Windows: include owner/group in Security DACL

Include the World (Everyone) SID as the owner and group for
all files in AFS.

FIXES 130343

Change-Id: I01d697d7a6dea8e0bea67b81c14597c197b4241d
Reviewed-on: http://gerrit.openafs.org/6236
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@secure-endpoints.com>
Tested-by: Jeffrey Altman <jaltman@secure-endpoints.com>

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSData.cpp b/src/WINNT/afsrdr/kernel/lib/AFSData.cpp
index 377a3ef..d892c12 100644 (file)
--- a/src/WINNT/afsrdr/kernel/lib/AFSData.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSData.cpp
@@ -114,4 +114,8 @@ PAFSRtlSetSaclSecurityDescriptor AFSRtlSetSaclSecurityDescriptor = NULL;
 
 SECURITY_DESCRIPTOR *AFSDefaultSD = NULL;
 
+PAFSRtlSetGroupSecurityDescriptor AFSRtlSetGroupSecurityDescriptor = NULL;
+
+SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY};
+
 }

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp b/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp
index 6d6b126..4146ced 100644 (file)
--- a/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp
@@ -8083,10 +8083,35 @@ AFSCreateDefaultSecurityDescriptor()
     SECURITY_DESCRIPTOR *pSecurityDescr = NULL;
     ULONG ulSDLength = 0;
     SECURITY_DESCRIPTOR *pRelativeSecurityDescr = NULL;
+    PSID pWorldSID = NULL;
+    ULONG *pulSubAuthority = NULL;
+    ULONG ulWorldSIDLEngth = 0;
 
     __Enter
     {
 
+        ulWorldSIDLEngth = RtlLengthRequiredSid( 1);
+
+        pWorldSID = (PSID)ExAllocatePoolWithTag( PagedPool,
+                                                 ulWorldSIDLEngth,
+                                                 AFS_GENERIC_MEMORY_29_TAG);
+
+        if( pWorldSID == NULL)
+        {
+            AFSPrint( "AFSCreateDefaultSecurityDescriptor unable to allocate World SID\n");
+            try_return( ntStatus = STATUS_INSUFFICIENT_RESOURCES);
+        }
+
+        RtlZeroMemory( pWorldSID,
+                       ulWorldSIDLEngth);
+
+        RtlInitializeSid( pWorldSID,
+                          &SeWorldSidAuthority,
+                          1);
+
+        pulSubAuthority = RtlSubAuthoritySid(pWorldSID, 0);
+        *pulSubAuthority = SECURITY_WORLD_RID;
+
         if( AFSRtlSetSaclSecurityDescriptor == NULL)
         {
 
@@ -8206,6 +8231,39 @@ AFSCreateDefaultSecurityDescriptor()
             }
         }
 
+        //
+        // Add in the group and owner to the SD
+        //
+
+        if( AFSRtlSetGroupSecurityDescriptor != NULL)
+        {
+            ntStatus = AFSRtlSetGroupSecurityDescriptor( pSecurityDescr,
+                                                         pWorldSID,
+                                                         FALSE);
+
+            if( !NT_SUCCESS( ntStatus))
+            {
+
+                AFSPrint( "AFSCreateDefaultSecurityDescriptor RtlSetGroupSecurityDescriptor failed ntStatus %08lX\n",
+                          ntStatus);
+
+                try_return( ntStatus);
+            }
+        }
+
+        ntStatus = RtlSetOwnerSecurityDescriptor( pSecurityDescr,
+                                                  pWorldSID,
+                                                  FALSE);
+
+        if( !NT_SUCCESS( ntStatus))
+        {
+
+            AFSPrint( "AFSCreateDefaultSecurityDescriptor RtlSetOwnerSecurityDescriptor failed ntStatus %08lX\n",
+                      ntStatus);
+
+            try_return( ntStatus);
+        }
+
         if( !RtlValidSecurityDescriptor( pSecurityDescr))
         {
 
@@ -8268,6 +8326,11 @@ try_exit:
         {
             ExFreePool( pACE);
         }
+
+        if( pWorldSID != NULL)
+        {
+            ExFreePool( pWorldSID);
+        }
     }
 
     return ntStatus;
@@ -8304,3 +8367,4 @@ AFSRetrieveParentPath( IN UNICODE_STRING *FullFileName,
 
     return;
 }
+

diff --git a/src/WINNT/afsrdr/kernel/lib/AFSInit.cpp b/src/WINNT/afsrdr/kernel/lib/AFSInit.cpp
index 658a892..98a5941 100644 (file)
--- a/src/WINNT/afsrdr/kernel/lib/AFSInit.cpp
+++ b/src/WINNT/afsrdr/kernel/lib/AFSInit.cpp
@@ -147,7 +147,14 @@ DriverEntry( PDRIVER_OBJECT DriverObject,
 
             AFSRtlSetSaclSecurityDescriptor = (PAFSRtlSetSaclSecurityDescriptor)MmGetSystemRoutineAddress( &uniRoutine);
         }
+
 #endif
+
+        RtlInitUnicodeString( &uniRoutine,
+                              L"RtlSetGroupSecurityDescriptor");
+
+        AFSRtlSetGroupSecurityDescriptor = (PAFSRtlSetGroupSecurityDescriptor)MmGetSystemRoutineAddress( &uniRoutine);
+
         ntStatus = AFSCreateDefaultSecurityDescriptor();
 
         if( !NT_SUCCESS( ntStatus))

diff --git a/src/WINNT/afsrdr/kernel/lib/Include/AFSDefines.h b/src/WINNT/afsrdr/kernel/lib/Include/AFSDefines.h
index 8f070c1..510718b 100644 (file)
--- a/src/WINNT/afsrdr/kernel/lib/Include/AFSDefines.h
+++ b/src/WINNT/afsrdr/kernel/lib/Include/AFSDefines.h
@@ -86,6 +86,12 @@ NTSTATUS
                                      PACL Sacl,
                                      BOOLEAN SaclDefaulted);
 
+typedef
+NTSTATUS
+(*PAFSRtlSetGroupSecurityDescriptor)( IN PSECURITY_DESCRIPTOR  SecurityDescriptor,
+                                      IN PSID  Group  OPTIONAL,
+                                      IN BOOLEAN  GroupDefaulted);
+
 //
 // Worker thread count
 //

diff --git a/src/WINNT/afsrdr/kernel/lib/Include/AFSExtern.h b/src/WINNT/afsrdr/kernel/lib/Include/AFSExtern.h
index 37c4fb6..f38652b 100644 (file)
--- a/src/WINNT/afsrdr/kernel/lib/Include/AFSExtern.h
+++ b/src/WINNT/afsrdr/kernel/lib/Include/AFSExtern.h
@@ -97,6 +97,10 @@ extern PAFSRtlSetSaclSecurityDescriptor AFSRtlSetSaclSecurityDescriptor;
 
 extern SECURITY_DESCRIPTOR *AFSDefaultSD;
 
+extern PAFSRtlSetGroupSecurityDescriptor AFSRtlSetGroupSecurityDescriptor;
+
+extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority;
+
 }
 
 #endif /* _AFS_EXTERN_H */