From 32ec331902bc3f278c10257a129f2620ae7d30b0 Mon Sep 17 00:00:00 2001 From: midipix Date: Mar 30 2018 01:56:42 +0000 Subject: acl helper interfaces: added ntapi_acl_init_common_descriptor_meta(). --- diff --git a/include/ntapi/nt_acl.h b/include/ntapi/nt_acl.h index fac3109..c0ebb9f 100644 --- a/include/ntapi/nt_acl.h +++ b/include/ntapi/nt_acl.h @@ -51,6 +51,10 @@ typedef enum _nt_sid_name_use { #define NT_ACE_SUCCESSFUL_ACCESS_ACE_FLAG (0x40) #define NT_ACE_FAILED_ACCESS_ACE_FLAG (0x80) +/* acl_init_common_descriptor_meta option bits */ +#define NT_ACL_INIT_COMMON_DESCRIPTION_META_QUERY_MODE (0x00) +#define NT_ACL_INIT_COMMON_DESCRIPTION_META_STRICT_MODE (0x01) + typedef struct _nt_ace_header { unsigned char ace_type; unsigned char ace_flags; @@ -129,8 +133,6 @@ typedef struct _nt_sd_common_meta { nt_sid * owner; nt_sid * group; nt_acl * dacl; - nt_access_allowed_ace * system_ace; - nt_sid * system_sid; nt_access_allowed_ace * owner_ace; nt_sid * owner_sid; nt_access_allowed_ace * group_ace; @@ -139,6 +141,7 @@ typedef struct _nt_sd_common_meta { nt_sid * other_sid; nt_access_allowed_ace * admin_ace; nt_sid * admin_sid; + uint32_t system_acc; } nt_sd_common_meta; typedef struct _nt_sd_common_buffer { @@ -163,4 +166,9 @@ typedef void __stdcall ntapi_acl_init_common_descriptor( __in uint32_t admin_access, __in uint32_t system_access); +typedef int32_t __stdcall ntapi_acl_init_common_descriptor_meta( + __out nt_sd_common_meta * meta, + __in nt_sd * sd, + __in uint32_t options); + #endif diff --git a/include/ntapi/ntapi.h b/include/ntapi/ntapi.h index fbd5694..a4c4b66 100644 --- a/include/ntapi/ntapi.h +++ b/include/ntapi/ntapi.h @@ -561,6 +561,7 @@ typedef struct _ntapi_vtbl { /* nt_acl.h */ ntapi_acl_init_common_descriptor * acl_init_common_descriptor; + ntapi_acl_init_common_descriptor_meta * acl_init_common_descriptor_meta; /* nt_vfd.h */ ntapi_vfd_dev_name_init * vfd_dev_name_init; diff --git a/src/acl/ntapi_acl_helper.c b/src/acl/ntapi_acl_helper.c index 40fe4c4..024dbd4 100644 --- a/src/acl/ntapi_acl_helper.c +++ b/src/acl/ntapi_acl_helper.c @@ -98,3 +98,175 @@ void __stdcall __ntapi_acl_init_common_descriptor( sd->dacl.ace_count = ace_count; sd->dacl.sbz_2nd = 0; } + +static int32_t __acl_init_common_meta_impl( + __out nt_sd_common_meta * meta, + __in nt_sd * sd) +{ + int i; + nt_sid * sid; + nt_acl * acl; + nt_access_allowed_ace * ace; + unsigned char * value; + unsigned char sacnt; + char * mark = (char *)sd; + + meta->sd = sd; + meta->owner = sd->offset_owner ? (nt_sid *)(mark + sd->offset_owner) : 0; + meta->group = 0; + meta->dacl = sd->offset_dacl ? (nt_acl *)(mark + sd->offset_dacl) : 0; + + meta->owner_ace = 0; + meta->owner_sid = 0; + meta->group_ace = 0; + meta->group_sid = 0; + meta->other_ace = 0; + meta->other_sid = 0; + meta->admin_ace = 0; + meta->admin_sid = 0; + meta->system_acc = 0; + + if (!meta->owner) + return NT_STATUS_INVALID_OWNER; + + if (!(acl = meta->dacl)) + return NT_STATUS_SUCCESS; + + if (acl->ace_count == 0) + return NT_STATUS_SUCCESS; + + if (acl->ace_count > 5) + return NT_STATUS_NOT_SUPPORTED; + + ace = (nt_access_allowed_ace *)&acl[1]; + + for (i=0; iace_count; i++) { + if (ace->header.ace_type != NT_ACE_TYPE_ACCESS_ALLOWED) + return NT_STATUS_NOT_SUPPORTED; + + mark = (char *)ace + ace->header.ace_size; + ace = (nt_access_allowed_ace *)mark; + } + + ace = (nt_access_allowed_ace *)&acl[1]; + + for (i=0; iace_count; i++) { + sid = (nt_sid *)&ace->sid_start; + value = sid->identifier_authority.value; + + if (!(__ntapi->tt_sid_compare(sid,&sid_system))) + meta->system_acc = ace->mask; + + else if (!(__ntapi->tt_sid_compare(sid,&sid_owner_rights))) { + if (meta->owner_ace) + return NT_STATUS_INVALID_ACL; + + meta->owner_ace = ace; + meta->owner_sid = sid; + } + + else if (!(__ntapi->tt_sid_compare(sid,&sid_auth_users))) { + if (meta->other_ace) + return NT_STATUS_INVALID_ACL; + + meta->other_ace = ace; + meta->other_sid = sid; + } + + else if (!(__ntapi->tt_sid_compare(sid,meta->owner))) { + if (meta->group_ace) + return NT_STATUS_INVALID_ACL; + + meta->group_ace = ace; + meta->group_sid = sid; + } + + else if (!(__ntapi->tt_sid_compare(sid,(nt_sid *)&sid_admins))) { + if (meta->admin_ace) + return NT_STATUS_INVALID_ACL; + + meta->admin_ace = ace; + meta->admin_sid = sid; + } + + else if ((value[0] == 0) && (value[1] == 0) + && (value[2] == 0) && (value[3] == 0) + && (value[4] == 0) && (value[5] == 5) + && (sid->sub_authority[0] == 21) + && ((sacnt = sid->sub_authority_count)) + && (sid->sub_authority[sacnt - 1] == 500)) { + if (meta->admin_ace) + return NT_STATUS_INVALID_ACL; + + meta->admin_ace = ace; + meta->admin_sid = sid; + } + + else { + if (meta->group_ace) + return NT_STATUS_INVALID_ACL; + + meta->group_ace = ace; + meta->group_sid = sid; + meta->group = sid; + } + + mark = (char *)ace + ace->header.ace_size; + ace = (nt_access_allowed_ace *)mark; + } + + return NT_STATUS_SUCCESS; +} + +static int32_t __acl_init_common_meta_strict( + __out nt_sd_common_meta * meta, + __in nt_sd * sd) +{ + int32_t status; + nt_sd_common_meta m; + + if ((status = __acl_init_common_meta_impl(&m,sd))) + return status; + + meta->sd = m.sd; + meta->owner = m.owner; + meta->group = m.group; + meta->dacl = m.dacl; + + meta->owner_ace = m.owner_ace; + meta->owner_sid = m.owner_sid; + meta->group_ace = m.group_ace; + meta->group_sid = m.group_sid; + meta->other_ace = m.other_ace; + meta->other_sid = m.other_sid; + meta->admin_ace = m.admin_ace; + meta->admin_sid = m.admin_sid; + meta->system_acc = 0; + + return NT_STATUS_SUCCESS; +} + +static int32_t __acl_init_common_meta_query( + __out nt_sd_common_meta * meta, + __in nt_sd * sd) +{ + __acl_init_common_meta_impl(meta,sd); + return NT_STATUS_SUCCESS; +} + +int32_t __stdcall __ntapi_acl_init_common_descriptor_meta( + __out nt_sd_common_meta * meta, + __in nt_sd * sd, + __in uint32_t options) +{ + switch (options) { + case NT_ACL_INIT_COMMON_DESCRIPTION_META_QUERY_MODE: + return __acl_init_common_meta_query(meta,sd); + + case NT_ACL_INIT_COMMON_DESCRIPTION_META_STRICT_MODE: + return __acl_init_common_meta_strict(meta,sd); + + default: + return NT_STATUS_INVALID_PARAMETER; + } +} diff --git a/src/internal/ntapi.c b/src/internal/ntapi.c index aaf1b33..af9d4c0 100644 --- a/src/internal/ntapi.c +++ b/src/internal/ntapi.c @@ -355,6 +355,7 @@ static int32_t __fastcall __ntapi_init_once(ntapi_vtbl ** pvtbl) /* nt_acl.h */ __ntapi->acl_init_common_descriptor = __ntapi_acl_init_common_descriptor; + __ntapi->acl_init_common_descriptor_meta = __ntapi_acl_init_common_descriptor_meta; /* nt_vfd.h */ __ntapi->vfd_dev_name_init = __ntapi_vfd_dev_name_init; diff --git a/src/internal/ntapi_fnapi.h b/src/internal/ntapi_fnapi.h index 5aaae4c..90d9338 100644 --- a/src/internal/ntapi_fnapi.h +++ b/src/internal/ntapi_fnapi.h @@ -222,6 +222,7 @@ ntapi_dsr_internal_client_connect __ntapi_dsr_internal_client_connect; /* nt_acl.h */ ntapi_acl_init_common_descriptor __ntapi_acl_init_common_descriptor; +ntapi_acl_init_common_descriptor_meta __ntapi_acl_init_common_descriptor_meta; /* nt_vfd.h */ ntapi_vfd_dev_name_init __ntapi_vfd_dev_name_init;