137 commits

Author SHA1 Message Date
Colin Finck c2c66aff7d Git conversion: Make reactos the root directory, move rosapps, rostests, wallpapers into modules, and delete rossubsys. 2017-10-03 07:45:34 +00:00
Eric Kohl 58e9053fbc [NTOSKRNL]
- Initialize SepRmDbLock and create the system and anonymous logon sessions in Phase 0, right before the system process token is created.
- Implement functions to reference and dereference a logon session.
- Reference a logon session in SepCreateToken and SepDuplicateToken.
- Dereference a logon session in SepDeleteToken.

svn path=/trunk/; revision=69735
2015-10-29 22:50:14 +00:00
Timo Kreuzer 5ebaa3c3dd [NTOSKRNL]
- Implement SeCheckAuditPrivilege and use it instead of SeSinglePrivilegeCheck, because the latter uses the effective token and we want the primary token
- Implement SePrivilegedServiceAuditAlarm
- Add and initialize missing SeLocalServiceSid and SeNetworkServiceSid

svn path=/trunk/; revision=62245
2014-02-18 17:51:45 +00:00
Timo Kreuzer c01564fe18 [NTOSKRNL]
- Halfplement SeReportSecurityEvent, stub SeSetAuditParameter and enable both exports, which are SP1!

svn path=/trunk/; revision=62207
2014-02-16 09:08:22 +00:00
Timo Kreuzer c135323120 [NTOSKRNL]
Move access check code out of semgr.c into accesschk.c, no code change.

svn path=/trunk/; revision=62035
2014-02-08 14:48:15 +00:00
Timo Kreuzer 8b8043e5bf [NTOSKRNL]
- Implement NtPrivilegedServiceAuditAlarm, the internal function SepAdtPrivilegedServiceAuditAlarm is not implemented yet.
- Stubplement SepAccessCheckAndAuditAlarm and make NtAccessCheckAndAuditAlarm, NtAccessCheckByTypeAndAuditAlarm, NtAccessCheckByTypeResultListAndAuditAlarm and NtAccessCheckByTypeResultListAndAuditAlarmByHandle (love that name) wrappers around it.

svn path=/trunk/; revision=61753
2014-01-22 16:29:26 +00:00
Eric Kohl 40ff0c70f0 [NTOSKRNL]
- Create the Security directory and the LSA_AUTHENTICATION_INITIALIZED event in SepInitializationPhase1().
- Get rid of SeInitSRM().

svn path=/trunk/; revision=61102
2013-11-26 15:27:48 +00:00
Hermès Bélusca-Maïto 645b7d2b00 [REACTOS]
Fix TOO MANY !! :(((( "initialize" misspellings.

Note1: One remains in subsystems/csr/csrsrv/init.c, but will be corrected in my future csrss branch merging.
Note2: In ntoskrnl/se/semgr.c, one tries to create the "LSA_AUTHENTICATION_INITALIZED" event. This is ROS-SPECIFIC !!!! In the sense that it doesn't exist on Windows. Instead, the "LSA_AUTHENTICATION_INITIALIZED" exists. Correct that fact.

svn path=/trunk/; revision=58679
2013-04-04 20:11:17 +00:00
Pierre Schweitzer e6f8602d9d [NTOSKRNL]
Implement SeFastTraverseCheck().
For more information, see:
- http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx
- http://msdn.microsoft.com/en-us/library/windows/desktop/aa446683(v=vs.85).aspx

svn path=/trunk/; revision=58230
2013-01-26 19:33:54 +00:00
Alex Ionescu 17fd92fc7b [NTOSKRNL]: Use the token lock acquire/release macros that were already written instead of manually doing it. Also fix the macros since they didn't work in GCC.
No functional change, just code cleanup.

svn path=/trunk/; revision=57284
2012-09-12 16:29:28 +00:00
Alex Ionescu fd222f669a [NTOSKRNL]: Small refactoring and optimizations to some Se routines, mainly generalizations for Restricted Token support once someone implements it. Also start using the token lock when necessary. Add comments when missing. Nothing terribly exciting...
[NTOSKRNL]: As a side effect, implement SeCreateClientSecurityFromSubjectContext and SeGetTokenControlInformation, although most of the code was already there.
[NTOSKRNL]: One useful change, SE_GROUP_USE_FOR_DENY_ONLY (Deny Only Groups) are now handled correctly.

svn path=/trunk/; revision=57261
2012-09-10 08:15:43 +00:00
Alex Ionescu 82a8352b60 [NTOSKRNL]: Fix two NtAccess function prototypes (NO-OP, not implemented/used)
[NTOSKRNL]: Add missing call to ObValidateAccessMask (NO-OP, always returns TRUE).

svn path=/trunk/; revision=57256
2012-09-09 16:59:23 +00:00
Thomas Faber 4b9b72182c [NTOSKRNL]
- Export SeTokenObjectType

svn path=/trunk/; revision=56376
2012-04-21 06:35:45 +00:00
Alex Ionescu e96c88b49b [NTOSKRNL]: Fix the zombie fix. Should fix toolhelp tests.
[NTOSKRNL]: If you're going to fake success when doing access checks, also grant the rights that would normally be refused, for consistency's sake. Should fix a bunch of the kernel32:synch tests (which have nothing to do with synch...).

svn path=/trunk/; revision=55737
2012-02-20 07:30:26 +00:00
Sir Richard 85e5b5be56 [NTOS]: Mark all initialization functions INIT_FUNCTION.
[NTOS]: This will save ~280KB of RAM once we dump INIT from RAM in a future patch.
[NTOS]: Display current free RAM at certain checkpoints.

svn path=/trunk/; revision=49445
2010-11-02 16:29:06 +00:00
Eric Kohl f0910f33d3 [FORMATTING]
No code changes.

svn path=/trunk/; revision=47383
2010-05-28 16:28:27 +00:00
Eric Kohl c1a9403d49 Enable old access check code until the bug that keeps the device installer from working has been fixed.
svn path=/trunk/; revision=46811
2010-04-10 11:44:57 +00:00
Eric Kohl 2af6abad95 [NTOSKRNL]
Ignore inherit only ACEs in a DACL.

svn path=/trunk/; revision=46714
2010-04-04 12:34:53 +00:00
Eric Kohl 2b4f3854dd [NTOSKRNL]
- Check access rights according to the DACL. Granted rights are removed from the remaining rights variable.
- Return success only if there are no more remaining rights. Return failure otherwise.
- Remove outdated code.

svn path=/trunk/; revision=46703
2010-04-03 21:21:52 +00:00
Eric Kohl d384dbd46a [NTOSKRNL]
- Implement the calculation of access rights for the MAXIMUM_ALLOWED case.

svn path=/trunk/; revision=46695
2010-04-03 10:52:17 +00:00
Eric Kohl 74e30b9093 [NTOSKRNL]
- Add the check for ACCESS_SYSTEM_SECURITY.
- Keep the desired access rights that have not been granted yet in the variable RemainingAccess.
- Handle the MAXIMUM_ALLOWED case if the DACL is empty.

svn path=/trunk/; revision=46689
2010-04-02 17:46:24 +00:00
Eric Kohl 249d39c17a [NTOSKRNL]
- Check the SeTakeOwnership privilege only if WRITE_OWNER access is desired.
- Move the check for token ownership from SepAccessCheck because this check grants access rights rather than checking them.

svn path=/trunk/; revision=46683
2010-04-02 15:13:24 +00:00
Eric Kohl baeb295134 [NTOSKRNL]
SepAccessCheck: Deny access if the DACL is empty (but not NULL).

svn path=/trunk/; revision=46629
2010-03-31 21:02:38 +00:00
Eric Kohl abf91accdb [NTOSKRNL]
- Move subject context locking to SeAccessCheck because NtAccessCheck already locks it.
- Do not use the captured security descriptor in NtAccessCheck yet, because SeCaptureSecurityDescriptor seems to create broken SDs.

svn path=/trunk/; revision=46626
2010-03-31 19:53:19 +00:00
Eric Kohl d69c4c5248 [NTOSKRNL]
- Capture the security descriptor before passing it to SepAccessCheck.
- Move the security descriptor check and the impersonation level check from SepAccessCheck to SeAccessCheck.

svn path=/trunk/; revision=46605
2010-03-30 20:16:26 +00:00
Eric Kohl e3949430d7 [NTOSKRNL]
- Move kernel-mode check around, so we won't run it twice when calling NtAccessCheck.
- Fix a wrong check for security descriptors with a NULL-DACL.

svn path=/trunk/; revision=46602
2010-03-30 17:01:23 +00:00
Eric Kohl 2ce28dacb7 [NTOSKRNL]
NtAccessCheck: Check for a valid security descriptor.

svn path=/trunk/; revision=46491
2010-03-27 16:54:02 +00:00
Eric Kohl 0a82f829ed [NTOSKRNL]
NtAccessCheck:
- Fix returned status if the token is not an impersonation token.
- Add a check for the token impersonation level.

svn path=/trunk/; revision=46347
2010-03-23 00:16:14 +00:00
Eric Kohl 1b3286b8e0 [NTOSKRNL]
NtAccessCheck
- Probe parameters.
- Fail if generic access rights have not been mapped.

svn path=/trunk/; revision=46297
2010-03-21 14:10:50 +00:00
Sir Richard 6b007be4cd [NTOS]: While attempting to resuscitate the user-mode shutdown code in CSRSS (disabled since 2006), it seemed clear that one of the main steps is to obtain the caller's LUID in order to kill the right processes. This LUID is obtained from the current thread's token, and we know it's the caller's since we're supposed to impersonate the caller. Unfortunately, impersonation failed, making the whole process fail.
Impersonation failed because NtImpersonateThread was actually inverting the THREAD_IMPERSONATE rights, asking the client thread for the server's permissions, and vice versa. Fixing this resulted in yet another failure.
        Analysis of this failure showed that even opening the server (ie: current) thread for THREAD_DIRECT_IMPERSONATION failed, which is unusual since the current thread should have access to all its rights. This is determined in PspCreateThread when the ETHREAD->GrantedAccess field is set.
        Continuing onto this path, tracing revealed that GrantedAccess was merely 0x1607F and not 0x1F3FF as expected, meaning that not all rights were given, including the impersonate right (0x200), explaining the failure, but not the deeper reason behind it.
        Attempting to identify which code path set this GrantedAccess, the SepAccessCheck routine came to light. A bug there caused MAXIMUM_ALLOWED accesses to fail in certain scenarios, such as when the object had no security descriptor, because MAXIMUM_ALLOWED would be granted as an absolute value, when instead it is a flag that should grant GENERIC_ALL. Fixing that bug, the failure continued.
        Further analysis identified that the Administrators SID was being found with GENERIC_READ + WRITE + EXECUTE access, and no SID was found for GENERIC_ALL access. This happened when searching the system token's default DACL, which is assigned to the kernel (but for kernel-mode callers, this check was skipped), smss, winlogon, etc.
        The code for creating this system token was heavily hacked, so the function to create the system token, as well as NtCreateToken were refactored to use a common piece of token-creating code. Furthermore, the system token was correctly created with Local System as the user, and Administrators as one of the groups. Finally, SeDefaultDacl was used (already set up properly) instead of a badly configured Default DACL. The new shared code also correctly sets the SE_GROUP_ENABLED flag on all SE_GROUP_MANDATORY groups, and scans tokens to set the TOKEN_HAS_ADMIN_GROUP and TOKEN_HAS_TRAVERSE_PRIVILEGE flags which were not previously set.
        With the correct system token and default DACL, the Local System SID was now found, but the failure continued. This was revealed to be due to an even deeper rooted problem, as the SepIsSidInToken routine checked for SE_GROUP_ENABLED before listing a SID as "present". Although this is correct for actual groups, the User SID will never have the SE_GROUP_ENABLED flag as it is not a group. This caused any granted access ACE belonging to a user (instead of a group) to be ignored, causing either access check failures, or limited rights returned (in the MAXIMUM_ALLOWED case).
        Upon fixing this bug, the NtImpersonateThread call finally returned success, since the rights were now correct. Promptly upon calling NtOpenThreadToken to query the LUID however, the system ASSERTED with FALSE.
        The code at fault was a line in NtOpenThreadTokenEx which forcefully ASSERTed if the impersonation code path was taken, presumably because this was never tested, and ReactOS would actually always fail impersonation attempts due to the bugs fixed above. This routine was thus quickly reworked to fix some mistakes (such as forgetting to actually impersonate the client, incorrect referencing/dereferencing of thread/tokens, and assumptions about DACL creation success).
        Having fixed the NtOpenThreadTokenEx routine, the LUID query now went through for the impersonated token, but soon causing a user-mode crash, due to an incorrect parameter reference in the CsrGetProcessLuid function in the csrsrv code by Alex (which I copy/pasted to reduce code duplication).
        Fixing this final bug finally allowed the correct LUID to be queried and I was able to continue development of not-yet-committed user-mode shutdown code.

svn path=/trunk/; revision=46028
2010-03-09 10:35:58 +00:00
Aleksey Bragin 88e41959e1 [ntoskrnl/se]
- Add a hack which prints an annoying message and grants access when it should not be. Callers/bugs should be fixed and this commit reverted after that.
See issue #4169 for more details.

svn path=/trunk/; revision=44348
2009-12-01 21:26:40 +00:00
Aleksey Bragin 78b292be2c [ntoskrnl/se]
- Factor out working code from SeAccessCheck into SepAccessCheck, taking out additional parameter - LowerImpersonationLevel. The lowest level for SeAccessCheck remains SecurityImpersonation, but for NtAccessCheck it's lowered to SecurityIdentification. Name of this patch's author has been lost.
See issue #4169 for more details.

svn path=/trunk/; revision=44260
2009-11-21 17:58:33 +00:00
Dmitry Chapyshev 8954edb33c - Add missed checks of memory allocation failures
svn path=/trunk/; revision=42980
2009-09-02 13:02:30 +00:00
Dmitry Gorbachev ff37974bba Remove a hack from NtAccessCheck(). Bug #4169.
svn path=/trunk/; revision=41610
2009-06-25 13:29:58 +00:00
Dmitry Gorbachev 8101b8e12f Hack: partially undo r38510 changes to overcome regression (bug #4169).
svn path=/trunk/; revision=41603
2009-06-24 22:23:29 +00:00
Stefan Ginsberg fbd7681b84 - Cleanup AccessCheck, and set the correct last error in the case where the check succeeds but access is denied
- Cleanup NtAccessCheck, properly set desired access when previous mode is kernel, remove a duplicate check that is performed in SeAccessCheck, and don't fail with STATUS_ACCESS_DENIED when the check succeeds but denies access -- the result of the access check is returned in the 'AccessStatus' parameter

svn path=/trunk/; revision=38510
2009-01-02 17:39:45 +00:00
Aleksey Bragin 2794dbc70a - Impersonation level should be indeed higher than the lowest one. Fix the check accordingly. Spotted by Dmitry Gorbachev and GCC.
See issue #3939 for more details.

svn path=/trunk/; revision=37998
2008-12-10 15:24:55 +00:00
Dmitry Gorbachev 32580ec32a Silence GCC warnings.
svn path=/trunk/; revision=37919
2008-12-07 21:52:22 +00:00
Stefan Ginsberg 165bfe865b - STDCALL -> NTAPI
svn path=/trunk/; revision=37745
2008-11-29 20:47:48 +00:00
Stefan Ginsberg 4353142bc2 - Rename SeInit to SeInitSystem
svn path=/trunk/; revision=35413
2008-08-17 18:34:37 +00:00
Aleksey Bragin 9dc0da2dea - Reformat Se code and put functions to more appropriate locations.
svn path=/trunk/; revision=33129
2008-04-23 20:38:37 +00:00
Aleksey Bragin 89484a110d The default object security method should not directly call Se* routines on the Security Descriptors, since they belong to the object manager security descriptor cache, and they need to be referenced and dereferenced in order to make sure they don't disappear from beneath the caller.
Additionally, the code for the "Set" operation should actually go in SeSetSecurityDescriptorInfo API, which was unimplemented. By simply copying the code over, this API is now implemented, and the routine works as expected.
Also, the default method was not handling "delete" requests, but was ignoring them, resulting in memory leaks and never-dereferenced descriptors.
Thanks to Alex for finding these bugs. Alex also says SeSetSecurityDescriptorInfo should call the Rtl package (RtlSetObjectSecurity) but we don't implement those functions yet.

svn path=/trunk/; revision=32799
2008-03-31 20:07:02 +00:00
Aleksey Bragin 379a429aa9 - Remove autoupdated "$Id:" lines from the kernel source code.
svn path=/trunk/; revision=32623
2008-03-09 14:11:42 +00:00
Aleksey Bragin fffed3ea73 - SeSet/QuerySecurityAccessMask() should initialize DesiredAccess to 0 (inspired by 30154).
svn path=/trunk/; revision=30170
2007-11-05 12:58:03 +00:00
Art Yerkes 4c33a58449 Mask values that control inheritability of the handle, and don't affect access.
svn path=/trunk/; revision=28973
2007-09-09 12:21:22 +00:00
Hervé Poussineau 478a0d960b ReactOS now supports ACLs... (fix SeAccessCheck to sometimes deny access)
svn path=/trunk/; revision=27409
2007-07-05 17:01:02 +00:00
Hervé Poussineau 55f2798900 Replace tabs by spaces. No code change
svn path=/trunk/; revision=27366
2007-07-02 22:39:11 +00:00
Alex Ionescu 71e781df12 - Fix NPX check in context switcher.
- Fix ObLogSecurityDescriptor.
- Fix some missing features in SeAccessCheck.

svn path=/trunk/; revision=26140
2007-03-19 19:05:39 +00:00
Hervé Poussineau b0385e2a41 Fix SeAccessCheck to perform correct checks.
When returning STATUS_ACCESS_DENIED when required (currently disabled), ReactOS boots up to login screen on 3rd boot.
Now, we just need to fix callers.

svn path=/trunk/; revision=26130
2007-03-18 12:47:27 +00:00
Alex Ionescu bdc7f65b2d - Rename KiSetSystemTime to KeSetSystemTime and enhance prototype for later use.
- Create Phase 1 initialization for the SRM (SeInitSystem). Right now it inserts the system boot token into object manager, which is something we forgot to do before.
- Renamed ExPhase2Init to Phase1Initialization, since it's not Phase 2.
- Updated Phase 1 PS Initialization to get the KeLoaderBlock pointer and use it as a context parameter when calling Phase1Initialization.
- Split off Phase1Initialization into Phase1InitializationDiscard, which is the bulk of the phase 1 code (99% of it) and can be put in an .INIT section to be freed after boot.
- Modify parts of the Inbv setup code. Also implement support for /SOS, and try to mimic its behaviour on NT (not fully achieved). You will need /SOS to see boot messages on the screen! FreeLDR now adds this by default to the "Debug" configuration.
- Temporarily disable ReactOS Banner during boot. We will get this data from the .mc/.res file in a later patch instead of hard-coding it.
- Optimize calling and usage of ExpLoadInitialProcess.
- Add support for Y2K bug fix documented for Windows NT (/YEAR).
- Add support to detect WinPE/MiniNT/ReactOS Live CD.
- Add temporary debugging code to MmInit2 and some Mm functions to detect if these functions are being used too early, which could result in catastrophic to subtle bugs.
- Add more bugchecks when failures occur, and enhance others. Also add more codes to ntoskrnl.mc.
- Disable calls to ObfDereferenceDeviceMap since it's not yet implemented.

svn path=/trunk/; revision=25624
2007-01-25 01:13:09 +00:00