mirror of
https://github.com/reactos/reactos.git
synced 2024-12-27 09:34:43 +00:00
[LSALIB][SECURE32][LSASRV] Improve the check for trusted/untrusted callers
- A caller of LsaRegisterLogonProcess is a trusted caller if the calling process has the Tcb privilege; otherwise it is an untrusted caller.
- A caller of LsaConnectUntrusted is always an untrusted caller.
- A caller of LsapOpenLsaPort is always a trusted caller.
parent
2d4c0b87b1
commit
ae7e375a4d
4 changed files with 27 additions and 6 deletions
|
@ -135,10 +135,24 @@ LsapCheckLogonProcess(PLSA_API_MSG RequestMsg,
|
||||||
TRACE("New LogonContext: %p\n", Context);
|
TRACE("New LogonContext: %p\n", Context);
|
||||||
|
|
||||||
Context->ClientProcessHandle = ProcessHandle;
|
Context->ClientProcessHandle = ProcessHandle;
|
||||||
Context->TrustedCaller = RequestMsg->ConnectInfo.TrustedCaller;
|
|
||||||
|
|
||||||
if (Context->TrustedCaller)
|
switch (RequestMsg->ConnectInfo.TrustedCaller)
|
||||||
Context->TrustedCaller = LsapIsTrustedClient(ProcessHandle);
|
{
|
||||||
|
case NO:
|
||||||
|
Context->TrustedCaller = FALSE;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case YES:
|
||||||
|
Context->TrustedCaller = TRUE;
|
||||||
|
break;
|
||||||
|
|
||||||
|
case CHECK:
|
||||||
|
default:
|
||||||
|
Context->TrustedCaller = LsapIsTrustedClient(ProcessHandle);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
TRACE("TrustedCaller: %u\n", Context->TrustedCaller);
|
||||||
|
|
||||||
*LogonContext = Context;
|
*LogonContext = Context;
|
||||||
|
|
||||||
|
|
|
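Review bot: The `case YES:` arm of the new switch sets `Context->TrustedCaller = TRUE` straight from `RequestMsg->ConnectInfo.TrustedCaller`, a field filled in by the connecting client, so the server accepts the caller's own claim of trust. The replaced `if (Context->TrustedCaller)` line appears to have run `LsapIsTrustedClient(ProcessHandle)` whenever the client claimed trust, and that check is now skipped for YES. The LsapOpenLsaPort hunk sends `ConnectInfo.TrustedCaller = YES`, but nothing visible here lets the server tell that path apart from any other process sending the same value. Unless access to the port is restricted elsewhere, keep the verification on this arm, e.g. `case YES: Context->TrustedCaller = LsapIsTrustedClient(ProcessHandle); break;`, or add a comment explaining why an unverified YES is safe. LsapCheckLogonProcess begins and ends outside the hunk.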
@ -74,7 +74,7 @@ LsapOpenLsaPort(VOID)
|
||||||
sizeof(ConnectInfo));
|
sizeof(ConnectInfo));
|
||||||
|
|
||||||
ConnectInfo.CreateContext = FALSE;
|
ConnectInfo.CreateContext = FALSE;
|
||||||
ConnectInfo.TrustedCaller = TRUE;
|
ConnectInfo.TrustedCaller = YES;
|
||||||
|
|
||||||
ConnectInfoLength = sizeof(LSA_CONNECTION_INFO);
|
ConnectInfoLength = sizeof(LSA_CONNECTION_INFO);
|
||||||
Status = NtConnectPort(&LsaPortHandle,
|
Status = NtConnectPort(&LsaPortHandle,
|
||||||
|
@ -175,7 +175,7 @@ LsaConnectUntrusted(
|
||||||
ConnectInfoLength);
|
ConnectInfoLength);
|
||||||
|
|
||||||
ConnectInfo.CreateContext = TRUE;
|
ConnectInfo.CreateContext = TRUE;
|
||||||
ConnectInfo.TrustedCaller = FALSE;
|
ConnectInfo.TrustedCaller = NO;
|
||||||
|
|
||||||
Status = NtConnectPort(LsaHandle,
|
Status = NtConnectPort(LsaHandle,
|
||||||
&PortName,
|
&PortName,
|
||||||
|
|
|
@ -27,6 +27,12 @@ typedef enum _LSA_API_NUMBER
|
||||||
LSASS_REQUEST_MAXIMUM
|
LSASS_REQUEST_MAXIMUM
|
||||||
} LSA_API_NUMBER, *PLSA_API_NUMBER;
|
} LSA_API_NUMBER, *PLSA_API_NUMBER;
|
||||||
|
|
||||||
|
typedef enum _LSA_TRUSTED_CALLER
|
||||||
|
{
|
||||||
|
NO,
|
||||||
|
YES,
|
||||||
|
CHECK
|
||||||
|
} LSA_TRUSTED_CALLER;
|
||||||
|
|
||||||
typedef struct _LSA_CONNECTION_INFO
|
typedef struct _LSA_CONNECTION_INFO
|
||||||
{
|
{
|
||||||
|
@ -35,7 +41,7 @@ typedef struct _LSA_CONNECTION_INFO
|
||||||
ULONG Length;
|
ULONG Length;
|
||||||
CHAR LogonProcessNameBuffer[LSASS_MAX_LOGON_PROCESS_NAME_LENGTH + 1];
|
CHAR LogonProcessNameBuffer[LSASS_MAX_LOGON_PROCESS_NAME_LENGTH + 1];
|
||||||
BOOL CreateContext;
|
BOOL CreateContext;
|
||||||
BOOL TrustedCaller;
|
LSA_TRUSTED_CALLER TrustedCaller;
|
||||||
} LSA_CONNECTION_INFO, *PLSA_CONNECTION_INFO;
|
} LSA_CONNECTION_INFO, *PLSA_CONNECTION_INFO;
|
||||||
|
|
||||||
|
|
||||||
|
|
|
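Review bot: The enumerators `NO`, `YES` and `CHECK` are unprefixed names in a header shared by client and server, so they can collide with macros or enumerators of the same name in any file that includes it. Names carrying the type's prefix would avoid that, for example `LsaTrustedCallerNo`, `LsaTrustedCallerYes` and `LsaTrustedCallerCheck` (suggested names, not existing ones). The enum also has no comment; I would add `/* Trust level requested by the client in LSA_CONNECTION_INFO; not proof of privilege */` above it. Because `TrustedCaller` changes from `BOOL` to this enum in a structure that crosses the port, the server should keep treating unknown values as CHECK, which the `default:` arm in the LsapCheckLogonProcess hunk does.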
@ -317,6 +317,7 @@ LsaRegisterLogonProcess(IN PLSA_STRING LogonProcessName,
|
||||||
ConnectInfo.Length = LogonProcessName->Length;
|
ConnectInfo.Length = LogonProcessName->Length;
|
||||||
ConnectInfo.LogonProcessNameBuffer[ConnectInfo.Length] = ANSI_NULL;
|
ConnectInfo.LogonProcessNameBuffer[ConnectInfo.Length] = ANSI_NULL;
|
||||||
ConnectInfo.CreateContext = TRUE;
|
ConnectInfo.CreateContext = TRUE;
|
||||||
|
ConnectInfo.TrustedCaller = CHECK;
|
||||||
|
|
||||||
Status = ZwConnectPort(LsaHandle,
|
Status = ZwConnectPort(LsaHandle,
|
||||||
&PortName,
|
&PortName,
|
||||||
|
|