forked from project-jedi/jcl
Security.dtx
@@Windows_Specific.Security
<GROUP Windows_Specific>
<TITLE Security>
<TOPICORDER 400>
--------------------------------------------------------------------------------
@@Windows_Specific.Security.AccessControl
<GROUP Windows_Specific.Security>
<TITLE Access Control>
<TOPICORDER 100>
--------------------------------------------------------------------------------
@@AccountInformation
<GROUP Windows_Specific.Security>
<TITLE Account Information>
<TOPICORDER 200>
--------------------------------------------------------------------------------
@@Windows_Specific.Security.Privileges
<GROUP Windows_Specific.Security>
<TITLE Privileges>
<TOPICORDER 300>
--------------------------------------------------------------------------------
@@AllowRegKeyForEveryone
<GROUP Windows_Specific.Security.AccessControl>
Summary:
Allows full access to everyone for a registry key.
Description:
AllowRegKeyForEveryone sets the DACL of the specified registry key to NULL, thereby
granting full access to everyone. Be careful with this one because you can do
real damage to the registry!
Parameters:
Key - The root key of the specified path. Can be one of the HKEY_XXX constants.
Path - Path of the registry key for which to set full access to everyone.
Result:
If the function succeeds it returns True, otherwise it returns False.
Notes:
Under Windows 95/98/Millennium Edition, this function does nothing; in addition, it always returns True.
Donator:
John C Molyneux
--------------------------------------------------------------------------------
@@CreateNullDacl
<GROUP Windows_Specific.Security.AccessControl>
Summary:
Initializes a security attributes structure for NULL access and optional inheritability.
Description:
CreateNullDacl initializes a TSecurityAttributes structure for the creation of
an optionally inheritable object with a NULL DACL.
The lpSecurityDescriptor member of the TSecurityAttributes structure is initialized
with a NULL DACL. This will result in the created object allowing full access to everyone.
Make sure you read the Notes section for memory issues.
Parameters:
Sa - The TSecurityAttributes structure to initialize.
Inheritable - Specifies inheritability. The bInheritHandle member of Sa is set to the same value as the Inheritable parameter.
Result:
A pointer to the passed in TSecurityAttributes structure. This allows you to write
code such as CreateFile(..., CreateNullDacl(Sa, True), ...).
Notes:
The caller is responsible for freeing the memory associated with the lpSecurityDescriptor
member of the TSecurityAttributes structure. Use FreeMem(Sa.lpSecurityDescriptor).
Under Windows 95/98/Millennium Edition, this function always returns nil.
See also:
CreateInheritable
Donator:
Marcel van Brakel
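Added example, not part of the JCL sources or of the original help text: the NULL DACL produced by CreateNullDacl next to an explicit, restricted DACL for the same kind of object. The mutex names, the SDDL policy string and the locally declared advapi32 import are assumptions made for the illustration; CreateNullDacl is called as shown under Result above.

```pascal
program DaclComparison;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils, JclSecurity;

const
  SDDL_REVISION_1 = 1;
  // Constructed policy: full access for SYSTEM (SY) and Administrators (BA) only.
  RestrictedSddl: PWideChar = 'D:(A;;GA;;;SY)(A;;GA;;;BA)';

// Win32 import declared locally in case the Windows unit in use lacks it.
function ConvertStringSecurityDescriptorToSecurityDescriptorW(
  StringSD: PWideChar; Revision: DWORD; var SD: Pointer;
  SDSize: PDWORD): BOOL; stdcall; external 'advapi32.dll';

// Weak form: NULL DACL through the JCL helper, everyone gets full access.
function CreateOpenMutex(const Name: string): THandle;
var
  Sa: TSecurityAttributes;
begin
  FillChar(Sa, SizeOf(Sa), 0);
  Result := CreateMutex(CreateNullDacl(Sa, False), False, PChar(Name));
  FreeMem(Sa.lpSecurityDescriptor); // caller frees the descriptor (see Notes)
end;

// Restricted form: explicit DACL built from the SDDL string above.
function CreateRestrictedMutex(const Name: string): THandle;
var
  Sa: TSecurityAttributes;
  Sd: Pointer;
begin
  Sd := nil;
  if not ConvertStringSecurityDescriptorToSecurityDescriptorW(
    RestrictedSddl, SDDL_REVISION_1, Sd, nil) then
    RaiseLastOSError;
  try
    Sa.nLength := SizeOf(Sa);
    Sa.lpSecurityDescriptor := Sd;
    Sa.bInheritHandle := False;
    Result := CreateMutex(@Sa, False, PChar(Name));
  finally
    LocalFree(HLOCAL(Sd));
  end;
end;

begin
  CloseHandle(CreateOpenMutex('ExampleOpenMutex'));       // constructed names
  CloseHandle(CreateRestrictedMutex('ExampleRestrictedMutex'));
end.
```

The system copies the security descriptor when the object is created, so both functions can release their descriptor memory before returning the handle.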
--------------------------------------------------------------------------------
@@CreateInheritable
<GROUP Windows_Specific.Security.AccessControl>
Summary:
Initializes a security attributes structure for inheritable object creation.
Description:
CreateInheritable initializes a TSecurityAttributes structure for
the creation of an inheritable object. That is, the bInheritHandle member is set
to True, allowing processes spawned by the current process to inherit the handle
to the object that was created with this TSecurityAttributes structure.
Parameters:
Sa - The TSecurityAttributes structure whose bInheritHandle member to set to True resulting in an inheritable object.
Result:
A pointer to the passed in TSecurityAttributes structure. This allows you to write
code such as CreateFile(..., CreateInheritable(Sa), ...).
Notes:
Under Windows 95/98/Millennium Edition, this function always returns nil.
See also:
CreateNullDacl
Donator:
Marcel van Brakel
--------------------------------------------------------------------------------
@@IsPrivilegeEnabled
<GROUP Windows_Specific.Security.Privileges>
Summary:
Tests if the specified Privilege is enabled.
Description:
IsPrivilegeEnabled tests whether the specified privilege is enabled for the current
thread. If the thread is currently impersonating a client the test is made against
the credentials of that client, otherwise the test is made against the credentials
of the user associated with the process that the calling thread runs in.
Parameters:
Privilege - The privilege to check for. This is one of the SE_Xxx constants as documented in the Platform SDK under Security | Access Control | Access Control | Access Control Reference | Windows NT Privileges. For example, you can pass in SE_DEBUG_NAME to test if the debugging privilege is enabled.
Result:
If the specified privilege is enabled for the calling thread then the function
returns True, otherwise the function returns False - this is also the return
value if the function fails in retrieving the status of the specified privilege.
Notes:
Under Windows 95/98/Millennium Edition, this function does nothing; in addition,
it always returns True.
See also:
EnableProcessPrivilege
EnableThreadPrivilege
Donator:
Marcel van Brakel
--------------------------------------------------------------------------------
@@EnableProcessPrivilege
<GROUP Windows_Specific.Security.Privileges>
Summary:
Enables or disables a privilege for the process.
Description:
EnableProcessPrivilege enables or disables the specified privilege for the
current process. You can, for example, enable the debug privilege by using this
function. The user associated with the calling process must already have
TOKEN_ADJUST_PRIVILEGES access.
Parameters:
Enable - If True the function attempts to enable the specified privilege. If False the function attempts to disable the specified privilege.
Privilege - The privilege to enable/disable. This is one of the SE_Xxx constants as documented in the Platform SDK under Security | Access Control | Access Control | Access Control Reference | Windows NT Privileges. For example, you can pass in SE_DEBUG_NAME to enable or disable the debugging privilege.
Result:
If the function succeeds the result is True, otherwise the result is False. Failure
is usually caused by the caller not having sufficient access rights (i.e. TOKEN_ADJUST_PRIVILEGES)
to enable or disable privileges.
Notes:
Under Windows 95/98/Millennium Edition, this function always returns True.
See also:
EnableThreadPrivilege
IsPrivilegeEnabled
Donator:
Marcel van Brakel
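Added example, not part of the JCL sources or of the original help text: enabling a privilege only for the duration of one operation and restoring the previous state afterwards, using IsPrivilegeEnabled and EnableProcessPrivilege as documented above. RunWithPrivilege, TPrivilegedAction, ReportState and the sample privilege name are hypothetical names chosen for the illustration.

```pascal
program ScopedPrivilege;
{$APPTYPE CONSOLE}

uses
  SysUtils, JclSecurity;

const
  // Constructed sample value: the string behind SE_SHUTDOWN_NAME.
  SamplePrivilege = 'SeShutdownPrivilege';

type
  TPrivilegedAction = procedure; // hypothetical callback type

// Hypothetical helper: runs Action with Privilege enabled, then restores the
// previous state. Assumes the thread is not impersonating, so that
// IsPrivilegeEnabled inspects the same process token EnableProcessPrivilege edits.
function RunWithPrivilege(const Privilege: string;
  Action: TPrivilegedAction): Boolean;
var
  WasEnabled: Boolean;
begin
  WasEnabled := IsPrivilegeEnabled(Privilege);
  if not WasEnabled then
    EnableProcessPrivilege(True, Privilege);
  // Verify instead of trusting the Boolean result: AdjustTokenPrivileges can
  // report success (ERROR_NOT_ALL_ASSIGNED) when the token lacks the privilege.
  Result := IsPrivilegeEnabled(Privilege);
  if not Result then
    Exit;
  try
    Action;
  finally
    if not WasEnabled then
      EnableProcessPrivilege(False, Privilege); // drop only what we enabled
  end;
end;

procedure ReportState;
begin
  Writeln('inside : ', IsPrivilegeEnabled(SamplePrivilege));
end;

begin
  Writeln('before : ', IsPrivilegeEnabled(SamplePrivilege));
  if not RunWithPrivilege(SamplePrivilege, ReportState) then
    Writeln('privilege not held by this token');
  Writeln('after  : ', IsPrivilegeEnabled(SamplePrivilege));
end.
```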
--------------------------------------------------------------------------------
@@EnableThreadPrivilege
<GROUP Windows_Specific.Security.Privileges>
Summary:
Enables or disables a privilege for the thread.
Description:
EnableThreadPrivilege enables or disables the specified privilege for the
calling thread. You can, for example, enable the debug privilege by using this
function. The user associated with the calling process must already have
TOKEN_ADJUST_PRIVILEGES access. If the thread is currently impersonating a client
then the client must have the appropriate access.
Parameters:
Enable - If True the function attempts to enable the specified privilege. If False the function attempts to disable the specified privilege.
Privilege - The privilege to enable/disable. This is one of the SE_Xxx constants as documented in the Platform SDK under Security | Access Control | Access Control | Access Control Reference | Windows NT Privileges. For example, you can pass in SE_DEBUG_NAME to enable or disable the debugging privilege.
Result:
If the function succeeds the result is True, otherwise the result is False. Failure
is usually caused by the caller not having sufficient access rights (i.e. TOKEN_ADJUST_PRIVILEGES)
to enable or disable privileges.
See also:
EnableProcessPrivilege
IsPrivilegeEnabled
Notes:
Under Windows 95/98/Millennium Edition, this function does nothing; in addition,
it always returns True.
Donator:
Marcel van Brakel
--------------------------------------------------------------------------------
@@IsAdministrator
<GROUP Windows_Specific.Security.Privileges>
Summary:
Tests whether the process is running in the user context of a local administrator.
Description:
The IsAdministrator function tests if the calling process is running in the
context of a user with local administrative rights. That is, if the user is an
administrator.
Result:
If the process is running in the user context of a local administrator the function
returns True, otherwise it returns False.
Notes:
Under Windows 95/98/Millennium Edition, this function always returns True.
Donator:
Marcel van Brakel
--------------------------------------------------------------------------------
@@LookupAccountBySid
<GROUP AccountInformation>
Summary:
Returns the name and domain of an alias, user or group.
Description:
LookupAccountBySid looks up the domain and account-name of the principal identified
by the supplied security identifier. This principal can be an alias, user or group
either local or domain. If the function fails it raises an exception (EOSError).
Parameters:
Sid - Security Identifier of the account for which to lookup the domain and account-name.
Name - Returns the account-name of the principal identified by Sid.
Domain - Returns the domain-name in which the principal identified by Sid is located (if any).
Notes:
Under Windows 95/98/Millennium Edition, LookupAccountBySid always returns empty strings.
Donator:
Marcel van Brakel
--------------------------------------------------------------------------------
@@QueryTokenInformation
<GROUP AccountInformation>
Summary:
Wrapper for the GetTokenInformation Windows API function.
Description:
QueryTokenInformation is a wrapper for the GetTokenInformation Windows API function
which relieves the user of buffer management. For more information about the purpose
of this function, look up the GetTokenInformation function in the Platform SDK. If
the function fails it raises an exception.
Parameters:
Token - Handle to an access token to query for information.
InformationClass - The type of information to retrieve.
Buffer - Upon success receives a buffer containing the requested information. This buffer must be freed by the caller by using the FreeMem function. Upon failure the buffer is undefined and should not be freed.
Notes:
Under Windows 95/98/Millennium Edition, QueryTokenInformation always sets Buffer to nil.
Donator:
Marcel van Brakel
--------------------------------------------------------------------------------
@@GetInteractiveUserName
<GROUP AccountInformation>
Summary:
Returns the name of the interactive user.
Description:
Returns the name of the interactive user (if any) in the form <domain>\<username>.
If the function fails it raises an exception (also true when the shell is
not running, i.e. no user is interactively logged on). This function, unlike
the much easier GetUserName, can be called from a service running in the
localsystem security context. It cannot be called from a service running in
another security context unless appropriate measures have been taken to grant
the service sufficient access (PROCESS_ALL_ACCESS for the shell process and
TOKEN_QUERY for the interactive user account token). That's kind of difficult
to achieve so it's safe to say, don't use this function from any service
except one running in the localsystem security context.
Result:
The name of the interactively logged on user, if any, in the format domain\username.
Notes:
Under Windows 95/98/Millennium Edition, this function always returns an empty string.
Donator:
Marcel van Brakel
--------------------------------------------------------------------------------
@@GetPrivilegeDisplayName
<GROUP Windows_Specific.Security.Privileges>
Summary:
Wrapper around the LookupPrivilegeDisplayName Windows API function.
Description:
The GetPrivilegeDisplayName function retrieves the display name that represents a specified
privilege on the local system.
Parameters:
PrivilegeName - the name of the privilege, as defined in Winnt.h. For example, this parameter
could specify 'SeRemoteShutdownPrivilege'.
Result:
A string that specifies the privilege display name, or an empty string if the function failed.
For example, if the PrivilegeName parameter is 'SeRemoteShutdownPrivilege', the privilege display
name is 'Force shutdown from a remote system.'
Notes:
Under Windows 95/98/Millennium Edition, this function always returns an empty string.
Donator:
Anonymous
--------------------------------------------------------------------------------
@@GetUserObjectName
<GROUP Windows_Specific.Security.Privileges>
Summary:
Returns the name of the specified object.
Description:
Parameters:
hUserObject - Handle to the window station or desktop object for which to return information.
This handle is returned by the CreateWindowStation, OpenWindowStation, CreateDesktop, or OpenDesktop function.
Result:
The name of the specified object, or an empty string if the function failed.
Notes:
Under Windows 95/98/Millennium Edition, this function always returns an empty result.
Donator:
Anonymous
--------------------------------------------------------------------------------
@@SetUserObjectFullAccess
<GROUP Windows_Specific.Security.Privileges>
Summary:
Permits full access to a user object.
Description:
The SetUserObjectFullAccess function permits full access to a user object.
This can be, for example, a window or a DDE conversation.
Parameters:
hUserObject - Handle to a user object for which full access is to be granted.
Result:
True on success, False otherwise.
Notes:
Under Windows 95/98/Millennium Edition, this function does nothing; in addition,
it always returns True.
Donator:
Anonymous
--------------------------------------------------------------------------------
@@IsUACEnabled
<GROUP SystemInformationRoutines.UserAccountControl>
Summary:
Checks whether UAC (User Account Control) is enabled on Windows Vista,
Windows Server 2008, Windows 7 or Windows Server 2008 R2.
Description:
Checks whether UAC (User Account Control) is enabled on Windows Vista,
Windows Server 2008, Windows 7 or Windows Server 2008 R2.
UAC is enabled by default on Windows versions supporting this technology.
Result:
Returns True if UAC is enabled and the OS version is Windows Vista, Windows Server 2008,
Windows 7 or Windows Server 2008 R2.
Returns False if UAC is disabled or the OS version is none of Windows Vista, Windows Server 2008,
Windows 7 and Windows Server 2008 R2.
Donator:
Jean-Fabien Connault