HRESULT COpcSecurity::Deny(LPCTSTR pszPrincipal, DWORD dwAccessMask)
{
HRESULT hr = AddAccessDeniedACEToACL(&m_pDACL, pszPrincipal, dwAccessMask);
if (SUCCEEDED(hr))
SetSecurityDescriptorDacl(m_pSD, TRUE, m_pDACL, FALSE);
return hr;
}
DWORD COxtSecurityHelper::AddPrincipalToNamedSecurityDescriptor(LPCTSTR tszPermissionName,
LPCTSTR tszPrincipal,
DWORD dwAccessMask,
DWORD dwSDType)
{
DWORD dwReturnValue = ERROR_SUCCESS;
SECURITY_DESCRIPTOR *pSD = NULL;
SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
SECURITY_DESCRIPTOR *psdAbsolute = NULL;
DWORD cbSecurityDesc = 0;
BOOL bPresent = FALSE;
BOOL bDefaultDACL = FALSE;
PACL pDacl = NULL;
BOOL bNewSD = FALSE;
do {
// Get security descriptor from registry or create a new one
dwReturnValue = GetSecurityDescripterByName(tszPermissionName, &pSD, &bNewSD);
if (dwReturnValue != ERROR_SUCCESS)
break;
if (!::GetSecurityDescriptorDacl(pSD, &bPresent, &pDacl, &bDefaultDACL))
{
dwReturnValue = ::GetLastError();
break;
}
if (bNewSD)
{
dwReturnValue = SetACLDefaults(&pDacl, dwSDType);
if (dwReturnValue != ERROR_SUCCESS)
break;
}
// Add the Principal that the caller wants added
dwReturnValue = AddAccessDeniedACEToACL(&pDacl, dwAccessMask, tszPrincipal);
if (dwReturnValue != ERROR_SUCCESS)
break;
// Make the security descriptor absolute if it isn't new
if (!bNewSD)
{
dwReturnValue = MakeAbsoluteSecurityDescriptor((PSECURITY_DESCRIPTOR)pSD,
(PSECURITY_DESCRIPTOR *)&psdAbsolute);
if (dwReturnValue != ERROR_SUCCESS)
break;
}
else
psdAbsolute = pSD;
// Set the discretionary ACL on the security descriptor
if (!::SetSecurityDescriptorDacl(psdAbsolute, TRUE, pDacl, FALSE))
{
dwReturnValue = ::GetLastError();
break;
}
// Now ensure consistency of the SD
dwReturnValue = CanonicalizeSecurityDescriptor(psdAbsolute);
if (dwReturnValue != ERROR_SUCCESS)
break;
// Make the security descriptor self-relative so that we can
// store it in the registry
cbSecurityDesc = 0;
::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &cbSecurityDesc);
psdSelfRelative = (SECURITY_DESCRIPTOR *)malloc(cbSecurityDesc);
if (psdSelfRelative == NULL)
{
dwReturnValue = ERROR_OUTOFMEMORY;
break;
}
if (!::MakeSelfRelativeSD(psdAbsolute, psdSelfRelative, &cbSecurityDesc))
{
dwReturnValue = GetLastError();
break;
}
// Store the security descriptor in the registry
dwReturnValue = SetSecurityDescriptorByName(tszPermissionName, psdSelfRelative);
} while (false);
if (pSD != NULL)
free(pSD);
if (psdSelfRelative != NULL)
free(psdSelfRelative);
if ((psdAbsolute != NULL)&&(pSD != psdAbsolute))
free(psdAbsolute);
return dwReturnValue;
}
/*---------------------------------------------------------------------------*\
* NAME: AddPrincipalToNamedValueSD
* --------------------------------------------------------------------------*
* DESCRIPTION: Retrieves the designated security descriptor from the
* registry and adds an ACE for the designated principal.
\*---------------------------------------------------------------------------*/
DWORD AddPrincipalToNamedValueSD (
HKEY hkeyRoot,
LPTSTR tszKeyName,
LPTSTR tszValueName,
LPTSTR tszPrincipal,
BOOL fPermit,
DWORD dwAccessMask,
DWORD dwSDType
)
{
DWORD dwReturnValue = ERROR_SUCCESS;
SECURITY_DESCRIPTOR *pSD = NULL;
SECURITY_DESCRIPTOR *psdSelfRelative = NULL;
SECURITY_DESCRIPTOR *psdAbsolute = NULL;
DWORD cbSecurityDesc = 0;
BOOL fPresent = FALSE;
BOOL fDefaultDACL = FALSE;
PACL pDacl = NULL;
BOOL fNewSD = FALSE;
dwReturnValue = GetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, &pSD, &fNewSD);
// Get security descriptor from registry or create a new one
if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
if (!GetSecurityDescriptorDacl (pSD, &fPresent, &pDacl, &fDefaultDACL))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
if (fNewSD)
{
dwReturnValue = SetAclDefaults(&pDacl, dwSDType);
if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
}
// Add the tszPrincipal that the caller wants added
if (fPermit)
{
dwReturnValue = AddAccessAllowedACEToACL (&pDacl, dwAccessMask, tszPrincipal);
}
else
{
dwReturnValue = AddAccessDeniedACEToACL (&pDacl, dwAccessMask, tszPrincipal);
}
if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
// Make the security descriptor absolute if it isn't new
if (!fNewSD)
{
dwReturnValue = MakeSDAbsolute ((PSECURITY_DESCRIPTOR) pSD, (PSECURITY_DESCRIPTOR *) &psdAbsolute);
if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
}
else
{
psdAbsolute = pSD;
}
// Set the discretionary ACL on the security descriptor
if (!SetSecurityDescriptorDacl (psdAbsolute, TRUE, pDacl, FALSE))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
//Now ensure consistency of the SD
dwReturnValue = CanonicalizeSD(psdAbsolute);
if (dwReturnValue != ERROR_SUCCESS) goto CLEANUP;
// Make the security descriptor self-relative so that we can
// store it in the registry
cbSecurityDesc = 0;
MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc);
psdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (cbSecurityDesc);
if(!psdSelfRelative)
{
dwReturnValue = ERROR_OUTOFMEMORY;
goto CLEANUP;
}
if (!MakeSelfRelativeSD (psdAbsolute, psdSelfRelative, &cbSecurityDesc))
{
dwReturnValue = GetLastError();
goto CLEANUP;
}
// Store the security descriptor in the registry
SetNamedValueSD (hkeyRoot, tszKeyName, tszValueName, psdSelfRelative);
CLEANUP:
if(pSD) free (pSD);
if(psdSelfRelative) free (psdSelfRelative);
if(psdAbsolute && pSD != psdAbsolute) free (psdAbsolute);
return dwReturnValue;
}
DWORD
AddPrincipalToNamedValueSD (
HKEY RootKey,
LPTSTR KeyName,
LPTSTR ValueName,
LPTSTR Principal,
BOOL Permit
)
{
DWORD returnValue;
SECURITY_DESCRIPTOR *sd;
SECURITY_DESCRIPTOR *sdSelfRelative = NULL;
SECURITY_DESCRIPTOR *sdAbsolute;
DWORD secDescSize;
BOOL present;
BOOL defaultDACL;
PACL dacl;
BOOL newSD = FALSE;
returnValue = GetNamedValueSD (RootKey, KeyName, ValueName, &sd, &newSD);
//
// Get security descriptor from registry or create a new one
//
if (returnValue != ERROR_SUCCESS)
return returnValue;
if (!GetSecurityDescriptorDacl (sd, &present, &dacl, &defaultDACL))
return GetLastError();
if (newSD)
{
AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("SYSTEM"));
AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, TEXT("INTERACTIVE"));
}
//
// Add the Principal that the caller wants added
//
if (Permit)
returnValue = AddAccessAllowedACEToACL (&dacl, COM_RIGHTS_EXECUTE, Principal); else
returnValue = AddAccessDeniedACEToACL (&dacl, GENERIC_ALL, Principal);
if (returnValue != ERROR_SUCCESS)
{
free (sd);
return returnValue;
}
//
// Make the security descriptor absolute if it isn't new
//
if (!newSD)
MakeSDAbsolute ((PSECURITY_DESCRIPTOR) sd, (PSECURITY_DESCRIPTOR *) &sdAbsolute); else
sdAbsolute = sd;
//
// Set the discretionary ACL on the security descriptor
//
if (!SetSecurityDescriptorDacl (sdAbsolute, TRUE, dacl, FALSE))
return GetLastError();
//
// Make the security descriptor self-relative so that we can
// store it in the registry
//
secDescSize = 0;
MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize);
sdSelfRelative = (SECURITY_DESCRIPTOR *) malloc (secDescSize);
if (!MakeSelfRelativeSD (sdAbsolute, sdSelfRelative, &secDescSize))
return GetLastError();
//
// Store the security descriptor in the registry
//
SetNamedValueSD (RootKey, KeyName, ValueName, sdSelfRelative);
free (sd);
free (sdSelfRelative);
free (sdAbsolute);
return ERROR_SUCCESS;
}
