-#ifdef HOST_WIN32
-
-static PSID
-GetAdministratorsSid (void)
-{
- SID_IDENTIFIER_AUTHORITY admins = SECURITY_NT_AUTHORITY;
- PSID pSid = NULL;
- if (!AllocateAndInitializeSid (&admins, 2, SECURITY_BUILTIN_DOMAIN_RID,
- DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pSid))
- return NULL;
- /* Note: this SID must be freed with FreeSid () */
- return pSid;
-}
-
-
-static PSID
-GetEveryoneSid (void)
-{
- SID_IDENTIFIER_AUTHORITY everyone = SECURITY_WORLD_SID_AUTHORITY;
- PSID pSid = NULL;
- if (!AllocateAndInitializeSid (&everyone, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSid))
- return NULL;
- /* Note: this SID must be freed with FreeSid () */
- return pSid;
-}
-
-
-static PSID
-GetCurrentUserSid (void)
-{
- PSID sid = NULL;
- guint32 size = 0;
- gpointer token = ves_icall_System_Security_Principal_WindowsIdentity_GetCurrentToken ();
-
- GetTokenInformation (token, TokenUser, NULL, size, (PDWORD)&size);
- if (size > 0) {
- TOKEN_USER *tu = g_malloc0 (size);
- if (GetTokenInformation (token, TokenUser, tu, size, (PDWORD)&size)) {
- DWORD length = GetLengthSid (tu->User.Sid);
- sid = (PSID) g_malloc0 (length);
- if (!CopySid (length, sid, tu->User.Sid)) {
- g_free (sid);
- sid = NULL;
- }
- }
- g_free (tu);
- }
- /* Note: this SID must be freed with g_free () */
- return sid;
-}
-
-
-static ACCESS_MASK
-GetRightsFromSid (PSID sid, PACL acl)
-{
- ACCESS_MASK rights = 0;
- TRUSTEE trustee;
-
- BuildTrusteeWithSidW (&trustee, sid);
- if (GetEffectiveRightsFromAcl (acl, &trustee, &rights) != ERROR_SUCCESS)
- return 0;
-
- return rights;
-}
-
-
-static gboolean
-IsMachineProtected (gunichar2 *path)
-{
- gboolean success = FALSE;
- PACL pDACL = NULL;
- PSID pEveryoneSid = NULL;
-
- DWORD dwRes = GetNamedSecurityInfoW (path, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, NULL);
- if (dwRes != ERROR_SUCCESS)
- return FALSE;
-
- /* We check that Everyone is still limited to READ-ONLY -
- but not if new entries have been added by an Administrator */
-
- pEveryoneSid = GetEveryoneSid ();
- if (pEveryoneSid) {
- ACCESS_MASK rights = GetRightsFromSid (pEveryoneSid, pDACL);
- /* http://msdn.microsoft.com/library/en-us/security/security/generic_access_rights.asp?frame=true */
- success = (rights == (READ_CONTROL | SYNCHRONIZE | FILE_READ_DATA | FILE_READ_EA | FILE_READ_ATTRIBUTES));
- FreeSid (pEveryoneSid);
- }
- /* Note: we don't need to check our own access -
- we'll know soon enough when reading the file */
-
- if (pDACL)
- LocalFree (pDACL);
-
- return success;
-}
-
-
-static gboolean
-IsUserProtected (gunichar2 *path)
-{
- gboolean success = FALSE;
- PACL pDACL = NULL;
- PSID pEveryoneSid = NULL;
- PSECURITY_DESCRIPTOR pSecurityDescriptor = NULL;
-
- DWORD dwRes = GetNamedSecurityInfoW (path, SE_FILE_OBJECT,
- DACL_SECURITY_INFORMATION, NULL, NULL, &pDACL, NULL, &pSecurityDescriptor);
- if (dwRes != ERROR_SUCCESS)
- return FALSE;
-
- /* We check that our original entries in the ACL are in place -
- but not if new entries have been added by the user */
-
- /* Everyone should be denied */
- pEveryoneSid = GetEveryoneSid ();
- if (pEveryoneSid) {
- ACCESS_MASK rights = GetRightsFromSid (pEveryoneSid, pDACL);
- success = (rights == 0);
- FreeSid (pEveryoneSid);
- }
- /* Note: we don't need to check our own access -
- we'll know soon enough when reading the file */
-
- if (pSecurityDescriptor)
- LocalFree (pSecurityDescriptor);
-
- return success;
-}
-
-
-static gboolean
-ProtectMachine (gunichar2 *path)
-{
- PSID pEveryoneSid = GetEveryoneSid ();
- PSID pAdminsSid = GetAdministratorsSid ();
- DWORD retval = -1;
-
- if (pEveryoneSid && pAdminsSid) {
- PACL pDACL = NULL;
- EXPLICIT_ACCESS ea [2];
- ZeroMemory (&ea, 2 * sizeof (EXPLICIT_ACCESS));
-
- /* grant all access to the BUILTIN\Administrators group */
- BuildTrusteeWithSidW (&ea [0].Trustee, pAdminsSid);
- ea [0].grfAccessPermissions = GENERIC_ALL;
- ea [0].grfAccessMode = SET_ACCESS;
- ea [0].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
- ea [0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
- ea [0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
-
- /* read-only access everyone */
- BuildTrusteeWithSidW (&ea [1].Trustee, pEveryoneSid);
- ea [1].grfAccessPermissions = GENERIC_READ;
- ea [1].grfAccessMode = SET_ACCESS;
- ea [1].grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
- ea [1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
- ea [1].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
-
- retval = SetEntriesInAcl (2, ea, NULL, &pDACL);
- if (retval == ERROR_SUCCESS) {
- /* with PROTECTED_DACL_SECURITY_INFORMATION we */
- /* remove any existing ACL (like inherited ones) */
- retval = SetNamedSecurityInfo (path, SE_FILE_OBJECT,
- DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
- NULL, NULL, pDACL, NULL);
- }
- if (pDACL)
- LocalFree (pDACL);
- }
-
- if (pEveryoneSid)
- FreeSid (pEveryoneSid);
- if (pAdminsSid)
- FreeSid (pAdminsSid);
- return (retval == ERROR_SUCCESS);
-}
-
-
-static gboolean
-ProtectUser (gunichar2 *path)
-{
- DWORD retval = -1;
-
- PSID pCurrentSid = GetCurrentUserSid ();
- if (pCurrentSid) {
- PACL pDACL = NULL;
- EXPLICIT_ACCESS ea;
- ZeroMemory (&ea, sizeof (EXPLICIT_ACCESS));
-
- /* grant exclusive access to the current user */
- BuildTrusteeWithSidW (&ea.Trustee, pCurrentSid);
- ea.grfAccessPermissions = GENERIC_ALL;
- ea.grfAccessMode = SET_ACCESS;
- ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
- ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
- ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
-
- retval = SetEntriesInAcl (1, &ea, NULL, &pDACL);
- if (retval == ERROR_SUCCESS) {
- /* with PROTECTED_DACL_SECURITY_INFORMATION we
- remove any existing ACL (like inherited ones) */
- retval = SetNamedSecurityInfo (path, SE_FILE_OBJECT,
- DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
- NULL, NULL, pDACL, NULL);
- }
-
- if (pDACL)
- LocalFree (pDACL);
- g_free (pCurrentSid); /* g_malloc0 */
- }
-
- return (retval == ERROR_SUCCESS);
-}
-
-#else
-
-static gboolean