1 /* Copyright (C) 2002-2005 RealVNC Ltd.  All Rights Reserved.
2  *
3  * This is free software; you can redistribute it and/or modify
4  * it under the terms of the GNU General Public License as published by
5  * the Free Software Foundation; either version 2 of the License, or
6  * (at your option) any later version.
7  *
8  * This software is distributed in the hope that it will be useful,
9  * but WITHOUT ANY WARRANTY; without even the implied warranty of
10  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
11  * GNU General Public License for more details.
12  *
13  * You should have received a copy of the GNU General Public License
14  * along with this software; if not, write to the Free Software
15  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
16  * USA.
17  */
18 
19 // -=- Security.cxx
20 
21 #include <rfb_win32/Security.h>
22 #include <rfb/LogWriter.h>
23 
24 #include <lmcons.h>
25 #include <accctrl.h>
26 #include <list>
27 
28 using namespace rfb;
29 using namespace rfb::win32;
30 
31 static LogWriter vlog("SecurityWin32");
32 
33 
Trustee(const TCHAR * name,TRUSTEE_FORM form,TRUSTEE_TYPE type)34 Trustee::Trustee(const TCHAR* name,
35                  TRUSTEE_FORM form,
36                  TRUSTEE_TYPE type) {
37   pMultipleTrustee = 0;
38   MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
39   TrusteeForm = form;
40   TrusteeType = type;
41   ptstrName = (TCHAR*)name;
42 }
43 
44 
ExplicitAccess(const TCHAR * name,TRUSTEE_FORM type,DWORD perms,ACCESS_MODE mode,DWORD inherit)45 ExplicitAccess::ExplicitAccess(const TCHAR* name,
46                                TRUSTEE_FORM type,
47                                DWORD perms,
48                                ACCESS_MODE mode,
49                                DWORD inherit) {
50   Trustee = rfb::win32::Trustee(name, type);
51   grfAccessPermissions = perms;
52   grfAccessMode = mode;
53   grfInheritance = inherit;
54 }
55 
56 
AccessEntries()57 AccessEntries::AccessEntries() : entries(0), entry_count(0) {}
58 
~AccessEntries()59 AccessEntries::~AccessEntries() {
60   delete [] entries;
61 }
62 
allocMinEntries(int count)63 void AccessEntries::allocMinEntries(int count) {
64   if (count > entry_count) {
65     EXPLICIT_ACCESS* new_entries = new EXPLICIT_ACCESS[entry_count+1];
66     if (entries) {
67       memcpy(new_entries, entries, sizeof(EXPLICIT_ACCESS) * entry_count);
68       delete entries;
69     }
70     entries = new_entries;
71   }
72 }
73 
addEntry(const TCHAR * trusteeName,DWORD permissions,ACCESS_MODE mode)74 void AccessEntries::addEntry(const TCHAR* trusteeName,
75                              DWORD permissions,
76                              ACCESS_MODE mode) {
77   allocMinEntries(entry_count+1);
78   ZeroMemory(&entries[entry_count], sizeof(EXPLICIT_ACCESS));
79   entries[entry_count] = ExplicitAccess(trusteeName, TRUSTEE_IS_NAME, permissions, mode);
80   entry_count++;
81 }
82 
addEntry(const PSID sid,DWORD permissions,ACCESS_MODE mode)83 void AccessEntries::addEntry(const PSID sid,
84                              DWORD permissions,
85                              ACCESS_MODE mode) {
86   allocMinEntries(entry_count+1);
87   ZeroMemory(&entries[entry_count], sizeof(EXPLICIT_ACCESS));
88   entries[entry_count] = ExplicitAccess((TCHAR*)sid, TRUSTEE_IS_SID, permissions, mode);
89   entry_count++;
90 }
91 
92 
copySID(const PSID sid)93 PSID Sid::copySID(const PSID sid) {
94   if (!IsValidSid(sid))
95     throw rdr::Exception("invalid SID in copyPSID");
96   PSID buf = (PSID)new rdr::U8[GetLengthSid(sid)];
97   if (!CopySid(GetLengthSid(sid), buf, sid))
98     throw rdr::SystemException("CopySid failed", GetLastError());
99   return buf;
100 }
101 
setSID(const PSID sid)102 void Sid::setSID(const PSID sid) {
103   delete [] buf;
104   buf = (rdr::U8*)copySID(sid);
105 }
106 
getUserNameAndDomain(TCHAR ** name,TCHAR ** domain)107 void Sid::getUserNameAndDomain(TCHAR** name, TCHAR** domain) {
108   DWORD nameLen = 0;
109   DWORD domainLen = 0;
110   SID_NAME_USE use;
111   LookupAccountSid(0, (PSID)buf, 0, &nameLen, 0, &domainLen, &use);
112   if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
113     throw rdr::SystemException("Unable to determine SID name lengths", GetLastError());
114   vlog.info("nameLen=%lu, domainLen=%lu, use=%d", nameLen, domainLen, use);
115   *name = new TCHAR[nameLen];
116   *domain = new TCHAR[domainLen];
117   if (!LookupAccountSid(0, (PSID)buf, *name, &nameLen, *domain, &domainLen, &use))
118     throw rdr::SystemException("Unable to lookup account SID", GetLastError());
119 }
120 
121 
Administrators()122 Sid::Administrators::Administrators() {
123   PSID sid = 0;
124   SID_IDENTIFIER_AUTHORITY ntAuth = { SECURITY_NT_AUTHORITY };
125   if (!AllocateAndInitializeSid(&ntAuth, 2,
126                                 SECURITY_BUILTIN_DOMAIN_RID,
127                                 DOMAIN_ALIAS_RID_ADMINS,
128                                 0, 0, 0, 0, 0, 0, &sid))
129     throw rdr::SystemException("Sid::Administrators", GetLastError());
130   setSID(sid);
131   FreeSid(sid);
132 }
133 
SYSTEM()134 Sid::SYSTEM::SYSTEM() {
135   PSID sid = 0;
136   SID_IDENTIFIER_AUTHORITY ntAuth = { SECURITY_NT_AUTHORITY };
137   if (!AllocateAndInitializeSid(&ntAuth, 1,
138                                 SECURITY_LOCAL_SYSTEM_RID,
139                                 0, 0, 0, 0, 0, 0, 0, &sid))
140           throw rdr::SystemException("Sid::SYSTEM", GetLastError());
141   setSID(sid);
142   FreeSid(sid);
143 }
144 
FromToken(HANDLE h)145 Sid::FromToken::FromToken(HANDLE h) {
146   DWORD required = 0;
147   GetTokenInformation(h, TokenUser, 0, 0, &required);
148   rdr::U8Array tmp(required);
149   if (!GetTokenInformation(h, TokenUser, tmp.buf, required, &required))
150     throw rdr::SystemException("GetTokenInformation", GetLastError());
151   TOKEN_USER* tokenUser = (TOKEN_USER*)tmp.buf;
152   setSID(tokenUser->User.Sid);
153 }
154 
155 
CreateACL(const AccessEntries & ae,PACL existing_acl)156 PACL rfb::win32::CreateACL(const AccessEntries& ae, PACL existing_acl) {
157   PACL new_dacl;
158   DWORD result;
159   if ((result = SetEntriesInAcl(ae.entry_count, ae.entries, existing_acl, &new_dacl)) != ERROR_SUCCESS)
160     throw rdr::SystemException("SetEntriesInAcl", result);
161   return new_dacl;
162 }
163 
164 
CreateSdWithDacl(const PACL dacl)165 PSECURITY_DESCRIPTOR rfb::win32::CreateSdWithDacl(const PACL dacl) {
166   SECURITY_DESCRIPTOR absSD;
167   if (!InitializeSecurityDescriptor(&absSD, SECURITY_DESCRIPTOR_REVISION))
168     throw rdr::SystemException("InitializeSecurityDescriptor", GetLastError());
169   Sid::SYSTEM owner;
170   if (!SetSecurityDescriptorOwner(&absSD, owner, FALSE))
171     throw rdr::SystemException("SetSecurityDescriptorOwner", GetLastError());
172   Sid::Administrators group;
173   if (!SetSecurityDescriptorGroup(&absSD, group, FALSE))
174     throw rdr::SystemException("SetSecurityDescriptorGroupp", GetLastError());
175   if (!SetSecurityDescriptorDacl(&absSD, TRUE, dacl, FALSE))
176     throw rdr::SystemException("SetSecurityDescriptorDacl", GetLastError());
177   DWORD sdSize = GetSecurityDescriptorLength(&absSD);
178   SecurityDescriptorPtr sd(sdSize);
179   if (!MakeSelfRelativeSD(&absSD, (PSECURITY_DESCRIPTOR)sd.ptr, &sdSize))
180     throw rdr::SystemException("MakeSelfRelativeSD", GetLastError());
181   return sd.takeSD();
182 }
183