NT4/private/ntos/se/tokenqry.c

1613 lines
46 KiB
C
Raw Normal View History

2001-01-01 00:00:00 +01:00
/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
Tokenqry.c
Abstract:
This module implements the QUERY function for the executive
token object.
Author:
Jim Kelly (JimK) 15-June-1990
Revision History:
--*/
#include "sep.h"
#include "seopaque.h"
#include "tokenp.h"
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE,NtQueryInformationToken)
#pragma alloc_text(PAGE,SeQueryAuthenticationIdToken)
#pragma alloc_text(PAGE,SeQueryInformationToken)
#endif
NTSTATUS
NtQueryInformationToken (
IN HANDLE TokenHandle,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
OUT PVOID TokenInformation,
IN ULONG TokenInformationLength,
OUT PULONG ReturnLength
)
/*++
Routine Description:
Retrieve information about a specified token.
Arguments:
TokenHandle - Provides a handle to the token to operate on.
TokenInformationClass - The token information class about which
to retrieve information.
TokenInformation - The buffer to receive the requested class of
information. The buffer must be aligned on at least a
longword boundary. The actual structures returned are
dependent upon the information class requested, as defined in
the TokenInformationClass parameter description.
TokenInformation Format By Information Class:
TokenUser => TOKEN_USER data structure. TOKEN_QUERY
access is needed to retrieve this information about a
token.
TokenGroups => TOKEN_GROUPS data structure. TOKEN_QUERY
access is needed to retrieve this information about a
token.
TokenPrivileges => TOKEN_PRIVILEGES data structure.
TOKEN_QUERY access is needed to retrieve this information
about a token.
TokenOwner => TOKEN_OWNER data structure. TOKEN_QUERY
access is needed to retrieve this information about a
token.
TokenPrimaryGroup => TOKEN_PRIMARY_GROUP data structure.
TOKEN_QUERY access is needed to retrieve this information
about a token.
TokenDefaultDacl => TOKEN_DEFAULT_DACL data structure.
TOKEN_QUERY access is needed to retrieve this information
about a token.
TokenSource => TOKEN_SOURCE data structure.
TOKEN_QUERY_SOURCE access is needed to retrieve this
information about a token.
TokenType => TOKEN_TYPE data structure.
TOKEN_QUERY access is needed to retrieve this information
about a token.
TokenStatistics => TOKEN_STATISTICS data structure.
TOKEN_QUERY access is needed to retrieve this
information about a token.
TokenInformationLength - Indicates the length, in bytes, of the
TokenInformation buffer.
ReturnLength - This OUT parameter receives the actual length of
the requested information. If this value is larger than that
provided by the TokenInformationLength parameter, then the
buffer provided to receive the requested information is not
large enough to hold that data and no data is returned.
If the queried class is TokenDefaultDacl and there is no
default Dacl established for the token, then the return
length will be returned as zero, and no data will be returned.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
STATUS_BUFFER_TOO_SMALL - if the requested information did not
fit in the provided output buffer. In this case, the
ReturnLength OUT parameter contains the number of bytes
actually needed to store the requested information.
--*/
{
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
PTOKEN Token;
ULONG RequiredLength;
ULONG Index;
PTOKEN_TYPE LocalType;
PTOKEN_USER LocalUser;
PTOKEN_GROUPS LocalGroups;
PTOKEN_PRIVILEGES LocalPrivileges;
PTOKEN_OWNER LocalOwner;
PTOKEN_PRIMARY_GROUP LocalPrimaryGroup;
PTOKEN_DEFAULT_DACL LocalDefaultDacl;
PTOKEN_SOURCE LocalSource;
PSECURITY_IMPERSONATION_LEVEL LocalImpersonationLevel;
PTOKEN_STATISTICS LocalStatistics;
PSID PSid;
PACL PAcl;
PVOID Ignore;
PAGED_CODE();
//
// Get previous processor mode and probe output argument if necessary.
//
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
try {
ProbeForWrite(
TokenInformation,
TokenInformationLength,
sizeof(ULONG)
);
ProbeForWriteUlong(ReturnLength);
} except(EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
}
}
//
// Case on information class.
//
switch ( TokenInformationClass ) {
case TokenUser:
LocalUser = (PTOKEN_USER)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// Gain exclusive access to the token.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = SeLengthSid( Token->UserAndGroups[0].Sid) +
(ULONG)sizeof( TOKEN_USER );
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the user SID
//
try {
//
// Put SID immediately following TOKEN_USER data structure
//
PSid = (PSID)( (ULONG)LocalUser + (ULONG)sizeof(TOKEN_USER) );
RtlCopySidAndAttributesArray(
1,
Token->UserAndGroups,
RequiredLength,
&(LocalUser->User),
PSid,
((PSID *)&Ignore),
((PULONG)&Ignore)
);
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenGroups:
LocalGroups = (PTOKEN_GROUPS)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// Gain exclusive access to the token.
//
SepAcquireTokenReadLock( Token );
//
// Figure out how much space is needed to return the group SIDs.
// That's the size of TOKEN_GROUPS (without any array entries)
// plus the size of an SID_AND_ATTRIBUTES times the number of groups.
// The number of groups is Token->UserAndGroups-1 (since the count
// includes the user ID). Then the lengths of each individual group
// must be added.
//
RequiredLength = (ULONG)sizeof(TOKEN_GROUPS) +
((Token->UserAndGroupCount - ANYSIZE_ARRAY - 1) *
((ULONG)sizeof(SID_AND_ATTRIBUTES)) );
Index = 1;
while (Index < Token->UserAndGroupCount) {
RequiredLength += SeLengthSid( Token->UserAndGroups[Index].Sid );
Index += 1;
} // endwhile
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Now copy the groups.
//
try {
LocalGroups->GroupCount = Token->UserAndGroupCount - 1;
PSid = (PSID)( (ULONG)LocalGroups +
(ULONG)sizeof(TOKEN_GROUPS) +
( (Token->UserAndGroupCount - ANYSIZE_ARRAY - 1) *
(ULONG)sizeof(SID_AND_ATTRIBUTES) )
);
RtlCopySidAndAttributesArray(
(ULONG)(Token->UserAndGroupCount - 1),
&(Token->UserAndGroups[1]),
RequiredLength,
LocalGroups->Groups,
PSid,
((PSID *)&Ignore),
((PULONG)&Ignore)
);
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenPrivileges:
LocalPrivileges = (PTOKEN_PRIVILEGES)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// Gain exclusive access to the token to prevent changes
// from occuring to the privileges.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG)sizeof(TOKEN_PRIVILEGES) +
((Token->PrivilegeCount - ANYSIZE_ARRAY) *
((ULONG)sizeof(LUID_AND_ATTRIBUTES)) );
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the token privileges.
//
try {
LocalPrivileges->PrivilegeCount = Token->PrivilegeCount;
RtlCopyLuidAndAttributesArray(
Token->PrivilegeCount,
Token->Privileges,
LocalPrivileges->Privileges
);
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenOwner:
LocalOwner = (PTOKEN_OWNER)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// Gain exclusive access to the token to prevent changes
// from occuring to the owner.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
PSid = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
RequiredLength = (ULONG)sizeof(TOKEN_OWNER) +
SeLengthSid( PSid );
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the owner SID
//
PSid = (PSID)((ULONG)LocalOwner +
(ULONG)sizeof(TOKEN_OWNER));
try {
LocalOwner->Owner = PSid;
Status = RtlCopySid(
(RequiredLength - (ULONG)sizeof(TOKEN_OWNER)),
PSid,
Token->UserAndGroups[Token->DefaultOwnerIndex].Sid
);
ASSERT( NT_SUCCESS(Status) );
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenPrimaryGroup:
LocalPrimaryGroup = (PTOKEN_PRIMARY_GROUP)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// Gain exclusive access to the token to prevent changes
// from occuring to the owner.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG)sizeof(TOKEN_PRIMARY_GROUP) +
SeLengthSid( Token->PrimaryGroup );
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the primary group SID
//
PSid = (PSID)((ULONG)LocalPrimaryGroup +
(ULONG)sizeof(TOKEN_PRIMARY_GROUP));
try {
LocalPrimaryGroup->PrimaryGroup = PSid;
Status = RtlCopySid( (RequiredLength - (ULONG)sizeof(TOKEN_PRIMARY_GROUP)),
PSid,
Token->PrimaryGroup
);
ASSERT( NT_SUCCESS(Status) );
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenDefaultDacl:
LocalDefaultDacl = (PTOKEN_DEFAULT_DACL)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// Gain exclusive access to the token to prevent changes
// from occuring to the owner.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG)sizeof(TOKEN_DEFAULT_DACL);
if (ARGUMENT_PRESENT(Token->DefaultDacl)) {
RequiredLength += Token->DefaultDacl->AclSize;
}
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the default Dacl
//
PAcl = (PACL)((ULONG)LocalDefaultDacl +
(ULONG)sizeof(TOKEN_DEFAULT_DACL));
try {
if (ARGUMENT_PRESENT(Token->DefaultDacl)) {
LocalDefaultDacl->DefaultDacl = PAcl;
RtlMoveMemory( (PVOID)PAcl,
(PVOID)Token->DefaultDacl,
Token->DefaultDacl->AclSize
);
} else {
LocalDefaultDacl->DefaultDacl = NULL;
}
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenSource:
LocalSource = (PTOKEN_SOURCE)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY_SOURCE, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// The type of a token can not be changed, so
// exclusive access to the token is not necessary.
//
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG) sizeof(TOKEN_SOURCE);
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the token source
//
try {
(*LocalSource) = Token->TokenSource;
} except(EXCEPTION_EXECUTE_HANDLER) {
ObDereferenceObject( Token );
return GetExceptionCode();
}
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenType:
LocalType = (PTOKEN_TYPE)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// The type of a token can not be changed, so
// exclusive access to the token is not necessary.
//
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG) sizeof(TOKEN_TYPE);
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the token type
//
try {
(*LocalType) = Token->TokenType;
} except(EXCEPTION_EXECUTE_HANDLER) {
ObDereferenceObject( Token );
return GetExceptionCode();
}
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenImpersonationLevel:
LocalImpersonationLevel = (PSECURITY_IMPERSONATION_LEVEL)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// The impersonation level of a token can not be changed, so
// exclusive access to the token is not necessary.
//
//
// Make sure the token is an appropriate type to be retrieving
// the impersonation level from.
//
if (Token->TokenType != TokenImpersonation) {
ObDereferenceObject( Token );
return STATUS_INVALID_INFO_CLASS;
}
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG) sizeof(SECURITY_IMPERSONATION_LEVEL);
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the impersonation level
//
try {
(*LocalImpersonationLevel) = Token->ImpersonationLevel;
} except(EXCEPTION_EXECUTE_HANDLER) {
ObDereferenceObject( Token );
return GetExceptionCode();
}
ObDereferenceObject( Token );
return STATUS_SUCCESS;
case TokenStatistics:
LocalStatistics = (PTOKEN_STATISTICS)TokenInformation;
Status = ObReferenceObjectByHandle(
TokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
NULL // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
return Status;
}
//
// Gain exclusive access to the token.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG)sizeof( TOKEN_STATISTICS );
try {
*ReturnLength = RequiredLength;
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
if ( TokenInformationLength < RequiredLength ) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_BUFFER_TOO_SMALL;
}
//
// Return the statistics
//
try {
LocalStatistics->TokenId = Token->TokenId;
LocalStatistics->AuthenticationId = Token->AuthenticationId;
LocalStatistics->ExpirationTime = Token->ExpirationTime;
LocalStatistics->TokenType = Token->TokenType;
LocalStatistics->ImpersonationLevel = Token->ImpersonationLevel;
LocalStatistics->DynamicCharged = Token->DynamicCharged;
LocalStatistics->DynamicAvailable = Token->DynamicAvailable;
LocalStatistics->GroupCount = Token->UserAndGroupCount-1;
LocalStatistics->PrivilegeCount = Token->PrivilegeCount;
LocalStatistics->ModifiedId = Token->ModifiedId;
} except(EXCEPTION_EXECUTE_HANDLER) {
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return GetExceptionCode();
}
SepReleaseTokenReadLock( Token );
ObDereferenceObject( Token );
return STATUS_SUCCESS;
default:
return STATUS_INVALID_INFO_CLASS;
}
}
NTSTATUS
SeQueryAuthenticationIdToken(
IN PACCESS_TOKEN Token,
OUT PLUID AuthenticationId
)
/*++
Routine Description:
Retrieve authentication ID out of the token.
Arguments:
Token - Referenced pointer to a token.
AutenticationId - Receives the token's authentication ID.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
This is the only expected status.
--*/
{
PAGED_CODE();
SepAcquireTokenReadLock( ((PTOKEN)Token) );
(*AuthenticationId) = ((PTOKEN)Token)->AuthenticationId;
SepReleaseTokenReadLock( ((PTOKEN)Token) );
return(STATUS_SUCCESS);
}
NTSTATUS
SeQueryInformationToken (
IN PACCESS_TOKEN AccessToken,
IN TOKEN_INFORMATION_CLASS TokenInformationClass,
OUT PVOID *TokenInformation
)
/*++
Routine Description:
Retrieve information about a specified token.
Arguments:
TokenHandle - Provides a handle to the token to operate on.
TokenInformationClass - The token information class about which
to retrieve information.
TokenInformation - Receives a pointer to the requested information.
The actual structures returned are dependent upon the information
class requested, as defined in the TokenInformationClass parameter
description.
TokenInformation Format By Information Class:
TokenUser => TOKEN_USER data structure. TOKEN_QUERY
access is needed to retrieve this information about a
token.
TokenGroups => TOKEN_GROUPS data structure. TOKEN_QUERY
access is needed to retrieve this information about a
token.
TokenPrivileges => TOKEN_PRIVILEGES data structure.
TOKEN_QUERY access is needed to retrieve this information
about a token.
TokenOwner => TOKEN_OWNER data structure. TOKEN_QUERY
access is needed to retrieve this information about a
token.
TokenPrimaryGroup => TOKEN_PRIMARY_GROUP data structure.
TOKEN_QUERY access is needed to retrieve this information
about a token.
TokenDefaultDacl => TOKEN_DEFAULT_DACL data structure.
TOKEN_QUERY access is needed to retrieve this information
about a token.
TokenSource => TOKEN_SOURCE data structure.
TOKEN_QUERY_SOURCE access is needed to retrieve this
information about a token.
TokenType => TOKEN_TYPE data structure.
TOKEN_QUERY access is needed to retrieve this information
about a token.
TokenStatistics => TOKEN_STATISTICS data structure.
TOKEN_QUERY access is needed to retrieve this
information about a token.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
--*/
{
NTSTATUS Status;
ULONG RequiredLength;
ULONG Index;
PSID PSid;
PACL PAcl;
PVOID Ignore;
PTOKEN Token = (PTOKEN)AccessToken;
PAGED_CODE();
//
// Case on information class.
//
switch ( TokenInformationClass ) {
case TokenUser:
{
PTOKEN_USER LocalUser;
LocalUser = (PTOKEN_USER)(*TokenInformation);
//
// Gain exclusive access to the token.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = SeLengthSid( Token->UserAndGroups[0].Sid) +
(ULONG)sizeof( TOKEN_USER );
LocalUser = ExAllocatePool( PagedPool, RequiredLength );
if (LocalUser == NULL) {
SepReleaseTokenReadLock( Token );
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the user SID
//
// Put SID immediately following TOKEN_USER data structure
//
PSid = (PSID)( (ULONG)LocalUser + (ULONG)sizeof(TOKEN_USER) );
RtlCopySidAndAttributesArray(
1,
Token->UserAndGroups,
RequiredLength,
&(LocalUser->User),
PSid,
((PSID *)&Ignore),
((PULONG)&Ignore)
);
SepReleaseTokenReadLock( Token );
return STATUS_SUCCESS;
}
case TokenGroups:
{
PTOKEN_GROUPS LocalGroups;
LocalGroups = (PTOKEN_GROUPS)(*TokenInformation);
//
// Gain exclusive access to the token.
//
SepAcquireTokenReadLock( Token );
//
// Figure out how much space is needed to return the group SIDs.
// That's the size of TOKEN_GROUPS (without any array entries)
// plus the size of an SID_AND_ATTRIBUTES times the number of groups.
// The number of groups is Token->UserAndGroups-1 (since the count
// includes the user ID). Then the lengths of each individual group
// must be added.
//
RequiredLength = (ULONG)sizeof(TOKEN_GROUPS) +
((Token->UserAndGroupCount - ANYSIZE_ARRAY - 1) *
((ULONG)sizeof(SID_AND_ATTRIBUTES)) );
Index = 1;
while (Index < Token->UserAndGroupCount) {
RequiredLength += SeLengthSid( Token->UserAndGroups[Index].Sid );
Index += 1;
} // endwhile
LocalGroups = ExAllocatePool( PagedPool, RequiredLength );
if (LocalGroups == NULL) {
SepReleaseTokenReadLock( Token );
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Now copy the groups.
//
LocalGroups->GroupCount = Token->UserAndGroupCount - 1;
PSid = (PSID)( (ULONG)LocalGroups +
(ULONG)sizeof(TOKEN_GROUPS) +
( (Token->UserAndGroupCount - ANYSIZE_ARRAY - 1) *
(ULONG)sizeof(SID_AND_ATTRIBUTES) )
);
RtlCopySidAndAttributesArray(
(ULONG)(Token->UserAndGroupCount - 1),
&(Token->UserAndGroups[1]),
RequiredLength,
LocalGroups->Groups,
PSid,
((PSID *)&Ignore),
((PULONG)&Ignore)
);
SepReleaseTokenReadLock( Token );
return STATUS_SUCCESS;
}
case TokenPrivileges:
{
PTOKEN_PRIVILEGES LocalPrivileges;
LocalPrivileges = (PTOKEN_PRIVILEGES)(*TokenInformation);
//
// Gain exclusive access to the token to prevent changes
// from occuring to the privileges.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG)sizeof(TOKEN_PRIVILEGES) +
((Token->PrivilegeCount - ANYSIZE_ARRAY) *
((ULONG)sizeof(LUID_AND_ATTRIBUTES)) );
LocalPrivileges = ExAllocatePool( PagedPool, RequiredLength );
if (LocalPrivileges == NULL) {
SepReleaseTokenReadLock( Token );
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the token privileges.
//
LocalPrivileges->PrivilegeCount = Token->PrivilegeCount;
RtlCopyLuidAndAttributesArray(
Token->PrivilegeCount,
Token->Privileges,
LocalPrivileges->Privileges
);
SepReleaseTokenReadLock( Token );
return STATUS_SUCCESS;
}
case TokenOwner:
{
PTOKEN_OWNER LocalOwner;
LocalOwner = (PTOKEN_OWNER)(*TokenInformation);
//
// Gain exclusive access to the token to prevent changes
// from occuring to the owner.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
PSid = Token->UserAndGroups[Token->DefaultOwnerIndex].Sid;
RequiredLength = (ULONG)sizeof(TOKEN_OWNER) +
SeLengthSid( PSid );
LocalOwner = ExAllocatePool( PagedPool, RequiredLength );
if (LocalOwner == NULL) {
SepReleaseTokenReadLock( Token );
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the owner SID
//
PSid = (PSID)((ULONG)LocalOwner +
(ULONG)sizeof(TOKEN_OWNER));
LocalOwner->Owner = PSid;
Status = RtlCopySid(
(RequiredLength - (ULONG)sizeof(TOKEN_OWNER)),
PSid,
Token->UserAndGroups[Token->DefaultOwnerIndex].Sid
);
ASSERT( NT_SUCCESS(Status) );
SepReleaseTokenReadLock( Token );
return STATUS_SUCCESS;
}
case TokenPrimaryGroup:
{
PTOKEN_PRIMARY_GROUP LocalPrimaryGroup;
LocalPrimaryGroup = (PTOKEN_PRIMARY_GROUP)(*TokenInformation);
//
// Gain exclusive access to the token to prevent changes
// from occuring to the owner.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG)sizeof(TOKEN_PRIMARY_GROUP) +
SeLengthSid( Token->PrimaryGroup );
LocalPrimaryGroup = ExAllocatePool( PagedPool, RequiredLength );
if (LocalPrimaryGroup == NULL) {
SepReleaseTokenReadLock( Token );
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the primary group SID
//
PSid = (PSID)((ULONG)LocalPrimaryGroup +
(ULONG)sizeof(TOKEN_PRIMARY_GROUP));
LocalPrimaryGroup->PrimaryGroup = PSid;
Status = RtlCopySid( (RequiredLength - (ULONG)sizeof(TOKEN_PRIMARY_GROUP)),
PSid,
Token->PrimaryGroup
);
ASSERT( NT_SUCCESS(Status) );
SepReleaseTokenReadLock( Token );
return STATUS_SUCCESS;
}
case TokenDefaultDacl:
{
PTOKEN_DEFAULT_DACL LocalDefaultDacl;
LocalDefaultDacl = (PTOKEN_DEFAULT_DACL)(*TokenInformation);
//
// Gain exclusive access to the token to prevent changes
// from occuring to the owner.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG)sizeof(TOKEN_DEFAULT_DACL);
if (ARGUMENT_PRESENT(Token->DefaultDacl)) {
RequiredLength += Token->DefaultDacl->AclSize;
}
LocalDefaultDacl = ExAllocatePool( PagedPool, RequiredLength );
if (LocalDefaultDacl == NULL) {
SepReleaseTokenReadLock( Token );
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the default Dacl
//
PAcl = (PACL)((ULONG)LocalDefaultDacl +
(ULONG)sizeof(TOKEN_DEFAULT_DACL));
if (ARGUMENT_PRESENT(Token->DefaultDacl)) {
LocalDefaultDacl->DefaultDacl = PAcl;
RtlMoveMemory( (PVOID)PAcl,
(PVOID)Token->DefaultDacl,
Token->DefaultDacl->AclSize
);
} else {
LocalDefaultDacl->DefaultDacl = NULL;
}
SepReleaseTokenReadLock( Token );
return STATUS_SUCCESS;
}
case TokenSource:
{
PTOKEN_SOURCE LocalSource;
LocalSource = (PTOKEN_SOURCE)(*TokenInformation);
//
// The type of a token can not be changed, so
// exclusive access to the token is not necessary.
//
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG) sizeof(TOKEN_SOURCE);
LocalSource = ExAllocatePool( PagedPool, RequiredLength );
if (LocalSource == NULL) {
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the token source
//
(*LocalSource) = Token->TokenSource;
return STATUS_SUCCESS;
}
case TokenType:
{
PTOKEN_TYPE LocalType;
LocalType = (PTOKEN_TYPE)(*TokenInformation);
//
// The type of a token can not be changed, so
// exclusive access to the token is not necessary.
//
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG) sizeof(TOKEN_TYPE);
LocalType = ExAllocatePool( PagedPool, RequiredLength );
if (LocalType == NULL) {
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the token type
//
(*LocalType) = Token->TokenType;
return STATUS_SUCCESS;
}
case TokenImpersonationLevel:
{
PSECURITY_IMPERSONATION_LEVEL LocalImpersonationLevel;
LocalImpersonationLevel = (PSECURITY_IMPERSONATION_LEVEL)(*TokenInformation);
//
// The impersonation level of a token can not be changed, so
// exclusive access to the token is not necessary.
//
//
// Make sure the token is an appropriate type to be retrieving
// the impersonation level from.
//
if (Token->TokenType != TokenImpersonation) {
return STATUS_INVALID_INFO_CLASS;
}
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG) sizeof(SECURITY_IMPERSONATION_LEVEL);
LocalImpersonationLevel = ExAllocatePool( PagedPool, RequiredLength );
if (LocalImpersonationLevel == NULL) {
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the impersonation level
//
(*LocalImpersonationLevel) = Token->ImpersonationLevel;
return STATUS_SUCCESS;
}
case TokenStatistics:
{
PTOKEN_STATISTICS LocalStatistics;
LocalStatistics = (PTOKEN_STATISTICS)(*TokenInformation);
//
// Gain exclusive access to the token.
//
SepAcquireTokenReadLock( Token );
//
// Return the length required now in case not enough buffer
// was provided by the caller and we have to return an error.
//
RequiredLength = (ULONG)sizeof( TOKEN_STATISTICS );
LocalStatistics = ExAllocatePool( PagedPool, RequiredLength );
if (LocalStatistics == NULL) {
SepReleaseTokenReadLock( Token );
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Return the statistics
//
LocalStatistics->TokenId = Token->TokenId;
LocalStatistics->AuthenticationId = Token->AuthenticationId;
LocalStatistics->ExpirationTime = Token->ExpirationTime;
LocalStatistics->TokenType = Token->TokenType;
LocalStatistics->ImpersonationLevel = Token->ImpersonationLevel;
LocalStatistics->DynamicCharged = Token->DynamicCharged;
LocalStatistics->DynamicAvailable = Token->DynamicAvailable;
LocalStatistics->GroupCount = Token->UserAndGroupCount-1;
LocalStatistics->PrivilegeCount = Token->PrivilegeCount;
LocalStatistics->ModifiedId = Token->ModifiedId;
SepReleaseTokenReadLock( Token );
return STATUS_SUCCESS;
}
default:
return STATUS_INVALID_INFO_CLASS;
}
}