path: root/src/acl/ntapi_acl_helper.c
blob: 40fe4c48687d0ff8f3438d37d10f68e7ba096d4d (plain)
/********************************************************/
/*  ntapi: Native API core library                      */
/*  Copyright (C) 2013--2017  Z. Gilboa                 */
/*  Released under GPLv2 and GPLv3; see COPYING.NTAPI.  */
/********************************************************/

#include <psxtypes/psxtypes.h>
#include <ntapi/nt_status.h>
#include <ntapi/nt_object.h>
#include <ntapi/nt_acl.h>
#include "ntapi_impl.h"

/* Well-known SIDs used as the default trustees by the ACL helpers below.
 * Each initializer spells out the SID in "S-1-<authority>-<subauths>"
 * form: {revision, sub_authority_count, {identifier_authority bytes},
 * {sub_authorities}} -- presumably the field order of nt_sid, which the
 * helpers read via sub_authority_count / sub_authority (confirm against
 * ntapi/nt_acl.h).
 *
 * NOTE(review): the double-underscore names are reserved identifiers in
 * ISO C; kept here because the rest of ntapi follows the same convention. */
#define __SID_SYSTEM			{1,1,{{0,0,0,0,0,5}},{18}}		/* S-1-5-18     : LocalSystem              */
#define __SID_OWNER_RIGHTS		{1,1,{{0,0,0,0,0,3}},{4}}		/* S-1-3-4      : OWNER RIGHTS             */
#define __SID_AUTHENTICATED_USERS	{1,1,{{0,0,0,0,0,5}},{11}}		/* S-1-5-11     : Authenticated Users      */
#define __SID_ADMINISTRATORS		{1,2,{{0,0,0,0,0,5}},{32,544}}		/* S-1-5-32-544 : BUILTIN\Administrators   */

static const nt_sid    sid_system       = __SID_SYSTEM;
static const nt_sid    sid_owner_rights = __SID_OWNER_RIGHTS;
static const nt_sid    sid_auth_users   = __SID_AUTHENTICATED_USERS;
/* Administrators carries two sub-authorities; nt_sid_os is presumably the
 * wider SID type with room for them (see nt_acl.h). It is handed to the
 * helpers through a cast to nt_sid *. */
static const nt_sid_os sid_admins       = __SID_ADMINISTRATORS;

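/*
 * Append one ACCESS_ALLOWED ACE granting |mask| to |sid| at |ace| and
 * return the next free write position.
 *
 * ace:  current write position inside the caller's DACL buffer. No bound
 *       is checked here: the caller must guarantee the buffer can hold the
 *       ACE header plus the full SID.
 * mask: access mask for the ACE. A zero mask writes nothing, leaves |aces|
 *       unchanged and returns |ace| as-is, so callers can pass 0 to omit
 *       an entry.
 * sid:  trustee, copied into the ACE with tt_sid_copy. The ACE size is
 *       derived from sid->sub_authority_count.
 * aces: running ACE count, incremented only when an ACE is written.
 *
 * Returns the address one past the ACE just written (== ace when mask
 * is 0).
 */
static nt_access_allowed_ace * __acl_ace_init(
	nt_access_allowed_ace * ace,
	uint32_t		mask,
	const nt_sid *		sid,
	uint16_t *		aces)
{
	/* nothing to grant: leave buffer and count untouched */
	if (mask == 0)
		return ace;

	ace->mask             = mask;
	ace->header.ace_type  = NT_ACE_TYPE_ACCESS_ALLOWED;
	ace->header.ace_flags = 0;

	/* ace_size = fixed ACE prefix (up to sid_start)
	 *          + fixed SID prefix (up to sub_authority)
	 *          + one uint32_t per sub-authority */
	ace->header.ace_size  = sizeof(uint32_t) * sid->sub_authority_count
	                        + __offsetof(nt_access_allowed_ace,sid_start)
	                        + __offsetof(nt_sid,sub_authority);

	__ntapi->tt_sid_copy(
		(nt_sid *)&ace->sid_start,
		sid);

	(*aces)++;

	/* advance ace_size bytes: byte arithmetic via char * instead of a
	 * pointer -> size_t -> pointer round trip */
	return (nt_access_allowed_ace *)((char *)ace + ace->header.ace_size);
}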

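/*
 * Build a self-relative security descriptor with a DACL of up to five
 * ACCESS_ALLOWED ACEs into the caller-supplied common buffer.
 *
 * sd:            output buffer; header, owner SID and DACL are fully
 *                written on return. No size is checked here -- the buffer
 *                must be large enough for the owner SID and every ACE.
 * owner:         owner SID; NULL selects __ntapi_internals()->user
 *                (presumably the calling process's user SID -- confirm).
 * group:         trustee for group_access; NULL selects owner.
 * other:         trustee for other_access; NULL selects Authenticated Users.
 * admin:         trustee for admin_access; NULL selects BUILTIN\Administrators.
 * system_access: mask granted to LocalSystem (S-1-5-18).
 * owner_access:  mask granted to the OWNER RIGHTS SID (S-1-3-4).
 * group_access,
 * other_access,
 * admin_access:  masks granted to group, other and admin respectively.
 *
 * Any zero mask omits the corresponding ACE. ACE order is system, owner
 * rights, group, other, admin; all are allow ACEs, so the order does not
 * affect access evaluation.
 *
 * The DACL is always flagged present. When every mask is zero the result
 * is an empty DACL, which grants access to no one -- unlike an absent
 * DACL, which grants everyone full access. offset_group stays 0: the
 * group SID is used only as an ACE trustee, not stored as the descriptor's
 * primary group.
 */
void __stdcall __ntapi_acl_init_common_descriptor(
	__out	nt_sd_common_buffer *	sd,
	__in	const nt_sid *		owner,
	__in	const nt_sid *		group,
	__in	const nt_sid *		other,
	__in	const nt_sid *		admin,
	__in	uint32_t		owner_access,
	__in	uint32_t		group_access,
	__in	uint32_t		other_access,
	__in	uint32_t		admin_access,
	__in	uint32_t		system_access)
{
	nt_access_allowed_ace * ace;
	uint16_t                ace_count        = 0;

	/* sd header: self-relative, DACL present, no SACL, no primary group */
	sd->sd.revision         = 1;
	sd->sd.sbz_1st          = 0;
	sd->sd.control          = NT_SE_SELF_RELATIVE | NT_SE_DACL_PRESENT;
	sd->sd.offset_owner     = __offsetof(nt_sd_common_buffer,owner);
	sd->sd.offset_group     = 0;
	sd->sd.offset_dacl      = __offsetof(nt_sd_common_buffer,dacl);
	sd->sd.offset_sacl      = 0;

	/* owner, group, other, admin: default sid's; the admin default keeps
	 * its const qualifier (sid_admins is a const object) */
	owner = owner ? owner : __ntapi_internals()->user;
	group = group ? group : owner;
	other = other ? other : &sid_auth_users;
	admin = admin ? admin : (const nt_sid *)&sid_admins;

	/* owner sid */
	__ntapi->tt_sid_copy(
		(nt_sid *)&sd->owner,
		owner);

	/* ace's: __acl_ace_init writes nothing and returns its input for a
	 * zero mask, so no per-entry guard is needed */
	ace = (nt_access_allowed_ace *)&sd->buffer;
	ace = __acl_ace_init(ace,system_access,&sid_system,&ace_count);
	ace = __acl_ace_init(ace,owner_access,&sid_owner_rights,&ace_count);
	ace = __acl_ace_init(ace,group_access,group,&ace_count);
	ace = __acl_ace_init(ace,other_access,other,&ace_count);
	ace = __acl_ace_init(ace,admin_access,admin,&ace_count);

	/* dacl: ace now points one past the last ACE written, so the
	 * distance from the ACL header is the whole DACL size (assumes
	 * sd->buffer immediately follows sd->dacl in nt_sd_common_buffer) */
	sd->dacl.acl_revision   = 0x02;
	sd->dacl.sbz_1st        = 0;
	sd->dacl.acl_size       = (uint16_t)((char *)ace - (char *)&sd->dacl);
	sd->dacl.ace_count      = ace_count;
	sd->dacl.sbz_2nd        = 0;
}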