Intravision/reactos
1
0
Fork 0
mirror of https://github.com/reactos/reactos.git synced 2025-04-21 20:50:29 +00:00
Code Issues Projects Releases Packages Wiki Activity

[NTOS:SE] Grant the SYSTEM process the missing privileges

Browse source 
- Add the missing privileges to the SYSTEM privileges which might be needed,
notably SeUndockPrivilege, SeManageVolumePrivilege, SeCreateGlobalPrivilege and
SeImpersonatePrivilege.

Specifically SeImpersonatePrivilege is important here because with it we
allow system components of the core OS to perform certain system tasks.

- Declare the Groups array with a maximum of 3 elements in SepCreateSystemProcessToken
and 1 element in SepCreateSystemAnonymousLogonToken respectively, because previously
this array was oversized with most of free space left as a waste.

- Avoid hardcoding the size value of the Privilege array, instead initialize it
by hand and compute the exact number of elements with RTL_NUMBER_OF.
This commit is contained in:
George Bișoc 2023-06-06 18:07:39 +02:00
parent d8bfe2a261
commit f483e42f89
No known key found for this signature in database
GPG key ID: 688C4FBE25D7DEF6
1 changed files with 44 additions and 79 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

123
ntoskrnl/se/token.c
View file

@ -3,7 +3,7 @@
* LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later) * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
* PURPOSE: Security access token implementation base support routines * PURPOSE: Security access token implementation base support routines
* COPYRIGHT: Copyright David Welch <welch@cwcom.net> * COPYRIGHT: Copyright David Welch <welch@cwcom.net>
* Copyright 2021-2022 George Bișoc <george.bisoc@reactos.org> * Copyright 2021-2023 George Bișoc <george.bisoc@reactos.org>
*/ */
/* INCLUDES *******************************************************************/ /* INCLUDES *******************************************************************/
@ -1752,16 +1752,13 @@ PTOKEN
NTAPI NTAPI
SepCreateSystemProcessToken(VOID) SepCreateSystemProcessToken(VOID)
{ {
LUID_AND_ATTRIBUTES Privileges[25];
ULONG GroupAttributes, OwnerAttributes; ULONG GroupAttributes, OwnerAttributes;
SID_AND_ATTRIBUTES Groups[32];
LARGE_INTEGER Expiration; LARGE_INTEGER Expiration;
SID_AND_ATTRIBUTES UserSid; SID_AND_ATTRIBUTES UserSid;
ULONG GroupsLength; ULONG GroupsLength;
PSID PrimaryGroup; PSID PrimaryGroup;
OBJECT_ATTRIBUTES ObjectAttributes; OBJECT_ATTRIBUTES ObjectAttributes;
PSID Owner; PSID Owner;
ULONG i;
PTOKEN Token; PTOKEN Token;
NTSTATUS Status; NTSTATUS Status;
@ -1783,80 +1780,46 @@ SepCreateSystemProcessToken(VOID)
Owner = SeAliasAdminsSid; Owner = SeAliasAdminsSid;
/* Groups are Administrators, World, and Authenticated Users */ /* Groups are Administrators, World, and Authenticated Users */
Groups[0].Sid = SeAliasAdminsSid; SID_AND_ATTRIBUTES Groups[] =
Groups[0].Attributes = OwnerAttributes; {
Groups[1].Sid = SeWorldSid; {SeAliasAdminsSid, OwnerAttributes},
Groups[1].Attributes = GroupAttributes; {SeWorldSid, GroupAttributes},
Groups[2].Sid = SeAuthenticatedUsersSid; {SeAuthenticatedUsersSid, GroupAttributes}
Groups[2].Attributes = GroupAttributes; };
GroupsLength = sizeof(SID_AND_ATTRIBUTES) + GroupsLength = sizeof(SID_AND_ATTRIBUTES) +
SeLengthSid(Groups[0].Sid) + SeLengthSid(Groups[0].Sid) +
SeLengthSid(Groups[1].Sid) + SeLengthSid(Groups[1].Sid) +
SeLengthSid(Groups[2].Sid); SeLengthSid(Groups[2].Sid);
ASSERT(GroupsLength <= sizeof(Groups)); ASSERT(GroupsLength <= (sizeof(Groups) * sizeof(ULONG)));
/* Setup the privileges */ /* Setup the privileges */
i = 0; LUID_AND_ATTRIBUTES Privileges[] =
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED; {
Privileges[i++].Luid = SeTcbPrivilege; {SeTcbPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
{SeCreateTokenPrivilege, 0},
Privileges[i].Attributes = 0; {SeTakeOwnershipPrivilege, 0},
Privileges[i++].Luid = SeCreateTokenPrivilege; {SeCreatePagefilePrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
{SeLockMemoryPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
Privileges[i].Attributes = 0; {SeAssignPrimaryTokenPrivilege, 0},
Privileges[i++].Luid = SeTakeOwnershipPrivilege; {SeIncreaseQuotaPrivilege, 0},
{SeIncreaseBasePriorityPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED; {SeCreatePermanentPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
Privileges[i++].Luid = SeCreatePagefilePrivilege; {SeDebugPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
{SeAuditPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED; {SeSecurityPrivilege, 0},
Privileges[i++].Luid = SeLockMemoryPrivilege; {SeSystemEnvironmentPrivilege, 0},
{SeChangeNotifyPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
Privileges[i].Attributes = 0; {SeBackupPrivilege, 0},
Privileges[i++].Luid = SeAssignPrimaryTokenPrivilege; {SeRestorePrivilege, 0},
{SeShutdownPrivilege, 0},
Privileges[i].Attributes = 0; {SeLoadDriverPrivilege, 0},
Privileges[i++].Luid = SeIncreaseQuotaPrivilege; {SeProfileSingleProcessPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
{SeSystemtimePrivilege, 0},
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED; {SeUndockPrivilege, 0},
Privileges[i++].Luid = SeIncreaseBasePriorityPrivilege; {SeManageVolumePrivilege, 0},
{SeImpersonatePrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED; {SeCreateGlobalPrivilege, SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED},
Privileges[i++].Luid = SeCreatePermanentPrivilege; };
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
Privileges[i++].Luid = SeDebugPrivilege;
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
Privileges[i++].Luid = SeAuditPrivilege;
Privileges[i].Attributes = 0;
Privileges[i++].Luid = SeSecurityPrivilege;
Privileges[i].Attributes = 0;
Privileges[i++].Luid = SeSystemEnvironmentPrivilege;
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
Privileges[i++].Luid = SeChangeNotifyPrivilege;
Privileges[i].Attributes = 0;
Privileges[i++].Luid = SeBackupPrivilege;
Privileges[i].Attributes = 0;
Privileges[i++].Luid = SeRestorePrivilege;
Privileges[i].Attributes = 0;
Privileges[i++].Luid = SeShutdownPrivilege;
Privileges[i].Attributes = 0;
Privileges[i++].Luid = SeLoadDriverPrivilege;
Privileges[i].Attributes = SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_ENABLED;
Privileges[i++].Luid = SeProfileSingleProcessPrivilege;
Privileges[i].Attributes = 0;
Privileges[i++].Luid = SeSystemtimePrivilege;
ASSERT(i == 20);
/* Setup the object attributes */ /* Setup the object attributes */
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
@ -1872,10 +1835,10 @@ SepCreateSystemProcessToken(VOID)
&SeSystemAuthenticationId, &SeSystemAuthenticationId,
&Expiration, &Expiration,
&UserSid, &UserSid,
3, RTL_NUMBER_OF(Groups),
Groups, Groups,
GroupsLength, GroupsLength,
20, RTL_NUMBER_OF(Privileges),
Privileges, Privileges,
Owner, Owner,
PrimaryGroup, PrimaryGroup,
@ -1902,7 +1865,7 @@ CODE_SEG("INIT")
PTOKEN PTOKEN
SepCreateSystemAnonymousLogonToken(VOID) SepCreateSystemAnonymousLogonToken(VOID)
{ {
SID_AND_ATTRIBUTES Groups[32], UserSid; SID_AND_ATTRIBUTES UserSid;
PSID PrimaryGroup; PSID PrimaryGroup;
PTOKEN Token; PTOKEN Token;
ULONG GroupsLength; ULONG GroupsLength;
@ -1921,11 +1884,13 @@ SepCreateSystemAnonymousLogonToken(VOID)
PrimaryGroup = SeAnonymousLogonSid; PrimaryGroup = SeAnonymousLogonSid;
/* The only group for the token is the World */ /* The only group for the token is the World */
Groups[0].Sid = SeWorldSid; SID_AND_ATTRIBUTES Groups[] =
Groups[0].Attributes = SE_GROUP_ENABLED | SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT; {
{SeWorldSid, SE_GROUP_ENABLED | SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT}
};
GroupsLength = sizeof(SID_AND_ATTRIBUTES) + GroupsLength = sizeof(SID_AND_ATTRIBUTES) +
SeLengthSid(Groups[0].Sid); SeLengthSid(Groups[0].Sid);
ASSERT(GroupsLength <= sizeof(Groups)); ASSERT(GroupsLength <= (sizeof(Groups) * sizeof(ULONG)));
/* Initialise the object attributes for the token */ /* Initialise the object attributes for the token */
InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL); InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
@ -1941,7 +1906,7 @@ SepCreateSystemAnonymousLogonToken(VOID)
&SeAnonymousAuthenticationId, &SeAnonymousAuthenticationId,
&Expiration, &Expiration,
&UserSid, &UserSid,
1, RTL_NUMBER_OF(Groups),
Groups, Groups,
GroupsLength, GroupsLength,
0, 0,