From f2c0c51f781495be0d28a75e5d7a786bbe9dddda Mon Sep 17 00:00:00 2001 From: Peter Scott Date: Wed, 7 Dec 2011 20:29:00 -0500 Subject: [PATCH] Windows: include owner/group in Security DACL Include the World (Everyone) SID as the owner and group for all files in AFS. FIXES 130343 Change-Id: I01d697d7a6dea8e0bea67b81c14597c197b4241d Reviewed-on: http://gerrit.openafs.org/6236 Tested-by: BuildBot Reviewed-by: Jeffrey Altman Tested-by: Jeffrey Altman --- src/WINNT/afsrdr/kernel/lib/AFSData.cpp | 4 ++ src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp | 64 +++++++++++++++++++ src/WINNT/afsrdr/kernel/lib/AFSInit.cpp | 7 ++ .../afsrdr/kernel/lib/Include/AFSDefines.h | 6 ++ .../afsrdr/kernel/lib/Include/AFSExtern.h | 4 ++ 5 files changed, 85 insertions(+) diff --git a/src/WINNT/afsrdr/kernel/lib/AFSData.cpp b/src/WINNT/afsrdr/kernel/lib/AFSData.cpp index 377a3ef2b..d892c12dd 100644 --- a/src/WINNT/afsrdr/kernel/lib/AFSData.cpp +++ b/src/WINNT/afsrdr/kernel/lib/AFSData.cpp @@ -114,4 +114,8 @@ PAFSRtlSetSaclSecurityDescriptor AFSRtlSetSaclSecurityDescriptor = NULL; SECURITY_DESCRIPTOR *AFSDefaultSD = NULL; +PAFSRtlSetGroupSecurityDescriptor AFSRtlSetGroupSecurityDescriptor = NULL; + +SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY}; + } diff --git a/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp b/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp index 6d6b126e5..4146ced5a 100644 --- a/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp +++ b/src/WINNT/afsrdr/kernel/lib/AFSGeneric.cpp 
@@ -8083,10 +8083,35 @@ AFSCreateDefaultSecurityDescriptor() SECURITY_DESCRIPTOR *pSecurityDescr = NULL; ULONG ulSDLength = 0; SECURITY_DESCRIPTOR *pRelativeSecurityDescr = NULL; + PSID pWorldSID = NULL; + ULONG *pulSubAuthority = NULL; + ULONG ulWorldSIDLEngth = 0; __Enter { + ulWorldSIDLEngth = RtlLengthRequiredSid( 1); + + pWorldSID = (PSID)ExAllocatePoolWithTag( PagedPool, + ulWorldSIDLEngth, + AFS_GENERIC_MEMORY_29_TAG); + + if( pWorldSID == NULL) + { + AFSPrint( "AFSCreateDefaultSecurityDescriptor unable to allocate World SID\n"); + try_return( ntStatus = STATUS_INSUFFICIENT_RESOURCES); + } + + RtlZeroMemory( pWorldSID, + ulWorldSIDLEngth); + + RtlInitializeSid( pWorldSID, + &SeWorldSidAuthority, + 1); + + pulSubAuthority = RtlSubAuthoritySid(pWorldSID, 0); + *pulSubAuthority = SECURITY_WORLD_RID; + if( AFSRtlSetSaclSecurityDescriptor == NULL) { @@ -8206,6 +8231,39 @@ AFSCreateDefaultSecurityDescriptor() } } + // + // Add in the group and owner to the SD + // + + if( AFSRtlSetGroupSecurityDescriptor != NULL) + { + ntStatus = AFSRtlSetGroupSecurityDescriptor( pSecurityDescr, + pWorldSID, + FALSE); + + if( !NT_SUCCESS( ntStatus)) + { + + AFSPrint( "AFSCreateDefaultSecurityDescriptor RtlSetGroupSecurityDescriptor failed ntStatus %08lX\n", + ntStatus); + + try_return( ntStatus); + } + } + + ntStatus = RtlSetOwnerSecurityDescriptor( pSecurityDescr, + pWorldSID, + FALSE); + + if( !NT_SUCCESS( ntStatus)) + { + + AFSPrint( "AFSCreateDefaultSecurityDescriptor RtlSetOwnerSecurityDescriptor failed ntStatus %08lX\n", + ntStatus); + + try_return( ntStatus); + } + if( !RtlValidSecurityDescriptor( pSecurityDescr)) { @@ -8268,6 +8326,11 @@ try_exit: { ExFreePool( pACE); } + + if( pWorldSID != NULL) + { + ExFreePool( pWorldSID); + } } return ntStatus; @@ -8304,3 +8367,4 @@ AFSRetrieveParentPath( IN UNICODE_STRING *FullFileName, return; } + diff --git a/src/WINNT/afsrdr/kernel/lib/AFSInit.cpp b/src/WINNT/afsrdr/kernel/lib/AFSInit.cpp index 658a89200..98a59411f 100644 
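Review bot: The return value of `RtlInitializeSid` is ignored in the block added at the top of `__Enter`, so a failed initialisation would still have its sub-authority written and later be installed as owner and group. Checking it takes two lines: `ntStatus = RtlInitializeSid( pWorldSID, &SeWorldSidAuthority, 1);` followed by `if( !NT_SUCCESS( ntStatus)) try_return( ntStatus);`. The kernel also exposes a prebuilt Everyone SID as `SeExports->SeWorldSid`, which would make the allocation, the `SeWorldSidAuthority` global and the cleanup in the third AFSGeneric.cpp hunk unnecessary. The local `ulWorldSIDLEngth` has a stray capital E. The function body continues outside the hunk.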
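Review bot: Making Everyone the owner deserves a comment at the `RtlSetOwnerSecurityDescriptor` call, because Windows grants an object's owner implicit READ_CONTROL and WRITE_DAC, and with the World SID as owner that applies to nearly every token. If any local access check is ever evaluated against `AFSDefaultSD`, those rights are granted regardless of what the DACL says. If the descriptor is only reported to callers and the AFS file server makes the real decision, the code should say so, for example `// Owner/group are World only so the SD is well-formed; access is decided by AFS ACLs on the server, not by this descriptor`. Whether that statement holds has to be confirmed against code outside this hunk.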
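Review bot: `pWorldSID` is freed at `try_exit`, yet `RtlSetOwnerSecurityDescriptor` and `RtlSetGroupSecurityDescriptor` store the pointer they are given in an absolute descriptor rather than copying the SID. The free is safe only if the descriptor published as `AFSDefaultSD` is the self-relative copy (`pRelativeSecurityDescr`) and never the absolute `pSecurityDescr`. That conversion is outside the visible hunks, as is the sizing of `ulSDLength`, which now has to account for the owner and group SIDs. A comment above the free would pin the assumption down: `// Safe to free: the self-relative SD holds its own copy of the owner/group SID`.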
--- a/src/WINNT/afsrdr/kernel/lib/AFSInit.cpp +++ b/src/WINNT/afsrdr/kernel/lib/AFSInit.cpp @@ -147,7 +147,14 @@ DriverEntry( PDRIVER_OBJECT DriverObject, AFSRtlSetSaclSecurityDescriptor = (PAFSRtlSetSaclSecurityDescriptor)MmGetSystemRoutineAddress( &uniRoutine); } + #endif + + RtlInitUnicodeString( &uniRoutine, + L"RtlSetGroupSecurityDescriptor"); + + AFSRtlSetGroupSecurityDescriptor = (PAFSRtlSetGroupSecurityDescriptor)MmGetSystemRoutineAddress( &uniRoutine); + ntStatus = AFSCreateDefaultSecurityDescriptor(); if( !NT_SUCCESS( ntStatus)) diff --git a/src/WINNT/afsrdr/kernel/lib/Include/AFSDefines.h b/src/WINNT/afsrdr/kernel/lib/Include/AFSDefines.h index 8f070c1c1..510718b4c 100644 --- a/src/WINNT/afsrdr/kernel/lib/Include/AFSDefines.h +++ b/src/WINNT/afsrdr/kernel/lib/Include/AFSDefines.h @@ -86,6 +86,12 @@ NTSTATUS PACL Sacl, BOOLEAN SaclDefaulted); +typedef +NTSTATUS +(*PAFSRtlSetGroupSecurityDescriptor)( IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID Group OPTIONAL, + IN BOOLEAN GroupDefaulted); + // // Worker thread count // diff --git a/src/WINNT/afsrdr/kernel/lib/Include/AFSExtern.h b/src/WINNT/afsrdr/kernel/lib/Include/AFSExtern.h index 37c4fb6e6..f38652bbb 100644 --- a/src/WINNT/afsrdr/kernel/lib/Include/AFSExtern.h +++ b/src/WINNT/afsrdr/kernel/lib/Include/AFSExtern.h @@ -97,6 +97,10 @@ extern PAFSRtlSetSaclSecurityDescriptor AFSRtlSetSaclSecurityDescriptor; extern SECURITY_DESCRIPTOR *AFSDefaultSD; +extern PAFSRtlSetGroupSecurityDescriptor AFSRtlSetGroupSecurityDescriptor; + +extern SID_IDENTIFIER_AUTHORITY SeWorldSidAuthority; + } #endif /* _AFS_EXTERN_H */ -- 2.39.5
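Review bot: The result of the new `MmGetSystemRoutineAddress` lookup in `DriverEntry` is neither checked nor logged, and the caller in AFSGeneric.cpp silently skips the group when the pointer is NULL. On a system where the export is missing, the default descriptor is therefore built with an owner but no primary group, and nothing records that. A trace line when the pointer is NULL would make this visible. At minimum, a comment should state the fallback: `// Resolved at run time; if unavailable the default SD is created without a primary group`. `DriverEntry` starts and ends outside the hunk.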
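Review bot: The new function-pointer typedef in AFSDefines.h carries no calling convention, while `RtlSetGroupSecurityDescriptor` is an NTAPI (`__stdcall` on x86) export reached through `MmGetSystemRoutineAddress`. If the 32-bit build does not default to `__stdcall`, a call through this pointer unbalances the stack. Spelling the convention out removes the dependency on compiler flags: `(NTAPI *PAFSRtlSetGroupSecurityDescriptor)( IN PSECURITY_DESCRIPTOR SecurityDescriptor,`. The neighbouring SACL typedef starts outside the hunk, so whether it has the same gap cannot be seen here.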