in hadoop-common-project/hadoop-common/src/main/winutils/libwinutils.c [1062:1273]
// GetWindowsDACLs
//
// Builds a new DACL from a Unix permission mask for the given owner and
// group. The mask is translated into Windows allow/deny access masks by
// GetWindowsAccessMask (defined elsewhere in this file).
//
// ACEs are appended in this order, all with CONTAINER_INHERIT_ACE and
// OBJECT_INHERIT_ACE set:
//   1. allow GENERIC_ALL  - CREATOR OWNER
//   2. allow GENERIC_ALL  - SYSTEM          (skipped if it is owner or group)
//   3. allow GENERIC_ALL  - Administrators  (skipped if it is owner or group)
//   4. deny  <user deny>  - owner           (only when the mask is non-zero)
//   5. allow <user allow> - owner
//   6. deny  <group deny> - group           (only when the mask is non-zero)
//   7. allow <group allow> - group
//   8. allow <other allow> - Everyone
//
// Security notes:
//   - Windows evaluates a DACL from the first ACE to the last, so this order
//     is part of the policy. The GENERIC_ALL entries sit ahead of the deny
//     entries, which is not the canonical deny-before-allow layout; a
//     principal matched by entries 1-3 is therefore not restricted by the
//     later owner/group deny ACEs. Do not reorder the calls without
//     reviewing the resulting access checks.
//   - pOwnerSid and pGroupSid are handed to EqualSid, GetLengthSid and the
//     Add*AceEx calls without validation; the caller must supply valid SIDs.
//
// Returns:
//   ERROR_SUCCESS: *ppNewDACL receives a LocalAlloc'd ACL. This function
//     does not free it on success, so the caller presumably releases it
//     with LocalFree - confirm against the call sites.
//   Otherwise the GetLastError() value of the failing call; *ppNewDACL is
//     left unwritten.
//
static DWORD GetWindowsDACLs(__in INT unixMask,
  __in PSID pOwnerSid, __in PSID pGroupSid, __out PACL *ppNewDACL)
{
  // Inheritance flags shared by every ACE added below.
  const DWORD dwInherit = CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE;

  // ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE end in a DWORD SidStart member
  // that marks where the SID begins, so one ACE occupies the structure size
  // minus that DWORD plus the length of its SID.
  const DWORD cbAllowAceFixed = sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD);
  const DWORD cbDenyAceFixed = sizeof(ACCESS_DENIED_ACE) - sizeof(DWORD);

  DWORD dwUserAllow;
  DWORD dwUserDeny;
  DWORD dwGroupAllow;
  DWORD dwGroupDeny;
  DWORD dwOtherAllow;

  PSID pSidEveryone = NULL;
  PSID pSidAdmins = NULL;
  PSID pSidSystem = NULL;
  PSID pSidCreatorOwner = NULL;

  // In: size of each SID buffer. Out: CreateWellKnownSid stores the actual
  // SID length here, which the ACL size computation relies on.
  DWORD cbSidEveryone = SECURITY_MAX_SID_SIZE;
  DWORD cbSidAdmins = SECURITY_MAX_SID_SIZE;
  DWORD cbSidSystem = SECURITY_MAX_SID_SIZE;
  DWORD cbSidCreatorOwner = SECURITY_MAX_SID_SIZE;

  BOOL bNeedAdminsAce = FALSE;
  BOOL bNeedSystemAce = FALSE;

  PACL pDacl = NULL;
  DWORD cbDacl = 0;
  DWORD ret = ERROR_SUCCESS;

  GetWindowsAccessMask(unixMask,
    &dwUserAllow, &dwUserDeny,
    &dwGroupAllow, &dwGroupDeny,
    &dwOtherAllow);

  // Well-known SID: Everyone
  //
  pSidEveryone = LocalAlloc(LPTR, cbSidEveryone);
  if (pSidEveryone == NULL ||
    !CreateWellKnownSid(WinWorldSid, NULL, pSidEveryone, &cbSidEveryone))
  {
    goto GetWindowsDACLsFail;
  }

  // Well-known SID: BUILTIN\Administrators
  //
  pSidAdmins = LocalAlloc(LPTR, cbSidAdmins);
  if (pSidAdmins == NULL ||
    !CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL,
      pSidAdmins, &cbSidAdmins))
  {
    goto GetWindowsDACLsFail;
  }
  // A separate full-control ACE is added only when Administrators is
  // neither the owner nor the group of the object.
  if (!(EqualSid(pSidAdmins, pOwnerSid) || EqualSid(pSidAdmins, pGroupSid)))
  {
    bNeedAdminsAce = TRUE;
  }

  // Well-known SID: SYSTEM
  //
  pSidSystem = LocalAlloc(LPTR, cbSidSystem);
  if (pSidSystem == NULL ||
    !CreateWellKnownSid(WinLocalSystemSid, NULL, pSidSystem, &cbSidSystem))
  {
    goto GetWindowsDACLsFail;
  }
  // Same rule as for Administrators above.
  if (!(EqualSid(pSidSystem, pOwnerSid) || EqualSid(pSidSystem, pGroupSid)))
  {
    bNeedSystemAce = TRUE;
  }

  // Well-known SID: CREATOR OWNER
  //
  pSidCreatorOwner = LocalAlloc(LPTR, cbSidCreatorOwner);
  if (pSidCreatorOwner == NULL ||
    !CreateWellKnownSid(WinCreatorOwnerSid, NULL,
      pSidCreatorOwner, &cbSidCreatorOwner))
  {
    goto GetWindowsDACLsFail;
  }

  // Size the ACL: header plus one slot per ACE that will be added. The
  // conditions here must stay in step with the Add*AceEx calls below,
  // otherwise the buffer is too small and an add fails.
  //
  cbDacl = sizeof(ACL);
  cbDacl += cbAllowAceFixed + GetLengthSid(pOwnerSid);
  if (dwUserDeny)
  {
    cbDacl += cbDenyAceFixed + GetLengthSid(pOwnerSid);
  }
  cbDacl += cbAllowAceFixed + GetLengthSid(pGroupSid);
  if (dwGroupDeny)
  {
    cbDacl += cbDenyAceFixed + GetLengthSid(pGroupSid);
  }
  cbDacl += cbAllowAceFixed + GetLengthSid(pSidEveryone);
  if (bNeedSystemAce)
  {
    cbDacl += cbAllowAceFixed + cbSidSystem;
  }
  if (bNeedAdminsAce)
  {
    cbDacl += cbAllowAceFixed + cbSidAdmins;
  }
  cbDacl += cbAllowAceFixed + cbSidCreatorOwner;

  pDacl = (PACL)LocalAlloc(LPTR, cbDacl);
  if (pDacl == NULL)
  {
    goto GetWindowsDACLsFail;
  }
  if (!InitializeAcl(pDacl, cbDacl, ACL_REVISION))
  {
    goto GetWindowsDACLsFail;
  }

  // Full control for CREATOR OWNER, SYSTEM and Administrators. These come
  // first on purpose; see the security notes in the function header.
  // NOTE(review): the CREATOR OWNER entry presumably exists so that the
  // creator of a child object receives full control through inheritance -
  // confirm against the callers.
  //
  if (!AddAccessAllowedAceEx(pDacl, ACL_REVISION, dwInherit,
    GENERIC_ALL, pSidCreatorOwner))
  {
    goto GetWindowsDACLsFail;
  }
  if (bNeedSystemAce &&
    !AddAccessAllowedAceEx(pDacl, ACL_REVISION, dwInherit,
      GENERIC_ALL, pSidSystem))
  {
    goto GetWindowsDACLsFail;
  }
  if (bNeedAdminsAce &&
    !AddAccessAllowedAceEx(pDacl, ACL_REVISION, dwInherit,
      GENERIC_ALL, pSidAdmins))
  {
    goto GetWindowsDACLsFail;
  }

  // Owner: optional deny entry, then the allow entry.
  //
  if (dwUserDeny &&
    !AddAccessDeniedAceEx(pDacl, ACL_REVISION, dwInherit,
      dwUserDeny, pOwnerSid))
  {
    goto GetWindowsDACLsFail;
  }
  if (!AddAccessAllowedAceEx(pDacl, ACL_REVISION, dwInherit,
    dwUserAllow, pOwnerSid))
  {
    goto GetWindowsDACLsFail;
  }

  // Group: optional deny entry, then the allow entry.
  //
  if (dwGroupDeny &&
    !AddAccessDeniedAceEx(pDacl, ACL_REVISION, dwInherit,
      dwGroupDeny, pGroupSid))
  {
    goto GetWindowsDACLsFail;
  }
  if (!AddAccessAllowedAceEx(pDacl, ACL_REVISION, dwInherit,
    dwGroupAllow, pGroupSid))
  {
    goto GetWindowsDACLsFail;
  }

  // Everyone ("other"): allow entry only.
  //
  if (!AddAccessAllowedAceEx(pDacl, ACL_REVISION, dwInherit,
    dwOtherAllow, pSidEveryone))
  {
    goto GetWindowsDACLsFail;
  }

  // Success: hand the finished ACL to the caller.
  *ppNewDACL = pDacl;
  goto GetWindowsDACLsCleanup;

GetWindowsDACLsFail:
  // Every jump here comes straight from the failing Win32 call, so the
  // thread's last-error value still belongs to that call.
  ret = GetLastError();

GetWindowsDACLsCleanup:
  // The temporary well-known SIDs are always released; the ACL itself is
  // released only when it is not being returned.
  LocalFree(pSidEveryone);
  LocalFree(pSidAdmins);
  LocalFree(pSidSystem);
  LocalFree(pSidCreatorOwner);
  if (ret != ERROR_SUCCESS)
  {
    LocalFree(pDacl);
  }
  return ret;
}