Some Windows system functions (Некоторые системные функции Windows.doc)
Added: 28.06.2014
1. Checking and obtaining a subject's access rights to an object

The AccessCheck function is used by a server application to check a client's access to an object against the access control associated with the object.

BOOL AccessCheck(
    PSECURITY_DESCRIPTOR pSecurityDescriptor, // pointer to security descriptor
    HANDLE ClientToken,                       // handle to client access token
    DWORD DesiredAccess,                      // access mask to request
    PGENERIC_MAPPING GenericMapping,          // address of generic-mapping structure
    PPRIVILEGE_SET PrivilegeSet,              // address of privilege-set structure
    LPDWORD PrivilegeSetLength,               // size of privilege-set structure
    LPDWORD GrantedAccess,                    // address of granted access mask
    LPBOOL AccessStatus                       // address of flag indicating whether access granted
);

The GENERIC_MAPPING structure defines the mapping of generic access rights to specific and standard access rights for an object. When a client application requests generic access to an object, that request is mapped to the access rights defined in this structure.

typedef struct _GENERIC_MAPPING { // gm
    ACCESS_MASK GenericRead;
    ACCESS_MASK GenericWrite;
    ACCESS_MASK GenericExecute;
    ACCESS_MASK GenericAll;
} GENERIC_MAPPING;

The ACCESS_MASK structure is one doubleword value containing standard, specific, and generic rights. These rights are used in access-control entries (ACEs) and are the primary means of specifying the requested or granted access to an object.

typedef DWORD ACCESS_MASK;

The bits in this value are allocated as follows:

Bits     Meaning
0-15     Specific rights. Contains the access mask specific to the object type associated with the mask.
16-23    Standard rights. Contains the object's standard access rights and can be a combination of the following predefined flags:

         Bit  Flag          Meaning
         16   DELETE        Delete access
         17   READ_CONTROL  Read access to the owner, group, and discretionary access-control list (ACL) of the security descriptor
         18   WRITE_DAC     Write access to the discretionary access-control list (ACL)
         19   WRITE_OWNER   Write access to owner
         20   SYNCHRONIZE   Windows NT: Synchronize access

24       Access system security (ACCESS_SYSTEM_SECURITY). This flag is not a typical access type. It is used to indicate access to a system ACL. This type of access requires the calling process to have a specific privilege.
25       Maximum allowed (MAXIMUM_ALLOWED)
26-27    Reserved
28       Generic all (GENERIC_ALL)
29       Generic execute (GENERIC_EXECUTE)
30       Generic write (GENERIC_WRITE)
31       Generic read (GENERIC_READ)

The PRIVILEGE_SET structure specifies a set of privileges. It is also used to indicate which, if any, privileges are held by a user or group requesting access to an object.

typedef struct _PRIVILEGE_SET { // ps
    DWORD PrivilegeCount;
    DWORD Control;
    LUID_AND_ATTRIBUTES Privilege[ANYSIZE_ARRAY];
} PRIVILEGE_SET;

The MapGenericMask function maps the generic access rights in an access mask to specific and standard access rights. The function applies a mapping supplied in a GENERIC_MAPPING structure.

VOID MapGenericMask(
    PDWORD AccessMask,               // address of access mask
    PGENERIC_MAPPING GenericMapping  // address of GENERIC_MAPPING structure
);

The AreAnyAccessesGranted function tests whether any of a set of requested access rights has been granted. The access rights are represented as bit flags in a 32-bit access mask.

BOOL AreAnyAccessesGranted(
    DWORD GrantedAccess, // access mask for granted access rights
    DWORD DesiredAccess  // access mask for access rights requested
);

The AreAllAccessesGranted function checks whether a set of requested access rights has been granted. The access rights are represented as bit flags in a 32-bit access mask.

BOOL AreAllAccessesGranted(
    DWORD GrantedAccess, // access mask for granted access rights
    DWORD DesiredAccess  // access mask for requested access rights
);
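To make the relationship between the ACCESS_MASK bit layout, MapGenericMask and the result of AccessCheck concrete, here is a portable C model written for this page (it is not code from the document and does not call the Win32 API). It mirrors the semantics: generic bits are replaced by the GENERIC_MAPPING before the check, ACEs are walked in order, and a matching deny ACE for any outstanding right refuses the whole request. Assumptions: the OBJ_* rights and the integer SIDs are constructed stand-ins, and owner rights, MAXIMUM_ALLOWED and privileges are not modelled.

```c
/* Portable model of the generic-rights mapping and the DACL walk behind AccessCheck
   (constructed example; the constants follow the ACCESS_MASK bit layout described above). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
typedef uint32_t ACCESS_MASK;
#define READ_CONTROL    0x00020000u  /* standard right, bit 17 */
#define GENERIC_ALL     0x10000000u  /* generic rights, bits 28-31 */
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_WRITE   0x40000000u
#define GENERIC_READ    0x80000000u
#define GENERIC_BITS    (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | GENERIC_ALL)
#define OBJ_READ_DATA   0x0001u      /* constructed object-specific rights, bits 0-15 */
#define OBJ_WRITE_DATA  0x0002u
typedef struct { ACCESS_MASK GenericRead, GenericWrite, GenericExecute, GenericAll; } GENERIC_MAPPING;
typedef struct { bool allow; int sid; ACCESS_MASK mask; } ACE;  /* one DACL entry; SIDs are plain ints here */

/* Same semantics as MapGenericMask: every generic bit is replaced by its mapping. */
ACCESS_MASK map_generic_mask(ACCESS_MASK m, const GENERIC_MAPPING *gm) {
    if (m & GENERIC_READ)    m |= gm->GenericRead;
    if (m & GENERIC_WRITE)   m |= gm->GenericWrite;
    if (m & GENERIC_EXECUTE) m |= gm->GenericExecute;
    if (m & GENERIC_ALL)     m |= gm->GenericAll;
    return m & ~GENERIC_BITS;
}
bool are_all_accesses_granted(ACCESS_MASK granted, ACCESS_MASK desired) { return (granted & desired) == desired; }
bool are_any_accesses_granted(ACCESS_MASK granted, ACCESS_MASK desired) { return (granted & desired) != 0; }

static bool token_has(const int *sids, size_t n, int sid) {
    for (size_t i = 0; i < n; i++) if (sids[i] == sid) return true;
    return false;
}
/* Simplified AccessCheck: ACEs are consulted in order, allow ACEs accumulate rights, and a
   deny ACE that covers any right still outstanding refuses the whole request (granted = 0).
   A NULL DACL grants everything, an empty DACL nothing; owner rights, MAXIMUM_ALLOWED and
   privileges are not modelled. Generic bits must be mapped first, as with the real call. */
bool access_check(const ACE *dacl, size_t n, const int *sids, size_t nsids,
                  ACCESS_MASK desired, ACCESS_MASK *granted) {
    ACCESS_MASK remaining = desired;
    *granted = 0;
    if (desired & GENERIC_BITS) return false;   /* real call fails with ERROR_GENERIC_NOT_MAPPED */
    if (dacl == NULL) { *granted = desired; return true; }
    for (size_t i = 0; i < n && remaining; i++) {
        if (!token_has(sids, nsids, dacl[i].sid)) continue;
        if (!dacl[i].allow) { if (dacl[i].mask & remaining) return false; }
        else remaining &= ~dacl[i].mask;
    }
    if (remaining) return false;
    *granted = desired; return true;
}
```

Because the walk stops as soon as nothing remains outstanding, a DACL that lists an allow ACE ahead of a deny ACE for the same right grants it, which is why Windows keeps DACLs in canonical order with deny ACEs first.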

The GetEffectiveRightsFromAcl function retrieves the effective access rights that an ACL allows for a specified trustee. The trustee's effective access rights are the access rights that the ACL grants to the trustee or to any groups of which the trustee is a member. The function does not consider the security privileges held by the trustee in determining the effective access rights.

DWORD GetEffectiveRightsFromAcl(
    PACL pacl,                  // ACL to get trustee's rights from
    PTRUSTEE pTrustee,          // trustee to get rights for
    PACCESS_MASK pAccessRights  // receives trustee's access rights
);

The LookupPrivilegeDisplayName function retrieves a displayable name representing a specified privilege.

BOOL LookupPrivilegeDisplayName(
    LPCTSTR lpSystemName,   // pointer to string specifying the system
    LPCTSTR lpName,         // pointer to string specifying the privilege
    LPTSTR lpDisplayName,   // pointer to string receiving the displayable name
    LPDWORD cbDisplayName,  // pointer to size of string for displayable name
    LPDWORD lpLanguageId    // pointer to language identifier
);

The LookupPrivilegeName function retrieves the name corresponding to the privilege represented on a specific system by a specified locally unique identifier (LUID).

BOOL LookupPrivilegeName(
    LPCTSTR lpSystemName, // address of string specifying the system
    PLUID lpLuid,         // address of locally unique identifier
    LPTSTR lpName,        // address of string receiving the privilege name
    LPDWORD cbName        // address of size of the privilege-name buffer
);

The LookupPrivilegeValue function retrieves the locally unique identifier (LUID) used on a specified system to locally represent the specified privilege name.

BOOL LookupPrivilegeValue(
    LPCTSTR lpSystemName, // address of string specifying the system
    LPCTSTR lpName,       // address of string specifying the privilege
    PLUID lpLuid          // address of locally unique identifier
);

////////////////////////////////////////////////////////////////////////
//                                                                    //
//                        NT Defined Privileges                       //
//                                                                    //
////////////////////////////////////////////////////////////////////////

#define SE_CREATE_TOKEN_NAME        TEXT("SeCreateTokenPrivilege")
#define SE_ASSIGNPRIMARYTOKEN_NAME  TEXT("SeAssignPrimaryTokenPrivilege")
#define SE_LOCK_MEMORY_NAME         TEXT("SeLockMemoryPrivilege")
#define SE_INCREASE_QUOTA_NAME      TEXT("SeIncreaseQuotaPrivilege")
#define SE_UNSOLICITED_INPUT_NAME   TEXT("SeUnsolicitedInputPrivilege")
#define SE_MACHINE_ACCOUNT_NAME     TEXT("SeMachineAccountPrivilege")
#define SE_TCB_NAME                 TEXT("SeTcbPrivilege")
#define SE_SECURITY_NAME            TEXT("SeSecurityPrivilege")
#define SE_TAKE_OWNERSHIP_NAME      TEXT("SeTakeOwnershipPrivilege")
#define SE_LOAD_DRIVER_NAME         TEXT("SeLoadDriverPrivilege")
#define SE_SYSTEM_PROFILE_NAME      TEXT("SeSystemProfilePrivilege")
#define SE_SYSTEMTIME_NAME          TEXT("SeSystemtimePrivilege")
#define SE_PROF_SINGLE_PROCESS_NAME TEXT("SeProfileSingleProcessPrivilege")
#define SE_INC_BASE_PRIORITY_NAME   TEXT("SeIncreaseBasePriorityPrivilege")
#define SE_CREATE_PAGEFILE_NAME     TEXT("SeCreatePagefilePrivilege")
#define SE_CREATE_PERMANENT_NAME    TEXT("SeCreatePermanentPrivilege")
#define SE_BACKUP_NAME              TEXT("SeBackupPrivilege")
#define SE_RESTORE_NAME             TEXT("SeRestorePrivilege")
#define SE_SHUTDOWN_NAME            TEXT("SeShutdownPrivilege")
#define SE_DEBUG_NAME               TEXT("SeDebugPrivilege")
#define SE_AUDIT_NAME               TEXT("SeAuditPrivilege")
#define SE_SYSTEM_ENVIRONMENT_NAME  TEXT("SeSystemEnvironmentPrivilege")
#define SE_CHANGE_NOTIFY_NAME       TEXT("SeChangeNotifyPrivilege")
#define SE_REMOTE_SHUTDOWN_NAME     TEXT("SeRemoteShutdownPrivilege")
#define SE_UNDOCK_NAME              TEXT("SeUndockPrivilege")
#define SE_SYNC_AGENT_NAME          TEXT("SeSyncAgentPrivilege")
#define SE_ENABLE_DELEGATION_NAME   TEXT("SeEnableDelegationPrivilege")