2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* Security related utilities for the Windows platform */
22 #include "secutil_nt.h"
26 /* local declarations */
29 WorldGroupSidAllocate(PSID *sidPP);
32 LocalAdminsGroupSidAllocate(PSID *sidPP);
35 BuildExplicitAccessWithSid(PEXPLICIT_ACCESS explicitAccessP,
38 ACCESS_MODE accessMode,
43 /* -------------------- Exported functions ------------------------ */
48 * ObjectDaclEntryAdd() -- add an access-control entry to an object's DACL.
50 * Notes: The accessPerm, accessMode, and inheritance args must be correct
51 * for an EXPLICIT_ACCESS structure describing a DACL entry.
52 * Caller must have READ_CONTRL/WRITE_DAC rights for object handle.
54 * RETURN CODES: Win32 status code (ERROR_SUCCESS if succeeds)
57 ObjectDaclEntryAdd(HANDLE objectHandle,
58 SE_OBJECT_TYPE objectType,
59 WELLKNOWN_TRUSTEE_ID trustee,
61 ACCESS_MODE accessMode,
64 DWORD status = ERROR_SUCCESS;
67 /* allocate SID for (well-known) trustee */
69 if (trustee == WorldGroup) {
70 if (!WorldGroupSidAllocate(&trusteeSidP)) {
71 status = GetLastError();
73 } else if (trustee == LocalAdministratorsGroup) {
74 if (!LocalAdminsGroupSidAllocate(&trusteeSidP)) {
75 status = GetLastError();
78 status = ERROR_INVALID_PARAMETER;
81 if (status == ERROR_SUCCESS) {
82 EXPLICIT_ACCESS accessEntry;
83 PACL curDaclP, newDaclP;
84 PSECURITY_DESCRIPTOR secP;
86 /* initialize access information for trustee */
88 BuildExplicitAccessWithSid(&accessEntry,
90 accessPerm, accessMode, inheritance);
92 /* get object's current DACL */
94 status = GetSecurityInfo(objectHandle,
96 DACL_SECURITY_INFORMATION,
97 NULL, NULL, &curDaclP, NULL, &secP);
99 if (status == ERROR_SUCCESS) {
100 /* merge access information into current DACL to form new DACL */
101 status = SetEntriesInAcl(1, &accessEntry, curDaclP, &newDaclP);
103 if (status == ERROR_SUCCESS) {
104 /* replace object's current DACL with newly formed DACL */
106 /* MS SP4 introduced a bug into SetSecurityInfo() so that it
107 * no longer operates correctly with named pipes. Work around
108 * this problem by using "low-level" access control functions
109 * for kernel objects (of which named pipes are one example).
112 if (objectType != SE_KERNEL_OBJECT) {
113 status = SetSecurityInfo(objectHandle,
115 DACL_SECURITY_INFORMATION,
116 NULL, NULL, newDaclP, NULL);
118 if (!SetSecurityDescriptorDacl(secP,
119 TRUE, newDaclP, FALSE) ||
121 !SetKernelObjectSecurity(objectHandle,
122 DACL_SECURITY_INFORMATION,
124 status = GetLastError();
128 (void)LocalFree((HLOCAL)newDaclP);
131 (void)LocalFree((HLOCAL)secP);
134 FreeSid(trusteeSidP);
143 /* -------------------- Local functions ------------------------ */
146 * WorldGroupSidAllocate() -- allocate and initialize SID for the
147 * well-known World group representing all users.
149 * SID is freed via FreeSid()
151 * RETURN CODES: TRUE success, FALSE failure (GetLastError() indicates why)
154 WorldGroupSidAllocate(PSID *sidPP)
156 SID_IDENTIFIER_AUTHORITY sidAuth = SECURITY_WORLD_SID_AUTHORITY;
158 return AllocateAndInitializeSid(&sidAuth,
167 * LocalAdminsGroupSidAllocate() -- allocate and initialize SID for the
168 * well-known local Administrators group.
170 * SID is freed via FreeSid()
172 * RETURN CODES: TRUE success, FALSE failure (GetLastError() indicates why)
175 LocalAdminsGroupSidAllocate(PSID *sidPP)
177 SID_IDENTIFIER_AUTHORITY sidAuth = SECURITY_NT_AUTHORITY;
179 return AllocateAndInitializeSid(&sidAuth,
181 SECURITY_BUILTIN_DOMAIN_RID,
182 DOMAIN_ALIAS_RID_ADMINS,
189 * BuildExplicitAccessWithSid() - counterpart to the Win32 API function
190 * BuildExplicitAccessWithName() (surprisingly, MS doesn't provide this).
193 BuildExplicitAccessWithSid(PEXPLICIT_ACCESS explicitAccessP,
196 ACCESS_MODE accessMode,
199 if (explicitAccessP != NULL) {
200 explicitAccessP->grfAccessPermissions = accessPerm;
201 explicitAccessP->grfAccessMode = accessMode;
202 explicitAccessP->grfInheritance = inheritance;
203 BuildTrusteeWithSid(&explicitAccessP->Trustee, trusteeSidP);