Jump to content
  • Advertisement

Archived

This topic is now archived and is closed to further replies.

the_grip

Win32 Security Programming question

This topic is 6133 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

If you intended to correct an error in the post then please contact us.

Recommended Posts

We have two Citrix servers running on NT 4.0 Term Server. One of these servers is an old server that we are trying to migrate to the other (new) server. Currently, there are some products installed that function fine on the old server, but on the new server only Admins can run them. This obviously is a security issue, as we lock down the computers pretty tightly. Here are my questions… 1. Is there a program out there that will compare directory and file security between two drives or computers? 2. I am writing my own program for #1 in the meantime, but I am having trouble iterating through all the ACEs in the ACLs for each directory or file. I get a pointer to the SID in each ACE, but when I try to look up the groups or users I get junk responses. I did a GetLastError and found the error code to be 998 (ERROR_NOACCESS – Invalid access to memory location). Here is the relevant code snippet below: (right now I’m focusing on directories exclusively)
      
CString ProcessItemSecurity(DIRECTORYINFO **pDirInfo)
{
	DIRECTORYINFO *pDir = *pDirInfo;
	CString sReturnValue =pDir->m_sDirectoryPath + "\n\t";
	DWORD FType = pDir->FType;
	TCHAR sUsrNm [ACCT_NAME_SIZE], sGrpNm [ACCT_NAME_SIZE];
	TCHAR  PermString [] = _T("---------");
	const TCHAR RWX [] = {'r','w','x'}, FileTypeChar [] = {' ','d'};	
	LPCSTR lpFileName = pDir->m_sDirectoryPath;
	PSECURITY_DESCRIPTOR pSD = NULL;
	DWORD LenNeeded, PBits, iAce;
	BOOL DaclF, AclDefF, OwnerDefF, GroupDefF;
	BYTE DAcl [ACL_SIZE];
	PACL pAcl = (PACL) &DAcl;
	ACL_SIZE_INFORMATION ASizeInfo;
	PACCESS_ALLOWED_ACE pAce;
	BYTE AType;
	HANDLE ProcHeap = GetProcessHeap ();
	PSID pOwnerSid, pGroupSid;
	TCHAR RefDomain [2] [DOM_SIZE];
	DWORD RefDomCnt [2] = {DOM_SIZE, DOM_SIZE};
	DWORD AcctSize [2] = {ACCT_NAME_SIZE, ACCT_NAME_SIZE};
	SID_NAME_USE sNamUse [] = {SidTypeUser, SidTypeGroup};

	GetFileSecurity(lpFileName, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
		pSD, 0, &LenNeeded); //get the size needed for the PSECURITY_DESCRIPTOR

	pSD = HeapAlloc(ProcHeap, HEAP_GENERATE_EXCEPTIONS, LenNeeded);
	
	GetFileSecurity(lpFileName, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
		pSD, LenNeeded, &LenNeeded); //now we have the size needed, so get the PSECURITY_DESCRIPTOR

	GetSecurityDescriptorDacl(pSD, &DaclF, &pAcl, &AclDefF); //get the DACL

	if(pAcl!=NULL)
	{
		GetAclInformation(pAcl, &ASizeInfo, sizeof(ACL_SIZE_INFORMATION), AclSizeInformation);  //get ACL info

	
		//Compute the permissions from the ACL...

		PBits = 0;
		for(iAce = 0; iAce<ASizeInfo.AceCount; iAce++)
		{
			GetAce(pAcl, iAce, (LPVOID*)&pAce);
			AType = pAce->Header.AceType;
			if(AType==ACCESS_ALLOWED_ACE_TYPE)
				PBits |= (0x1 << (8-iAce));  //in octal


			if(PBits==0xFFFFFFFF) PBits = 0;
			for (int i = 0; i < 9; i++) 
			{
				if ((PBits / (1 << (8 - i)) % 2) == 1)
				PermString [i] = RWX [i % 3];
			}
			
			pSD=(PSID)&((PACCESS_ALLOWED_ACE)pAce)->SidStart;
			GetSecurityDescriptorOwner(pSD, &pOwnerSid, &OwnerDefF);
			GetSecurityDescriptorGroup(pSD, &pGroupSid, &GroupDefF);
***************here are where the errors creep in (error 998)
			LookupAccountSid(NULL, pOwnerSid, sUsrNm, &AcctSize[0], RefDomain[0], &RefDomCnt[0], &sNamUse[0]);
			LookupAccountSid(NULL, pGroupSid, sGrpNm, &AcctSize[1], RefDomain[1], &RefDomCnt[1], &sNamUse[1]);
			//_tprintf (_T ("%c%s %s %s"), FileTypeChar[FType-1], PermString, sUsrNm, sGrpNm);

			sReturnValue += FileTypeChar[FType-1];
			sReturnValue += PermString;
			sReturnValue += " ";
			sReturnValue += sUsrNm;
			sReturnValue += " ";
			sReturnValue += sGrpNm;
			sReturnValue += "\n\t";
			_tprintf("%s", sReturnValue);

		}
	}
	else
	{
		PBits = 0;
		//Find the name of the owner and owning group...

		GetSecurityDescriptorOwner(pSD, &pOwnerSid, &OwnerDefF);
		GetSecurityDescriptorGroup(pSD, &pGroupSid, &GroupDefF);
		LookupAccountSid(NULL, pOwnerSid, sUsrNm, &AcctSize[0], RefDomain[0], &RefDomCnt[0], &sNamUse[0]);
		LookupAccountSid(NULL, pGroupSid, sGrpNm, &AcctSize[1], RefDomain[1], &RefDomCnt[1], &sNamUse[1]);
		if(PBits==0xFFFFFFFF) PBits = 0;
		sReturnValue += FileTypeChar[FType-1];
		sReturnValue += PermString;
		sReturnValue += " ";
		sReturnValue += sUsrNm;
		sReturnValue += " ";
		sReturnValue += sGrpNm;
		sReturnValue += "\n\t";
	}
//	CString sItemType = "Item Type: ";

//	if(pDir->FType==TYPE_DIR) sItemType += "Directory";

//	else if(pDir->FType==TYPE_FILE) sItemType += "File";

//

//						 + sSeparator + " "

//						 + sItemType + " " 

//						 + sSeparator + " " 

//						 + sAccess + " "

//						 + sUserString + " "

//						 + sUsrNm + " "

//						 + sSeparator + " "

//						 + sGroupString + " "

//						 + sGrpNm + "\n";

//	if(bVerboseOutput) _tprintf(_T("%s %s %s %s %s %s %s %s %s %s\n"), &pDir->m_sDirectoryPath, sSeparator, sItemType, sSeparator, sAccess, sUserString, sUsrNm, sSeparator, sGroupString, sGrpNm);

	if(bVerboseOutput) _tprintf(_T("%s\n"), sReturnValue);
//	getc(stdin);

	HeapFree (ProcHeap, 0, pSD);
	return sReturnValue;
}
    
3. Lastly, how do i obtain sharing info? Thanks!!!! Edited by - the_grip on September 7, 2001 12:10:02 PM

Share this post


Link to post
Share on other sites
Advertisement

  • Advertisement
×

Important Information

By using GameDev.net, you agree to our community Guidelines, Terms of Use, and Privacy Policy.

Participate in the game development conversation and more when you create an account on GameDev.net!

Sign me up!