[ros-diffs] [mbosma] 30331: Fix CreateLogoffSecurityAttributes. It does still not work because SetEntriesInAcl is not implemented yet.

Sat Nov 10 16:56:36 CET 2007

Author: mbosma
Date: Sat Nov 10 18:56:36 2007
New Revision: 30331

URL: http://svn.reactos.org/svn/reactos?rev=30331&view=rev
Log:
Fix CreateLogoffSecurityAttributes. It does still not work because SetEntriesInAcl is not implemented yet.

Modified:
    trunk/reactos/base/system/winlogon/sas.c
    trunk/reactos/base/system/winlogon/winlogon.h

Modified: trunk/reactos/base/system/winlogon/sas.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/system/winlogon/sas.c?rev=30331&r1=30330&r2=30331&view=diff
==============================================================================

--- trunk/reactos/base/system/winlogon/sas.c (original)
+++ trunk/reactos/base/system/winlogon/sas.c Sat Nov 10 18:56:36 2007
@@ -319,7 +319,7 @@
 CreateLogoffSecurityAttributes(
 	OUT PSECURITY_ATTRIBUTES* ppsa)
 {
-	/* The following code is no only incomplete, it's a mess and uncompilable */
+	/* The following code is not working yet and messy */
 	/* Still, it gives some ideas about data types and functions involved and */
 	/* required to set up a SECURITY_DESCRIPTOR for a SECURITY_ATTRIBUTES */
 	/* instance for a thread, to allow that  thread to ImpersonateLoggedOnUser(). */
@@ -328,7 +328,9 @@
 	PSECURITY_ATTRIBUTES psa = 0;
 	BYTE* pMem;
 	PACL pACL;
-	//EXPLICIT_ACCESS ea[2];
+	EXPLICIT_ACCESS Access;
+	PSID pEveryoneSID = NULL;
+	static SID_IDENTIFIER_AUTHORITY WorldAuthority = { SECURITY_WORLD_SID_AUTHORITY };
 
 	*ppsa = NULL;
 
@@ -351,6 +353,16 @@
 	// while the user's SID obviously must be created for each new user.
 	// Might as well store it when the user logs on?
 
+	if(!AllocateAndInitializeSid(&WorldAuthority, 
+				     1,
+				     SECURITY_WORLD_RID,
+				     0, 0, 0, 0, 0, 0, 0,
+				     &pEveryoneSID))	 
+	{
+		DPRINT("Failed to initialize security descriptor for logoff thread!\n");
+		return STATUS_UNSUCCESSFUL;
+	}
+
 	/* set up the required security attributes to be able to shut down */
 	/* To save space and time, allocate a single block of memory holding */
 	/* both SECURITY_ATTRIBUTES and SECURITY_DESCRIPTOR */
@@ -372,6 +384,25 @@
 	SecurityDescriptor = (PSECURITY_DESCRIPTOR)(pMem + sizeof(SECURITY_ATTRIBUTES));
 	pACL = (PACL)(((PBYTE)SecurityDescriptor) + SECURITY_DESCRIPTOR_MIN_LENGTH);
 
+	// Initialize an EXPLICIT_ACCESS structure for an ACE.
+	// The ACE will allow this thread to log off (and shut down the system, currently).
+	ZeroMemory(&Access, sizeof(Access));
+	Access.grfAccessPermissions = THREAD_SET_THREAD_TOKEN;
+	Access.grfAccessMode = SET_ACCESS; // GRANT_ACCESS?
+	Access.grfInheritance = NO_INHERITANCE;
+	Access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
+	Access.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+	Access.Trustee.ptstrName = pEveryoneSID;
+
+	if (SetEntriesInAcl(1, &Access, NULL, &pACL) != ERROR_SUCCESS) 
+	{
+        // SetEntriesInAcl is not implemented yet
+        DPRINT1 ("Failed to set Access Rights for logoff thread. Logging out will most likely fail.\n");
+
+		HeapFree(GetProcessHeap(), 0, pMem);
+		return STATUS_UNSUCCESSFUL;
+	}
+
 	if (!InitializeSecurityDescriptor(SecurityDescriptor, SECURITY_DESCRIPTOR_REVISION))
 	{
 		HeapFree(GetProcessHeap(), 0, pMem);
@@ -379,18 +410,7 @@
 		return STATUS_UNSUCCESSFUL;
 	}
 
-	// Initialize an EXPLICIT_ACCESS structure for an ACE.
-	// The ACE will allow this thread to log off (and shut down the system, currently).
-#if 0
-	ZeroMemory(ea, sizeof(ea));
-	ea[0].grfAccessPermissions = THREAD_SET_THREAD_TOKEN;
-	ea[0].grfAccessMode = SET_ACCESS; // GRANT_ACCESS?
-	ea[0].grfInheritance= NO_INHERITANCE;
-	ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
-	ea[0].Trustee.TrusteeType = TRUSTEE_IS_USER;
-	ea[0].Trustee.ptstrName  = (LPTSTR) pEveryoneSID;
-
-	if (!SetSecurityDescriptorDacl(pSD,
+	if (!SetSecurityDescriptorDacl(SecurityDescriptor,
 	        TRUE,     // bDaclPresent flag
 	        pACL,
 	        FALSE))   // not a default DACL
@@ -399,7 +419,6 @@
 		HeapFree(GetProcessHeap(), 0, pMem);
 		return STATUS_UNSUCCESSFUL;
 	}
-#endif
 
 	psa->nLength = sizeof(SECURITY_ATTRIBUTES);
 	psa->lpSecurityDescriptor = SecurityDescriptor;
@@ -447,14 +466,9 @@
 	Status = CreateLogoffSecurityAttributes(&psa);
 	if (!NT_SUCCESS(Status))
 	{
-		WARN("Failed to create a required security descriptor. Status 0x%08x\n", Status);
-#if 1
-		WARN("Attempting to continue without it.\n");
-#else
-		ERR("Aborting logoff\n");
+		ERR("Failed to create a required security descriptor. Status 0x%08x\n", Status);
 		HeapFree(GetProcessHeap(), 0, LSData);
 		return Status;
-#endif
 	}
 
 	/* Run logoff thread */

Modified: trunk/reactos/base/system/winlogon/winlogon.h
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/base/system/winlogon/winlogon.h?rev=30331&r1=30330&r2=30331&view=diff
==============================================================================
--- trunk/reactos/base/system/winlogon/winlogon.h (original)
+++ trunk/reactos/base/system/winlogon/winlogon.h Sat Nov 10 18:56:36 2007
@@ -36,6 +36,8 @@
 #include <exfuncs.h>
 #include <setypes.h>
 #include <ntsecapi.h>
+#include <accctrl.h>
+#include <aclapi.h>
 
 #include <reactos/winlogon.h>
 


