From 623093eaaac59ac958f9a4d030b8297d989503c2 Mon Sep 17 00:00:00 2001 From: David Welch Date: Wed, 5 Jan 2000 21:57:00 +0000 Subject: [PATCH] Implemented more security functions Moved general security types into new header file Implemented ThreadImpersonationToken info class Bug fixes to queuing code svn path=/trunk/; revision=919 --- reactos/include/base.h | 26 --- reactos/include/ddk/psfuncs.h | 15 ++ reactos/include/ddk/pstypes.h | 47 ++-- reactos/include/ddk/sefuncs.h | 14 +- reactos/include/ddk/setypes.h | 128 +++-------- reactos/include/ddk/zw.h | 52 +---- reactos/include/security.h | 154 +++++++++++++ reactos/include/structs.h | 52 +---- reactos/lib/advapi32/sec/sec.c | 2 + reactos/ntoskrnl/io/queue.c | 2 +- reactos/ntoskrnl/ke/kqueue.c | 2 +- reactos/ntoskrnl/ps/create.c | 189 +++++++++++++++- reactos/ntoskrnl/ps/process.c | 22 ++ reactos/ntoskrnl/ps/tinfo.c | 171 +++++++-------- reactos/ntoskrnl/se/acl.c | 4 +- reactos/ntoskrnl/se/semgr.c | 389 ++++++++++++++++++++++++++------- reactos/ntoskrnl/se/sid.c | 5 +- reactos/ntoskrnl/se/token.c | 173 ++++++++++++++- 18 files changed, 1016 insertions(+), 431 deletions(-) create mode 100644 reactos/include/security.h diff --git a/reactos/include/base.h b/reactos/include/base.h index b08ad1d432b..3ddb3261fe4 100644 --- a/reactos/include/base.h +++ b/reactos/include/base.h @@ -88,17 +88,6 @@ typedef CHAR *PCH; typedef void *HANDLE; typedef char CCHAR; -typedef enum _SECURITY_IMPERSONATION_LEVEL { - SecurityAnonymous, - SecurityIdentification, - SecurityImpersonation, - SecurityDelegation -} SECURITY_IMPERSONATION_LEVEL; - -typedef enum tagTOKEN_TYPE { - TokenPrimary = 1, - TokenImpersonation -} TOKEN_TYPE; #define FALSE 0 #define TRUE 1 @@ -403,21 +392,6 @@ typedef enum _SID_NAME_USE { SidTypeUnknown } SID_NAME_USE, *PSID_NAME_USE; -#define TOKEN_INFORMATION_CLASS_DEFINED 1 - -typedef enum _TOKEN_INFORMATION_CLASS { - TokenUser = 1, - TokenGroups, - TokenPrivileges, - TokenOwner, - TokenPrimaryGroup, - TokenDefaultDacl, - TokenSource, - TokenType, - TokenImpersonationLevel, - TokenStatistics -} TOKEN_INFORMATION_CLASS; - #endif /* ! defined (RC_INVOKED) */ /* diff --git a/reactos/include/ddk/psfuncs.h b/reactos/include/ddk/psfuncs.h index c1f4d57ce72..81acdd92bb4 100644 --- a/reactos/include/ddk/psfuncs.h +++ b/reactos/include/ddk/psfuncs.h @@ -1,4 +1,11 @@ +PACCESS_TOKEN PsReferenceEffectiveToken(PETHREAD Thread, + PTOKEN_TYPE TokenType, + PUCHAR b, + PSECURITY_IMPERSONATION_LEVEL Level); + +NTSTATUS PsOpenTokenOfProcess(HANDLE ProcessHandle, + PACCESS_TOKEN* Token); HANDLE PsGetCurrentProcessId(VOID); HANDLE PsGetCurrentThreadId(VOID); @@ -41,3 +48,11 @@ PACCESS_TOKEN PsReferenceImpersonationToken(PETHREAD Thread, SECURITY_IMPERSONATION_LEVEL* Level); PACCESS_TOKEN PsReferencePrimaryToken(PEPROCESS Process); +NTSTATUS PsAssignImpersonationToken(PETHREAD Thread, + HANDLE TokenHandle); + +VOID PsImpersonateClient(PETHREAD Thread, + PACCESS_TOKEN Token, + UCHAR b, + UCHAR c, + SECURITY_IMPERSONATION_LEVEL Level); diff --git a/reactos/include/ddk/pstypes.h b/reactos/include/ddk/pstypes.h index ab56e427e26..2279bc31596 100644 --- a/reactos/include/ddk/pstypes.h +++ b/reactos/include/ddk/pstypes.h @@ -271,30 +271,31 @@ typedef struct _TOP_LEVEL_IRP typedef struct { - PACCESS_TOKEN Token; - UCHAR Unknown1; - UCHAR Unknown2; - UCHAR Pad[2]; - SECURITY_IMPERSONATION_LEVEL Level; -} IMPERSONATION_INFO, *PIMPERSONATION_INFO; + PACCESS_TOKEN Token; // 0x0 + UCHAR Unknown1; // 0x4 + UCHAR Unknown2; // 0x5 + UCHAR Pad[2]; // 0x6 + SECURITY_IMPERSONATION_LEVEL Level; // 0x8 +} PS_IMPERSONATION_INFO, *PPS_IMPERSONATION_INFO; -typedef struct _ETHREAD { - KTHREAD Tcb; - TIME CreateTime; - TIME ExitTime; - NTSTATUS ExitStatus; - LIST_ENTRY PostBlockList; - LIST_ENTRY TerminationPortList; - ULONG ActiveTimerListLock; - PVOID ActiveTimerListHead; - CLIENT_ID Cid; - PLARGE_INTEGER LpcReplySemaphore; - PVOID LpcReplyMessage; - PLARGE_INTEGER LpcReplyMessageId; - PIMPERSONATION_INFO ImpersonationInfo; - LIST_ENTRY IrpList; // - TOP_LEVEL_IRP TopLevelIrp; - ULONG ReadClusterSize; +typedef struct _ETHREAD +{ + KTHREAD Tcb; + TIME CreateTime; + TIME ExitTime; + NTSTATUS ExitStatus; + LIST_ENTRY PostBlockList; + LIST_ENTRY TerminationPortList; + ULONG ActiveTimerListLock; + PVOID ActiveTimerListHead; + CLIENT_ID Cid; + PLARGE_INTEGER LpcReplySemaphore; + PVOID LpcReplyMessage; + PLARGE_INTEGER LpcReplyMessageId; + PPS_IMPERSONATION_INFO ImpersonationInfo; + LIST_ENTRY IrpList; // + TOP_LEVEL_IRP TopLevelIrp; + ULONG ReadClusterSize; UCHAR ForwardClusterOnly; UCHAR DisablePageFaultClustering; UCHAR DeadThread; diff --git a/reactos/include/ddk/sefuncs.h b/reactos/include/ddk/sefuncs.h index f2a83f71eae..906f45bfff5 100644 --- a/reactos/include/ddk/sefuncs.h +++ b/reactos/include/ddk/sefuncs.h @@ -1,6 +1,6 @@ #ifndef _INCLUDE_DDK_SEFUNCS_H #define _INCLUDE_DDK_SEFUNCS_H -/* $Id: sefuncs.h,v 1.3 1999/12/26 17:22:18 ea Exp $ */ +/* $Id: sefuncs.h,v 1.4 2000/01/05 21:56:58 dwelch Exp $ */ NTSTATUS STDCALL RtlCreateSecurityDescriptor (PSECURITY_DESCRIPTOR SecurityDescriptor, ULONG Revision); BOOLEAN STDCALL RtlValidSecurityDescriptor (PSECURITY_DESCRIPTOR SecurityDescriptor); ULONG STDCALL RtlLengthSecurityDescriptor (PSECURITY_DESCRIPTOR SecurityDescriptor); @@ -16,7 +16,7 @@ PULONG STDCALL RtlSubAuthoritySid (PSID Sid, ULONG SubAuthority); BOOLEAN STDCALL RtlEqualSid(PSID Sid1, PSID Sid2); NTSTATUS STDCALL RtlAbsoluteToSelfRelativeSD (PSECURITY_DESCRIPTOR AbsSD, PSECURITY_DESCRIPTOR RelSD, PULONG BufferLength); BOOLEAN STDCALL SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, - IN PSECURITY_DESCRIPTOR_CONTEXT SubjectSecurityContext, + IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN BOOLEAN SubjectContextLocked, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK PreviouslyGrantedAccess, @@ -35,4 +35,14 @@ NTSTATUS STDCALL SeDeassignSecurity (PSECURITY_DESCRIPTOR* SecurityDescriptor); BOOLEAN STDCALL SeSinglePrivilegeCheck (LUID PrivilegeValue, KPROCESSOR_MODE PreviousMode); ULONG STDCALL RtlLengthSid (PSID Sid); NTSTATUS STDCALL RtlCopySid(ULONG BufferLength, PSID Src, PSID Dest); + +VOID SeImpersonateClient(PSE_SOME_STRUCT2 a, + PETHREAD Thread); + +NTSTATUS SeCreateClientSecurity(PETHREAD Thread, + PSECURITY_QUALITY_OF_SERVICE Qos, + ULONG e, + PSE_SOME_STRUCT2 f); + + #endif /* ndef _INCLUDE_DDK_SEFUNCS_H */ diff --git a/reactos/include/ddk/setypes.h b/reactos/include/ddk/setypes.h index 881f92e9846..152a15fafc1 100644 --- a/reactos/include/ddk/setypes.h +++ b/reactos/include/ddk/setypes.h @@ -1,4 +1,4 @@ -/* $Id: setypes.h,v 1.3 1999/12/26 17:22:18 ea Exp $ +/* $Id: setypes.h,v 1.4 2000/01/05 21:56:58 dwelch Exp $ * * COPYRIGHT: See COPYING in the top level directory for details * PROJECT: ReactOS kernel @@ -12,6 +12,8 @@ #ifndef __INCLUDE_DDK_SETYPES_H #define __INCLUDE_DDK_SETYPES_H +#include + /* SID */ #define SECURITY_NULL_RID (0L) #define SECURITY_WORLD_RID (0L) @@ -82,93 +84,24 @@ #define SE_PRIVILEGE_USED_FOR_ACCESS (0x80000000L) #define PRIVILEGE_SET_ALL_NECESSARY (0x1) -typedef ULONG ACCESS_MASK; -typedef ULONG ACCESS_MODE, *PACCESS_MODE; - -typedef struct _SECURITY_QUALITY_OF_SERVICE { - DWORD Length; - SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; - /* SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode; */ - WINBOOL ContextTrackingMode; - BOOLEAN EffectiveOnly; -} SECURITY_QUALITY_OF_SERVICE; - -typedef SECURITY_QUALITY_OF_SERVICE* PSECURITY_QUALITY_OF_SERVICE; - -typedef struct _ACE_HEADER -{ - CHAR AceType; - CHAR AceFlags; - USHORT AceSize; - ACCESS_MASK AccessMask; -} ACE_HEADER, *PACE_HEADER; - -typedef struct -{ - ACE_HEADER Header; -} ACE, *PACE; - -typedef struct _SID_IDENTIFIER_AUTHORITY -{ - BYTE Value[6]; -} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; - -#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1} - -typedef struct _SID -{ - UCHAR Revision; - UCHAR SubAuthorityCount; - SID_IDENTIFIER_AUTHORITY IdentifierAuthority; - ULONG SubAuthority[1]; -} SID, *PSID; - -typedef struct _ACL { - UCHAR AclRevision; - UCHAR Sbz1; - USHORT AclSize; - USHORT AceCount; - USHORT Sbz2; -} ACL, *PACL; - -typedef USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL; - -typedef struct _SECURITY_DESCRIPTOR_CONTEXT -{ -} SECURITY_DESCRIPTOR_CONTEXT, *PSECURITY_DESCRIPTOR_CONTEXT; - -typedef LARGE_INTEGER LUID, *PLUID; - -typedef struct _LUID_AND_ATTRIBUTES -{ - LUID Luid; - DWORD Attributes; -} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES; - -typedef struct _TOKEN_SOURCE -{ - CHAR SourceName[8]; - LARGE_INTEGER Unknown; - LUID SourceIdentifier; -} TOKEN_SOURCE, *PTOKEN_SOURCE; - - typedef struct _ACCESS_TOKEN { TOKEN_SOURCE TokenSource; // 0x00 + LUID TokenId; // 0x10 LUID AuthenticationId; // 0x18 - LARGE_INTEGER ExpirationTime; // 0x20 + LARGE_INTEGER ExpirationTime; // 0x20 LUID ModifiedId; // 0x28 - ULONG UserAndGroupCount; // 0x30 - ULONG PrivilegeCount; // 0x34 - ULONG VariableLength; // 0x38 - ULONG DynamicCharged; // 0x3C - ULONG DynamicAvailable; // 0x40 - ULONG DefaultOwnerIndex; // 0x44 - ULONG Unknown[2]; // 0x48 - PLUID_AND_ATTRIBUTES Privileges; // 0x50 - ULONG Unknown1; // 0x54 - PACL DefaultDacl; // 0x58 + ULONG UserAndGroupCount; // 0x30 + ULONG PrivilegeCount; // 0x34 + ULONG VariableLength; // 0x38 + ULONG DynamicCharged; // 0x3C + ULONG DynamicAvailable; // 0x40 + ULONG DefaultOwnerIndex; // 0x44 + PSID_AND_ATTRIBUTES UserAndGroups; // 0x48 + PSID PrimaryGroup; // 0x4C + PLUID_AND_ATTRIBUTES Privileges; // 0x50 + ULONG Unknown1; // 0x54 + PACL DefaultDacl; // 0x58 TOKEN_TYPE TokenType; // 0x5C SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; // 0x60 UCHAR TokenFlags; // 0x64 @@ -188,23 +121,28 @@ typedef struct _SECURITY_SUBJECT_CONTEXT PVOID ProcessAuditId; // 0xC } SECURITY_SUBJECT_CONTEXT, *PSECURITY_SUBJECT_CONTEXT; - -typedef struct _SECURITY_DESCRIPTOR { - UCHAR Revision; - UCHAR Sbz1; - SECURITY_DESCRIPTOR_CONTROL Control; - PSID Owner; - PSID Group; - PACL Sacl; - PACL Dacl; -} SECURITY_DESCRIPTOR, *PSECURITY_DESCRIPTOR; - BOOLEAN STDCALL RtlValidSid (PSID Sid); - /* * from ntoskrnl/se/token.c: */ extern struct _OBJECT_TYPE* SeTokenType; +typedef struct +{ + ULONG Unknown1; // 0x0 + SECURITY_IMPERSONATION_LEVEL Level; // 0x4 + UCHAR ContextTrackingMode; // 0x8 + UCHAR EffectiveOnly; // 0x9 + UCHAR Unknown5; // 0xa + UCHAR Unknown6; // 0xb + PACCESS_TOKEN Token; // 0xc + UCHAR Unknown8; // 0x10 + UCHAR Unknown9; // 0x11 + UCHAR Unknown10; // 0x12 + UCHAR Pad[1]; // 0x13 + ULONG Unknown11; // 0x14 +} SE_SOME_STRUCT2, *PSE_SOME_STRUCT2; + + #endif diff --git a/reactos/include/ddk/zw.h b/reactos/include/ddk/zw.h index eeb8208ca8b..f58afb44aa8 100644 --- a/reactos/include/ddk/zw.h +++ b/reactos/include/ddk/zw.h @@ -1,5 +1,5 @@ -/* $Id: zw.h,v 1.24 1999/12/18 17:48:21 dwelch Exp $ +/* $Id: zw.h,v 1.25 2000/01/05 21:56:58 dwelch Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -17,57 +17,7 @@ #ifndef __DDK_ZW_H #define __DDK_ZW_H -#if defined(WIN32_LEAN_AND_MEAN) && !defined(TOKEN_INFORMATION_CLASS_DEFINED) - -typedef enum _TOKEN_INFORMATION_CLASS { - TokenUser = 1, - TokenGroups, - TokenPrivileges, - TokenOwner, - TokenPrimaryGroup, - TokenDefaultDacl, - TokenSource, - TokenType, - TokenImpersonationLevel, - TokenStatistics -} TOKEN_INFORMATION_CLASS; -typedef struct _SID_AND_ATTRIBUTES { - PSID Sid; - DWORD Attributes; -} SID_AND_ATTRIBUTES ; - -typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; -typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY; - -typedef struct _TOKEN_DEFAULT_DACL { - PACL DefaultDacl; -} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL; - -typedef struct _TOKEN_GROUPS { - DWORD GroupCount; - SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; -} TOKEN_GROUPS, *PTOKEN_GROUPS, *LPTOKEN_GROUPS; - -typedef struct _TOKEN_OWNER { - PSID Owner; -} TOKEN_OWNER, *PTOKEN_OWNER; - -typedef struct _TOKEN_PRIMARY_GROUP { - PSID PrimaryGroup; -} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; - -typedef struct _TOKEN_PRIVILEGES { - DWORD PrivilegeCount; - LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; -} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES, *LPTOKEN_PRIVILEGES; - -typedef struct _TOKEN_USER { - SID_AND_ATTRIBUTES User; -} TOKEN_USER, *PTOKEN_USER; - -#endif - #define LCID ULONG #define SECURITY_INFORMATION ULONG diff --git a/reactos/include/security.h b/reactos/include/security.h new file mode 100644 index 00000000000..7ab0ca808dc --- /dev/null +++ b/reactos/include/security.h @@ -0,0 +1,154 @@ +#ifndef __INCLUDE_SECURITY_H +#define __INCLUDE_SECURITY_H + +typedef enum _TOKEN_INFORMATION_CLASS { + TokenUser = 1, + TokenGroups, + TokenPrivileges, + TokenOwner, + TokenPrimaryGroup, + TokenDefaultDacl, + TokenSource, + TokenType, + TokenImpersonationLevel, + TokenStatistics +} TOKEN_INFORMATION_CLASS; + +typedef ULONG SECURITY_IMPERSONATION_LEVEL, *PSECURITY_IMPERSONATION_LEVEL; + +#define SecurityAnonymous ((SECURITY_IMPERSONATION_LEVEL)1) +#define SecurityIdentification ((SECURITY_IMPERSONATION_LEVEL)2) +#define SecurityImpersonation ((SECURITY_IMPERSONATION_LEVEL)3) +#define SecurityDelegation ((SECURITY_IMPERSONATION_LEVEL)4) + +typedef ULONG TOKEN_TYPE, *PTOKEN_TYPE; + +#define TokenPrimary ((TOKEN_TYPE)1) +#define TokenImpersonation ((TOKEN_TYPE)2) + +typedef ULONG ACCESS_MASK; +typedef ULONG ACCESS_MODE, *PACCESS_MODE; + +typedef struct _SECURITY_QUALITY_OF_SERVICE { + DWORD Length; + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; + /* SECURITY_CONTEXT_TRACKING_MODE ContextTrackingMode; */ + WINBOOL ContextTrackingMode; + BOOLEAN EffectiveOnly; +} SECURITY_QUALITY_OF_SERVICE; + +typedef SECURITY_QUALITY_OF_SERVICE* PSECURITY_QUALITY_OF_SERVICE; + +typedef struct _ACE_HEADER +{ + CHAR AceType; + CHAR AceFlags; + USHORT AceSize; + ACCESS_MASK AccessMask; +} ACE_HEADER, *PACE_HEADER; + +typedef struct +{ + ACE_HEADER Header; +} ACE, *PACE; + +typedef struct _SID_IDENTIFIER_AUTHORITY +{ + BYTE Value[6]; +} SID_IDENTIFIER_AUTHORITY, *PSID_IDENTIFIER_AUTHORITY; + +#define SECURITY_WORLD_SID_AUTHORITY {0,0,0,0,0,1} + +typedef struct _SID +{ + UCHAR Revision; + UCHAR SubAuthorityCount; + SID_IDENTIFIER_AUTHORITY IdentifierAuthority; + ULONG SubAuthority[1]; +} SID, *PSID; + +typedef struct _ACL { + UCHAR AclRevision; + UCHAR Sbz1; + USHORT AclSize; + USHORT AceCount; + USHORT Sbz2; +} ACL, *PACL; + +typedef USHORT SECURITY_DESCRIPTOR_CONTROL, *PSECURITY_DESCRIPTOR_CONTROL; + +typedef struct _SECURITY_DESCRIPTOR_CONTEXT +{ +} SECURITY_DESCRIPTOR_CONTEXT, *PSECURITY_DESCRIPTOR_CONTEXT; + +typedef LARGE_INTEGER LUID, *PLUID; + +typedef struct _SECURITY_DESCRIPTOR { + UCHAR Revision; + UCHAR Sbz1; + SECURITY_DESCRIPTOR_CONTROL Control; + PSID Owner; + PSID Group; + PACL Sacl; + PACL Dacl; +} SECURITY_DESCRIPTOR, *PSECURITY_DESCRIPTOR; + +typedef struct _LUID_AND_ATTRIBUTES +{ + LUID Luid; + DWORD Attributes; +} LUID_AND_ATTRIBUTES, *PLUID_AND_ATTRIBUTES; + +typedef struct _TOKEN_SOURCE { + CHAR SourceName[8]; + LUID SourceIdentifier; +} TOKEN_SOURCE, *PTOKEN_SOURCE; + +typedef struct _SID_AND_ATTRIBUTES { + PSID Sid; + DWORD Attributes; +} SID_AND_ATTRIBUTES, *PSID_AND_ATTRIBUTES; + +typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; +typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY; + +typedef struct _TOKEN_USER { + SID_AND_ATTRIBUTES User; +} TOKEN_USER, *PTOKEN_USER; + +typedef struct _TOKEN_PRIMARY_GROUP { + PSID PrimaryGroup; +} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; + +typedef struct _TOKEN_GROUPS { + DWORD GroupCount; + SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; +} TOKEN_GROUPS, *PTOKEN_GROUPS, *LPTOKEN_GROUPS; + +typedef struct _TOKEN_PRIVILEGES { + DWORD PrivilegeCount; + LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; +} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES, *LPTOKEN_PRIVILEGES; + +typedef struct _TOKEN_OWNER { + PSID Owner; +} TOKEN_OWNER, *PTOKEN_OWNER; + +typedef struct _TOKEN_DEFAULT_DACL { + PACL DefaultDacl; +} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL; + +typedef struct _TOKEN_STATISTICS { + LUID TokenId; + LUID AuthenticationId; + LARGE_INTEGER ExpirationTime; + TOKEN_TYPE TokenType; + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; + DWORD DynamicCharged; + DWORD DynamicAvailable; + DWORD GroupCount; + DWORD PrivilegeCount; + LUID ModifiedId; +} TOKEN_STATISTICS, *PTOKEN_STATISTICS; + +#endif /* __INCLUDE_SECURITY_H */ diff --git a/reactos/include/structs.h b/reactos/include/structs.h index 57c736c2387..69fb609f428 100644 --- a/reactos/include/structs.h +++ b/reactos/include/structs.h @@ -53,7 +53,7 @@ typedef union _ULARGE_INTEGER ULONGLONG QuadPart; } ULARGE_INTEGER, *PULARGE_INTEGER; -#include +#include typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink; @@ -3880,15 +3880,6 @@ typedef struct _SHNAMEMAPPING { int cchNewPath; } SHNAMEMAPPING, *LPSHNAMEMAPPING; -typedef struct _SID_AND_ATTRIBUTES { - PSID Sid; - DWORD Attributes; -} SID_AND_ATTRIBUTES ; - -typedef SID_AND_ATTRIBUTES SID_AND_ATTRIBUTES_ARRAY[ANYSIZE_ARRAY]; -typedef SID_AND_ATTRIBUTES_ARRAY *PSID_AND_ATTRIBUTES_ARRAY; - - typedef struct tagSOUNDSENTRY { UINT cbSize; DWORD dwFlags; @@ -4155,46 +4146,7 @@ typedef struct _TOKEN_CONTROL { LUID ModifiedId; TOKEN_SOURCE TokenSource; } TOKEN_CONTROL, *PTOKEN_CONTROL ; - -typedef struct _TOKEN_DEFAULT_DACL { - PACL DefaultDacl; -} TOKEN_DEFAULT_DACL, *PTOKEN_DEFAULT_DACL; - -typedef struct _TOKEN_GROUPS { - DWORD GroupCount; - SID_AND_ATTRIBUTES Groups[ANYSIZE_ARRAY]; -} TOKEN_GROUPS, *PTOKEN_GROUPS, *LPTOKEN_GROUPS; - -typedef struct _TOKEN_OWNER { - PSID Owner; -} TOKEN_OWNER, *PTOKEN_OWNER; - -typedef struct _TOKEN_PRIMARY_GROUP { - PSID PrimaryGroup; -} TOKEN_PRIMARY_GROUP, *PTOKEN_PRIMARY_GROUP; - -typedef struct _TOKEN_PRIVILEGES { - DWORD PrivilegeCount; - LUID_AND_ATTRIBUTES Privileges[ANYSIZE_ARRAY]; -} TOKEN_PRIVILEGES, *PTOKEN_PRIVILEGES, *LPTOKEN_PRIVILEGES; - -typedef struct _TOKEN_STATISTICS { - LUID TokenId; - LUID AuthenticationId; - LARGE_INTEGER ExpirationTime; - TOKEN_TYPE TokenType; - SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; - DWORD DynamicCharged; - DWORD DynamicAvailable; - DWORD GroupCount; - DWORD PrivilegeCount; - LUID ModifiedId; -} TOKEN_STATISTICS, *PTOKEN_STATISTICS; - -typedef struct _TOKEN_USER { - SID_AND_ATTRIBUTES User; -} TOKEN_USER, *PTOKEN_USER; - + typedef struct { UINT cbSize; UINT uFlags; diff --git a/reactos/lib/advapi32/sec/sec.c b/reactos/lib/advapi32/sec/sec.c index 38edce972bf..3cb66f84c3b 100644 --- a/reactos/lib/advapi32/sec/sec.c +++ b/reactos/lib/advapi32/sec/sec.c @@ -18,7 +18,9 @@ GetSecurityDescriptorLength ( PSECURITY_DESCRIPTOR pSecurityDescriptor ) { +#if 0 return RtlLengthSecurityDescriptor(pSecurityDescriptor); + #endif } diff --git a/reactos/ntoskrnl/io/queue.c b/reactos/ntoskrnl/io/queue.c index 9daf6587d0b..9fc20d38581 100644 --- a/reactos/ntoskrnl/io/queue.c +++ b/reactos/ntoskrnl/io/queue.c @@ -10,7 +10,7 @@ #include -#define NDEBUG +//#define NDEBUG #include /* FUNCTIONS *****************************************************************/ diff --git a/reactos/ntoskrnl/ke/kqueue.c b/reactos/ntoskrnl/ke/kqueue.c index 907393173b5..e3e4244118c 100644 --- a/reactos/ntoskrnl/ke/kqueue.c +++ b/reactos/ntoskrnl/ke/kqueue.c @@ -12,7 +12,7 @@ #include -#define NDEBUG +//#define NDEBUG #include /* FUNCTIONS *****************************************************************/ diff --git a/reactos/ntoskrnl/ps/create.c b/reactos/ntoskrnl/ps/create.c index ec496d3dab6..4c7858c7dc5 100644 --- a/reactos/ntoskrnl/ps/create.c +++ b/reactos/ntoskrnl/ps/create.c @@ -1,4 +1,4 @@ -/* $Id: create.c,v 1.6 1999/12/26 15:50:51 dwelch Exp $ +/* $Id: create.c,v 1.7 2000/01/05 21:57:00 dwelch Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -43,6 +43,193 @@ extern LIST_ENTRY PiThreadListHead; /* FUNCTIONS ***************************************************************/ +NTSTATUS PsAssignImpersonationToken(PETHREAD Thread, + HANDLE TokenHandle) +{ + PACCESS_TOKEN Token; + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; + NTSTATUS Status; + + if (TokenHandle != NULL) + { + Status = ObReferenceObjectByHandle(TokenHandle, + 0, + SeTokenType, + UserMode, + (PVOID*)&Token, + NULL); + if (!NT_SUCCESS(Status)) + { + return(Status); + } + ImpersonationLevel = Token->ImpersonationLevel; + } + else + { + Token = NULL; + ImpersonationLevel = 0; + } + + PsImpersonateClient(Thread, + Token, + 0, + 0, + ImpersonationLevel); + if (Token != NULL) + { + ObDereferenceObject(Token); + } + return(STATUS_SUCCESS); +} + +VOID PsRevertToSelf(PETHREAD Thread) +{ + if (Thread->ActiveImpersonationInfo != 0) + { + Thread->ActiveImpersonationInfo = 0; + ObDereferenceObject(Thread->ImpersonationInfo->Token); + } +} + +VOID PsImpersonateClient(PETHREAD Thread, + PACCESS_TOKEN Token, + UCHAR b, + UCHAR c, + SECURITY_IMPERSONATION_LEVEL Level) +{ + if (Token == 0) + { + if (Thread->ActiveImpersonationInfo != 0) + { + Thread->ActiveImpersonationInfo = 0; + if (Thread->ImpersonationInfo->Token != NULL) + { + ObDereferenceObject(Thread->ImpersonationInfo->Token); + } + } + return; + } + if (Thread->ActiveImpersonationInfo == 0 || + Thread->ImpersonationInfo == NULL) + { + Thread->ImpersonationInfo = ExAllocatePool(NonPagedPool, + sizeof(PS_IMPERSONATION_INFO)); + } + Thread->ImpersonationInfo->Level = Level; + Thread->ImpersonationInfo->Unknown2 = c; + Thread->ImpersonationInfo->Unknown1 = b; + Thread->ImpersonationInfo->Token = Token; + ObReferenceObjectByPointer(Token, + 0, + SeTokenType, + KernelMode); + Thread->ActiveImpersonationInfo = 1; +} + +PACCESS_TOKEN PsReferenceEffectiveToken(PETHREAD Thread, + PTOKEN_TYPE TokenType, + PUCHAR b, + PSECURITY_IMPERSONATION_LEVEL Level) +{ + PEPROCESS Process; + PACCESS_TOKEN Token; + + if (Thread->ActiveImpersonationInfo == 0) + { + Process = Thread->ThreadsProcess; + *TokenType = TokenPrimary; + *b = 0; + Token = Process->Token; + } + else + { + Token = Thread->ImpersonationInfo->Token; + *TokenType = TokenImpersonation; + *b = Thread->ImpersonationInfo->Unknown2; + *Level = Thread->ImpersonationInfo->Level; + } + return(Token); +} + +NTSTATUS STDCALL NtImpersonateThread (IN HANDLE ThreadHandle, + IN HANDLE ThreadToImpersonateHandle, + IN PSECURITY_QUALITY_OF_SERVICE + SecurityQualityOfService) +{ + PETHREAD Thread; + PETHREAD ThreadToImpersonate; + NTSTATUS Status; + SE_SOME_STRUCT2 b; + + Status = ObReferenceObjectByHandle(ThreadHandle, + 0, + PsThreadType, + UserMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + { + return(Status); + } + + Status = ObReferenceObjectByHandle(ThreadToImpersonateHandle, + 0, + PsThreadType, + UserMode, + (PVOID*)&ThreadToImpersonate, + NULL); + if (!NT_SUCCESS(Status)) + { + ObDereferenceObject(Thread); + return(Status); + } + + Status = SeCreateClientSecurity(ThreadToImpersonate, + SecurityQualityOfService, + 0, + &b); + if (!NT_SUCCESS(Status)) + { + ObDereferenceObject(Thread); + ObDereferenceObject(ThreadToImpersonate); + return(Status); + } + + SeImpersonateClient(&b, Thread); + if (b.Token != NULL) + { + ObDereferenceObject(b.Token); + } + return(STATUS_SUCCESS); +} + +NTSTATUS STDCALL NtOpenThreadToken(IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + OUT PHANDLE TokenHandle) +{ +#if 0 + PETHREAD Thread; + NTSTATUS Status; + PACCESS_TOKEN Token; + + Status = ObReferenceObjectByHandle(ThreadHandle, + 0, + PsThreadType, + UserMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + { + return(Status); + } + + Token = PsReferencePrimaryToken(Thread->ThreadsProcess); + SepCreateImpersonationTokenDacl(Token); +#endif + return(STATUS_UNSUCCESSFUL); +} + PACCESS_TOKEN PsReferenceImpersonationToken(PETHREAD Thread, PULONG Unknown1, PULONG Unknown2, diff --git a/reactos/ntoskrnl/ps/process.c b/reactos/ntoskrnl/ps/process.c index 79724d66283..270ed468aae 100644 --- a/reactos/ntoskrnl/ps/process.c +++ b/reactos/ntoskrnl/ps/process.c @@ -36,6 +36,28 @@ static ULONG PiNextProcessUniqueId = 0; /* FUNCTIONS *****************************************************************/ +NTSTATUS STDCALL NtOpenProcessToken(IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + OUT PHANDLE TokenHandle) +{ + PACCESS_TOKEN Token; + NTSTATUS Status; + + Status = PsOpenTokenOfProcess(ProcessHandle, + &Token); + if (!NT_SUCCESS(Status)) + { + return(Status); + } + Status = ObCreateHandle(PsGetCurrentProcess(), + Token, + DesiredAccess, + FALSE, + ProcessHandle); + ObDereferenceObject(Token); + return(Status); +} + PACCESS_TOKEN PsReferencePrimaryToken(PEPROCESS Process) { ObReferenceObjectByPointer(Process->Token, diff --git a/reactos/ntoskrnl/ps/tinfo.c b/reactos/ntoskrnl/ps/tinfo.c index 77961e65f37..4dc9795b460 100644 --- a/reactos/ntoskrnl/ps/tinfo.c +++ b/reactos/ntoskrnl/ps/tinfo.c @@ -17,98 +17,91 @@ /* FUNCTIONS *****************************************************************/ -NTSTATUS -STDCALL -NtSetInformationThread ( - HANDLE ThreadHandle, - THREADINFOCLASS ThreadInformationClass, - PVOID ThreadInformation, - ULONG ThreadInformationLength - ) +NTSTATUS STDCALL NtSetInformationThread(HANDLE ThreadHandle, + THREADINFOCLASS ThreadInformationClass, + PVOID ThreadInformation, + ULONG ThreadInformationLength) { - PETHREAD Thread; - NTSTATUS Status; - PTHREAD_BASIC_INFORMATION ThreadBasicInformationP; + PETHREAD Thread; + NTSTATUS Status; + PTHREAD_BASIC_INFORMATION ThreadBasicInformationP; - Status = ObReferenceObjectByHandle( - ThreadHandle, - THREAD_SET_INFORMATION, - PsThreadType, - UserMode, - (PVOID*) & Thread, - NULL - ); - if (Status != STATUS_SUCCESS) - { - return Status; - } - - switch (ThreadInformationClass) - { - case ThreadBasicInformation: - ThreadBasicInformationP = - (PTHREAD_BASIC_INFORMATION) ThreadInformation; - ThreadBasicInformationP->ExitStatus = - Thread->ExitStatus; - ThreadBasicInformationP->TebBaseAddress = - Thread->Tcb.Teb; - ThreadBasicInformationP->AffinityMask = - Thread->Tcb.Affinity; - ThreadBasicInformationP->BasePriority = - Thread->Tcb.BasePriority; - ThreadBasicInformationP->UniqueThreadId = - (ULONG) Thread->Cid.UniqueThread; - Status = STATUS_SUCCESS; - break; - - case ThreadTimes: - break; - - case ThreadPriority: - KeSetPriorityThread( - & Thread->Tcb, - * (KPRIORITY *) ThreadInformation - ); - Status = STATUS_SUCCESS; - break; - - case ThreadBasePriority: - break; - - case ThreadAffinityMask: - break; - - case ThreadImpersonationToken: - break; - - case ThreadDescriptorTableEntry: - UNIMPLEMENTED; - break; - - case ThreadEventPair: - UNIMPLEMENTED; - break; - - case ThreadQuerySetWin32StartAddress: - break; - - case ThreadZeroTlsCell: - break; - - case ThreadPerformanceCount: - break; - - case ThreadAmILastThread: - break; - - case ThreadPriorityBoost: - break; - - default: - Status = STATUS_UNSUCCESSFUL; - } - ObDereferenceObject(Thread); + Status = ObReferenceObjectByHandle(ThreadHandle, + THREAD_SET_INFORMATION, + PsThreadType, + UserMode, + (PVOID*)&Thread, + NULL); + if (!NT_SUCCESS(Status)) + { return Status; + } + + switch (ThreadInformationClass) + { + case ThreadBasicInformation: + ThreadBasicInformationP = + (PTHREAD_BASIC_INFORMATION) ThreadInformation; + ThreadBasicInformationP->ExitStatus = + Thread->ExitStatus; + ThreadBasicInformationP->TebBaseAddress = + Thread->Tcb.Teb; + ThreadBasicInformationP->AffinityMask = + Thread->Tcb.Affinity; + ThreadBasicInformationP->BasePriority = + Thread->Tcb.BasePriority; + ThreadBasicInformationP->UniqueThreadId = + (ULONG) Thread->Cid.UniqueThread; + Status = STATUS_SUCCESS; + break; + + case ThreadTimes: + break; + + case ThreadPriority: + KeSetPriorityThread(&Thread->Tcb, *(KPRIORITY *)ThreadInformation); + Status = STATUS_SUCCESS; + break; + + case ThreadBasePriority: + break; + + case ThreadAffinityMask: + break; + + case ThreadImpersonationToken: + Status = PsAssignImpersonationToken(Thread, + *((PHANDLE)ThreadInformation)); + break; + + case ThreadDescriptorTableEntry: + UNIMPLEMENTED; + break; + + case ThreadEventPair: + UNIMPLEMENTED; + break; + + case ThreadQuerySetWin32StartAddress: + break; + + case ThreadZeroTlsCell: + break; + + case ThreadPerformanceCount: + break; + + case ThreadAmILastThread: + break; + + case ThreadPriorityBoost: + break; + + default: + Status = STATUS_UNSUCCESSFUL; + } + ObDereferenceObject(Thread); + return Status; } diff --git a/reactos/ntoskrnl/se/acl.c b/reactos/ntoskrnl/se/acl.c index b0e75699755..2f89608c784 100644 --- a/reactos/ntoskrnl/se/acl.c +++ b/reactos/ntoskrnl/se/acl.c @@ -1,4 +1,4 @@ -/* $Id: acl.c,v 1.2 1999/12/26 17:22:19 ea Exp $ +/* $Id: acl.c,v 1.3 2000/01/05 21:57:00 dwelch Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -94,7 +94,7 @@ NTSTATUS RtlpAddKnownAce(PACL Acl, Ace->Header.AceType = Type; Ace->Header.AceSize = RtlLengthSid(Sid) + sizeof(ACE); Ace->Header.AccessMask = AccessMask; - RtlCopySid(RtlLengthSid(Sid), Sid, (PSID)Ace + 1); + RtlCopySid(RtlLengthSid(Sid), (PSID)Ace + 1, Sid); Acl->AceCount++; Acl->AclRevision = Revision; return(STATUS_SUCCESS); diff --git a/reactos/ntoskrnl/se/semgr.c b/reactos/ntoskrnl/se/semgr.c index db5c501469c..06c00a0462e 100644 --- a/reactos/ntoskrnl/se/semgr.c +++ b/reactos/ntoskrnl/se/semgr.c @@ -1,4 +1,4 @@ -/* $Id: semgr.c,v 1.13 1999/12/26 17:22:19 ea Exp $ +/* $Id: semgr.c,v 1.14 2000/01/05 21:57:00 dwelch Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -17,6 +17,266 @@ /* FUNCTIONS ***************************************************************/ +VOID SepReferenceLogonSession(PLUID AuthenticationId) +{ + UNIMPLEMENTED; +} + +VOID SepDeReferenceLogonSession(PLUID AuthenticationId) +{ + UNIMPLEMENTED; +} + +VOID SepFreeProxyData(PVOID ProxyData) +{ + UNIMPLEMENTED; +} + +NTSTATUS SepCopyProxyData(PVOID* Dest, PVOID Src) +{ + UNIMPLEMENTED; +} + +NTSTATUS SepDuplicationToken(PACCESS_TOKEN Token, + PULONG a, + ULONG b, + TOKEN_TYPE TokenType, + SECURITY_IMPERSONATION_LEVEL Level, + ULONG d, + PACCESS_TOKEN* e) +{ +#if 0 + PVOID mem1; + PVOID mem2; + PVOID f; + PACCESS_TOKEN g; + NTSTATUS Status; + + if (TokenType == 2 && + (Level > 3 || Level < 0)) + { + return(STATUS_UNSUCCESSFUL); + } + + SepReferenceLogonSession(&Token->AuthenticationId); + + mem1 = ExAllocatePool(NonPagedPool, Token->DynamicCharged); + if (mem1 == NULL) + { + SepDeReferenceLogonSession(&Token->AuthenticationId); + return(STATUS_UNSUCCESSFUL); + } + if (Token->ProxyData != NULL) + { + Status = SepCopyProxyData(&f, Token->ProxyData); + if (!NT_SUCCESS(Status)) + { + SepDeReferenceLogonSession(&Token->AuthenticationId); + ExFreePool(mem1); + return(Status); + } + } + else + { + f = 0; + } + if (Token->AuditData != NULL) + { + mem2 = ExAllocatePool(NonPagedPool, 0xc); + if (mem2 == NULL) + { + SepFreeProxyData(f); + SepDeReferenceLogonSession(&Token->AuthenticationId); + ExFreePool(mem1); + return(STATUS_UNSUCCESSFUL); + } + memcpy(mem2, Token->AuditData, 0xc); + } + else + { + mem2 = NULL; + } + + Status = ObCreateObject(d, + SeTokenType, + b, + d, + 0, + Token->VariableLength + 0x78, + Token->DynamicCharged, + Token->VariableLength + 0x78, + &g); + if (!NT_SUCCESS(Status)) + { + SepDeReferenceLogonSession(Token->AuthenticationId); + ExFreePool(mem1); + SepFreeProxyData(f); + if (mem2 != NULL) + { + ExFreePool(mem2); + } + return(Status); + } + + g->TokenId = Token->TokenId; + g->ModifiedId = Token->ModifiedId; + g->ExpirationTime = Token->ExpirationTime; + memcpy(&g->TokenSource, &Token->TokenSource, sizeof(TOKEN_SOURCE)); + g->DynamicCharged = Token->DynamicCharged; + g->DynamicAvailable = Token->DynamicAvailable; + g->DefaultOwnerIndex = Token->DefaultOwnerIndex; + g->UserAndGroupCount = Token->UserAndGroupCount; + g->PrivilegeCount = Token->PrivilegeCount; + g->VariableLength = Token->VariableLength; + g->TokenFlags = Token->TokenFlags; + g->ProxyData = f; + g->AuditData = mem2; + //g->TokenId = ExInterlockedExchangeAdd(); + g->TokenInUse = 0; + g->TokenType = TokenType; + g->ImpersonationLevel = Level; + memmove(g->VariablePart, Token->VariablePart, Token->VariableLength); + /* ... */ + *e = g; + return(STATUS_SUCCESS); +#endif + UNIMPLEMENTED; +} + +NTSTATUS SeCopyClientToken(PACCESS_TOKEN Token, + SECURITY_IMPERSONATION_LEVEL Level, + ULONG a, + PACCESS_TOKEN* b) +{ + ULONG c; + PACCESS_TOKEN d; + NTSTATUS Status; + + c = 18; + Status = SepDuplicationToken(Token, + &c, + 0, + TokenImpersonation, + Level, + a, + &d); + *b = d; + return(Status); +} + +NTSTATUS SeCreateClientSecurity(PETHREAD Thread, + PSECURITY_QUALITY_OF_SERVICE Qos, + ULONG e, + PSE_SOME_STRUCT2 f) +{ + TOKEN_TYPE TokenType; + UCHAR b; + SECURITY_IMPERSONATION_LEVEL ImpersonationLevel; + PACCESS_TOKEN Token; + ULONG g; + PACCESS_TOKEN NewToken; + + Token = PsReferenceEffectiveToken(Thread, + &TokenType, + &b, + &ImpersonationLevel); + if (TokenType != 2) + { + f->Unknown9 = Qos->EffectiveOnly; + } + else + { + if (Qos->ImpersonationLevel > ImpersonationLevel) + { + if (Token != NULL) + { + ObDereferenceObject(Token); + } + return(STATUS_UNSUCCESSFUL); + } + if (ImpersonationLevel == 0 || + ImpersonationLevel == 1 || + (e != 0 && ImpersonationLevel != 3)) + { + if (Token != NULL) + { + ObDereferenceObject(Token); + } + return(STATUS_UNSUCCESSFUL); + } + if (b != 0 || + Qos->EffectiveOnly != 0) + { + f->Unknown9 = 1; + } + else + { + f->Unknown9 = 0; + } + } + + if (Qos->ContextTrackingMode == 0) + { + f->Unknown8 = 0; + g = SeCopyClientToken(Token, ImpersonationLevel, 0, &NewToken); + if (g >= 0) + { +// ObDeleteCapturedInsertInfo(NewToken); + } + if (TokenType == TokenPrimary || Token != NULL) + { + ObDereferenceObject(Token); + } + if (g < 0) + { + return(g); + } + } + else + { + f->Unknown8 = 1; + if (e != 0) + { +// SeGetTokenControlInformation(Token, &f->Unknown11); + } + NewToken = Token; + } + f->Unknown1 = 0xc; + f->Level = Qos->ImpersonationLevel; + f->ContextTrackingMode = Qos->ContextTrackingMode; + f->EffectiveOnly = Qos->EffectiveOnly; + f->Unknown10 = e; + f->Token = NewToken; + + return(STATUS_SUCCESS); +} + + +VOID SeImpersonateClient(PSE_SOME_STRUCT2 a, + PETHREAD Thread) +{ + UCHAR b; + + if (a->Unknown8 == 0) + { + b = a->EffectiveOnly; + } + else + { + b = a->Unknown9; + } + if (Thread == NULL) + { + Thread = PsGetCurrentThread(); + } + PsImpersonateClient(Thread, + a->Token, + 1, + (ULONG)b, + a->Level); +} + + NTSTATUS STDCALL NtPrivilegeCheck (IN HANDLE ClientToken, @@ -27,15 +287,12 @@ NTSTATUS STDCALL NtPrivilegeCheck (IN HANDLE ClientToken, } -NTSTATUS -STDCALL -NtPrivilegedServiceAuditAlarm ( - IN PUNICODE_STRING SubsystemName, - IN PUNICODE_STRING ServiceName, - IN HANDLE ClientToken, - IN PPRIVILEGE_SET Privileges, - IN BOOLEAN AccessGranted - ) +NTSTATUS STDCALL NtPrivilegedServiceAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PUNICODE_STRING ServiceName, + IN HANDLE ClientToken, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted) { UNIMPLEMENTED; } @@ -74,44 +331,6 @@ NtOpenObjectAuditAlarm ( UNIMPLEMENTED; } - -NTSTATUS -STDCALL -NtOpenProcessToken ( - IN HANDLE ProcessHandle, - IN ACCESS_MASK DesiredAccess, - OUT PHANDLE TokenHandle - ) -{ - UNIMPLEMENTED; -} - - -NTSTATUS -STDCALL -NtOpenThreadToken ( - IN HANDLE ThreadHandle, - IN ACCESS_MASK DesiredAccess, - IN BOOLEAN OpenAsSelf, - OUT PHANDLE TokenHandle - ) -{ - UNIMPLEMENTED; -} - - - - -NTSTATUS STDCALL NtImpersonateThread (IN HANDLE ThreadHandle, - IN HANDLE ThreadToImpersonate, - IN PSECURITY_QUALITY_OF_SERVICE - SecurityQualityOfService) -{ - UNIMPLEMENTED; -} - - - NTSTATUS STDCALL NtAccessCheckAndAuditAlarm ( @@ -130,33 +349,6 @@ NtAccessCheckAndAuditAlarm ( } -NTSTATUS -STDCALL -NtAdjustGroupsToken ( - IN HANDLE TokenHandle, - IN BOOLEAN ResetToDefault, - IN PTOKEN_GROUPS NewState, - IN ULONG BufferLength, - OUT PTOKEN_GROUPS PreviousState OPTIONAL, - OUT PULONG ReturnLength - ) -{ - UNIMPLEMENTED; -} - - -NTSTATUS -STDCALL -NtAdjustPrivilegesToken(IN HANDLE TokenHandle, - IN BOOLEAN DisableAllPrivileges, - IN PTOKEN_PRIVILEGES NewState, - IN ULONG BufferLength, - OUT PTOKEN_PRIVILEGES PreviousState, - OUT PULONG ReturnLength) -{ - UNIMPLEMENTED; -} - NTSTATUS STDCALL NtAllocateUuids ( @@ -202,7 +394,11 @@ NtDeleteObjectAuditAlarm ( VOID STDCALL SeReleaseSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext) { - + ObDereferenceObject(SubjectContext->PrimaryToken); + if (SubjectContext->ClientToken != NULL) + { + ObDereferenceObject(SubjectContext->ClientToken); + } } VOID STDCALL SeCaptureSubjectContext (PSECURITY_SUBJECT_CONTEXT SubjectContext) @@ -337,17 +533,42 @@ NTSTATUS STDCALL SeDeassignSecurity(PSECURITY_DESCRIPTOR* SecurityDescriptor) } NTSTATUS STDCALL SeAssignSecurity(PSECURITY_DESCRIPTOR ParentDescriptor, - PSECURITY_DESCRIPTOR ExplicitDescriptor, - BOOLEAN IsDirectoryObject, - PSECURITY_SUBJECT_CONTEXT SubjectContext, - PGENERIC_MAPPING GenericMapping, - POOL_TYPE PoolType) + PSECURITY_DESCRIPTOR ExplicitDescriptor, + BOOLEAN IsDirectoryObject, + PSECURITY_SUBJECT_CONTEXT SubjectContext, + PGENERIC_MAPPING GenericMapping, + POOL_TYPE PoolType) { UNIMPLEMENTED; } +BOOLEAN SepSidInToken(PACCESS_TOKEN Token, + PSID Sid) +{ + ULONG i; + + if (Token->UserAndGroupCount == 0) + { + return(FALSE); + } + + for (i=0; iUserAndGroupCount; i++) + { + if (RtlEqualSid(Sid, Token->UserAndGroups[i].Sid)) + { + if (i == 0 || + (!(Token->UserAndGroups[i].Attributes & 0x4))) + { + return(TRUE); + } + return(FALSE); + } + } + return(FALSE); +} + BOOLEAN STDCALL SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, - IN PSECURITY_DESCRIPTOR_CONTEXT SubjectSecurityContext, + IN PSECURITY_SUBJECT_CONTEXT SubjectSecurityContext, IN BOOLEAN SubjectContextLocked, IN ACCESS_MASK DesiredAccess, IN ACCESS_MASK PreviouslyGrantedAccess, @@ -406,7 +627,7 @@ BOOLEAN STDCALL SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, Sid = (PSID)(CurrentAce + 1); if (CurrentAce->Header.AceType == ACCESS_DENIED_ACE_TYPE) { - if (RtlEqualSid(Sid, NULL)) + if (SepSidInToken(SubjectSecurityContext->ClientToken, Sid)) { *AccessStatus = STATUS_ACCESS_DENIED; *GrantedAccess = 0; @@ -415,7 +636,7 @@ BOOLEAN STDCALL SeAccessCheck (IN PSECURITY_DESCRIPTOR SecurityDescriptor, } if (CurrentAce->Header.AceType == ACCESS_ALLOWED_ACE_TYPE) { - if (RtlEqualSid(Sid, NULL)) + if (SepSidInToken(SubjectSecurityContext->ClientToken, Sid)) { CurrentAccess = CurrentAccess | CurrentAce->Header.AccessMask; diff --git a/reactos/ntoskrnl/se/sid.c b/reactos/ntoskrnl/se/sid.c index 56bf65a0c8e..8e3dc3accc4 100644 --- a/reactos/ntoskrnl/se/sid.c +++ b/reactos/ntoskrnl/se/sid.c @@ -1,4 +1,4 @@ -/* $Id: sid.c,v 1.2 1999/12/26 17:22:19 ea Exp $ +/* $Id: sid.c,v 1.3 2000/01/05 21:57:00 dwelch Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -79,8 +79,7 @@ ULONG STDCALL RtlLengthSid (PSID Sid) return(sizeof(SID) + (Sid->SubAuthorityCount-1)*4); } - -NTSTATUS STDCALL RtlCopySid (ULONG BufferLength, PSID Src, PSID Dest) +NTSTATUS STDCALL RtlCopySid (ULONG BufferLength, PSID Dest, PSID Src) { if (BufferLength < RtlLengthSid(Src)) { diff --git a/reactos/ntoskrnl/se/token.c b/reactos/ntoskrnl/se/token.c index a4e85d6ef3e..592bb544f94 100644 --- a/reactos/ntoskrnl/se/token.c +++ b/reactos/ntoskrnl/se/token.c @@ -1,4 +1,4 @@ -/* $Id: token.c,v 1.2 1999/12/26 17:22:19 ea Exp $ +/* $Id: token.c,v 1.3 2000/01/05 21:57:00 dwelch Exp $ * * COPYRIGHT: See COPYING in the top level directory * PROJECT: ReactOS kernel @@ -47,6 +47,36 @@ VOID SeInitializeTokenManager(VOID) } +NTSTATUS RtlCopySidAndAttributesArray(ULONG Count, // ebp + 8 + PSID_AND_ATTRIBUTES Src, // ebp + C + ULONG MaxLength, // ebp + 10 + PSID_AND_ATTRIBUTES Dest, // ebp + 14 + PVOID e, // ebp + 18 + PVOID* f, // ebp + 1C + PULONG g) // ebp + 20 +{ + ULONG Length; // ebp - 4 + ULONG i; + + Length = MaxLength; + + for (i=0; i Length) + { + return(STATUS_UNSUCCESSFUL); + } + Length = Length - RtlLengthSid(Src[i].Sid); + Dest[i].Sid = e; + Dest[i].Attributes = Src[i].Attributes; + RtlCopySid(RtlLengthSid(Src[i].Sid), e, Src[i].Sid); + e = e + RtlLengthSid(Src[i].Sid) + sizeof(ULONG); + } + *f = e; + *g = Length; + return(STATUS_SUCCESS); +} + NTSTATUS STDCALL NtQueryInformationToken(IN HANDLE TokenHandle, IN TOKEN_INFORMATION_CLASS TokenInformationClass, @@ -56,9 +86,13 @@ NTSTATUS STDCALL NtQueryInformationToken(IN HANDLE TokenHandle, { NTSTATUS Status; PACCESS_TOKEN Token; + PVOID UnusedInfo; + PVOID EndMem; + PTOKEN_GROUPS PtrTokenGroups; + PTOKEN_DEFAULT_DACL PtrDefaultDacl; + PTOKEN_STATISTICS PtrTokenStatistics; Status = ObReferenceObjectByHandle(TokenHandle, -// TOKEN_QUERY_INFORMATION, 0, SeTokenType, UserMode, @@ -69,6 +103,98 @@ NTSTATUS STDCALL NtQueryInformationToken(IN HANDLE TokenHandle, return(Status); } + switch (TokenInformationClass) + { + case TokenUser: + Status = RtlCopySidAndAttributesArray(1, + Token->UserAndGroups, + TokenInformationLength, + TokenInformation, + TokenInformation + 8, + &UnusedInfo, + ReturnLength); + if (!NT_SUCCESS(Status)) + { + ObDereferenceObject(Token); + return(Status); + } + break; + + + case TokenGroups: + EndMem = TokenInformation + + Token->UserAndGroupCount * sizeof(SID_AND_ATTRIBUTES); + PtrTokenGroups = (PTOKEN_GROUPS)TokenInformation; + PtrTokenGroups->GroupCount = Token->UserAndGroupCount - 1; + Status = RtlCopySidAndAttributesArray(Token->UserAndGroupCount - 1, + &Token->UserAndGroups[1], + TokenInformationLength, + PtrTokenGroups->Groups, + EndMem, + &UnusedInfo, + ReturnLength); + if (!NT_SUCCESS(Status)) + { + ObDereferenceObject(Token); + return(Status); + } + break; + + case TokenPrivileges: + break; + + case TokenOwner: + ((PTOKEN_OWNER)TokenInformation)->Owner = + (PSID)(((PTOKEN_OWNER)TokenInformation) + 1); + RtlCopySid(TokenInformationLength - sizeof(TOKEN_OWNER), + ((PTOKEN_OWNER)TokenInformation)->Owner, + Token->UserAndGroups[Token->DefaultOwnerIndex].Sid); + break; + + case TokenPrimaryGroup: + ((PTOKEN_PRIMARY_GROUP)TokenInformation)->PrimaryGroup = + (PSID)(((PTOKEN_PRIMARY_GROUP)TokenInformation) + 1); + RtlCopySid(TokenInformationLength - sizeof(TOKEN_OWNER), + ((PTOKEN_PRIMARY_GROUP)TokenInformation)->PrimaryGroup, + Token->PrimaryGroup); + break; + + case TokenDefaultDacl: + PtrDefaultDacl = (PTOKEN_DEFAULT_DACL)TokenInformation; + PtrDefaultDacl->DefaultDacl = (PACL)(PtrDefaultDacl + 1); + memmove(PtrDefaultDacl->DefaultDacl, + Token->DefaultDacl, + Token->DefaultDacl->AclSize); + break; + + case TokenSource: + memcpy(TokenInformation, &Token->TokenSource, sizeof(TOKEN_SOURCE)); + break; + + case TokenType: + *((PTOKEN_TYPE)TokenInformation) = Token->TokenType; + break; + + case TokenImpersonationLevel: + *((PSECURITY_IMPERSONATION_LEVEL)TokenInformation) = + Token->ImpersonationLevel; + break; + + case TokenStatistics: + PtrTokenStatistics = (PTOKEN_STATISTICS)TokenInformation; + PtrTokenStatistics->TokenId = Token->TokenId; + PtrTokenStatistics->AuthenticationId = Token->AuthenticationId; + PtrTokenStatistics->ExpirationTime = Token->ExpirationTime; + PtrTokenStatistics->TokenType = Token->TokenType; + PtrTokenStatistics->ImpersonationLevel = Token->ImpersonationLevel; + PtrTokenStatistics->DynamicCharged = Token->DynamicCharged; + PtrTokenStatistics->DynamicAvailable = Token->DynamicAvailable; + PtrTokenStatistics->GroupCount = Token->UserAndGroupCount - 1; + PtrTokenStatistics->PrivilegeCount = Token->PrivilegeCount; + PtrTokenStatistics->ModifiedId = Token->ModifiedId; + break; + } + ObDereferenceObject(Token); return(STATUS_SUCCESS); } @@ -102,6 +228,29 @@ NtDuplicateToken ( UNIMPLEMENTED; } +NTSTATUS STDCALL NtAdjustGroupsToken(IN HANDLE TokenHandle, + IN BOOLEAN ResetToDefault, + IN PTOKEN_GROUPS NewState, + IN ULONG BufferLength, + OUT PTOKEN_GROUPS PreviousState OPTIONAL, + OUT PULONG ReturnLength) +{ + UNIMPLEMENTED; +} + + +NTSTATUS +STDCALL +NtAdjustPrivilegesToken(IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN PTOKEN_PRIVILEGES NewState, + IN ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState, + OUT PULONG ReturnLength) +{ + UNIMPLEMENTED; +} + NTSTATUS STDCALL NtCreateToken(OUT PHANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, @@ -116,7 +265,25 @@ NTSTATUS STDCALL NtCreateToken(OUT PHANDLE TokenHandle, IN PTOKEN_DEFAULT_DACL TokenDefaultDacl, IN PTOKEN_SOURCE TokenSource) { - UNIMPLEMENTED; +#if 0 + PACCESS_TOKEN AccessToken; + NTSTATUS Status; + + Status = ObCreateObject(TokenHandle, + DesiredAccess, + ObjectAttributes, + SeTokenType); + if (!NT_SUCCESS(Status)) + { + return(Status); + } + + AccessToken->TokenType = TokenType; + RtlCopyLuid(&AccessToken->AuthenticationId, AuthenticationId); + AccessToken->ExpirationTime = *ExpirationTime; + AccessToken-> +#endif + UNIMPLEMENTED; }