriptor is new, add the required Principals to it
    //

    if (newSD)
    {
        AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM"));
        AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE"));
    }

    //
    // Remove the Principal that the caller wants removed
    //

    returnValue = RemovePrincipalFromACL (dacl, Principal);
    if (returnValue != ERROR_SUCCESS)
    {
        free (sd);
        return returnValue;
    }

    //
    // Make the security descriptor absolute if it isn't new
    //

    if (!newSD)
        MakeSDAbsolute ((PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute); else
        sdAbsolute = sd;

    //
    // Set the discretionary ACL on the security descriptor
    //

    if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE))
        return GetLastError();

    //
    // Make the security descriptor self-relative so that we can
    // store it in the registry
    //

    secDescSize = 0;
    MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize);
    sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize);
    if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize))
        return GetLastError();

    //
    // Store the security descriptor in the registry
    //

    SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative);

    free (sd);
    free (sdSelfRelative);
    free (sdAbsolute);

    return ERROR_SUCCESS;
}
Exemplo n.º 7
0
DWORD setDCOMPermission(
    HKEY RootKey, 
    LPTSTR KeyName, 
    PSID sid,
    LPTSTR ValueName,
    DWORD dwPermissionMask,
    BOOL bLimits)
{
    DWORD returnValue;
    SECURITY_DESCRIPTOR *sd = NULL;
    SECURITY_DESCRIPTOR *sdSelfRelative = NULL;
    SECURITY_DESCRIPTOR *sdAbsolute = NULL;
    DWORD secDescSize;
    BOOL present;
    BOOL defaultDACL;
    PACL dacl;
    BOOL newSD = FALSE;

    returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD);

    //
    // Get security descriptor from registry or create a new one
    //

    if (returnValue != ERROR_SUCCESS)
    {
        return returnValue;
    }

    if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL))
    {
        return GetLastError();
    }

    if ((newSD) && (!bLimits))
    {
        AddAccessAllowedACEToACL(
            &dacl, 
            COM_RIGHTS_EXECUTE,
            TEXT("SYSTEM"));
            
        AddAccessAllowedACEToACL(
            &dacl,
            COM_RIGHTS_EXECUTE,
            TEXT("INTERACTIVE"));
    }

    //get account according to the SID
    TCHAR userName[256];
    TCHAR acctName[256];
    TCHAR domainName[256];
    DWORD dwAcctName = 256;
    DWORD dwDomainName = 256;
    SID_NAME_USE eUse = SidTypeUnknown;

    if (LookupAccountSid(
        NULL,
        sid,
        acctName,
        (LPDWORD)&dwAcctName,
        domainName,
        &dwDomainName,
        &eUse)) 
    {
        sprintf(userName, "%s\\%s", domainName, acctName);
    }
    else
    {
        return GetLastError();
    }

    returnValue = AddAccessAllowedACEToACL (
        &dacl, 
        dwPermissionMask, 
        userName); 
    

    if (returnValue != ERROR_SUCCESS)
    {
        free (sd);
        return returnValue;
    }

    //
    // Make the security descriptor absolute if it isn't new
    //

    if (!newSD)
    {
        MakeSDAbsolute (
            (PSECURITY_DESCRIPTOR) sd, 
            (PSECURITY_DESCRIPTOR *) &sdAbsolute);
    } 
    else 
    {
        sdAbsolute = sd;
    }

    //
    // Set the discretionary ACL on the security descriptor
    //

    if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE))
        return GetLastError();

    //
    // Make the security descriptor self-relative so that we can
    // store it in the registry
    //

    secDescSize = 0;
    MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize);
    sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize);
    
    if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize))
    {
        return GetLastError();
    }

    //
    // Store the security descriptor in the registry
    //

    SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative);

    free (sd);
    free (sdSelfRelative);
    
    if (sd != sdAbsolute) 
    {
        free (sdAbsolute);
    }

    return ERROR_SUCCESS;
}