X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=windows%2Fwinsecur.c;h=df93a74c5baa4954ecabdb669200f7e8e7af0718;hb=5471539a6738484b48fb938c88dce547a3e4b299;hp=27f04dd59e1c4da05796428205141c6c2257aa02;hpb=9803b6acb036baea881abb9550c527bfca911cba;p=PuTTY.git diff --git a/windows/winsecur.c b/windows/winsecur.c index 27f04dd5..df93a74c 100644 --- a/windows/winsecur.c +++ b/windows/winsecur.c @@ -101,17 +101,19 @@ PSID get_user_sid(void) int make_private_security_descriptor(DWORD permissions, PSECURITY_DESCRIPTOR *psd, - PSID *networksid, PACL *acl, char **error) { + SID_IDENTIFIER_AUTHORITY world_auth = SECURITY_WORLD_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY; EXPLICIT_ACCESS ea[3]; int acl_err; int ret = FALSE; + /* Initialised once, then kept around to reuse forever */ + static PSID worldsid, networksid, usersid; + *psd = NULL; - *networksid = NULL; *acl = NULL; *error = NULL; @@ -120,30 +122,49 @@ int make_private_security_descriptor(DWORD permissions, goto cleanup; } - if (!AllocateAndInitializeSid(&nt_auth, 1, SECURITY_NETWORK_RID, - 0, 0, 0, 0, 0, 0, 0, networksid)) { - *error = dupprintf("unable to construct SID for " - "local same-user access only: %s", - win_strerror(GetLastError())); - goto cleanup; + if (!usersid) { + if ((usersid = get_user_sid()) == NULL) { + *error = dupprintf("unable to construct SID for current user: %s", + win_strerror(GetLastError())); + goto cleanup; + } + } + + if (!worldsid) { + if (!AllocateAndInitializeSid(&world_auth, 1, SECURITY_WORLD_RID, + 0, 0, 0, 0, 0, 0, 0, &worldsid)) { + *error = dupprintf("unable to construct SID for world: %s", + win_strerror(GetLastError())); + goto cleanup; + } + } + + if (!networksid) { + if (!AllocateAndInitializeSid(&nt_auth, 1, SECURITY_NETWORK_RID, + 0, 0, 0, 0, 0, 0, 0, &networksid)) { + *error = dupprintf("unable to construct SID for " + "local same-user access only: %s", + win_strerror(GetLastError())); + goto cleanup; + } } memset(ea, 0, sizeof(ea)); ea[0].grfAccessPermissions = permissions; ea[0].grfAccessMode = REVOKE_ACCESS; ea[0].grfInheritance = NO_INHERITANCE; - ea[0].Trustee.TrusteeForm = TRUSTEE_IS_NAME; - ea[0].Trustee.ptstrName = "EVERYONE"; + ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID; + ea[0].Trustee.ptstrName = (LPTSTR)worldsid; ea[1].grfAccessPermissions = permissions; ea[1].grfAccessMode = GRANT_ACCESS; ea[1].grfInheritance = NO_INHERITANCE; - ea[1].Trustee.TrusteeForm = TRUSTEE_IS_NAME; - ea[1].Trustee.ptstrName = "CURRENT_USER"; + ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID; + ea[1].Trustee.ptstrName = (LPTSTR)usersid; ea[2].grfAccessPermissions = permissions; ea[2].grfAccessMode = REVOKE_ACCESS; ea[2].grfInheritance = NO_INHERITANCE; ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID; - ea[2].Trustee.ptstrName = (LPTSTR)*networksid; + ea[2].Trustee.ptstrName = (LPTSTR)networksid; acl_err = p_SetEntriesInAclA(3, ea, NULL, acl); if (acl_err != ERROR_SUCCESS || *acl == NULL) { @@ -166,6 +187,12 @@ int make_private_security_descriptor(DWORD permissions, goto cleanup; } + if (!SetSecurityDescriptorOwner(*psd, usersid, FALSE)) { + *error = dupprintf("unable to set owner in security descriptor: %s", + win_strerror(GetLastError())); + goto cleanup; + } + if (!SetSecurityDescriptorDacl(*psd, TRUE, *acl, FALSE)) { *error = dupprintf("unable to set DACL in security descriptor: %s", win_strerror(GetLastError())); @@ -180,10 +207,6 @@ int make_private_security_descriptor(DWORD permissions, LocalFree(*psd); *psd = NULL; } - if (*networksid) { - LocalFree(*networksid); - *networksid = NULL; - } if (*acl) { LocalFree(*acl); *acl = NULL;