1 /*
2 * PROJECT: ReactOS Service Control Manager
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: base/system/services/security.c
5 * PURPOSE: Security functions
6 * COPYRIGHT: Eric Kohl
7 */
8
9 /* INCLUDES *****************************************************************/
10
11 #include "services.h"
12
13 #define NDEBUG
14 #include <debug.h>
15
16 static PSID pNullSid = NULL;
17 static PSID pWorldSid = NULL;
18 static PSID pLocalSystemSid = NULL;
19 static PSID pAuthenticatedUserSid = NULL;
20 static PSID pAliasAdminsSid = NULL;
21
22 static PACL pDefaultDacl = NULL;
23 static PACL pDefaultSacl = NULL;
24 static PACL pPipeDacl = NULL;
25
26 static PSECURITY_DESCRIPTOR pDefaultSD = NULL;
27 PSECURITY_DESCRIPTOR pPipeSD = NULL;
28
29
30 /* FUNCTIONS ****************************************************************/
31
32 static
33 VOID
ScmFreeSids(VOID)34 ScmFreeSids(VOID)
35 {
36 if (pNullSid != NULL)
37 RtlFreeHeap(RtlGetProcessHeap(), 0, pNullSid);
38
39 if (pWorldSid != NULL)
40 RtlFreeHeap(RtlGetProcessHeap(), 0, pWorldSid);
41
42 if (pLocalSystemSid != NULL)
43 RtlFreeHeap(RtlGetProcessHeap(), 0, pLocalSystemSid);
44
45 if (pAuthenticatedUserSid != NULL)
46 RtlFreeHeap(RtlGetProcessHeap(), 0, pAuthenticatedUserSid);
47
48 if (pAliasAdminsSid != NULL)
49 RtlFreeHeap(RtlGetProcessHeap(), 0, pAliasAdminsSid);
50 }
51
52
53 static
54 DWORD
ScmCreateSids(VOID)55 ScmCreateSids(VOID)
56 {
57 SID_IDENTIFIER_AUTHORITY NullAuthority = {SECURITY_NULL_SID_AUTHORITY};
58 SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};
59 SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY};
60 PULONG pSubAuthority;
61 ULONG ulLength1 = RtlLengthRequiredSid(1);
62 ULONG ulLength2 = RtlLengthRequiredSid(2);
63
64 /* Create the Null SID */
65 pNullSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
66 if (pNullSid == NULL)
67 {
68 return ERROR_OUTOFMEMORY;
69 }
70
71 RtlInitializeSid(pNullSid, &NullAuthority, 1);
72 pSubAuthority = RtlSubAuthoritySid(pNullSid, 0);
73 *pSubAuthority = SECURITY_NULL_RID;
74
75 /* Create the World SID */
76 pWorldSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
77 if (pWorldSid == NULL)
78 {
79 return ERROR_OUTOFMEMORY;
80 }
81
82 RtlInitializeSid(pWorldSid, &WorldAuthority, 1);
83 pSubAuthority = RtlSubAuthoritySid(pWorldSid, 0);
84 *pSubAuthority = SECURITY_WORLD_RID;
85
86 /* Create the LocalSystem SID */
87 pLocalSystemSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
88 if (pLocalSystemSid == NULL)
89 {
90 return ERROR_OUTOFMEMORY;
91 }
92
93 RtlInitializeSid(pLocalSystemSid, &NtAuthority, 1);
94 pSubAuthority = RtlSubAuthoritySid(pLocalSystemSid, 0);
95 *pSubAuthority = SECURITY_LOCAL_SYSTEM_RID;
96
97 /* Create the AuthenticatedUser SID */
98 pAuthenticatedUserSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
99 if (pAuthenticatedUserSid == NULL)
100 {
101 return ERROR_OUTOFMEMORY;
102 }
103
104 RtlInitializeSid(pAuthenticatedUserSid, &NtAuthority, 1);
105 pSubAuthority = RtlSubAuthoritySid(pAuthenticatedUserSid, 0);
106 *pSubAuthority = SECURITY_AUTHENTICATED_USER_RID;
107
108 /* Create the AliasAdmins SID */
109 pAliasAdminsSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength2);
110 if (pAliasAdminsSid == NULL)
111 {
112 return ERROR_OUTOFMEMORY;
113 }
114
115 RtlInitializeSid(pAliasAdminsSid, &NtAuthority, 2);
116 pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 0);
117 *pSubAuthority = SECURITY_BUILTIN_DOMAIN_RID;
118 pSubAuthority = RtlSubAuthoritySid(pAliasAdminsSid, 1);
119 *pSubAuthority = DOMAIN_ALIAS_RID_ADMINS;
120
121 return ERROR_SUCCESS;
122 }
123
124
125 static
126 DWORD
ScmCreateAcls(VOID)127 ScmCreateAcls(VOID)
128 {
129 ULONG ulLength;
130
131 /* Create DACL */
132 ulLength = sizeof(ACL) +
133 (sizeof(ACE) + RtlLengthSid(pLocalSystemSid)) +
134 (sizeof(ACE) + RtlLengthSid(pAliasAdminsSid)) +
135 (sizeof(ACE) + RtlLengthSid(pAuthenticatedUserSid));
136
137 pDefaultDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
138 if (pDefaultDacl == NULL)
139 return ERROR_OUTOFMEMORY;
140
141 RtlCreateAcl(pDefaultDacl, ulLength, ACL_REVISION);
142
143 RtlAddAccessAllowedAce(pDefaultDacl,
144 ACL_REVISION,
145 READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE |
146 SERVICE_PAUSE_CONTINUE | SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS |
147 SERVICE_START | SERVICE_STOP | SERVICE_USER_DEFINED_CONTROL,
148 pLocalSystemSid);
149
150 RtlAddAccessAllowedAce(pDefaultDacl,
151 ACL_REVISION,
152 SERVICE_ALL_ACCESS,
153 pAliasAdminsSid);
154
155 RtlAddAccessAllowedAce(pDefaultDacl,
156 ACL_REVISION,
157 READ_CONTROL | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE |
158 SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_USER_DEFINED_CONTROL,
159 pAuthenticatedUserSid);
160
161 /* Create SACL */
162 ulLength = sizeof(ACL) +
163 (sizeof(ACE) + RtlLengthSid(pNullSid));
164
165 pDefaultSacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
166 if (pDefaultSacl == NULL)
167 return ERROR_OUTOFMEMORY;
168
169 RtlCreateAcl(pDefaultSacl, ulLength, ACL_REVISION);
170
171 RtlAddAuditAccessAce(pDefaultSacl,
172 ACL_REVISION,
173 SERVICE_ALL_ACCESS,
174 pNullSid,
175 FALSE,
176 TRUE);
177
178 /* Create the pipe DACL */
179 ulLength = sizeof(ACL) +
180 (sizeof(ACE) + RtlLengthSid(pWorldSid));
181
182 pPipeDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
183 if (pPipeDacl == NULL)
184 return ERROR_OUTOFMEMORY;
185
186 RtlCreateAcl(pPipeDacl, ulLength, ACL_REVISION);
187
188 RtlAddAccessAllowedAce(pPipeDacl,
189 ACL_REVISION,
190 GENERIC_ALL,
191 pWorldSid);
192
193 return ERROR_SUCCESS;
194 }
195
196
197 static
198 VOID
ScmFreeAcls(VOID)199 ScmFreeAcls(VOID)
200 {
201 if (pDefaultDacl != NULL)
202 RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultDacl);
203
204 if (pDefaultSacl != NULL)
205 RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl);
206
207 if (pPipeDacl != NULL)
208 RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeDacl);
209 }
210
211
212 static
213 DWORD
ScmCreateDefaultSD(VOID)214 ScmCreateDefaultSD(VOID)
215 {
216 NTSTATUS Status;
217
218 /* Create the absolute security descriptor */
219 pDefaultSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
220 if (pDefaultSD == NULL)
221 return ERROR_OUTOFMEMORY;
222
223 DPRINT("pDefaultSD %p\n", pDefaultSD);
224
225 Status = RtlCreateSecurityDescriptor(pDefaultSD,
226 SECURITY_DESCRIPTOR_REVISION);
227 if (!NT_SUCCESS(Status))
228 return RtlNtStatusToDosError(Status);
229
230 Status = RtlSetOwnerSecurityDescriptor(pDefaultSD,
231 pLocalSystemSid,
232 FALSE);
233 if (!NT_SUCCESS(Status))
234 return RtlNtStatusToDosError(Status);
235
236 Status = RtlSetGroupSecurityDescriptor(pDefaultSD,
237 pLocalSystemSid,
238 FALSE);
239 if (!NT_SUCCESS(Status))
240 return RtlNtStatusToDosError(Status);
241
242 Status = RtlSetDaclSecurityDescriptor(pDefaultSD,
243 TRUE,
244 pDefaultDacl,
245 FALSE);
246 if (!NT_SUCCESS(Status))
247 return RtlNtStatusToDosError(Status);
248
249 Status = RtlSetSaclSecurityDescriptor(pDefaultSD,
250 TRUE,
251 pDefaultSacl,
252 FALSE);
253 if (!NT_SUCCESS(Status))
254 return RtlNtStatusToDosError(Status);
255
256 return ERROR_SUCCESS;
257 }
258
259
260 static
261 VOID
ScmFreeDefaultSD(VOID)262 ScmFreeDefaultSD(VOID)
263 {
264 if (pDefaultSD != NULL)
265 RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSD);
266 }
267
268
269 static
270 DWORD
ScmCreatePipeSD(VOID)271 ScmCreatePipeSD(VOID)
272 {
273 NTSTATUS Status;
274
275 /* Create the absolute security descriptor */
276 pPipeSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
277 if (pPipeSD == NULL)
278 return ERROR_OUTOFMEMORY;
279
280 DPRINT("pPipeSD %p\n", pDefaultSD);
281
282 Status = RtlCreateSecurityDescriptor(pPipeSD,
283 SECURITY_DESCRIPTOR_REVISION);
284 if (!NT_SUCCESS(Status))
285 return RtlNtStatusToDosError(Status);
286
287 Status = RtlSetOwnerSecurityDescriptor(pPipeSD,
288 pLocalSystemSid,
289 FALSE);
290 if (!NT_SUCCESS(Status))
291 return RtlNtStatusToDosError(Status);
292
293 Status = RtlSetGroupSecurityDescriptor(pPipeSD,
294 pLocalSystemSid,
295 FALSE);
296 if (!NT_SUCCESS(Status))
297 return RtlNtStatusToDosError(Status);
298
299 Status = RtlSetDaclSecurityDescriptor(pPipeSD,
300 TRUE,
301 pPipeDacl,
302 FALSE);
303 if (!NT_SUCCESS(Status))
304 return RtlNtStatusToDosError(Status);
305
306 return ERROR_SUCCESS;
307 }
308
309
310 static
311 VOID
ScmFreePipeSD(VOID)312 ScmFreePipeSD(VOID)
313 {
314 if (pPipeSD != NULL)
315 RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD);
316 }
317
318
319 DWORD
ScmCreateDefaultServiceSD(PSECURITY_DESCRIPTOR * ppSecurityDescriptor)320 ScmCreateDefaultServiceSD(
321 PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
322 {
323 PSECURITY_DESCRIPTOR pRelativeSD = NULL;
324 DWORD dwBufferLength = 0;
325 NTSTATUS Status;
326 DWORD dwError = ERROR_SUCCESS;
327
328 /* Convert the absolute SD to a self-relative SD */
329 Status = RtlAbsoluteToSelfRelativeSD(pDefaultSD,
330 NULL,
331 &dwBufferLength);
332 if (Status != STATUS_BUFFER_TOO_SMALL)
333 {
334 dwError = RtlNtStatusToDosError(Status);
335 goto done;
336 }
337
338 DPRINT("BufferLength %lu\n", dwBufferLength);
339
340 pRelativeSD = RtlAllocateHeap(RtlGetProcessHeap(),
341 HEAP_ZERO_MEMORY,
342 dwBufferLength);
343 if (pRelativeSD == NULL)
344 {
345 dwError = ERROR_OUTOFMEMORY;
346 goto done;
347 }
348 DPRINT("pRelativeSD %p\n", pRelativeSD);
349
350 Status = RtlAbsoluteToSelfRelativeSD(pDefaultSD,
351 pRelativeSD,
352 &dwBufferLength);
353 if (!NT_SUCCESS(Status))
354 {
355 dwError = RtlNtStatusToDosError(Status);
356 goto done;
357 }
358
359 *ppSecurityDescriptor = pRelativeSD;
360
361 done:
362 if (dwError != ERROR_SUCCESS)
363 {
364 if (pRelativeSD != NULL)
365 RtlFreeHeap(RtlGetProcessHeap(), 0, pRelativeSD);
366 }
367
368 return dwError;
369 }
370
371
372 DWORD
ScmInitializeSecurity(VOID)373 ScmInitializeSecurity(VOID)
374 {
375 DWORD dwError;
376
377 dwError = ScmCreateSids();
378 if (dwError != ERROR_SUCCESS)
379 return dwError;
380
381 dwError = ScmCreateAcls();
382 if (dwError != ERROR_SUCCESS)
383 return dwError;
384
385 dwError = ScmCreateDefaultSD();
386 if (dwError != ERROR_SUCCESS)
387 return dwError;
388
389 dwError = ScmCreatePipeSD();
390 if (dwError != ERROR_SUCCESS)
391 return dwError;
392
393 return ERROR_SUCCESS;
394 }
395
396
397 VOID
ScmShutdownSecurity(VOID)398 ScmShutdownSecurity(VOID)
399 {
400 ScmFreePipeSD();
401 ScmFreeDefaultSD();
402 ScmFreeAcls();
403 ScmFreeSids();
404 }
405
406 /* EOF */
407