Sweden-Number/dlls/advapi32/security.c

6220 lines
210 KiB
C

/*
* Copyright 1999, 2000 Juergen Schmied <juergen.schmied@debitel.net>
* Copyright 2003 CodeWeavers Inc. (Ulrich Czekalla)
* Copyright 2006 Robert Reif
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
*
*/
#include "config.h"
#include <stdarg.h>
#include <string.h>
#include "ntstatus.h"
#define WIN32_NO_STATUS
#include "windef.h"
#include "winbase.h"
#include "winerror.h"
#include "winreg.h"
#include "winsafer.h"
#include "winternl.h"
#include "winioctl.h"
#include "accctrl.h"
#include "sddl.h"
#include "winsvc.h"
#include "aclapi.h"
#include "objbase.h"
#include "iads.h"
#include "advapi32_misc.h"
#include "lmcons.h"
#include "wine/debug.h"
#include "wine/unicode.h"
WINE_DEFAULT_DEBUG_CHANNEL(advapi);
static BOOL ParseStringSidToSid(LPCWSTR StringSid, PSID pSid, LPDWORD cBytes);
static DWORD trustee_to_sid(DWORD nDestinationSidLength, PSID pDestinationSid, PTRUSTEEW pTrustee);
typedef struct _ACEFLAG
{
LPCWSTR wstr;
DWORD value;
} ACEFLAG, *LPACEFLAG;
typedef struct _MAX_SID
{
/* same fields as struct _SID */
BYTE Revision;
BYTE SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
DWORD SubAuthority[SID_MAX_SUB_AUTHORITIES];
} MAX_SID;
typedef struct WELLKNOWNSID
{
WCHAR wstr[2];
WELL_KNOWN_SID_TYPE Type;
MAX_SID Sid;
} WELLKNOWNSID;
static const WELLKNOWNSID WellKnownSids[] =
{
{ {0,0}, WinNullSid, { SID_REVISION, 1, { SECURITY_NULL_SID_AUTHORITY }, { SECURITY_NULL_RID } } },
{ {'W','D'}, WinWorldSid, { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY }, { SECURITY_WORLD_RID } } },
{ {0,0}, WinLocalSid, { SID_REVISION, 1, { SECURITY_LOCAL_SID_AUTHORITY }, { SECURITY_LOCAL_RID } } },
{ {'C','O'}, WinCreatorOwnerSid, { SID_REVISION, 1, { SECURITY_CREATOR_SID_AUTHORITY }, { SECURITY_CREATOR_OWNER_RID } } },
{ {'C','G'}, WinCreatorGroupSid, { SID_REVISION, 1, { SECURITY_CREATOR_SID_AUTHORITY }, { SECURITY_CREATOR_GROUP_RID } } },
{ {'O','W'}, WinCreatorOwnerRightsSid, { SID_REVISION, 1, { SECURITY_CREATOR_SID_AUTHORITY }, { SECURITY_CREATOR_OWNER_RIGHTS_RID } } },
{ {0,0}, WinCreatorOwnerServerSid, { SID_REVISION, 1, { SECURITY_CREATOR_SID_AUTHORITY }, { SECURITY_CREATOR_OWNER_SERVER_RID } } },
{ {0,0}, WinCreatorGroupServerSid, { SID_REVISION, 1, { SECURITY_CREATOR_SID_AUTHORITY }, { SECURITY_CREATOR_GROUP_SERVER_RID } } },
{ {0,0}, WinNtAuthoritySid, { SID_REVISION, 0, { SECURITY_NT_AUTHORITY }, { SECURITY_NULL_RID } } },
{ {0,0}, WinDialupSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_DIALUP_RID } } },
{ {'N','U'}, WinNetworkSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_NETWORK_RID } } },
{ {0,0}, WinBatchSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_BATCH_RID } } },
{ {'I','U'}, WinInteractiveSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_INTERACTIVE_RID } } },
{ {'S','U'}, WinServiceSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_SERVICE_RID } } },
{ {'A','N'}, WinAnonymousSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_ANONYMOUS_LOGON_RID } } },
{ {0,0}, WinProxySid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_PROXY_RID } } },
{ {'E','D'}, WinEnterpriseControllersSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_ENTERPRISE_CONTROLLERS_RID } } },
{ {'P','S'}, WinSelfSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_PRINCIPAL_SELF_RID } } },
{ {'A','U'}, WinAuthenticatedUserSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_AUTHENTICATED_USER_RID } } },
{ {'R','C'}, WinRestrictedCodeSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_RESTRICTED_CODE_RID } } },
{ {0,0}, WinTerminalServerSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_TERMINAL_SERVER_RID } } },
{ {0,0}, WinRemoteLogonIdSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_REMOTE_LOGON_RID } } },
{ {0,0}, WinLogonIdsSid, { SID_REVISION, SECURITY_LOGON_IDS_RID_COUNT, { SECURITY_NT_AUTHORITY }, { SECURITY_LOGON_IDS_RID } } },
{ {'S','Y'}, WinLocalSystemSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SYSTEM_RID } } },
{ {'L','S'}, WinLocalServiceSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_LOCAL_SERVICE_RID } } },
{ {'N','S'}, WinNetworkServiceSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_NETWORK_SERVICE_RID } } },
{ {0,0}, WinBuiltinDomainSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID } } },
{ {'B','A'}, WinBuiltinAdministratorsSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } } },
{ {'B','U'}, WinBuiltinUsersSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } } },
{ {'B','G'}, WinBuiltinGuestsSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_GUESTS } } },
{ {'P','U'}, WinBuiltinPowerUsersSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS } } },
{ {'A','O'}, WinBuiltinAccountOperatorsSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ACCOUNT_OPS } } },
{ {'S','O'}, WinBuiltinSystemOperatorsSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_SYSTEM_OPS } } },
{ {'P','O'}, WinBuiltinPrintOperatorsSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_PRINT_OPS } } },
{ {'B','O'}, WinBuiltinBackupOperatorsSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_BACKUP_OPS } } },
{ {'R','E'}, WinBuiltinReplicatorSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_REPLICATOR } } },
{ {'R','U'}, WinBuiltinPreWindows2000CompatibleAccessSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_PREW2KCOMPACCESS } } },
{ {'R','D'}, WinBuiltinRemoteDesktopUsersSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_REMOTE_DESKTOP_USERS } } },
{ {'N','O'}, WinBuiltinNetworkConfigurationOperatorsSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_NETWORK_CONFIGURATION_OPS } } },
{ {0,0}, WinNTLMAuthenticationSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_PACKAGE_BASE_RID, SECURITY_PACKAGE_NTLM_RID } } },
{ {0,0}, WinDigestAuthenticationSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_PACKAGE_BASE_RID, SECURITY_PACKAGE_DIGEST_RID } } },
{ {0,0}, WinSChannelAuthenticationSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_PACKAGE_BASE_RID, SECURITY_PACKAGE_SCHANNEL_RID } } },
{ {0,0}, WinThisOrganizationSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_THIS_ORGANIZATION_RID } } },
{ {0,0}, WinOtherOrganizationSid, { SID_REVISION, 1, { SECURITY_NT_AUTHORITY }, { SECURITY_OTHER_ORGANIZATION_RID } } },
{ {0,0}, WinBuiltinIncomingForestTrustBuildersSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_INCOMING_FOREST_TRUST_BUILDERS } } },
{ {0,0}, WinBuiltinPerfMonitoringUsersSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_MONITORING_USERS } } },
{ {0,0}, WinBuiltinPerfLoggingUsersSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_LOGGING_USERS } } },
{ {0,0}, WinBuiltinAuthorizationAccessSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_AUTHORIZATIONACCESS } } },
{ {0,0}, WinBuiltinTerminalServerLicenseServersSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_TS_LICENSE_SERVERS } } },
{ {0,0}, WinBuiltinDCOMUsersSid, { SID_REVISION, 2, { SECURITY_NT_AUTHORITY }, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_DCOM_USERS } } },
{ {'L','W'}, WinLowLabelSid, { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY}, { SECURITY_MANDATORY_LOW_RID} } },
{ {'M','E'}, WinMediumLabelSid, { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY}, { SECURITY_MANDATORY_MEDIUM_RID } } },
{ {'H','I'}, WinHighLabelSid, { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY}, { SECURITY_MANDATORY_HIGH_RID } } },
{ {'S','I'}, WinSystemLabelSid, { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY}, { SECURITY_MANDATORY_SYSTEM_RID } } },
{ {'A','C'}, WinBuiltinAnyPackageSid, { SID_REVISION, 2, { SECURITY_APP_PACKAGE_AUTHORITY }, { SECURITY_APP_PACKAGE_BASE_RID, SECURITY_BUILTIN_PACKAGE_ANY_PACKAGE } } },
};
/* these SIDs must be constructed as relative to some domain - only the RID is well-known */
typedef struct WELLKNOWNRID
{
WCHAR wstr[2];
WELL_KNOWN_SID_TYPE Type;
DWORD Rid;
} WELLKNOWNRID;
static const WELLKNOWNRID WellKnownRids[] = {
{ {'L','A'}, WinAccountAdministratorSid, DOMAIN_USER_RID_ADMIN },
{ {'L','G'}, WinAccountGuestSid, DOMAIN_USER_RID_GUEST },
{ {0,0}, WinAccountKrbtgtSid, DOMAIN_USER_RID_KRBTGT },
{ {'D','A'}, WinAccountDomainAdminsSid, DOMAIN_GROUP_RID_ADMINS },
{ {'D','U'}, WinAccountDomainUsersSid, DOMAIN_GROUP_RID_USERS },
{ {'D','G'}, WinAccountDomainGuestsSid, DOMAIN_GROUP_RID_GUESTS },
{ {'D','C'}, WinAccountComputersSid, DOMAIN_GROUP_RID_COMPUTERS },
{ {'D','D'}, WinAccountControllersSid, DOMAIN_GROUP_RID_CONTROLLERS },
{ {'C','A'}, WinAccountCertAdminsSid, DOMAIN_GROUP_RID_CERT_ADMINS },
{ {'S','A'}, WinAccountSchemaAdminsSid, DOMAIN_GROUP_RID_SCHEMA_ADMINS },
{ {'E','A'}, WinAccountEnterpriseAdminsSid, DOMAIN_GROUP_RID_ENTERPRISE_ADMINS },
{ {'P','A'}, WinAccountPolicyAdminsSid, DOMAIN_GROUP_RID_POLICY_ADMINS },
{ {'R','S'}, WinAccountRasAndIasServersSid, DOMAIN_ALIAS_RID_RAS_SERVERS },
};
static SID const sidWorld = { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY} , { SECURITY_WORLD_RID } };
typedef struct _AccountSid {
WELL_KNOWN_SID_TYPE type;
LPCWSTR account;
LPCWSTR domain;
SID_NAME_USE name_use;
LPCWSTR alias;
} AccountSid;
static const WCHAR Account_Operators[] = { 'A','c','c','o','u','n','t',' ','O','p','e','r','a','t','o','r','s',0 };
static const WCHAR Administrator[] = {'A','d','m','i','n','i','s','t','r','a','t','o','r',0 };
static const WCHAR Administrators[] = { 'A','d','m','i','n','i','s','t','r','a','t','o','r','s',0 };
static const WCHAR ALL_APPLICATION_PACKAGES[] = { 'A','L','L',' ','A','P','P','L','I','C','A','T','I','O','N',' ','P','A','C','K','A','G','E','S',0 };
static const WCHAR ANONYMOUS_LOGON[] = { 'A','N','O','N','Y','M','O','U','S',' ','L','O','G','O','N',0 };
static const WCHAR APPLICATION_PACKAGE_AUTHORITY[] = { 'A','P','P','L','I','C','A','T','I','O','N',' ','P','A','C','K','A','G','E',' ','A','U','T','H','O','R','I','T','Y',0 };
static const WCHAR Authenticated_Users[] = { 'A','u','t','h','e','n','t','i','c','a','t','e','d',' ','U','s','e','r','s',0 };
static const WCHAR Backup_Operators[] = { 'B','a','c','k','u','p',' ','O','p','e','r','a','t','o','r','s',0 };
static const WCHAR BATCH[] = { 'B','A','T','C','H',0 };
static const WCHAR Blank[] = { 0 };
static const WCHAR BUILTIN[] = { 'B','U','I','L','T','I','N',0 };
static const WCHAR Cert_Publishers[] = { 'C','e','r','t',' ','P','u','b','l','i','s','h','e','r','s',0 };
static const WCHAR CREATOR_GROUP[] = { 'C','R','E','A','T','O','R',' ','G','R','O','U','P',0 };
static const WCHAR CREATOR_GROUP_SERVER[] = { 'C','R','E','A','T','O','R',' ','G','R','O','U','P',' ','S','E','R','V','E','R',0 };
static const WCHAR CREATOR_OWNER[] = { 'C','R','E','A','T','O','R',' ','O','W','N','E','R',0 };
static const WCHAR CREATOR_OWNER_SERVER[] = { 'C','R','E','A','T','O','R',' ','O','W','N','E','R',' ','S','E','R','V','E','R',0 };
static const WCHAR CURRENT_USER[] = { 'C','U','R','R','E','N','T','_','U','S','E','R',0 };
static const WCHAR DIALUP[] = { 'D','I','A','L','U','P',0 };
static const WCHAR Digest_Authentication[] = { 'D','i','g','e','s','t',' ','A','u','t','h','e','n','t','i','c','a','t','i','o','n',0 };
static const WCHAR Domain_Admins[] = { 'D','o','m','a','i','n',' ','A','d','m','i','n','s',0 };
static const WCHAR Domain_Computers[] = { 'D','o','m','a','i','n',' ','C','o','m','p','u','t','e','r','s',0 };
static const WCHAR Domain_Controllers[] = { 'D','o','m','a','i','n',' ','C','o','n','t','r','o','l','l','e','r','s',0 };
static const WCHAR Domain_Guests[] = { 'D','o','m','a','i','n',' ','G','u','e','s','t','s',0 };
static const WCHAR Domain_Users[] = { 'D','o','m','a','i','n',' ','U','s','e','r','s',0 };
static const WCHAR Enterprise_Admins[] = { 'E','n','t','e','r','p','r','i','s','e',' ','A','d','m','i','n','s',0 };
static const WCHAR ENTERPRISE_DOMAIN_CONTROLLERS[] = { 'E','N','T','E','R','P','R','I','S','E',' ','D','O','M','A','I','N',' ','C','O','N','T','R','O','L','L','E','R','S',0 };
static const WCHAR Everyone[] = { 'E','v','e','r','y','o','n','e',0 };
static const WCHAR Group_Policy_Creator_Owners[] = { 'G','r','o','u','p',' ','P','o','l','i','c','y',' ','C','r','e','a','t','o','r',' ','O','w','n','e','r','s',0 };
static const WCHAR Guest[] = { 'G','u','e','s','t',0 };
static const WCHAR Guests[] = { 'G','u','e','s','t','s',0 };
static const WCHAR INTERACTIVE[] = { 'I','N','T','E','R','A','C','T','I','V','E',0 };
static const WCHAR LOCAL[] = { 'L','O','C','A','L',0 };
static const WCHAR LOCAL_SERVICE[] = { 'L','O','C','A','L',' ','S','E','R','V','I','C','E',0 };
static const WCHAR LOCAL_SERVICE2[] = { 'L','O','C','A','L','S','E','R','V','I','C','E',0 };
static const WCHAR NETWORK[] = { 'N','E','T','W','O','R','K',0 };
static const WCHAR Network_Configuration_Operators[] = { 'N','e','t','w','o','r','k',' ','C','o','n','f','i','g','u','r','a','t','i','o','n',' ','O','p','e','r','a','t','o','r','s',0 };
static const WCHAR NETWORK_SERVICE[] = { 'N','E','T','W','O','R','K',' ','S','E','R','V','I','C','E',0 };
static const WCHAR NETWORK_SERVICE2[] = { 'N','E','T','W','O','R','K','S','E','R','V','I','C','E',0 };
static const WCHAR NT_AUTHORITY[] = { 'N','T',' ','A','U','T','H','O','R','I','T','Y',0 };
static const WCHAR NT_Pseudo_Domain[] = { 'N','T',' ','P','s','e','u','d','o',' ','D','o','m','a','i','n',0 };
static const WCHAR NTML_Authentication[] = { 'N','T','M','L',' ','A','u','t','h','e','n','t','i','c','a','t','i','o','n',0 };
static const WCHAR NULL_SID[] = { 'N','U','L','L',' ','S','I','D',0 };
static const WCHAR Other_Organization[] = { 'O','t','h','e','r',' ','O','r','g','a','n','i','z','a','t','i','o','n',0 };
static const WCHAR Performance_Log_Users[] = { 'P','e','r','f','o','r','m','a','n','c','e',' ','L','o','g',' ','U','s','e','r','s',0 };
static const WCHAR Performance_Monitor_Users[] = { 'P','e','r','f','o','r','m','a','n','c','e',' ','M','o','n','i','t','o','r',' ','U','s','e','r','s',0 };
static const WCHAR Power_Users[] = { 'P','o','w','e','r',' ','U','s','e','r','s',0 };
static const WCHAR Pre_Windows_2000_Compatible_Access[] = { 'P','r','e','-','W','i','n','d','o','w','s',' ','2','0','0','0',' ','C','o','m','p','a','t','i','b','l','e',' ','A','c','c','e','s','s',0 };
static const WCHAR Print_Operators[] = { 'P','r','i','n','t',' ','O','p','e','r','a','t','o','r','s',0 };
static const WCHAR PROXY[] = { 'P','R','O','X','Y',0 };
static const WCHAR RAS_and_IAS_Servers[] = { 'R','A','S',' ','a','n','d',' ','I','A','S',' ','S','e','r','v','e','r','s',0 };
static const WCHAR Remote_Desktop_Users[] = { 'R','e','m','o','t','e',' ','D','e','s','k','t','o','p',' ','U','s','e','r','s',0 };
static const WCHAR REMOTE_INTERACTIVE_LOGON[] = { 'R','E','M','O','T','E',' ','I','N','T','E','R','A','C','T','I','V','E',' ','L','O','G','O','N',0 };
static const WCHAR Replicators[] = { 'R','e','p','l','i','c','a','t','o','r','s',0 };
static const WCHAR RESTRICTED[] = { 'R','E','S','T','R','I','C','T','E','D',0 };
static const WCHAR SChannel_Authentication[] = { 'S','C','h','a','n','n','e','l',' ','A','u','t','h','e','n','t','i','c','a','t','i','o','n',0 };
static const WCHAR Schema_Admins[] = { 'S','c','h','e','m','a',' ','A','d','m','i','n','s',0 };
static const WCHAR SELF[] = { 'S','E','L','F',0 };
static const WCHAR Server_Operators[] = { 'S','e','r','v','e','r',' ','O','p','e','r','a','t','o','r','s',0 };
static const WCHAR SERVICE[] = { 'S','E','R','V','I','C','E',0 };
static const WCHAR SYSTEM[] = { 'S','Y','S','T','E','M',0 };
static const WCHAR TERMINAL_SERVER_USER[] = { 'T','E','R','M','I','N','A','L',' ','S','E','R','V','E','R',' ','U','S','E','R',0 };
static const WCHAR This_Organization[] = { 'T','h','i','s',' ','O','r','g','a','n','i','z','a','t','i','o','n',0 };
static const WCHAR Users[] = { 'U','s','e','r','s',0 };
static const AccountSid ACCOUNT_SIDS[] = {
{ WinNullSid, NULL_SID, Blank, SidTypeWellKnownGroup },
{ WinWorldSid, Everyone, Blank, SidTypeWellKnownGroup },
{ WinLocalSid, LOCAL, Blank, SidTypeWellKnownGroup },
{ WinCreatorOwnerSid, CREATOR_OWNER, Blank, SidTypeWellKnownGroup },
{ WinCreatorGroupSid, CREATOR_GROUP, Blank, SidTypeWellKnownGroup },
{ WinCreatorOwnerServerSid, CREATOR_OWNER_SERVER, Blank, SidTypeWellKnownGroup },
{ WinCreatorGroupServerSid, CREATOR_GROUP_SERVER, Blank, SidTypeWellKnownGroup },
{ WinNtAuthoritySid, NT_Pseudo_Domain, NT_Pseudo_Domain, SidTypeDomain },
{ WinDialupSid, DIALUP, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinNetworkSid, NETWORK, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinBatchSid, BATCH, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinInteractiveSid, INTERACTIVE, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinServiceSid, SERVICE, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinAnonymousSid, ANONYMOUS_LOGON, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinProxySid, PROXY, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinEnterpriseControllersSid, ENTERPRISE_DOMAIN_CONTROLLERS, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinSelfSid, SELF, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinAuthenticatedUserSid, Authenticated_Users, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinRestrictedCodeSid, RESTRICTED, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinTerminalServerSid, TERMINAL_SERVER_USER, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinRemoteLogonIdSid, REMOTE_INTERACTIVE_LOGON, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinLocalSystemSid, SYSTEM, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinLocalServiceSid, LOCAL_SERVICE, NT_AUTHORITY, SidTypeWellKnownGroup, LOCAL_SERVICE2 },
{ WinNetworkServiceSid, NETWORK_SERVICE, NT_AUTHORITY, SidTypeWellKnownGroup , NETWORK_SERVICE2},
{ WinBuiltinDomainSid, BUILTIN, BUILTIN, SidTypeDomain },
{ WinBuiltinAdministratorsSid, Administrators, BUILTIN, SidTypeAlias },
{ WinBuiltinUsersSid, Users, BUILTIN, SidTypeAlias },
{ WinBuiltinGuestsSid, Guests, BUILTIN, SidTypeAlias },
{ WinBuiltinPowerUsersSid, Power_Users, BUILTIN, SidTypeAlias },
{ WinBuiltinAccountOperatorsSid, Account_Operators, BUILTIN, SidTypeAlias },
{ WinBuiltinSystemOperatorsSid, Server_Operators, BUILTIN, SidTypeAlias },
{ WinBuiltinPrintOperatorsSid, Print_Operators, BUILTIN, SidTypeAlias },
{ WinBuiltinBackupOperatorsSid, Backup_Operators, BUILTIN, SidTypeAlias },
{ WinBuiltinReplicatorSid, Replicators, BUILTIN, SidTypeAlias },
{ WinBuiltinPreWindows2000CompatibleAccessSid, Pre_Windows_2000_Compatible_Access, BUILTIN, SidTypeAlias },
{ WinBuiltinRemoteDesktopUsersSid, Remote_Desktop_Users, BUILTIN, SidTypeAlias },
{ WinBuiltinNetworkConfigurationOperatorsSid, Network_Configuration_Operators, BUILTIN, SidTypeAlias },
{ WinNTLMAuthenticationSid, NTML_Authentication, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinDigestAuthenticationSid, Digest_Authentication, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinSChannelAuthenticationSid, SChannel_Authentication, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinThisOrganizationSid, This_Organization, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinOtherOrganizationSid, Other_Organization, NT_AUTHORITY, SidTypeWellKnownGroup },
{ WinBuiltinPerfMonitoringUsersSid, Performance_Monitor_Users, BUILTIN, SidTypeAlias },
{ WinBuiltinPerfLoggingUsersSid, Performance_Log_Users, BUILTIN, SidTypeAlias },
{ WinBuiltinAnyPackageSid, ALL_APPLICATION_PACKAGES, APPLICATION_PACKAGE_AUTHORITY, SidTypeWellKnownGroup },
};
/*
* ACE access rights
*/
static const WCHAR SDDL_READ_CONTROL[] = {'R','C',0};
static const WCHAR SDDL_WRITE_DAC[] = {'W','D',0};
static const WCHAR SDDL_WRITE_OWNER[] = {'W','O',0};
static const WCHAR SDDL_STANDARD_DELETE[] = {'S','D',0};
static const WCHAR SDDL_READ_PROPERTY[] = {'R','P',0};
static const WCHAR SDDL_WRITE_PROPERTY[] = {'W','P',0};
static const WCHAR SDDL_CREATE_CHILD[] = {'C','C',0};
static const WCHAR SDDL_DELETE_CHILD[] = {'D','C',0};
static const WCHAR SDDL_LIST_CHILDREN[] = {'L','C',0};
static const WCHAR SDDL_SELF_WRITE[] = {'S','W',0};
static const WCHAR SDDL_LIST_OBJECT[] = {'L','O',0};
static const WCHAR SDDL_DELETE_TREE[] = {'D','T',0};
static const WCHAR SDDL_CONTROL_ACCESS[] = {'C','R',0};
static const WCHAR SDDL_FILE_ALL[] = {'F','A',0};
static const WCHAR SDDL_FILE_READ[] = {'F','R',0};
static const WCHAR SDDL_FILE_WRITE[] = {'F','W',0};
static const WCHAR SDDL_FILE_EXECUTE[] = {'F','X',0};
static const WCHAR SDDL_KEY_ALL[] = {'K','A',0};
static const WCHAR SDDL_KEY_READ[] = {'K','R',0};
static const WCHAR SDDL_KEY_WRITE[] = {'K','W',0};
static const WCHAR SDDL_KEY_EXECUTE[] = {'K','X',0};
static const WCHAR SDDL_GENERIC_ALL[] = {'G','A',0};
static const WCHAR SDDL_GENERIC_READ[] = {'G','R',0};
static const WCHAR SDDL_GENERIC_WRITE[] = {'G','W',0};
static const WCHAR SDDL_GENERIC_EXECUTE[] = {'G','X',0};
static const WCHAR SDDL_NO_READ_UP[] = {'N','R',0};
static const WCHAR SDDL_NO_WRITE_UP[] = {'N','W',0};
static const WCHAR SDDL_NO_EXECUTE_UP[] = {'N','X',0};
/*
* ACL flags
*/
static const WCHAR SDDL_PROTECTED[] = {'P',0};
static const WCHAR SDDL_AUTO_INHERIT_REQ[] = {'A','R',0};
static const WCHAR SDDL_AUTO_INHERITED[] = {'A','I',0};
/*
* ACE types
*/
static const WCHAR SDDL_ACCESS_ALLOWED[] = {'A',0};
static const WCHAR SDDL_ACCESS_DENIED[] = {'D',0};
static const WCHAR SDDL_AUDIT[] = {'A','U',0};
static const WCHAR SDDL_ALARM[] = {'A','L',0};
static const WCHAR SDDL_MANDATORY_LABEL[] = {'M','L',0};
/*
* ACE flags
*/
static const WCHAR SDDL_CONTAINER_INHERIT[] = {'C','I',0};
static const WCHAR SDDL_OBJECT_INHERIT[] = {'O','I',0};
static const WCHAR SDDL_NO_PROPAGATE[] = {'N','P',0};
static const WCHAR SDDL_INHERIT_ONLY[] = {'I','O',0};
static const WCHAR SDDL_INHERITED[] = {'I','D',0};
static const WCHAR SDDL_AUDIT_SUCCESS[] = {'S','A',0};
static const WCHAR SDDL_AUDIT_FAILURE[] = {'F','A',0};
const char * debugstr_sid(PSID sid)
{
int auth = 0;
SID * psid = sid;
if (psid == NULL)
return "(null)";
auth = psid->IdentifierAuthority.Value[5] +
(psid->IdentifierAuthority.Value[4] << 8) +
(psid->IdentifierAuthority.Value[3] << 16) +
(psid->IdentifierAuthority.Value[2] << 24);
switch (psid->SubAuthorityCount) {
case 0:
return wine_dbg_sprintf("S-%d-%d", psid->Revision, auth);
case 1:
return wine_dbg_sprintf("S-%d-%d-%u", psid->Revision, auth,
psid->SubAuthority[0]);
case 2:
return wine_dbg_sprintf("S-%d-%d-%u-%u", psid->Revision, auth,
psid->SubAuthority[0], psid->SubAuthority[1]);
case 3:
return wine_dbg_sprintf("S-%d-%d-%u-%u-%u", psid->Revision, auth,
psid->SubAuthority[0], psid->SubAuthority[1], psid->SubAuthority[2]);
case 4:
return wine_dbg_sprintf("S-%d-%d-%u-%u-%u-%u", psid->Revision, auth,
psid->SubAuthority[0], psid->SubAuthority[1], psid->SubAuthority[2],
psid->SubAuthority[3]);
case 5:
return wine_dbg_sprintf("S-%d-%d-%u-%u-%u-%u-%u", psid->Revision, auth,
psid->SubAuthority[0], psid->SubAuthority[1], psid->SubAuthority[2],
psid->SubAuthority[3], psid->SubAuthority[4]);
case 6:
return wine_dbg_sprintf("S-%d-%d-%u-%u-%u-%u-%u-%u", psid->Revision, auth,
psid->SubAuthority[3], psid->SubAuthority[1], psid->SubAuthority[2],
psid->SubAuthority[0], psid->SubAuthority[4], psid->SubAuthority[5]);
case 7:
return wine_dbg_sprintf("S-%d-%d-%u-%u-%u-%u-%u-%u-%u", psid->Revision, auth,
psid->SubAuthority[0], psid->SubAuthority[1], psid->SubAuthority[2],
psid->SubAuthority[3], psid->SubAuthority[4], psid->SubAuthority[5],
psid->SubAuthority[6]);
case 8:
return wine_dbg_sprintf("S-%d-%d-%u-%u-%u-%u-%u-%u-%u-%u", psid->Revision, auth,
psid->SubAuthority[0], psid->SubAuthority[1], psid->SubAuthority[2],
psid->SubAuthority[3], psid->SubAuthority[4], psid->SubAuthority[5],
psid->SubAuthority[6], psid->SubAuthority[7]);
}
return "(too-big)";
}
/* set last error code from NT status and get the proper boolean return value */
/* used for functions that are a simple wrapper around the corresponding ntdll API */
static inline BOOL set_ntstatus( NTSTATUS status )
{
if (status) SetLastError( RtlNtStatusToDosError( status ));
return !status;
}
/* helper function for SE_FILE_OBJECT objects in [Get|Set]NamedSecurityInfo */
static inline DWORD get_security_file( LPCWSTR full_file_name, DWORD access, HANDLE *file )
{
UNICODE_STRING file_nameW;
OBJECT_ATTRIBUTES attr;
IO_STATUS_BLOCK io;
NTSTATUS status;
if (!RtlDosPathNameToNtPathName_U( full_file_name, &file_nameW, NULL, NULL ))
return ERROR_PATH_NOT_FOUND;
attr.Length = sizeof(attr);
attr.RootDirectory = 0;
attr.Attributes = OBJ_CASE_INSENSITIVE;
attr.ObjectName = &file_nameW;
attr.SecurityDescriptor = NULL;
status = NtCreateFile( file, access|SYNCHRONIZE, &attr, &io, NULL, FILE_FLAG_BACKUP_SEMANTICS,
FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, FILE_OPEN,
FILE_OPEN_FOR_BACKUP_INTENT, NULL, 0 );
RtlFreeUnicodeString( &file_nameW );
return RtlNtStatusToDosError( status );
}
/* helper function for SE_SERVICE objects in [Get|Set]NamedSecurityInfo */
static inline DWORD get_security_service( LPWSTR full_service_name, DWORD access, HANDLE *service )
{
SC_HANDLE manager = 0;
DWORD err;
err = SERV_OpenSCManagerW( NULL, NULL, access, (SC_HANDLE *)&manager );
if (err == ERROR_SUCCESS)
{
err = SERV_OpenServiceW( manager, full_service_name, access, (SC_HANDLE *)service );
CloseServiceHandle( manager );
}
return err;
}
/* helper function for SE_REGISTRY_KEY objects in [Get|Set]NamedSecurityInfo */
static inline DWORD get_security_regkey( LPWSTR full_key_name, DWORD access, HANDLE *key )
{
static const WCHAR classes_rootW[] = {'C','L','A','S','S','E','S','_','R','O','O','T',0};
static const WCHAR current_userW[] = {'C','U','R','R','E','N','T','_','U','S','E','R',0};
static const WCHAR machineW[] = {'M','A','C','H','I','N','E',0};
static const WCHAR usersW[] = {'U','S','E','R','S',0};
LPWSTR p = strchrW(full_key_name, '\\');
int len = p-full_key_name;
HKEY hParent;
if (!p) return ERROR_INVALID_PARAMETER;
if (strncmpW( full_key_name, classes_rootW, len ) == 0)
hParent = HKEY_CLASSES_ROOT;
else if (strncmpW( full_key_name, current_userW, len ) == 0)
hParent = HKEY_CURRENT_USER;
else if (strncmpW( full_key_name, machineW, len ) == 0)
hParent = HKEY_LOCAL_MACHINE;
else if (strncmpW( full_key_name, usersW, len ) == 0)
hParent = HKEY_USERS;
else
return ERROR_INVALID_PARAMETER;
return RegOpenKeyExW( hParent, p+1, 0, access, (HKEY *)key );
}
#define WINE_SIZE_OF_WORLD_ACCESS_ACL (sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + sizeof(sidWorld) - sizeof(DWORD))
static void GetWorldAccessACL(PACL pACL)
{
PACCESS_ALLOWED_ACE pACE = (PACCESS_ALLOWED_ACE) (pACL + 1);
pACL->AclRevision = ACL_REVISION;
pACL->Sbz1 = 0;
pACL->AclSize = WINE_SIZE_OF_WORLD_ACCESS_ACL;
pACL->AceCount = 1;
pACL->Sbz2 = 0;
pACE->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
pACE->Header.AceFlags = CONTAINER_INHERIT_ACE;
pACE->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE) + sizeof(sidWorld) - sizeof(DWORD);
pACE->Mask = 0xf3ffffff; /* Everything except reserved bits */
memcpy(&pACE->SidStart, &sidWorld, sizeof(sidWorld));
}
/************************************************************
* ADVAPI_IsLocalComputer
*
* Checks whether the server name indicates local machine.
*/
BOOL ADVAPI_IsLocalComputer(LPCWSTR ServerName)
{
DWORD dwSize = MAX_COMPUTERNAME_LENGTH + 1;
BOOL Result;
LPWSTR buf;
if (!ServerName || !ServerName[0])
return TRUE;
buf = heap_alloc(dwSize * sizeof(WCHAR));
Result = GetComputerNameW(buf, &dwSize);
if (Result && (ServerName[0] == '\\') && (ServerName[1] == '\\'))
ServerName += 2;
Result = Result && !lstrcmpW(ServerName, buf);
heap_free(buf);
return Result;
}
/************************************************************
* ADVAPI_GetComputerSid
*/
BOOL ADVAPI_GetComputerSid(PSID sid)
{
static const struct /* same fields as struct SID */
{
BYTE Revision;
BYTE SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
DWORD SubAuthority[4];
} computer_sid =
{ SID_REVISION, 4, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0 } };
memcpy( sid, &computer_sid, sizeof(computer_sid) );
return TRUE;
}
/* ##############################
###### TOKEN FUNCTIONS ######
##############################
*/
/******************************************************************************
* OpenProcessToken [ADVAPI32.@]
* Opens the access token associated with a process handle.
*
* PARAMS
* ProcessHandle [I] Handle to process
* DesiredAccess [I] Desired access to process
* TokenHandle [O] Pointer to handle of open access token
*
* RETURNS
* Success: TRUE. TokenHandle contains the access token.
* Failure: FALSE.
*
* NOTES
* See NtOpenProcessToken.
*/
BOOL WINAPI
OpenProcessToken( HANDLE ProcessHandle, DWORD DesiredAccess,
HANDLE *TokenHandle )
{
return set_ntstatus(NtOpenProcessToken( ProcessHandle, DesiredAccess, TokenHandle ));
}
/******************************************************************************
* OpenThreadToken [ADVAPI32.@]
*
* Opens the access token associated with a thread handle.
*
* PARAMS
* ThreadHandle [I] Handle to process
* DesiredAccess [I] Desired access to the thread
* OpenAsSelf [I] ???
* TokenHandle [O] Destination for the token handle
*
* RETURNS
* Success: TRUE. TokenHandle contains the access token.
* Failure: FALSE.
*
* NOTES
* See NtOpenThreadToken.
*/
BOOL WINAPI
OpenThreadToken( HANDLE ThreadHandle, DWORD DesiredAccess,
BOOL OpenAsSelf, HANDLE *TokenHandle)
{
return set_ntstatus( NtOpenThreadToken(ThreadHandle, DesiredAccess, OpenAsSelf, TokenHandle));
}
BOOL WINAPI
AdjustTokenGroups( HANDLE TokenHandle, BOOL ResetToDefault, PTOKEN_GROUPS NewState,
DWORD BufferLength, PTOKEN_GROUPS PreviousState, PDWORD ReturnLength )
{
return set_ntstatus( NtAdjustGroupsToken(TokenHandle, ResetToDefault, NewState, BufferLength,
PreviousState, ReturnLength));
}
/******************************************************************************
* AdjustTokenPrivileges [ADVAPI32.@]
*
* Adjust the privileges of an open token handle.
*
* PARAMS
* TokenHandle [I] Handle from OpenProcessToken() or OpenThreadToken()
* DisableAllPrivileges [I] TRUE=Remove all privileges, FALSE=Use NewState
* NewState [I] Desired new privileges of the token
* BufferLength [I] Length of NewState
* PreviousState [O] Destination for the previous state
* ReturnLength [I/O] Size of PreviousState
*
*
* RETURNS
* Success: TRUE. Privileges are set to NewState and PreviousState is updated.
* Failure: FALSE.
*
* NOTES
* See NtAdjustPrivilegesToken.
*/
BOOL WINAPI
AdjustTokenPrivileges( HANDLE TokenHandle, BOOL DisableAllPrivileges,
PTOKEN_PRIVILEGES NewState, DWORD BufferLength,
PTOKEN_PRIVILEGES PreviousState, PDWORD ReturnLength )
{
NTSTATUS status;
TRACE("(%p %d %p %d %p %p)\n", TokenHandle, DisableAllPrivileges, NewState, BufferLength,
PreviousState, ReturnLength);
status = NtAdjustPrivilegesToken(TokenHandle, DisableAllPrivileges,
NewState, BufferLength, PreviousState,
ReturnLength);
SetLastError( RtlNtStatusToDosError( status ));
if ((status == STATUS_SUCCESS) || (status == STATUS_NOT_ALL_ASSIGNED))
return TRUE;
else
return FALSE;
}
/******************************************************************************
* CheckTokenMembership [ADVAPI32.@]
*
* Determine if an access token is a member of a SID.
*
* PARAMS
* TokenHandle [I] Handle from OpenProcessToken() or OpenThreadToken()
* SidToCheck [I] SID that possibly contains the token
* IsMember [O] Destination for result.
*
* RETURNS
* Success: TRUE. IsMember is TRUE if TokenHandle is a member, FALSE otherwise.
* Failure: FALSE.
*/
BOOL WINAPI
CheckTokenMembership( HANDLE token, PSID sid_to_check,
PBOOL is_member )
{
PTOKEN_GROUPS token_groups = NULL;
HANDLE thread_token = NULL;
DWORD size, i;
BOOL ret;
TRACE("(%p %s %p)\n", token, debugstr_sid(sid_to_check), is_member);
*is_member = FALSE;
if (!token)
{
if (!OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, TRUE, &thread_token))
{
HANDLE process_token;
ret = OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE, &process_token);
if (!ret)
goto exit;
ret = DuplicateTokenEx(process_token, TOKEN_QUERY,
NULL, SecurityImpersonation, TokenImpersonation,
&thread_token);
CloseHandle(process_token);
if (!ret)
goto exit;
}
token = thread_token;
}
else
{
TOKEN_TYPE type;
ret = GetTokenInformation(token, TokenType, &type, sizeof(TOKEN_TYPE), &size);
if (!ret) goto exit;
if (type == TokenPrimary)
{
SetLastError(ERROR_NO_IMPERSONATION_TOKEN);
return FALSE;
}
}
ret = GetTokenInformation(token, TokenGroups, NULL, 0, &size);
if (!ret && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
goto exit;
token_groups = heap_alloc(size);
if (!token_groups)
{
ret = FALSE;
goto exit;
}
ret = GetTokenInformation(token, TokenGroups, token_groups, size, &size);
if (!ret)
goto exit;
for (i = 0; i < token_groups->GroupCount; i++)
{
TRACE("Groups[%d]: {0x%x, %s}\n", i,
token_groups->Groups[i].Attributes,
debugstr_sid(token_groups->Groups[i].Sid));
if ((token_groups->Groups[i].Attributes & SE_GROUP_ENABLED) &&
EqualSid(sid_to_check, token_groups->Groups[i].Sid))
{
*is_member = TRUE;
TRACE("sid enabled and found in token\n");
break;
}
}
exit:
heap_free(token_groups);
if (thread_token != NULL) CloseHandle(thread_token);
return ret;
}
/******************************************************************************
* GetTokenInformation [ADVAPI32.@]
*
* Get a type of information about an access token.
*
* PARAMS
* token [I] Handle from OpenProcessToken() or OpenThreadToken()
* tokeninfoclass [I] A TOKEN_INFORMATION_CLASS from "winnt.h"
* tokeninfo [O] Destination for token information
* tokeninfolength [I] Length of tokeninfo
* retlen [O] Destination for returned token information length
*
* RETURNS
* Success: TRUE. tokeninfo contains retlen bytes of token information
* Failure: FALSE.
*
* NOTES
* See NtQueryInformationToken.
*/
BOOL WINAPI
GetTokenInformation( HANDLE token, TOKEN_INFORMATION_CLASS tokeninfoclass,
LPVOID tokeninfo, DWORD tokeninfolength, LPDWORD retlen )
{
TRACE("(%p, %s, %p, %d, %p):\n",
token,
(tokeninfoclass == TokenUser) ? "TokenUser" :
(tokeninfoclass == TokenGroups) ? "TokenGroups" :
(tokeninfoclass == TokenPrivileges) ? "TokenPrivileges" :
(tokeninfoclass == TokenOwner) ? "TokenOwner" :
(tokeninfoclass == TokenPrimaryGroup) ? "TokenPrimaryGroup" :
(tokeninfoclass == TokenDefaultDacl) ? "TokenDefaultDacl" :
(tokeninfoclass == TokenSource) ? "TokenSource" :
(tokeninfoclass == TokenType) ? "TokenType" :
(tokeninfoclass == TokenImpersonationLevel) ? "TokenImpersonationLevel" :
(tokeninfoclass == TokenStatistics) ? "TokenStatistics" :
(tokeninfoclass == TokenRestrictedSids) ? "TokenRestrictedSids" :
(tokeninfoclass == TokenSessionId) ? "TokenSessionId" :
(tokeninfoclass == TokenGroupsAndPrivileges) ? "TokenGroupsAndPrivileges" :
(tokeninfoclass == TokenSessionReference) ? "TokenSessionReference" :
(tokeninfoclass == TokenSandBoxInert) ? "TokenSandBoxInert" :
"Unknown",
tokeninfo, tokeninfolength, retlen);
return set_ntstatus( NtQueryInformationToken( token, tokeninfoclass, tokeninfo,
tokeninfolength, retlen));
}
/******************************************************************************
* SetTokenInformation [ADVAPI32.@]
*
* Set information for an access token.
*
* PARAMS
* token [I] Handle from OpenProcessToken() or OpenThreadToken()
* tokeninfoclass [I] A TOKEN_INFORMATION_CLASS from "winnt.h"
* tokeninfo [I] Token information to set
* tokeninfolength [I] Length of tokeninfo
*
* RETURNS
* Success: TRUE. The information for the token is set to tokeninfo.
* Failure: FALSE.
*/
BOOL WINAPI
SetTokenInformation( HANDLE token, TOKEN_INFORMATION_CLASS tokeninfoclass,
LPVOID tokeninfo, DWORD tokeninfolength )
{
TRACE("(%p, %s, %p, %d)\n",
token,
(tokeninfoclass == TokenUser) ? "TokenUser" :
(tokeninfoclass == TokenGroups) ? "TokenGroups" :
(tokeninfoclass == TokenPrivileges) ? "TokenPrivileges" :
(tokeninfoclass == TokenOwner) ? "TokenOwner" :
(tokeninfoclass == TokenPrimaryGroup) ? "TokenPrimaryGroup" :
(tokeninfoclass == TokenDefaultDacl) ? "TokenDefaultDacl" :
(tokeninfoclass == TokenSource) ? "TokenSource" :
(tokeninfoclass == TokenType) ? "TokenType" :
(tokeninfoclass == TokenImpersonationLevel) ? "TokenImpersonationLevel" :
(tokeninfoclass == TokenStatistics) ? "TokenStatistics" :
(tokeninfoclass == TokenRestrictedSids) ? "TokenRestrictedSids" :
(tokeninfoclass == TokenSessionId) ? "TokenSessionId" :
(tokeninfoclass == TokenGroupsAndPrivileges) ? "TokenGroupsAndPrivileges" :
(tokeninfoclass == TokenSessionReference) ? "TokenSessionReference" :
(tokeninfoclass == TokenSandBoxInert) ? "TokenSandBoxInert" :
"Unknown",
tokeninfo, tokeninfolength);
return set_ntstatus( NtSetInformationToken( token, tokeninfoclass, tokeninfo, tokeninfolength ));
}
/*************************************************************************
* SetThreadToken [ADVAPI32.@]
*
* Assigns an 'impersonation token' to a thread so it can assume the
* security privileges of another thread or process. Can also remove
* a previously assigned token.
*
* PARAMS
* thread [O] Handle to thread to set the token for
* token [I] Token to set
*
* RETURNS
* Success: TRUE. The threads access token is set to token
* Failure: FALSE.
*
* NOTES
* Only supported on NT or higher. On Win9X this function does nothing.
* See SetTokenInformation.
*/
BOOL WINAPI SetThreadToken(PHANDLE thread, HANDLE token)
{
return set_ntstatus( NtSetInformationThread( thread ? *thread : GetCurrentThread(),
ThreadImpersonationToken, &token, sizeof token ));
}
/*************************************************************************
* CreateRestrictedToken [ADVAPI32.@]
*
* Create a new more restricted token from an existing token.
*
* PARAMS
* baseToken [I] Token to base the new restricted token on
* flags [I] Options
* nDisableSids [I] Length of disableSids array
* disableSids [I] Array of SIDs to disable in the new token
* nDeletePrivs [I] Length of deletePrivs array
* deletePrivs [I] Array of privileges to delete in the new token
* nRestrictSids [I] Length of restrictSids array
* restrictSids [I] Array of SIDs to restrict in the new token
* newToken [O] Address where the new token is stored
*
* RETURNS
* Success: TRUE
* Failure: FALSE
*/
BOOL WINAPI CreateRestrictedToken(
HANDLE baseToken,
DWORD flags,
DWORD nDisableSids,
PSID_AND_ATTRIBUTES disableSids,
DWORD nDeletePrivs,
PLUID_AND_ATTRIBUTES deletePrivs,
DWORD nRestrictSids,
PSID_AND_ATTRIBUTES restrictSids,
PHANDLE newToken)
{
TOKEN_TYPE type;
SECURITY_IMPERSONATION_LEVEL level = SecurityAnonymous;
DWORD size;
FIXME("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p): stub\n",
baseToken, flags, nDisableSids, disableSids,
nDeletePrivs, deletePrivs,
nRestrictSids, restrictSids,
newToken);
size = sizeof(type);
if (!GetTokenInformation( baseToken, TokenType, &type, size, &size )) return FALSE;
if (type == TokenImpersonation)
{
size = sizeof(level);
if (!GetTokenInformation( baseToken, TokenImpersonationLevel, &level, size, &size ))
return FALSE;
}
return DuplicateTokenEx( baseToken, MAXIMUM_ALLOWED, NULL, level, type, newToken );
}
/* ##############################
###### SID FUNCTIONS ######
##############################
*/
/******************************************************************************
* AllocateAndInitializeSid [ADVAPI32.@]
*
* PARAMS
* pIdentifierAuthority []
* nSubAuthorityCount []
* nSubAuthority0 []
* nSubAuthority1 []
* nSubAuthority2 []
* nSubAuthority3 []
* nSubAuthority4 []
* nSubAuthority5 []
* nSubAuthority6 []
* nSubAuthority7 []
* pSid []
*/
BOOL WINAPI
AllocateAndInitializeSid( PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
BYTE nSubAuthorityCount,
DWORD nSubAuthority0, DWORD nSubAuthority1,
DWORD nSubAuthority2, DWORD nSubAuthority3,
DWORD nSubAuthority4, DWORD nSubAuthority5,
DWORD nSubAuthority6, DWORD nSubAuthority7,
PSID *pSid )
{
return set_ntstatus( RtlAllocateAndInitializeSid(
pIdentifierAuthority, nSubAuthorityCount,
nSubAuthority0, nSubAuthority1, nSubAuthority2, nSubAuthority3,
nSubAuthority4, nSubAuthority5, nSubAuthority6, nSubAuthority7,
pSid ));
}
/******************************************************************************
* FreeSid [ADVAPI32.@]
*
* PARAMS
* pSid []
*/
PVOID WINAPI
FreeSid( PSID pSid )
{
RtlFreeSid(pSid);
return NULL; /* is documented like this */
}
/******************************************************************************
* CopySid [ADVAPI32.@]
*
* PARAMS
* nDestinationSidLength []
* pDestinationSid []
* pSourceSid []
*/
BOOL WINAPI
CopySid( DWORD nDestinationSidLength, PSID pDestinationSid, PSID pSourceSid )
{
return RtlCopySid(nDestinationSidLength, pDestinationSid, pSourceSid);
}
/******************************************************************************
* CreateWellKnownSid [ADVAPI32.@]
*/
BOOL WINAPI
CreateWellKnownSid( WELL_KNOWN_SID_TYPE WellKnownSidType,
PSID DomainSid,
PSID pSid,
DWORD* cbSid)
{
unsigned int i;
TRACE("(%d, %s, %p, %p)\n", WellKnownSidType, debugstr_sid(DomainSid), pSid, cbSid);
if (cbSid == NULL || (DomainSid && !IsValidSid(DomainSid)))
{
SetLastError(ERROR_INVALID_PARAMETER);
return FALSE;
}
for (i = 0; i < ARRAY_SIZE(WellKnownSids); i++) {
if (WellKnownSids[i].Type == WellKnownSidType) {
DWORD length = GetSidLengthRequired(WellKnownSids[i].Sid.SubAuthorityCount);
if (*cbSid < length)
{
*cbSid = length;
SetLastError(ERROR_INSUFFICIENT_BUFFER);
return FALSE;
}
if (!pSid)
{
SetLastError(ERROR_INVALID_PARAMETER);
return FALSE;
}
CopyMemory(pSid, &WellKnownSids[i].Sid.Revision, length);
*cbSid = length;
return TRUE;
}
}
if (DomainSid == NULL || *GetSidSubAuthorityCount(DomainSid) == SID_MAX_SUB_AUTHORITIES)
{
SetLastError(ERROR_INVALID_PARAMETER);
return FALSE;
}
for (i = 0; i < ARRAY_SIZE(WellKnownRids); i++)
if (WellKnownRids[i].Type == WellKnownSidType) {
UCHAR domain_subauth = *GetSidSubAuthorityCount(DomainSid);
DWORD domain_sid_length = GetSidLengthRequired(domain_subauth);
DWORD output_sid_length = GetSidLengthRequired(domain_subauth + 1);
if (*cbSid < output_sid_length)
{
*cbSid = output_sid_length;
SetLastError(ERROR_INSUFFICIENT_BUFFER);
return FALSE;
}
if (!pSid)
{
SetLastError(ERROR_INVALID_PARAMETER);
return FALSE;
}
CopyMemory(pSid, DomainSid, domain_sid_length);
(*GetSidSubAuthorityCount(pSid))++;
(*GetSidSubAuthority(pSid, domain_subauth)) = WellKnownRids[i].Rid;
*cbSid = output_sid_length;
return TRUE;
}
SetLastError(ERROR_INVALID_PARAMETER);
return FALSE;
}
/******************************************************************************
* IsWellKnownSid [ADVAPI32.@]
*/
BOOL WINAPI
IsWellKnownSid( PSID pSid, WELL_KNOWN_SID_TYPE WellKnownSidType )
{
unsigned int i;
TRACE("(%s, %d)\n", debugstr_sid(pSid), WellKnownSidType);
for (i = 0; i < ARRAY_SIZE(WellKnownSids); i++)
if (WellKnownSids[i].Type == WellKnownSidType)
if (EqualSid(pSid, (PSID)&(WellKnownSids[i].Sid.Revision)))
return TRUE;
return FALSE;
}
BOOL WINAPI
IsTokenRestricted( HANDLE TokenHandle )
{
TOKEN_GROUPS *groups;
DWORD size;
NTSTATUS status;
BOOL restricted;
TRACE("(%p)\n", TokenHandle);
status = NtQueryInformationToken(TokenHandle, TokenRestrictedSids, NULL, 0, &size);
if (status != STATUS_BUFFER_TOO_SMALL)
return FALSE;
groups = heap_alloc(size);
if (!groups)
{
SetLastError(ERROR_OUTOFMEMORY);
return FALSE;
}
status = NtQueryInformationToken(TokenHandle, TokenRestrictedSids, groups, size, &size);
if (status != STATUS_SUCCESS)
{
heap_free(groups);
return set_ntstatus(status);
}
restricted = groups->GroupCount > 0;
heap_free(groups);
return restricted;
}
/******************************************************************************
* IsValidSid [ADVAPI32.@]
*
* PARAMS
* pSid []
*/
BOOL WINAPI
IsValidSid( PSID pSid )
{
return RtlValidSid( pSid );
}
/******************************************************************************
* EqualSid [ADVAPI32.@]
*
* PARAMS
* pSid1 []
* pSid2 []
*/
BOOL WINAPI
EqualSid( PSID pSid1, PSID pSid2 )
{
BOOL ret = RtlEqualSid( pSid1, pSid2 );
SetLastError(ERROR_SUCCESS);
return ret;
}
/******************************************************************************
* EqualPrefixSid [ADVAPI32.@]
*/
BOOL WINAPI EqualPrefixSid (PSID pSid1, PSID pSid2)
{
return RtlEqualPrefixSid(pSid1, pSid2);
}
/******************************************************************************
* GetSidLengthRequired [ADVAPI32.@]
*
* PARAMS
* nSubAuthorityCount []
*/
DWORD WINAPI
GetSidLengthRequired( BYTE nSubAuthorityCount )
{
return RtlLengthRequiredSid(nSubAuthorityCount);
}
/******************************************************************************
* InitializeSid [ADVAPI32.@]
*
* PARAMS
* pIdentifierAuthority []
*/
BOOL WINAPI
InitializeSid (
PSID pSid,
PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
BYTE nSubAuthorityCount)
{
return RtlInitializeSid(pSid, pIdentifierAuthority, nSubAuthorityCount);
}
DWORD WINAPI
GetEffectiveRightsFromAclA( PACL pacl, PTRUSTEEA pTrustee, PACCESS_MASK pAccessRights )
{
FIXME("%p %p %p - stub\n", pacl, pTrustee, pAccessRights);
*pAccessRights = STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL;
return 0;
}
DWORD WINAPI
GetEffectiveRightsFromAclW( PACL pacl, PTRUSTEEW pTrustee, PACCESS_MASK pAccessRights )
{
FIXME("%p %p %p - stub\n", pacl, pTrustee, pAccessRights);
return 1;
}
/******************************************************************************
* GetSidIdentifierAuthority [ADVAPI32.@]
*
* PARAMS
* pSid []
*/
PSID_IDENTIFIER_AUTHORITY WINAPI
GetSidIdentifierAuthority( PSID pSid )
{
SetLastError(ERROR_SUCCESS);
return RtlIdentifierAuthoritySid(pSid);
}
/******************************************************************************
* GetSidSubAuthority [ADVAPI32.@]
*
* PARAMS
* pSid []
* nSubAuthority []
*/
PDWORD WINAPI
GetSidSubAuthority( PSID pSid, DWORD nSubAuthority )
{
SetLastError(ERROR_SUCCESS);
return RtlSubAuthoritySid(pSid, nSubAuthority);
}
/******************************************************************************
* GetSidSubAuthorityCount [ADVAPI32.@]
*
* PARAMS
* pSid []
*/
PUCHAR WINAPI
GetSidSubAuthorityCount (PSID pSid)
{
SetLastError(ERROR_SUCCESS);
return RtlSubAuthorityCountSid(pSid);
}
/******************************************************************************
* GetLengthSid [ADVAPI32.@]
*
* PARAMS
* pSid []
*/
DWORD WINAPI
GetLengthSid (PSID pSid)
{
return RtlLengthSid(pSid);
}
/* ##############################################
###### SECURITY DESCRIPTOR FUNCTIONS ######
##############################################
*/
/******************************************************************************
* BuildSecurityDescriptorA [ADVAPI32.@]
*
* Builds a SD from
*
* PARAMS
* pOwner [I]
* pGroup [I]
* cCountOfAccessEntries [I]
* pListOfAccessEntries [I]
* cCountOfAuditEntries [I]
* pListofAuditEntries [I]
* pOldSD [I]
* lpdwBufferLength [I/O]
* pNewSD [O]
*
* RETURNS
* Success: ERROR_SUCCESS
* Failure: nonzero error code from Winerror.h
*/
DWORD WINAPI BuildSecurityDescriptorA(
IN PTRUSTEEA pOwner,
IN PTRUSTEEA pGroup,
IN ULONG cCountOfAccessEntries,
IN PEXPLICIT_ACCESSA pListOfAccessEntries,
IN ULONG cCountOfAuditEntries,
IN PEXPLICIT_ACCESSA pListofAuditEntries,
IN PSECURITY_DESCRIPTOR pOldSD,
IN OUT PULONG lpdwBufferLength,
OUT PSECURITY_DESCRIPTOR* pNewSD)
{
FIXME("(%p,%p,%d,%p,%d,%p,%p,%p,%p) stub!\n",pOwner,pGroup,
cCountOfAccessEntries,pListOfAccessEntries,cCountOfAuditEntries,
pListofAuditEntries,pOldSD,lpdwBufferLength,pNewSD);
return ERROR_CALL_NOT_IMPLEMENTED;
}
/******************************************************************************
* BuildSecurityDescriptorW [ADVAPI32.@]
*
* See BuildSecurityDescriptorA.
*/
DWORD WINAPI BuildSecurityDescriptorW(
IN PTRUSTEEW pOwner,
IN PTRUSTEEW pGroup,
IN ULONG cCountOfAccessEntries,
IN PEXPLICIT_ACCESSW pListOfAccessEntries,
IN ULONG cCountOfAuditEntries,
IN PEXPLICIT_ACCESSW pListOfAuditEntries,
IN PSECURITY_DESCRIPTOR pOldSD,
IN OUT PULONG lpdwBufferLength,
OUT PSECURITY_DESCRIPTOR* pNewSD)
{
SECURITY_DESCRIPTOR desc;
NTSTATUS status;
DWORD ret = ERROR_SUCCESS;
TRACE("(%p,%p,%d,%p,%d,%p,%p,%p,%p)\n", pOwner, pGroup,
cCountOfAccessEntries, pListOfAccessEntries, cCountOfAuditEntries,
pListOfAuditEntries, pOldSD, lpdwBufferLength, pNewSD);
if (pOldSD)
{
SECURITY_DESCRIPTOR_CONTROL control;
DWORD desc_size, dacl_size = 0, sacl_size = 0, owner_size = 0, group_size = 0;
PACL dacl = NULL, sacl = NULL;
PSID owner = NULL, group = NULL;
DWORD revision;
if ((status = RtlGetControlSecurityDescriptor( pOldSD, &control, &revision )) != STATUS_SUCCESS)
return RtlNtStatusToDosError( status );
if (!(control & SE_SELF_RELATIVE))
return ERROR_INVALID_SECURITY_DESCR;
desc_size = sizeof(desc);
status = RtlSelfRelativeToAbsoluteSD( pOldSD, &desc, &desc_size, dacl, &dacl_size, sacl, &sacl_size,
owner, &owner_size, group, &group_size );
if (status == STATUS_BUFFER_TOO_SMALL)
{
if (dacl_size)
dacl = LocalAlloc( LMEM_FIXED, dacl_size );
if (sacl_size)
sacl = LocalAlloc( LMEM_FIXED, sacl_size );
if (owner_size)
owner = LocalAlloc( LMEM_FIXED, owner_size );
if (group_size)
group = LocalAlloc( LMEM_FIXED, group_size );
desc_size = sizeof(desc);
status = RtlSelfRelativeToAbsoluteSD( pOldSD, &desc, &desc_size, dacl, &dacl_size, sacl, &sacl_size,
owner, &owner_size, group, &group_size );
}
if (status != STATUS_SUCCESS)
{
LocalFree( dacl );
LocalFree( sacl );
LocalFree( owner );
LocalFree( group );
return RtlNtStatusToDosError( status );
}
}
else
{
if ((status = RtlCreateSecurityDescriptor( &desc, SECURITY_DESCRIPTOR_REVISION )) != STATUS_SUCCESS)
return RtlNtStatusToDosError( status );
}
if (pOwner)
{
LocalFree( desc.Owner );
desc.Owner = LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) );
if ((ret = trustee_to_sid( sizeof(MAX_SID), desc.Owner, pOwner )))
goto done;
}
if (pGroup)
{
LocalFree( desc.Group );
desc.Group = LocalAlloc( LMEM_FIXED, sizeof(MAX_SID) );
if ((ret = trustee_to_sid( sizeof(MAX_SID), desc.Group, pGroup )))
goto done;
}
if (pListOfAccessEntries)
{
PACL new_dacl;
if ((ret = SetEntriesInAclW( cCountOfAccessEntries, pListOfAccessEntries, desc.Dacl, &new_dacl )))
goto done;
LocalFree( desc.Dacl );
desc.Dacl = new_dacl;
desc.Control |= SE_DACL_PRESENT;
}
if (pListOfAuditEntries)
{
PACL new_sacl;
if ((ret = SetEntriesInAclW( cCountOfAuditEntries, pListOfAuditEntries, desc.Sacl, &new_sacl )))
goto done;
LocalFree( desc.Sacl );
desc.Sacl = new_sacl;
desc.Control |= SE_SACL_PRESENT;
}
*lpdwBufferLength = RtlLengthSecurityDescriptor( &desc );
*pNewSD = LocalAlloc( LMEM_FIXED, *lpdwBufferLength );
if ((status = RtlMakeSelfRelativeSD( &desc, *pNewSD, lpdwBufferLength )) != STATUS_SUCCESS)
{
ret = RtlNtStatusToDosError( status );
LocalFree( *pNewSD );
*pNewSD = NULL;
}
done:
/* free absolute descriptor */
LocalFree( desc.Owner );
LocalFree( desc.Group );
LocalFree( desc.Sacl );
LocalFree( desc.Dacl );
return ret;
}
/******************************************************************************
* InitializeSecurityDescriptor [ADVAPI32.@]
*
* PARAMS
* pDescr []
* revision []
*/
BOOL WINAPI
InitializeSecurityDescriptor( PSECURITY_DESCRIPTOR pDescr, DWORD revision )
{
return set_ntstatus( RtlCreateSecurityDescriptor(pDescr, revision ));
}
/******************************************************************************
* MakeAbsoluteSD [ADVAPI32.@]
*/
BOOL WINAPI MakeAbsoluteSD (
IN PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,
OUT PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor,
OUT LPDWORD lpdwAbsoluteSecurityDescriptorSize,
OUT PACL pDacl,
OUT LPDWORD lpdwDaclSize,
OUT PACL pSacl,
OUT LPDWORD lpdwSaclSize,
OUT PSID pOwner,
OUT LPDWORD lpdwOwnerSize,
OUT PSID pPrimaryGroup,
OUT LPDWORD lpdwPrimaryGroupSize)
{
return set_ntstatus( RtlSelfRelativeToAbsoluteSD(pSelfRelativeSecurityDescriptor,
pAbsoluteSecurityDescriptor,
lpdwAbsoluteSecurityDescriptorSize,
pDacl, lpdwDaclSize, pSacl, lpdwSaclSize,
pOwner, lpdwOwnerSize,
pPrimaryGroup, lpdwPrimaryGroupSize));
}
/******************************************************************************
* GetKernelObjectSecurity [ADVAPI32.@]
*/
BOOL WINAPI GetKernelObjectSecurity(
HANDLE Handle,
SECURITY_INFORMATION RequestedInformation,
PSECURITY_DESCRIPTOR pSecurityDescriptor,
DWORD nLength,
LPDWORD lpnLengthNeeded )
{
TRACE("(%p,0x%08x,%p,0x%08x,%p)\n", Handle, RequestedInformation,
pSecurityDescriptor, nLength, lpnLengthNeeded);
return set_ntstatus( NtQuerySecurityObject(Handle, RequestedInformation, pSecurityDescriptor,
nLength, lpnLengthNeeded ));
}
/******************************************************************************
* GetPrivateObjectSecurity [ADVAPI32.@]
*/
BOOL WINAPI GetPrivateObjectSecurity(
PSECURITY_DESCRIPTOR ObjectDescriptor,
SECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR ResultantDescriptor,
DWORD DescriptorLength,
PDWORD ReturnLength )
{
SECURITY_DESCRIPTOR desc;
BOOL defaulted, present;
PACL pacl;
PSID psid;
TRACE("(%p,0x%08x,%p,0x%08x,%p)\n", ObjectDescriptor, SecurityInformation,
ResultantDescriptor, DescriptorLength, ReturnLength);
if (!InitializeSecurityDescriptor(&desc, SECURITY_DESCRIPTOR_REVISION))
return FALSE;
if (SecurityInformation & OWNER_SECURITY_INFORMATION)
{
if (!GetSecurityDescriptorOwner(ObjectDescriptor, &psid, &defaulted))
return FALSE;
SetSecurityDescriptorOwner(&desc, psid, defaulted);
}
if (SecurityInformation & GROUP_SECURITY_INFORMATION)
{
if (!GetSecurityDescriptorGroup(ObjectDescriptor, &psid, &defaulted))
return FALSE;
SetSecurityDescriptorGroup(&desc, psid, defaulted);
}
if (SecurityInformation & DACL_SECURITY_INFORMATION)
{
if (!GetSecurityDescriptorDacl(ObjectDescriptor, &present, &pacl, &defaulted))
return FALSE;
SetSecurityDescriptorDacl(&desc, present, pacl, defaulted);
}
if (SecurityInformation & SACL_SECURITY_INFORMATION)
{
if (!GetSecurityDescriptorSacl(ObjectDescriptor, &present, &pacl, &defaulted))
return FALSE;
SetSecurityDescriptorSacl(&desc, present, pacl, defaulted);
}
*ReturnLength = DescriptorLength;
return MakeSelfRelativeSD(&desc, ResultantDescriptor, ReturnLength);
}
/******************************************************************************
* GetSecurityDescriptorLength [ADVAPI32.@]
*/
DWORD WINAPI GetSecurityDescriptorLength( PSECURITY_DESCRIPTOR pDescr)
{
return RtlLengthSecurityDescriptor(pDescr);
}
/******************************************************************************
* GetSecurityDescriptorOwner [ADVAPI32.@]
*
* PARAMS
* pOwner []
* lpbOwnerDefaulted []
*/
BOOL WINAPI
GetSecurityDescriptorOwner( PSECURITY_DESCRIPTOR pDescr, PSID *pOwner,
LPBOOL lpbOwnerDefaulted )
{
BOOLEAN defaulted;
BOOL ret = set_ntstatus( RtlGetOwnerSecurityDescriptor( pDescr, pOwner, &defaulted ));
*lpbOwnerDefaulted = defaulted;
return ret;
}
/******************************************************************************
* SetSecurityDescriptorOwner [ADVAPI32.@]
*
* PARAMS
*/
BOOL WINAPI SetSecurityDescriptorOwner( PSECURITY_DESCRIPTOR pSecurityDescriptor,
PSID pOwner, BOOL bOwnerDefaulted)
{
return set_ntstatus( RtlSetOwnerSecurityDescriptor(pSecurityDescriptor, pOwner, bOwnerDefaulted));
}
/******************************************************************************
* GetSecurityDescriptorGroup [ADVAPI32.@]
*/
BOOL WINAPI GetSecurityDescriptorGroup(
PSECURITY_DESCRIPTOR SecurityDescriptor,
PSID *Group,
LPBOOL GroupDefaulted)
{
BOOLEAN defaulted;
BOOL ret = set_ntstatus( RtlGetGroupSecurityDescriptor(SecurityDescriptor, Group, &defaulted ));
*GroupDefaulted = defaulted;
return ret;
}
/******************************************************************************
* SetSecurityDescriptorGroup [ADVAPI32.@]
*/
BOOL WINAPI SetSecurityDescriptorGroup ( PSECURITY_DESCRIPTOR SecurityDescriptor,
PSID Group, BOOL GroupDefaulted)
{
return set_ntstatus( RtlSetGroupSecurityDescriptor( SecurityDescriptor, Group, GroupDefaulted));
}
/******************************************************************************
* IsValidSecurityDescriptor [ADVAPI32.@]
*
* PARAMS
* lpsecdesc []
*/
BOOL WINAPI
IsValidSecurityDescriptor( PSECURITY_DESCRIPTOR SecurityDescriptor )
{
return set_ntstatus( RtlValidSecurityDescriptor(SecurityDescriptor));
}
/******************************************************************************
* GetSecurityDescriptorDacl [ADVAPI32.@]
*/
BOOL WINAPI GetSecurityDescriptorDacl(
IN PSECURITY_DESCRIPTOR pSecurityDescriptor,
OUT LPBOOL lpbDaclPresent,
OUT PACL *pDacl,
OUT LPBOOL lpbDaclDefaulted)
{
BOOLEAN present, defaulted;
BOOL ret = set_ntstatus( RtlGetDaclSecurityDescriptor(pSecurityDescriptor, &present, pDacl, &defaulted));
*lpbDaclPresent = present;
*lpbDaclDefaulted = defaulted;
return ret;
}
/******************************************************************************
* SetSecurityDescriptorDacl [ADVAPI32.@]
*/
BOOL WINAPI
SetSecurityDescriptorDacl (
PSECURITY_DESCRIPTOR lpsd,
BOOL daclpresent,
PACL dacl,
BOOL dacldefaulted )
{
return set_ntstatus( RtlSetDaclSecurityDescriptor (lpsd, daclpresent, dacl, dacldefaulted ) );
}
/******************************************************************************
* GetSecurityDescriptorSacl [ADVAPI32.@]
*/
BOOL WINAPI GetSecurityDescriptorSacl(
IN PSECURITY_DESCRIPTOR lpsd,
OUT LPBOOL lpbSaclPresent,
OUT PACL *pSacl,
OUT LPBOOL lpbSaclDefaulted)
{
BOOLEAN present, defaulted;
BOOL ret = set_ntstatus( RtlGetSaclSecurityDescriptor(lpsd, &present, pSacl, &defaulted) );
*lpbSaclPresent = present;
*lpbSaclDefaulted = defaulted;
return ret;
}
/**************************************************************************
* SetSecurityDescriptorSacl [ADVAPI32.@]
*/
BOOL WINAPI SetSecurityDescriptorSacl (
PSECURITY_DESCRIPTOR lpsd,
BOOL saclpresent,
PACL lpsacl,
BOOL sacldefaulted)
{
return set_ntstatus (RtlSetSaclSecurityDescriptor(lpsd, saclpresent, lpsacl, sacldefaulted));
}
/******************************************************************************
* MakeSelfRelativeSD [ADVAPI32.@]
*
* PARAMS
* lpabssecdesc []
* lpselfsecdesc []
* lpbuflen []
*/
BOOL WINAPI
MakeSelfRelativeSD(
IN PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor,
IN PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,
IN OUT LPDWORD lpdwBufferLength)
{
return set_ntstatus( RtlMakeSelfRelativeSD( pAbsoluteSecurityDescriptor,
pSelfRelativeSecurityDescriptor, lpdwBufferLength));
}
/******************************************************************************
* GetSecurityDescriptorControl [ADVAPI32.@]
*/
BOOL WINAPI GetSecurityDescriptorControl ( PSECURITY_DESCRIPTOR pSecurityDescriptor,
PSECURITY_DESCRIPTOR_CONTROL pControl, LPDWORD lpdwRevision)
{
return set_ntstatus( RtlGetControlSecurityDescriptor(pSecurityDescriptor,pControl,lpdwRevision));
}
/******************************************************************************
* SetSecurityDescriptorControl [ADVAPI32.@]
*/
BOOL WINAPI SetSecurityDescriptorControl( PSECURITY_DESCRIPTOR pSecurityDescriptor,
SECURITY_DESCRIPTOR_CONTROL ControlBitsOfInterest,
SECURITY_DESCRIPTOR_CONTROL ControlBitsToSet )
{
return set_ntstatus( RtlSetControlSecurityDescriptor(
pSecurityDescriptor, ControlBitsOfInterest, ControlBitsToSet ) );
}
/******************************************************************************
* GetWindowsAccountDomainSid [ADVAPI32.@]
*/
BOOL WINAPI GetWindowsAccountDomainSid( PSID sid, PSID domain_sid, DWORD *size )
{
SID_IDENTIFIER_AUTHORITY domain_ident = { SECURITY_NT_AUTHORITY };
DWORD required_size;
int i;
FIXME( "(%p %p %p): semi-stub\n", sid, domain_sid, size );
if (!sid || !IsValidSid( sid ))
{
SetLastError( ERROR_INVALID_SID );
return FALSE;
}
if (!size)
{
SetLastError( ERROR_INVALID_PARAMETER );
return FALSE;
}
if (*GetSidSubAuthorityCount( sid ) < 4)
{
SetLastError( ERROR_INVALID_SID );
return FALSE;
}
required_size = GetSidLengthRequired( 4 );
if (*size < required_size || !domain_sid)
{
*size = required_size;
SetLastError( domain_sid ? ERROR_INSUFFICIENT_BUFFER :
ERROR_INVALID_PARAMETER );
return FALSE;
}
InitializeSid( domain_sid, &domain_ident, 4 );
for (i = 0; i < 4; i++)
*GetSidSubAuthority( domain_sid, i ) = *GetSidSubAuthority( sid, i );
*size = required_size;
return TRUE;
}
/* ##############################
###### ACL FUNCTIONS ######
##############################
*/
/*************************************************************************
* InitializeAcl [ADVAPI32.@]
*/
BOOL WINAPI InitializeAcl(PACL acl, DWORD size, DWORD rev)
{
return set_ntstatus( RtlCreateAcl(acl, size, rev));
}
BOOL WINAPI ImpersonateNamedPipeClient( HANDLE hNamedPipe )
{
IO_STATUS_BLOCK io_block;
TRACE("(%p)\n", hNamedPipe);
return set_ntstatus( NtFsControlFile(hNamedPipe, NULL, NULL, NULL,
&io_block, FSCTL_PIPE_IMPERSONATE, NULL, 0, NULL, 0) );
}
/******************************************************************************
* AddAccessAllowedAce [ADVAPI32.@]
*/
BOOL WINAPI AddAccessAllowedAce(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD AccessMask,
IN PSID pSid)
{
return set_ntstatus(RtlAddAccessAllowedAce(pAcl, dwAceRevision, AccessMask, pSid));
}
/******************************************************************************
* AddAccessAllowedAceEx [ADVAPI32.@]
*/
BOOL WINAPI AddAccessAllowedAceEx(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD AceFlags,
IN DWORD AccessMask,
IN PSID pSid)
{
return set_ntstatus(RtlAddAccessAllowedAceEx(pAcl, dwAceRevision, AceFlags, AccessMask, pSid));
}
/******************************************************************************
* AddAccessAllowedObjectAce [ADVAPI32.@]
*/
BOOL WINAPI AddAccessAllowedObjectAce(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD dwAceFlags,
IN DWORD dwAccessMask,
IN GUID* pObjectTypeGuid,
IN GUID* pInheritedObjectTypeGuid,
IN PSID pSid)
{
return set_ntstatus(RtlAddAccessAllowedObjectAce(pAcl, dwAceRevision, dwAceFlags, dwAccessMask,
pObjectTypeGuid, pInheritedObjectTypeGuid, pSid));
}
/******************************************************************************
* AddAccessDeniedAce [ADVAPI32.@]
*/
BOOL WINAPI AddAccessDeniedAce(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD AccessMask,
IN PSID pSid)
{
return set_ntstatus(RtlAddAccessDeniedAce(pAcl, dwAceRevision, AccessMask, pSid));
}
/******************************************************************************
* AddAccessDeniedAceEx [ADVAPI32.@]
*/
BOOL WINAPI AddAccessDeniedAceEx(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD AceFlags,
IN DWORD AccessMask,
IN PSID pSid)
{
return set_ntstatus(RtlAddAccessDeniedAceEx(pAcl, dwAceRevision, AceFlags, AccessMask, pSid));
}
/******************************************************************************
* AddAccessDeniedObjectAce [ADVAPI32.@]
*/
BOOL WINAPI AddAccessDeniedObjectAce(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD dwAceFlags,
IN DWORD dwAccessMask,
IN GUID* pObjectTypeGuid,
IN GUID* pInheritedObjectTypeGuid,
IN PSID pSid)
{
return set_ntstatus( RtlAddAccessDeniedObjectAce(pAcl, dwAceRevision, dwAceFlags, dwAccessMask,
pObjectTypeGuid, pInheritedObjectTypeGuid, pSid) );
}
/******************************************************************************
* AddAce [ADVAPI32.@]
*/
BOOL WINAPI AddAce(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD dwStartingAceIndex,
LPVOID pAceList,
DWORD nAceListLength)
{
return set_ntstatus(RtlAddAce(pAcl, dwAceRevision, dwStartingAceIndex, pAceList, nAceListLength));
}
/******************************************************************************
* AddMandatoryAce [ADVAPI32.@]
*/
BOOL WINAPI AddMandatoryAce(ACL *acl, DWORD ace_revision, DWORD ace_flags, DWORD mandatory_policy, PSID label_sid)
{
return set_ntstatus(RtlAddMandatoryAce(acl, ace_revision, ace_flags, mandatory_policy,
SYSTEM_MANDATORY_LABEL_ACE_TYPE, label_sid));
}
/******************************************************************************
* DeleteAce [ADVAPI32.@]
*/
BOOL WINAPI DeleteAce(PACL pAcl, DWORD dwAceIndex)
{
return set_ntstatus(RtlDeleteAce(pAcl, dwAceIndex));
}
/******************************************************************************
* FindFirstFreeAce [ADVAPI32.@]
*/
BOOL WINAPI FindFirstFreeAce(IN PACL pAcl, LPVOID * pAce)
{
return RtlFirstFreeAce(pAcl, (PACE_HEADER *)pAce);
}
/******************************************************************************
* GetAce [ADVAPI32.@]
*/
BOOL WINAPI GetAce(PACL pAcl,DWORD dwAceIndex,LPVOID *pAce )
{
return set_ntstatus(RtlGetAce(pAcl, dwAceIndex, pAce));
}
/******************************************************************************
* GetAclInformation [ADVAPI32.@]
*/
BOOL WINAPI GetAclInformation(
PACL pAcl,
LPVOID pAclInformation,
DWORD nAclInformationLength,
ACL_INFORMATION_CLASS dwAclInformationClass)
{
return set_ntstatus(RtlQueryInformationAcl(pAcl, pAclInformation,
nAclInformationLength, dwAclInformationClass));
}
/******************************************************************************
* IsValidAcl [ADVAPI32.@]
*/
BOOL WINAPI IsValidAcl(IN PACL pAcl)
{
return RtlValidAcl(pAcl);
}
/* ##############################
###### MISC FUNCTIONS ######
##############################
*/
/******************************************************************************
* AllocateLocallyUniqueId [ADVAPI32.@]
*
* PARAMS
* lpLuid []
*/
BOOL WINAPI AllocateLocallyUniqueId( PLUID lpLuid )
{
return set_ntstatus(NtAllocateLocallyUniqueId(lpLuid));
}
static const WCHAR SE_CREATE_TOKEN_NAME_W[] =
{ 'S','e','C','r','e','a','t','e','T','o','k','e','n','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_ASSIGNPRIMARYTOKEN_NAME_W[] =
{ 'S','e','A','s','s','i','g','n','P','r','i','m','a','r','y','T','o','k','e','n','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_LOCK_MEMORY_NAME_W[] =
{ 'S','e','L','o','c','k','M','e','m','o','r','y','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_INCREASE_QUOTA_NAME_W[] =
{ 'S','e','I','n','c','r','e','a','s','e','Q','u','o','t','a','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_MACHINE_ACCOUNT_NAME_W[] =
{ 'S','e','M','a','c','h','i','n','e','A','c','c','o','u','n','t','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_TCB_NAME_W[] =
{ 'S','e','T','c','b','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_SECURITY_NAME_W[] =
{ 'S','e','S','e','c','u','r','i','t','y','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_TAKE_OWNERSHIP_NAME_W[] =
{ 'S','e','T','a','k','e','O','w','n','e','r','s','h','i','p','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_LOAD_DRIVER_NAME_W[] =
{ 'S','e','L','o','a','d','D','r','i','v','e','r','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_SYSTEM_PROFILE_NAME_W[] =
{ 'S','e','S','y','s','t','e','m','P','r','o','f','i','l','e','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_SYSTEMTIME_NAME_W[] =
{ 'S','e','S','y','s','t','e','m','t','i','m','e','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_PROF_SINGLE_PROCESS_NAME_W[] =
{ 'S','e','P','r','o','f','i','l','e','S','i','n','g','l','e','P','r','o','c','e','s','s','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_INC_BASE_PRIORITY_NAME_W[] =
{ 'S','e','I','n','c','r','e','a','s','e','B','a','s','e','P','r','i','o','r','i','t','y','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_CREATE_PAGEFILE_NAME_W[] =
{ 'S','e','C','r','e','a','t','e','P','a','g','e','f','i','l','e','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_CREATE_PERMANENT_NAME_W[] =
{ 'S','e','C','r','e','a','t','e','P','e','r','m','a','n','e','n','t','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_BACKUP_NAME_W[] =
{ 'S','e','B','a','c','k','u','p','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_RESTORE_NAME_W[] =
{ 'S','e','R','e','s','t','o','r','e','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_SHUTDOWN_NAME_W[] =
{ 'S','e','S','h','u','t','d','o','w','n','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_DEBUG_NAME_W[] =
{ 'S','e','D','e','b','u','g','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_AUDIT_NAME_W[] =
{ 'S','e','A','u','d','i','t','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_SYSTEM_ENVIRONMENT_NAME_W[] =
{ 'S','e','S','y','s','t','e','m','E','n','v','i','r','o','n','m','e','n','t','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_CHANGE_NOTIFY_NAME_W[] =
{ 'S','e','C','h','a','n','g','e','N','o','t','i','f','y','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_REMOTE_SHUTDOWN_NAME_W[] =
{ 'S','e','R','e','m','o','t','e','S','h','u','t','d','o','w','n','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_UNDOCK_NAME_W[] =
{ 'S','e','U','n','d','o','c','k','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_SYNC_AGENT_NAME_W[] =
{ 'S','e','S','y','n','c','A','g','e','n','t','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_ENABLE_DELEGATION_NAME_W[] =
{ 'S','e','E','n','a','b','l','e','D','e','l','e','g','a','t','i','o','n','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_MANAGE_VOLUME_NAME_W[] =
{ 'S','e','M','a','n','a','g','e','V','o','l','u','m','e','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_IMPERSONATE_NAME_W[] =
{ 'S','e','I','m','p','e','r','s','o','n','a','t','e','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR SE_CREATE_GLOBAL_NAME_W[] =
{ 'S','e','C','r','e','a','t','e','G','l','o','b','a','l','P','r','i','v','i','l','e','g','e',0 };
static const WCHAR * const WellKnownPrivNames[SE_MAX_WELL_KNOWN_PRIVILEGE + 1] =
{
NULL,
NULL,
SE_CREATE_TOKEN_NAME_W,
SE_ASSIGNPRIMARYTOKEN_NAME_W,
SE_LOCK_MEMORY_NAME_W,
SE_INCREASE_QUOTA_NAME_W,
SE_MACHINE_ACCOUNT_NAME_W,
SE_TCB_NAME_W,
SE_SECURITY_NAME_W,
SE_TAKE_OWNERSHIP_NAME_W,
SE_LOAD_DRIVER_NAME_W,
SE_SYSTEM_PROFILE_NAME_W,
SE_SYSTEMTIME_NAME_W,
SE_PROF_SINGLE_PROCESS_NAME_W,
SE_INC_BASE_PRIORITY_NAME_W,
SE_CREATE_PAGEFILE_NAME_W,
SE_CREATE_PERMANENT_NAME_W,
SE_BACKUP_NAME_W,
SE_RESTORE_NAME_W,
SE_SHUTDOWN_NAME_W,
SE_DEBUG_NAME_W,
SE_AUDIT_NAME_W,
SE_SYSTEM_ENVIRONMENT_NAME_W,
SE_CHANGE_NOTIFY_NAME_W,
SE_REMOTE_SHUTDOWN_NAME_W,
SE_UNDOCK_NAME_W,
SE_SYNC_AGENT_NAME_W,
SE_ENABLE_DELEGATION_NAME_W,
SE_MANAGE_VOLUME_NAME_W,
SE_IMPERSONATE_NAME_W,
SE_CREATE_GLOBAL_NAME_W,
};
const WCHAR *get_wellknown_privilege_name(const LUID *luid)
{
if (luid->HighPart || luid->LowPart < SE_MIN_WELL_KNOWN_PRIVILEGE ||
luid->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE || !WellKnownPrivNames[luid->LowPart])
return NULL;
return WellKnownPrivNames[luid->LowPart];
}
/******************************************************************************
* LookupPrivilegeValueW [ADVAPI32.@]
*
* See LookupPrivilegeValueA.
*/
BOOL WINAPI
LookupPrivilegeValueW( LPCWSTR lpSystemName, LPCWSTR lpName, PLUID lpLuid )
{
UINT i;
TRACE("%s,%s,%p\n",debugstr_w(lpSystemName), debugstr_w(lpName), lpLuid);
if (!ADVAPI_IsLocalComputer(lpSystemName))
{
SetLastError(RPC_S_SERVER_UNAVAILABLE);
return FALSE;
}
if (!lpName)
{
SetLastError(ERROR_NO_SUCH_PRIVILEGE);
return FALSE;
}
for( i=SE_MIN_WELL_KNOWN_PRIVILEGE; i<=SE_MAX_WELL_KNOWN_PRIVILEGE; i++ )
{
if( !WellKnownPrivNames[i] )
continue;
if( strcmpiW( WellKnownPrivNames[i], lpName) )
continue;
lpLuid->LowPart = i;
lpLuid->HighPart = 0;
TRACE( "%s -> %08x-%08x\n",debugstr_w( lpSystemName ),
lpLuid->HighPart, lpLuid->LowPart );
return TRUE;
}
SetLastError(ERROR_NO_SUCH_PRIVILEGE);
return FALSE;
}
/******************************************************************************
* LookupPrivilegeValueA [ADVAPI32.@]
*
* Retrieves LUID used on a system to represent the privilege name.
*
* PARAMS
* lpSystemName [I] Name of the system
* lpName [I] Name of the privilege
* lpLuid [O] Destination for the resulting LUID
*
* RETURNS
* Success: TRUE. lpLuid contains the requested LUID.
* Failure: FALSE.
*/
BOOL WINAPI
LookupPrivilegeValueA( LPCSTR lpSystemName, LPCSTR lpName, PLUID lpLuid )
{
UNICODE_STRING lpSystemNameW;
UNICODE_STRING lpNameW;
BOOL ret;
RtlCreateUnicodeStringFromAsciiz(&lpSystemNameW, lpSystemName);
RtlCreateUnicodeStringFromAsciiz(&lpNameW,lpName);
ret = LookupPrivilegeValueW(lpSystemNameW.Buffer, lpNameW.Buffer, lpLuid);
RtlFreeUnicodeString(&lpNameW);
RtlFreeUnicodeString(&lpSystemNameW);
return ret;
}
BOOL WINAPI LookupPrivilegeDisplayNameA( LPCSTR lpSystemName, LPCSTR lpName, LPSTR lpDisplayName,
LPDWORD cchDisplayName, LPDWORD lpLanguageId )
{
FIXME("%s %s %s %p %p - stub\n", debugstr_a(lpSystemName), debugstr_a(lpName),
debugstr_a(lpDisplayName), cchDisplayName, lpLanguageId);
return FALSE;
}
BOOL WINAPI LookupPrivilegeDisplayNameW( LPCWSTR lpSystemName, LPCWSTR lpName, LPWSTR lpDisplayName,
LPDWORD cchDisplayName, LPDWORD lpLanguageId )
{
FIXME("%s %s %s %p %p - stub\n", debugstr_w(lpSystemName), debugstr_w(lpName),
debugstr_w(lpDisplayName), cchDisplayName, lpLanguageId);
return FALSE;
}
/******************************************************************************
* LookupPrivilegeNameA [ADVAPI32.@]
*
* See LookupPrivilegeNameW.
*/
BOOL WINAPI
LookupPrivilegeNameA( LPCSTR lpSystemName, PLUID lpLuid, LPSTR lpName,
LPDWORD cchName)
{
UNICODE_STRING lpSystemNameW;
BOOL ret;
DWORD wLen = 0;
TRACE("%s %p %p %p\n", debugstr_a(lpSystemName), lpLuid, lpName, cchName);
RtlCreateUnicodeStringFromAsciiz(&lpSystemNameW, lpSystemName);
ret = LookupPrivilegeNameW(lpSystemNameW.Buffer, lpLuid, NULL, &wLen);
if (!ret && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
LPWSTR lpNameW = heap_alloc(wLen * sizeof(WCHAR));
ret = LookupPrivilegeNameW(lpSystemNameW.Buffer, lpLuid, lpNameW,
&wLen);
if (ret)
{
/* Windows crashes if cchName is NULL, so will I */
unsigned int len = WideCharToMultiByte(CP_ACP, 0, lpNameW, -1, lpName,
*cchName, NULL, NULL);
if (len == 0)
{
/* WideCharToMultiByte failed */
ret = FALSE;
}
else if (len > *cchName)
{
*cchName = len;
SetLastError(ERROR_INSUFFICIENT_BUFFER);
ret = FALSE;
}
else
{
/* WideCharToMultiByte succeeded, output length needs to be
* length not including NULL terminator
*/
*cchName = len - 1;
}
}
heap_free(lpNameW);
}
RtlFreeUnicodeString(&lpSystemNameW);
return ret;
}
/******************************************************************************
* LookupPrivilegeNameW [ADVAPI32.@]
*
* Retrieves the privilege name referred to by the LUID lpLuid.
*
* PARAMS
* lpSystemName [I] Name of the system
* lpLuid [I] Privilege value
* lpName [O] Name of the privilege
* cchName [I/O] Number of characters in lpName.
*
* RETURNS
* Success: TRUE. lpName contains the name of the privilege whose value is
* *lpLuid.
* Failure: FALSE.
*
* REMARKS
* Only well-known privilege names (those defined in winnt.h) can be retrieved
* using this function.
* If the length of lpName is too small, on return *cchName will contain the
* number of WCHARs needed to contain the privilege, including the NULL
* terminator, and GetLastError will return ERROR_INSUFFICIENT_BUFFER.
* On success, *cchName will contain the number of characters stored in
* lpName, NOT including the NULL terminator.
*/
BOOL WINAPI
LookupPrivilegeNameW( LPCWSTR lpSystemName, PLUID lpLuid, LPWSTR lpName,
LPDWORD cchName)
{
size_t privNameLen;
TRACE("%s,%p,%p,%p\n",debugstr_w(lpSystemName), lpLuid, lpName, cchName);
if (!ADVAPI_IsLocalComputer(lpSystemName))
{
SetLastError(RPC_S_SERVER_UNAVAILABLE);
return FALSE;
}
if (lpLuid->HighPart || (lpLuid->LowPart < SE_MIN_WELL_KNOWN_PRIVILEGE ||
lpLuid->LowPart > SE_MAX_WELL_KNOWN_PRIVILEGE))
{
SetLastError(ERROR_NO_SUCH_PRIVILEGE);
return FALSE;
}
privNameLen = strlenW(WellKnownPrivNames[lpLuid->LowPart]);
/* Windows crashes if cchName is NULL, so will I */
if (*cchName <= privNameLen)
{
*cchName = privNameLen + 1;
SetLastError(ERROR_INSUFFICIENT_BUFFER);
return FALSE;
}
else
{
strcpyW(lpName, WellKnownPrivNames[lpLuid->LowPart]);
*cchName = privNameLen;
return TRUE;
}
}
/******************************************************************************
* GetFileSecurityA [ADVAPI32.@]
*
* Obtains Specified information about the security of a file or directory.
*
* PARAMS
* lpFileName [I] Name of the file to get info for
* RequestedInformation [I] SE_ flags from "winnt.h"
* pSecurityDescriptor [O] Destination for security information
* nLength [I] Length of pSecurityDescriptor
* lpnLengthNeeded [O] Destination for length of returned security information
*
* RETURNS
* Success: TRUE. pSecurityDescriptor contains the requested information.
* Failure: FALSE. lpnLengthNeeded contains the required space to return the info.
*
* NOTES
* The information returned is constrained by the callers access rights and
* privileges.
*/
BOOL WINAPI
GetFileSecurityA( LPCSTR lpFileName,
SECURITY_INFORMATION RequestedInformation,
PSECURITY_DESCRIPTOR pSecurityDescriptor,
DWORD nLength, LPDWORD lpnLengthNeeded )
{
BOOL r;
LPWSTR name;
name = SERV_dup(lpFileName);
r = GetFileSecurityW( name, RequestedInformation, pSecurityDescriptor,
nLength, lpnLengthNeeded );
heap_free( name );
return r;
}
/******************************************************************************
* GetFileSecurityW [ADVAPI32.@]
*
* See GetFileSecurityA.
*/
BOOL WINAPI
GetFileSecurityW( LPCWSTR lpFileName,
SECURITY_INFORMATION RequestedInformation,
PSECURITY_DESCRIPTOR pSecurityDescriptor,
DWORD nLength, LPDWORD lpnLengthNeeded )
{
HANDLE hfile;
NTSTATUS status;
DWORD access = 0, err;
TRACE("(%s,%d,%p,%d,%p)\n", debugstr_w(lpFileName),
RequestedInformation, pSecurityDescriptor,
nLength, lpnLengthNeeded);
if (RequestedInformation & (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|
DACL_SECURITY_INFORMATION))
access |= READ_CONTROL;
if (RequestedInformation & SACL_SECURITY_INFORMATION)
access |= ACCESS_SYSTEM_SECURITY;
err = get_security_file( lpFileName, access, &hfile);
if (err)
{
SetLastError(err);
return FALSE;
}
status = NtQuerySecurityObject( hfile, RequestedInformation, pSecurityDescriptor,
nLength, lpnLengthNeeded );
CloseHandle( hfile );
return set_ntstatus( status );
}
/******************************************************************************
* LookupAccountSidA [ADVAPI32.@]
*/
BOOL WINAPI
LookupAccountSidA(
IN LPCSTR system,
IN PSID sid,
OUT LPSTR account,
IN OUT LPDWORD accountSize,
OUT LPSTR domain,
IN OUT LPDWORD domainSize,
OUT PSID_NAME_USE name_use )
{
DWORD len;
BOOL r;
LPWSTR systemW;
LPWSTR accountW = NULL;
LPWSTR domainW = NULL;
DWORD accountSizeW = *accountSize;
DWORD domainSizeW = *domainSize;
systemW = SERV_dup(system);
if (account)
accountW = heap_alloc( accountSizeW * sizeof(WCHAR) );
if (domain)
domainW = heap_alloc( domainSizeW * sizeof(WCHAR) );
r = LookupAccountSidW( systemW, sid, accountW, &accountSizeW, domainW, &domainSizeW, name_use );
if (r) {
if (accountW && *accountSize) {
len = WideCharToMultiByte( CP_ACP, 0, accountW, -1, NULL, 0, NULL, NULL );
WideCharToMultiByte( CP_ACP, 0, accountW, -1, account, len, NULL, NULL );
*accountSize = len;
} else
*accountSize = accountSizeW + 1;
if (domainW && *domainSize) {
len = WideCharToMultiByte( CP_ACP, 0, domainW, -1, NULL, 0, NULL, NULL );
WideCharToMultiByte( CP_ACP, 0, domainW, -1, domain, len, NULL, NULL );
*domainSize = len;
} else
*domainSize = domainSizeW + 1;
}
else
{
*accountSize = accountSizeW + 1;
*domainSize = domainSizeW + 1;
}
heap_free( systemW );
heap_free( accountW );
heap_free( domainW );
return r;
}
/******************************************************************************
* LookupAccountSidW [ADVAPI32.@]
*
* PARAMS
* system []
* sid []
* account []
* accountSize []
* domain []
* domainSize []
* name_use []
*/
BOOL WINAPI
LookupAccountSidW(
IN LPCWSTR system,
IN PSID sid,
OUT LPWSTR account,
IN OUT LPDWORD accountSize,
OUT LPWSTR domain,
IN OUT LPDWORD domainSize,
OUT PSID_NAME_USE name_use )
{
unsigned int i, j;
const WCHAR * ac = NULL;
const WCHAR * dm = NULL;
SID_NAME_USE use = 0;
LPWSTR computer_name = NULL;
LPWSTR account_name = NULL;
TRACE("(%s,sid=%s,%p,%p(%u),%p,%p(%u),%p)\n",
debugstr_w(system),debugstr_sid(sid),
account,accountSize,accountSize?*accountSize:0,
domain,domainSize,domainSize?*domainSize:0,
name_use);
if (!ADVAPI_IsLocalComputer(system)) {
FIXME("Only local computer supported!\n");
SetLastError(RPC_S_SERVER_UNAVAILABLE);
return FALSE;
}
/* check the well known SIDs first */
for (i = 0; i <= WinAccountProtectedUsersSid; i++) {
if (IsWellKnownSid(sid, i)) {
for (j = 0; j < ARRAY_SIZE(ACCOUNT_SIDS); j++) {
if (ACCOUNT_SIDS[j].type == i) {
ac = ACCOUNT_SIDS[j].account;
dm = ACCOUNT_SIDS[j].domain;
use = ACCOUNT_SIDS[j].name_use;
}
}
break;
}
}
if (dm == NULL) {
MAX_SID local;
/* check for the local computer next */
if (ADVAPI_GetComputerSid(&local)) {
DWORD size = MAX_COMPUTERNAME_LENGTH + 1;
BOOL result;
computer_name = heap_alloc(size * sizeof(WCHAR));
result = GetComputerNameW(computer_name, &size);
if (result) {
if (EqualSid(sid, &local)) {
dm = computer_name;
ac = Blank;
use = 3;
} else {
local.SubAuthorityCount++;
if (EqualPrefixSid(sid, &local)) {
dm = computer_name;
use = 1;
switch (((MAX_SID *)sid)->SubAuthority[4]) {
case DOMAIN_USER_RID_ADMIN:
ac = Administrator;
break;
case DOMAIN_USER_RID_GUEST:
ac = Guest;
break;
case DOMAIN_GROUP_RID_ADMINS:
ac = Domain_Admins;
break;
case DOMAIN_GROUP_RID_USERS:
ac = Domain_Users;
break;
case DOMAIN_GROUP_RID_GUESTS:
ac = Domain_Guests;
break;
case DOMAIN_GROUP_RID_COMPUTERS:
ac = Domain_Computers;
break;
case DOMAIN_GROUP_RID_CONTROLLERS:
ac = Domain_Controllers;
break;
case DOMAIN_GROUP_RID_CERT_ADMINS:
ac = Cert_Publishers;
break;
case DOMAIN_GROUP_RID_SCHEMA_ADMINS:
ac = Schema_Admins;
break;
case DOMAIN_GROUP_RID_ENTERPRISE_ADMINS:
ac = Enterprise_Admins;
break;
case DOMAIN_GROUP_RID_POLICY_ADMINS:
ac = Group_Policy_Creator_Owners;
break;
case DOMAIN_ALIAS_RID_RAS_SERVERS:
ac = RAS_and_IAS_Servers;
break;
case 1000: /* first user account */
size = UNLEN + 1;
account_name = heap_alloc(size * sizeof(WCHAR));
if (GetUserNameW(account_name, &size))
ac = account_name;
else
dm = NULL;
break;
default:
dm = NULL;
break;
}
}
}
}
}
}
if (dm) {
DWORD ac_len = lstrlenW(ac);
DWORD dm_len = lstrlenW(dm);
BOOL status = TRUE;
if (*accountSize > ac_len) {
if (account)
lstrcpyW(account, ac);
}
if (*domainSize > dm_len) {
if (domain)
lstrcpyW(domain, dm);
}
if ((*accountSize && *accountSize < ac_len) ||
(!account && !*accountSize && ac_len) ||
(*domainSize && *domainSize < dm_len) ||
(!domain && !*domainSize && dm_len))
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
status = FALSE;
}
if (*domainSize)
*domainSize = dm_len;
else
*domainSize = dm_len + 1;
if (*accountSize)
*accountSize = ac_len;
else
*accountSize = ac_len + 1;
heap_free(account_name);
heap_free(computer_name);
if (status) *name_use = use;
return status;
}
heap_free(account_name);
heap_free(computer_name);
SetLastError(ERROR_NONE_MAPPED);
return FALSE;
}
/******************************************************************************
* SetFileSecurityA [ADVAPI32.@]
*
* See SetFileSecurityW.
*/
BOOL WINAPI SetFileSecurityA( LPCSTR lpFileName,
SECURITY_INFORMATION RequestedInformation,
PSECURITY_DESCRIPTOR pSecurityDescriptor)
{
BOOL r;
LPWSTR name;
name = SERV_dup(lpFileName);
r = SetFileSecurityW( name, RequestedInformation, pSecurityDescriptor );
heap_free( name );
return r;
}
/******************************************************************************
* SetFileSecurityW [ADVAPI32.@]
*
* Sets the security of a file or directory.
*
* PARAMS
* lpFileName []
* RequestedInformation []
* pSecurityDescriptor []
*
* RETURNS
* Success: TRUE.
* Failure: FALSE.
*/
BOOL WINAPI
SetFileSecurityW( LPCWSTR lpFileName,
SECURITY_INFORMATION RequestedInformation,
PSECURITY_DESCRIPTOR pSecurityDescriptor )
{
HANDLE file;
DWORD access = 0, err;
NTSTATUS status;
TRACE("(%s, 0x%x, %p)\n", debugstr_w(lpFileName), RequestedInformation,
pSecurityDescriptor );
if (RequestedInformation & OWNER_SECURITY_INFORMATION ||
RequestedInformation & GROUP_SECURITY_INFORMATION)
access |= WRITE_OWNER;
if (RequestedInformation & SACL_SECURITY_INFORMATION)
access |= ACCESS_SYSTEM_SECURITY;
if (RequestedInformation & DACL_SECURITY_INFORMATION)
access |= WRITE_DAC;
err = get_security_file( lpFileName, access, &file);
if (err)
{
SetLastError(err);
return FALSE;
}
status = NtSetSecurityObject( file, RequestedInformation, pSecurityDescriptor );
CloseHandle( file );
return set_ntstatus( status );
}
/******************************************************************************
* QueryWindows31FilesMigration [ADVAPI32.@]
*
* PARAMS
* x1 []
*/
BOOL WINAPI
QueryWindows31FilesMigration( DWORD x1 )
{
FIXME("(%d):stub\n",x1);
return TRUE;
}
/******************************************************************************
* SynchronizeWindows31FilesAndWindowsNTRegistry [ADVAPI32.@]
*
* PARAMS
* x1 []
* x2 []
* x3 []
* x4 []
*/
BOOL WINAPI
SynchronizeWindows31FilesAndWindowsNTRegistry( DWORD x1, DWORD x2, DWORD x3,
DWORD x4 )
{
FIXME("(0x%08x,0x%08x,0x%08x,0x%08x):stub\n",x1,x2,x3,x4);
return TRUE;
}
/******************************************************************************
* NotifyBootConfigStatus [ADVAPI32.@]
*
* PARAMS
* x1 []
*/
BOOL WINAPI
NotifyBootConfigStatus( BOOL x1 )
{
FIXME("(0x%08d):stub\n",x1);
return TRUE;
}
/******************************************************************************
* RevertToSelf [ADVAPI32.@]
*
* Ends the impersonation of a user.
*
* PARAMS
* void []
*
* RETURNS
* Success: TRUE.
* Failure: FALSE.
*/
BOOL WINAPI
RevertToSelf( void )
{
HANDLE Token = NULL;
return set_ntstatus( NtSetInformationThread( GetCurrentThread(),
ThreadImpersonationToken, &Token, sizeof(Token) ) );
}
/******************************************************************************
* ImpersonateSelf [ADVAPI32.@]
*
* Makes an impersonation token that represents the process user and assigns
* to the current thread.
*
* PARAMS
* ImpersonationLevel [I] Level at which to impersonate.
*
* RETURNS
* Success: TRUE.
* Failure: FALSE.
*/
BOOL WINAPI
ImpersonateSelf(SECURITY_IMPERSONATION_LEVEL ImpersonationLevel)
{
return set_ntstatus( RtlImpersonateSelf( ImpersonationLevel ) );
}
/******************************************************************************
* ImpersonateLoggedOnUser [ADVAPI32.@]
*/
BOOL WINAPI ImpersonateLoggedOnUser(HANDLE hToken)
{
DWORD size;
NTSTATUS Status;
HANDLE ImpersonationToken;
TOKEN_TYPE Type;
static BOOL warn = TRUE;
if (warn)
{
FIXME( "(%p)\n", hToken );
warn = FALSE;
}
if (!GetTokenInformation( hToken, TokenType, &Type,
sizeof(TOKEN_TYPE), &size ))
return FALSE;
if (Type == TokenPrimary)
{
OBJECT_ATTRIBUTES ObjectAttributes;
InitializeObjectAttributes( &ObjectAttributes, NULL, 0, NULL, NULL );
Status = NtDuplicateToken( hToken,
TOKEN_IMPERSONATE | TOKEN_QUERY,
&ObjectAttributes,
SecurityImpersonation,
TokenImpersonation,
&ImpersonationToken );
if (Status != STATUS_SUCCESS)
{
ERR( "NtDuplicateToken failed with error 0x%08x\n", Status );
SetLastError( RtlNtStatusToDosError( Status ) );
return FALSE;
}
}
else
ImpersonationToken = hToken;
Status = NtSetInformationThread( GetCurrentThread(),
ThreadImpersonationToken,
&ImpersonationToken,
sizeof(ImpersonationToken) );
if (Type == TokenPrimary)
NtClose( ImpersonationToken );
if (Status != STATUS_SUCCESS)
{
ERR( "NtSetInformationThread failed with error 0x%08x\n", Status );
SetLastError( RtlNtStatusToDosError( Status ) );
return FALSE;
}
return TRUE;
}
/******************************************************************************
* ImpersonateAnonymousToken [ADVAPI32.@]
*/
BOOL WINAPI ImpersonateAnonymousToken( HANDLE thread )
{
TRACE("(%p)\n", thread);
return set_ntstatus( NtImpersonateAnonymousToken( thread ) );
}
/******************************************************************************
* AccessCheck [ADVAPI32.@]
*/
BOOL WINAPI
AccessCheck(
PSECURITY_DESCRIPTOR SecurityDescriptor,
HANDLE ClientToken,
DWORD DesiredAccess,
PGENERIC_MAPPING GenericMapping,
PPRIVILEGE_SET PrivilegeSet,
LPDWORD PrivilegeSetLength,
LPDWORD GrantedAccess,
LPBOOL AccessStatus)
{
NTSTATUS access_status;
BOOL ret = set_ntstatus( NtAccessCheck(SecurityDescriptor, ClientToken, DesiredAccess,
GenericMapping, PrivilegeSet, PrivilegeSetLength,
GrantedAccess, &access_status) );
if (ret) *AccessStatus = set_ntstatus( access_status );
return ret;
}
/******************************************************************************
* AccessCheckByType [ADVAPI32.@]
*/
BOOL WINAPI AccessCheckByType(
PSECURITY_DESCRIPTOR pSecurityDescriptor,
PSID PrincipalSelfSid,
HANDLE ClientToken,
DWORD DesiredAccess,
POBJECT_TYPE_LIST ObjectTypeList,
DWORD ObjectTypeListLength,
PGENERIC_MAPPING GenericMapping,
PPRIVILEGE_SET PrivilegeSet,
LPDWORD PrivilegeSetLength,
LPDWORD GrantedAccess,
LPBOOL AccessStatus)
{
FIXME("stub\n");
*AccessStatus = TRUE;
return !*AccessStatus;
}
/******************************************************************************
* MapGenericMask [ADVAPI32.@]
*
* Maps generic access rights into specific access rights according to the
* supplied mapping.
*
* PARAMS
* AccessMask [I/O] Access rights.
* GenericMapping [I] The mapping between generic and specific rights.
*
* RETURNS
* Nothing.
*/
VOID WINAPI MapGenericMask( PDWORD AccessMask, PGENERIC_MAPPING GenericMapping )
{
RtlMapGenericMask( AccessMask, GenericMapping );
}
/*************************************************************************
* SetKernelObjectSecurity [ADVAPI32.@]
*/
BOOL WINAPI SetKernelObjectSecurity (
IN HANDLE Handle,
IN SECURITY_INFORMATION SecurityInformation,
IN PSECURITY_DESCRIPTOR SecurityDescriptor )
{
return set_ntstatus (NtSetSecurityObject (Handle, SecurityInformation, SecurityDescriptor));
}
/******************************************************************************
* AddAuditAccessAce [ADVAPI32.@]
*/
BOOL WINAPI AddAuditAccessAce(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD dwAccessMask,
IN PSID pSid,
IN BOOL bAuditSuccess,
IN BOOL bAuditFailure)
{
return set_ntstatus( RtlAddAuditAccessAce(pAcl, dwAceRevision, dwAccessMask, pSid,
bAuditSuccess, bAuditFailure) );
}
/******************************************************************************
* AddAuditAccessAceEx [ADVAPI32.@]
*/
BOOL WINAPI AddAuditAccessAceEx(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD dwAceFlags,
IN DWORD dwAccessMask,
IN PSID pSid,
IN BOOL bAuditSuccess,
IN BOOL bAuditFailure)
{
return set_ntstatus( RtlAddAuditAccessAceEx(pAcl, dwAceRevision, dwAceFlags, dwAccessMask, pSid,
bAuditSuccess, bAuditFailure) );
}
/******************************************************************************
* AddAuditAccessObjectAce [ADVAPI32.@]
*/
BOOL WINAPI AddAuditAccessObjectAce(
IN OUT PACL pAcl,
IN DWORD dwAceRevision,
IN DWORD dwAceFlags,
IN DWORD dwAccessMask,
IN GUID* pObjectTypeGuid,
IN GUID* pInheritedObjectTypeGuid,
IN PSID pSid,
IN BOOL bAuditSuccess,
IN BOOL bAuditFailure)
{
return set_ntstatus( RtlAddAuditAccessObjectAce(pAcl, dwAceRevision, dwAceFlags, dwAccessMask,
pObjectTypeGuid, pInheritedObjectTypeGuid, pSid, bAuditSuccess, bAuditFailure) );
}
/******************************************************************************
* LookupAccountNameA [ADVAPI32.@]
*/
BOOL WINAPI
LookupAccountNameA(
IN LPCSTR system,
IN LPCSTR account,
OUT PSID sid,
OUT LPDWORD cbSid,
LPSTR ReferencedDomainName,
IN OUT LPDWORD cbReferencedDomainName,
OUT PSID_NAME_USE name_use )
{
BOOL ret;
UNICODE_STRING lpSystemW;
UNICODE_STRING lpAccountW;
LPWSTR lpReferencedDomainNameW = NULL;
RtlCreateUnicodeStringFromAsciiz(&lpSystemW, system);
RtlCreateUnicodeStringFromAsciiz(&lpAccountW, account);
if (ReferencedDomainName)
lpReferencedDomainNameW = heap_alloc(*cbReferencedDomainName * sizeof(WCHAR));
ret = LookupAccountNameW(lpSystemW.Buffer, lpAccountW.Buffer, sid, cbSid, lpReferencedDomainNameW,
cbReferencedDomainName, name_use);
if (ret && lpReferencedDomainNameW)
{
WideCharToMultiByte(CP_ACP, 0, lpReferencedDomainNameW, -1,
ReferencedDomainName, *cbReferencedDomainName+1, NULL, NULL);
}
RtlFreeUnicodeString(&lpSystemW);
RtlFreeUnicodeString(&lpAccountW);
heap_free(lpReferencedDomainNameW);
return ret;
}
/******************************************************************************
* lookup_user_account_name
*/
static BOOL lookup_user_account_name(PSID Sid, PDWORD cbSid, LPWSTR ReferencedDomainName,
LPDWORD cchReferencedDomainName, PSID_NAME_USE peUse )
{
char buffer[sizeof(TOKEN_USER) + sizeof(SID) + sizeof(DWORD)*SID_MAX_SUB_AUTHORITIES];
DWORD len = sizeof(buffer);
HANDLE token;
BOOL ret;
PSID pSid;
WCHAR domainName[MAX_COMPUTERNAME_LENGTH + 1];
DWORD nameLen;
if (!OpenThreadToken(GetCurrentThread(), TOKEN_READ, TRUE, &token))
{
if (GetLastError() != ERROR_NO_TOKEN) return FALSE;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_READ, &token)) return FALSE;
}
ret = GetTokenInformation(token, TokenUser, buffer, len, &len);
CloseHandle( token );
if (!ret) return FALSE;
pSid = ((TOKEN_USER *)buffer)->User.Sid;
if (Sid != NULL && (*cbSid >= GetLengthSid(pSid)))
CopySid(*cbSid, Sid, pSid);
if (*cbSid < GetLengthSid(pSid))
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
ret = FALSE;
}
*cbSid = GetLengthSid(pSid);
nameLen = MAX_COMPUTERNAME_LENGTH + 1;
if (!GetComputerNameW(domainName, &nameLen))
{
domainName[0] = 0;
nameLen = 0;
}
if (*cchReferencedDomainName <= nameLen || !ret)
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
nameLen += 1;
ret = FALSE;
}
else if (ReferencedDomainName)
strcpyW(ReferencedDomainName, domainName);
*cchReferencedDomainName = nameLen;
if (ret)
*peUse = SidTypeUser;
return ret;
}
/******************************************************************************
* lookup_computer_account_name
*/
static BOOL lookup_computer_account_name(PSID Sid, PDWORD cbSid, LPWSTR ReferencedDomainName,
LPDWORD cchReferencedDomainName, PSID_NAME_USE peUse )
{
MAX_SID local;
BOOL ret;
WCHAR domainName[MAX_COMPUTERNAME_LENGTH + 1];
DWORD nameLen;
if ((ret = ADVAPI_GetComputerSid(&local)))
{
if (Sid != NULL && (*cbSid >= GetLengthSid(&local)))
CopySid(*cbSid, Sid, &local);
if (*cbSid < GetLengthSid(&local))
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
ret = FALSE;
}
*cbSid = GetLengthSid(&local);
}
nameLen = MAX_COMPUTERNAME_LENGTH + 1;
if (!GetComputerNameW(domainName, &nameLen))
{
domainName[0] = 0;
nameLen = 0;
}
if (*cchReferencedDomainName <= nameLen || !ret)
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
nameLen += 1;
ret = FALSE;
}
else if (ReferencedDomainName)
strcpyW(ReferencedDomainName, domainName);
*cchReferencedDomainName = nameLen;
if (ret)
*peUse = SidTypeDomain;
return ret;
}
static void split_domain_account( const LSA_UNICODE_STRING *str, LSA_UNICODE_STRING *account,
LSA_UNICODE_STRING *domain )
{
WCHAR *p = str->Buffer + str->Length / sizeof(WCHAR) - 1;
while (p > str->Buffer && *p != '\\') p--;
if (*p == '\\')
{
domain->Buffer = str->Buffer;
domain->Length = (p - str->Buffer) * sizeof(WCHAR);
account->Buffer = p + 1;
account->Length = str->Length - ((p - str->Buffer + 1) * sizeof(WCHAR));
}
else
{
domain->Buffer = NULL;
domain->Length = 0;
account->Buffer = str->Buffer;
account->Length = str->Length;
}
}
static BOOL match_domain( ULONG idx, const LSA_UNICODE_STRING *domain )
{
ULONG len = strlenW( ACCOUNT_SIDS[idx].domain );
if (len == domain->Length / sizeof(WCHAR) && !strncmpiW( domain->Buffer, ACCOUNT_SIDS[idx].domain, len ))
return TRUE;
return FALSE;
}
static BOOL match_account( ULONG idx, const LSA_UNICODE_STRING *account )
{
ULONG len = strlenW( ACCOUNT_SIDS[idx].account );
if (len == account->Length / sizeof(WCHAR) && !strncmpiW( account->Buffer, ACCOUNT_SIDS[idx].account, len ))
return TRUE;
if (ACCOUNT_SIDS[idx].alias)
{
len = strlenW( ACCOUNT_SIDS[idx].alias );
if (len == account->Length / sizeof(WCHAR) && !strncmpiW( account->Buffer, ACCOUNT_SIDS[idx].alias, len ))
return TRUE;
}
return FALSE;
}
/*
* Helper function for LookupAccountNameW
*/
BOOL lookup_local_wellknown_name( const LSA_UNICODE_STRING *account_and_domain,
PSID Sid, LPDWORD cbSid,
LPWSTR ReferencedDomainName,
LPDWORD cchReferencedDomainName,
PSID_NAME_USE peUse, BOOL *handled )
{
PSID pSid;
LSA_UNICODE_STRING account, domain;
BOOL ret = TRUE;
ULONG i;
*handled = FALSE;
split_domain_account( account_and_domain, &account, &domain );
for (i = 0; i < ARRAY_SIZE(ACCOUNT_SIDS); i++)
{
/* check domain first */
if (domain.Buffer && !match_domain( i, &domain )) continue;
if (match_account( i, &account ))
{
DWORD len, sidLen = SECURITY_MAX_SID_SIZE;
if (!(pSid = heap_alloc( sidLen ))) return FALSE;
if ((ret = CreateWellKnownSid( ACCOUNT_SIDS[i].type, NULL, pSid, &sidLen )))
{
if (*cbSid < sidLen)
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
ret = FALSE;
}
else if (Sid)
{
CopySid(*cbSid, Sid, pSid);
}
*cbSid = sidLen;
}
len = strlenW( ACCOUNT_SIDS[i].domain );
if (*cchReferencedDomainName <= len || !ret)
{
SetLastError(ERROR_INSUFFICIENT_BUFFER);
len++;
ret = FALSE;
}
else if (ReferencedDomainName)
{
strcpyW( ReferencedDomainName, ACCOUNT_SIDS[i].domain );
}
*cchReferencedDomainName = len;
if (ret)
*peUse = ACCOUNT_SIDS[i].name_use;
heap_free(pSid);
*handled = TRUE;
return ret;
}
}
return ret;
}
BOOL lookup_local_user_name( const LSA_UNICODE_STRING *account_and_domain,
PSID Sid, LPDWORD cbSid,
LPWSTR ReferencedDomainName,
LPDWORD cchReferencedDomainName,
PSID_NAME_USE peUse, BOOL *handled )
{
DWORD nameLen;
LPWSTR userName = NULL;
LSA_UNICODE_STRING account, domain;
BOOL ret = TRUE;
*handled = FALSE;
split_domain_account( account_and_domain, &account, &domain );
/* Let the current Unix user id masquerade as first Windows user account */
nameLen = UNLEN + 1;
if (!(userName = heap_alloc( nameLen * sizeof(WCHAR) ))) return FALSE;
if (domain.Buffer)
{
/* check to make sure this account is on this computer */
if (GetComputerNameW( userName, &nameLen ) &&
(domain.Length / sizeof(WCHAR) != nameLen || strncmpW( domain.Buffer, userName, nameLen )))
{
SetLastError(ERROR_NONE_MAPPED);
ret = FALSE;
}
nameLen = UNLEN + 1;
}
if (GetUserNameW( userName, &nameLen ) &&
account.Length / sizeof(WCHAR) == nameLen - 1 && !strncmpW( account.Buffer, userName, nameLen - 1 ))
{
ret = lookup_user_account_name( Sid, cbSid, ReferencedDomainName, cchReferencedDomainName, peUse );
*handled = TRUE;
}
else
{
nameLen = UNLEN + 1;
if (GetComputerNameW( userName, &nameLen ) &&
account.Length / sizeof(WCHAR) == nameLen && !strncmpW( account.Buffer, userName , nameLen ))
{
ret = lookup_computer_account_name( Sid, cbSid, ReferencedDomainName, cchReferencedDomainName, peUse );
*handled = TRUE;
}
}
heap_free(userName);
return ret;
}
/******************************************************************************
* LookupAccountNameW [ADVAPI32.@]
*/
BOOL WINAPI LookupAccountNameW( LPCWSTR lpSystemName, LPCWSTR lpAccountName, PSID Sid,
LPDWORD cbSid, LPWSTR ReferencedDomainName,
LPDWORD cchReferencedDomainName, PSID_NAME_USE peUse )
{
BOOL ret, handled;
LSA_UNICODE_STRING account;
TRACE("%s %s %p %p %p %p %p\n", debugstr_w(lpSystemName), debugstr_w(lpAccountName),
Sid, cbSid, ReferencedDomainName, cchReferencedDomainName, peUse);
if (!ADVAPI_IsLocalComputer( lpSystemName ))
{
FIXME("remote computer not supported\n");
SetLastError( RPC_S_SERVER_UNAVAILABLE );
return FALSE;
}
if (!lpAccountName || !strcmpW( lpAccountName, Blank ))
{
lpAccountName = BUILTIN;
}
RtlInitUnicodeString( &account, lpAccountName );
/* Check well known SIDs first */
ret = lookup_local_wellknown_name( &account, Sid, cbSid, ReferencedDomainName,
cchReferencedDomainName, peUse, &handled );
if (handled)
return ret;
/* Check user names */
ret = lookup_local_user_name( &account, Sid, cbSid, ReferencedDomainName,
cchReferencedDomainName, peUse, &handled);
if (handled)
return ret;
SetLastError( ERROR_NONE_MAPPED );
return FALSE;
}
/******************************************************************************
* PrivilegeCheck [ADVAPI32.@]
*/
BOOL WINAPI PrivilegeCheck( HANDLE ClientToken, PPRIVILEGE_SET RequiredPrivileges, LPBOOL pfResult)
{
BOOL ret;
BOOLEAN Result;
TRACE("%p %p %p\n", ClientToken, RequiredPrivileges, pfResult);
ret = set_ntstatus (NtPrivilegeCheck (ClientToken, RequiredPrivileges, &Result));
if (ret)
*pfResult = Result;
return ret;
}
/******************************************************************************
* AccessCheckAndAuditAlarmA [ADVAPI32.@]
*/
BOOL WINAPI AccessCheckAndAuditAlarmA(LPCSTR Subsystem, LPVOID HandleId, LPSTR ObjectTypeName,
LPSTR ObjectName, PSECURITY_DESCRIPTOR SecurityDescriptor, DWORD DesiredAccess,
PGENERIC_MAPPING GenericMapping, BOOL ObjectCreation, LPDWORD GrantedAccess,
LPBOOL AccessStatus, LPBOOL pfGenerateOnClose)
{
FIXME("stub (%s,%p,%s,%s,%p,%08x,%p,%x,%p,%p,%p)\n", debugstr_a(Subsystem),
HandleId, debugstr_a(ObjectTypeName), debugstr_a(ObjectName),
SecurityDescriptor, DesiredAccess, GenericMapping,
ObjectCreation, GrantedAccess, AccessStatus, pfGenerateOnClose);
return TRUE;
}
/******************************************************************************
* AccessCheckAndAuditAlarmW [ADVAPI32.@]
*/
BOOL WINAPI AccessCheckAndAuditAlarmW(LPCWSTR Subsystem, LPVOID HandleId, LPWSTR ObjectTypeName,
LPWSTR ObjectName, PSECURITY_DESCRIPTOR SecurityDescriptor, DWORD DesiredAccess,
PGENERIC_MAPPING GenericMapping, BOOL ObjectCreation, LPDWORD GrantedAccess,
LPBOOL AccessStatus, LPBOOL pfGenerateOnClose)
{
FIXME("stub (%s,%p,%s,%s,%p,%08x,%p,%x,%p,%p,%p)\n", debugstr_w(Subsystem),
HandleId, debugstr_w(ObjectTypeName), debugstr_w(ObjectName),
SecurityDescriptor, DesiredAccess, GenericMapping,
ObjectCreation, GrantedAccess, AccessStatus, pfGenerateOnClose);
return TRUE;
}
BOOL WINAPI ObjectCloseAuditAlarmA(LPCSTR SubsystemName, LPVOID HandleId, BOOL GenerateOnClose)
{
FIXME("stub (%s,%p,%x)\n", debugstr_a(SubsystemName), HandleId, GenerateOnClose);
return TRUE;
}
BOOL WINAPI ObjectCloseAuditAlarmW(LPCWSTR SubsystemName, LPVOID HandleId, BOOL GenerateOnClose)
{
FIXME("stub (%s,%p,%x)\n", debugstr_w(SubsystemName), HandleId, GenerateOnClose);
return TRUE;
}
BOOL WINAPI ObjectDeleteAuditAlarmW(LPCWSTR SubsystemName, LPVOID HandleId, BOOL GenerateOnClose)
{
FIXME("stub (%s,%p,%x)\n", debugstr_w(SubsystemName), HandleId, GenerateOnClose);
return TRUE;
}
BOOL WINAPI ObjectOpenAuditAlarmA(LPCSTR SubsystemName, LPVOID HandleId, LPSTR ObjectTypeName,
LPSTR ObjectName, PSECURITY_DESCRIPTOR pSecurityDescriptor, HANDLE ClientToken, DWORD DesiredAccess,
DWORD GrantedAccess, PPRIVILEGE_SET Privileges, BOOL ObjectCreation, BOOL AccessGranted,
LPBOOL GenerateOnClose)
{
FIXME("stub (%s,%p,%s,%s,%p,%p,0x%08x,0x%08x,%p,%x,%x,%p)\n", debugstr_a(SubsystemName),
HandleId, debugstr_a(ObjectTypeName), debugstr_a(ObjectName), pSecurityDescriptor,
ClientToken, DesiredAccess, GrantedAccess, Privileges, ObjectCreation, AccessGranted,
GenerateOnClose);
return TRUE;
}
BOOL WINAPI ObjectOpenAuditAlarmW(LPCWSTR SubsystemName, LPVOID HandleId, LPWSTR ObjectTypeName,
LPWSTR ObjectName, PSECURITY_DESCRIPTOR pSecurityDescriptor, HANDLE ClientToken, DWORD DesiredAccess,
DWORD GrantedAccess, PPRIVILEGE_SET Privileges, BOOL ObjectCreation, BOOL AccessGranted,
LPBOOL GenerateOnClose)
{
FIXME("stub (%s,%p,%s,%s,%p,%p,0x%08x,0x%08x,%p,%x,%x,%p)\n", debugstr_w(SubsystemName),
HandleId, debugstr_w(ObjectTypeName), debugstr_w(ObjectName), pSecurityDescriptor,
ClientToken, DesiredAccess, GrantedAccess, Privileges, ObjectCreation, AccessGranted,
GenerateOnClose);
return TRUE;
}
BOOL WINAPI ObjectPrivilegeAuditAlarmA( LPCSTR SubsystemName, LPVOID HandleId, HANDLE ClientToken,
DWORD DesiredAccess, PPRIVILEGE_SET Privileges, BOOL AccessGranted)
{
FIXME("stub (%s,%p,%p,0x%08x,%p,%x)\n", debugstr_a(SubsystemName), HandleId, ClientToken,
DesiredAccess, Privileges, AccessGranted);
return TRUE;
}
BOOL WINAPI ObjectPrivilegeAuditAlarmW( LPCWSTR SubsystemName, LPVOID HandleId, HANDLE ClientToken,
DWORD DesiredAccess, PPRIVILEGE_SET Privileges, BOOL AccessGranted)
{
FIXME("stub (%s,%p,%p,0x%08x,%p,%x)\n", debugstr_w(SubsystemName), HandleId, ClientToken,
DesiredAccess, Privileges, AccessGranted);
return TRUE;
}
BOOL WINAPI PrivilegedServiceAuditAlarmA( LPCSTR SubsystemName, LPCSTR ServiceName, HANDLE ClientToken,
PPRIVILEGE_SET Privileges, BOOL AccessGranted)
{
FIXME("stub (%s,%s,%p,%p,%x)\n", debugstr_a(SubsystemName), debugstr_a(ServiceName),
ClientToken, Privileges, AccessGranted);
return TRUE;
}
BOOL WINAPI PrivilegedServiceAuditAlarmW( LPCWSTR SubsystemName, LPCWSTR ServiceName, HANDLE ClientToken,
PPRIVILEGE_SET Privileges, BOOL AccessGranted)
{
FIXME("stub %s,%s,%p,%p,%x)\n", debugstr_w(SubsystemName), debugstr_w(ServiceName),
ClientToken, Privileges, AccessGranted);
return TRUE;
}
/******************************************************************************
* GetSecurityInfo [ADVAPI32.@]
*
* Retrieves a copy of the security descriptor associated with an object.
*
* PARAMS
* hObject [I] A handle for the object.
* ObjectType [I] The type of object.
* SecurityInfo [I] A bitmask indicating what info to retrieve.
* ppsidOwner [O] If non-null, receives a pointer to the owner SID.
* ppsidGroup [O] If non-null, receives a pointer to the group SID.
* ppDacl [O] If non-null, receives a pointer to the DACL.
* ppSacl [O] If non-null, receives a pointer to the SACL.
* ppSecurityDescriptor [O] Receives a pointer to the security descriptor,
* which must be freed with LocalFree.
*
* RETURNS
* ERROR_SUCCESS if all's well, and a WIN32 error code otherwise.
*/
DWORD WINAPI GetSecurityInfo(
HANDLE hObject, SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo, PSID *ppsidOwner,
PSID *ppsidGroup, PACL *ppDacl, PACL *ppSacl,
PSECURITY_DESCRIPTOR *ppSecurityDescriptor
)
{
PSECURITY_DESCRIPTOR sd;
NTSTATUS status;
ULONG n1, n2;
BOOL present, defaulted;
/* A NULL descriptor is allowed if any one of the other pointers is not NULL */
if (!(ppsidOwner||ppsidGroup||ppDacl||ppSacl||ppSecurityDescriptor)) return ERROR_INVALID_PARAMETER;
/* If no descriptor, we have to check that there's a pointer for the requested information */
if( !ppSecurityDescriptor && (
((SecurityInfo & OWNER_SECURITY_INFORMATION) && !ppsidOwner)
|| ((SecurityInfo & GROUP_SECURITY_INFORMATION) && !ppsidGroup)
|| ((SecurityInfo & DACL_SECURITY_INFORMATION) && !ppDacl)
|| ((SecurityInfo & SACL_SECURITY_INFORMATION) && !ppSacl) ))
return ERROR_INVALID_PARAMETER;
switch (ObjectType)
{
case SE_SERVICE:
status = SERV_QueryServiceObjectSecurity(hObject, SecurityInfo, NULL, 0, &n1);
break;
default:
status = NtQuerySecurityObject(hObject, SecurityInfo, NULL, 0, &n1);
break;
}
if (status != STATUS_BUFFER_TOO_SMALL && status != STATUS_SUCCESS)
return RtlNtStatusToDosError(status);
sd = LocalAlloc(0, n1);
if (!sd)
return ERROR_NOT_ENOUGH_MEMORY;
switch (ObjectType)
{
case SE_SERVICE:
status = SERV_QueryServiceObjectSecurity(hObject, SecurityInfo, sd, n1, &n2);
break;
default:
status = NtQuerySecurityObject(hObject, SecurityInfo, sd, n1, &n2);
break;
}
if (status != STATUS_SUCCESS)
{
LocalFree(sd);
return RtlNtStatusToDosError(status);
}
if (ppsidOwner)
{
*ppsidOwner = NULL;
GetSecurityDescriptorOwner(sd, ppsidOwner, &defaulted);
}
if (ppsidGroup)
{
*ppsidGroup = NULL;
GetSecurityDescriptorGroup(sd, ppsidGroup, &defaulted);
}
if (ppDacl)
{
*ppDacl = NULL;
GetSecurityDescriptorDacl(sd, &present, ppDacl, &defaulted);
}
if (ppSacl)
{
*ppSacl = NULL;
GetSecurityDescriptorSacl(sd, &present, ppSacl, &defaulted);
}
if (ppSecurityDescriptor)
*ppSecurityDescriptor = sd;
/* The security descriptor (sd) cannot be freed if ppSecurityDescriptor is
* NULL, because native happily returns the SIDs and ACLs that are requested
* in this case.
*/
return ERROR_SUCCESS;
}
/******************************************************************************
* GetSecurityInfoExA [ADVAPI32.@]
*/
DWORD WINAPI GetSecurityInfoExA(
HANDLE hObject, SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo, LPCSTR lpProvider,
LPCSTR lpProperty, PACTRL_ACCESSA *ppAccessList,
PACTRL_AUDITA *ppAuditList, LPSTR *lppOwner, LPSTR *lppGroup
)
{
FIXME("stub!\n");
return ERROR_BAD_PROVIDER;
}
/******************************************************************************
* GetSecurityInfoExW [ADVAPI32.@]
*/
DWORD WINAPI GetSecurityInfoExW(
HANDLE hObject, SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo, LPCWSTR lpProvider,
LPCWSTR lpProperty, PACTRL_ACCESSW *ppAccessList,
PACTRL_AUDITW *ppAuditList, LPWSTR *lppOwner, LPWSTR *lppGroup
)
{
FIXME("stub!\n");
return ERROR_BAD_PROVIDER;
}
/******************************************************************************
* BuildExplicitAccessWithNameA [ADVAPI32.@]
*/
VOID WINAPI BuildExplicitAccessWithNameA( PEXPLICIT_ACCESSA pExplicitAccess,
LPSTR pTrusteeName, DWORD AccessPermissions,
ACCESS_MODE AccessMode, DWORD Inheritance )
{
TRACE("%p %s 0x%08x 0x%08x 0x%08x\n", pExplicitAccess, debugstr_a(pTrusteeName),
AccessPermissions, AccessMode, Inheritance);
pExplicitAccess->grfAccessPermissions = AccessPermissions;
pExplicitAccess->grfAccessMode = AccessMode;
pExplicitAccess->grfInheritance = Inheritance;
pExplicitAccess->Trustee.pMultipleTrustee = NULL;
pExplicitAccess->Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pExplicitAccess->Trustee.TrusteeForm = TRUSTEE_IS_NAME;
pExplicitAccess->Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
pExplicitAccess->Trustee.ptstrName = pTrusteeName;
}
/******************************************************************************
* BuildExplicitAccessWithNameW [ADVAPI32.@]
*/
VOID WINAPI BuildExplicitAccessWithNameW( PEXPLICIT_ACCESSW pExplicitAccess,
LPWSTR pTrusteeName, DWORD AccessPermissions,
ACCESS_MODE AccessMode, DWORD Inheritance )
{
TRACE("%p %s 0x%08x 0x%08x 0x%08x\n", pExplicitAccess, debugstr_w(pTrusteeName),
AccessPermissions, AccessMode, Inheritance);
pExplicitAccess->grfAccessPermissions = AccessPermissions;
pExplicitAccess->grfAccessMode = AccessMode;
pExplicitAccess->grfInheritance = Inheritance;
pExplicitAccess->Trustee.pMultipleTrustee = NULL;
pExplicitAccess->Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pExplicitAccess->Trustee.TrusteeForm = TRUSTEE_IS_NAME;
pExplicitAccess->Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
pExplicitAccess->Trustee.ptstrName = pTrusteeName;
}
/******************************************************************************
* BuildTrusteeWithObjectsAndNameA [ADVAPI32.@]
*/
VOID WINAPI BuildTrusteeWithObjectsAndNameA( PTRUSTEEA pTrustee, POBJECTS_AND_NAME_A pObjName,
SE_OBJECT_TYPE ObjectType, LPSTR ObjectTypeName,
LPSTR InheritedObjectTypeName, LPSTR Name )
{
DWORD ObjectsPresent = 0;
TRACE("%p %p 0x%08x %p %p %s\n", pTrustee, pObjName,
ObjectType, ObjectTypeName, InheritedObjectTypeName, debugstr_a(Name));
/* Fill the OBJECTS_AND_NAME structure */
pObjName->ObjectType = ObjectType;
if (ObjectTypeName != NULL)
{
ObjectsPresent |= ACE_OBJECT_TYPE_PRESENT;
}
pObjName->InheritedObjectTypeName = InheritedObjectTypeName;
if (InheritedObjectTypeName != NULL)
{
ObjectsPresent |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
}
pObjName->ObjectsPresent = ObjectsPresent;
pObjName->ptstrName = Name;
/* Fill the TRUSTEE structure */
pTrustee->pMultipleTrustee = NULL;
pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pTrustee->TrusteeForm = TRUSTEE_IS_OBJECTS_AND_NAME;
pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
pTrustee->ptstrName = (LPSTR)pObjName;
}
/******************************************************************************
* BuildTrusteeWithObjectsAndNameW [ADVAPI32.@]
*/
VOID WINAPI BuildTrusteeWithObjectsAndNameW( PTRUSTEEW pTrustee, POBJECTS_AND_NAME_W pObjName,
SE_OBJECT_TYPE ObjectType, LPWSTR ObjectTypeName,
LPWSTR InheritedObjectTypeName, LPWSTR Name )
{
DWORD ObjectsPresent = 0;
TRACE("%p %p 0x%08x %p %p %s\n", pTrustee, pObjName,
ObjectType, ObjectTypeName, InheritedObjectTypeName, debugstr_w(Name));
/* Fill the OBJECTS_AND_NAME structure */
pObjName->ObjectType = ObjectType;
if (ObjectTypeName != NULL)
{
ObjectsPresent |= ACE_OBJECT_TYPE_PRESENT;
}
pObjName->InheritedObjectTypeName = InheritedObjectTypeName;
if (InheritedObjectTypeName != NULL)
{
ObjectsPresent |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
}
pObjName->ObjectsPresent = ObjectsPresent;
pObjName->ptstrName = Name;
/* Fill the TRUSTEE structure */
pTrustee->pMultipleTrustee = NULL;
pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pTrustee->TrusteeForm = TRUSTEE_IS_OBJECTS_AND_NAME;
pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
pTrustee->ptstrName = (LPWSTR)pObjName;
}
/******************************************************************************
* BuildTrusteeWithObjectsAndSidA [ADVAPI32.@]
*/
VOID WINAPI BuildTrusteeWithObjectsAndSidA( PTRUSTEEA pTrustee, POBJECTS_AND_SID pObjSid,
GUID* pObjectGuid, GUID* pInheritedObjectGuid, PSID pSid )
{
DWORD ObjectsPresent = 0;
TRACE("%p %p %p %p %p\n", pTrustee, pObjSid, pObjectGuid, pInheritedObjectGuid, pSid);
/* Fill the OBJECTS_AND_SID structure */
if (pObjectGuid != NULL)
{
pObjSid->ObjectTypeGuid = *pObjectGuid;
ObjectsPresent |= ACE_OBJECT_TYPE_PRESENT;
}
else
{
ZeroMemory(&pObjSid->ObjectTypeGuid,
sizeof(GUID));
}
if (pInheritedObjectGuid != NULL)
{
pObjSid->InheritedObjectTypeGuid = *pInheritedObjectGuid;
ObjectsPresent |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
}
else
{
ZeroMemory(&pObjSid->InheritedObjectTypeGuid,
sizeof(GUID));
}
pObjSid->ObjectsPresent = ObjectsPresent;
pObjSid->pSid = pSid;
/* Fill the TRUSTEE structure */
pTrustee->pMultipleTrustee = NULL;
pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pTrustee->TrusteeForm = TRUSTEE_IS_OBJECTS_AND_SID;
pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
pTrustee->ptstrName = (LPSTR) pObjSid;
}
/******************************************************************************
* BuildTrusteeWithObjectsAndSidW [ADVAPI32.@]
*/
VOID WINAPI BuildTrusteeWithObjectsAndSidW( PTRUSTEEW pTrustee, POBJECTS_AND_SID pObjSid,
GUID* pObjectGuid, GUID* pInheritedObjectGuid, PSID pSid )
{
DWORD ObjectsPresent = 0;
TRACE("%p %p %p %p %p\n", pTrustee, pObjSid, pObjectGuid, pInheritedObjectGuid, pSid);
/* Fill the OBJECTS_AND_SID structure */
if (pObjectGuid != NULL)
{
pObjSid->ObjectTypeGuid = *pObjectGuid;
ObjectsPresent |= ACE_OBJECT_TYPE_PRESENT;
}
else
{
ZeroMemory(&pObjSid->ObjectTypeGuid,
sizeof(GUID));
}
if (pInheritedObjectGuid != NULL)
{
pObjSid->InheritedObjectTypeGuid = *pInheritedObjectGuid;
ObjectsPresent |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
}
else
{
ZeroMemory(&pObjSid->InheritedObjectTypeGuid,
sizeof(GUID));
}
pObjSid->ObjectsPresent = ObjectsPresent;
pObjSid->pSid = pSid;
/* Fill the TRUSTEE structure */
pTrustee->pMultipleTrustee = NULL;
pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pTrustee->TrusteeForm = TRUSTEE_IS_OBJECTS_AND_SID;
pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
pTrustee->ptstrName = (LPWSTR) pObjSid;
}
/******************************************************************************
* BuildTrusteeWithSidA [ADVAPI32.@]
*/
VOID WINAPI BuildTrusteeWithSidA(PTRUSTEEA pTrustee, PSID pSid)
{
TRACE("%p %p\n", pTrustee, pSid);
pTrustee->pMultipleTrustee = NULL;
pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pTrustee->TrusteeForm = TRUSTEE_IS_SID;
pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
pTrustee->ptstrName = pSid;
}
/******************************************************************************
* BuildTrusteeWithSidW [ADVAPI32.@]
*/
VOID WINAPI BuildTrusteeWithSidW(PTRUSTEEW pTrustee, PSID pSid)
{
TRACE("%p %p\n", pTrustee, pSid);
pTrustee->pMultipleTrustee = NULL;
pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pTrustee->TrusteeForm = TRUSTEE_IS_SID;
pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
pTrustee->ptstrName = pSid;
}
/******************************************************************************
* BuildTrusteeWithNameA [ADVAPI32.@]
*/
VOID WINAPI BuildTrusteeWithNameA(PTRUSTEEA pTrustee, LPSTR name)
{
TRACE("%p %s\n", pTrustee, debugstr_a(name) );
pTrustee->pMultipleTrustee = NULL;
pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pTrustee->TrusteeForm = TRUSTEE_IS_NAME;
pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
pTrustee->ptstrName = name;
}
/******************************************************************************
* BuildTrusteeWithNameW [ADVAPI32.@]
*/
VOID WINAPI BuildTrusteeWithNameW(PTRUSTEEW pTrustee, LPWSTR name)
{
TRACE("%p %s\n", pTrustee, debugstr_w(name) );
pTrustee->pMultipleTrustee = NULL;
pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
pTrustee->TrusteeForm = TRUSTEE_IS_NAME;
pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
pTrustee->ptstrName = name;
}
/******************************************************************************
* GetTrusteeFormA [ADVAPI32.@]
*/
TRUSTEE_FORM WINAPI GetTrusteeFormA(PTRUSTEEA pTrustee)
{
TRACE("(%p)\n", pTrustee);
if (!pTrustee)
return TRUSTEE_BAD_FORM;
return pTrustee->TrusteeForm;
}
/******************************************************************************
* GetTrusteeFormW [ADVAPI32.@]
*/
TRUSTEE_FORM WINAPI GetTrusteeFormW(PTRUSTEEW pTrustee)
{
TRACE("(%p)\n", pTrustee);
if (!pTrustee)
return TRUSTEE_BAD_FORM;
return pTrustee->TrusteeForm;
}
/******************************************************************************
* GetTrusteeNameA [ADVAPI32.@]
*/
LPSTR WINAPI GetTrusteeNameA(PTRUSTEEA pTrustee)
{
TRACE("(%p)\n", pTrustee);
if (!pTrustee)
return NULL;
return pTrustee->ptstrName;
}
/******************************************************************************
* GetTrusteeNameW [ADVAPI32.@]
*/
LPWSTR WINAPI GetTrusteeNameW(PTRUSTEEW pTrustee)
{
TRACE("(%p)\n", pTrustee);
if (!pTrustee)
return NULL;
return pTrustee->ptstrName;
}
/******************************************************************************
* GetTrusteeTypeA [ADVAPI32.@]
*/
TRUSTEE_TYPE WINAPI GetTrusteeTypeA(PTRUSTEEA pTrustee)
{
TRACE("(%p)\n", pTrustee);
if (!pTrustee)
return TRUSTEE_IS_UNKNOWN;
return pTrustee->TrusteeType;
}
/******************************************************************************
* GetTrusteeTypeW [ADVAPI32.@]
*/
TRUSTEE_TYPE WINAPI GetTrusteeTypeW(PTRUSTEEW pTrustee)
{
TRACE("(%p)\n", pTrustee);
if (!pTrustee)
return TRUSTEE_IS_UNKNOWN;
return pTrustee->TrusteeType;
}
BOOL WINAPI SetAclInformation( PACL pAcl, LPVOID pAclInformation,
DWORD nAclInformationLength,
ACL_INFORMATION_CLASS dwAclInformationClass )
{
FIXME("%p %p 0x%08x 0x%08x - stub\n", pAcl, pAclInformation,
nAclInformationLength, dwAclInformationClass);
return TRUE;
}
static DWORD trustee_name_A_to_W(TRUSTEE_FORM form, char *trustee_nameA, WCHAR **ptrustee_nameW)
{
switch (form)
{
case TRUSTEE_IS_NAME:
{
*ptrustee_nameW = SERV_dup(trustee_nameA);
return ERROR_SUCCESS;
}
case TRUSTEE_IS_OBJECTS_AND_NAME:
{
OBJECTS_AND_NAME_A *objA = (OBJECTS_AND_NAME_A *)trustee_nameA;
OBJECTS_AND_NAME_W *objW = NULL;
if (objA)
{
if (!(objW = heap_alloc( sizeof(OBJECTS_AND_NAME_W) )))
return ERROR_NOT_ENOUGH_MEMORY;
objW->ObjectsPresent = objA->ObjectsPresent;
objW->ObjectType = objA->ObjectType;
objW->ObjectTypeName = SERV_dup(objA->ObjectTypeName);
objW->InheritedObjectTypeName = SERV_dup(objA->InheritedObjectTypeName);
objW->ptstrName = SERV_dup(objA->ptstrName);
}
*ptrustee_nameW = (WCHAR *)objW;
return ERROR_SUCCESS;
}
/* These forms do not require conversion. */
case TRUSTEE_IS_SID:
case TRUSTEE_IS_OBJECTS_AND_SID:
*ptrustee_nameW = (WCHAR *)trustee_nameA;
return ERROR_SUCCESS;
default:
return ERROR_INVALID_PARAMETER;
}
}
static void free_trustee_name(TRUSTEE_FORM form, WCHAR *trustee_nameW)
{
switch (form)
{
case TRUSTEE_IS_NAME:
heap_free( trustee_nameW );
break;
case TRUSTEE_IS_OBJECTS_AND_NAME:
{
OBJECTS_AND_NAME_W *objW = (OBJECTS_AND_NAME_W *)trustee_nameW;
if (objW)
{
heap_free( objW->ptstrName );
heap_free( objW->InheritedObjectTypeName );
heap_free( objW->ObjectTypeName );
heap_free( objW );
}
break;
}
/* Other forms did not require allocation, so no freeing is necessary. */
default:
break;
}
}
static DWORD trustee_to_sid( DWORD nDestinationSidLength, PSID pDestinationSid, PTRUSTEEW pTrustee )
{
if (pTrustee->MultipleTrusteeOperation == TRUSTEE_IS_IMPERSONATE)
{
WARN("bad multiple trustee operation %d\n", pTrustee->MultipleTrusteeOperation);
return ERROR_INVALID_PARAMETER;
}
switch (pTrustee->TrusteeForm)
{
case TRUSTEE_IS_SID:
if (!CopySid(nDestinationSidLength, pDestinationSid, pTrustee->ptstrName))
{
WARN("bad sid %p\n", pTrustee->ptstrName);
return ERROR_INVALID_PARAMETER;
}
break;
case TRUSTEE_IS_NAME:
{
DWORD sid_size = nDestinationSidLength;
DWORD domain_size = MAX_COMPUTERNAME_LENGTH + 1;
SID_NAME_USE use;
if (!strcmpW( pTrustee->ptstrName, CURRENT_USER ))
{
if (!lookup_user_account_name( pDestinationSid, &sid_size, NULL, &domain_size, &use ))
{
return GetLastError();
}
}
else if (!LookupAccountNameW(NULL, pTrustee->ptstrName, pDestinationSid, &sid_size, NULL, &domain_size, &use))
{
WARN("bad user name %s\n", debugstr_w(pTrustee->ptstrName));
return ERROR_INVALID_PARAMETER;
}
break;
}
case TRUSTEE_IS_OBJECTS_AND_SID:
FIXME("TRUSTEE_IS_OBJECTS_AND_SID unimplemented\n");
break;
case TRUSTEE_IS_OBJECTS_AND_NAME:
FIXME("TRUSTEE_IS_OBJECTS_AND_NAME unimplemented\n");
break;
default:
WARN("bad trustee form %d\n", pTrustee->TrusteeForm);
return ERROR_INVALID_PARAMETER;
}
return ERROR_SUCCESS;
}
/******************************************************************************
* SetEntriesInAclA [ADVAPI32.@]
*/
DWORD WINAPI SetEntriesInAclA( ULONG count, PEXPLICIT_ACCESSA pEntries,
PACL OldAcl, PACL* NewAcl )
{
DWORD err = ERROR_SUCCESS;
EXPLICIT_ACCESSW *pEntriesW;
UINT alloc_index, free_index;
TRACE("%d %p %p %p\n", count, pEntries, OldAcl, NewAcl);
if (NewAcl)
*NewAcl = NULL;
if (!count && !OldAcl)
return ERROR_SUCCESS;
pEntriesW = heap_alloc( count * sizeof(EXPLICIT_ACCESSW) );
if (!pEntriesW)
return ERROR_NOT_ENOUGH_MEMORY;
for (alloc_index = 0; alloc_index < count; ++alloc_index)
{
pEntriesW[alloc_index].grfAccessPermissions = pEntries[alloc_index].grfAccessPermissions;
pEntriesW[alloc_index].grfAccessMode = pEntries[alloc_index].grfAccessMode;
pEntriesW[alloc_index].grfInheritance = pEntries[alloc_index].grfInheritance;
pEntriesW[alloc_index].Trustee.pMultipleTrustee = NULL; /* currently not supported */
pEntriesW[alloc_index].Trustee.MultipleTrusteeOperation = pEntries[alloc_index].Trustee.MultipleTrusteeOperation;
pEntriesW[alloc_index].Trustee.TrusteeForm = pEntries[alloc_index].Trustee.TrusteeForm;
pEntriesW[alloc_index].Trustee.TrusteeType = pEntries[alloc_index].Trustee.TrusteeType;
err = trustee_name_A_to_W( pEntries[alloc_index].Trustee.TrusteeForm,
pEntries[alloc_index].Trustee.ptstrName,
&pEntriesW[alloc_index].Trustee.ptstrName );
if (err != ERROR_SUCCESS)
{
if (err == ERROR_INVALID_PARAMETER)
WARN("bad trustee form %d for trustee %d\n",
pEntries[alloc_index].Trustee.TrusteeForm, alloc_index);
goto cleanup;
}
}
err = SetEntriesInAclW( count, pEntriesW, OldAcl, NewAcl );
cleanup:
/* Free any previously allocated trustee name buffers, taking into account
* a possible out-of-memory condition while building the EXPLICIT_ACCESSW
* list. */
for (free_index = 0; free_index < alloc_index; ++free_index)
free_trustee_name( pEntriesW[free_index].Trustee.TrusteeForm, pEntriesW[free_index].Trustee.ptstrName );
heap_free( pEntriesW );
return err;
}
/******************************************************************************
* SetEntriesInAclW [ADVAPI32.@]
*/
DWORD WINAPI SetEntriesInAclW( ULONG count, PEXPLICIT_ACCESSW pEntries,
PACL OldAcl, PACL* NewAcl )
{
ULONG i;
PSID *ppsid;
DWORD ret = ERROR_SUCCESS;
DWORD acl_size = sizeof(ACL);
NTSTATUS status;
TRACE("%d %p %p %p\n", count, pEntries, OldAcl, NewAcl);
if (NewAcl)
*NewAcl = NULL;
if (!count && !OldAcl)
return ERROR_SUCCESS;
/* allocate array of maximum sized sids allowed */
ppsid = heap_alloc(count * (sizeof(SID *) + FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES])));
if (!ppsid)
return ERROR_OUTOFMEMORY;
for (i = 0; i < count; i++)
{
ppsid[i] = (char *)&ppsid[count] + i * FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]);
TRACE("[%d]:\n\tgrfAccessPermissions = 0x%x\n\tgrfAccessMode = %d\n\tgrfInheritance = 0x%x\n\t"
"Trustee.pMultipleTrustee = %p\n\tMultipleTrusteeOperation = %d\n\tTrusteeForm = %d\n\t"
"Trustee.TrusteeType = %d\n\tptstrName = %p\n", i,
pEntries[i].grfAccessPermissions, pEntries[i].grfAccessMode, pEntries[i].grfInheritance,
pEntries[i].Trustee.pMultipleTrustee, pEntries[i].Trustee.MultipleTrusteeOperation,
pEntries[i].Trustee.TrusteeForm, pEntries[i].Trustee.TrusteeType,
pEntries[i].Trustee.ptstrName);
ret = trustee_to_sid( FIELD_OFFSET(SID, SubAuthority[SID_MAX_SUB_AUTHORITIES]), ppsid[i], &pEntries[i].Trustee);
if (ret)
goto exit;
/* Note: we overestimate the ACL size here as a tradeoff between
* instructions (simplicity) and memory */
switch (pEntries[i].grfAccessMode)
{
case GRANT_ACCESS:
case SET_ACCESS:
acl_size += FIELD_OFFSET(ACCESS_ALLOWED_ACE, SidStart) + GetLengthSid(ppsid[i]);
break;
case DENY_ACCESS:
acl_size += FIELD_OFFSET(ACCESS_DENIED_ACE, SidStart) + GetLengthSid(ppsid[i]);
break;
case SET_AUDIT_SUCCESS:
case SET_AUDIT_FAILURE:
acl_size += FIELD_OFFSET(SYSTEM_AUDIT_ACE, SidStart) + GetLengthSid(ppsid[i]);
break;
case REVOKE_ACCESS:
break;
default:
WARN("bad access mode %d for trustee %d\n", pEntries[i].grfAccessMode, i);
ret = ERROR_INVALID_PARAMETER;
goto exit;
}
}
if (OldAcl)
{
ACL_SIZE_INFORMATION size_info;
status = RtlQueryInformationAcl(OldAcl, &size_info, sizeof(size_info), AclSizeInformation);
if (status != STATUS_SUCCESS)
{
ret = RtlNtStatusToDosError(status);
goto exit;
}
acl_size += size_info.AclBytesInUse - sizeof(ACL);
}
*NewAcl = LocalAlloc(0, acl_size);
if (!*NewAcl)
{
ret = ERROR_OUTOFMEMORY;
goto exit;
}
status = RtlCreateAcl( *NewAcl, acl_size, ACL_REVISION );
if (status != STATUS_SUCCESS)
{
ret = RtlNtStatusToDosError(status);
goto exit;
}
for (i = 0; i < count; i++)
{
switch (pEntries[i].grfAccessMode)
{
case GRANT_ACCESS:
status = RtlAddAccessAllowedAceEx(*NewAcl, ACL_REVISION,
pEntries[i].grfInheritance,
pEntries[i].grfAccessPermissions,
ppsid[i]);
break;
case SET_ACCESS:
{
ULONG j;
BOOL add = TRUE;
if (OldAcl)
{
for (j = 0; ; j++)
{
const ACE_HEADER *existing_ace_header;
status = RtlGetAce(OldAcl, j, (LPVOID *)&existing_ace_header);
if (status != STATUS_SUCCESS)
break;
if (pEntries[i].grfAccessMode == SET_ACCESS &&
existing_ace_header->AceType == ACCESS_ALLOWED_ACE_TYPE &&
EqualSid(ppsid[i], &((ACCESS_ALLOWED_ACE *)existing_ace_header)->SidStart))
{
add = FALSE;
break;
}
}
}
if (add)
status = RtlAddAccessAllowedAceEx(*NewAcl, ACL_REVISION,
pEntries[i].grfInheritance,
pEntries[i].grfAccessPermissions,
ppsid[i]);
break;
}
case DENY_ACCESS:
status = RtlAddAccessDeniedAceEx(*NewAcl, ACL_REVISION,
pEntries[i].grfInheritance,
pEntries[i].grfAccessPermissions,
ppsid[i]);
break;
case SET_AUDIT_SUCCESS:
status = RtlAddAuditAccessAceEx(*NewAcl, ACL_REVISION,
pEntries[i].grfInheritance,
pEntries[i].grfAccessPermissions,
ppsid[i], TRUE, FALSE);
break;
case SET_AUDIT_FAILURE:
status = RtlAddAuditAccessAceEx(*NewAcl, ACL_REVISION,
pEntries[i].grfInheritance,
pEntries[i].grfAccessPermissions,
ppsid[i], FALSE, TRUE);
break;
default:
FIXME("unhandled access mode %d\n", pEntries[i].grfAccessMode);
}
}
if (OldAcl)
{
for (i = 0; ; i++)
{
BOOL add = TRUE;
ULONG j;
const ACE_HEADER *old_ace_header;
status = RtlGetAce(OldAcl, i, (LPVOID *)&old_ace_header);
if (status != STATUS_SUCCESS) break;
for (j = 0; j < count; j++)
{
if (pEntries[j].grfAccessMode == SET_ACCESS &&
old_ace_header->AceType == ACCESS_ALLOWED_ACE_TYPE &&
EqualSid(ppsid[j], &((ACCESS_ALLOWED_ACE *)old_ace_header)->SidStart))
{
status = RtlAddAccessAllowedAceEx(*NewAcl, ACL_REVISION, pEntries[j].grfInheritance, pEntries[j].grfAccessPermissions, ppsid[j]);
add = FALSE;
break;
}
else if (pEntries[j].grfAccessMode == REVOKE_ACCESS)
{
switch (old_ace_header->AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
if (EqualSid(ppsid[j], &((ACCESS_ALLOWED_ACE *)old_ace_header)->SidStart))
add = FALSE;
break;
case ACCESS_DENIED_ACE_TYPE:
if (EqualSid(ppsid[j], &((ACCESS_DENIED_ACE *)old_ace_header)->SidStart))
add = FALSE;
break;
case SYSTEM_AUDIT_ACE_TYPE:
if (EqualSid(ppsid[j], &((SYSTEM_AUDIT_ACE *)old_ace_header)->SidStart))
add = FALSE;
break;
case SYSTEM_ALARM_ACE_TYPE:
if (EqualSid(ppsid[j], &((SYSTEM_ALARM_ACE *)old_ace_header)->SidStart))
add = FALSE;
break;
default:
FIXME("unhandled ace type %d\n", old_ace_header->AceType);
}
if (!add)
break;
}
}
if (add)
status = RtlAddAce(*NewAcl, ACL_REVISION, 1, (PACE_HEADER)old_ace_header, old_ace_header->AceSize);
if (status != STATUS_SUCCESS)
{
WARN("RtlAddAce failed with error 0x%08x\n", status);
ret = RtlNtStatusToDosError(status);
break;
}
}
}
exit:
heap_free(ppsid);
return ret;
}
/******************************************************************************
* SetNamedSecurityInfoA [ADVAPI32.@]
*/
DWORD WINAPI SetNamedSecurityInfoA(LPSTR pObjectName,
SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo,
PSID psidOwner, PSID psidGroup, PACL pDacl, PACL pSacl)
{
LPWSTR wstr;
DWORD r;
TRACE("%s %d %d %p %p %p %p\n", debugstr_a(pObjectName), ObjectType,
SecurityInfo, psidOwner, psidGroup, pDacl, pSacl);
wstr = SERV_dup(pObjectName);
r = SetNamedSecurityInfoW( wstr, ObjectType, SecurityInfo, psidOwner,
psidGroup, pDacl, pSacl );
heap_free( wstr );
return r;
}
BOOL WINAPI SetPrivateObjectSecurity( SECURITY_INFORMATION SecurityInformation,
PSECURITY_DESCRIPTOR ModificationDescriptor,
PSECURITY_DESCRIPTOR* ObjectsSecurityDescriptor,
PGENERIC_MAPPING GenericMapping,
HANDLE Token )
{
FIXME("0x%08x %p %p %p %p - stub\n", SecurityInformation, ModificationDescriptor,
ObjectsSecurityDescriptor, GenericMapping, Token);
return TRUE;
}
BOOL WINAPI AreAllAccessesGranted( DWORD GrantedAccess, DWORD DesiredAccess )
{
return RtlAreAllAccessesGranted( GrantedAccess, DesiredAccess );
}
/******************************************************************************
* AreAnyAccessesGranted [ADVAPI32.@]
*
* Determines whether or not any of a set of specified access permissions have
* been granted or not.
*
* PARAMS
* GrantedAccess [I] The permissions that have been granted.
* DesiredAccess [I] The permissions that you want to have.
*
* RETURNS
* Nonzero if any of the permissions have been granted, zero if none of the
* permissions have been granted.
*/
BOOL WINAPI AreAnyAccessesGranted( DWORD GrantedAccess, DWORD DesiredAccess )
{
return RtlAreAnyAccessesGranted( GrantedAccess, DesiredAccess );
}
/******************************************************************************
* SetNamedSecurityInfoW [ADVAPI32.@]
*/
DWORD WINAPI SetNamedSecurityInfoW(LPWSTR pObjectName,
SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo,
PSID psidOwner, PSID psidGroup, PACL pDacl, PACL pSacl)
{
DWORD access = 0;
HANDLE handle;
DWORD err;
TRACE( "%s %d %d %p %p %p %p\n", debugstr_w(pObjectName), ObjectType,
SecurityInfo, psidOwner, psidGroup, pDacl, pSacl);
if (!pObjectName) return ERROR_INVALID_PARAMETER;
if (SecurityInfo & (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION))
access |= WRITE_OWNER;
if (SecurityInfo & DACL_SECURITY_INFORMATION)
access |= WRITE_DAC;
if (SecurityInfo & SACL_SECURITY_INFORMATION)
access |= ACCESS_SYSTEM_SECURITY;
switch (ObjectType)
{
case SE_SERVICE:
if (!(err = get_security_service( pObjectName, access, &handle )))
{
err = SetSecurityInfo( handle, ObjectType, SecurityInfo, psidOwner, psidGroup, pDacl, pSacl );
CloseServiceHandle( handle );
}
break;
case SE_REGISTRY_KEY:
if (!(err = get_security_regkey( pObjectName, access, &handle )))
{
err = SetSecurityInfo( handle, ObjectType, SecurityInfo, psidOwner, psidGroup, pDacl, pSacl );
RegCloseKey( handle );
}
break;
case SE_FILE_OBJECT:
if (SecurityInfo & DACL_SECURITY_INFORMATION)
access |= READ_CONTROL;
if (!(err = get_security_file( pObjectName, access, &handle )))
{
err = SetSecurityInfo( handle, ObjectType, SecurityInfo, psidOwner, psidGroup, pDacl, pSacl );
CloseHandle( handle );
}
break;
default:
FIXME( "Object type %d is not currently supported.\n", ObjectType );
return ERROR_SUCCESS;
}
return err;
}
/******************************************************************************
* GetExplicitEntriesFromAclA [ADVAPI32.@]
*/
DWORD WINAPI GetExplicitEntriesFromAclA( PACL pacl, PULONG pcCountOfExplicitEntries,
PEXPLICIT_ACCESSA* pListOfExplicitEntries)
{
FIXME("%p %p %p\n",pacl, pcCountOfExplicitEntries, pListOfExplicitEntries);
return ERROR_CALL_NOT_IMPLEMENTED;
}
/******************************************************************************
* GetExplicitEntriesFromAclW [ADVAPI32.@]
*/
DWORD WINAPI GetExplicitEntriesFromAclW( PACL pacl, PULONG count, PEXPLICIT_ACCESSW *list )
{
ACL_SIZE_INFORMATION sizeinfo;
EXPLICIT_ACCESSW *entries;
MAX_SID *sid_entries;
ACE_HEADER *ace;
NTSTATUS status;
int i;
TRACE("%p %p %p\n",pacl, count, list);
if (!count || !list)
return ERROR_INVALID_PARAMETER;
status = RtlQueryInformationAcl(pacl, &sizeinfo, sizeof(sizeinfo), AclSizeInformation);
if (status) return RtlNtStatusToDosError(status);
if (!sizeinfo.AceCount)
{
*count = 0;
*list = NULL;
return ERROR_SUCCESS;
}
entries = LocalAlloc(LMEM_FIXED | LMEM_ZEROINIT, (sizeof(EXPLICIT_ACCESSW) + sizeof(MAX_SID)) * sizeinfo.AceCount);
if (!entries) return ERROR_OUTOFMEMORY;
sid_entries = (MAX_SID *)(entries + sizeinfo.AceCount);
for (i = 0; i < sizeinfo.AceCount; i++)
{
status = RtlGetAce(pacl, i, (void**)&ace);
if (status) goto error;
switch (ace->AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
{
ACCESS_ALLOWED_ACE *allow = (ACCESS_ALLOWED_ACE *)ace;
entries[i].grfAccessMode = GRANT_ACCESS;
entries[i].grfInheritance = ace->AceFlags;
entries[i].grfAccessPermissions = allow->Mask;
CopySid(sizeof(MAX_SID), (PSID)&sid_entries[i], (PSID)&allow->SidStart);
entries[i].Trustee.pMultipleTrustee = NULL;
entries[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
entries[i].Trustee.TrusteeForm = TRUSTEE_IS_SID;
entries[i].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
entries[i].Trustee.ptstrName = (WCHAR *)&sid_entries[i];
break;
}
case ACCESS_DENIED_ACE_TYPE:
{
ACCESS_DENIED_ACE *deny = (ACCESS_DENIED_ACE *)ace;
entries[i].grfAccessMode = DENY_ACCESS;
entries[i].grfInheritance = ace->AceFlags;
entries[i].grfAccessPermissions = deny->Mask;
CopySid(sizeof(MAX_SID), (PSID)&sid_entries[i], (PSID)&deny->SidStart);
entries[i].Trustee.pMultipleTrustee = NULL;
entries[i].Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
entries[i].Trustee.TrusteeForm = TRUSTEE_IS_SID;
entries[i].Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
entries[i].Trustee.ptstrName = (WCHAR *)&sid_entries[i];
break;
}
default:
FIXME("Unhandled ace type %d\n", ace->AceType);
entries[i].grfAccessMode = NOT_USED_ACCESS;
continue;
}
}
*count = sizeinfo.AceCount;
*list = entries;
return ERROR_SUCCESS;
error:
LocalFree(entries);
return RtlNtStatusToDosError(status);
}
/******************************************************************************
* GetAuditedPermissionsFromAclA [ADVAPI32.@]
*/
DWORD WINAPI GetAuditedPermissionsFromAclA( PACL pacl, PTRUSTEEA pTrustee, PACCESS_MASK pSuccessfulAuditedRights,
PACCESS_MASK pFailedAuditRights)
{
FIXME("%p %p %p %p\n",pacl, pTrustee, pSuccessfulAuditedRights, pFailedAuditRights);
return ERROR_CALL_NOT_IMPLEMENTED;
}
/******************************************************************************
* GetAuditedPermissionsFromAclW [ADVAPI32.@]
*/
DWORD WINAPI GetAuditedPermissionsFromAclW( PACL pacl, PTRUSTEEW pTrustee, PACCESS_MASK pSuccessfulAuditedRights,
PACCESS_MASK pFailedAuditRights)
{
FIXME("%p %p %p %p\n",pacl, pTrustee, pSuccessfulAuditedRights, pFailedAuditRights);
return ERROR_CALL_NOT_IMPLEMENTED;
}
/******************************************************************************
* ParseAclStringFlags
*/
static DWORD ParseAclStringFlags(LPCWSTR* StringAcl)
{
DWORD flags = 0;
LPCWSTR szAcl = *StringAcl;
while (*szAcl && *szAcl != '(')
{
if (*szAcl == 'P')
{
flags |= SE_DACL_PROTECTED;
}
else if (*szAcl == 'A')
{
szAcl++;
if (*szAcl == 'R')
flags |= SE_DACL_AUTO_INHERIT_REQ;
else if (*szAcl == 'I')
flags |= SE_DACL_AUTO_INHERITED;
}
szAcl++;
}
*StringAcl = szAcl;
return flags;
}
/******************************************************************************
* ParseAceStringType
*/
static const ACEFLAG AceType[] =
{
{ SDDL_ALARM, SYSTEM_ALARM_ACE_TYPE },
{ SDDL_AUDIT, SYSTEM_AUDIT_ACE_TYPE },
{ SDDL_ACCESS_ALLOWED, ACCESS_ALLOWED_ACE_TYPE },
{ SDDL_ACCESS_DENIED, ACCESS_DENIED_ACE_TYPE },
{ SDDL_MANDATORY_LABEL,SYSTEM_MANDATORY_LABEL_ACE_TYPE },
/*
{ SDDL_OBJECT_ACCESS_ALLOWED, ACCESS_ALLOWED_OBJECT_ACE_TYPE },
{ SDDL_OBJECT_ACCESS_DENIED, ACCESS_DENIED_OBJECT_ACE_TYPE },
{ SDDL_OBJECT_ALARM, SYSTEM_ALARM_OBJECT_ACE_TYPE },
{ SDDL_OBJECT_AUDIT, SYSTEM_AUDIT_OBJECT_ACE_TYPE },
*/
{ NULL, 0 },
};
static BYTE ParseAceStringType(LPCWSTR* StringAcl)
{
UINT len = 0;
LPCWSTR szAcl = *StringAcl;
const ACEFLAG *lpaf = AceType;
while (*szAcl == ' ')
szAcl++;
while (lpaf->wstr &&
(len = strlenW(lpaf->wstr)) &&
strncmpW(lpaf->wstr, szAcl, len))
lpaf++;
if (!lpaf->wstr)
return 0;
*StringAcl = szAcl + len;
return lpaf->value;
}
/******************************************************************************
* ParseAceStringFlags
*/
static const ACEFLAG AceFlags[] =
{
{ SDDL_CONTAINER_INHERIT, CONTAINER_INHERIT_ACE },
{ SDDL_AUDIT_FAILURE, FAILED_ACCESS_ACE_FLAG },
{ SDDL_INHERITED, INHERITED_ACE },
{ SDDL_INHERIT_ONLY, INHERIT_ONLY_ACE },
{ SDDL_NO_PROPAGATE, NO_PROPAGATE_INHERIT_ACE },
{ SDDL_OBJECT_INHERIT, OBJECT_INHERIT_ACE },
{ SDDL_AUDIT_SUCCESS, SUCCESSFUL_ACCESS_ACE_FLAG },
{ NULL, 0 },
};
static BYTE ParseAceStringFlags(LPCWSTR* StringAcl)
{
UINT len = 0;
BYTE flags = 0;
LPCWSTR szAcl = *StringAcl;
while (*szAcl == ' ')
szAcl++;
while (*szAcl != ';')
{
const ACEFLAG *lpaf = AceFlags;
while (lpaf->wstr &&
(len = strlenW(lpaf->wstr)) &&
strncmpW(lpaf->wstr, szAcl, len))
lpaf++;
if (!lpaf->wstr)
return 0;
flags |= lpaf->value;
szAcl += len;
}
*StringAcl = szAcl;
return flags;
}
/******************************************************************************
* ParseAceStringRights
*/
static const ACEFLAG AceRights[] =
{
{ SDDL_GENERIC_ALL, GENERIC_ALL },
{ SDDL_GENERIC_READ, GENERIC_READ },
{ SDDL_GENERIC_WRITE, GENERIC_WRITE },
{ SDDL_GENERIC_EXECUTE, GENERIC_EXECUTE },
{ SDDL_READ_CONTROL, READ_CONTROL },
{ SDDL_STANDARD_DELETE, DELETE },
{ SDDL_WRITE_DAC, WRITE_DAC },
{ SDDL_WRITE_OWNER, WRITE_OWNER },
{ SDDL_READ_PROPERTY, ADS_RIGHT_DS_READ_PROP},
{ SDDL_WRITE_PROPERTY, ADS_RIGHT_DS_WRITE_PROP},
{ SDDL_CREATE_CHILD, ADS_RIGHT_DS_CREATE_CHILD},
{ SDDL_DELETE_CHILD, ADS_RIGHT_DS_DELETE_CHILD},
{ SDDL_LIST_CHILDREN, ADS_RIGHT_ACTRL_DS_LIST},
{ SDDL_SELF_WRITE, ADS_RIGHT_DS_SELF},
{ SDDL_LIST_OBJECT, ADS_RIGHT_DS_LIST_OBJECT},
{ SDDL_DELETE_TREE, ADS_RIGHT_DS_DELETE_TREE},
{ SDDL_CONTROL_ACCESS, ADS_RIGHT_DS_CONTROL_ACCESS},
{ SDDL_FILE_ALL, FILE_ALL_ACCESS },
{ SDDL_FILE_READ, FILE_GENERIC_READ },
{ SDDL_FILE_WRITE, FILE_GENERIC_WRITE },
{ SDDL_FILE_EXECUTE, FILE_GENERIC_EXECUTE },
{ SDDL_KEY_ALL, KEY_ALL_ACCESS },
{ SDDL_KEY_READ, KEY_READ },
{ SDDL_KEY_WRITE, KEY_WRITE },
{ SDDL_KEY_EXECUTE, KEY_EXECUTE },
{ SDDL_NO_READ_UP, SYSTEM_MANDATORY_LABEL_NO_READ_UP },
{ SDDL_NO_WRITE_UP, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP },
{ SDDL_NO_EXECUTE_UP, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP },
{ NULL, 0 },
};
static DWORD ParseAceStringRights(LPCWSTR* StringAcl)
{
UINT len = 0;
DWORD rights = 0;
LPCWSTR szAcl = *StringAcl;
while (*szAcl == ' ')
szAcl++;
if ((*szAcl == '0') && (*(szAcl + 1) == 'x'))
{
LPCWSTR p = szAcl;
while (*p && *p != ';')
p++;
if (p - szAcl <= 10 /* 8 hex digits + "0x" */ )
{
rights = strtoulW(szAcl, NULL, 16);
szAcl = p;
}
else
WARN("Invalid rights string format: %s\n", debugstr_wn(szAcl, p - szAcl));
}
else
{
while (*szAcl != ';')
{
const ACEFLAG *lpaf = AceRights;
while (lpaf->wstr &&
(len = strlenW(lpaf->wstr)) &&
strncmpW(lpaf->wstr, szAcl, len))
{
lpaf++;
}
if (!lpaf->wstr)
return 0;
rights |= lpaf->value;
szAcl += len;
}
}
*StringAcl = szAcl;
return rights;
}
/******************************************************************************
* ParseStringAclToAcl
*
* dacl_flags(string_ace1)(string_ace2)... (string_acen)
*/
static BOOL ParseStringAclToAcl(LPCWSTR StringAcl, LPDWORD lpdwFlags,
PACL pAcl, LPDWORD cBytes)
{
DWORD val;
DWORD sidlen;
DWORD length = sizeof(ACL);
DWORD acesize = 0;
DWORD acecount = 0;
PACCESS_ALLOWED_ACE pAce = NULL; /* pointer to current ACE */
DWORD error = ERROR_INVALID_ACL;
TRACE("%s\n", debugstr_w(StringAcl));
if (!StringAcl)
return FALSE;
if (pAcl) /* pAce is only useful if we're setting values */
pAce = (PACCESS_ALLOWED_ACE) (pAcl + 1);
/* Parse ACL flags */
*lpdwFlags = ParseAclStringFlags(&StringAcl);
/* Parse ACE */
while (*StringAcl == '(')
{
StringAcl++;
/* Parse ACE type */
val = ParseAceStringType(&StringAcl);
if (pAce)
pAce->Header.AceType = (BYTE) val;
if (*StringAcl != ';')
{
error = RPC_S_INVALID_STRING_UUID;
goto lerr;
}
StringAcl++;
/* Parse ACE flags */
val = ParseAceStringFlags(&StringAcl);
if (pAce)
pAce->Header.AceFlags = (BYTE) val;
if (*StringAcl != ';')
goto lerr;
StringAcl++;
/* Parse ACE rights */
val = ParseAceStringRights(&StringAcl);
if (pAce)
pAce->Mask = val;
if (*StringAcl != ';')
goto lerr;
StringAcl++;
/* Parse ACE object guid */
while (*StringAcl == ' ')
StringAcl++;
if (*StringAcl != ';')
{
FIXME("Support for *_OBJECT_ACE_TYPE not implemented\n");
goto lerr;
}
StringAcl++;
/* Parse ACE inherit object guid */
while (*StringAcl == ' ')
StringAcl++;
if (*StringAcl != ';')
{
FIXME("Support for *_OBJECT_ACE_TYPE not implemented\n");
goto lerr;
}
StringAcl++;
/* Parse ACE account sid */
if (ParseStringSidToSid(StringAcl, pAce ? &pAce->SidStart : NULL, &sidlen))
{
while (*StringAcl && *StringAcl != ')')
StringAcl++;
}
if (*StringAcl != ')')
goto lerr;
StringAcl++;
acesize = sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD) + sidlen;
length += acesize;
if (pAce)
{
pAce->Header.AceSize = acesize;
pAce = (PACCESS_ALLOWED_ACE)((LPBYTE)pAce + acesize);
}
acecount++;
}
*cBytes = length;
if (length > 0xffff)
{
ERR("ACL too large\n");
goto lerr;
}
if (pAcl)
{
pAcl->AclRevision = ACL_REVISION;
pAcl->Sbz1 = 0;
pAcl->AclSize = length;
pAcl->AceCount = acecount;
pAcl->Sbz2 = 0;
}
return TRUE;
lerr:
SetLastError(error);
WARN("Invalid ACE string format\n");
return FALSE;
}
/******************************************************************************
* ParseStringSecurityDescriptorToSecurityDescriptor
*/
static BOOL ParseStringSecurityDescriptorToSecurityDescriptor(
LPCWSTR StringSecurityDescriptor,
SECURITY_DESCRIPTOR_RELATIVE* SecurityDescriptor,
LPDWORD cBytes)
{
BOOL bret = FALSE;
WCHAR toktype;
WCHAR *tok;
LPCWSTR lptoken;
LPBYTE lpNext = NULL;
DWORD len;
*cBytes = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
tok = heap_alloc( (lstrlenW(StringSecurityDescriptor) + 1) * sizeof(WCHAR));
if (SecurityDescriptor)
lpNext = (LPBYTE)(SecurityDescriptor + 1);
while (*StringSecurityDescriptor == ' ')
StringSecurityDescriptor++;
while (*StringSecurityDescriptor)
{
toktype = *StringSecurityDescriptor;
/* Expect char identifier followed by ':' */
StringSecurityDescriptor++;
if (*StringSecurityDescriptor != ':')
{
SetLastError(ERROR_INVALID_PARAMETER);
goto lend;
}
StringSecurityDescriptor++;
/* Extract token */
lptoken = StringSecurityDescriptor;
while (*lptoken && *lptoken != ':')
lptoken++;
if (*lptoken)
lptoken--;
len = lptoken - StringSecurityDescriptor;
memcpy( tok, StringSecurityDescriptor, len * sizeof(WCHAR) );
tok[len] = 0;
switch (toktype)
{
case 'O':
{
DWORD bytes;
if (!ParseStringSidToSid(tok, lpNext, &bytes))
goto lend;
if (SecurityDescriptor)
{
SecurityDescriptor->Owner = lpNext - (LPBYTE)SecurityDescriptor;
lpNext += bytes; /* Advance to next token */
}
*cBytes += bytes;
break;
}
case 'G':
{
DWORD bytes;
if (!ParseStringSidToSid(tok, lpNext, &bytes))
goto lend;
if (SecurityDescriptor)
{
SecurityDescriptor->Group = lpNext - (LPBYTE)SecurityDescriptor;
lpNext += bytes; /* Advance to next token */
}
*cBytes += bytes;
break;
}
case 'D':
{
DWORD flags;
DWORD bytes;
if (!ParseStringAclToAcl(tok, &flags, (PACL)lpNext, &bytes))
goto lend;
if (SecurityDescriptor)
{
SecurityDescriptor->Control |= SE_DACL_PRESENT | flags;
SecurityDescriptor->Dacl = lpNext - (LPBYTE)SecurityDescriptor;
lpNext += bytes; /* Advance to next token */
}
*cBytes += bytes;
break;
}
case 'S':
{
DWORD flags;
DWORD bytes;
if (!ParseStringAclToAcl(tok, &flags, (PACL)lpNext, &bytes))
goto lend;
if (SecurityDescriptor)
{
SecurityDescriptor->Control |= SE_SACL_PRESENT | flags;
SecurityDescriptor->Sacl = lpNext - (LPBYTE)SecurityDescriptor;
lpNext += bytes; /* Advance to next token */
}
*cBytes += bytes;
break;
}
default:
FIXME("Unknown token\n");
SetLastError(ERROR_INVALID_PARAMETER);
goto lend;
}
StringSecurityDescriptor = lptoken;
}
bret = TRUE;
lend:
heap_free(tok);
return bret;
}
/******************************************************************************
* ConvertStringSecurityDescriptorToSecurityDescriptorA [ADVAPI32.@]
*/
BOOL WINAPI ConvertStringSecurityDescriptorToSecurityDescriptorA(
LPCSTR StringSecurityDescriptor,
DWORD StringSDRevision,
PSECURITY_DESCRIPTOR* SecurityDescriptor,
PULONG SecurityDescriptorSize)
{
BOOL ret;
LPWSTR StringSecurityDescriptorW;
TRACE("%s, %u, %p, %p\n", debugstr_a(StringSecurityDescriptor), StringSDRevision,
SecurityDescriptor, SecurityDescriptorSize);
if(!StringSecurityDescriptor)
return FALSE;
StringSecurityDescriptorW = SERV_dup(StringSecurityDescriptor);
ret = ConvertStringSecurityDescriptorToSecurityDescriptorW(StringSecurityDescriptorW,
StringSDRevision, SecurityDescriptor,
SecurityDescriptorSize);
heap_free(StringSecurityDescriptorW);
return ret;
}
/******************************************************************************
* ConvertStringSecurityDescriptorToSecurityDescriptorW [ADVAPI32.@]
*/
BOOL WINAPI ConvertStringSecurityDescriptorToSecurityDescriptorW(
LPCWSTR StringSecurityDescriptor,
DWORD StringSDRevision,
PSECURITY_DESCRIPTOR* SecurityDescriptor,
PULONG SecurityDescriptorSize)
{
DWORD cBytes;
SECURITY_DESCRIPTOR* psd;
BOOL bret = FALSE;
TRACE("%s, %u, %p, %p\n", debugstr_w(StringSecurityDescriptor), StringSDRevision,
SecurityDescriptor, SecurityDescriptorSize);
if (GetVersion() & 0x80000000)
{
SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
goto lend;
}
else if (!StringSecurityDescriptor || !SecurityDescriptor)
{
SetLastError(ERROR_INVALID_PARAMETER);
goto lend;
}
else if (StringSDRevision != SID_REVISION)
{
SetLastError(ERROR_UNKNOWN_REVISION);
goto lend;
}
/* Compute security descriptor length */
if (!ParseStringSecurityDescriptorToSecurityDescriptor(StringSecurityDescriptor,
NULL, &cBytes))
goto lend;
psd = *SecurityDescriptor = LocalAlloc(GMEM_ZEROINIT, cBytes);
if (!psd) goto lend;
psd->Revision = SID_REVISION;
psd->Control |= SE_SELF_RELATIVE;
if (!ParseStringSecurityDescriptorToSecurityDescriptor(StringSecurityDescriptor,
(SECURITY_DESCRIPTOR_RELATIVE *)psd, &cBytes))
{
LocalFree(psd);
goto lend;
}
if (SecurityDescriptorSize)
*SecurityDescriptorSize = cBytes;
bret = TRUE;
lend:
TRACE(" ret=%d\n", bret);
return bret;
}
static void DumpString(LPCWSTR string, int cch, WCHAR **pwptr, ULONG *plen)
{
if (cch == -1)
cch = strlenW(string);
if (plen)
*plen += cch;
if (pwptr)
{
memcpy(*pwptr, string, sizeof(WCHAR)*cch);
*pwptr += cch;
}
}
static BOOL DumpSidNumeric(PSID psid, WCHAR **pwptr, ULONG *plen)
{
static const WCHAR fmt[] = { 'S','-','%','u','-','%','d',0 };
static const WCHAR subauthfmt[] = { '-','%','u',0 };
DWORD i;
WCHAR buf[26];
SID *pisid = psid;
if( !IsValidSid( psid ) || pisid->Revision != SDDL_REVISION)
{
SetLastError(ERROR_INVALID_SID);
return FALSE;
}
if (pisid->IdentifierAuthority.Value[0] ||
pisid->IdentifierAuthority.Value[1])
{
FIXME("not matching MS' bugs\n");
SetLastError(ERROR_INVALID_SID);
return FALSE;
}
sprintfW( buf, fmt, pisid->Revision,
MAKELONG(
MAKEWORD( pisid->IdentifierAuthority.Value[5],
pisid->IdentifierAuthority.Value[4] ),
MAKEWORD( pisid->IdentifierAuthority.Value[3],
pisid->IdentifierAuthority.Value[2] )
) );
DumpString(buf, -1, pwptr, plen);
for( i=0; i<pisid->SubAuthorityCount; i++ )
{
sprintfW( buf, subauthfmt, pisid->SubAuthority[i] );
DumpString(buf, -1, pwptr, plen);
}
return TRUE;
}
static BOOL DumpSid(PSID psid, WCHAR **pwptr, ULONG *plen)
{
size_t i;
for (i = 0; i < ARRAY_SIZE(WellKnownSids); i++)
{
if (WellKnownSids[i].wstr[0] && EqualSid(psid, (PSID)&(WellKnownSids[i].Sid.Revision)))
{
DumpString(WellKnownSids[i].wstr, 2, pwptr, plen);
return TRUE;
}
}
return DumpSidNumeric(psid, pwptr, plen);
}
static const LPCWSTR AceRightBitNames[32] = {
SDDL_CREATE_CHILD, /* 0 */
SDDL_DELETE_CHILD,
SDDL_LIST_CHILDREN,
SDDL_SELF_WRITE,
SDDL_READ_PROPERTY, /* 4 */
SDDL_WRITE_PROPERTY,
SDDL_DELETE_TREE,
SDDL_LIST_OBJECT,
SDDL_CONTROL_ACCESS, /* 8 */
NULL,
NULL,
NULL,
NULL, /* 12 */
NULL,
NULL,
NULL,
SDDL_STANDARD_DELETE, /* 16 */
SDDL_READ_CONTROL,
SDDL_WRITE_DAC,
SDDL_WRITE_OWNER,
NULL, /* 20 */
NULL,
NULL,
NULL,
NULL, /* 24 */
NULL,
NULL,
NULL,
SDDL_GENERIC_ALL, /* 28 */
SDDL_GENERIC_EXECUTE,
SDDL_GENERIC_WRITE,
SDDL_GENERIC_READ
};
static void DumpRights(DWORD mask, WCHAR **pwptr, ULONG *plen)
{
static const WCHAR fmtW[] = {'0','x','%','x',0};
WCHAR buf[15];
size_t i;
if (mask == 0)
return;
/* first check if the right have name */
for (i = 0; i < ARRAY_SIZE(AceRights); i++)
{
if (AceRights[i].wstr == NULL)
break;
if (mask == AceRights[i].value)
{
DumpString(AceRights[i].wstr, -1, pwptr, plen);
return;
}
}
/* then check if it can be built from bit names */
for (i = 0; i < 32; i++)
{
if ((mask & (1 << i)) && (AceRightBitNames[i] == NULL))
{
/* can't be built from bit names */
sprintfW(buf, fmtW, mask);
DumpString(buf, -1, pwptr, plen);
return;
}
}
/* build from bit names */
for (i = 0; i < 32; i++)
if (mask & (1 << i))
DumpString(AceRightBitNames[i], -1, pwptr, plen);
}
static BOOL DumpAce(LPVOID pace, WCHAR **pwptr, ULONG *plen)
{
ACCESS_ALLOWED_ACE *piace; /* all the supported ACEs have the same memory layout */
static const WCHAR openbr = '(';
static const WCHAR closebr = ')';
static const WCHAR semicolon = ';';
if (((PACE_HEADER)pace)->AceType > SYSTEM_ALARM_ACE_TYPE || ((PACE_HEADER)pace)->AceSize < sizeof(ACCESS_ALLOWED_ACE))
{
SetLastError(ERROR_INVALID_ACL);
return FALSE;
}
piace = pace;
DumpString(&openbr, 1, pwptr, plen);
switch (piace->Header.AceType)
{
case ACCESS_ALLOWED_ACE_TYPE:
DumpString(SDDL_ACCESS_ALLOWED, -1, pwptr, plen);
break;
case ACCESS_DENIED_ACE_TYPE:
DumpString(SDDL_ACCESS_DENIED, -1, pwptr, plen);
break;
case SYSTEM_AUDIT_ACE_TYPE:
DumpString(SDDL_AUDIT, -1, pwptr, plen);
break;
case SYSTEM_ALARM_ACE_TYPE:
DumpString(SDDL_ALARM, -1, pwptr, plen);
break;
}
DumpString(&semicolon, 1, pwptr, plen);
if (piace->Header.AceFlags & OBJECT_INHERIT_ACE)
DumpString(SDDL_OBJECT_INHERIT, -1, pwptr, plen);
if (piace->Header.AceFlags & CONTAINER_INHERIT_ACE)
DumpString(SDDL_CONTAINER_INHERIT, -1, pwptr, plen);
if (piace->Header.AceFlags & NO_PROPAGATE_INHERIT_ACE)
DumpString(SDDL_NO_PROPAGATE, -1, pwptr, plen);
if (piace->Header.AceFlags & INHERIT_ONLY_ACE)
DumpString(SDDL_INHERIT_ONLY, -1, pwptr, plen);
if (piace->Header.AceFlags & INHERITED_ACE)
DumpString(SDDL_INHERITED, -1, pwptr, plen);
if (piace->Header.AceFlags & SUCCESSFUL_ACCESS_ACE_FLAG)
DumpString(SDDL_AUDIT_SUCCESS, -1, pwptr, plen);
if (piace->Header.AceFlags & FAILED_ACCESS_ACE_FLAG)
DumpString(SDDL_AUDIT_FAILURE, -1, pwptr, plen);
DumpString(&semicolon, 1, pwptr, plen);
DumpRights(piace->Mask, pwptr, plen);
DumpString(&semicolon, 1, pwptr, plen);
/* objects not supported */
DumpString(&semicolon, 1, pwptr, plen);
/* objects not supported */
DumpString(&semicolon, 1, pwptr, plen);
if (!DumpSid(&piace->SidStart, pwptr, plen))
return FALSE;
DumpString(&closebr, 1, pwptr, plen);
return TRUE;
}
static BOOL DumpAcl(PACL pacl, WCHAR **pwptr, ULONG *plen, BOOL protected, BOOL autoInheritReq, BOOL autoInherited)
{
WORD count;
UINT i;
if (protected)
DumpString(SDDL_PROTECTED, -1, pwptr, plen);
if (autoInheritReq)
DumpString(SDDL_AUTO_INHERIT_REQ, -1, pwptr, plen);
if (autoInherited)
DumpString(SDDL_AUTO_INHERITED, -1, pwptr, plen);
if (pacl == NULL)
return TRUE;
if (!IsValidAcl(pacl))
return FALSE;
count = pacl->AceCount;
for (i = 0; i < count; i++)
{
LPVOID ace;
if (!GetAce(pacl, i, &ace))
return FALSE;
if (!DumpAce(ace, pwptr, plen))
return FALSE;
}
return TRUE;
}
static BOOL DumpOwner(PSECURITY_DESCRIPTOR SecurityDescriptor, WCHAR **pwptr, ULONG *plen)
{
static const WCHAR prefix[] = {'O',':',0};
BOOL bDefaulted;
PSID psid;
if (!GetSecurityDescriptorOwner(SecurityDescriptor, &psid, &bDefaulted))
return FALSE;
if (psid == NULL)
return TRUE;
DumpString(prefix, -1, pwptr, plen);
if (!DumpSid(psid, pwptr, plen))
return FALSE;
return TRUE;
}
static BOOL DumpGroup(PSECURITY_DESCRIPTOR SecurityDescriptor, WCHAR **pwptr, ULONG *plen)
{
static const WCHAR prefix[] = {'G',':',0};
BOOL bDefaulted;
PSID psid;
if (!GetSecurityDescriptorGroup(SecurityDescriptor, &psid, &bDefaulted))
return FALSE;
if (psid == NULL)
return TRUE;
DumpString(prefix, -1, pwptr, plen);
if (!DumpSid(psid, pwptr, plen))
return FALSE;
return TRUE;
}
static BOOL DumpDacl(PSECURITY_DESCRIPTOR SecurityDescriptor, WCHAR **pwptr, ULONG *plen)
{
static const WCHAR dacl[] = {'D',':',0};
SECURITY_DESCRIPTOR_CONTROL control;
BOOL present, defaulted;
DWORD revision;
PACL pacl;
if (!GetSecurityDescriptorDacl(SecurityDescriptor, &present, &pacl, &defaulted))
return FALSE;
if (!GetSecurityDescriptorControl(SecurityDescriptor, &control, &revision))
return FALSE;
if (!present)
return TRUE;
DumpString(dacl, 2, pwptr, plen);
if (!DumpAcl(pacl, pwptr, plen, control & SE_DACL_PROTECTED, control & SE_DACL_AUTO_INHERIT_REQ, control & SE_DACL_AUTO_INHERITED))
return FALSE;
return TRUE;
}
static BOOL DumpSacl(PSECURITY_DESCRIPTOR SecurityDescriptor, WCHAR **pwptr, ULONG *plen)
{
static const WCHAR sacl[] = {'S',':',0};
SECURITY_DESCRIPTOR_CONTROL control;
BOOL present, defaulted;
DWORD revision;
PACL pacl;
if (!GetSecurityDescriptorSacl(SecurityDescriptor, &present, &pacl, &defaulted))
return FALSE;
if (!GetSecurityDescriptorControl(SecurityDescriptor, &control, &revision))
return FALSE;
if (!present)
return TRUE;
DumpString(sacl, 2, pwptr, plen);
if (!DumpAcl(pacl, pwptr, plen, control & SE_SACL_PROTECTED, control & SE_SACL_AUTO_INHERIT_REQ, control & SE_SACL_AUTO_INHERITED))
return FALSE;
return TRUE;
}
/******************************************************************************
* ConvertSecurityDescriptorToStringSecurityDescriptorA [ADVAPI32.@]
*/
BOOL WINAPI ConvertSecurityDescriptorToStringSecurityDescriptorW(PSECURITY_DESCRIPTOR SecurityDescriptor, DWORD SDRevision, SECURITY_INFORMATION RequestedInformation, LPWSTR *OutputString, PULONG OutputLen)
{
ULONG len;
WCHAR *wptr, *wstr;
if (SDRevision != SDDL_REVISION_1)
{
ERR("Program requested unknown SDDL revision %d\n", SDRevision);
SetLastError(ERROR_UNKNOWN_REVISION);
return FALSE;
}
len = 0;
if (RequestedInformation & OWNER_SECURITY_INFORMATION)
if (!DumpOwner(SecurityDescriptor, NULL, &len))
return FALSE;
if (RequestedInformation & GROUP_SECURITY_INFORMATION)
if (!DumpGroup(SecurityDescriptor, NULL, &len))
return FALSE;
if (RequestedInformation & DACL_SECURITY_INFORMATION)
if (!DumpDacl(SecurityDescriptor, NULL, &len))
return FALSE;
if (RequestedInformation & SACL_SECURITY_INFORMATION)
if (!DumpSacl(SecurityDescriptor, NULL, &len))
return FALSE;
wstr = wptr = LocalAlloc(0, (len + 1)*sizeof(WCHAR));
if (RequestedInformation & OWNER_SECURITY_INFORMATION)
if (!DumpOwner(SecurityDescriptor, &wptr, NULL)) {
LocalFree (wstr);
return FALSE;
}
if (RequestedInformation & GROUP_SECURITY_INFORMATION)
if (!DumpGroup(SecurityDescriptor, &wptr, NULL)) {
LocalFree (wstr);
return FALSE;
}
if (RequestedInformation & DACL_SECURITY_INFORMATION)
if (!DumpDacl(SecurityDescriptor, &wptr, NULL)) {
LocalFree (wstr);
return FALSE;
}
if (RequestedInformation & SACL_SECURITY_INFORMATION)
if (!DumpSacl(SecurityDescriptor, &wptr, NULL)) {
LocalFree (wstr);
return FALSE;
}
*wptr = 0;
TRACE("ret: %s, %d\n", wine_dbgstr_w(wstr), len);
*OutputString = wstr;
if (OutputLen)
*OutputLen = strlenW(*OutputString)+1;
return TRUE;
}
/******************************************************************************
* ConvertSecurityDescriptorToStringSecurityDescriptorA [ADVAPI32.@]
*/
BOOL WINAPI ConvertSecurityDescriptorToStringSecurityDescriptorA(PSECURITY_DESCRIPTOR SecurityDescriptor, DWORD SDRevision, SECURITY_INFORMATION Information, LPSTR *OutputString, PULONG OutputLen)
{
LPWSTR wstr;
ULONG len;
if (ConvertSecurityDescriptorToStringSecurityDescriptorW(SecurityDescriptor, SDRevision, Information, &wstr, &len))
{
int lenA;
lenA = WideCharToMultiByte(CP_ACP, 0, wstr, len, NULL, 0, NULL, NULL);
*OutputString = heap_alloc(lenA);
WideCharToMultiByte(CP_ACP, 0, wstr, len, *OutputString, lenA, NULL, NULL);
LocalFree(wstr);
if (OutputLen != NULL)
*OutputLen = lenA;
return TRUE;
}
else
{
*OutputString = NULL;
if (OutputLen)
*OutputLen = 0;
return FALSE;
}
}
/******************************************************************************
* ConvertStringSidToSidW [ADVAPI32.@]
*/
BOOL WINAPI ConvertStringSidToSidW(LPCWSTR StringSid, PSID* Sid)
{
BOOL bret = FALSE;
DWORD cBytes;
TRACE("%s, %p\n", debugstr_w(StringSid), Sid);
if (GetVersion() & 0x80000000)
SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
else if (!StringSid || !Sid)
SetLastError(ERROR_INVALID_PARAMETER);
else if (ParseStringSidToSid(StringSid, NULL, &cBytes))
{
PSID pSid = *Sid = LocalAlloc(0, cBytes);
bret = ParseStringSidToSid(StringSid, pSid, &cBytes);
if (!bret)
LocalFree(*Sid);
}
return bret;
}
/******************************************************************************
* ConvertStringSidToSidA [ADVAPI32.@]
*/
BOOL WINAPI ConvertStringSidToSidA(LPCSTR StringSid, PSID* Sid)
{
BOOL bret = FALSE;
TRACE("%s, %p\n", debugstr_a(StringSid), Sid);
if (GetVersion() & 0x80000000)
SetLastError(ERROR_CALL_NOT_IMPLEMENTED);
else if (!StringSid || !Sid)
SetLastError(ERROR_INVALID_PARAMETER);
else
{
WCHAR *wStringSid = SERV_dup(StringSid);
bret = ConvertStringSidToSidW(wStringSid, Sid);
heap_free(wStringSid);
}
return bret;
}
/******************************************************************************
* ConvertSidToStringSidW [ADVAPI32.@]
*
* format of SID string is:
* S-<count>-<auth>-<subauth1>-<subauth2>-<subauth3>...
* where
* <rev> is the revision of the SID encoded as decimal
* <auth> is the identifier authority encoded as hex
* <subauthN> is the subauthority id encoded as decimal
*/
BOOL WINAPI ConvertSidToStringSidW( PSID pSid, LPWSTR *pstr )
{
DWORD len = 0;
LPWSTR wstr, wptr;
TRACE("%p %p\n", pSid, pstr );
len = 0;
if (!DumpSidNumeric(pSid, NULL, &len))
return FALSE;
wstr = wptr = LocalAlloc(0, (len+1) * sizeof(WCHAR));
DumpSidNumeric(pSid, &wptr, NULL);
*wptr = 0;
*pstr = wstr;
return TRUE;
}
/******************************************************************************
* ConvertSidToStringSidA [ADVAPI32.@]
*/
BOOL WINAPI ConvertSidToStringSidA(PSID pSid, LPSTR *pstr)
{
LPWSTR wstr = NULL;
LPSTR str;
UINT len;
TRACE("%p %p\n", pSid, pstr );
if( !ConvertSidToStringSidW( pSid, &wstr ) )
return FALSE;
len = WideCharToMultiByte( CP_ACP, 0, wstr, -1, NULL, 0, NULL, NULL );
str = LocalAlloc( 0, len );
WideCharToMultiByte( CP_ACP, 0, wstr, -1, str, len, NULL, NULL );
LocalFree( wstr );
*pstr = str;
return TRUE;
}
BOOL WINAPI ConvertToAutoInheritPrivateObjectSecurity(
PSECURITY_DESCRIPTOR pdesc,
PSECURITY_DESCRIPTOR cdesc,
PSECURITY_DESCRIPTOR* ndesc,
GUID* objtype,
BOOL isdir,
PGENERIC_MAPPING genmap )
{
FIXME("%p %p %p %p %d %p - stub\n", pdesc, cdesc, ndesc, objtype, isdir, genmap);
return FALSE;
}
BOOL WINAPI CreatePrivateObjectSecurityEx(
PSECURITY_DESCRIPTOR parent, PSECURITY_DESCRIPTOR creator, PSECURITY_DESCRIPTOR *out,
GUID *objtype, BOOL is_directory, ULONG flags, HANDLE token, PGENERIC_MAPPING mapping)
{
SECURITY_DESCRIPTOR_RELATIVE *relative;
DWORD needed, offset;
BYTE *buffer;
FIXME("%p %p %p %p %d %u %p %p - returns fake SECURITY_DESCRIPTOR\n", parent, creator, out,
objtype, is_directory, flags, token, mapping);
needed = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
needed += sizeof(sidWorld);
needed += sizeof(sidWorld);
needed += WINE_SIZE_OF_WORLD_ACCESS_ACL;
needed += WINE_SIZE_OF_WORLD_ACCESS_ACL;
if (!(buffer = heap_alloc( needed ))) return FALSE;
relative = (SECURITY_DESCRIPTOR_RELATIVE *)buffer;
if (!InitializeSecurityDescriptor( relative, SECURITY_DESCRIPTOR_REVISION ))
{
heap_free( buffer );
return FALSE;
}
relative->Control |= SE_SELF_RELATIVE;
offset = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
memcpy( buffer + offset, &sidWorld, sizeof(sidWorld) );
relative->Owner = offset;
offset += sizeof(sidWorld);
memcpy( buffer + offset, &sidWorld, sizeof(sidWorld) );
relative->Group = offset;
offset += sizeof(sidWorld);
GetWorldAccessACL( (ACL *)(buffer + offset) );
relative->Dacl = offset;
offset += WINE_SIZE_OF_WORLD_ACCESS_ACL;
GetWorldAccessACL( (ACL *)(buffer + offset) );
relative->Sacl = offset;
*out = relative;
return TRUE;
}
BOOL WINAPI CreatePrivateObjectSecurity(
PSECURITY_DESCRIPTOR parent, PSECURITY_DESCRIPTOR creator, PSECURITY_DESCRIPTOR *out,
BOOL is_container, HANDLE token, PGENERIC_MAPPING mapping)
{
return CreatePrivateObjectSecurityEx(parent, creator, out, NULL, is_container, 0, token, mapping);
}
BOOL WINAPI CreatePrivateObjectSecurityWithMultipleInheritance(
PSECURITY_DESCRIPTOR parent, PSECURITY_DESCRIPTOR creator, PSECURITY_DESCRIPTOR *out,
GUID **types, ULONG count, BOOL is_container, ULONG flags, HANDLE token, PGENERIC_MAPPING mapping)
{
FIXME(": semi-stub\n");
return CreatePrivateObjectSecurityEx(parent, creator, out, NULL, is_container, flags, token, mapping);
}
BOOL WINAPI DestroyPrivateObjectSecurity( PSECURITY_DESCRIPTOR* ObjectDescriptor )
{
FIXME("%p - stub\n", ObjectDescriptor);
heap_free( *ObjectDescriptor );
return TRUE;
}
/******************************************************************************
* CreateProcessWithLogonW
*/
BOOL WINAPI CreateProcessWithLogonW( LPCWSTR lpUsername, LPCWSTR lpDomain, LPCWSTR lpPassword, DWORD dwLogonFlags,
LPCWSTR lpApplicationName, LPWSTR lpCommandLine, DWORD dwCreationFlags, LPVOID lpEnvironment,
LPCWSTR lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation )
{
FIXME("%s %s %s 0x%08x %s %s 0x%08x %p %s %p %p stub\n", debugstr_w(lpUsername), debugstr_w(lpDomain),
debugstr_w(lpPassword), dwLogonFlags, debugstr_w(lpApplicationName),
debugstr_w(lpCommandLine), dwCreationFlags, lpEnvironment, debugstr_w(lpCurrentDirectory),
lpStartupInfo, lpProcessInformation);
return FALSE;
}
BOOL WINAPI CreateProcessWithTokenW(HANDLE token, DWORD logon_flags, LPCWSTR application_name, LPWSTR command_line,
DWORD creation_flags, void *environment, LPCWSTR current_directory, STARTUPINFOW *startup_info,
PROCESS_INFORMATION *process_information )
{
FIXME("%p 0x%08x %s %s 0x%08x %p %s %p %p - semi-stub\n", token,
logon_flags, debugstr_w(application_name), debugstr_w(command_line),
creation_flags, environment, debugstr_w(current_directory),
startup_info, process_information);
/* FIXME: check if handles should be inherited */
return CreateProcessW( application_name, command_line, NULL, NULL, FALSE, creation_flags, environment,
current_directory, startup_info, process_information );
}
/******************************************************************************
* DuplicateTokenEx [ADVAPI32.@]
*/
BOOL WINAPI DuplicateTokenEx(
HANDLE ExistingTokenHandle, DWORD dwDesiredAccess,
LPSECURITY_ATTRIBUTES lpTokenAttributes,
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
TOKEN_TYPE TokenType,
PHANDLE DuplicateTokenHandle )
{
OBJECT_ATTRIBUTES ObjectAttributes;
TRACE("%p 0x%08x 0x%08x 0x%08x %p\n", ExistingTokenHandle, dwDesiredAccess,
ImpersonationLevel, TokenType, DuplicateTokenHandle);
InitializeObjectAttributes(
&ObjectAttributes,
NULL,
(lpTokenAttributes && lpTokenAttributes->bInheritHandle) ? OBJ_INHERIT : 0,
NULL,
lpTokenAttributes ? lpTokenAttributes->lpSecurityDescriptor : NULL );
return set_ntstatus( NtDuplicateToken( ExistingTokenHandle,
dwDesiredAccess,
&ObjectAttributes,
ImpersonationLevel,
TokenType,
DuplicateTokenHandle ) );
}
BOOL WINAPI DuplicateToken(
HANDLE ExistingTokenHandle,
SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
PHANDLE DuplicateTokenHandle )
{
return DuplicateTokenEx( ExistingTokenHandle, TOKEN_IMPERSONATE | TOKEN_QUERY,
NULL, ImpersonationLevel, TokenImpersonation,
DuplicateTokenHandle );
}
/******************************************************************************
* ComputeStringSidSize
*/
static DWORD ComputeStringSidSize(LPCWSTR StringSid)
{
if (StringSid[0] == 'S' && StringSid[1] == '-') /* S-R-I(-S)+ */
{
int ctok = 0;
while (*StringSid)
{
if (*StringSid == '-')
ctok++;
StringSid++;
}
if (ctok >= 3)
return GetSidLengthRequired(ctok - 2);
}
else /* String constant format - Only available in winxp and above */
{
unsigned int i;
for (i = 0; i < ARRAY_SIZE(WellKnownSids); i++)
if (!strncmpW(WellKnownSids[i].wstr, StringSid, 2))
return GetSidLengthRequired(WellKnownSids[i].Sid.SubAuthorityCount);
for (i = 0; i < ARRAY_SIZE(WellKnownRids); i++)
if (!strncmpW(WellKnownRids[i].wstr, StringSid, 2))
{
MAX_SID local;
ADVAPI_GetComputerSid(&local);
return GetSidLengthRequired(*GetSidSubAuthorityCount(&local) + 1);
}
}
return GetSidLengthRequired(0);
}
/******************************************************************************
* ParseStringSidToSid
*/
static BOOL ParseStringSidToSid(LPCWSTR StringSid, PSID pSid, LPDWORD cBytes)
{
BOOL bret = FALSE;
SID* pisid=pSid;
TRACE("%s, %p, %p\n", debugstr_w(StringSid), pSid, cBytes);
if (!StringSid)
{
SetLastError(ERROR_INVALID_PARAMETER);
TRACE("StringSid is NULL, returning FALSE\n");
return FALSE;
}
while (*StringSid == ' ')
StringSid++;
*cBytes = ComputeStringSidSize(StringSid);
if (!pisid) /* Simply compute the size */
{
TRACE("only size requested, returning TRUE with %d\n", *cBytes);
return TRUE;
}
if (StringSid[0] == 'S' && StringSid[1] == '-') /* S-R-I-S-S */
{
DWORD i = 0, identAuth;
DWORD csubauth = ((*cBytes - GetSidLengthRequired(0)) / sizeof(DWORD));
StringSid += 2; /* Advance to Revision */
pisid->Revision = atoiW(StringSid);
if (pisid->Revision != SDDL_REVISION)
{
TRACE("Revision %d is unknown\n", pisid->Revision);
goto lend; /* ERROR_INVALID_SID */
}
if (csubauth == 0)
{
TRACE("SubAuthorityCount is 0\n");
goto lend; /* ERROR_INVALID_SID */
}
pisid->SubAuthorityCount = csubauth;
/* Advance to identifier authority */
while (*StringSid && *StringSid != '-')
StringSid++;
if (*StringSid == '-')
StringSid++;
/* MS' implementation can't handle values greater than 2^32 - 1, so
* we don't either; assume most significant bytes are always 0
*/
pisid->IdentifierAuthority.Value[0] = 0;
pisid->IdentifierAuthority.Value[1] = 0;
identAuth = atoiW(StringSid);
pisid->IdentifierAuthority.Value[5] = identAuth & 0xff;
pisid->IdentifierAuthority.Value[4] = (identAuth & 0xff00) >> 8;
pisid->IdentifierAuthority.Value[3] = (identAuth & 0xff0000) >> 16;
pisid->IdentifierAuthority.Value[2] = (identAuth & 0xff000000) >> 24;
/* Advance to first sub authority */
while (*StringSid && *StringSid != '-')
StringSid++;
if (*StringSid == '-')
StringSid++;
while (*StringSid)
{
pisid->SubAuthority[i++] = atoiW(StringSid);
while (*StringSid && *StringSid != '-')
StringSid++;
if (*StringSid == '-')
StringSid++;
}
if (i != pisid->SubAuthorityCount)
goto lend; /* ERROR_INVALID_SID */
bret = TRUE;
}
else /* String constant format - Only available in winxp and above */
{
unsigned int i;
pisid->Revision = SDDL_REVISION;
for (i = 0; i < ARRAY_SIZE(WellKnownSids); i++)
if (!strncmpW(WellKnownSids[i].wstr, StringSid, 2))
{
DWORD j;
pisid->SubAuthorityCount = WellKnownSids[i].Sid.SubAuthorityCount;
pisid->IdentifierAuthority = WellKnownSids[i].Sid.IdentifierAuthority;
for (j = 0; j < WellKnownSids[i].Sid.SubAuthorityCount; j++)
pisid->SubAuthority[j] = WellKnownSids[i].Sid.SubAuthority[j];
bret = TRUE;
}
for (i = 0; i < ARRAY_SIZE(WellKnownRids); i++)
if (!strncmpW(WellKnownRids[i].wstr, StringSid, 2))
{
ADVAPI_GetComputerSid(pisid);
pisid->SubAuthority[pisid->SubAuthorityCount] = WellKnownRids[i].Rid;
pisid->SubAuthorityCount++;
bret = TRUE;
}
if (!bret)
FIXME("String constant not supported: %s\n", debugstr_wn(StringSid, 2));
}
lend:
if (!bret)
SetLastError(ERROR_INVALID_SID);
TRACE("returning %s\n", bret ? "TRUE" : "FALSE");
return bret;
}
/******************************************************************************
* GetNamedSecurityInfoA [ADVAPI32.@]
*/
DWORD WINAPI GetNamedSecurityInfoA(LPSTR pObjectName,
SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo,
PSID* ppsidOwner, PSID* ppsidGroup, PACL* ppDacl, PACL* ppSacl,
PSECURITY_DESCRIPTOR* ppSecurityDescriptor)
{
LPWSTR wstr;
DWORD r;
TRACE("%s %d %d %p %p %p %p %p\n", pObjectName, ObjectType, SecurityInfo,
ppsidOwner, ppsidGroup, ppDacl, ppSacl, ppSecurityDescriptor);
wstr = SERV_dup(pObjectName);
r = GetNamedSecurityInfoW( wstr, ObjectType, SecurityInfo, ppsidOwner,
ppsidGroup, ppDacl, ppSacl, ppSecurityDescriptor );
heap_free( wstr );
return r;
}
/******************************************************************************
* GetNamedSecurityInfoW [ADVAPI32.@]
*/
DWORD WINAPI GetNamedSecurityInfoW( LPWSTR name, SE_OBJECT_TYPE type,
SECURITY_INFORMATION info, PSID* owner, PSID* group, PACL* dacl,
PACL* sacl, PSECURITY_DESCRIPTOR* descriptor )
{
DWORD access = 0;
HANDLE handle;
DWORD err;
TRACE( "%s %d %d %p %p %p %p %p\n", debugstr_w(name), type, info, owner,
group, dacl, sacl, descriptor );
/* A NULL descriptor is allowed if any one of the other pointers is not NULL */
if (!name || !(owner||group||dacl||sacl||descriptor) ) return ERROR_INVALID_PARAMETER;
/* If no descriptor, we have to check that there's a pointer for the requested information */
if( !descriptor && (
((info & OWNER_SECURITY_INFORMATION) && !owner)
|| ((info & GROUP_SECURITY_INFORMATION) && !group)
|| ((info & DACL_SECURITY_INFORMATION) && !dacl)
|| ((info & SACL_SECURITY_INFORMATION) && !sacl) ))
return ERROR_INVALID_PARAMETER;
if (info & (OWNER_SECURITY_INFORMATION|GROUP_SECURITY_INFORMATION|DACL_SECURITY_INFORMATION))
access |= READ_CONTROL;
if (info & SACL_SECURITY_INFORMATION)
access |= ACCESS_SYSTEM_SECURITY;
switch (type)
{
case SE_SERVICE:
if (!(err = get_security_service( name, access, &handle )))
{
err = GetSecurityInfo( handle, type, info, owner, group, dacl, sacl, descriptor );
CloseServiceHandle( handle );
}
break;
case SE_REGISTRY_KEY:
if (!(err = get_security_regkey( name, access, &handle )))
{
err = GetSecurityInfo( handle, type, info, owner, group, dacl, sacl, descriptor );
RegCloseKey( handle );
}
break;
case SE_FILE_OBJECT:
if (!(err = get_security_file( name, access, &handle )))
{
err = GetSecurityInfo( handle, type, info, owner, group, dacl, sacl, descriptor );
CloseHandle( handle );
}
break;
default:
FIXME( "Object type %d is not currently supported.\n", type );
if (owner) *owner = NULL;
if (group) *group = NULL;
if (dacl) *dacl = NULL;
if (sacl) *sacl = NULL;
if (descriptor) *descriptor = NULL;
return ERROR_SUCCESS;
}
return err;
}
/******************************************************************************
* GetNamedSecurityInfoExW [ADVAPI32.@]
*/
DWORD WINAPI GetNamedSecurityInfoExW( LPCWSTR object, SE_OBJECT_TYPE type,
SECURITY_INFORMATION info, LPCWSTR provider, LPCWSTR property,
PACTRL_ACCESSW* access_list, PACTRL_AUDITW* audit_list, LPWSTR* owner, LPWSTR* group )
{
FIXME("(%s, %d, %d, %s, %s, %p, %p, %p, %p) stub\n", debugstr_w(object), type, info,
debugstr_w(provider), debugstr_w(property), access_list, audit_list, owner, group);
return ERROR_CALL_NOT_IMPLEMENTED;
}
/******************************************************************************
* GetNamedSecurityInfoExA [ADVAPI32.@]
*/
DWORD WINAPI GetNamedSecurityInfoExA( LPCSTR object, SE_OBJECT_TYPE type,
SECURITY_INFORMATION info, LPCSTR provider, LPCSTR property,
PACTRL_ACCESSA* access_list, PACTRL_AUDITA* audit_list, LPSTR* owner, LPSTR* group )
{
FIXME("(%s, %d, %d, %s, %s, %p, %p, %p, %p) stub\n", debugstr_a(object), type, info,
debugstr_a(provider), debugstr_a(property), access_list, audit_list, owner, group);
return ERROR_CALL_NOT_IMPLEMENTED;
}
/******************************************************************************
* DecryptFileW [ADVAPI32.@]
*/
BOOL WINAPI DecryptFileW(LPCWSTR lpFileName, DWORD dwReserved)
{
FIXME("(%s, %08x): stub\n", debugstr_w(lpFileName), dwReserved);
return TRUE;
}
/******************************************************************************
* DecryptFileA [ADVAPI32.@]
*/
BOOL WINAPI DecryptFileA(LPCSTR lpFileName, DWORD dwReserved)
{
FIXME("(%s, %08x): stub\n", debugstr_a(lpFileName), dwReserved);
return TRUE;
}
/******************************************************************************
* EncryptFileW [ADVAPI32.@]
*/
BOOL WINAPI EncryptFileW(LPCWSTR lpFileName)
{
FIXME("(%s): stub\n", debugstr_w(lpFileName));
return TRUE;
}
/******************************************************************************
* EncryptFileA [ADVAPI32.@]
*/
BOOL WINAPI EncryptFileA(LPCSTR lpFileName)
{
FIXME("(%s): stub\n", debugstr_a(lpFileName));
return TRUE;
}
/******************************************************************************
* FileEncryptionStatusW [ADVAPI32.@]
*/
BOOL WINAPI FileEncryptionStatusW(LPCWSTR lpFileName, LPDWORD lpStatus)
{
FIXME("(%s %p): stub\n", debugstr_w(lpFileName), lpStatus);
if (!lpStatus)
return FALSE;
*lpStatus = FILE_SYSTEM_NOT_SUPPORT;
return TRUE;
}
/******************************************************************************
* FileEncryptionStatusA [ADVAPI32.@]
*/
BOOL WINAPI FileEncryptionStatusA(LPCSTR lpFileName, LPDWORD lpStatus)
{
FIXME("(%s %p): stub\n", debugstr_a(lpFileName), lpStatus);
if (!lpStatus)
return FALSE;
*lpStatus = FILE_SYSTEM_NOT_SUPPORT;
return TRUE;
}
/******************************************************************************
* SetSecurityInfo [ADVAPI32.@]
*/
DWORD WINAPI SetSecurityInfo(HANDLE handle, SE_OBJECT_TYPE ObjectType,
SECURITY_INFORMATION SecurityInfo, PSID psidOwner,
PSID psidGroup, PACL pDacl, PACL pSacl)
{
SECURITY_DESCRIPTOR sd;
PACL dacl = pDacl;
NTSTATUS status;
if (!InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION))
return ERROR_INVALID_SECURITY_DESCR;
if (SecurityInfo & OWNER_SECURITY_INFORMATION)
SetSecurityDescriptorOwner(&sd, psidOwner, FALSE);
if (SecurityInfo & GROUP_SECURITY_INFORMATION)
SetSecurityDescriptorGroup(&sd, psidGroup, FALSE);
if (SecurityInfo & DACL_SECURITY_INFORMATION)
{
if (ObjectType == SE_FILE_OBJECT && pDacl)
{
SECURITY_DESCRIPTOR_CONTROL control;
PSECURITY_DESCRIPTOR psd;
OBJECT_NAME_INFORMATION *name_info;
DWORD size, rev;
status = NtQuerySecurityObject(handle, SecurityInfo, NULL, 0, &size);
if (status != STATUS_BUFFER_TOO_SMALL)
return RtlNtStatusToDosError(status);
psd = heap_alloc(size);
if (!psd)
return ERROR_NOT_ENOUGH_MEMORY;
status = NtQuerySecurityObject(handle, SecurityInfo, psd, size, &size);
if (status)
{
heap_free(psd);
return RtlNtStatusToDosError(status);
}
status = RtlGetControlSecurityDescriptor(psd, &control, &rev);
heap_free(psd);
if (status)
return RtlNtStatusToDosError(status);
/* TODO: copy some control flags to new sd */
/* inherit parent directory DACL */
if (!(control & SE_DACL_PROTECTED))
{
status = NtQueryObject(handle, ObjectNameInformation, NULL, 0, &size);
if (status != STATUS_INFO_LENGTH_MISMATCH)
return RtlNtStatusToDosError(status);
name_info = heap_alloc(size);
if (!name_info)
return ERROR_NOT_ENOUGH_MEMORY;
status = NtQueryObject(handle, ObjectNameInformation, name_info, size, NULL);
if (status)
{
heap_free(name_info);
return RtlNtStatusToDosError(status);
}
for (name_info->Name.Length-=2; name_info->Name.Length>0; name_info->Name.Length-=2)
if (name_info->Name.Buffer[name_info->Name.Length/2-1]=='\\' ||
name_info->Name.Buffer[name_info->Name.Length/2-1]=='/')
break;
if (name_info->Name.Length)
{
OBJECT_ATTRIBUTES attr;
IO_STATUS_BLOCK io;
HANDLE parent;
PSECURITY_DESCRIPTOR parent_sd;
ACL *parent_dacl;
DWORD err = ERROR_ACCESS_DENIED;
name_info->Name.Buffer[name_info->Name.Length/2] = 0;
attr.Length = sizeof(attr);
attr.RootDirectory = 0;
attr.Attributes = 0;
attr.ObjectName = &name_info->Name;
attr.SecurityDescriptor = NULL;
status = NtOpenFile(&parent, READ_CONTROL|SYNCHRONIZE, &attr, &io,
FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
FILE_OPEN_FOR_BACKUP_INTENT);
heap_free(name_info);
if (!status)
{
err = GetSecurityInfo(parent, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
NULL, NULL, &parent_dacl, NULL, &parent_sd);
CloseHandle(parent);
}
if (!err)
{
int i;
dacl = heap_alloc_zero(pDacl->AclSize+parent_dacl->AclSize);
if (!dacl)
{
LocalFree(parent_sd);
return ERROR_NOT_ENOUGH_MEMORY;
}
memcpy(dacl, pDacl, pDacl->AclSize);
dacl->AclSize = pDacl->AclSize+parent_dacl->AclSize;
for (i=0; i<parent_dacl->AceCount; i++)
{
ACE_HEADER *ace;
if (!GetAce(parent_dacl, i, (void*)&ace))
continue;
if (!(ace->AceFlags & (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)))
continue;
if ((ace->AceFlags & (OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE)) !=
(OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE))
{
FIXME("unsupported flags: %x\n", ace->AceFlags);
continue;
}
if (ace->AceFlags & NO_PROPAGATE_INHERIT_ACE)
ace->AceFlags &= ~(OBJECT_INHERIT_ACE|CONTAINER_INHERIT_ACE|NO_PROPAGATE_INHERIT_ACE);
ace->AceFlags &= ~INHERIT_ONLY_ACE;
ace->AceFlags |= INHERITED_ACE;
if(!AddAce(dacl, ACL_REVISION, MAXDWORD, ace, ace->AceSize))
WARN("error adding inherited ACE\n");
}
LocalFree(parent_sd);
}
}
else
heap_free(name_info);
}
}
SetSecurityDescriptorDacl(&sd, TRUE, dacl, FALSE);
}
if (SecurityInfo & SACL_SECURITY_INFORMATION)
SetSecurityDescriptorSacl(&sd, TRUE, pSacl, FALSE);
switch (ObjectType)
{
case SE_SERVICE:
FIXME("stub: Service objects are not supported at this time.\n");
status = STATUS_SUCCESS; /* Implement SetServiceObjectSecurity */
break;
default:
status = NtSetSecurityObject(handle, SecurityInfo, &sd);
break;
}
if (dacl != pDacl)
heap_free(dacl);
return RtlNtStatusToDosError(status);
}
/******************************************************************************
* SaferCreateLevel [ADVAPI32.@]
*/
BOOL WINAPI SaferCreateLevel(DWORD ScopeId, DWORD LevelId, DWORD OpenFlags,
SAFER_LEVEL_HANDLE* LevelHandle, LPVOID lpReserved)
{
FIXME("(%u, %x, %u, %p, %p) stub\n", ScopeId, LevelId, OpenFlags, LevelHandle, lpReserved);
*LevelHandle = (SAFER_LEVEL_HANDLE)0xdeadbeef;
return TRUE;
}
/******************************************************************************
* SaferComputeTokenFromLevel [ADVAPI32.@]
*/
BOOL WINAPI SaferComputeTokenFromLevel(SAFER_LEVEL_HANDLE handle, HANDLE token, PHANDLE access_token,
DWORD flags, LPVOID reserved)
{
FIXME("(%p, %p, %p, %x, %p) stub\n", handle, token, access_token, flags, reserved);
*access_token = (HANDLE)0xdeadbeef;
return TRUE;
}
/******************************************************************************
* SaferCloseLevel [ADVAPI32.@]
*/
BOOL WINAPI SaferCloseLevel(SAFER_LEVEL_HANDLE handle)
{
FIXME("(%p) stub\n", handle);
return TRUE;
}
/******************************************************************************
* TreeResetNamedSecurityInfoW [ADVAPI32.@]
*/
DWORD WINAPI TreeResetNamedSecurityInfoW( LPWSTR pObjectName,
SE_OBJECT_TYPE ObjectType, SECURITY_INFORMATION SecurityInfo,
PSID pOwner, PSID pGroup, PACL pDacl, PACL pSacl,
BOOL KeepExplicit, FN_PROGRESS fnProgress,
PROG_INVOKE_SETTING ProgressInvokeSetting, PVOID Args)
{
FIXME("(%s, %i, %i, %p, %p, %p, %p, %i, %p, %i, %p) stub\n",
debugstr_w(pObjectName), ObjectType, SecurityInfo, pOwner, pGroup,
pDacl, pSacl, KeepExplicit, fnProgress, ProgressInvokeSetting, Args);
return ERROR_SUCCESS;
}
/******************************************************************************
* SaferGetPolicyInformation [ADVAPI32.@]
*/
BOOL WINAPI SaferGetPolicyInformation(DWORD scope, SAFER_POLICY_INFO_CLASS class, DWORD size,
PVOID buffer, PDWORD required, LPVOID lpReserved)
{
FIXME("(%u %u %u %p %p %p) stub\n", scope, class, size, buffer, required, lpReserved);
return FALSE;
}
/******************************************************************************
* SaferSetLevelInformation [ADVAPI32.@]
*/
BOOL WINAPI SaferSetLevelInformation(SAFER_LEVEL_HANDLE handle, SAFER_OBJECT_INFO_CLASS infotype,
LPVOID buffer, DWORD size)
{
FIXME("(%p %u %p %u) stub\n", handle, infotype, buffer, size);
return FALSE;
}
/******************************************************************************
* LookupSecurityDescriptorPartsA [ADVAPI32.@]
*/
DWORD WINAPI LookupSecurityDescriptorPartsA(TRUSTEEA *owner, TRUSTEEA *group, ULONG *access_count,
EXPLICIT_ACCESSA *access_list, ULONG *audit_count,
EXPLICIT_ACCESSA *audit_list, SECURITY_DESCRIPTOR *descriptor)
{
FIXME("(%p %p %p %p %p %p %p) stub\n", owner, group, access_count,
access_list, audit_count, audit_list, descriptor);
return ERROR_CALL_NOT_IMPLEMENTED;
}
/******************************************************************************
* LookupSecurityDescriptorPartsW [ADVAPI32.@]
*/
DWORD WINAPI LookupSecurityDescriptorPartsW(TRUSTEEW *owner, TRUSTEEW *group, ULONG *access_count,
EXPLICIT_ACCESSW *access_list, ULONG *audit_count,
EXPLICIT_ACCESSW *audit_list, SECURITY_DESCRIPTOR *descriptor)
{
FIXME("(%p %p %p %p %p %p %p) stub\n", owner, group, access_count,
access_list, audit_count, audit_list, descriptor);
return ERROR_CALL_NOT_IMPLEMENTED;
}