/*++
Copyright (c) 1996 Microsoft Corporation
Module Name:
applyacl.c
Abstract:
Routines to apply default ACLs to system files and directories
during setup.
Author:
Ted Miller (tedm) 16-Feb-1996
Revision History:
--*/
#include "setupp.h"
#pragma hdrstop
#define MAXULONG 0xffffffff
//
// Universal well known SIDs
//
PSID NullSid;
PSID WorldSid;
PSID LocalSid;
PSID CreatorOwnerSid;
PSID CreatorGroupSid;
//
// SIDs defined by NT
//
PSID DialupSid;
PSID NetworkSid;
PSID BatchSid;
PSID InteractiveSid;
PSID ServiceSid;
PSID LocalSystemSid;
PSID AliasAdminsSid;
PSID AliasUsersSid;
PSID AliasGuestsSid;
PSID AliasPowerUsersSid;
PSID AliasAccountOpsSid;
PSID AliasSystemOpsSid;
PSID AliasPrintOpsSid;
PSID AliasBackupOpsSid;
PSID AliasReplicatorSid;
typedef struct _ACE_DATA {
ACCESS_MASK AccessMask;
PSID *Sid;
UCHAR AceType;
UCHAR AceFlags;
} ACE_DATA, *PACE_DATA;
//
// This structure is valid for access allowed, access denied, audit,
// and alarm ACEs.
//
typedef struct _ACE {
ACE_HEADER Header;
ACCESS_MASK Mask;
//
// The SID follows in the buffer
//
} ACE, *PACE;
//
// Number of ACEs currently defined for files and directories.
//
#define DIRS_AND_FILES_ACE_COUNT 19
//
// Table describing the data to put into each ACE.
//
// This table will be read during initialization and used to construct a
// series of ACEs. The index of each ACE in the Aces array defined below
// corresponds to the ordinals used in the ACL section of perms.inf
//
ACE_DATA AceDataTableForDirsAndFiles[DIRS_AND_FILES_ACE_COUNT] = {
//
// Index 0 is unused
//
{ 0,NULL,0,0 },
//
// ACE 1
// (for files and directories)
//
{
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
&AliasAccountOpsSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE
},
//
// ACE 2
// (for files and directories)
//
{
GENERIC_ALL,
&AliasAdminsSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 3
// (for files and directories)
//
{
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
&AliasAdminsSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE
},
//
// ACE 4
// (for files and directories)
//
{
GENERIC_ALL,
&CreatorOwnerSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 5
// (for files and directories)
//
{
GENERIC_ALL,
&NetworkSid,
ACCESS_DENIED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 6
// (for files and directories)
//
{
GENERIC_ALL,
&AliasPrintOpsSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 7
// (for files and directories)
//
{
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
&AliasReplicatorSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 8
// (for files and directories)
//
{
GENERIC_READ | GENERIC_EXECUTE,
&AliasReplicatorSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 9
// (for files and directories)
//
{
GENERIC_ALL,
&AliasSystemOpsSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 10
// (for files and directories)
//
{
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
&AliasSystemOpsSid,
ACCESS_ALLOWED_ACE_TYPE,
OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
},
//
// ACE 11
// (for files and directories)
//
{
GENERIC_ALL,
&WorldSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 12
// (for files and directories)
//
{
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE,
&WorldSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE
},
//
// ACE 13
// (for files and directories)
//
{
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
&WorldSid,
ACCESS_ALLOWED_ACE_TYPE,
OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
},
//
// ACE 14
// (for files and directories)
//
{
GENERIC_READ | GENERIC_EXECUTE,
&WorldSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE
},
//
// ACE 15
// (for files and directories)
//
{
GENERIC_READ | GENERIC_EXECUTE,
&WorldSid,
ACCESS_ALLOWED_ACE_TYPE,
OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
},
//
// ACE 16
// (for files and directories)
//
{
GENERIC_READ | GENERIC_EXECUTE | GENERIC_WRITE,
&WorldSid,
ACCESS_ALLOWED_ACE_TYPE,
OBJECT_INHERIT_ACE | CONTAINER_INHERIT_ACE
},
//
// ACE 17
// (for files and directories)
//
{
GENERIC_ALL,
&LocalSystemSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
},
//
// ACE 18
// (for files and directories)
//
{
GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE,
&AliasPowerUsersSid,
ACCESS_ALLOWED_ACE_TYPE,
CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE
}
};
//
// Array of ACEs to be applied to the objects (files and directories).
// They will be initialized during program startup based on the data in the
// AceDataTable. The index of each element corresponds to the
// ordinals used in the [ACL] section of perms.inf.
//
PACE AcesForDirsAndFiles[DIRS_AND_FILES_ACE_COUNT];
//
// Array that contains the size of each ACE in the
// array AcesForDirsAndFiles. These sizes are needed
// in order to allocate a buffer of the right size
// when we build an ACL.
//
ULONG AceSizesForDirsAndFiles[DIRS_AND_FILES_ACE_COUNT];
VOID
TearDownAces(
IN OUT PACE* AcesArray,
IN ULONG ArrayCount
);
VOID
TearDownSids(
VOID
);
DWORD
InitializeSids(
VOID
)
/*++
Routine Description:
This function initializes the global variables used by and exposed
by security.
Arguments:
None.
Return Value:
Win32 error indicating outcome.
--*/
{
SID_IDENTIFIER_AUTHORITY NullSidAuthority = SECURITY_NULL_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY WorldSidAuthority = SECURITY_WORLD_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY LocalSidAuthority = SECURITY_LOCAL_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY CreatorSidAuthority = SECURITY_CREATOR_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
BOOL b = TRUE;
//
// Ensure the SIDs are in a well-known state
//
NullSid = NULL;
WorldSid = NULL;
LocalSid = NULL;
CreatorOwnerSid = NULL;
CreatorGroupSid = NULL;
DialupSid = NULL;
NetworkSid = NULL;
BatchSid = NULL;
InteractiveSid = NULL;
ServiceSid = NULL;
LocalSystemSid = NULL;
AliasAdminsSid = NULL;
AliasUsersSid = NULL;
AliasGuestsSid = NULL;
AliasPowerUsersSid = NULL;
AliasAccountOpsSid = NULL;
AliasSystemOpsSid = NULL;
AliasPrintOpsSid = NULL;
AliasBackupOpsSid = NULL;
AliasReplicatorSid = NULL;
//
// Allocate and initialize the universal SIDs
//
b = b && AllocateAndInitializeSid(
&NullSidAuthority,
1,
SECURITY_NULL_RID,
0,0,0,0,0,0,0,
&NullSid
);
b = b && AllocateAndInitializeSid(
&WorldSidAuthority,
1,
SECURITY_WORLD_RID,
0,0,0,0,0,0,0,
&WorldSid
);
b = b && AllocateAndInitializeSid(
&LocalSidAuthority,
1,
SECURITY_LOCAL_RID,
0,0,0,0,0,0,0,
&LocalSid
);
b = b && AllocateAndInitializeSid(
&CreatorSidAuthority,
1,
SECURITY_CREATOR_OWNER_RID,
0,0,0,0,0,0,0,
&CreatorOwnerSid
);
b = b && AllocateAndInitializeSid(
&CreatorSidAuthority,
1,
SECURITY_CREATOR_GROUP_RID,
0,0,0,0,0,0,0,
&CreatorGroupSid
);
//
// Allocate and initialize the NT defined SIDs
//
b = b && AllocateAndInitializeSid(
&NtAuthority,
1,
SECURITY_DIALUP_RID,
0,0,0,0,0,0,0,
&DialupSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
1,
SECURITY_NETWORK_RID,
0,0,0,0,0,0,0,
&NetworkSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
1,
SECURITY_BATCH_RID,
0,0,0,0,0,0,0,
&BatchSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
1,
SECURITY_INTERACTIVE_RID,
0,0,0,0,0,0,0,
&InteractiveSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
1,
SECURITY_SERVICE_RID,
0,0,0,0,0,0,0,
&ServiceSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
1,
SECURITY_LOCAL_SYSTEM_RID,
0,0,0,0,0,0,0,
&LocalSystemSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0,0,0,0,0,0,
&AliasAdminsSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_USERS,
0,0,0,0,0,0,
&AliasUsersSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_GUESTS,
0,0,0,0,0,0,
&AliasGuestsSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_POWER_USERS,
0,0,0,0,0,0,
&AliasPowerUsersSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ACCOUNT_OPS,
0,0,0,0,0,0,
&AliasAccountOpsSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_SYSTEM_OPS,
0,0,0,0,0,0,
&AliasSystemOpsSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_PRINT_OPS,
0,0,0,0,0,0,
&AliasPrintOpsSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_BACKUP_OPS,
0,0,0,0,0,0,
&AliasBackupOpsSid
);
b = b && AllocateAndInitializeSid(
&NtAuthority,
2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_REPLICATOR,
0,0,0,0,0,0,
&AliasReplicatorSid
);
if(!b) {
TearDownSids();
}
return(b ? NO_ERROR : GetLastError());
}
VOID
TearDownSids(
VOID
)
{
if(NullSid) {
FreeSid(NullSid);
}
if(WorldSid) {
FreeSid(WorldSid);
}
if(LocalSid) {
FreeSid(LocalSid);
}
if(CreatorOwnerSid) {
FreeSid(CreatorOwnerSid);
}
if(CreatorGroupSid) {
FreeSid(CreatorGroupSid);
}
if(DialupSid) {
FreeSid(DialupSid);
}
if(NetworkSid) {
FreeSid(NetworkSid);
}
if(BatchSid) {
FreeSid(BatchSid);
}
if(InteractiveSid) {
FreeSid(InteractiveSid);
}
if(ServiceSid) {
FreeSid(ServiceSid);
}
if(LocalSystemSid) {
FreeSid(LocalSystemSid);
}
if(AliasAdminsSid) {
FreeSid(AliasAdminsSid);
}
if(AliasUsersSid) {
FreeSid(AliasUsersSid);
}
if(AliasGuestsSid) {
FreeSid(AliasGuestsSid);
}
if(AliasPowerUsersSid) {
FreeSid(AliasPowerUsersSid);
}
if(AliasAccountOpsSid) {
FreeSid(AliasAccountOpsSid);
}
if(AliasSystemOpsSid) {
FreeSid(AliasSystemOpsSid);
}
if(AliasPrintOpsSid) {
FreeSid(AliasPrintOpsSid);
}
if(AliasBackupOpsSid) {
FreeSid(AliasBackupOpsSid);
}
if(AliasReplicatorSid) {
FreeSid(AliasReplicatorSid);
}
}
DWORD
InitializeAces(
IN OUT PACE_DATA DataTable,
IN OUT PACE* AcesArray,
IN OUT PULONG AceSizesArray,
IN ULONG ArrayCount
)
/*++
Routine Description:
Initializes the array of ACEs as described in the DataTable
Arguments:
DataTable - Pointer to the array that contains the data
describing each ACE.
AcesArray - Array that will contain the ACEs.
AceSizesArray - Array that contains the sizes for each ACE.
ArrayCount - Number of elements in each array.
Return Value:
Win32 error code indicating outcome.
--*/
{
unsigned u;
DWORD Length;
DWORD rc;
BOOL b;
DWORD SidLength;
//
// Initialize to a known state.
//
ZeroMemory(AcesArray,ArrayCount*sizeof(PACE));
//
// Create ACEs for each item in the data table.
// This involves merging the ace data with the SID data, which
// are initialized in an earlier step.
//
for(u=1; u<ArrayCount; u++) {
SidLength = GetLengthSid(*(DataTable[u].Sid));
Length = SidLength + sizeof(ACE) + sizeof(ACCESS_MASK)- sizeof(ULONG);
AceSizesArray[u] = Length;
AcesArray[u] = malloc(Length);
if(!AcesArray[u]) {
TearDownAces(AcesArray, ArrayCount);
return(ERROR_NOT_ENOUGH_MEMORY);
}
AcesArray[u]->Header.AceType = DataTable[u].AceType;
AcesArray[u]->Header.AceFlags = DataTable[u].AceFlags;
AcesArray[u]->Header.AceSize = (WORD)Length;
AcesArray[u]->Mask = DataTable[u].AccessMask;
b = CopySid(
SidLength, // Length - sizeof(ACE) + sizeof(ULONG),
(PUCHAR)AcesArray[u] + sizeof(ACE),
*(DataTable[u].Sid)
);
if(!b) {
rc = GetLastError();
TearDownAces(AcesArray, ArrayCount);
return(rc);
}
}
return(NO_ERROR);
}
VOID
TearDownAces(
IN OUT PACE* AcesArray,
IN ULONG ArrayCount
)
/*++
Routine Description:
Destroys the array of ACEs as described in the DataTable
Arguments:
None
Return Value:
None
--*/
{
unsigned u;
for(u=1; u<ArrayCount; u++) {
if(AcesArray[u]) {
free(AcesArray[u]);
}
}
}
ULONG
ApplyAclToDirOrFile(
IN PCWSTR FullPath,
IN PULONG AcesToApply,
IN ULONG ArraySize
)
/*++
Routine Description:
Applies an ACL to a specified file or directory.
Arguments:
FullPath - supplies full win32 path to the file or directory
to receive the ACL
AcesIndexArray - Array that contains the index to the ACEs to be used in the ACL.
ArraySize - Number of elements in the array.
Return Value:
--*/
{
DWORD AceCount;
DWORD Ace;
INT AceIndex;
DWORD rc;
SECURITY_DESCRIPTOR SecurityDescriptor;
PACL Acl;
UCHAR AclBuffer[2048];
BOOL b;
PCWSTR AclSection;
ACL_SIZE_INFORMATION AclSizeInfo;
//
// Initialize a security descriptor and an ACL.
// We use a large static buffer to contain the ACL.
//
Acl = (PACL)AclBuffer;
if(!InitializeAcl(Acl,sizeof(AclBuffer),ACL_REVISION2)
|| !InitializeSecurityDescriptor(&SecurityDescriptor,SECURITY_DESCRIPTOR_REVISION)) {
return(GetLastError());
}
//
// Build up the DACL from the indices on the list we just looked up
// in the ACL section.
//
rc = NO_ERROR;
AceCount = ArraySize;
for(Ace=0; Ace < AceCount; Ace++) {
AceIndex = AcesToApply[ Ace ];
if((AceIndex == 0) || (AceIndex >= DIRS_AND_FILES_ACE_COUNT)) {
return(ERROR_INVALID_DATA);
}
b = AddAce(
Acl,
ACL_REVISION2,
MAXULONG,
AcesForDirsAndFiles[AceIndex],
AcesForDirsAndFiles[AceIndex]->Header.AceSize
);
//
// Track first error we encounter.
//
if(!b) {
rc = GetLastError();
}
}
if(rc != NO_ERROR) {
return(rc);
}
//
// Truncate the ACL, since only a fraction of the size we originally
// allocated for it is likely to be in use.
//
if(!GetAclInformation(Acl,&AclSizeInfo,sizeof(ACL_SIZE_INFORMATION),AclSizeInformation)) {
return(GetLastError());
}
Acl->AclSize = (WORD)AclSizeInfo.AclBytesInUse;
//
// Add the ACL to the security descriptor as the DACL
//
if(!SetSecurityDescriptorDacl(&SecurityDescriptor,TRUE,Acl,FALSE)) {
return(GetLastError());
}
//
// Finally, apply the security descriptor.
//
rc = SetFileSecurity(FullPath,DACL_SECURITY_INFORMATION,&SecurityDescriptor)
? NO_ERROR
: GetLastError();
return(rc);
}
DWORD
ApplySecurityToRepairInfo(
)
/*++
Routine Description:
Arguments:
Return Value:
--*/
{
DWORD d, TempError;
WCHAR Directory[MAX_PATH];
BOOL SetAclsNt;
DWORD FsFlags;
DWORD Result;
BOOL b;
ULONG Count;
PWSTR Files[] = {
L"sam",
L"security",
L"software",
L"system",
L"default",
L"ntuser.dat",
L"sam._",
L"security._",
L"software._",
L"system._",
L"default._",
L"ntuser.da_"
};
//
// Get the file system of the system drive.
// On x86 get the file system of the system partition.
//
d = NO_ERROR;
SetAclsNt = FALSE;
Result = GetWindowsDirectory(Directory,MAX_PATH);
if(Result == 0) {
MYASSERT(FALSE);
return( GetLastError());
}
Directory[3] = 0;
//
// ApplySecurity to directories and files, if needed
//
b = GetVolumeInformation(Directory,NULL,0,NULL,NULL,&FsFlags,NULL,0);
if(b && (FsFlags & FS_PERSISTENT_ACLS)) {
SetAclsNt = TRUE;
}
if(SetAclsNt) {
//
// Initialize SIDs
//
d = InitializeSids();
if(d != NO_ERROR) {
return(d);
}
//
// Initialize ACEs
//
d = InitializeAces(AceDataTableForDirsAndFiles, AcesForDirsAndFiles, AceSizesForDirsAndFiles, DIRS_AND_FILES_ACE_COUNT);
if(d != NO_ERROR) {
TearDownSids();
return(d);
}
//
// Go do the real work.
//
for( Count = 0; Count < sizeof( Files ) / sizeof( PWSTR ); Count++ ) {
ULONG AcesToApply[] = { 2,
17
};
GetWindowsDirectory(Directory,MAX_PATH);
wcscat( Directory, L"\\repair\\" );
wcscat( Directory, Files[ Count ] );
TempError = ApplyAclToDirOrFile( Directory, AcesToApply, sizeof( AcesToApply) / sizeof( ULONG ) );
if( TempError != NO_ERROR ) {
if( d == NO_ERROR ) {
d = TempError;
}
}
}
//
// Clean up.
//
TearDownAces(AcesForDirsAndFiles, DIRS_AND_FILES_ACE_COUNT);
TearDownSids();
}
return(d);
}