/* Parameters for (repeated) creation of named pipe objects */
PSECURITY_DESCRIPTOR psd;
- PSID networksid;
PACL acl;
char *pipename;
CloseHandle(ps->connect_ovl.hEvent);
sfree(ps->error);
sfree(ps->pipename);
- if (ps->networksid)
- LocalFree(ps->networksid);
if (ps->acl)
LocalFree(ps->acl);
if (ps->psd)
ret->error = NULL;
ret->psd = NULL;
ret->pipename = dupstr(pipename);
- ret->networksid = NULL;
ret->acl = NULL;
assert(strncmp(pipename, "\\\\.\\pipe\\", 9) == 0);
assert(strchr(pipename + 9, '\\') == NULL);
if (!make_private_security_descriptor(GENERIC_READ | GENERIC_WRITE,
- &ret->psd, &ret->networksid,
- &ret->acl, &ret->error)) {
+ &ret->psd, &ret->acl, &ret->error)) {
goto cleanup;
}
int make_private_security_descriptor(DWORD permissions,
PSECURITY_DESCRIPTOR *psd,
- PSID *networksid,
PACL *acl,
char **error)
{
+ SID_IDENTIFIER_AUTHORITY world_auth = SECURITY_WORLD_SID_AUTHORITY;
SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY;
EXPLICIT_ACCESS ea[3];
int acl_err;
int ret = FALSE;
+ /* Initialised once, then kept around to reuse forever */
+ static PSID worldsid, networksid, usersid;
+
*psd = NULL;
- *networksid = NULL;
*acl = NULL;
*error = NULL;
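Review bot: The three `static PSID` caches declared here are filled lazily further down with plain `if (!usersid)`-style checks and no synchronization, so two threads making the first call at the same time could both allocate and one SID would leak. Nothing visible in this hunk says `make_private_security_descriptor` is only ever called from one thread. If that is the contract, the declaration comment should say so, for example `/* Initialised on first call and deliberately never freed; not thread-safe */`. The function body continues outside this hunk.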
goto cleanup;
}
- if (!AllocateAndInitializeSid(&nt_auth, 1, SECURITY_NETWORK_RID,
- 0, 0, 0, 0, 0, 0, 0, networksid)) {
- *error = dupprintf("unable to construct SID for "
- "local same-user access only: %s",
- win_strerror(GetLastError()));
- goto cleanup;
+ if (!usersid) {
+ if ((usersid = get_user_sid()) == NULL) {
+ *error = dupprintf("unable to construct SID for current user: %s",
+ win_strerror(GetLastError()));
+ goto cleanup;
+ }
+ }
+
+ if (!worldsid) {
+ if (!AllocateAndInitializeSid(&world_auth, 1, SECURITY_WORLD_RID,
+ 0, 0, 0, 0, 0, 0, 0, &worldsid)) {
+ *error = dupprintf("unable to construct SID for world: %s",
+ win_strerror(GetLastError()));
+ goto cleanup;
+ }
+ }
+
+ if (!networksid) {
+ if (!AllocateAndInitializeSid(&nt_auth, 1, SECURITY_NETWORK_RID,
+ 0, 0, 0, 0, 0, 0, 0, &networksid)) {
+ *error = dupprintf("unable to construct SID for "
+ "local same-user access only: %s",
+ win_strerror(GetLastError()));
+ goto cleanup;
+ }
}
memset(ea, 0, sizeof(ea));
ea[0].grfAccessPermissions = permissions;
ea[0].grfAccessMode = REVOKE_ACCESS;
ea[0].grfInheritance = NO_INHERITANCE;
- ea[0].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
- ea[0].Trustee.ptstrName = "EVERYONE";
+ ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+ ea[0].Trustee.ptstrName = (LPTSTR)worldsid;
ea[1].grfAccessPermissions = permissions;
ea[1].grfAccessMode = GRANT_ACCESS;
ea[1].grfInheritance = NO_INHERITANCE;
- ea[1].Trustee.TrusteeForm = TRUSTEE_IS_NAME;
- ea[1].Trustee.ptstrName = "CURRENT_USER";
+ ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+ ea[1].Trustee.ptstrName = (LPTSTR)usersid;
ea[2].grfAccessPermissions = permissions;
ea[2].grfAccessMode = REVOKE_ACCESS;
ea[2].grfInheritance = NO_INHERITANCE;
ea[2].Trustee.TrusteeForm = TRUSTEE_IS_SID;
- ea[2].Trustee.ptstrName = (LPTSTR)*networksid;
+ ea[2].Trustee.ptstrName = (LPTSTR)networksid;
acl_err = p_SetEntriesInAclA(3, ea, NULL, acl);
if (acl_err != ERROR_SUCCESS || *acl == NULL) {
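Review bot: Entries `ea[0]` and `ea[2]` use `REVOKE_ACCESS`, which as documented only removes existing allow ACEs for the trustee, and the old-ACL argument to `p_SetEntriesInAclA` is `NULL`, so these two entries probably contribute nothing to the new ACL. That leaves a single allow ACE for `usersid`, which excludes other users but would still match the same user arriving through a network logon. If the local-only restriction is meant to come from this ACL, `ea[2].grfAccessMode = DENY_ACCESS;` looks like what is needed; otherwise it has to be enforced where the pipe is created, which is not visible here. Separately, the `get_user_sid()` failure path reports `GetLastError()`, which is only meaningful if that helper leaves the failing call's error code intact. The function starts and ends outside this hunk.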
LocalFree(*psd);
*psd = NULL;
}
- if (*networksid) {
- LocalFree(*networksid);
- *networksid = NULL;
- }
if (*acl) {
LocalFree(*acl);
*acl = NULL;
* servers, i.e. allowing access only to the current user id and also
* only local (i.e. not over SMB) connections.
*
- * If this function returns TRUE, then 'psd', 'networksid' and 'acl'
- * will all have been filled in with memory allocated using LocalAlloc
- * (and hence must be freed later using LocalFree). If it returns
- * FALSE, then instead 'error' has been filled with a dynamically
- * allocated error message.
+ * If this function returns TRUE, then 'psd' and 'acl' will have been
+ * filled in with memory allocated using LocalAlloc (and hence must be
+ * freed later using LocalFree). If it returns FALSE, then instead
+ * 'error' has been filled with a dynamically allocated error message.
*/
int make_private_security_descriptor(DWORD permissions,
PSECURITY_DESCRIPTOR *psd,
- PSID *networksid,
PACL *acl,
char **error);
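Review bot: The updated contract comment no longer tells callers where the SIDs live or what the output pointers hold on failure. I would add `The SIDs used to build the ACL are cached inside the function and never freed.` and, if the cleanup path does reset both outputs as the implementation hunk suggests, `On FALSE return, '*psd' and '*acl' are NULL.` The opening lines of this comment are outside the hunk.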