Tricks of the Windows Game Programming Gurus (2nd Edition)

home *** CD-ROM | disk | FTP | other *** search

/ Tricks of the Windows Gam…ming Gurus (2nd Edition) / Disc2.iso / msdn_vcb / samples / vc98 / sdk / winbase / security / winnt / sd_flppy / floplock.c < prev next >

Wrap

C/C++ Source or Header | 1996-04-18 | 23.8 KB | 723 lines

/****************************************************************************\ * INCLUDES, DEFINES \****************************************************************************/ #define STRICT #include <windows.h> #include <stdio.h> #include <stdlib.h> #define PERR(api) printf("\n%s: Error %d from %s on line %d", \ __FILE__, GetLastError(), api, __LINE__); #define PMSG(msg) printf("\n%s line %d: %s", \ __FILE__, __LINE__, msg); // this event is signalled when the // worker thread ends // HANDLE hServDoneEvent = NULL; SERVICE_STATUS ssStatus; // current status of the service SERVICE_STATUS_HANDLE sshStatusHandle; DWORD dwGlobalErr; DWORD TID = 0; HANDLE threadHandle = NULL; HANDLE pipeHandle; /****************************************************************************\ * FUNCTION PROTOTYPES \****************************************************************************/ VOID WINAPI service_main(DWORD dwArgc, LPTSTR *lpszArgv); VOID WINAPI service_ctrl(DWORD dwCtrlCode); BOOL ReportStatusToSCMgr(DWORD dwCurrentState, DWORD dwWin32ExitCode, DWORD dwCheckPoint, DWORD dwWaitHint); VOID die(char *reason); VOID worker_thread(VOID *notUsed); VOID StopSimpleService(LPTSTR lpszMsg); BOOL WriteSD_ToA_File(PSECURITY_DESCRIPTOR psdAbsoluteSD, LPTSTR lpszFileName); /****************************************************************************\ * GLOBAL VARIABLES AND TYPEDEFS \****************************************************************************/ #define SZ_SD_BUF 100 #define SZ_SID_BUF 75 #define SZ_ACL_BUF 150 UCHAR ucAbsSDBuf [SZ_SD_BUF] = ""; UCHAR ucEvrSDBuf [SZ_SD_BUF] = ""; UCHAR ucSIDBuf [SZ_SID_BUF] = ""; UCHAR ucPwrUsrsSIDBuf [SZ_SID_BUF] = ""; UCHAR ucACLBuf [SZ_ACL_BUF] = ""; DWORD dwSID = SZ_SID_BUF; DWORD dwDACL = SZ_ACL_BUF; BOOL bFloppiesAreLocked; PSECURITY_DESCRIPTOR psdAbsoluteSD = (PSECURITY_DESCRIPTOR)&ucAbsSDBuf; PSECURITY_DESCRIPTOR psdEveryoneSD = (PSECURITY_DESCRIPTOR)&ucEvrSDBuf; PSID psidAdministrators = (PSID)&ucSIDBuf; PSID psidPowerUsers = (PSID)&ucPwrUsrsSIDBuf; PACL pNewDACL = (PACL)&ucACLBuf; // main() -- // all main does is call StartServiceCtrlDispatcher // to register the main service thread. When the // API returns, the service has stopped, so exit. // int main() { SERVICE_TABLE_ENTRY dispatchTable[] = { { TEXT("SimpleService"), (LPSERVICE_MAIN_FUNCTION)service_main }, { NULL, NULL } }; // check if Win32s, if so, display notice and terminate if( GetVersion() & 0x80000000 ) { MessageBox( NULL, "This application cannot run on Windows 3.1 or Windows 95.\n" "This application will now terminate.", "SD_FLPPY", MB_OK | MB_ICONSTOP | MB_SETFOREGROUND ); return( 1 ); } #define FILE_TO_REDIRECT_STDOUT_TO "c:\\floplock.out" // freopen(FILE_TO_REDIRECT_STDOUT_TO,"w+",stdout); if (!StartServiceCtrlDispatcher(dispatchTable)) { StopSimpleService("StartServiceCtrlDispatcher failed."); } } // service_main() -- // this function takes care of actually starting the service, // informing the service controller at each step along the way. // After launching the worker thread, it waits on the event // that the worker thread will signal at its termination. // VOID WINAPI service_main(DWORD dwArgc, LPTSTR *lpszArgv) { DWORD dwWait; SECURITY_ATTRIBUTES sa; // register our service control handler: // sshStatusHandle = RegisterServiceCtrlHandler( TEXT("SimpleService"), service_ctrl); if (!sshStatusHandle) goto cleanup; // SERVICE_STATUS members that don't change in example // ssStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS; ssStatus.dwServiceSpecificExitCode = 0; // report the status to Service Control Manager. // if (!ReportStatusToSCMgr( SERVICE_START_PENDING, // service state NO_ERROR, // exit code 1, // checkpoint 3000)) // wait hint goto cleanup; // create the event object. The control handler function signals // this event when it receives the "stop" control code. // hServDoneEvent = CreateEvent( NULL, // no security attributes TRUE, // manual reset event FALSE, // not-signalled NULL); // no name if (hServDoneEvent == (HANDLE)NULL) goto cleanup; // report the status to the service control manager. // if (!ReportStatusToSCMgr( SERVICE_START_PENDING, // service state NO_ERROR, // exit code 2, // checkpoint 3000)) // wait hint goto cleanup; // Create a security descriptor that allows only local Administrators // to do anything with the pipe. Since Domain administrators are // normally also local Administrators, this will serve most needs /************************************************************************\ * * Build SIDs of local Administrators and Power Users. Note that the Power * Users group is defined on Windows NT machines, but not on Advanced * Server machines. This means that we will on Advanced Server machines * have a DACL that has an ACE (for Power Users) that will never be used * \************************************************************************/ { SID_IDENTIFIER_AUTHORITY siaNtAuthority = SECURITY_NT_AUTHORITY; InitializeSid( psidAdministrators, &siaNtAuthority, 2 ); InitializeSid( psidPowerUsers, &siaNtAuthority, 2 ); *(GetSidSubAuthority( psidAdministrators, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; *(GetSidSubAuthority( psidPowerUsers, 0 )) = SECURITY_BUILTIN_DOMAIN_RID; *(GetSidSubAuthority( psidAdministrators, 1 )) = DOMAIN_ALIAS_RID_ADMINS; *(GetSidSubAuthority( psidPowerUsers, 1 )) = DOMAIN_ALIAS_RID_POWER_USERS; } /************************************************************************\ * * Initialize new DACL * \************************************************************************/ if (!InitializeAcl(pNewDACL, dwDACL, ACL_REVISION)) { StopSimpleService("InitializeAcl"); } /************************************************************************\ * * Allow All access for local Administrators only * \************************************************************************/ if (!AddAccessAllowedAce(pNewDACL, ACL_REVISION, FILE_ALL_ACCESS, psidAdministrators)) { StopSimpleService("AddAccessAllowedAce"); } /************************************************************************\ * * If we unlock the floppies when the service stops, then for the sake of * consistency, we have to also allow Power Users on the Admin-only DACL, * since Power Users can stop services. It would be inconsistent to try * to lock Power Users away from their floppies if Power Users could get * to the floppies simply by stopping the service * * It's still OK to use the same DACL for the pipe as for the floppies, * that is, it's OK to let Power Users on the DACL for the pipe too. The * reason is that it is not generally (and certainly not by default) the * case that an account is a member of Power Users on more than their own * machines. So, putting Power Users on the pipe let's Power Users admin * the floppies via the pipe only on the machines on which they are * actually Power Users, and again, on those machines they can stop the * floppy-locking service as well * \************************************************************************/ #define UNLOCK_AT_SERVICE_STOP (0==0) if (UNLOCK_AT_SERVICE_STOP) { if (!AddAccessAllowedAce(pNewDACL, ACL_REVISION, FILE_ALL_ACCESS, psidPowerUsers)) { StopSimpleService("AddAccessAllowedAce"); } } /************************************************************************\ * * Build SD in absolute format - first the Admins-only then the Everyone SD * \************************************************************************/ if (!InitializeSecurityDescriptor(psdAbsoluteSD, SECURITY_DESCRIPTOR_REVISION)) { StopSimpleService("InitializeSecurityDescriptor"); } if (!InitializeSecurityDescriptor(psdEveryoneSD, SECURITY_DESCRIPTOR_REVISION)) { StopSimpleService("InitializeSecurityDescriptor"); } /************************************************************************\ * * Set DACL into SD - first the Admins-only then the Everyone SD * \************************************************************************/ if (!SetSecurityDescriptorDacl(psdAbsoluteSD, TRUE, // fDaclPresent flag pNewDACL, FALSE)) // not a default DACL { StopSimpleService("SetSecurityDescriptorDacl"); } if (!SetSecurityDescriptorDacl(psdEveryoneSD, TRUE, // fDaclPresent flag (PACL)NULL, FALSE)) // not a default DACL { StopSimpleService("SetSecurityDescriptorDacl"); } /************************************************************************\ * * Check to see that SD is valid before attempting to write it to the file * \************************************************************************/ if (!IsValidSecurityDescriptor(psdAbsoluteSD)) { StopSimpleService("IsValidSecurityDescriptor"); } sa.nLength = sizeof(sa); sa.lpSecurityDescriptor = psdAbsoluteSD; sa.bInheritHandle = TRUE; // why not... we spawn no processes // open our named pipe... // pipeHandle = CreateNamedPipe( "\\\\.\\pipe\\sd_flppy", // name of pipe PIPE_ACCESS_DUPLEX, // pipe open mode PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT, // pipe IO type 1, // number of instances 0, // size of outbuf (0 == allocate as necessary) 0, // size of inbuf 1000, // default time-out value &sa); // security attributes if (!pipeHandle) { StopSimpleService("CreateNamedPipe"); return; } // Set the same DACL onto the floppies // /************************************************************************\ * * Write SD to file system - first for A: then B: * \************************************************************************/ if (!WriteSD_ToA_File(psdAbsoluteSD,"\\\\.\\A:")) { StopSimpleService("Write of DACL to A: failed"); } if (!WriteSD_ToA_File(psdAbsoluteSD,"\\\\.\\B:")) { StopSimpleService("Write of DACL to B: failed"); } bFloppiesAreLocked = TRUE; /************************************************************************\ * * only works for CDROM drives if you revoke the SeChangeNotify privilege * from Everyone in user manager * \************************************************************************/ /* if (!WriteSD_ToA_File(psdAbsoluteSD,"\\\\.\\E:")) { StopSimpleService("Write of DACL to E: failed"); } */ /************************************************************************\ * * Works for COM ports as well - commented out as this samples is floppy only * \************************************************************************/ /* if (!WriteSD_ToA_File(psdAbsoluteSD,"COM1:")) { StopSimpleService("Write of DACL to COM1: failed"); } */ // start the thread that performs the work of the service. // threadHandle = CreateThread( NULL, // security attributes 0, // stack size (0 means inherit parent's stack size) (LPTHREAD_START_ROUTINE)worker_thread, NULL, // argument to thread 0, // thread creation flags &TID); // pointer to thread ID if (!threadHandle) goto cleanup; // report the status to the service control manager. // if (!ReportStatusToSCMgr( SERVICE_RUNNING, // service state NO_ERROR, // exit code 0, // checkpoint 0)) // wait hint goto cleanup; // wait indefinitely until hServDoneEvent is signaled. // dwWait = WaitForSingleObject( hServDoneEvent, // event object INFINITE); // wait indefinitely cleanup: if (hServDoneEvent != NULL) CloseHandle(hServDoneEvent); // try to report the stopped status to the service control manager. // if (sshStatusHandle != 0) (VOID)ReportStatusToSCMgr( SERVICE_STOPPED, dwGlobalErr, 0, 0); // When SERVICE MAIN FUNCTION returns in a single service // process, the StartServiceCtrlDispatcher function in // the main thread returns, terminating the process. // return; } // service_ctrl() -- // this function is called by the Service Controller whenever // someone calls ControlService in reference to our service. // VOID WINAPI service_ctrl(DWORD dwCtrlCode) { DWORD dwState = SERVICE_RUNNING; // Handle the requested control code. // switch(dwCtrlCode) { // Pause the service if it is running. // case SERVICE_CONTROL_PAUSE: if (ssStatus.dwCurrentState == SERVICE_RUNNING) { SuspendThread(threadHandle); dwState = SERVICE_PAUSED; } break; // Resume the paused service. // case SERVICE_CONTROL_CONTINUE: if (ssStatus.dwCurrentState == SERVICE_PAUSED) { ResumeThread(threadHandle); dwState = SERVICE_RUNNING; } break; // Stop the service. // case SERVICE_CONTROL_STOP: dwState = SERVICE_STOP_PENDING; // Report the status, specifying the checkpoint and waithint, // before setting the termination event. // ReportStatusToSCMgr( SERVICE_STOP_PENDING, // current state NO_ERROR, // exit code 1, // checkpoint 3000); // waithint if (UNLOCK_AT_SERVICE_STOP) { if (!WriteSD_ToA_File(psdEveryoneSD,"\\\\.\\A:")) { StopSimpleService("Unlock of A: failed, see log file"); } if (!WriteSD_ToA_File(psdEveryoneSD,"\\\\.\\B:")) { StopSimpleService("Unlock of B: failed, see log file"); } bFloppiesAreLocked = FALSE; } SetEvent(hServDoneEvent); return; // Update the service status. // case SERVICE_CONTROL_INTERROGATE: break; // invalid control code // default: break; } // send a status response. // ReportStatusToSCMgr(dwState, NO_ERROR, 0, 0); } // worker_thread() -- // this function does the actual nuts and bolts work that // the service requires. It will also Pause or Stop when // asked by the service_ctrl function. // VOID worker_thread(VOID *notUsed) { char inbuf[180]; char outbuf[180]; BOOL ret; DWORD bytesRead; DWORD bytesWritten; DWORD dwLen; // okay, our pipe has been created, let's enter the simple // processing loop... // while (1) { // wait for a connection... // ConnectNamedPipe(pipeHandle, NULL); // grab whatever's coming through the pipe... // ret = ReadFile( pipeHandle, // file to read from inbuf, // address of input buffer sizeof(inbuf), // number of bytes to read &bytesRead, // number of bytes read NULL); // overlapped stuff, not needed if (!ret) // pipe's broken... go back and reconnect // continue; switch (inbuf[0]) { case 'U': dwLen = sprintf(outbuf,"Floppies were unlocked"); if (!WriteSD_ToA_File(psdEveryoneSD,"\\\\.\\A:")) { dwLen += sprintf(outbuf+dwLen,", unlock of A: failed, see log file"); } if (!WriteSD_ToA_File(psdEveryoneSD,"\\\\.\\B:")) { dwLen += sprintf(outbuf+dwLen,", unlock of B: failed, see log file"); } bFloppiesAreLocked = FALSE; break; case 'L': dwLen = sprintf(outbuf,"Floppies were locked"); if (!WriteSD_ToA_File(psdAbsoluteSD,"\\\\.\\A:")) { dwLen += sprintf(outbuf+dwLen,", lock of A: failed, see log file"); } if (!WriteSD_ToA_File(psdAbsoluteSD,"\\\\.\\B:")) { dwLen += sprintf(outbuf+dwLen,", lock of B: failed, see log file"); } bFloppiesAreLocked = TRUE; break; case 'Q': if (bFloppiesAreLocked) { sprintf(outbuf,"Floppy status is: Locked"); } else { sprintf(outbuf,"Floppy status is: Unlocked"); } break; default : sprintf(outbuf,"Bad operation passed in"); } // send it back out... // ret = WriteFile( pipeHandle, // file to write to outbuf, // address of output buffer sizeof(outbuf), // number of bytes to write &bytesWritten, // number of bytes written NULL); // overlapped stuff, not needed if (!ret) // pipe's broken... go back and reconnect // continue; // drop the connection... // DisconnectNamedPipe(pipeHandle); } } // utility functions... // ReportStatusToSCMgr() -- // This function is called by the ServMainFunc() and // ServCtrlHandler() functions to update the service's status // to the service control manager. // BOOL ReportStatusToSCMgr(DWORD dwCurrentState, DWORD dwWin32ExitCode, DWORD dwCheckPoint, DWORD dwWaitHint) { BOOL fResult; // Disable control requests until the service is started. // if (dwCurrentState == SERVICE_START_PENDING) ssStatus.dwControlsAccepted = 0; else ssStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_PAUSE_CONTINUE; // These SERVICE_STATUS members are set from parameters. // ssStatus.dwCurrentState = dwCurrentState; ssStatus.dwWin32ExitCode = dwWin32ExitCode; ssStatus.dwCheckPoint = dwCheckPoint; ssStatus.dwWaitHint = dwWaitHint; // Report the status of the service to the service control manager. // if (!(fResult = SetServiceStatus( sshStatusHandle, // service reference handle &ssStatus))) { // SERVICE_STATUS structure // If an error occurs, stop the service. // StopSimpleService("SetServiceStatus"); } return fResult; } // The StopSimpleService function can be used by any thread to report an // error, or stop the service. // VOID StopSimpleService(LPTSTR lpszMsg) { CHAR chMsg[256]; HANDLE hEventSource; LPTSTR lpszStrings[2]; dwGlobalErr = GetLastError(); // Use event logging to log the error. // hEventSource = RegisterEventSource(NULL, TEXT("SimpleService")); sprintf(chMsg, "SimpleService error: %d", dwGlobalErr); lpszStrings[0] = chMsg; lpszStrings[1] = lpszMsg; if (hEventSource != NULL) { ReportEvent(hEventSource, // handle of event source EVENTLOG_ERROR_TYPE, // event type 0, // event category 0, // event ID NULL, // current user's SID 2, // strings in lpszStrings 0, // no bytes of raw data lpszStrings, // array of error strings NULL); // no raw data (VOID) DeregisterEventSource(hEventSource); } // Set a termination event to stop SERVICE MAIN FUNCTION. // SetEvent(hServDoneEvent); } /****************************************************************************\ * * FUNCTION: WriteSD_ToA_File * \****************************************************************************/ BOOL WriteSD_ToA_File(PSECURITY_DESCRIPTOR psdAbsoluteSD, LPTSTR lpszFileName) { DWORD dwErrorMode; BOOL bStatus; /**************************************************************************\ * * SetErrorMode so we don't get the error due to no floppy disk in the floppy * drive * \**************************************************************************/ dwErrorMode = SetErrorMode(SEM_FAILCRITICALERRORS); /**************************************************************************\ * * Write SD to file system * \**************************************************************************/ bStatus = SetFileSecurity(lpszFileName, (SECURITY_INFORMATION)(DACL_SECURITY_INFORMATION), psdAbsoluteSD); /**************************************************************************\ * * SetErrorMode back to its previous value * \**************************************************************************/ SetErrorMode(dwErrorMode); if (!bStatus) { if (ERROR_FILE_NOT_FOUND == GetLastError()) { printf("\nAttempted to lock %s, but it was not found",lpszFileName); } else { PERR("SetFileSecurity"); return(FALSE); } } return(TRUE); }