Fixed ICE-5678: replaced call to GetEffectiveRightsFromAcl by call to AutzAccessCheck

author: Bernard Normier <bernard@zeroc.com> 2014-09-15 16:23:07 -0400
committer: Bernard Normier <bernard@zeroc.com> 2014-09-15 16:23:07 -0400
commit: 2a9fb812a596dac6b2c1debfcbb2e0d415f5011a (patch)
tree: b88fe9f87c582915372666675d6763cd8dbd1cef /cpp/src
parent: Fixed Glacier2 typo, we were checking the Glacier.InstanceName property inste... (diff)
download: ice-2a9fb812a596dac6b2c1debfcbb2e0d415f5011a.tar.bz2
ice-2a9fb812a596dac6b2c1debfcbb2e0d415f5011a.tar.xz
ice-2a9fb812a596dac6b2c1debfcbb2e0d415f5011a.zip
2 files changed, 57 insertions, 25 deletions
diff --git a/cpp/src/iceserviceinstall/Makefile.mak b/cpp/src/iceserviceinstall/Makefile.mak
index f665f118965..cdf7b71bbdd 100755
--- a/cpp/src/iceserviceinstall/Makefile.mak
+++ b/cpp/src/iceserviceinstall/Makefile.mak
@@ -22,7 +22,7 @@ SRCS		= $(OBJS:.obj=.cpp)
 
 CPPFLAGS	= -I. -I.. $(CPPFLAGS) -DWIN32_LEAN_AND_MEAN
 
-LINKWITH	= /MANIFEST /MANIFESTUAC:"level='requireAdministrator' uiAccess='false'" $(LIBS)
+LINKWITH	= /MANIFEST /MANIFESTUAC:"level='requireAdministrator' uiAccess='false'" authz.lib $(LIBS)
 
 !if "$(GENERATE_PDB)" == "yes"
 PDBFLAGS       = /pdb:$(TOOL:.exe=.pdb)
diff --git a/cpp/src/iceserviceinstall/ServiceInstaller.cpp b/cpp/src/iceserviceinstall/ServiceInstaller.cpp
index 714a4b695a4..8766e3fbdbe 100644
--- a/cpp/src/iceserviceinstall/ServiceInstaller.cpp
+++ b/cpp/src/iceserviceinstall/ServiceInstaller.cpp
@@ -7,13 +7,13 @@
 //
 // **********************************************************************
 
-#include <IceUtil/DisableWarnings.h>
 #include <ServiceInstaller.h>
 #include <IceUtil/StringUtil.h>
 #include <IceUtil/FileUtil.h>
 
 #include <Aclapi.h>
 #include <Sddl.h>
+#include <authz.h>
 
 using namespace std;
 using namespace Ice;
@@ -49,7 +49,6 @@ IceServiceInstaller::IceServiceInstaller(int serviceType, const string& configFi
     _sid(0),
     _debug(false)
 {
-
     _serviceProperties->load(_configFile);
 
     //
@@ -505,7 +504,8 @@ IceServiceInstaller::fileExists(const string& path) const
         }
         else
         {
-            const char* msg = strerror(errno);
+            char msg[128];
+            strerror_s(msg, 128, errno);
             throw "Problem with " + path + ": " + msg;
         }
     }
@@ -514,38 +514,67 @@ IceServiceInstaller::fileExists(const string& path) const
 void
 IceServiceInstaller::grantPermissions(const string& path, SE_OBJECT_TYPE type, bool inherit, bool fullControl) const
 {
+    if(_debug)
+    {
+        Trace trace(_communicator->getLogger(), "IceServiceInstaller");
+        trace << "Granting access on " << path << " to " << _sidName;
+    }
+
     //
     // First retrieve the ACL for our file/directory/key
     //
-    PACL acl = 0;
+    PACL acl = 0; // will point to memory in sd
     PACL newAcl = 0;
     PSECURITY_DESCRIPTOR sd = 0;
-    //
-    // We don't support to use a string converter with this tool, so don't need to
-    // use string converters in calls to stringToWstring.
-    //
+
+    AUTHZ_RESOURCE_MANAGER_HANDLE manager = 0;
+    AUTHZ_CLIENT_CONTEXT_HANDLE clientContext = 0;
+
+    SECURITY_INFORMATION flags = DACL_SECURITY_INFORMATION | OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION;
+
     DWORD res = GetNamedSecurityInfoW(const_cast<wchar_t*>(IceUtil::stringToWstring(path).c_str()), type,
-                                      DACL_SECURITY_INFORMATION, 0, 0, &acl, 0, &sd);
+                                      flags, 0, 0, &acl, 0, &sd);
     if(res != ERROR_SUCCESS)
     {
         throw "Could not retrieve securify info for " + path + ": " + IceUtilInternal::errorToString(res);
     }
 
+    //
+    // Now check if _sid can access this file/dir/key
+    //
     try
     {
-        //
-        // Now check if _sid can read this file/dir/key
-        //
-        TRUSTEE_W trustee;
-        BuildTrusteeWithSidW(&trustee, _sid);
+        if(!AuthzInitializeResourceManager(AUTHZ_RM_FLAG_NO_AUDIT, 0, 0, 0, 0, &manager))
+        {
+            throw "AutzInitializeResourceManager failed: " + IceUtilInternal::lastErrorToString();
+        }
+
+        LUID unusedId = { 0 };
+        
+        if(!AuthzInitializeContextFromSid(0, _sid, manager, 0, unusedId, 0, &clientContext))
+        {
+            throw "AuthzInitializeContextFromSid failed: " + IceUtilInternal::lastErrorToString();
+        }
+
+        AUTHZ_ACCESS_REQUEST accessRequest = { 0 }; 
+        accessRequest.DesiredAccess = MAXIMUM_ALLOWED;
+        accessRequest.PrincipalSelfSid = 0;
+        accessRequest.ObjectTypeList = 0;
+        accessRequest.ObjectTypeListLength = 0;
+        accessRequest.OptionalArguments = 0; 
 
         ACCESS_MASK accessMask = 0;
-        res = GetEffectiveRightsFromAclW(acl, &trustee, &accessMask);
+        DWORD accessUnused = 0;
+        DWORD accessError = 0;
+        AUTHZ_ACCESS_REPLY accessReply = { 0 };
+        accessReply.ResultListLength = 1;
+        accessReply.GrantedAccessMask = &accessMask;
+        accessReply.SaclEvaluationResults = &accessUnused;
+        accessReply.Error = &accessError;
 
-        if(res != ERROR_SUCCESS)
+        if(!AuthzAccessCheck(0, clientContext, &accessRequest, 0, sd, 0, 0, &accessReply, 0))
         {
-            throw "Could not retrieve effective rights for " + _sidName + " on " + path + ": " + 
-                  IceUtilInternal::errorToString(res);
+            throw "AuthzAccessCheck failed: " + IceUtilInternal::lastErrorToString();
         }
 
         bool done = false;
@@ -563,7 +592,7 @@ IceServiceInstaller::grantPermissions(const string& path, SE_OBJECT_TYPE type, b
         }
         else
         {
-            done = (accessMask & READ_CONTROL);
+            done = (accessMask & READ_CONTROL) != 0;
         }
 
         if(done)
@@ -595,6 +624,9 @@ IceServiceInstaller::grantPermissions(const string& path, SE_OBJECT_TYPE type, b
             {
                 ea.grfInheritance = NO_INHERITANCE;
             }
+            
+            TRUSTEE_W trustee;
+            BuildTrusteeWithSidW(&trustee, _sid);
             ea.Trustee = trustee;
 
             //
@@ -605,11 +637,7 @@ IceServiceInstaller::grantPermissions(const string& path, SE_OBJECT_TYPE type, b
             {
                 throw "Could not modify ACL for " + path + ": " + IceUtilInternal::errorToString(res);
             }
-
-            //
-            // We don't support to use a string converter with this tool, so don't need to
-            // use string converters in calls to stringToWstring.
-            //
+            
             res = SetNamedSecurityInfoW(const_cast<wchar_t*>(IceUtil::stringToWstring(path).c_str()), type,
                                         DACL_SECURITY_INFORMATION, 0, 0, newAcl, 0);
             if(res != ERROR_SUCCESS)
@@ -627,11 +655,15 @@ IceServiceInstaller::grantPermissions(const string& path, SE_OBJECT_TYPE type, b
     }
     catch(...)
     {
+        AuthzFreeResourceManager(manager);
+        AuthzFreeContext(clientContext);
         LocalFree(sd);
         LocalFree(newAcl);
         throw;
     }
 
+    AuthzFreeResourceManager(manager);
+    AuthzFreeContext(clientContext);
     LocalFree(sd);
     LocalFree(newAcl);
 }
author	Bernard Normier <bernard@zeroc.com>	2014-09-15 16:23:07 -0400
committer	Bernard Normier <bernard@zeroc.com>	2014-09-15 16:23:07 -0400
commit	2a9fb812a596dac6b2c1debfcbb2e0d415f5011a (patch)
tree	b88fe9f87c582915372666675d6763cd8dbd1cef /cpp/src
parent	Fixed Glacier2 typo, we were checking the Glacier.InstanceName property inste... (diff)
download	ice-2a9fb812a596dac6b2c1debfcbb2e0d415f5011a.tar.bz2 ice-2a9fb812a596dac6b2c1debfcbb2e0d415f5011a.tar.xz ice-2a9fb812a596dac6b2c1debfcbb2e0d415f5011a.zip