[wxWidgets.git] / utils / Install / packzip / nt.c

/*

  Copyright (c) 1996  Scott Field

  Module Name:

    nt.c

  Abstract:

    This module implements WinNT security descriptor operations for the
    Win32 Info-ZIP project.  Operation such as setting file security,
    using/querying local and remote privileges, and queuing of operations
    is performed here.  The contents of this module are only relevant
    when the code is running on Windows NT, and the target volume supports
    persistent Acl storage.

    User privileges that allow accessing certain privileged aspects of the
    security descriptor (such as the Sacl) are only used if the user specified
    to do so.

  Author:

    Scott Field (sfield@microsoft.com)

  Last revised:  18 Jan 97

 */

#define WIN32_LEAN_AND_MEAN
#define UNZIP_INTERNAL
#include "unzip.h"
#include <windows.h>
#ifdef __RSXNT__
#  include "rsxntwin.h"
#endif
#include "nt.h"


#ifdef NTSD_EAS         /* This file is only needed for NTSD handling */

/* Borland C++ does not define FILE_SHARE_DELETE. Others also? */
#ifndef FILE_SHARE_DELETE
#  define FILE_SHARE_DELETE 0x00000004
#endif


/* private prototypes */

static BOOL Initialize(VOID);
#if 0   /* currently unused */
static BOOL Shutdown(VOID);
#endif
static BOOL DeferSet(char *resource, PVOLUMECAPS VolumeCaps, uch *buffer);
static VOID GetRemotePrivilegesSet(CHAR *FileName, PDWORD dwRemotePrivileges);
static VOID InitLocalPrivileges(VOID);


BOOL bInitialized = FALSE;  /* module level stuff initialized? */
HANDLE hInitMutex = NULL;   /* prevent multiple initialization */

BOOL g_bRestorePrivilege = FALSE;   /* for local set file security override */
BOOL g_bSaclPrivilege = FALSE;      /* for local set sacl operations, only when
                                       restore privilege not present */

/* our single cached volume capabilities structure that describes the last
   volume root we encountered.  A single entry like this works well in the
   zip/unzip scenario for a number of reasons:
   1. typically one extraction path during unzip.
   2. typically process one volume at a time during zip, and then move
      on to the next.
   3. no cleanup code required and no memory leaks.
   4. simple code.

   This approach should be reworked to a linked list approach if we expect to
   be called by many threads which are processing a variety of input/output
   volumes, since lock contention and stale data may become a bottleneck. */

VOLUMECAPS g_VolumeCaps;
CRITICAL_SECTION VolumeCapsLock;


/* our deferred set structure linked list element, used for making a copy
   of input data which is used at a later time to process the original input
   at a time when it makes more sense. eg, applying security to newly created
   directories, after all files have been placed in such directories. */

CRITICAL_SECTION SetDeferLock;

typedef struct _DEFERRED_SET {
    struct _DEFERRED_SET *Next;
    uch *buffer;                /* must point to DWORD aligned block */
    PVOLUMECAPS VolumeCaps;
    char *resource;
} DEFERRED_SET, *PDEFERRED_SET, *LPDEFERRED_SET;

PDEFERRED_SET pSetHead = NULL;
PDEFERRED_SET pSetTail;

static BOOL Initialize(VOID)
{
    HANDLE hMutex;
    HANDLE hOldMutex;

    if(bInitialized) return TRUE;

    hMutex = CreateMutex(NULL, TRUE, NULL);
    if(hMutex == NULL) return FALSE;

    hOldMutex = (HANDLE)InterlockedExchange((LPLONG)&hInitMutex, (LONG)hMutex);

    if(hOldMutex != NULL) {
        /* somebody setup the mutex already */
        InterlockedExchange((LPLONG)&hInitMutex, (LONG)hOldMutex);

        CloseHandle(hMutex); /* close new, un-needed mutex */

        /* wait for initialization to complete and return status */
        WaitForSingleObject(hOldMutex, INFINITE);
        ReleaseMutex(hOldMutex);

        return bInitialized;
    }

    /* initialize module level resources */

    InitializeCriticalSection( &SetDeferLock );

    InitializeCriticalSection( &VolumeCapsLock );
    memset(&g_VolumeCaps, 0, sizeof(VOLUMECAPS));

    InitLocalPrivileges();

    bInitialized = TRUE;

    ReleaseMutex(hMutex); /* release correct mutex */

    return TRUE;
}

#if 0   /* currently not used ! */
static BOOL Shutdown(VOID)
{
    /* really need to free critical sections, disable enabled privilges, etc,
       but doing so brings up possibility of race conditions if those resources
       are about to be used.  The easiest way to handle this is let these
       resources be freed when the process terminates... */

    return TRUE;
}
#endif /* never */


static BOOL DeferSet(char *resource, PVOLUMECAPS VolumeCaps, uch *buffer)
{
    PDEFERRED_SET psd;
    DWORD cbDeferSet;
    DWORD cbResource;
    DWORD cbBuffer;

    if(!bInitialized) if(!Initialize()) return FALSE;

    cbResource = lstrlenA(resource) + 1;
    cbBuffer = GetSecurityDescriptorLength((PSECURITY_DESCRIPTOR)buffer);
    cbDeferSet = sizeof(DEFERRED_SET) + cbBuffer + sizeof(VOLUMECAPS) +
      cbResource;

    psd = (PDEFERRED_SET)HeapAlloc(GetProcessHeap(), 0, cbDeferSet);
    if(psd == NULL) return FALSE;

    psd->Next = NULL;
    psd->buffer = (uch *)(psd+1);
    psd->VolumeCaps = (PVOLUMECAPS)((char *)psd->buffer + cbBuffer);
    psd->resource = (char *)((char *)psd->VolumeCaps + sizeof(VOLUMECAPS));

    memcpy(psd->buffer, buffer, cbBuffer);
    memcpy(psd->VolumeCaps, VolumeCaps, sizeof(VOLUMECAPS));
    psd->VolumeCaps->bProcessDefer = TRUE;
    memcpy(psd->resource, resource, cbResource);

    /* take defer lock */
    EnterCriticalSection( &SetDeferLock );

    /* add element at tail of list */

    if(pSetHead == NULL) {
        pSetHead = psd;
    } else {
        pSetTail->Next = psd;
    }

    pSetTail = psd;

    /* release defer lock */
    LeaveCriticalSection( &SetDeferLock );

    return TRUE;
}

BOOL ProcessDefer(PDWORD dwDirectoryCount, PDWORD dwBytesProcessed,
                  PDWORD dwDirectoryFail, PDWORD dwBytesFail)
{
    PDEFERRED_SET This;
    PDEFERRED_SET Next;

    *dwDirectoryCount = 0;
    *dwBytesProcessed = 0;

    *dwDirectoryFail = 0;
    *dwBytesFail = 0;

    if(!bInitialized) return TRUE; /* nothing to do */

    EnterCriticalSection( &SetDeferLock );

    This = pSetHead;

    while(This) {

        if(SecuritySet(This->resource, This->VolumeCaps, This->buffer)) {
            (*dwDirectoryCount)++;
            *dwBytesProcessed +=
              GetSecurityDescriptorLength((PSECURITY_DESCRIPTOR)This->buffer);
        } else {
            (*dwDirectoryFail)++;
            *dwBytesFail +=
              GetSecurityDescriptorLength((PSECURITY_DESCRIPTOR)This->buffer);
        }

        Next = This->Next;
        HeapFree(GetProcessHeap(), 0, This);
        This = Next;
    }

    pSetHead = NULL;

    LeaveCriticalSection( &SetDeferLock );

    return TRUE;
}

BOOL ValidateSecurity(uch *securitydata)
{
    PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)securitydata;
    PACL pAcl;
    PSID pSid;
    BOOL bAclPresent;
    BOOL bDefaulted;

    if(!IsWinNT()) return TRUE; /* don't do anything if not on WinNT */

    if(!IsValidSecurityDescriptor(sd)) return FALSE;

    /* verify Dacl integrity */

    if(!GetSecurityDescriptorDacl(sd, &bAclPresent, &pAcl, &bDefaulted))
        return FALSE;

    if(bAclPresent) {
        if(!IsValidAcl(pAcl)) return FALSE;
    }

    /* verify Sacl integrity */

    if(!GetSecurityDescriptorSacl(sd, &bAclPresent, &pAcl, &bDefaulted))
        return FALSE;

    if(bAclPresent) {
        if(!IsValidAcl(pAcl)) return FALSE;
    }

    /* verify owner integrity */

    if(!GetSecurityDescriptorOwner(sd, &pSid, &bDefaulted))
        return FALSE;

    if(pSid != NULL) {
        if(!IsValidSid(pSid)) return FALSE;
    }

    /* verify group integrity */

    if(!GetSecurityDescriptorGroup(sd, &pSid, &bDefaulted))
        return FALSE;

    if(pSid != NULL) {
        if(!IsValidSid(pSid)) return FALSE;
    }

    return TRUE;
}

static VOID GetRemotePrivilegesSet(char *FileName, PDWORD dwRemotePrivileges)
{
    HANDLE hFile;

    *dwRemotePrivileges = 0;

    /* see if we have the SeRestorePrivilege */

    hFile = CreateFileA(
        FileName,
        ACCESS_SYSTEM_SECURITY | WRITE_DAC | WRITE_OWNER | READ_CONTROL,
        FILE_SHARE_READ | FILE_SHARE_DELETE, /* no sd updating allowed here */
        NULL,
        OPEN_EXISTING,
        FILE_FLAG_BACKUP_SEMANTICS,
        NULL
        );

    if(hFile != INVALID_HANDLE_VALUE) {
        /* no remote way to determine SeRestorePrivilege -- just try a
           read/write to simulate it */
        SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION |
          SACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION |
          GROUP_SECURITY_INFORMATION;
        PSECURITY_DESCRIPTOR sd;
        DWORD cbBuf = 0;

        GetKernelObjectSecurity(hFile, si, NULL, cbBuf, &cbBuf);

        if(ERROR_INSUFFICIENT_BUFFER == GetLastError()) {
            if((sd = HeapAlloc(GetProcessHeap(), 0, cbBuf)) != NULL) {
                if(GetKernelObjectSecurity(hFile, si, sd, cbBuf, &cbBuf)) {
                    if(SetKernelObjectSecurity(hFile, si, sd))
                        *dwRemotePrivileges |= OVERRIDE_RESTORE;
                }
                HeapFree(GetProcessHeap(), 0, sd);
            }
        }

        CloseHandle(hFile);
    } else {

        /* see if we have the SeSecurityPrivilege */
        /* note we don't need this if we have SeRestorePrivilege */

        hFile = CreateFileA(
            FileName,
            ACCESS_SYSTEM_SECURITY,
            FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, /* max */
            NULL,
            OPEN_EXISTING,
            0,
            NULL
            );

        if(hFile != INVALID_HANDLE_VALUE) {
            CloseHandle(hFile);
            *dwRemotePrivileges |= OVERRIDE_SACL;
        }
    }
}


BOOL GetVolumeCaps(
    char *rootpath,         /* filepath, or NULL */
    char *name,             /* filename associated with rootpath */
    PVOLUMECAPS VolumeCaps  /* result structure describing capabilities */
    )
{
    char TempRootPath[MAX_PATH + 1];
    DWORD cchTempRootPath = 0;
    BOOL bSuccess = TRUE;   /* assume success until told otherwise */

    if(!bInitialized) if(!Initialize()) return FALSE;

    /* process the input path to produce a consistent path suitable for
       compare operations and also suitable for certain picky Win32 API
       that don't like forward slashes */

    if(rootpath != NULL && rootpath[0] != '\0') {
        DWORD i;

        cchTempRootPath = lstrlen(rootpath);
        if(cchTempRootPath > MAX_PATH) return FALSE;

        /* copy input, converting forward slashes to back slashes as we go */

        for(i = 0 ; i <= cchTempRootPath ; i++) {
            if(rootpath[i] == '/') TempRootPath[i] = '\\';
            else TempRootPath[i] = rootpath[i];
        }

        /* check for UNC and Null terminate or append trailing \ as
           appropriate */

        /* possible valid UNCs we are passed follow:
           \\machine\foo\bar (path is \\machine\foo\)
           \\machine\foo     (path is \\machine\foo\)
           \\machine\foo\
           \\.\c$\     (FIXFIX: Win32API doesn't like this - GetComputerName())
           LATERLATER: handling mounted DFS drives in the future will require
                       slightly different logic which isn't available today.
                       This is required because directories can point at
                       different servers which have differing capabilities.
         */

        if(TempRootPath[0] == '\\' && TempRootPath[1] == '\\') {
            DWORD slash = 0;

            for(i = 2 ; i < cchTempRootPath ; i++) {
                if(TempRootPath[i] == '\\') {
                    slash++;

                    if(slash == 2) {
                        i++;
                        TempRootPath[i] = '\0';
                        cchTempRootPath = i;
                        break;
                    }
                }
            }

            /* if there was only one slash found, just tack another onto the
               end */

            if(slash == 1 && TempRootPath[cchTempRootPath] != '\\') {
                TempRootPath[cchTempRootPath] = TempRootPath[0]; /* '\' */
                TempRootPath[cchTempRootPath+1] = '\0';
                cchTempRootPath++;
            }

        } else {

            if(TempRootPath[1] == ':') {

                /* drive letter specified, truncate to root */
                TempRootPath[2] = '\\';
                TempRootPath[3] = '\0';
                cchTempRootPath = 3;
            } else {

                /* must be file on current drive */
                TempRootPath[0] = '\0';
                cchTempRootPath = 0;
            }

        }

    } /* if path != NULL */

    /* grab lock protecting cached entry */
    EnterCriticalSection( &VolumeCapsLock );

    if(!g_VolumeCaps.bValid ||
       lstrcmpi(g_VolumeCaps.RootPath, TempRootPath) != 0)
    {

        /* no match found, build up new entry */

        DWORD dwFileSystemFlags;
        DWORD dwRemotePrivileges = 0;
        BOOL bRemote = FALSE;

        /* release lock during expensive operations */
        LeaveCriticalSection( &VolumeCapsLock );

        bSuccess = GetVolumeInformation(
            (TempRootPath[0] == '\0') ? NULL : TempRootPath,
            NULL, 0,
            NULL, NULL,
            &dwFileSystemFlags,
            NULL, 0);


        /* only if target volume supports Acls, and we were told to use
           privileges do we need to go out and test for the remote case */

        if(bSuccess && (dwFileSystemFlags & FS_PERSISTENT_ACLS) &&
           VolumeCaps->bUsePrivileges)
        {
            if(GetDriveType( (TempRootPath[0] == '\0') ? NULL : TempRootPath )
               == DRIVE_REMOTE)
            {
                bRemote = TRUE;

                /* make a determination about our remote capabilities */

                GetRemotePrivilegesSet(name, &dwRemotePrivileges);
            }
        }

        /* always take the lock again, since we release it below */
        EnterCriticalSection( &VolumeCapsLock );

        /* replace the existing data if successful */
        if(bSuccess) {

            lstrcpynA(g_VolumeCaps.RootPath, TempRootPath, cchTempRootPath+1);
            g_VolumeCaps.bProcessDefer = FALSE;
            g_VolumeCaps.dwFileSystemFlags = dwFileSystemFlags;
            g_VolumeCaps.bRemote = bRemote;
            g_VolumeCaps.dwRemotePrivileges = dwRemotePrivileges;
            g_VolumeCaps.bValid = TRUE;
        }
    }

    if(bSuccess) {
        /* copy input elements */
        g_VolumeCaps.bUsePrivileges = VolumeCaps->bUsePrivileges;
        g_VolumeCaps.dwFileAttributes = VolumeCaps->dwFileAttributes;

        /* give caller results */
        memcpy(VolumeCaps, &g_VolumeCaps, sizeof(VOLUMECAPS));
    } else {
        g_VolumeCaps.bValid = FALSE;
    }

    LeaveCriticalSection( &VolumeCapsLock ); /* release lock */

    return bSuccess;
}


BOOL SecuritySet(char *resource, PVOLUMECAPS VolumeCaps, uch *securitydata)
{
    HANDLE hFile;
    DWORD dwDesiredAccess = 0;
    DWORD dwFlags = 0;
    PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)securitydata;
    SECURITY_DESCRIPTOR_CONTROL sdc;
    SECURITY_INFORMATION RequestedInfo = 0;
    DWORD dwRev;
    BOOL bRestorePrivilege = FALSE;
    BOOL bSaclPrivilege = FALSE;
    BOOL bSuccess;

    if(!bInitialized) if(!Initialize()) return FALSE;

    /* defer directory processing */

    if(VolumeCaps->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
        if(!VolumeCaps->bProcessDefer) {
            return DeferSet(resource, VolumeCaps, securitydata);
        } else {
            /* opening a directory requires FILE_FLAG_BACKUP_SEMANTICS */
            dwFlags |= FILE_FLAG_BACKUP_SEMANTICS;
        }
    }

    /* evaluate the input security desriptor and act accordingly */

    if(!IsValidSecurityDescriptor(sd))
        return FALSE;

    if(!GetSecurityDescriptorControl(sd, &sdc, &dwRev))
        return FALSE;

    /* setup privilege usage based on if told we can use privileges, and if so,
       what privileges we have */

    if(VolumeCaps->bUsePrivileges) {
        if(VolumeCaps->bRemote) {
            /* use remotely determined privileges */
            if(VolumeCaps->dwRemotePrivileges & OVERRIDE_RESTORE)
                bRestorePrivilege = TRUE;

            if(VolumeCaps->dwRemotePrivileges & OVERRIDE_SACL)
                bSaclPrivilege = TRUE;

        } else {
            /* use local privileges */
            bRestorePrivilege = g_bRestorePrivilege;
            bSaclPrivilege = g_bSaclPrivilege;
        }
    }


    /* if a Dacl is present write Dacl out */
    /* if we have SeRestorePrivilege, write owner and group info out */

    if(sdc & SE_DACL_PRESENT) {
        dwDesiredAccess |= WRITE_DAC;
        RequestedInfo |= DACL_SECURITY_INFORMATION;

        if(bRestorePrivilege) {
            dwDesiredAccess |= WRITE_OWNER;
            RequestedInfo |= (OWNER_SECURITY_INFORMATION |
              GROUP_SECURITY_INFORMATION);
        }
    }

    /* if a Sacl is present and we have either SeRestorePrivilege or
       SeSystemSecurityPrivilege try to write Sacl out */

    if((sdc & SE_SACL_PRESENT) && (bRestorePrivilege || bSaclPrivilege)) {
        dwDesiredAccess |= ACCESS_SYSTEM_SECURITY;
        RequestedInfo |= SACL_SECURITY_INFORMATION;
    }

    if(RequestedInfo == 0)  /* nothing to do */
        return FALSE;

    if(bRestorePrivilege)
        dwFlags |= FILE_FLAG_BACKUP_SEMANTICS;

    hFile = CreateFileA(
        resource,
        dwDesiredAccess,
        FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,/* max sharing */
        NULL,
        OPEN_EXISTING,
        dwFlags,
        NULL
        );

    if(hFile == INVALID_HANDLE_VALUE)
        return FALSE;

    bSuccess = SetKernelObjectSecurity(hFile, RequestedInfo, sd);

    CloseHandle(hFile);

    return bSuccess;
}

static VOID InitLocalPrivileges(VOID)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;

    /* try to enable some interesting privileges that give us the ability
       to get some security information that we normally cannot.

       note that enabling privileges is only relevant on the local machine;
       when accessing files that are on a remote machine, any privileges
       that are present on the remote machine get enabled by default. */

    if(!OpenProcessToken(GetCurrentProcess(),
        TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, &hToken))
        return;

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

    if(LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &tp.Privileges[0].Luid)) {

        /* try to enable SeRestorePrivilege; if this succeeds, we can write
           all aspects of the security descriptor */

        if(AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) &&
           GetLastError() == ERROR_SUCCESS) g_bRestorePrivilege = TRUE;

    }

    /* try to enable SeSystemSecurityPrivilege, if SeRestorePrivilege not
       present; if this succeeds, we can write the Sacl */

    if(!g_bRestorePrivilege &&
        LookupPrivilegeValue(NULL, SE_SECURITY_NAME, &tp.Privileges[0].Luid)) {

        if(AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) &&
           GetLastError() == ERROR_SUCCESS) g_bSaclPrivilege = TRUE;
    }

    CloseHandle(hToken);
}
#endif /* NTSD_EAS */
Commit	Line	Data
f6bcfd97 BP	1	/*
	2
	3	Copyright (c) 1996 Scott Field
	4
	5	Module Name:
	6
	7	nt.c
	8
	9	Abstract:
	10
	11	This module implements WinNT security descriptor operations for the
	12	Win32 Info-ZIP project. Operation such as setting file security,
	13	using/querying local and remote privileges, and queuing of operations
	14	is performed here. The contents of this module are only relevant
	15	when the code is running on Windows NT, and the target volume supports
	16	persistent Acl storage.
	17
	18	User privileges that allow accessing certain privileged aspects of the
	19	security descriptor (such as the Sacl) are only used if the user specified
	20	to do so.
	21
	22	Author:
	23
	24	Scott Field (sfield@microsoft.com)
	25
	26	Last revised: 18 Jan 97
	27
	28	*/
	29
	30	#define WIN32_LEAN_AND_MEAN
	31	#define UNZIP_INTERNAL
	32	#include "unzip.h"
	33	#include <windows.h>
	34	#ifdef __RSXNT__
	35	# include "rsxntwin.h"
	36	#endif
	37	#include "nt.h"
	38
	39
	40	#ifdef NTSD_EAS /* This file is only needed for NTSD handling */
	41
	42	/* Borland C++ does not define FILE_SHARE_DELETE. Others also? */
	43	#ifndef FILE_SHARE_DELETE
	44	# define FILE_SHARE_DELETE 0x00000004
	45	#endif
	46
	47
	48	/* private prototypes */
	49
	50	static BOOL Initialize(VOID);
	51	#if 0 /* currently unused */
	52	static BOOL Shutdown(VOID);
	53	#endif
	54	static BOOL DeferSet(char resource, PVOLUMECAPS VolumeCaps, uch buffer);
	55	static VOID GetRemotePrivilegesSet(CHAR *FileName, PDWORD dwRemotePrivileges);
	56	static VOID InitLocalPrivileges(VOID);
	57
	58
	59	BOOL bInitialized = FALSE; /* module level stuff initialized? */
	60	HANDLE hInitMutex = NULL; /* prevent multiple initialization */
	61
	62	BOOL g_bRestorePrivilege = FALSE; /* for local set file security override */
	63	BOOL g_bSaclPrivilege = FALSE; /* for local set sacl operations, only when
	64	restore privilege not present */
65
66	/* our single cached volume capabilities structure that describes the last
67	volume root we encountered. A single entry like this works well in the
68	zip/unzip scenario for a number of reasons:
69	1. typically one extraction path during unzip.
70	2. typically process one volume at a time during zip, and then move
71	on to the next.
72	3. no cleanup code required and no memory leaks.
73	4. simple code.
74
75	This approach should be reworked to a linked list approach if we expect to
76	be called by many threads which are processing a variety of input/output
77	volumes, since lock contention and stale data may become a bottleneck. */
78
79	VOLUMECAPS g_VolumeCaps;
80	CRITICAL_SECTION VolumeCapsLock;
81
82
83	/* our deferred set structure linked list element, used for making a copy
84	of input data which is used at a later time to process the original input
85	at a time when it makes more sense. eg, applying security to newly created
86	directories, after all files have been placed in such directories. */
87
88	CRITICAL_SECTION SetDeferLock;
89
90	typedef struct _DEFERRED_SET {
91	struct _DEFERRED_SET *Next;
92	uch buffer; / must point to DWORD aligned block */
93	PVOLUMECAPS VolumeCaps;
94	char *resource;
95	} DEFERRED_SET, PDEFERRED_SET, LPDEFERRED_SET;
96
97	PDEFERRED_SET pSetHead = NULL;
98	PDEFERRED_SET pSetTail;
99
100	static BOOL Initialize(VOID)
101	{
102	HANDLE hMutex;
103	HANDLE hOldMutex;
104
105	if(bInitialized) return TRUE;
106
107	hMutex = CreateMutex(NULL, TRUE, NULL);
108	if(hMutex == NULL) return FALSE;
109
110	hOldMutex = (HANDLE)InterlockedExchange((LPLONG)&hInitMutex, (LONG)hMutex);
111
112	if(hOldMutex != NULL) {
113	/* somebody setup the mutex already */
114	InterlockedExchange((LPLONG)&hInitMutex, (LONG)hOldMutex);
115
116	CloseHandle(hMutex); /* close new, un-needed mutex */
117
118	/* wait for initialization to complete and return status */
119	WaitForSingleObject(hOldMutex, INFINITE);
120	ReleaseMutex(hOldMutex);
121
122	return bInitialized;
123	}
124
125	/* initialize module level resources */
126
127	InitializeCriticalSection( &SetDeferLock );
128
129	InitializeCriticalSection( &VolumeCapsLock );
130	memset(&g_VolumeCaps, 0, sizeof(VOLUMECAPS));
131
132	InitLocalPrivileges();
133
134	bInitialized = TRUE;
135
136	ReleaseMutex(hMutex); /* release correct mutex */
137
138	return TRUE;
139	}
140
141	#if 0 /* currently not used ! */
142	static BOOL Shutdown(VOID)
143	{
144	/* really need to free critical sections, disable enabled privilges, etc,
145	but doing so brings up possibility of race conditions if those resources
146	are about to be used. The easiest way to handle this is let these
147	resources be freed when the process terminates... */
148
149	return TRUE;
150	}
151	#endif /* never */
152
153
154	static BOOL DeferSet(char resource, PVOLUMECAPS VolumeCaps, uch buffer)
155	{
156	PDEFERRED_SET psd;
157	DWORD cbDeferSet;
158	DWORD cbResource;
159	DWORD cbBuffer;
160
161	if(!bInitialized) if(!Initialize()) return FALSE;
162
163	cbResource = lstrlenA(resource) + 1;
164	cbBuffer = GetSecurityDescriptorLength((PSECURITY_DESCRIPTOR)buffer);
165	cbDeferSet = sizeof(DEFERRED_SET) + cbBuffer + sizeof(VOLUMECAPS) +
166	cbResource;
167
168	psd = (PDEFERRED_SET)HeapAlloc(GetProcessHeap(), 0, cbDeferSet);
169	if(psd == NULL) return FALSE;
170
171	psd->Next = NULL;
172	psd->buffer = (uch *)(psd+1);
173	psd->VolumeCaps = (PVOLUMECAPS)((char *)psd->buffer + cbBuffer);
174	psd->resource = (char )((char )psd->VolumeCaps + sizeof(VOLUMECAPS));
175
176	memcpy(psd->buffer, buffer, cbBuffer);
177	memcpy(psd->VolumeCaps, VolumeCaps, sizeof(VOLUMECAPS));
178	psd->VolumeCaps->bProcessDefer = TRUE;
179	memcpy(psd->resource, resource, cbResource);
180
181	/* take defer lock */
182	EnterCriticalSection( &SetDeferLock );
183
184	/* add element at tail of list */
185
186	if(pSetHead == NULL) {
187	pSetHead = psd;
188	} else {
189	pSetTail->Next = psd;
190	}
191
192	pSetTail = psd;
193
194	/* release defer lock */
195	LeaveCriticalSection( &SetDeferLock );
196
197	return TRUE;
198	}
199
200	BOOL ProcessDefer(PDWORD dwDirectoryCount, PDWORD dwBytesProcessed,
201	PDWORD dwDirectoryFail, PDWORD dwBytesFail)
202	{
203	PDEFERRED_SET This;
204	PDEFERRED_SET Next;
205
206	*dwDirectoryCount = 0;
207	*dwBytesProcessed = 0;
208
209	*dwDirectoryFail = 0;
210	*dwBytesFail = 0;
211
212	if(!bInitialized) return TRUE; /* nothing to do */
213
214	EnterCriticalSection( &SetDeferLock );
215
216	This = pSetHead;
217
218	while(This) {
219
220	if(SecuritySet(This->resource, This->VolumeCaps, This->buffer)) {
221	(*dwDirectoryCount)++;
222	*dwBytesProcessed +=
223	GetSecurityDescriptorLength((PSECURITY_DESCRIPTOR)This->buffer);
224	} else {
225	(*dwDirectoryFail)++;
226	*dwBytesFail +=
227	GetSecurityDescriptorLength((PSECURITY_DESCRIPTOR)This->buffer);
228	}
229
230	Next = This->Next;
231	HeapFree(GetProcessHeap(), 0, This);
232	This = Next;
233	}
234
235	pSetHead = NULL;
236
237	LeaveCriticalSection( &SetDeferLock );
238
239	return TRUE;
240	}
241
242	BOOL ValidateSecurity(uch *securitydata)
243	{
244	PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)securitydata;
245	PACL pAcl;
246	PSID pSid;
247	BOOL bAclPresent;
248	BOOL bDefaulted;
249
250	if(!IsWinNT()) return TRUE; /* don't do anything if not on WinNT */
251
252	if(!IsValidSecurityDescriptor(sd)) return FALSE;
253
254	/* verify Dacl integrity */
255
256	if(!GetSecurityDescriptorDacl(sd, &bAclPresent, &pAcl, &bDefaulted))
257	return FALSE;
258
259	if(bAclPresent) {
260	if(!IsValidAcl(pAcl)) return FALSE;
261	}
262
263	/* verify Sacl integrity */
264
265	if(!GetSecurityDescriptorSacl(sd, &bAclPresent, &pAcl, &bDefaulted))
266	return FALSE;
267
268	if(bAclPresent) {
269	if(!IsValidAcl(pAcl)) return FALSE;
270	}
271
272	/* verify owner integrity */
273
274	if(!GetSecurityDescriptorOwner(sd, &pSid, &bDefaulted))
275	return FALSE;
276
277	if(pSid != NULL) {
278	if(!IsValidSid(pSid)) return FALSE;
279	}
280
281	/* verify group integrity */
282
283	if(!GetSecurityDescriptorGroup(sd, &pSid, &bDefaulted))
284	return FALSE;
285
286	if(pSid != NULL) {
287	if(!IsValidSid(pSid)) return FALSE;
288	}
289
290	return TRUE;
291	}
292
293	static VOID GetRemotePrivilegesSet(char *FileName, PDWORD dwRemotePrivileges)
294	{
295	HANDLE hFile;
296
297	*dwRemotePrivileges = 0;
298
299	/* see if we have the SeRestorePrivilege */
300
301	hFile = CreateFileA(
302	FileName,
303	ACCESS_SYSTEM_SECURITY \| WRITE_DAC \| WRITE_OWNER \| READ_CONTROL,
304	FILE_SHARE_READ \| FILE_SHARE_DELETE, /* no sd updating allowed here */
305	NULL,
306	OPEN_EXISTING,
307	FILE_FLAG_BACKUP_SEMANTICS,
308	NULL
309	);
310
311	if(hFile != INVALID_HANDLE_VALUE) {
312	/* no remote way to determine SeRestorePrivilege -- just try a
313	read/write to simulate it */
314	SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION \|
315	SACL_SECURITY_INFORMATION \| OWNER_SECURITY_INFORMATION \|
316	GROUP_SECURITY_INFORMATION;
317	PSECURITY_DESCRIPTOR sd;
318	DWORD cbBuf = 0;
319
320	GetKernelObjectSecurity(hFile, si, NULL, cbBuf, &cbBuf);
321
322	if(ERROR_INSUFFICIENT_BUFFER == GetLastError()) {
323	if((sd = HeapAlloc(GetProcessHeap(), 0, cbBuf)) != NULL) {
324	if(GetKernelObjectSecurity(hFile, si, sd, cbBuf, &cbBuf)) {
325	if(SetKernelObjectSecurity(hFile, si, sd))
326	*dwRemotePrivileges \|= OVERRIDE_RESTORE;
327	}
328	HeapFree(GetProcessHeap(), 0, sd);
329	}
330	}
331
332	CloseHandle(hFile);
333	} else {
334
335	/* see if we have the SeSecurityPrivilege */
336	/* note we don't need this if we have SeRestorePrivilege */
337
338	hFile = CreateFileA(
339	FileName,
340	ACCESS_SYSTEM_SECURITY,
341	FILE_SHARE_READ \| FILE_SHARE_WRITE \| FILE_SHARE_DELETE, /* max */
342	NULL,
343	OPEN_EXISTING,
344	0,
345	NULL
346	);
347
348	if(hFile != INVALID_HANDLE_VALUE) {
349	CloseHandle(hFile);
350	*dwRemotePrivileges \|= OVERRIDE_SACL;
351	}
352	}
353	}
354
355
356	BOOL GetVolumeCaps(
357	char rootpath, / filepath, or NULL */
358	char name, / filename associated with rootpath */
359	PVOLUMECAPS VolumeCaps /* result structure describing capabilities */
360	)
361	{
362	char TempRootPath[MAX_PATH + 1];
363	DWORD cchTempRootPath = 0;
364	BOOL bSuccess = TRUE; /* assume success until told otherwise */
365
366	if(!bInitialized) if(!Initialize()) return FALSE;
367
368	/* process the input path to produce a consistent path suitable for
369	compare operations and also suitable for certain picky Win32 API
370	that don't like forward slashes */
371
372	if(rootpath != NULL && rootpath[0] != '\0') {
373	DWORD i;
374
375	cchTempRootPath = lstrlen(rootpath);
376	if(cchTempRootPath > MAX_PATH) return FALSE;
377
378	/* copy input, converting forward slashes to back slashes as we go */
379
380	for(i = 0 ; i <= cchTempRootPath ; i++) {
381	if(rootpath[i] == '/') TempRootPath[i] = '\\';
382	else TempRootPath[i] = rootpath[i];
383	}
384
385	/* check for UNC and Null terminate or append trailing \ as
386	appropriate */
387
388	/* possible valid UNCs we are passed follow:
389	\\machine\foo\bar (path is \\machine\foo\)
390	\\machine\foo (path is \\machine\foo\)
391	\\machine\foo\
392	\\.\c$\ (FIXFIX: Win32API doesn't like this - GetComputerName())
393	LATERLATER: handling mounted DFS drives in the future will require
394	slightly different logic which isn't available today.
395	This is required because directories can point at
396	different servers which have differing capabilities.
397	*/
398
399	if(TempRootPath[0] == '\\' && TempRootPath[1] == '\\') {
400	DWORD slash = 0;
401
402	for(i = 2 ; i < cchTempRootPath ; i++) {
403	if(TempRootPath[i] == '\\') {
404	slash++;
405
406	if(slash == 2) {
407	i++;
408	TempRootPath[i] = '\0';
409	cchTempRootPath = i;
410	break;
411	}
412	}
413	}
414
415	/* if there was only one slash found, just tack another onto the
416	end */
417
418	if(slash == 1 && TempRootPath[cchTempRootPath] != '\\') {
419	TempRootPath[cchTempRootPath] = TempRootPath[0]; /* '\' */
420	TempRootPath[cchTempRootPath+1] = '\0';
421	cchTempRootPath++;
422	}
423
424	} else {
425
426	if(TempRootPath[1] == ':') {
427
428	/* drive letter specified, truncate to root */
429	TempRootPath[2] = '\\';
430	TempRootPath[3] = '\0';
431	cchTempRootPath = 3;
432	} else {
433
434	/* must be file on current drive */
435	TempRootPath[0] = '\0';
436	cchTempRootPath = 0;
437	}
438
439	}
440
441	} /* if path != NULL */
442
443	/* grab lock protecting cached entry */
444	EnterCriticalSection( &VolumeCapsLock );
445
446	if(!g_VolumeCaps.bValid \|\|
447	lstrcmpi(g_VolumeCaps.RootPath, TempRootPath) != 0)
448	{
449
450	/* no match found, build up new entry */
451
452	DWORD dwFileSystemFlags;
453	DWORD dwRemotePrivileges = 0;
454	BOOL bRemote = FALSE;
455
456	/* release lock during expensive operations */
457	LeaveCriticalSection( &VolumeCapsLock );
458
459	bSuccess = GetVolumeInformation(
460	(TempRootPath[0] == '\0') ? NULL : TempRootPath,
461	NULL, 0,
462	NULL, NULL,
463	&dwFileSystemFlags,
464	NULL, 0);
465
466
467	/* only if target volume supports Acls, and we were told to use
468	privileges do we need to go out and test for the remote case */
469
470	if(bSuccess && (dwFileSystemFlags & FS_PERSISTENT_ACLS) &&
471	VolumeCaps->bUsePrivileges)
472	{
473	if(GetDriveType( (TempRootPath[0] == '\0') ? NULL : TempRootPath )
474	== DRIVE_REMOTE)
475	{
476	bRemote = TRUE;
477
478	/* make a determination about our remote capabilities */
479
480	GetRemotePrivilegesSet(name, &dwRemotePrivileges);
481	}
482	}
483
484	/* always take the lock again, since we release it below */
485	EnterCriticalSection( &VolumeCapsLock );
486
487	/* replace the existing data if successful */
488	if(bSuccess) {
489
490	lstrcpynA(g_VolumeCaps.RootPath, TempRootPath, cchTempRootPath+1);
491	g_VolumeCaps.bProcessDefer = FALSE;
492	g_VolumeCaps.dwFileSystemFlags = dwFileSystemFlags;
493	g_VolumeCaps.bRemote = bRemote;
494	g_VolumeCaps.dwRemotePrivileges = dwRemotePrivileges;
495	g_VolumeCaps.bValid = TRUE;
496	}
497	}
498
499	if(bSuccess) {
500	/* copy input elements */
501	g_VolumeCaps.bUsePrivileges = VolumeCaps->bUsePrivileges;
502	g_VolumeCaps.dwFileAttributes = VolumeCaps->dwFileAttributes;
503
504	/* give caller results */
505	memcpy(VolumeCaps, &g_VolumeCaps, sizeof(VOLUMECAPS));
506	} else {
507	g_VolumeCaps.bValid = FALSE;
508	}
509
510	LeaveCriticalSection( &VolumeCapsLock ); /* release lock */
511
512	return bSuccess;
513	}
514
515
516	BOOL SecuritySet(char resource, PVOLUMECAPS VolumeCaps, uch securitydata)
517	{
518	HANDLE hFile;
519	DWORD dwDesiredAccess = 0;
520	DWORD dwFlags = 0;
521	PSECURITY_DESCRIPTOR sd = (PSECURITY_DESCRIPTOR)securitydata;
522	SECURITY_DESCRIPTOR_CONTROL sdc;
523	SECURITY_INFORMATION RequestedInfo = 0;
524	DWORD dwRev;
525	BOOL bRestorePrivilege = FALSE;
526	BOOL bSaclPrivilege = FALSE;
527	BOOL bSuccess;
528
529	if(!bInitialized) if(!Initialize()) return FALSE;
530
531	/* defer directory processing */
532
533	if(VolumeCaps->dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
534	if(!VolumeCaps->bProcessDefer) {
535	return DeferSet(resource, VolumeCaps, securitydata);
536	} else {
537	/* opening a directory requires FILE_FLAG_BACKUP_SEMANTICS */
538	dwFlags \|= FILE_FLAG_BACKUP_SEMANTICS;
539	}
540	}
541
542	/* evaluate the input security desriptor and act accordingly */
543
544	if(!IsValidSecurityDescriptor(sd))
545	return FALSE;
546
547	if(!GetSecurityDescriptorControl(sd, &sdc, &dwRev))
548	return FALSE;
549
550	/* setup privilege usage based on if told we can use privileges, and if so,
551	what privileges we have */
552
553	if(VolumeCaps->bUsePrivileges) {
554	if(VolumeCaps->bRemote) {
555	/* use remotely determined privileges */
556	if(VolumeCaps->dwRemotePrivileges & OVERRIDE_RESTORE)
557	bRestorePrivilege = TRUE;
558
559	if(VolumeCaps->dwRemotePrivileges & OVERRIDE_SACL)
560	bSaclPrivilege = TRUE;
561
562	} else {
563	/* use local privileges */
564	bRestorePrivilege = g_bRestorePrivilege;
565	bSaclPrivilege = g_bSaclPrivilege;
566	}
567	}
568
569
570	/* if a Dacl is present write Dacl out */
571	/* if we have SeRestorePrivilege, write owner and group info out */
572
573	if(sdc & SE_DACL_PRESENT) {
574	dwDesiredAccess \|= WRITE_DAC;
575	RequestedInfo \|= DACL_SECURITY_INFORMATION;
576
577	if(bRestorePrivilege) {
578	dwDesiredAccess \|= WRITE_OWNER;
579	RequestedInfo \|= (OWNER_SECURITY_INFORMATION \|
580	GROUP_SECURITY_INFORMATION);
581	}
582	}
583
584	/* if a Sacl is present and we have either SeRestorePrivilege or
585	SeSystemSecurityPrivilege try to write Sacl out */
586
587	if((sdc & SE_SACL_PRESENT) && (bRestorePrivilege \|\| bSaclPrivilege)) {
588	dwDesiredAccess \|= ACCESS_SYSTEM_SECURITY;
589	RequestedInfo \|= SACL_SECURITY_INFORMATION;
590	}
591
592	if(RequestedInfo == 0) /* nothing to do */
593	return FALSE;
594
595	if(bRestorePrivilege)
596	dwFlags \|= FILE_FLAG_BACKUP_SEMANTICS;
597
598	hFile = CreateFileA(
599	resource,
600	dwDesiredAccess,
601	FILE_SHARE_READ \| FILE_SHARE_WRITE \| FILE_SHARE_DELETE,/* max sharing */
602	NULL,
603	OPEN_EXISTING,
604	dwFlags,
605	NULL
606	);
607
608	if(hFile == INVALID_HANDLE_VALUE)
609	return FALSE;
610
611	bSuccess = SetKernelObjectSecurity(hFile, RequestedInfo, sd);
612
613	CloseHandle(hFile);
614
615	return bSuccess;
616	}
617
618	static VOID InitLocalPrivileges(VOID)
619	{
620	HANDLE hToken;
621	TOKEN_PRIVILEGES tp;
622
623	/* try to enable some interesting privileges that give us the ability
624	to get some security information that we normally cannot.
625
626	note that enabling privileges is only relevant on the local machine;
627	when accessing files that are on a remote machine, any privileges
628	that are present on the remote machine get enabled by default. */
629
630	if(!OpenProcessToken(GetCurrentProcess(),
631	TOKEN_QUERY \| TOKEN_ADJUST_PRIVILEGES, &hToken))
632	return;
633
634	tp.PrivilegeCount = 1;
635	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
636
637	if(LookupPrivilegeValue(NULL, SE_RESTORE_NAME, &tp.Privileges[0].Luid)) {
638
639	/* try to enable SeRestorePrivilege; if this succeeds, we can write
640	all aspects of the security descriptor */
641
642	if(AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) &&
643	GetLastError() == ERROR_SUCCESS) g_bRestorePrivilege = TRUE;
644
645	}
646
647	/* try to enable SeSystemSecurityPrivilege, if SeRestorePrivilege not
648	present; if this succeeds, we can write the Sacl */
649
650	if(!g_bRestorePrivilege &&
651	LookupPrivilegeValue(NULL, SE_SECURITY_NAME, &tp.Privileges[0].Luid)) {
652
653	if(AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL) &&
654	GetLastError() == ERROR_SUCCESS) g_bSaclPrivilege = TRUE;
655	}
656
657	CloseHandle(hToken);
658	}
659	#endif /* NTSD_EAS */