server: Add a new get_security_object call for getting the security descriptor of an object.

Use it to implement NtQuerySecurityObject.

server: Add a new get_security_object call for getting the security descriptor of an object.
5356bfde · Rob Shearman · Alexandre Julliard · 5af809ab · 5356bfde · 5356bfde
Commit 5356bfde authored Oct 02, 2007 by Rob Shearman Committed by Alexandre Julliard Oct 03, 2007
6 changed files
--- a/dlls/ntdll/om.c
+++ b/dlls/ntdll/om.c
@@ -162,152 +162,84 @@ NTSTATUS WINAPI NtSetInformationObject(IN HANDLE handle,
 *
 * An ntdll analogue to GetKernelObjectSecurity().
 *
- * NOTES
- *  only the lowest 4 bit of SecurityObjectInformationClass are used
- *  0x7-0xf returns STATUS_ACCESS_DENIED (even running with system privileges)
- *
- * FIXME
- *  We are constructing a fake sid (Administrators:Full, System:Full, Everyone:Read)
 */
 NTSTATUS WINAPI
 NtQuerySecurityObject(
 	IN HANDLE Object,
 	IN SECURITY_INFORMATION RequestedInformation,
-	OUT PSECURITY_DESCRIPTOR pSecurityDesriptor,
+	OUT PSECURITY_DESCRIPTOR pSecurityDescriptor,
 	IN ULONG Length,
 	OUT PULONG ResultLength)
 {
-	static const SID_IDENTIFIER_AUTHORITY localSidAuthority = {SECURITY_NT_AUTHORITY};
+    PISECURITY_DESCRIPTOR_RELATIVE psd = pSecurityDescriptor;
-	static const SID_IDENTIFIER_AUTHORITY worldSidAuthority = {SECURITY_WORLD_SID_AUTHORITY};
+    NTSTATUS status;
-	BYTE Buffer[256];
+    unsigned int buffer_size = 512;
-	PISECURITY_DESCRIPTOR_RELATIVE psd = (PISECURITY_DESCRIPTOR_RELATIVE)Buffer;
+    BOOLEAN need_more_memory = FALSE;
-	UINT BufferIndex = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
+    TRACE("(%p,0x%08x,%p,0x%08x,%p)\n",
-	FIXME("(%p,0x%08x,%p,0x%08x,%p) stub!\n",
+	Object, RequestedInformation, pSecurityDescriptor, Length, ResultLength);
-	Object, RequestedInformation, pSecurityDesriptor, Length, ResultLength);
+    do
-	RequestedInformation &= 0x0000000f;
+    {
+        char *buffer = RtlAllocateHeap(GetProcessHeap(), 0, buffer_size);
-	ZeroMemory(Buffer, 256);
+        if (!buffer)
-	RtlCreateSecurityDescriptor((PSECURITY_DESCRIPTOR)psd, SECURITY_DESCRIPTOR_REVISION);
+            return STATUS_NO_MEMORY;
-	psd->Control = SE_SELF_RELATIVE |
-	  ((RequestedInformation & DACL_SECURITY_INFORMATION) ? SE_DACL_PRESENT:0);
+        SERVER_START_REQ( get_security_object )
+        {
-	/* owner: administrator S-1-5-20-220*/
+            req->handle = Object;
-	if (OWNER_SECURITY_INFORMATION & RequestedInformation)
+            req->security_info = RequestedInformation;
-	{
+            wine_server_set_reply( req, buffer, buffer_size );
-	  SID* psid = (SID*)&(Buffer[BufferIndex]);
+            status = wine_server_call( req );
+            if (status == STATUS_SUCCESS)
-	  psd->Owner = BufferIndex;
+            {
-	  BufferIndex += RtlLengthRequiredSid(2);
+                struct security_descriptor *sd = (struct security_descriptor *)buffer;
+                if (reply->sd_len)
-	  psid->Revision = SID_REVISION;
+                {
-	  psid->SubAuthorityCount = 2;
+                    *ResultLength = sizeof(SECURITY_DESCRIPTOR_RELATIVE) +
-	  psid->IdentifierAuthority = localSidAuthority;
+                        sd->owner_len + sd->group_len + sd->sacl_len + sd->dacl_len;
-	  psid->SubAuthority[0] = SECURITY_BUILTIN_DOMAIN_RID;
+                    if (Length >= *ResultLength)
-	  psid->SubAuthority[1] = DOMAIN_ALIAS_RID_ADMINS;
+                    {
-	}
+                        psd->Revision = SECURITY_DESCRIPTOR_REVISION;
+                        psd->Sbz1 = 0;
-	/* group: built in domain S-1-5-12 */
+                        psd->Control = sd->control | SE_SELF_RELATIVE;
-	if (GROUP_SECURITY_INFORMATION & RequestedInformation)
+                        psd->Owner = sd->owner_len ? sizeof(SECURITY_DESCRIPTOR_RELATIVE) : 0;
-	{
+                        psd->Group = sd->group_len ? sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sd->owner_len : 0;
-	  SID* psid = (SID*) &(Buffer[BufferIndex]);
+                        psd->Sacl = sd->sacl_len ? sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sd->owner_len + sd->group_len : 0;
+                        psd->Dacl = sd->dacl_len ? sizeof(SECURITY_DESCRIPTOR_RELATIVE) + sd->owner_len + sd->group_len + sd->sacl_len : 0;
-	  psd->Group = BufferIndex;
+                        /* owner, group, sacl and dacl are the same type as in the server
-	  BufferIndex += RtlLengthRequiredSid(1);
+                         * and in the same order so we copy the memory in one block */
+                        memcpy((char *)pSecurityDescriptor + sizeof(SECURITY_DESCRIPTOR_RELATIVE),
-	  psid->Revision = SID_REVISION;
+                               buffer + sizeof(struct security_descriptor),
-	  psid->SubAuthorityCount = 1;
+                               sd->owner_len + sd->group_len + sd->sacl_len + sd->dacl_len);
-	  psid->IdentifierAuthority = localSidAuthority;
+                    }
-	  psid->SubAuthority[0] = SECURITY_LOCAL_SYSTEM_RID;
+                    else
-	}
+                        status = STATUS_BUFFER_TOO_SMALL;
+                }
-	/* discretionary ACL */
+                else
-	if (DACL_SECURITY_INFORMATION & RequestedInformation)
+                {
-	{
+                    *ResultLength = sizeof(SECURITY_DESCRIPTOR_RELATIVE);
-	  /* acl header */
+                    if (Length >= *ResultLength)
-	  PACL pacl = (PACL)&(Buffer[BufferIndex]);
+                    {
-	  PACCESS_ALLOWED_ACE pace;
+                        memset(psd, 0, sizeof(*psd));
-	  SID* psid;
+                        psd->Revision = SECURITY_DESCRIPTOR_REVISION;
+                        psd->Control = SE_SELF_RELATIVE;
-	  psd->Dacl = BufferIndex;
+                    }
+                    else
-	  pacl->AclRevision = MIN_ACL_REVISION;
+                        status = STATUS_BUFFER_TOO_SMALL;
-	  pacl->AceCount = 3;
+                }
-	  pacl->AclSize = BufferIndex; /* storing the start index temporary */
+            }
+            else if (status == STATUS_BUFFER_TOO_SMALL)
-	  BufferIndex += sizeof(ACL);
+            {
+                buffer_size = reply->sd_len;
-	  /* ACE System - full access */
+                need_more_memory = TRUE;
-	  pace = (PACCESS_ALLOWED_ACE)&(Buffer[BufferIndex]);
+            }
-	  BufferIndex += sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD);
+        }
+        SERVER_END_REQ;
-	  pace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
+        RtlFreeHeap(GetProcessHeap(), 0, buffer);
-	  pace->Header.AceFlags = CONTAINER_INHERIT_ACE;
+    } while (need_more_memory);
-	  pace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD) + RtlLengthRequiredSid(1);
-          pace->Mask = STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL;
+    return status;
-	  pace->SidStart = BufferIndex;
-	  /* SID S-1-5-12 (System) */
-	  psid = (SID*)&(Buffer[BufferIndex]);
-	  BufferIndex += RtlLengthRequiredSid(1);
-	  psid->Revision = SID_REVISION;
-	  psid->SubAuthorityCount = 1;
-	  psid->IdentifierAuthority = localSidAuthority;
-	  psid->SubAuthority[0] = SECURITY_LOCAL_SYSTEM_RID;
-	  /* ACE Administrators - full access*/
-	  pace = (PACCESS_ALLOWED_ACE) &(Buffer[BufferIndex]);
-	  BufferIndex += sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD);
-	  pace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
-	  pace->Header.AceFlags = CONTAINER_INHERIT_ACE;
-	  pace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD) + RtlLengthRequiredSid(2);
-          pace->Mask = STANDARD_RIGHTS_ALL | SPECIFIC_RIGHTS_ALL;
-	  pace->SidStart = BufferIndex;
-	  /* S-1-5-12 (Administrators) */
-	  psid = (SID*)&(Buffer[BufferIndex]);
-	  BufferIndex += RtlLengthRequiredSid(2);
-	  psid->Revision = SID_REVISION;
-	  psid->SubAuthorityCount = 2;
-	  psid->IdentifierAuthority = localSidAuthority;
-	  psid->SubAuthority[0] = SECURITY_BUILTIN_DOMAIN_RID;
-	  psid->SubAuthority[1] = DOMAIN_ALIAS_RID_ADMINS;
-	  /* ACE Everyone - read access */
-	  pace = (PACCESS_ALLOWED_ACE)&(Buffer[BufferIndex]);
-	  BufferIndex += sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD);
-	  pace->Header.AceType = ACCESS_ALLOWED_ACE_TYPE;
-	  pace->Header.AceFlags = CONTAINER_INHERIT_ACE;
-	  pace->Header.AceSize = sizeof(ACCESS_ALLOWED_ACE)-sizeof(DWORD) + RtlLengthRequiredSid(1);
-	  pace->Mask = READ_CONTROL| 0x19;
-	  pace->SidStart = BufferIndex;
-	  /* SID S-1-1-0 (Everyone) */
-	  psid = (SID*)&(Buffer[BufferIndex]);
-	  BufferIndex += RtlLengthRequiredSid(1);
-	  psid->Revision = SID_REVISION;
-	  psid->SubAuthorityCount = 1;
-	  psid->IdentifierAuthority = worldSidAuthority;
-	  psid->SubAuthority[0] = 0;
-	  /* calculate used bytes */
-	  pacl->AclSize = BufferIndex - pacl->AclSize;
-	}
-	*ResultLength = BufferIndex;
-	TRACE("len=%u\n", *ResultLength);
-	if (Length < *ResultLength) return STATUS_BUFFER_TOO_SMALL;
-	memcpy(pSecurityDesriptor, Buffer, *ResultLength);
-	return STATUS_SUCCESS;
 }

--- a/include/wine/server_protocol.h
+++ b/include/wine/server_protocol.h
@@ -3832,6 +3832,19 @@ struct set_security_object_reply
    struct reply_header __header;
 };
+struct get_security_object_request
+{
+    struct request_header __header;
+    obj_handle_t    handle;
+    unsigned int    security_info;
+};
+struct get_security_object_reply
+{
+    struct reply_header __header;
+    unsigned int    sd_len;
+    /* VARARG(sd,security_descriptor); */
+};
 struct create_mailslot_request
 {
@@ -4376,6 +4389,7 @@ enum request
    REQ_get_token_user,
    REQ_get_token_groups,
    REQ_set_security_object,
+    REQ_get_security_object,
    REQ_create_mailslot,
    REQ_set_mailslot_info,
    REQ_create_directory,
@@ -4609,6 +4623,7 @@ union generic_request
    struct get_token_user_request get_token_user_request;
    struct get_token_groups_request get_token_groups_request;
    struct set_security_object_request set_security_object_request;
+    struct get_security_object_request get_security_object_request;
    struct create_mailslot_request create_mailslot_request;
    struct set_mailslot_info_request set_mailslot_info_request;
    struct create_directory_request create_directory_request;
@@ -4840,6 +4855,7 @@ union generic_reply
    struct get_token_user_reply get_token_user_reply;
    struct get_token_groups_reply get_token_groups_reply;
    struct set_security_object_reply set_security_object_reply;
+    struct get_security_object_reply get_security_object_reply;
    struct create_mailslot_reply create_mailslot_reply;
    struct set_mailslot_info_reply set_mailslot_info_reply;
    struct create_directory_reply create_directory_reply;
@@ -4864,6 +4880,6 @@ union generic_reply
    struct set_completion_info_reply set_completion_info_reply;
 };
-#define SERVER_PROTOCOL_VERSION 315
+#define SERVER_PROTOCOL_VERSION 316
 #endif /* __WINE_WINE_SERVER_PROTOCOL_H */
--- a/server/handle.c
+++ b/server/handle.c
@@ -615,3 +615,68 @@ DECL_HANDLER(set_security_object)
    set_object_sd( obj, sd, req->security_info );
    release_object( obj );
 }
+DECL_HANDLER(get_security_object)
+{
+    const struct security_descriptor *sd;
+    struct object *obj;
+    unsigned int access = READ_CONTROL;
+    struct security_descriptor req_sd;
+    int present;
+    const SID *owner, *group;
+    const ACL *sacl, *dacl;
+    if (req->security_info & SACL_SECURITY_INFORMATION)
+        access |= ACCESS_SYSTEM_SECURITY;
+    if (!(obj = get_handle_obj( current->process, req->handle, access, NULL ))) return;
+    sd = obj->sd;
+    if (sd)
+    {
+        req_sd.control = sd->control & ~SE_SELF_RELATIVE;
+        owner = sd_get_owner( sd );
+        if (req->security_info & OWNER_SECURITY_INFORMATION)
+            req_sd.owner_len = sd->owner_len;
+        group = sd_get_group( sd );
+        if (req->security_info & GROUP_SECURITY_INFORMATION)
+            req_sd.group_len = sd->group_len;
+        req_sd.control |= SE_SACL_PRESENT;
+        sacl = sd_get_sacl( sd, &present );
+        if (req->security_info & SACL_SECURITY_INFORMATION && present)
+            req_sd.sacl_len = sd->sacl_len;
+        else
+            req_sd.sacl_len = 0;
+        req_sd.control |= SE_DACL_PRESENT;
+        dacl = sd_get_dacl( sd, &present );
+        if (req->security_info & DACL_SECURITY_INFORMATION && present)
+            req_sd.dacl_len = sd->dacl_len;
+        else
+            req_sd.dacl_len = 0;
+        reply->sd_len = sizeof(req_sd) + req_sd.owner_len + req_sd.group_len +
+            req_sd.sacl_len + req_sd.dacl_len;
+        if (reply->sd_len <= get_reply_max_size())
+        {
+            char *ptr = set_reply_data_size(reply->sd_len);
+            memcpy( ptr, &req_sd, sizeof(req_sd) );
+            ptr += sizeof(req_sd);
+            memcpy( ptr, owner, req_sd.owner_len );
+            ptr += req_sd.owner_len;
+            memcpy( ptr, group, req_sd.group_len );
+            ptr += req_sd.group_len;
+            memcpy( ptr, sacl, req_sd.sacl_len );
+            ptr += req_sd.sacl_len;
+            memcpy( ptr, dacl, req_sd.dacl_len );
+        }
+        else
+            set_error(STATUS_BUFFER_TOO_SMALL);
+    }
+    release_object( obj );
+}
--- a/server/protocol.def
+++ b/server/protocol.def
@@ -2768,6 +2768,14 @@ enum message_type
    VARARG(sd,security_descriptor); /* security descriptor to set */
 @END
+@REQ(get_security_object)
+    obj_handle_t    handle;       /* handle to the object */
+    unsigned int    security_info; /* which parts of security descriptor to get */
+@REPLY
+    unsigned int    sd_len;         /* buffer size needed for sd */
+    VARARG(sd,security_descriptor); /* retrieved security descriptor */
+@END
 /* Create a mailslot */
 @REQ(create_mailslot)
    unsigned int   access;        /* wanted access rights */

--- a/server/request.h
+++ b/server/request.h
@@ -314,6 +314,7 @@ DECL_HANDLER(access_check);
 DECL_HANDLER(get_token_user);
 DECL_HANDLER(get_token_groups);
 DECL_HANDLER(set_security_object);
+DECL_HANDLER(get_security_object);
 DECL_HANDLER(create_mailslot);
 DECL_HANDLER(set_mailslot_info);
 DECL_HANDLER(create_directory);
@@ -546,6 +547,7 @@ static const req_handler req_handlers[REQ_NB_REQUESTS] =
    (req_handler)req_get_token_user,
    (req_handler)req_get_token_groups,
    (req_handler)req_set_security_object,
+    (req_handler)req_get_security_object,
    (req_handler)req_create_mailslot,
    (req_handler)req_set_mailslot_info,
    (req_handler)req_create_directory,

--- a/server/trace.c
+++ b/server/trace.c
@@ -3350,6 +3350,19 @@ static void dump_set_security_object_request( const struct set_security_object_r
    dump_varargs_security_descriptor( cur_size );
 }
+static void dump_get_security_object_request( const struct get_security_object_request *req )
+{
+    fprintf( stderr, " handle=%p,", req->handle );
+    fprintf( stderr, " security_info=%08x", req->security_info );
+}
+static void dump_get_security_object_reply( const struct get_security_object_reply *req )
+{
+    fprintf( stderr, " sd_len=%08x,", req->sd_len );
+    fprintf( stderr, " sd=" );
+    dump_varargs_security_descriptor( cur_size );
+}
 static void dump_create_mailslot_request( const struct create_mailslot_request *req )
 {
    fprintf( stderr, " access=%08x,", req->access );
@@ -3840,6 +3853,7 @@ static const dump_func req_dumpers[REQ_NB_REQUESTS] = {
    (dump_func)dump_get_token_user_request,
    (dump_func)dump_get_token_groups_request,
    (dump_func)dump_set_security_object_request,
+    (dump_func)dump_get_security_object_request,
    (dump_func)dump_create_mailslot_request,
    (dump_func)dump_set_mailslot_info_request,
    (dump_func)dump_create_directory_request,
@@ -4069,6 +4083,7 @@ static const dump_func reply_dumpers[REQ_NB_REQUESTS] = {
    (dump_func)dump_get_token_user_reply,
    (dump_func)dump_get_token_groups_reply,
    (dump_func)0,
+    (dump_func)dump_get_security_object_reply,
    (dump_func)dump_create_mailslot_reply,
    (dump_func)dump_set_mailslot_info_reply,
    (dump_func)dump_create_directory_reply,
@@ -4298,6 +4313,7 @@ static const char * const req_names[REQ_NB_REQUESTS] = {
    "get_token_user",
    "get_token_groups",
    "set_security_object",
+    "get_security_object",
    "create_mailslot",
    "set_mailslot_info",
    "create_directory",