mirror of
https://github.com/reactos/reactos.git
[LSALIB][SECURE32][LSASRV] Improve the check for trusted/untrusted callers
- A caller of LsaRegisterLogonProcess is a trusted caller if the calling process holds the Tcb privilege; otherwise it is an untrusted caller.
- A caller of LsaConnectUntrusted is always an untrusted caller.
- A caller of LsapOpenLsaPort is always a trusted caller.
parent
2d4c0b87b1
commit
ae7e375a4d
4 changed files with 27 additions and 6 deletions
|
@ -135,10 +135,24 @@ LsapCheckLogonProcess(PLSA_API_MSG RequestMsg,
|
|||
TRACE("New LogonContext: %p\n", Context);
|
||||
|
||||
Context->ClientProcessHandle = ProcessHandle;
|
||||
Context->TrustedCaller = RequestMsg->ConnectInfo.TrustedCaller;
|
||||
|
||||
if (Context->TrustedCaller)
|
||||
Context->TrustedCaller = LsapIsTrustedClient(ProcessHandle);
|
||||
switch (RequestMsg->ConnectInfo.TrustedCaller)
|
||||
{
|
||||
case NO:
|
||||
Context->TrustedCaller = FALSE;
|
||||
break;
|
||||
|
||||
case YES:
|
||||
Context->TrustedCaller = TRUE;
|
||||
break;
|
||||
|
||||
case CHECK:
|
||||
default:
|
||||
Context->TrustedCaller = LsapIsTrustedClient(ProcessHandle);
|
||||
break;
|
||||
}
|
||||
|
||||
TRACE("TrustedCaller: %u\n", Context->TrustedCaller);
|
||||
|
||||
*LogonContext = Context;
|
||||
|
||||
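Review bot: In the `case YES:` branch the server sets `Context->TrustedCaller = TRUE` solely from the value the client placed in `RequestMsg->ConnectInfo.TrustedCaller`, so the caller makes its own trust decision. The lines this switch appears to replace ran `LsapIsTrustedClient(ProcessHandle)` whenever the client claimed to be trusted. Unless access to the port is restricted somewhere outside this hunk, any client whose connection info carries `YES`, as `LsapOpenLsaPort` now sends (`ConnectInfo.TrustedCaller = YES`), would be recorded as trusted without a privilege check. I would let YES share the verified path, `case YES: case CHECK: default: Context->TrustedCaller = LsapIsTrustedClient(ProcessHandle); break;`, or derive the LsapOpenLsaPort case from something the server can establish itself. The body of LsapCheckLogonProcess starts and ends outside the hunk.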
|
|
|
@ -74,7 +74,7 @@ LsapOpenLsaPort(VOID)
|
|||
sizeof(ConnectInfo));
|
||||
|
||||
ConnectInfo.CreateContext = FALSE;
|
||||
ConnectInfo.TrustedCaller = TRUE;
|
||||
ConnectInfo.TrustedCaller = YES;
|
||||
|
||||
ConnectInfoLength = sizeof(LSA_CONNECTION_INFO);
|
||||
Status = NtConnectPort(&LsaPortHandle,
|
||||
|
@ -175,7 +175,7 @@ LsaConnectUntrusted(
|
|||
ConnectInfoLength);
|
||||
|
||||
ConnectInfo.CreateContext = TRUE;
|
||||
ConnectInfo.TrustedCaller = FALSE;
|
||||
ConnectInfo.TrustedCaller = NO;
|
||||
|
||||
Status = NtConnectPort(LsaHandle,
|
||||
&PortName,
|
||||
|
|
|
@ -27,6 +27,12 @@ typedef enum _LSA_API_NUMBER
|
|||
LSASS_REQUEST_MAXIMUM
|
||||
} LSA_API_NUMBER, *PLSA_API_NUMBER;
|
||||
|
||||
typedef enum _LSA_TRUSTED_CALLER
|
||||
{
|
||||
NO,
|
||||
YES,
|
||||
CHECK
|
||||
} LSA_TRUSTED_CALLER;
|
||||
|
||||
typedef struct _LSA_CONNECTION_INFO
|
||||
{
|
||||
|
@ -35,7 +41,7 @@ typedef struct _LSA_CONNECTION_INFO
|
|||
ULONG Length;
|
||||
CHAR LogonProcessNameBuffer[LSASS_MAX_LOGON_PROCESS_NAME_LENGTH + 1];
|
||||
BOOL CreateContext;
|
||||
BOOL TrustedCaller;
|
||||
LSA_TRUSTED_CALLER TrustedCaller;
|
||||
} LSA_CONNECTION_INFO, *PLSA_CONNECTION_INFO;
|
||||
|
||||
|
||||
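Review bot: The enumerators `NO`, `YES` and `CHECK` are added without a comment and without a prefix, in a header that both the client libraries and the server include, where such short names can collide with other identifiers or macros. A comment above the enum, for example `/* Trust level the client states in LSA_CONNECTION_INFO: NO = untrusted, YES = trusted, CHECK = server verifies the Tcb privilege */`, would record that the value arrives from the client side of the port. Writing `NO = 0` explicitly would also document that a zero-filled structure means untrusted. `TrustedCaller` changes from `BOOL` to this enum in the second hunk, so client and server must be built from the same header; the LSA_CONNECTION_INFO definition is only partly visible in these hunks.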
|
|
|
@ -317,6 +317,7 @@ LsaRegisterLogonProcess(IN PLSA_STRING LogonProcessName,
|
|||
ConnectInfo.Length = LogonProcessName->Length;
|
||||
ConnectInfo.LogonProcessNameBuffer[ConnectInfo.Length] = ANSI_NULL;
|
||||
ConnectInfo.CreateContext = TRUE;
|
||||
ConnectInfo.TrustedCaller = CHECK;
|
||||
|
||||
Status = ZwConnectPort(LsaHandle,
|
||||
&PortName,
|
||||
|
|