static DWORD VmAfdCreateAccessToken( PACCESS_TOKEN * AccessToken, PTOKEN_USER User, PTOKEN_GROUPS Groups, PTOKEN_PRIVILEGES Privileges, PTOKEN_OWNER Owner, PTOKEN_PRIMARY_GROUP PrimaryGroup, PTOKEN_DEFAULT_DACL DefaultDacl) { DWORD dwError = 0; NTSTATUS ntStatus = 0; ntStatus = RtlCreateAccessToken( AccessToken, User, Groups, Privileges, Owner, PrimaryGroup, DefaultDacl, NULL); dwError = LwNtStatusToWin32Error(ntStatus); return dwError; }
static NTSTATUS LwIoFuseCreateAccessTokenForOther( PACCESS_TOKEN* ppOtherToken ) { NTSTATUS status = STATUS_SUCCESS; PACCESS_TOKEN pOtherToken = NULL; TOKEN_USER user = {{0}}; TOKEN_OWNER owner = {0}; TOKEN_GROUPS groups = {0}; TOKEN_PRIVILEGES privileges = {0}; TOKEN_PRIMARY_GROUP primaryGroup = {0}; TOKEN_DEFAULT_DACL dacl = {0}; status = RtlAllocateSidFromCString( &user.User.Sid, "S-1-1-0"); BAIL_ON_NT_STATUS(status); status = RtlCreateAccessToken( &pOtherToken, &user, &groups, &privileges, &owner, &primaryGroup, &dacl, NULL); BAIL_ON_NT_STATUS(status); *ppOtherToken = pOtherToken; cleanup: RTL_FREE(&user.User.Sid); return status; error: *ppOtherToken = NULL; if (pOtherToken) { RtlReleaseAccessToken(&pOtherToken); } goto cleanup; }
static NTSTATUS LwIoFuseCreateAccessTokenForGroup( PSID pGroupSid, PACCESS_TOKEN* ppGroupToken ) { NTSTATUS status = STATUS_SUCCESS; PACCESS_TOKEN pGroupToken = NULL; TOKEN_USER user = {{0}}; TOKEN_OWNER owner = {0}; TOKEN_GROUPS groups = {0}; TOKEN_PRIVILEGES privileges = {0}; TOKEN_PRIMARY_GROUP primaryGroup = {0}; TOKEN_DEFAULT_DACL dacl = {0}; user.User.Sid = pGroupSid; status = RtlCreateAccessToken( &pGroupToken, &user, &groups, &privileges, &owner, &primaryGroup, &dacl, NULL); BAIL_ON_NT_STATUS(status); *ppGroupToken = pGroupToken; cleanup: return status; error: *ppGroupToken = NULL; if (pGroupToken) { RtlReleaseAccessToken(&pGroupToken); } goto cleanup; }
NTSTATUS RtlSelfRelativeAccessTokenToAccessToken( IN PACCESS_TOKEN_SELF_RELATIVE pRelative, IN ULONG ulRelativeSize, OUT PACCESS_TOKEN* ppToken ) { NTSTATUS status = STATUS_SUCCESS; ULONG ulOffset = 0; PBYTE pBuffer = (PBYTE) pRelative; PSID pSid = NULL; PSID_AND_ATTRIBUTES_SELF_RELATIVE pGroups = NULL; ULONG ulSize = 0; ULONG ulRealSize = 0; ULONG i = 0; TOKEN_USER User = {{0}}; TOKEN_OWNER Owner = {0}; TOKEN_PRIMARY_GROUP PrimaryGroup = {0}; TOKEN_UNIX Unix = {0}; PTOKEN_GROUPS pTokenGroups = NULL; PTOKEN_PRIVILEGES pTokenPrivileges = NULL; TOKEN_DEFAULT_DACL DefaultDacl = {0}; status = CheckOffset(0, sizeof(*pRelative), ulRelativeSize); GOTO_CLEANUP_ON_STATUS(status); if (pRelative->Flags & ACCESS_TOKEN_FLAG_UNIX_PRESENT) { Unix.Uid = pRelative->Uid; Unix.Gid = pRelative->Gid; Unix.Umask = pRelative->Umask; } User.User.Attributes = pRelative->User.Attributes; ulOffset = pRelative->User.SidOffset; pSid = (PSID) (pBuffer + ulOffset); status = RtlValidateSelfRelativeSid(pSid, ulOffset, ulRelativeSize); GOTO_CLEANUP_ON_STATUS(status); User.User.Sid = pSid; ulOffset = pRelative->GroupsOffset; if (ulOffset) { status = LwRtlSafeMultiplyULONG( &ulSize, sizeof(SID_AND_ATTRIBUTES_SELF_RELATIVE), pRelative->GroupCount); GOTO_CLEANUP_ON_STATUS(status); status = LwRtlSafeMultiplyULONG( &ulRealSize, sizeof(SID_AND_ATTRIBUTES), pRelative->GroupCount); GOTO_CLEANUP_ON_STATUS(status); status = LwRtlSafeAddULONG( &ulRealSize, ulRealSize, sizeof(TOKEN_GROUPS)); GOTO_CLEANUP_ON_STATUS(status); status = CheckOffset(ulOffset, ulSize, ulRelativeSize); GOTO_CLEANUP_ON_STATUS(status); pGroups = (PSID_AND_ATTRIBUTES_SELF_RELATIVE) (pBuffer + ulOffset); status = RTL_ALLOCATE(&pTokenGroups, TOKEN_GROUPS, ulRealSize); GOTO_CLEANUP_ON_STATUS(status); pTokenGroups->GroupCount = pRelative->GroupCount; for (i = 0; i < pRelative->GroupCount; i++) { pTokenGroups->Groups[i].Attributes = pGroups[i].Attributes; ulOffset = pGroups[i].SidOffset; pSid = (PSID) (pBuffer + ulOffset); status = RtlValidateSelfRelativeSid(pSid, ulOffset, ulRelativeSize); GOTO_CLEANUP_ON_STATUS(status); pTokenGroups->Groups[i].Sid = pSid; } } ulOffset = pRelative->PrivilegesOffset; if (ulOffset) { status = LwRtlSafeMultiplyULONG( &ulSize, sizeof(LUID_AND_ATTRIBUTES), pRelative->PrivilegeCount); GOTO_CLEANUP_ON_STATUS(status); status = LwRtlSafeMultiplyULONG( &ulRealSize, sizeof(LUID_AND_ATTRIBUTES), pRelative->PrivilegeCount); GOTO_CLEANUP_ON_STATUS(status); status = LwRtlSafeAddULONG( &ulRealSize, ulRealSize, sizeof(TOKEN_PRIVILEGES)); GOTO_CLEANUP_ON_STATUS(status); status = CheckOffset(ulOffset, ulSize, ulRelativeSize); GOTO_CLEANUP_ON_STATUS(status); status = RTL_ALLOCATE(&pTokenPrivileges, TOKEN_PRIVILEGES, ulRealSize); GOTO_CLEANUP_ON_STATUS(status); pTokenPrivileges->PrivilegeCount = pRelative->PrivilegeCount; memcpy(pTokenPrivileges->Privileges, pBuffer + ulOffset, sizeof(LUID_AND_ATTRIBUTES) * pTokenPrivileges->PrivilegeCount); } ulOffset = pRelative->OwnerOffset; if (ulOffset) { pSid = (PSID) (pBuffer + ulOffset); status = RtlValidateSelfRelativeSid(pSid, ulOffset, ulRelativeSize); GOTO_CLEANUP_ON_STATUS(status); Owner.Owner = pSid; } ulOffset = pRelative->PrimaryGroupOffset; if (ulOffset) { pSid = (PSID) (pBuffer + ulOffset); status = RtlValidateSelfRelativeSid(pSid, ulOffset, ulRelativeSize); GOTO_CLEANUP_ON_STATUS(status); PrimaryGroup.PrimaryGroup = pSid; } status = RtlCreateAccessToken( ppToken, &User, pTokenGroups, pTokenPrivileges, &Owner, &PrimaryGroup, &DefaultDacl, pRelative->Flags & ACCESS_TOKEN_FLAG_UNIX_PRESENT ? &Unix : NULL); GOTO_CLEANUP_ON_STATUS(status); cleanup: RTL_FREE(&pTokenGroups); if (!NT_SUCCESS(status)) { *ppToken = NULL; } return status; }