2 * winsecur.c: implementation of winsecur.h.
10 #if !defined NO_SECURITY
12 #define WINSECUR_GLOBAL
17 static int attempted = FALSE;
18 static int successful;
19 static HMODULE advapi;
23 advapi = load_system32_dll("advapi32.dll");
24 successful = advapi &&
25 GET_WINDOWS_FUNCTION(advapi, GetSecurityInfo) &&
26 GET_WINDOWS_FUNCTION(advapi, OpenProcessToken) &&
27 GET_WINDOWS_FUNCTION(advapi, GetTokenInformation) &&
28 GET_WINDOWS_FUNCTION(advapi, InitializeSecurityDescriptor) &&
29 GET_WINDOWS_FUNCTION(advapi, SetSecurityDescriptorOwner) &&
30 GET_WINDOWS_FUNCTION(advapi, SetEntriesInAclA);
37 static int attempted = FALSE;
38 static int successful;
43 crypt = load_system32_dll("crypt32.dll");
45 GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
50 PSID get_user_sid(void)
52 HANDLE proc = NULL, tok = NULL;
53 TOKEN_USER *user = NULL;
55 PSID sid = NULL, ret = NULL;
60 if ((proc = OpenProcess(MAXIMUM_ALLOWED, FALSE,
61 GetCurrentProcessId())) == NULL)
64 if (!p_OpenProcessToken(proc, TOKEN_QUERY, &tok))
67 if (!p_GetTokenInformation(tok, TokenUser, NULL, 0, &toklen) &&
68 GetLastError() != ERROR_INSUFFICIENT_BUFFER)
71 if ((user = (TOKEN_USER *)LocalAlloc(LPTR, toklen)) == NULL)
74 if (!p_GetTokenInformation(tok, TokenUser, user, toklen, &toklen))
77 sidlen = GetLengthSid(user->User.Sid);
79 sid = (PSID)smalloc(sidlen);
81 if (!CopySid(sidlen, sid, user->User.Sid))
84 /* Success. Move sid into the return value slot, and null it out
85 * to stop the cleanup code freeing it. */
102 int make_private_security_descriptor(DWORD permissions,
103 PSECURITY_DESCRIPTOR *psd,
107 SID_IDENTIFIER_AUTHORITY world_auth = SECURITY_WORLD_SID_AUTHORITY;
108 SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY;
109 EXPLICIT_ACCESS ea[3];
113 /* Initialised once, then kept around to reuse forever */
114 static PSID worldsid, networksid, usersid;
121 *error = dupprintf("unable to load advapi32.dll");
126 if ((usersid = get_user_sid()) == NULL) {
127 *error = dupprintf("unable to construct SID for current user: %s",
128 win_strerror(GetLastError()));
134 if (!AllocateAndInitializeSid(&world_auth, 1, SECURITY_WORLD_RID,
135 0, 0, 0, 0, 0, 0, 0, &worldsid)) {
136 *error = dupprintf("unable to construct SID for world: %s",
137 win_strerror(GetLastError()));
143 if (!AllocateAndInitializeSid(&nt_auth, 1, SECURITY_NETWORK_RID,
144 0, 0, 0, 0, 0, 0, 0, &networksid)) {
145 *error = dupprintf("unable to construct SID for "
146 "local same-user access only: %s",
147 win_strerror(GetLastError()));
152 memset(ea, 0, sizeof(ea));
153 ea[0].grfAccessPermissions = permissions;
154 ea[0].grfAccessMode = REVOKE_ACCESS;
155 ea[0].grfInheritance = NO_INHERITANCE;
156 ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
157 ea[0].Trustee.ptstrName = (LPTSTR)worldsid;
158 ea[1].grfAccessPermissions = permissions;
159 ea[1].grfAccessMode = GRANT_ACCESS;
160 ea[1].grfInheritance = NO_INHERITANCE;
161 ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
162 ea[1].Trustee.ptstrName = (LPTSTR)usersid;
163 ea[2].grfAccessPermissions = permissions;
164 ea[2].grfAccessMode = REVOKE_ACCESS;
165 ea[2].grfInheritance = NO_INHERITANCE;
166 ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID;
167 ea[2].Trustee.ptstrName = (LPTSTR)networksid;
169 acl_err = p_SetEntriesInAclA(3, ea, NULL, acl);
170 if (acl_err != ERROR_SUCCESS || *acl == NULL) {
171 *error = dupprintf("unable to construct ACL: %s",
172 win_strerror(acl_err));
176 *psd = (PSECURITY_DESCRIPTOR)
177 LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
179 *error = dupprintf("unable to allocate security descriptor: %s",
180 win_strerror(GetLastError()));
184 if (!InitializeSecurityDescriptor(*psd, SECURITY_DESCRIPTOR_REVISION)) {
185 *error = dupprintf("unable to initialise security descriptor: %s",
186 win_strerror(GetLastError()));
190 if (!SetSecurityDescriptorOwner(*psd, usersid, FALSE)) {
191 *error = dupprintf("unable to set owner in security descriptor: %s",
192 win_strerror(GetLastError()));
196 if (!SetSecurityDescriptorDacl(*psd, TRUE, *acl, FALSE)) {
197 *error = dupprintf("unable to set DACL in security descriptor: %s",
198 win_strerror(GetLastError()));
221 #endif /* !defined NO_SECURITY */