1 /* Copyright (C) 2002-2005 RealVNC Ltd. All Rights Reserved.
2 *
3 * This is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by
5 * the Free Software Foundation; either version 2 of the License, or
6 * (at your option) any later version.
7 *
8 * This software is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 *
13 * You should have received a copy of the GNU General Public License
14 * along with this software; if not, write to the Free Software
15 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
16 * USA.
17 */
18
19 // -=- Security.cxx
20
21 #include <rfb_win32/Security.h>
22 #include <rfb/LogWriter.h>
23
24 #include <lmcons.h>
25 #include <accctrl.h>
26 #include <list>
27
28 using namespace rfb;
29 using namespace rfb::win32;
30
31 static LogWriter vlog("SecurityWin32");
32
33
Trustee(const TCHAR * name,TRUSTEE_FORM form,TRUSTEE_TYPE type)34 Trustee::Trustee(const TCHAR* name,
35 TRUSTEE_FORM form,
36 TRUSTEE_TYPE type) {
37 pMultipleTrustee = 0;
38 MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
39 TrusteeForm = form;
40 TrusteeType = type;
41 ptstrName = (TCHAR*)name;
42 }
43
44
ExplicitAccess(const TCHAR * name,TRUSTEE_FORM type,DWORD perms,ACCESS_MODE mode,DWORD inherit)45 ExplicitAccess::ExplicitAccess(const TCHAR* name,
46 TRUSTEE_FORM type,
47 DWORD perms,
48 ACCESS_MODE mode,
49 DWORD inherit) {
50 Trustee = rfb::win32::Trustee(name, type);
51 grfAccessPermissions = perms;
52 grfAccessMode = mode;
53 grfInheritance = inherit;
54 }
55
56
AccessEntries()57 AccessEntries::AccessEntries() : entries(0), entry_count(0) {}
58
~AccessEntries()59 AccessEntries::~AccessEntries() {
60 delete [] entries;
61 }
62
allocMinEntries(int count)63 void AccessEntries::allocMinEntries(int count) {
64 if (count > entry_count) {
65 EXPLICIT_ACCESS* new_entries = new EXPLICIT_ACCESS[entry_count+1];
66 if (entries) {
67 memcpy(new_entries, entries, sizeof(EXPLICIT_ACCESS) * entry_count);
68 delete entries;
69 }
70 entries = new_entries;
71 }
72 }
73
addEntry(const TCHAR * trusteeName,DWORD permissions,ACCESS_MODE mode)74 void AccessEntries::addEntry(const TCHAR* trusteeName,
75 DWORD permissions,
76 ACCESS_MODE mode) {
77 allocMinEntries(entry_count+1);
78 ZeroMemory(&entries[entry_count], sizeof(EXPLICIT_ACCESS));
79 entries[entry_count] = ExplicitAccess(trusteeName, TRUSTEE_IS_NAME, permissions, mode);
80 entry_count++;
81 }
82
addEntry(const PSID sid,DWORD permissions,ACCESS_MODE mode)83 void AccessEntries::addEntry(const PSID sid,
84 DWORD permissions,
85 ACCESS_MODE mode) {
86 allocMinEntries(entry_count+1);
87 ZeroMemory(&entries[entry_count], sizeof(EXPLICIT_ACCESS));
88 entries[entry_count] = ExplicitAccess((TCHAR*)sid, TRUSTEE_IS_SID, permissions, mode);
89 entry_count++;
90 }
91
92
copySID(const PSID sid)93 PSID Sid::copySID(const PSID sid) {
94 if (!IsValidSid(sid))
95 throw rdr::Exception("invalid SID in copyPSID");
96 PSID buf = (PSID)new rdr::U8[GetLengthSid(sid)];
97 if (!CopySid(GetLengthSid(sid), buf, sid))
98 throw rdr::SystemException("CopySid failed", GetLastError());
99 return buf;
100 }
101
setSID(const PSID sid)102 void Sid::setSID(const PSID sid) {
103 delete [] buf;
104 buf = (rdr::U8*)copySID(sid);
105 }
106
getUserNameAndDomain(TCHAR ** name,TCHAR ** domain)107 void Sid::getUserNameAndDomain(TCHAR** name, TCHAR** domain) {
108 DWORD nameLen = 0;
109 DWORD domainLen = 0;
110 SID_NAME_USE use;
111 LookupAccountSid(0, (PSID)buf, 0, &nameLen, 0, &domainLen, &use);
112 if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
113 throw rdr::SystemException("Unable to determine SID name lengths", GetLastError());
114 vlog.info("nameLen=%lu, domainLen=%lu, use=%d", nameLen, domainLen, use);
115 *name = new TCHAR[nameLen];
116 *domain = new TCHAR[domainLen];
117 if (!LookupAccountSid(0, (PSID)buf, *name, &nameLen, *domain, &domainLen, &use))
118 throw rdr::SystemException("Unable to lookup account SID", GetLastError());
119 }
120
121
Administrators()122 Sid::Administrators::Administrators() {
123 PSID sid = 0;
124 SID_IDENTIFIER_AUTHORITY ntAuth = { SECURITY_NT_AUTHORITY };
125 if (!AllocateAndInitializeSid(&ntAuth, 2,
126 SECURITY_BUILTIN_DOMAIN_RID,
127 DOMAIN_ALIAS_RID_ADMINS,
128 0, 0, 0, 0, 0, 0, &sid))
129 throw rdr::SystemException("Sid::Administrators", GetLastError());
130 setSID(sid);
131 FreeSid(sid);
132 }
133
SYSTEM()134 Sid::SYSTEM::SYSTEM() {
135 PSID sid = 0;
136 SID_IDENTIFIER_AUTHORITY ntAuth = { SECURITY_NT_AUTHORITY };
137 if (!AllocateAndInitializeSid(&ntAuth, 1,
138 SECURITY_LOCAL_SYSTEM_RID,
139 0, 0, 0, 0, 0, 0, 0, &sid))
140 throw rdr::SystemException("Sid::SYSTEM", GetLastError());
141 setSID(sid);
142 FreeSid(sid);
143 }
144
FromToken(HANDLE h)145 Sid::FromToken::FromToken(HANDLE h) {
146 DWORD required = 0;
147 GetTokenInformation(h, TokenUser, 0, 0, &required);
148 rdr::U8Array tmp(required);
149 if (!GetTokenInformation(h, TokenUser, tmp.buf, required, &required))
150 throw rdr::SystemException("GetTokenInformation", GetLastError());
151 TOKEN_USER* tokenUser = (TOKEN_USER*)tmp.buf;
152 setSID(tokenUser->User.Sid);
153 }
154
155
CreateACL(const AccessEntries & ae,PACL existing_acl)156 PACL rfb::win32::CreateACL(const AccessEntries& ae, PACL existing_acl) {
157 PACL new_dacl;
158 DWORD result;
159 if ((result = SetEntriesInAcl(ae.entry_count, ae.entries, existing_acl, &new_dacl)) != ERROR_SUCCESS)
160 throw rdr::SystemException("SetEntriesInAcl", result);
161 return new_dacl;
162 }
163
164
CreateSdWithDacl(const PACL dacl)165 PSECURITY_DESCRIPTOR rfb::win32::CreateSdWithDacl(const PACL dacl) {
166 SECURITY_DESCRIPTOR absSD;
167 if (!InitializeSecurityDescriptor(&absSD, SECURITY_DESCRIPTOR_REVISION))
168 throw rdr::SystemException("InitializeSecurityDescriptor", GetLastError());
169 Sid::SYSTEM owner;
170 if (!SetSecurityDescriptorOwner(&absSD, owner, FALSE))
171 throw rdr::SystemException("SetSecurityDescriptorOwner", GetLastError());
172 Sid::Administrators group;
173 if (!SetSecurityDescriptorGroup(&absSD, group, FALSE))
174 throw rdr::SystemException("SetSecurityDescriptorGroupp", GetLastError());
175 if (!SetSecurityDescriptorDacl(&absSD, TRUE, dacl, FALSE))
176 throw rdr::SystemException("SetSecurityDescriptorDacl", GetLastError());
177 DWORD sdSize = GetSecurityDescriptorLength(&absSD);
178 SecurityDescriptorPtr sd(sdSize);
179 if (!MakeSelfRelativeSD(&absSD, (PSECURITY_DESCRIPTOR)sd.ptr, &sdSize))
180 throw rdr::SystemException("MakeSelfRelativeSD", GetLastError());
181 return sd.takeSD();
182 }
183