void CSWICertStoreTokenType::OpenToken(TCTTokenHandle aHandle, MCTToken*& aToken, TRequestStatus& aStatus)
{
if ((aHandle.iTokenTypeUid.iUid != KSWICertStoreTokenTypeUid) ||
(aHandle.iTokenId != ESWICertStore))
{
TRequestStatus* r = &aStatus;
User::RequestComplete(r, KErrBadHandle);
}
else
{
OpenToken(KSWICertStoreName, aToken, aStatus);
}
}
BOOL ReadMyToken(
HANDLE hMyToken)
{
HANDLE Token;
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
Token = OpenToken(hMyToken, TOKEN_QUERY);
if (Token == NULL) {
DbgPrint("SECEDIT : Failed to open the token with TOKEN_QUERY access\n");
return(FALSE);
}
if (!GetTokenInfo(Token, TokenStatistics, (PPVOID)&(pMyToken->TokenStats))) {
DbgPrint("SECEDIT : Failed to read token statistics from token\n");
}
if (!GetTokenInfo(Token, TokenGroups, (PPVOID)&(pMyToken->Groups))) {
DbgPrint("SECEDIT : Failed to read group info from token\n");
}
if (!GetTokenInfo(Token, TokenUser, (PPVOID)&(pMyToken->UserId))) {
DbgPrint("SECEDIT : Failed to read userid from token\n");
}
if (!GetTokenInfo(Token, TokenOwner, (PPVOID)&(pMyToken->DefaultOwner))) {
DbgPrint("SECEDIT : Failed to read default owner from token\n");
}
if (!GetTokenInfo(Token, TokenPrimaryGroup, (PPVOID)&(pMyToken->PrimaryGroup))) {
DbgPrint("SECEDIT : Failed to read primary group from token\n");
}
if (!GetTokenInfo(Token, TokenPrivileges, (PPVOID)&(pMyToken->Privileges))) {
DbgPrint("SECEDIT : Failed to read privilege info from token\n");
}
CloseToken(Token);
return(TRUE);
}
BOOL WriteMyToken(
HWND hDlg,
HANDLE hMyToken)
{
PMYTOKEN pMyToken = (PMYTOKEN)hMyToken;
HANDLE Token;
//
// Save default owner and primary group
//
Token = OpenToken(hMyToken, TOKEN_ADJUST_DEFAULT);
if (Token == NULL) {
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_DEFAULT access\n");
MessageBox(hDlg, "Failed to open token with access required\nUnable to change default owner or primary group", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
} else {
// Set default owner
//
if ((pMyToken->DefaultOwner != NULL) &&
(!SetTokenInfo(Token, TokenOwner, (PVOID)(pMyToken->DefaultOwner)))) {
MessageBox(hDlg, "Failed to set default owner", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
// Set primary group
//
if ((pMyToken->PrimaryGroup != NULL) &&
(!SetTokenInfo(Token, TokenPrimaryGroup, (PVOID)(pMyToken->PrimaryGroup)))) {
MessageBox(hDlg, "Failed to set primary group", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
CloseToken(Token);
}
//
// Save group info
//
Token = OpenToken(hMyToken, TOKEN_ADJUST_GROUPS);
if (Token == NULL) {
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_GROUPS access\n");
MessageBox(hDlg, "Failed to open token with access required\nUnable to change group settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
} else {
if ((pMyToken->Groups != NULL) &&
(!SetTokenInfo(Token, TokenGroups, (PVOID)(pMyToken->Groups)))) {
MessageBox(hDlg, "Failed to change group settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
CloseToken(Token);
}
//
// Change privileges
//
Token = OpenToken(hMyToken, TOKEN_ADJUST_PRIVILEGES);
if (Token == NULL) {
DbgPrint("SECEDIT: Failed to open token with TOKEN_ADJUST_PRIVILEGES access\n");
MessageBox(hDlg, "Failed to open token with access required\nUnable to change privilege settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
} else {
if ((pMyToken->Privileges != NULL) &&
(!SetTokenInfo(Token, TokenPrivileges, (PVOID)(pMyToken->Privileges)))) {
MessageBox(hDlg, "Failed to change privilege settings", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
CloseToken(Token);
}
return(TRUE);
}
VOID
_CRTAPI1 main (int argc, char *argv[])
{
int i;
PACL Dacl;
LPSTR FileName;
TOKEN_PRIVILEGES OldPrivileges;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
PSID AdminAliasSid;
BOOL Result;
ULONG DaclSize;
HANDLE TokenHandle;
SECURITY_DESCRIPTOR SecurityDescriptor;
Result = OpenToken( &TokenHandle );
if ( !Result ) {
printf("Unable to open token\n");
exit(-1);
}
Result = EnableCreatePermanentPrivilege(
TokenHandle,
&OldPrivileges
);
if ( !Result ) {
//
// This account doesn't have SeCreatePermanent
// privilege. Tell them to try running it again
// from an account that does.
//
printf("Unable to enable SeCreatePermanent privilege\n");
//
// do what you want here...
//
exit(4);
}
//
// Display privileges.
//
//
// Put things back the way they were
//
(VOID) AdjustTokenPrivileges (
TokenHandle,
FALSE,
&OldPrivileges,
sizeof( TOKEN_PRIVILEGES ),
NULL,
NULL
);
if ( GetLastError() != NO_ERROR ) {
//
// This is unlikely to happen,
//
printf("AdjustTokenPrivileges failed turning off SeCreatePermanent privilege\n");
}
}
DWORD
ApplySecurity(
HWND hwndParent,
HANDLE hInstance,
ULONG CallbackContext,
PSECURITY_DESCRIPTOR SecDesc,
PSECURITY_DESCRIPTOR SecDescNewObjects,
BOOLEAN ApplyToSubContainers,
BOOLEAN ApplyToSubObjects,
LPDWORD StatusReturn
)
{
HANDLE MyToken = (HANDLE)CallbackContext;
HANDLE Token = NULL;
PTOKEN_DEFAULT_DACL DefaultDacl = NULL;
NTSTATUS Status;
BOOLEAN DaclPresent;
BOOLEAN DaclDefaulted;
*StatusReturn = SED_STATUS_FAILED_TO_MODIFY;
//
// Get a handle to the token
//
Token = OpenToken(MyToken, TOKEN_ADJUST_DEFAULT);
if (Token == NULL) {
DbgPrint("SECEDIT : Failed to open the token for TOKEN_ADJUST_DEFAULT access\n");
goto CleanupAndExit;
}
DefaultDacl = Alloc(sizeof(TOKEN_DEFAULT_DACL));
if (DefaultDacl == NULL) {
goto CleanupAndExit;
}
Status = RtlGetDaclSecurityDescriptor (
SecDesc,
&DaclPresent,
&DefaultDacl->DefaultDacl,
&DaclDefaulted
);
ASSERT(NT_SUCCESS(Status));
ASSERT(DaclPresent);
if (SetTokenInfo(Token, TokenDefaultDacl, (PVOID)DefaultDacl)) {
*StatusReturn = SED_STATUS_MODIFIED;
}
CleanupAndExit:
if (Token != NULL) {
CloseToken(Token);
}
if (DefaultDacl != NULL) {
Free(DefaultDacl);
}
if (*StatusReturn != SED_STATUS_MODIFIED) {
MessageBox(hwndParent, "Failed to set default DACL", NULL, MB_ICONSTOP | MB_APPLMODAL | MB_OK);
}
return(ERROR_SUCCESS);
}
BOOL
EditDefaultDacl(
HWND hwndOwner,
HANDLE Instance,
HANDLE MyToken
)
{
NTSTATUS Status;
BOOL Success = FALSE;
DWORD EditResult;
HANDLE Token = NULL;
PTOKEN_DEFAULT_DACL DefaultDacl = NULL;
PSECURITY_DESCRIPTOR SecurityDescriptor = NULL;
PTOKEN_OWNER Owner = NULL;
PTOKEN_PRIMARY_GROUP PrimaryGroup = NULL;
WCHAR string[MAX_STRING_LENGTH];
//
// Get the window text so we can use it as the token name
//
GetWindowTextW(((PMYTOKEN)MyToken)->hwnd, string, sizeof(string)/sizeof(*string));
//
// Get a handle to the token
//
Token = OpenToken(MyToken, TOKEN_QUERY);
if (Token == NULL) {
DbgPrint("SECEDIT : Failed to open the token with TOKEN_QUERY access\n");
goto CleanupAndExit;
}
//
// Read the default DACL from the token
//
if (!GetTokenInfo(Token, TokenDefaultDacl, (PPVOID)&DefaultDacl)) {
DbgPrint("SECEDIT : Failed to read default DACL from token\n");
goto CleanupAndExit;
}
//
// Get the owner and group of the token
//
if (!GetTokenInfo(Token, TokenOwner, (PPVOID)&Owner)) {
DbgPrint("SECEDIT : Failed to read owner from token\n");
goto CleanupAndExit;
}
if (!GetTokenInfo(Token, TokenPrimaryGroup, (PPVOID)&PrimaryGroup)) {
DbgPrint("SECEDIT : Failed to read primary group from token\n");
goto CleanupAndExit;
}
//
// Create a security descriptor
//
SecurityDescriptor = Alloc(SECURITY_DESCRIPTOR_MIN_LENGTH);
if (SecurityDescriptor == NULL) {
DbgPrint("SECEDIT : Failed to allocate security descriptor\n");
goto CleanupAndExit;
}
Status = RtlCreateSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION);
ASSERT(NT_SUCCESS(Status));
//
// Set the DACL on the security descriptor
//
Status = RtlSetDaclSecurityDescriptor(
SecurityDescriptor,
TRUE, // DACL present
DefaultDacl->DefaultDacl,
FALSE // DACL defaulted
);
ASSERT(NT_SUCCESS(Status));
//
// Put the owner and group in the security descriptor to keep the
// ACL editor happy
//
Status = RtlSetOwnerSecurityDescriptor(
SecurityDescriptor,
Owner->Owner,
FALSE // Owner defaulted
);
ASSERT(NT_SUCCESS(Status));
Status = RtlSetGroupSecurityDescriptor(
SecurityDescriptor,
PrimaryGroup->PrimaryGroup,
FALSE // Owner defaulted
);
ASSERT(NT_SUCCESS(Status));
ASSERT(RtlValidSecurityDescriptor(SecurityDescriptor));
//
// Call the ACL editor, it will call our ApplySecurity function
// to store any ACL changes in the token.
//
Success = EditTokenDefaultAcl(
hwndOwner,
Instance,
string,
MyToken,
SecurityDescriptor,
&EditResult
);
if (!Success) {
DbgPrint("SECEDIT: Failed to edit token DACL\n");
}
CleanupAndExit:
if (DefaultDacl != NULL) {
FreeTokenInfo(DefaultDacl);
}
if (SecurityDescriptor != NULL) {
FreeTokenInfo(SecurityDescriptor);
}
if (PrimaryGroup != NULL) {
FreeTokenInfo(PrimaryGroup);
}
if (Owner != NULL) {
FreeTokenInfo(Owner);
}
if (Token != NULL) {
CloseToken(Token);
}
return(Success);
}
