mirrors
/
tigervnc
mirror of https://github.com/TigerVNC/tigervnc.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 37 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4499 Commits
15 Branches
Tree: 969f927220
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '969f927220'
${ noResults }
tigervnc/win/rfb_win32/Security.cxx

Security.cxx 6.1KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186 
  1. /* Copyright (C) 2002-2005 RealVNC Ltd.  All Rights Reserved.

  2.  * 

  3.  * This is free software; you can redistribute it and/or modify

  4.  * it under the terms of the GNU General Public License as published by

  5.  * the Free Software Foundation; either version 2 of the License, or

  6.  * (at your option) any later version.

  7.  * 

  8.  * This software is distributed in the hope that it will be useful,

  9.  * but WITHOUT ANY WARRANTY; without even the implied warranty of

  10.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  11.  * GNU General Public License for more details.

  12.  * 

  13.  * You should have received a copy of the GNU General Public License

  14.  * along with this software; if not, write to the Free Software

  15.  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,

  16.  * USA.

  17.  */

  18. 

  19. // -=- Security.cxx

  20. 

  21. #ifdef HAVE_CONFIG_H

  22. #include <config.h>

  23. #endif

  24. 

  25. #include <rfb_win32/Security.h>

  26. #include <rfb/LogWriter.h>

  27. 

  28. #include <lmcons.h>

  29. #include <accctrl.h>

  30. #include <list>

  31. 

  32. using namespace rfb;

  33. using namespace rfb::win32;

  34. 

  35. static LogWriter vlog("SecurityWin32");

  36. 

  37. 

  38. Trustee::Trustee(const TCHAR* name,

  39.                  TRUSTEE_FORM form,

  40.                  TRUSTEE_TYPE type) {

  41.   pMultipleTrustee = 0;

  42.   MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;

  43.   TrusteeForm = form;

  44.   TrusteeType = type;

  45.   ptstrName = (TCHAR*)name;

  46. }

  47. 

  48. 

  49. ExplicitAccess::ExplicitAccess(const TCHAR* name,

  50.                                TRUSTEE_FORM type,

  51.                                DWORD perms,

  52.                                ACCESS_MODE mode,

  53.                                DWORD inherit) {

  54.   Trustee = rfb::win32::Trustee(name, type);

  55.   grfAccessPermissions = perms;

  56.   grfAccessMode = mode;

  57.   grfInheritance = inherit;

  58. }

  59. 

  60. 

  61. AccessEntries::AccessEntries() : entries(0), entry_count(0) {}

  62. 

  63. AccessEntries::~AccessEntries() {

  64.   delete [] entries;

  65. }

  66. 

  67. void AccessEntries::allocMinEntries(int count) {

  68.   if (count > entry_count) {

  69.     EXPLICIT_ACCESS* new_entries = new EXPLICIT_ACCESS[entry_count+1];

  70.     if (entries) {

  71.       memcpy(new_entries, entries, sizeof(EXPLICIT_ACCESS) * entry_count);

  72.       delete entries;

  73.     }

  74.     entries = new_entries;

  75.   }

  76. }

  77. 

  78. void AccessEntries::addEntry(const TCHAR* trusteeName,

  79.                              DWORD permissions,

  80.                              ACCESS_MODE mode) {

  81.   allocMinEntries(entry_count+1);

  82.   ZeroMemory(&entries[entry_count], sizeof(EXPLICIT_ACCESS));

  83.   entries[entry_count] = ExplicitAccess(trusteeName, TRUSTEE_IS_NAME, permissions, mode);

  84.   entry_count++;

  85. }

  86. 

  87. void AccessEntries::addEntry(const PSID sid,

  88.                              DWORD permissions,

  89.                              ACCESS_MODE mode) {

  90.   allocMinEntries(entry_count+1);

  91.   ZeroMemory(&entries[entry_count], sizeof(EXPLICIT_ACCESS));

  92.   entries[entry_count] = ExplicitAccess((TCHAR*)sid, TRUSTEE_IS_SID, permissions, mode);

  93.   entry_count++;

  94. }

  95. 

  96. 

  97. PSID Sid::copySID(const PSID sid) {

  98.   if (!IsValidSid(sid))

  99.     throw rdr::Exception("invalid SID in copyPSID");

  100.   PSID buf = (PSID)new rdr::U8[GetLengthSid(sid)];

  101.   if (!CopySid(GetLengthSid(sid), buf, sid))

  102.     throw rdr::SystemException("CopySid failed", GetLastError());

  103.   return buf;

  104. }

  105. 

  106. void Sid::setSID(const PSID sid) {

  107.   delete [] buf;

  108.   buf = (rdr::U8*)copySID(sid);

  109. }

  110. 

  111. void Sid::getUserNameAndDomain(TCHAR** name, TCHAR** domain) {

  112.   DWORD nameLen = 0;

  113.   DWORD domainLen = 0;

  114.   SID_NAME_USE use;

  115.   LookupAccountSid(0, (PSID)buf, 0, &nameLen, 0, &domainLen, &use);

  116.   if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)

  117.     throw rdr::SystemException("Unable to determine SID name lengths", GetLastError());

  118.   vlog.info("nameLen=%lu, domainLen=%lu, use=%d", nameLen, domainLen, use);

  119.   *name = new TCHAR[nameLen];

  120.   *domain = new TCHAR[domainLen];

  121.   if (!LookupAccountSid(0, (PSID)buf, *name, &nameLen, *domain, &domainLen, &use))

  122.     throw rdr::SystemException("Unable to lookup account SID", GetLastError());

  123. }

  124. 

  125. 

  126. Sid::Administrators::Administrators() {

  127.   PSID sid = 0;

  128.   SID_IDENTIFIER_AUTHORITY ntAuth = { SECURITY_NT_AUTHORITY };

  129.   if (!AllocateAndInitializeSid(&ntAuth, 2,

  130.                                 SECURITY_BUILTIN_DOMAIN_RID,

  131.                                 DOMAIN_ALIAS_RID_ADMINS,

  132.                                 0, 0, 0, 0, 0, 0, &sid)) 

  133.     throw rdr::SystemException("Sid::Administrators", GetLastError());

  134.   setSID(sid);

  135.   FreeSid(sid);

  136. }

  137. 

  138. Sid::SYSTEM::SYSTEM() {

  139.   PSID sid = 0;

  140.   SID_IDENTIFIER_AUTHORITY ntAuth = { SECURITY_NT_AUTHORITY };

  141.   if (!AllocateAndInitializeSid(&ntAuth, 1,

  142.                                 SECURITY_LOCAL_SYSTEM_RID,

  143.                                 0, 0, 0, 0, 0, 0, 0, &sid))

  144.           throw rdr::SystemException("Sid::SYSTEM", GetLastError());

  145.   setSID(sid);

  146.   FreeSid(sid);

  147. }

  148. 

  149. Sid::FromToken::FromToken(HANDLE h) {

  150.   DWORD required = 0;

  151.   GetTokenInformation(h, TokenUser, 0, 0, &required);

  152.   rdr::U8Array tmp(required);

  153.   if (!GetTokenInformation(h, TokenUser, tmp.buf, required, &required))

  154.     throw rdr::SystemException("GetTokenInformation", GetLastError());

  155.   TOKEN_USER* tokenUser = (TOKEN_USER*)tmp.buf;

  156.   setSID(tokenUser->User.Sid);

  157. }

  158. 

  159. 

  160. PACL rfb::win32::CreateACL(const AccessEntries& ae, PACL existing_acl) {

  161.   PACL new_dacl;

  162.   DWORD result;

  163.   if ((result = SetEntriesInAcl(ae.entry_count, ae.entries, existing_acl, &new_dacl)) != ERROR_SUCCESS)

  164.     throw rdr::SystemException("SetEntriesInAcl", result);

  165.   return new_dacl;

  166. }

  167. 

  168. 

  169. PSECURITY_DESCRIPTOR rfb::win32::CreateSdWithDacl(const PACL dacl) {

  170.   SECURITY_DESCRIPTOR absSD;

  171.   if (!InitializeSecurityDescriptor(&absSD, SECURITY_DESCRIPTOR_REVISION))

  172.     throw rdr::SystemException("InitializeSecurityDescriptor", GetLastError());

  173.   Sid::SYSTEM owner;

  174.   if (!SetSecurityDescriptorOwner(&absSD, owner, FALSE))

  175.     throw rdr::SystemException("SetSecurityDescriptorOwner", GetLastError());

  176.   Sid::Administrators group;

  177.   if (!SetSecurityDescriptorGroup(&absSD, group, FALSE))

  178.     throw rdr::SystemException("SetSecurityDescriptorGroupp", GetLastError());

  179.   if (!SetSecurityDescriptorDacl(&absSD, TRUE, dacl, FALSE))

  180.     throw rdr::SystemException("SetSecurityDescriptorDacl", GetLastError());

  181.   DWORD sdSize = GetSecurityDescriptorLength(&absSD);

  182.   SecurityDescriptorPtr sd(sdSize);

  183.   if (!MakeSelfRelativeSD(&absSD, (PSECURITY_DESCRIPTOR)sd.ptr, &sdSize))

  184.     throw rdr::SystemException("MakeSelfRelativeSD", GetLastError());

  185.   return sd.takeSD();

  186. }