Commit graph

82008 commits

Author SHA1 Message Date
George Bișoc
55c117c4c9
[NTOS:SE] Deny access to the caller if access is not allowed by the object
There are two fundamental problems when it comes to access checks in ReactOS. First, the internal function SepAccessCheck which is the heart and brain of the whole access checks logic of the kernel warrants access to the calling thread of a process to an object even though access could not be given.

This can potentially leave security issues as we literally leave objects to be touched indiscriminately by anyone regardless of their ACEs in the DACL of a security descriptor. Second, the current access check code doesn't take into account the fact that an access token can have restricted SIDs. In such scenario we must perform additional access checks by iterating over the restricted SIDs of the primary token by comparing the SID equality and see if the group can be granted certain rights based on the ACE policy that represents the same SID.

Part of SepAccessCheck's code logic will be split for a separate private kernel routine, SepAnalyzeAcesFromDacl. The reasons for this are primarily two -- such code is subject to grow eventually as we'll support different type ACEs and handle them accordingly -- and we avoid further code duplicates. On Windows Server 2003 there are 5 different type of ACEs that are supported for access checks:

- ACCESS_DENIED_ACE_TYPE (supported by ReactOS)
- ACCESS_ALLOWED_ACE_TYPE (supported by ReactOS)
- ACCESS_DENIED_OBJECT_ACE_TYPE
- ACCESS_ALLOWED_OBJECT_ACE_TYPE
- ACCESS_ALLOWED_COMPOUND_ACE_TYPE

This gives the opportunity for us to have a semi serious kernel where security of objects are are taken into account, rather than giving access to everyone.

CORE-9174
CORE-9175
CORE-9184
CORE-14520
2022-05-06 10:09:53 +02:00
George Bișoc
f48191b4b5
[NTOS:SE] Enable support for principal and restricted SIDs
SepSidInTokenEx function already provides the necessary mechanism to handle scenario where a token has restricted SIDs or a principal SID is given to the call. There's no reason to have these redundant ASSERTs anymore.

In addition to that make sure if the SID is not a restricted and if that SID is the first element on the array and it's enabled, this is the primary user.
2022-05-06 10:09:53 +02:00
George Bișoc
bac67a65f2
[NTOS:SE] Implement SepGetSidFromAce
This function will be used to retrieve a security identifier from a valid access control entry in the kernel. Mostly and exclusively used within access checks related code and such.
2022-05-06 10:09:53 +02:00
George Bișoc
c93bf84747
[NTOS:SE] Add SepGetSidFromAce prototype & Niscellaneous Stuff 2022-05-06 10:09:52 +02:00
George Bișoc
bcf0aebb13
[XDK] Move security object related structures to appropriate place
ACCESS_ALLOWED_OBJECT_ACE and ACCESS_DENIED_OBJECT_ACE structures must be in the XDK section of SDK as these will be used in the future in the security subsystem of the kernel.
2022-05-06 10:09:52 +02:00
George Bișoc
9101a5dc6d
[NTOSKRNL] Add security access check rights pool tag 2022-05-06 10:09:52 +02:00
George Bișoc
f559f63063
[SERVICES] Assign a World identity authority for Everyone SID, not Null authority
The current code allocates memory and initializes the Everyone "World" security identifier but with a Null authority identifier. This is utterly wrong on so many levels, more so partly because a Null authority identifier is 0 so after the Everyone SID is initialized, it is actually initialized as S-1-0-0 instead of S-1-1-0.
2022-05-06 10:09:52 +02:00
George Bișoc
f340524ea4
[SERVICES] Grant ReactOS Setup component SYSTEM access
ReactOS Setup is an integral component that is part of the operating system responsible for the installation of ROS during 2nd installation stage. The situation with current master branch is like this -- the Services component always tries to create the process
on behalf of the logged in user with its own security context. That user doesn't have the privileges and access rights like SYSTEM thus the Services component tries to create the process but it fails to do so because of lacking of required access right, TOKEN_DUPLICATE, in order for the calling thread to impersonate as self.
2022-05-06 10:09:51 +02:00
George Bișoc
cd1070dfc4
[UMPNPMGR] Create a security descriptor for PnP installation device event 2022-05-06 10:09:51 +02:00
George Bișoc
fd25e2dc64
[POWRPROF] Create a security descriptor for power management semaphore 2022-05-06 10:09:51 +02:00
George Bișoc
56a2c0fec4
[RPCRT4] Set up a security descriptor for RPC named pipes
rpcrt4_create_pipe_security function will be held in charge to set up security descriptors specific for each named pipe upon creation in rpcrt4_conn_create_pipe. The descriptor is then freed after the pipe is no longer needed.
2022-05-06 10:09:51 +02:00
George Bișoc
eccae203e0
[DHCPCSVC] Set up a security descriptor for DHCP named pipe 2022-05-06 10:09:50 +02:00
George Bișoc
d862fa6fc8
[ADVAPI32] Implement security descriptor management in CreateProcessAsUserCommon internal function
Currently CreateProcessAsUserCommon doesn't set a default descriptor for the newly duplicated token object for the new process nor it sets any security information for both the process and thread. This is wrong, because when the process is created on behalf of the user's security context,
it still uses the previous security information of the creator that initially gave birth to the process. CreateDefaultProcessSecurityCommon function will serve as a placeholder until CreatePrivateObjectSecurity is implemented.
2022-05-06 10:09:50 +02:00
George Bișoc
e90e918039
[ADVAPI32] Soft rewrite of CreateProcessAsUserCommon
Refactor the function in such a way that it can jump to a single exit but most importantly, implement a "rinse and repeat" mechanism where we assign a primary token to process by disabling impersonation first and retry with impersonation later.

More info can be found in the documention within the code.
2022-05-06 10:09:50 +02:00
George Bișoc
bf40c7a310
[KERNEL32] Let KERNEL32 assign security to NLS section names
Currently Kernel32 doesn't make any server call to Basesrv in order to create NLS section names, instead it's Kernel32 itself that handles the job of NLS section names. With that said, let Kernel32 assign a security descriptor to NLS section names. See the FIXME comment on code for further dtails
2022-05-06 10:09:49 +02:00
George Bișoc
5696e4ba4d
[KERNEL32][BASESRV] Implement NLS section security
Implement code that deals with the security side of NLS, more specifically, create two security descriptors for NLS directory and NLS section names and let the server use such code.
2022-05-06 10:09:49 +02:00
George Bișoc
2092dc06bb
[WINLOGON][HACK] Allow network services access to default window station
HHHHHHHHHHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCKKKKKKKKKKKKKKKKKK!!!

There are two problems concerning with network services. First, a window station should be created for every network service process that gets started although this doesn't happen. Instead, network services like RPCSS and DNS service host process (svchost.exe) attempt to access the default window station (Winsta0).
This is because the access token of these two network service processes have an authentication ID that is uniquely generated. This is incorrect, because NetworkService is a special account with its own designed authentication ID for it. As a matter of fact, no window station is created for a network service and as such
both RPCSS and DNS svchost.exe attempt to access Winsta0 which they cannot.

The second problem, albeit not quite relevant to the first one but still worth mentioning nevertheless, is that network services have an access token that is primary which it should be an impersonation token. These problems all come from LSASS as LSA infrastructure is responsible for creating access tokens with security
context for objects.

For the moment being, add a hack on Winlogon that gives allow access to the default window station to network services. When LSASS and involved components are fixed, this hack must be removed.
2022-05-06 10:09:49 +02:00
George Bișoc
f96c39f6b0
[WINLOGON] Refactor the security management part
Refactor the security related code of Winlogon and move it to its own dedicated place, security.c. This includes code for preparation of security descriptors for window station and desktop objects when their created, helper functions which give allow access to such objects for the logged in user and whatnot.

==== DO NOTE ====
Currently new desktop security assignment fails because for whatever reason the system thinks the application desktop has no prior security even though a descriptor has been created for it before. See the FIXME comment on code for information.
2022-05-06 10:09:49 +02:00
George Bișoc
65a72fb527
[USER32] Capture the security descriptor from the caller when creating a window station
When creating a window station with CreateWindowStationW, the function ignores the security descriptor provided by the caller and instead it uses whatever descriptor the system can find.
2022-05-06 10:09:48 +02:00
George Bișoc
878c2f4444
[WIN32K:NTUSER] Implement security infrastructure for NTUSER component
Implement a base security infrastructure with code that sets up a security descriptor for the service that we're going to connect through it. Such service is based upon a desktop and a window station.

=== DOCUMENTATION REMARKS ===
The authenticated user, represented by an access token that describes its security context, is the main holder and has ultimate power against the default created desktop and window station objects in USER. The authenticated user in question
is the actual logged in user, this is the case when the server is impersonating a client. Administrators on the other hand have some share of power against default desktop but their power in question is extremely limited against the default
window station as admins can only just enumerate the available and valid handle stations within a desktop.
2022-05-06 10:09:48 +02:00
George Bișoc
bee9b2fcc6
[LSASRV] Set up a security descriptor for the token object
LSASS implements a default ACL inside the token structure field but it doesn't actually set a protective security descriptor for the token object itself. This happens so that the kernel gets whatever default ACLs it finds for the object which is incorrect.

SYSTEM has full and supreme control over tokens, administrators can only read the token as such. The logged in user of their own token has full access. Credits and courtesy goes to Thomas Faber for the patch.
2022-05-06 10:09:36 +02:00
Doug Lyons
de6c514c3e
[WIN32SS] Fix CF_DIB format not being saved to clipboard on Print Screen key (#3265)
Use pool to allocate (potentially huge) clipboard data buffers.
CORE-17318
2022-05-05 17:54:15 +02:00
Doug Lyons
cc0e2a3672
[SHELL32] Fix Shift-Delete to Permanently Delete Files and Folders (#4004)
CORE-17802
2022-05-05 17:30:06 +02:00
William Kent
212cbb6fff
[CABMAN] Make cabman exit with non-zero exit code if argument parsing fails (#4022)
Co-authored-by: Serge Gautherie <32623169+SergeGautherie@users.noreply.github.com>
2022-05-05 17:21:54 +02:00
William Kent
0ebad9f3c5
[TXT2NLS] Use delete[] to deallocate new[] output (#4022)
Per AppleClang 13.0 warning.
2022-05-05 17:21:54 +02:00
Thomas Csovcsity
860d3544af
[SHELL32] Folders: Adjust column sequence in details view (#4279)
Adjust column sequence in folder view to match WinXP and Win2k3 order.
CORE-11846
2022-05-05 17:05:18 +02:00
Serge Gautherie
beefb07d18
[BROWSEUI] Remove useless variable and unreachable code (#4483)
Addendum to 0c47416 (r72003).
CORE-12804

Co-authored-by: Victor Martinez Calvo <vicmarcal@gmail.com>
2022-05-05 16:45:56 +02:00
Raymond Czerny
e0b9d6d9cd
[SHELL32] CPrinterFolder: Validate string pointers properly. (#4486)
CORE-18174

Check string pointers before determining the length of strings.
2022-05-05 16:24:38 +02:00
Katayama Hirofumi MZ
056bb94edc
[NTUSER] NtUserBuildHwndList should return NTSTATUS (#4487)
A follow-up to #4485 (c2a51c7). CORE-18173
2022-05-05 22:53:15 +09:00
Katayama Hirofumi MZ
c2a51c7249
[NTUSER][USER32] Make NtUserBuildHwndList exclusive (#4485)
- Modify prototype of NtUserBuildHwndList function.
- Wrap the code by UserEnterExclusive(); and UserLeave();.
CORE-18173
2022-05-05 08:49:00 +09:00
Katayama Hirofumi MZ
bbc9a877cc [NTUSER] Add Win: comments to window.c
CORE-18173
2022-05-04 15:40:46 +09:00
Serge Gautherie
03422451b3 [REACTOS] Add '\n' to debug logs
on TRACE, WARN, FIXME and ERR calls.

Plus a few nit picks.
2022-05-04 03:28:38 +03:00
Vincent Franchomme
079131faca [DOC] Update 3rd Party Files (#4417) 2022-05-03 17:30:11 +02:00
Vincent Franchomme
6e0cf03d92 [BTRFS][UBTRFS][SHELLBTRFS] Upgrade to 1.8.0 (#4417)
v1.8 (2022-03-12):

- Added minimal support for fs-verity
- ~~Added test suite~~ Not in ReactOS
- Fixed incorrect disk usage statistics
- Fixed potential crashes when renaming stream to file or file to stream
- Fixed potential crashes when querying hard links on file
- Fixed potential hang when opening oplocked file
- Fixed minor issues also uncovered by test suite
2022-05-03 17:30:11 +02:00
Vincent Franchomme
f5556fdc10 [BTRFS][UBTRFS][SHELLBTRFS] Upgrade to 1.7.9 (#4417)
v1.7.9 (2021-10-02):

- Fixed deadlock when mounting on Windows 11
- Added support for BitLocker-encrypted volumes
- Improved filename checks when renaming or creating hard links
- Miscellaneous bug fixes
2022-05-03 17:30:11 +02:00
Vincent Franchomme
08d1009892 [PSDK][BOOTMGR] Import NTSTATUS definitions of BitLocker (#4417) 2022-05-03 17:30:11 +02:00
Vincent Franchomme
3cfd8ab775 [BTRFS][UBTRFS][SHELLBTRFS] Upgrade to 1.7.8 (#4417)
v1.7.8.1 (2021-06-13):

- Fixed bug preventing new directories from appearing in listings
- Fixed Release version of driver still not working on XP

v1.7.8 (2021-06-09):

- ~~Upgraded zstd to version 1.5.0~~ Not in ReactOS as it introduces deprecated code
- Fixed regression stopping driver from working under XP
- Fixed compilation on clang
- Fixed corruption issue when Linux mount option inode_cache had been used
- Fixed recursion issue involving virtual directory \$Root
2022-05-03 17:30:11 +02:00
Vincent Franchomme
98654b54b4 [BTRFS][UBTRFS][SHELLBTRFS] Upgrade to 1.7.7 (#4417)
v1.7.7 (2021-04-12):

- Fixed deadlock on high load
- Fixed free space issue when installing Genshin Impact
- Fixed issue when copying files with wildcards in command prompt
- Increased speed of directory lookups
2022-05-03 17:30:11 +02:00
Vincent Franchomme
c982533ea9 [BTRFS][UBTRFS][SHELLBTRFS] Upgrade to 1.7.6 (#4417)
v1.7.6 (2021-01-14):

- Fixed race condition when booting with Quibble
- No longer need to restart Windows after initial installation
- Forced maximum file name to 255 UTF-8 characters, to match Linux driver
- Fixed issue where directories could be created with trailing backslash
- Fixed potential deadlock when Windows calls NtCreateSection during flush
- Miscellaneous bug fixes
2022-05-03 17:30:11 +02:00
Vincent Franchomme
b826992ab2 [BTRFS][UBTRFS][SHELLBTRFS] Upgrade to 1.7.5 (#4417)
v1.7.5 (2020-10-31):

- Fixed text display issue in shell extension
- Added support for mingw 8
- Fixed LXSS permissions not working in new versions of Windows
- Fixed issue where truncating an inline file wouldn't change its size
- Fixed crash with Quibble where driver would try to use AVX2 before Windows had enabled it
2022-05-03 17:30:11 +02:00
Vincent Franchomme
0604273535 [BTRFS][UBTRFS][SHELLBTRFS] Upgrade to 1.7.4 (#4417)
v1.7.4 (2020-08-23):

- Fixed issue when running compressed EXEs
- Changed build system to cmake
- Upgraded zstd to version 1.4.5
- Added support for FSCTL_GET_RETRIEVAL_POINTERS
- Miscellaneous bug fixes
2022-05-03 17:30:11 +02:00
Vincent Franchomme
174dfab667 [BTRFS][UBTRFS][SHELLBTRFS] Upgrade to 1.7.3 (#4417)
v1.7.3 (2020-05-24):

- Fixed crash when sending file change notifications
- Improved symlink handling with LXSS
- Added support for undocumented flag SL_IGNORE_READONLY_ATTRIBUTE
- Fixed corruption caused by edge case, where address allocated and freed in same flush
- Improved handling of free space tree
- Improved handling of very full volumes
- Fixed spurious warnings raised by GCC 10 static analyser
- Replaced multiplications and divisions with bit shift operations where appropriate
- Fixed combobox stylings in shell extension
2022-05-03 17:30:11 +02:00
Hermès Bélusca-Maïto
7ba5f703d2
[BROWSEUI_APITEST] Addendum to 7e22dc05. 2022-05-03 17:29:39 +02:00
Serge Gautherie
7e22dc05ca
[BROWSEUI][BROWSEUI_APITEST] SHExplorerParseCmdLine(): Sync and improve (#3231)
ROSTESTS-302

- SHCreateFromDesktop(): Sync declaration and spec.
- SHExplorerParseCmdLine(): Sync declaration, header and spec.
- SHExplorerParseCmdLine: Enforce 'UINT_PTR' return type.
Addendum to e39876d and 0f8439a.

- SHExplorerParseCmdLine: Replace '*EXPLORER_INFO'
- SHExplorerParseCmdLine: Fix x64 support; Fix some results.
2022-05-03 16:32:14 +02:00
Olaf Schmerse
25019525f8
[NEWDEV] Stop update driver wizard from changing device class (#4480)
CORE-18166

The update driver wizard should not change the device class by default,
especially when there is already a class set. This is the case when the
wizard gets called from the device manager.
2022-05-03 16:13:37 +02:00
Sahil Shahane
3e6b2972a9
[DISKPART] Fixed Volume Number & Label Issue (#4471)
CORE-18138

- Made Volume label to output only 11 characters at max.
- Made Volume numbering left-padded.
2022-05-03 16:06:02 +02:00
Raymond Czerny
1461ca403f
[SHELL32] Show system control applet in taskbar (#4437)
Display the control panel applet in the taskbar to allow better navigation between programs.
CORE-18137

This is proceeded by manipulating the window of the current instance of 'rundll32.exe':
- Set title text
- Set icon
- Show window (minimal)
- Engaging the corresponding button in the Taskbar.
2022-05-03 16:02:58 +02:00
Victor Martinez Calvo
b57be0a746
[GDI32] Fix GetObjectW() GDI_OBJECT_TYPE_BRUSH handling. (#4394)
This fixes the last GetObjectW apitest case:
ok_long(GetObjectA(hBrush, 0, &TestStruct), 0);

- When "cbSize" is "0", GetObjectW shouldn't return "sizeof(LOGBRUSH)" but 0.
- Rely in BRUSH::cjGetObject behavior which returns 0 when cjSize is 0.

Co-authored-by: Víctor Martínez Calvo <victormartinez@alub.io>
2022-05-03 16:00:21 +02:00
Russell Johnson
3e2df36561
[SHELL32] Add multiple status bar parts to the file browser (#4401)
The file browser now has a status bar like Windows Server 2003 does.
This includes the sizes of the files, as well as the location.
In certain folders (Network, Desktop, etc.) the status bar is hidden.

Currently it does not handle this in the same way as Windows Shell does,
however it's a good first step to make it work properly.

CORE-17603

Signed-off-by: Russell Johnson <russell.johnson@superdark.net>
Reviewed-by: Katayama Hirofumi MZ <katayama.hirofumi.mz@gmail.com>
Reviewed-by: Mark Jansen <mark.jansen@reactos.org>
Reviewed-by: Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org>	
Reviewed-by: Giannis Adamopoulos <gadamopoulos@reactos.org>	
Reviewed-by: Stanislav Motylkov <x86corez@gmail.com>
2022-05-03 16:52:23 +03:00
Katayama Hirofumi MZ
2ef605d428
[NTUSER] Fix UserDestroyInputContet (again and again) (#4482)
Add call of UserMarkObjectDestroy.
Fix hung-up. CORE-11700
2022-05-03 10:17:30 +09:00