mirrors
/
tigervnc
mirror of https://github.com/TigerVNC/tigervnc.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 37 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4299 Commits
15 Branches
Tree: 41bf43b0b9
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '41bf43b0b9'
${ noResults }
tigervnc/win/rfb_win32/Security.cxx

Security.cxx 6.1KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182 
  1. /* Copyright (C) 2002-2005 RealVNC Ltd.  All Rights Reserved.

  2.  * 

  3.  * This is free software; you can redistribute it and/or modify

  4.  * it under the terms of the GNU General Public License as published by

  5.  * the Free Software Foundation; either version 2 of the License, or

  6.  * (at your option) any later version.

  7.  * 

  8.  * This software is distributed in the hope that it will be useful,

  9.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  10.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  11.  * GNU General Public License for more details.

  12.  * 

  13.  * You should have received a copy of the GNU General Public License

  14.  * along with this software; if not, write to the Free Software

  15.  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,

  16.  * USA.

  17.  */

  18. 

  19. // -=- Security.cxx

  20. 

  21. #include <rfb_win32/Security.h>

  22. #include <rfb/LogWriter.h>

  23. 

  24. #include <lmcons.h>

  25. #include <accctrl.h>

  26. #include <list>

  27. 

  28. using namespace rfb;

  29. using namespace rfb::win32;

  30. 

  31. static LogWriter vlog("SecurityWin32");

  32. 

  33. 

  34. Trustee::Trustee(const TCHAR* name,

  35.                  TRUSTEE_FORM form,

  36.                  TRUSTEE_TYPE type) {

  37.   pMultipleTrustee = 0;

  38.   MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;

  39.   TrusteeForm = form;

  40.   TrusteeType = type;

  41.   ptstrName = (TCHAR*)name;

  42. }

  43. 

  44. 

  45. ExplicitAccess::ExplicitAccess(const TCHAR* name,

  46.                                TRUSTEE_FORM type,

  47.                                DWORD perms,

  48.                                ACCESS_MODE mode,

  49.                                DWORD inherit) {

  50.   Trustee = rfb::win32::Trustee(name, type);

  51.   grfAccessPermissions = perms;

  52.   grfAccessMode = mode;

  53.   grfInheritance = inherit;

  54. }

  55. 

  56. 

  57. AccessEntries::AccessEntries() : entries(0), entry_count(0) {}

  58. 

  59. AccessEntries::~AccessEntries() {

  60.   delete [] entries;

  61. }

  62. 

  63. void AccessEntries::allocMinEntries(int count) {

  64.   if (count > entry_count) {

  65.     EXPLICIT_ACCESS* new_entries = new EXPLICIT_ACCESS[entry_count+1];

  66.     if (entries) {

  67.       memcpy(new_entries, entries, sizeof(EXPLICIT_ACCESS) * entry_count);

  68.       delete entries;

  69.     }

  70.     entries = new_entries;

  71.   }

  72. }

  73. 

  74. void AccessEntries::addEntry(const TCHAR* trusteeName,

  75.                              DWORD permissions,

  76.                              ACCESS_MODE mode) {

  77.   allocMinEntries(entry_count+1);

  78.   ZeroMemory(&entries[entry_count], sizeof(EXPLICIT_ACCESS));

  79.   entries[entry_count] = ExplicitAccess(trusteeName, TRUSTEE_IS_NAME, permissions, mode);

  80.   entry_count++;

  81. }

  82. 

  83. void AccessEntries::addEntry(const PSID sid,

  84.                              DWORD permissions,

  85.                              ACCESS_MODE mode) {

  86.   allocMinEntries(entry_count+1);

  87.   ZeroMemory(&entries[entry_count], sizeof(EXPLICIT_ACCESS));

  88.   entries[entry_count] = ExplicitAccess((TCHAR*)sid, TRUSTEE_IS_SID, permissions, mode);

  89.   entry_count++;

  90. }

  91. 

  92. 

  93. PSID Sid::copySID(const PSID sid) {

  94.   if (!IsValidSid(sid))

  95.     throw rdr::Exception("invalid SID in copyPSID");

  96.   PSID buf = (PSID)new rdr::U8[GetLengthSid(sid)];

  97.   if (!CopySid(GetLengthSid(sid), buf, sid))

  98.     throw rdr::SystemException("CopySid failed", GetLastError());

  99.   return buf;

  100. }

  101. 

  102. void Sid::setSID(const PSID sid) {

  103.   delete [] buf;

  104.   buf = (rdr::U8*)copySID(sid);

  105. }

  106. 

  107. void Sid::getUserNameAndDomain(TCHAR** name, TCHAR** domain) {

  108.   DWORD nameLen = 0;

  109.   DWORD domainLen = 0;

  110.   SID_NAME_USE use;

  111.   LookupAccountSid(0, (PSID)buf, 0, &nameLen, 0, &domainLen, &use);

  112.   if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)

  113.     throw rdr::SystemException("Unable to determine SID name lengths", GetLastError());

  114.   vlog.info("nameLen=%lu, domainLen=%lu, use=%d", nameLen, domainLen, use);

  115.   *name = new TCHAR[nameLen];

  116.   *domain = new TCHAR[domainLen];

  117.   if (!LookupAccountSid(0, (PSID)buf, *name, &nameLen, *domain, &domainLen, &use))

  118.     throw rdr::SystemException("Unable to lookup account SID", GetLastError());

  119. }

  120. 

  121. 

  122. Sid::Administrators::Administrators() {

  123.   PSID sid = 0;

  124.   SID_IDENTIFIER_AUTHORITY ntAuth = { SECURITY_NT_AUTHORITY };

  125.   if (!AllocateAndInitializeSid(&ntAuth, 2,

  126.                                 SECURITY_BUILTIN_DOMAIN_RID,

  127.                                 DOMAIN_ALIAS_RID_ADMINS,

  128.                                 0, 0, 0, 0, 0, 0, &sid)) 

  129.     throw rdr::SystemException("Sid::Administrators", GetLastError());

  130.   setSID(sid);

  131.   FreeSid(sid);

  132. }

  133. 

  134. Sid::SYSTEM::SYSTEM() {

  135.   PSID sid = 0;

  136.   SID_IDENTIFIER_AUTHORITY ntAuth = { SECURITY_NT_AUTHORITY };

  137.   if (!AllocateAndInitializeSid(&ntAuth, 1,

  138.                                 SECURITY_LOCAL_SYSTEM_RID,

  139.                                 0, 0, 0, 0, 0, 0, 0, &sid))

  140.           throw rdr::SystemException("Sid::SYSTEM", GetLastError());

  141.   setSID(sid);

  142.   FreeSid(sid);

  143. }

  144. 

  145. Sid::FromToken::FromToken(HANDLE h) {

  146.   DWORD required = 0;

  147.   GetTokenInformation(h, TokenUser, 0, 0, &required);

  148.   rdr::U8Array tmp(required);

  149.   if (!GetTokenInformation(h, TokenUser, tmp.buf, required, &required))

  150.     throw rdr::SystemException("GetTokenInformation", GetLastError());

  151.   TOKEN_USER* tokenUser = (TOKEN_USER*)tmp.buf;

  152.   setSID(tokenUser->User.Sid);

  153. }

  154. 

  155. 

  156. PACL rfb::win32::CreateACL(const AccessEntries& ae, PACL existing_acl) {

  157.   PACL new_dacl;

  158.   DWORD result;

  159.   if ((result = SetEntriesInAcl(ae.entry_count, ae.entries, existing_acl, &new_dacl)) != ERROR_SUCCESS)

  160.     throw rdr::SystemException("SetEntriesInAcl", result);

  161.   return new_dacl;

  162. }

  163. 

  164. 

  165. PSECURITY_DESCRIPTOR rfb::win32::CreateSdWithDacl(const PACL dacl) {

  166.   SECURITY_DESCRIPTOR absSD;

  167.   if (!InitializeSecurityDescriptor(&absSD, SECURITY_DESCRIPTOR_REVISION))

  168.     throw rdr::SystemException("InitializeSecurityDescriptor", GetLastError());

  169.   Sid::SYSTEM owner;

  170.   if (!SetSecurityDescriptorOwner(&absSD, owner, FALSE))

  171.     throw rdr::SystemException("SetSecurityDescriptorOwner", GetLastError());

  172.   Sid::Administrators group;

  173.   if (!SetSecurityDescriptorGroup(&absSD, group, FALSE))

  174.     throw rdr::SystemException("SetSecurityDescriptorGroupp", GetLastError());

  175.   if (!SetSecurityDescriptorDacl(&absSD, TRUE, dacl, FALSE))

  176.     throw rdr::SystemException("SetSecurityDescriptorDacl", GetLastError());

  177.   DWORD sdSize = GetSecurityDescriptorLength(&absSD);

  178.   SecurityDescriptorPtr sd(sdSize);

  179.   if (!MakeSelfRelativeSD(&absSD, (PSECURITY_DESCRIPTOR)sd.ptr, &sdSize))

  180.     throw rdr::SystemException("MakeSelfRelativeSD", GetLastError());

  181.   return sd.takeSD();

  182. }