306 lines
8.0 KiB
C
306 lines
8.0 KiB
C
/*++
|
||
|
||
Copyright (c) 1991 Microsoft Corporation
|
||
|
||
Module Name:
|
||
|
||
wssec.c
|
||
|
||
Abstract:
|
||
|
||
This module contains the Workstation service support routines
|
||
which create security objects and enforce security _access checking.
|
||
|
||
Author:
|
||
|
||
Rita Wong (ritaw) 19-Feb-1991
|
||
|
||
Revision History:
|
||
|
||
--*/
|
||
|
||
#include "wsutil.h"
|
||
#include "wsmain.h"
|
||
#include "wssec.h"
|
||
|
||
//-------------------------------------------------------------------//
|
||
// //
|
||
// Local function prototypes //
|
||
// //
|
||
//-------------------------------------------------------------------//
|
||
|
||
STATIC
|
||
NTSTATUS
|
||
WsCreateConfigInfoObject(
|
||
VOID
|
||
);
|
||
|
||
STATIC
|
||
NTSTATUS
|
||
WsCreateMessageSendObject(
|
||
VOID
|
||
);
|
||
|
||
//-------------------------------------------------------------------//
|
||
// //
|
||
// Global variables //
|
||
// //
|
||
//-------------------------------------------------------------------//
|
||
|
||
//
|
||
// Security descriptors of workstation objects to control user accesses
|
||
// to the workstation configuration information, sending messages, and the
|
||
// logon support functions.
|
||
//
|
||
PSECURITY_DESCRIPTOR ConfigurationInfoSd;
|
||
PSECURITY_DESCRIPTOR MessageSendSd;
|
||
|
||
|
||
//
|
||
// Structure that describes the mapping of Generic access rights to
|
||
// object specific access rights for the ConfigurationInfo object.
|
||
//
|
||
GENERIC_MAPPING WsConfigInfoMapping = {
|
||
STANDARD_RIGHTS_READ | // Generic read
|
||
WKSTA_CONFIG_GUEST_INFO_GET |
|
||
WKSTA_CONFIG_USER_INFO_GET |
|
||
WKSTA_CONFIG_ADMIN_INFO_GET,
|
||
STANDARD_RIGHTS_WRITE | // Generic write
|
||
WKSTA_CONFIG_INFO_SET,
|
||
STANDARD_RIGHTS_EXECUTE, // Generic execute
|
||
WKSTA_CONFIG_ALL_ACCESS // Generic all
|
||
};
|
||
|
||
//
|
||
// Structure that describes the mapping of generic access rights to
|
||
// object specific access rights for the MessageSend object.
|
||
//
|
||
GENERIC_MAPPING WsMessageSendMapping = {
|
||
STANDARD_RIGHTS_READ, // Generic read
|
||
STANDARD_RIGHTS_WRITE | // Generic write
|
||
WKSTA_MESSAGE_SEND,
|
||
STANDARD_RIGHTS_EXECUTE, // Generic execute
|
||
WKSTA_MESSAGE_ALL_ACCESS // Generic all
|
||
};
|
||
|
||
|
||
|
||
NET_API_STATUS
|
||
WsCreateWkstaObjects(
|
||
VOID
|
||
)
|
||
/*++
|
||
|
||
Routine Description:
|
||
|
||
This function creates the workstation user-mode objects which are
|
||
represented by security descriptors.
|
||
|
||
Arguments:
|
||
|
||
None.
|
||
|
||
Return Value:
|
||
|
||
NET_API_STATUS - NERR_Success or reason for failure.
|
||
|
||
--*/
|
||
{
|
||
NTSTATUS ntstatus;
|
||
|
||
|
||
//
|
||
// Create ConfigurationInfo object
|
||
//
|
||
if (! NT_SUCCESS (ntstatus = WsCreateConfigInfoObject())) {
|
||
IF_DEBUG(UTIL) {
|
||
NetpKdPrint(("[Wksta] Failure to create ConfigurationInfo object\n"));
|
||
}
|
||
return NetpNtStatusToApiStatus(ntstatus);
|
||
}
|
||
|
||
//
|
||
// Create MessageSend object
|
||
//
|
||
if (! NT_SUCCESS (ntstatus = WsCreateMessageSendObject())) {
|
||
IF_DEBUG(UTIL) {
|
||
NetpKdPrint(("[Wksta] Failure to create MessageSend object\n"));
|
||
}
|
||
return NetpNtStatusToApiStatus(ntstatus);
|
||
}
|
||
|
||
return NERR_Success;
|
||
}
|
||
|
||
|
||
|
||
STATIC
|
||
NTSTATUS
|
||
WsCreateConfigInfoObject(
|
||
VOID
|
||
)
|
||
/*++
|
||
|
||
Routine Description:
|
||
|
||
This function creates the workstation configuration information object.
|
||
|
||
Arguments:
|
||
|
||
None.
|
||
|
||
Return Value:
|
||
|
||
NTSTATUS - status returned from NetpCreateSecurityObject.
|
||
|
||
--*/
|
||
{
|
||
//
|
||
// Order matters! These ACEs are inserted into the DACL in the
|
||
// following order. Security access is granted or denied based on
|
||
// the order of the ACEs in the DACL.
|
||
//
|
||
// Local users, admins, and operators are allowed to get all information.
|
||
// Only admins are allowed to set information. Users are allowed to get
|
||
// user and guest info; guests are allowed to get guest info only.
|
||
//
|
||
|
||
#define CONFIG_INFO_ACES 8 // Number of ACEs in this DACL
|
||
|
||
ACE_DATA AceData[CONFIG_INFO_ACES] = {
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_CONFIG_GUEST_INFO_GET |
|
||
WKSTA_CONFIG_USER_INFO_GET |
|
||
WKSTA_CONFIG_ADMIN_INFO_GET, &WsLmsvcsGlobalData->LocalSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
GENERIC_ALL, &WsLmsvcsGlobalData->AliasAdminsSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_CONFIG_GUEST_INFO_GET |
|
||
WKSTA_CONFIG_USER_INFO_GET |
|
||
WKSTA_CONFIG_ADMIN_INFO_GET, &WsLmsvcsGlobalData->AliasAccountOpsSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_CONFIG_GUEST_INFO_GET |
|
||
WKSTA_CONFIG_USER_INFO_GET |
|
||
WKSTA_CONFIG_ADMIN_INFO_GET, &WsLmsvcsGlobalData->AliasSystemOpsSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_CONFIG_GUEST_INFO_GET |
|
||
WKSTA_CONFIG_USER_INFO_GET |
|
||
WKSTA_CONFIG_ADMIN_INFO_GET, &WsLmsvcsGlobalData->AliasPrintOpsSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_CONFIG_GUEST_INFO_GET |
|
||
WKSTA_CONFIG_USER_INFO_GET, &WsLmsvcsGlobalData->AliasUsersSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_CONFIG_GUEST_INFO_GET, &WsLmsvcsGlobalData->WorldSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_CONFIG_GUEST_INFO_GET, &WsLmsvcsGlobalData->AnonymousLogonSid}
|
||
};
|
||
|
||
|
||
return NetpCreateSecurityObject(
|
||
AceData,
|
||
CONFIG_INFO_ACES,
|
||
WsLmsvcsGlobalData->LocalSystemSid,
|
||
WsLmsvcsGlobalData->LocalSystemSid,
|
||
&WsConfigInfoMapping,
|
||
&ConfigurationInfoSd
|
||
);
|
||
}
|
||
|
||
|
||
|
||
STATIC
|
||
NTSTATUS
|
||
WsCreateMessageSendObject(
|
||
VOID
|
||
)
|
||
/*++
|
||
|
||
Routine Description:
|
||
|
||
This function creates the workstation message send object.
|
||
|
||
Arguments:
|
||
|
||
None.
|
||
|
||
Return Value:
|
||
|
||
NTSTATUS - status returned from NetpCreateSecurityObject.
|
||
|
||
--*/
|
||
{
|
||
//
|
||
// Order matters! These ACEs are inserted into the DACL in the
|
||
// following order. Security access is granted or denied based on
|
||
// the order of the ACEs in the DACL.
|
||
//
|
||
// Any local user, and domain admins and operators are allowed to
|
||
// send messages. Remote users besides domain admins, and operators
|
||
// are not allowed to send messages.
|
||
//
|
||
|
||
#define MESSAGE_SEND_ACES 5 // Number of ACEs in this DACL
|
||
|
||
ACE_DATA AceData[MESSAGE_SEND_ACES] = {
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
GENERIC_ALL, &WsLmsvcsGlobalData->LocalSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
GENERIC_ALL, &WsLmsvcsGlobalData->AliasAdminsSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_MESSAGE_SEND, &WsLmsvcsGlobalData->AliasAccountOpsSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_MESSAGE_SEND, &WsLmsvcsGlobalData->AliasSystemOpsSid},
|
||
|
||
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
|
||
WKSTA_MESSAGE_SEND, &WsLmsvcsGlobalData->AliasPrintOpsSid}
|
||
|
||
};
|
||
|
||
|
||
return NetpCreateSecurityObject(
|
||
AceData,
|
||
MESSAGE_SEND_ACES,
|
||
WsLmsvcsGlobalData->LocalSystemSid,
|
||
WsLmsvcsGlobalData->LocalSystemSid,
|
||
&WsMessageSendMapping,
|
||
&MessageSendSd
|
||
);
|
||
}
|
||
|
||
|
||
|
||
VOID
|
||
WsDestroyWkstaObjects(
|
||
VOID
|
||
)
|
||
/*++
|
||
|
||
Routine Description:
|
||
|
||
This function destroys the workstation user-mode objects which are
|
||
represented by security descriptors.
|
||
|
||
Arguments:
|
||
|
||
None.
|
||
|
||
Return Value:
|
||
|
||
None.
|
||
|
||
--*/
|
||
{
|
||
(void) NetpDeleteSecurityObject(&ConfigurationInfoSd);
|
||
(void) NetpDeleteSecurityObject(&MessageSendSd);
|
||
}
|