windows-nt/Source/XPSP1/NT/base/ntos/se/token.c

3992 lines
103 KiB
C
Raw Normal View History

2020-09-26 03:20:57 -05:00
/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
token.c
Abstract:
This module implements the initialization, open, duplicate and other
services of the executive token object.
Author:
Jim Kelly (JimK) 5-April-1990
Environment:
Kernel mode only.
Revision History:
v15: robertre
updated ACL_REVISION
--*/
#include "pch.h"
#pragma hdrstop
BOOLEAN
SepComparePrivilegeAndAttributeArrays(
IN PLUID_AND_ATTRIBUTES PrivilegeArray1,
IN ULONG Count1,
IN PLUID_AND_ATTRIBUTES PrivilegeArray2,
IN ULONG Count2
);
BOOLEAN
SepCompareSidAndAttributeArrays(
IN PSID_AND_ATTRIBUTES SidArray1,
IN ULONG Count1,
IN PSID_AND_ATTRIBUTES SidArray2,
IN ULONG Count2
);
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE,SeTokenType)
#pragma alloc_text(PAGE,SeTokenIsAdmin)
#pragma alloc_text(PAGE,SeTokenIsRestricted)
#pragma alloc_text(PAGE,SeTokenImpersonationLevel)
#pragma alloc_text(PAGE,SeAssignPrimaryToken)
#pragma alloc_text(PAGE,SeDeassignPrimaryToken)
#pragma alloc_text(PAGE,SeExchangePrimaryToken)
#pragma alloc_text(PAGE,SeGetTokenControlInformation)
#pragma alloc_text(INIT,SeMakeSystemToken)
#pragma alloc_text(INIT,SeMakeAnonymousToken)
#pragma alloc_text(INIT,SeMakeAnonymousLogonToken)
#pragma alloc_text(PAGE,SeSubProcessToken)
#pragma alloc_text(INIT,SepTokenInitialization)
#pragma alloc_text(PAGE,NtCreateToken)
#pragma alloc_text(PAGE,SepTokenDeleteMethod)
#pragma alloc_text(PAGE,SepCreateToken)
#pragma alloc_text(PAGE,SepIdAssignableAsOwner)
#pragma alloc_text(PAGE,SeIsChildToken)
#pragma alloc_text(PAGE,SeIsChildTokenByPointer)
#pragma alloc_text(PAGE,NtImpersonateAnonymousToken)
#pragma alloc_text(PAGE,NtCompareTokens)
#pragma alloc_text(PAGE,SepComparePrivilegeAndAttributeArrays)
#pragma alloc_text(PAGE,SepCompareSidAndAttributeArrays)
#pragma alloc_text(PAGE,SeAddSaclToProcess)
#endif
////////////////////////////////////////////////////////////////////////
// //
// Global Variables //
// //
////////////////////////////////////////////////////////////////////////
//
// Generic mapping of access types
//
#ifdef ALLOC_DATA_PRAGMA
#pragma data_seg("PAGEDATA")
#pragma const_seg("INITCONST")
#endif
const GENERIC_MAPPING SepTokenMapping = { TOKEN_READ,
TOKEN_WRITE,
TOKEN_EXECUTE,
TOKEN_ALL_ACCESS
};
//
// Address of token object type descriptor.
//
POBJECT_TYPE SeTokenObjectType = NULL;
//
// Used to track whether or not a system token has been created or not.
//
#if DBG
BOOLEAN SystemTokenCreated = FALSE;
#endif //DBG
//
// Used to control the active token diagnostic support provided
//
#ifdef TOKEN_DIAGNOSTICS_ENABLED
ULONG TokenGlobalFlag = 0;
#endif // TOKEN_DIAGNOSTICS_ENABLED
////////////////////////////////////////////////////////////////////////
// //
// Token Object Routines & Methods //
// //
////////////////////////////////////////////////////////////////////////
TOKEN_TYPE
SeTokenType(
IN PACCESS_TOKEN Token
)
/*++
Routine Description:
This function returns the type of an instance of a token (TokenPrimary,
or TokenImpersonation).
Arguments:
Token - Points to the token whose type is to be returned.
Return Value:
The token's type.
--*/
{
PAGED_CODE();
return (((PTOKEN)Token)->TokenType);
}
NTKERNELAPI
BOOLEAN
SeTokenIsAdmin(
IN PACCESS_TOKEN Token
)
/*++
Routine Description:
Returns if the token is a member of the local admin group.
Arguments:
Token - Points to the token.
Return Value:
TRUE - Token contains the local admin group
FALSE - no admin.
--*/
{
PAGED_CODE();
return ((((PTOKEN)Token)->TokenFlags & TOKEN_HAS_ADMIN_GROUP) != 0 );
}
NTKERNELAPI
BOOLEAN
SeTokenIsRestricted(
IN PACCESS_TOKEN Token
)
/*++
Routine Description:
Returns if the token is a restricted token.
Arguments:
Token - Points to the token.
Return Value:
TRUE - Token contains restricted sids
FALSE - no admin.
--*/
{
PAGED_CODE();
return ((((PTOKEN)Token)->TokenFlags & TOKEN_IS_RESTRICTED) != 0 );
}
SECURITY_IMPERSONATION_LEVEL
SeTokenImpersonationLevel(
IN PACCESS_TOKEN Token
)
/*++
Routine Description:
This function returns the impersonation level of a token. The token
is assumed to be a TokenImpersonation type token.
Arguments:
Token - Points to the token whose impersonation level is to be returned.
Return Value:
The token's impersonation level.
--*/
{
PAGED_CODE();
return ((PTOKEN)Token)->ImpersonationLevel;
}
BOOLEAN
SepCheckTokenForCoreSystemSids(
IN PACCESS_TOKEN Token
)
/*++
Routine Description:
Perform an access-check against SepImportantProcessSd to
determine if the passed token has at least one of the sids present
in the ACEs of SepImportantProcessSd.
Arguments:
Token - a token
Return Value:
TRUE if Token has at least one of the required SIDs,
FALSE otherwise
Notes:
--*/
{
ACCESS_MASK GrantedAccess = 0;
NTSTATUS AccessStatus = STATUS_ACCESS_DENIED;
PAGED_CODE();
(void) SepAccessCheck(
SepImportantProcessSd,
NULL,
Token,
NULL,
SEP_QUERY_MEMBERSHIP,
NULL,
0,
&GenericMappingForMembershipCheck,
0,
KernelMode,
&GrantedAccess,
NULL,
&AccessStatus,
0,
NULL,
NULL
);
return AccessStatus == STATUS_SUCCESS;
}
VOID
SeAddSaclToProcess(
IN PEPROCESS Process,
IN PACCESS_TOKEN Token,
IN PVOID Reserved
)
/*++
Routine Description:
If 'Token' has at least one of the sids present in the ACEs
of SepImportantProcessSd, add a SACL to the security descriptor
of 'Process' as defined by SepProcessAuditSd.
Arguments:
Process - process to add SACL to
Token - token to examine
Return Value:
None
Notes:
--*/
{
NTSTATUS Status;
SECURITY_INFORMATION SecurityInformationSacl = SACL_SECURITY_INFORMATION;
POBJECT_HEADER ObjectHeader;
PAGED_CODE();
// quickly return if this feature is disabled
// (indicated by SeProcessAuditSd == NULL)
//
if ( SepProcessAuditSd == NULL ) {
return;
}
//
// if the token does not have core system sids then return
// without adding SACL.
// (see comment on SepImportantProcessSd in seglobal.c for more info)
//
if (!SepCheckTokenForCoreSystemSids( Token )) {
return;
}
ObjectHeader = OBJECT_TO_OBJECT_HEADER( Process );
//
// add SACL to existing security descriptor on 'Process'
//
Status = ObSetSecurityDescriptorInfo(
Process,
&SecurityInformationSacl,
SepProcessAuditSd,
&ObjectHeader->SecurityDescriptor,
NonPagedPool,
&ObjectHeader->Type->TypeInfo.GenericMapping
);
if (!NT_SUCCESS( Status )) {
//
// STATUS_NO_SECURITY_ON_OBJECT should be returned only once during
// boot when the initial system process is created.
//
if ( Status != STATUS_NO_SECURITY_ON_OBJECT ) {
ASSERT( L"SeAddSaclToProcess: ObSetSecurityDescriptorInfo failed" &&
FALSE );
//
// this will bugcheck if SepCrashOnAuditFail is TRUE
//
SepAuditFailed();
}
}
}
VOID
SeAssignPrimaryToken(
IN PEPROCESS Process,
IN PACCESS_TOKEN Token
)
/*++
Routine Description:
This function establishes a primary token for a process.
Arguments:
Token - Points to the new primary token.
Return Value:
None.
--*/
{
NTSTATUS
Status;
PTOKEN
NewToken = (PTOKEN)Token;
PAGED_CODE();
ASSERT(NewToken->TokenType == TokenPrimary);
ASSERT( !NewToken->TokenInUse );
//
// audit the assignment of a primary token, if requested
//
if (SeDetailedAuditing) {
SepAuditAssignPrimaryToken( Process, Token );
}
//
// If the token being assigned to the child process has
// any one of the following SIDs, then the process
// is considered to be a system process:
// -- SeLocalSystemSid
// -- SeLocalServiceSid
// -- SeNetworkServiceSid
//
// For such a process, add SACL to its security descriptor
// if that option is enabled. If the option is disabled,
// this function returns very quickly.
//
//SeAddSaclToProcess( Process, Token, NULL );
//
// Dereference the old token if there is one.
//
// Processes typically already have a token that must be
// dereferenced. There are two cases where this may not
// be the situation. First, during phase 0 system initialization,
// the initial system process starts out without a token. Second,
// if an error occurs during process creation, we may be cleaning
// up a process that hasn't yet had a primary token assigned.
//
if (!ExFastRefObjectNull (Process->Token)) {
SeDeassignPrimaryToken( Process );
}
ObReferenceObject(NewToken);
NewToken->TokenInUse = TRUE;
ObInitializeFastReference (&Process->Token, Token);
return;
}
VOID
SeDeassignPrimaryToken(
IN PEPROCESS Process
)
/*++
Routine Description:
This function causes a process reference to a token to be
dropped.
Arguments:
Process - Points to the process whose primary token is no longer needed.
This is probably only the case at process deletion or when
a primary token is being replaced.
Return Value:
None.
--*/
{
PTOKEN
OldToken = (PTOKEN) ObFastReplaceObject (&Process->Token, NULL);
PAGED_CODE();
ASSERT(OldToken->TokenType == TokenPrimary);
ASSERT(OldToken->TokenInUse);
OldToken->TokenInUse = FALSE;
ObDereferenceObject( OldToken );
return;
}
NTSTATUS
SeExchangePrimaryToken(
IN PEPROCESS Process,
IN PACCESS_TOKEN NewAccessToken,
OUT PACCESS_TOKEN *OldAccessToken
)
/*++
Routine Description:
This function is used to perform the portions of changing a primary
token that reference the internals of token structures.
The new token is checked to make sure it is not already in use.
The
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!! WARNING WARNING WARNING !!!!!!!!
!!!!!!!! !!!!!!!!
!!!!!!!! THIS ROUTINE MUST BE CALLED WITH THE GOBAL !!!!!!!!
!!!!!!!! PROCESS SECURITY FIELDS LOCK HELD !!!!!!!!
!!!!!!!! !!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Arguments:
Process - Points to the process whose primary token is being exchanged.
NewAccessToken - Points to the process's new primary token.
OldAccessToken - Receives a pointer to the process's current token.
The caller is responsible for dereferencing this token when
it is no longer needed. This can't be done while the process
security locks are held.
Return Value:
STATUS_SUCCESS - Everything has been updated.
STATUS_TOKEN_ALREADY_IN_USE - A primary token can only be used by a
single process. That is, each process must have its own primary
token. The token passed to be assigned as the primary token is
already in use as a primary token.
STATUS_BAD_TOKEN_TYPE - The new token is not a primary token.
--*/
{
NTSTATUS
Status;
PTOKEN
OldToken = (PTOKEN)ExFastRefGetObject (Process->Token);
PTOKEN
NewToken = (PTOKEN)NewAccessToken;
PAGED_CODE();
//
// We need to access the security fields of both tokens.
// Access to these fields is guarded by the global Process Security
// fields lock.
//
ASSERT(OldToken->TokenType == TokenPrimary);
ASSERT(OldToken->TokenInUse);
//
// Make sure the new token is a primary token...
//
if ( NewToken->TokenType != TokenPrimary ) {
return(STATUS_BAD_TOKEN_TYPE);
}
//
// and that it is not already in use...
//
if (NewToken->TokenInUse) {
return(STATUS_TOKEN_ALREADY_IN_USE);
}
//
// Ensure SessionId consistent for hydra
//
NewToken->SessionId = OldToken->SessionId ;
//
// audit the assignment of a primary token, if requested
//
if (SeDetailedAuditing) {
SepAuditAssignPrimaryToken( Process, NewToken );
}
//
// If the token being assigned to this process has
// any one of the following SIDs, then the process
// is considered to be a system process:
// -- SeLocalSystemSid
// -- SeLocalServiceSid
// -- SeNetworkServiceSid
//
// For such a process, add SACL to its security descriptor
// if that option is enabled. If the option is disabled,
// this function returns very quickly.
//
//SeAddSaclToProcess( Process, NewToken, NULL );
//
// Switch the tokens
//
NewToken->TokenInUse = TRUE;
ObReferenceObject(NewToken);
ObFastReplaceObject (&Process->Token, NewAccessToken);
//
// Mark the token as "NOT USED"
//
OldToken->TokenInUse = FALSE;
//
// Return the pointer to the old token. The caller
// is responsible for dereferencing it if they don't need it.
//
(*OldAccessToken) = OldToken;
return (STATUS_SUCCESS);
}
VOID
SeGetTokenControlInformation (
IN PACCESS_TOKEN Token,
OUT PTOKEN_CONTROL TokenControl
)
/*++
Routine Description:
This routine is provided for communication session layers, or
any other executive component that needs to keep track of
whether a caller's security context has changed between calls.
Communication session layers will need to check this, for some
security quality of service modes, to determine whether or not
a server's security context needs to be updated to reflect
changes in the client's security context.
This routine will also be useful to communications subsystems
that need to retrieve client' authentication information from
the local security authority in order to perform a remote
authentication.
Parameters:
Token - Points to the token whose information is to be retrieved.
TokenControl - Points to the buffer to receive the token control
information.
Return Value:
None.
--*/
{
PAGED_CODE();
//
// acquire exclusive access to the token
//
SepAcquireTokenReadLock( (PTOKEN)Token );
//
// Grab the data and run
//
TokenControl->TokenId = ((TOKEN *)Token)->TokenId;
TokenControl->AuthenticationId = ((TOKEN *)Token)->AuthenticationId;
TokenControl->ModifiedId = ((TOKEN *)Token)->ModifiedId;
TokenControl->TokenSource = ((TOKEN *)Token)->TokenSource;
SepReleaseTokenReadLock( (PTOKEN)Token );
return;
}
PACCESS_TOKEN
SeMakeSystemToken ()
/*++
Routine Description:
This routine is provided for use by executive components
DURING SYSTEM INITIALIZATION ONLY. It creates a token for
use by system components.
A system token has the following characteristics:
- It has LOCAL_SYSTEM as its user ID
- It has the following groups with the corresponding
attributes:
ADMINS_ALIAS EnabledByDefault |
Enabled |
Owner
WORLD EnabledByDefault |
Enabled |
Mandatory
ADMINISTRATORS (alias) Owner (disabled)
AUTHENTICATED_USER
EnabledByDefault |
Enabled |
Mandatory
- It has LOCAL_SYSTEM as its primary group.
- It has the privileges shown in comments below.
- It has protection that provides TOKEN_ALL_ACCESS to
the LOCAL_SYSTEM ID.
- It has a default ACL that grants GENERIC_ALL access
to LOCAL_SYSTEM and GENERIC_EXECUTE to WORLD.
Parameters:
None.
Return Value:
Pointer to a system token.
--*/
{
NTSTATUS Status;
PVOID Token;
SID_AND_ATTRIBUTES UserId;
TOKEN_PRIMARY_GROUP PrimaryGroup;
PSID_AND_ATTRIBUTES GroupIds;
ULONG GroupIdsLength;
LUID_AND_ATTRIBUTES Privileges[30];
PACL TokenAcl;
PSID Owner;
ULONG NormalGroupAttributes;
ULONG OwnerGroupAttributes;
ULONG Length;
OBJECT_ATTRIBUTES TokenObjectAttributes;
PSECURITY_DESCRIPTOR TokenSecurityDescriptor;
ULONG BufferLength;
PVOID Buffer;
ULONG_PTR GroupIdsBuffer[128 * sizeof(ULONG) / sizeof(ULONG_PTR)];
TIME_FIELDS TimeFields;
LARGE_INTEGER NoExpiration;
PAGED_CODE();
//
// Make sure only one system token gets created.
//
#if DBG
ASSERT( !SystemTokenCreated );
SystemTokenCreated = TRUE;
#endif //DBG
//
// Set up expiration times
//
TimeFields.Year = 3000;
TimeFields.Month = 1;
TimeFields.Day = 1;
TimeFields.Hour = 1;
TimeFields.Minute = 1;
TimeFields.Second = 1;
TimeFields.Milliseconds = 1;
TimeFields.Weekday = 1;
RtlTimeFieldsToTime( &TimeFields, &NoExpiration );
// //
// // The amount of memory used in the following is gross overkill, but
// // it is freed up immediately after creating the token.
// //
//
// GroupIds = (PSID_AND_ATTRIBUTES)ExAllocatePool( NonPagedPool, 512 );
GroupIds = (PSID_AND_ATTRIBUTES)GroupIdsBuffer;
//
// Set up the attributes to be assigned to groups
//
NormalGroupAttributes = (SE_GROUP_MANDATORY |
SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED
);
OwnerGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED |
SE_GROUP_OWNER
);
//
// Set up the user ID
//
UserId.Sid = SeLocalSystemSid;
UserId.Attributes = 0;
//
// Set up the groups
//
GroupIds->Sid = SeAliasAdminsSid;
(GroupIds+1)->Sid = SeWorldSid;
(GroupIds+2)->Sid = SeAuthenticatedUsersSid;
GroupIds->Attributes = OwnerGroupAttributes;
(GroupIds+1)->Attributes = NormalGroupAttributes;
(GroupIds+2)->Attributes = NormalGroupAttributes;
GroupIdsLength = (ULONG)LongAlignSize(SeLengthSid(GroupIds->Sid)) +
(ULONG)LongAlignSize(SeLengthSid((GroupIds+1)->Sid)) +
(ULONG)LongAlignSize(SeLengthSid((GroupIds+2)->Sid)) +
sizeof(SID_AND_ATTRIBUTES);
ASSERT( GroupIdsLength <= 128 * sizeof(ULONG) );
//
// Privileges
//
//
// The privileges in the system token are as follows:
//
// Privilege Name Attributes
// -------------- ----------
//
// SeTcbPrivilege enabled/enabled by default
// SeCreateTokenPrivilege DISabled/NOT enabled by default
// SeTakeOwnershipPrivilege DISabled/NOT enabled by default
// SeCreatePagefilePrivilege enabled/enabled by default
// SeLockMemoryPrivilege enabled/enabled by default
// SeAssignPrimaryTokenPrivilege DISabled/NOT enabled by default
// SeIncreaseQuotaPrivilege DISabled/NOT enabled by default
// SeIncreaseBasePriorityPrivilege enabled/enabled by default
// SeCreatePermanentPrivilege enabled/enabled by default
// SeDebugPrivilege enabled/enabled by default
// SeAuditPrivilege enabled/enabled by default
// SeSecurityPrivilege DISabled/NOT enabled by default
// SeSystemEnvironmentPrivilege DISabled/NOT enabled by default
// SeChangeNotifyPrivilege enabled/enabled by default
// SeBackupPrivilege DISabled/NOT enabled by default
// SeRestorePrivilege DISabled/NOT enabled by default
// SeShutdownPrivilege DISabled/NOT enabled by default
// SeLoadDriverPrivilege DISabled/NOT enabled by default
// SeProfileSingleProcessPrivilege enabled/enabled by default
// SeSystemtimePrivilege DISabled/NOT enabled by default
// SeUndockPrivilege DISabled/NOT enabled by default
//
// The following privileges are not present, and should never be present in
// the local system token:
//
// SeRemoteShutdownPrivilege no one can come in as local system
// SeSyncAgentPrivilege only users specified by the admin can
// be sync agents
// SeEnableDelegationPrivilege only users specified by the admin can
// enable delegation on accounts.
//
Privileges[0].Luid = SeTcbPrivilege;
Privileges[0].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[1].Luid = SeCreateTokenPrivilege;
Privileges[1].Attributes = 0; // Only the LSA should enable this.
Privileges[2].Luid = SeTakeOwnershipPrivilege;
Privileges[2].Attributes = 0;
Privileges[3].Luid = SeCreatePagefilePrivilege;
Privileges[3].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[4].Luid = SeLockMemoryPrivilege;
Privileges[4].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[5].Luid = SeAssignPrimaryTokenPrivilege;
Privileges[5].Attributes = 0; // disabled, not enabled by default
Privileges[6].Luid = SeIncreaseQuotaPrivilege;
Privileges[6].Attributes = 0; // disabled, not enabled by default
Privileges[7].Luid = SeIncreaseBasePriorityPrivilege;
Privileges[7].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[8].Luid = SeCreatePermanentPrivilege;
Privileges[8].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[9].Luid = SeDebugPrivilege;
Privileges[9].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[10].Luid = SeAuditPrivilege;
Privileges[10].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[11].Luid = SeSecurityPrivilege;
Privileges[11].Attributes = 0; // disabled, not enabled by default
Privileges[12].Luid = SeSystemEnvironmentPrivilege;
Privileges[12].Attributes = 0; // disabled, not enabled by default
Privileges[13].Luid = SeChangeNotifyPrivilege;
Privileges[13].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[14].Luid = SeBackupPrivilege;
Privileges[14].Attributes = 0; // disabled, not enabled by default
Privileges[15].Luid = SeRestorePrivilege;
Privileges[15].Attributes = 0; // disabled, not enabled by default
Privileges[16].Luid = SeShutdownPrivilege;
Privileges[16].Attributes = 0; // disabled, not enabled by default
Privileges[17].Luid = SeLoadDriverPrivilege;
Privileges[17].Attributes = 0; // disabled, not enabled by default
Privileges[18].Luid = SeProfileSingleProcessPrivilege;
Privileges[18].Attributes =
(SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default
SE_PRIVILEGE_ENABLED); // Enabled
Privileges[19].Luid = SeSystemtimePrivilege;
Privileges[19].Attributes = 0; // disabled, not enabled by default
Privileges[20].Luid = SeUndockPrivilege ;
Privileges[20].Attributes = 0 ; // disabled, not enabled by default
Privileges[21].Luid = SeManageVolumePrivilege ;
Privileges[21].Attributes = 0 ; // disabled, not enabled by default
//BEFORE ADDING ANOTHER PRIVILEGE ^^ HERE ^^ CHECK THE ARRAY BOUND
//ALSO INCREMENT THE PRIVILEGE COUNT IN THE SepCreateToken() call
//
// Establish the primary group and default owner
//
PrimaryGroup.PrimaryGroup = SeLocalSystemSid; // Primary group
Owner = SeAliasAdminsSid; // Default owner
//
// Set up an ACL to protect token as well ...
// give system full reign of terror. This includes user-mode components
// running as part of the system.
//
Length = (ULONG)sizeof(ACL) +
((ULONG)sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG)) +
SeLengthSid( SeLocalSystemSid ) ;
TokenAcl = (PACL)ExAllocatePoolWithTag(PagedPool, Length, 'cAeS');
if ( TokenAcl == NULL ) {
return NULL ;
}
Status = RtlCreateAcl( TokenAcl, Length, ACL_REVISION2);
ASSERT( NT_SUCCESS(Status) );
Status = RtlAddAccessAllowedAce (
TokenAcl,
ACL_REVISION2,
TOKEN_ALL_ACCESS,
SeLocalSystemSid
);
ASSERT( NT_SUCCESS(Status) );
TokenSecurityDescriptor =
(PSECURITY_DESCRIPTOR)ExAllocatePoolWithTag(
PagedPool,
sizeof(SECURITY_DESCRIPTOR),
'dSeS'
);
if ( TokenSecurityDescriptor == NULL ) {
ExFreePool( TokenAcl );
return NULL ;
}
Status = RtlCreateSecurityDescriptor(
TokenSecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetDaclSecurityDescriptor (
TokenSecurityDescriptor,
TRUE,
TokenAcl,
FALSE
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetOwnerSecurityDescriptor (
TokenSecurityDescriptor,
SeAliasAdminsSid,
FALSE // Owner defaulted
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetGroupSecurityDescriptor (
TokenSecurityDescriptor,
SeAliasAdminsSid,
FALSE // Group defaulted
);
ASSERT( NT_SUCCESS(Status) );
//
// Create the system token
//
#ifdef TOKEN_DEBUG
////////////////////////////////////////////////////////////////////////////
//
// Debug
DbgPrint("\n Creating system token...\n");
// Debug
//
////////////////////////////////////////////////////////////////////////////
#endif //TOKEN_DEBUG
InitializeObjectAttributes(
&TokenObjectAttributes,
NULL,
0,
NULL,
TokenSecurityDescriptor
);
ASSERT(SeSystemDefaultDacl != NULL);
Status = SepCreateToken(
(PHANDLE)&Token,
KernelMode,
0, // No handle created for system token
&TokenObjectAttributes,
TokenPrimary,
(SECURITY_IMPERSONATION_LEVEL)0,
(PLUID)&SeSystemAuthenticationId,
&NoExpiration,
&UserId,
3, // GroupCount
GroupIds,
GroupIdsLength,
22, // privileges
Privileges,
Owner,
PrimaryGroup.PrimaryGroup,
SeSystemDefaultDacl,
(PTOKEN_SOURCE)&SeSystemTokenSource,
TRUE, // System token
NULL,
NULL
);
ASSERT(NT_SUCCESS(Status));
//
// We can free the old one now.
//
ExFreePool( TokenAcl );
ExFreePool( TokenSecurityDescriptor );
return (PACCESS_TOKEN)Token;
}
PACCESS_TOKEN
SeMakeAnonymousLogonTokenNoEveryone (
VOID
)
/*++
Routine Description:
This routine is provided for use by executive components
DURING SYSTEM INITIALIZATION ONLY. It creates a token for
use by system components.
A system token has the following characteristics:
- It has ANONYMOUS_LOGON as its user ID
- It has no privileges
- It has protection that provides TOKEN_ALL_ACCESS to
the WORLD ID.
- It has a default ACL that grants GENERIC_ALL access
to WORLD.
Parameters:
None.
Return Value:
Pointer to a system token.
--*/
{
NTSTATUS Status;
PVOID Token;
SID_AND_ATTRIBUTES UserId;
TOKEN_PRIMARY_GROUP PrimaryGroup;
PACL TokenAcl;
PSID Owner;
ULONG Length;
OBJECT_ATTRIBUTES TokenObjectAttributes;
PSECURITY_DESCRIPTOR TokenSecurityDescriptor;
TIME_FIELDS TimeFields;
LARGE_INTEGER NoExpiration;
PAGED_CODE();
//
// Set up expiration times
//
TimeFields.Year = 3000;
TimeFields.Month = 1;
TimeFields.Day = 1;
TimeFields.Hour = 1;
TimeFields.Minute = 1;
TimeFields.Second = 1;
TimeFields.Milliseconds = 1;
TimeFields.Weekday = 1;
RtlTimeFieldsToTime( &TimeFields, &NoExpiration );
//
// Set up the user ID
//
UserId.Sid = SeAnonymousLogonSid;
UserId.Attributes = 0;
//
// Establish the primary group and default owner
//
PrimaryGroup.PrimaryGroup = SeAnonymousLogonSid; // Primary group
//
// Set up an ACL to protect token as well ...
// Let everyone read/write. However, the token is dup'ed before we given
// anyone a handle to it.
//
Length = (ULONG)sizeof(ACL) +
(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
SeLengthSid( SeWorldSid ) +
(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
SeLengthSid( SeAnonymousLogonSid );
ASSERT( Length < 200 );
TokenAcl = (PACL)ExAllocatePoolWithTag(PagedPool, 200, 'cAeS');
if ( !TokenAcl ) {
return NULL ;
}
Status = RtlCreateAcl( TokenAcl, Length, ACL_REVISION2);
ASSERT( NT_SUCCESS(Status) );
Status = RtlAddAccessAllowedAce (
TokenAcl,
ACL_REVISION2,
TOKEN_ALL_ACCESS,
SeWorldSid
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlAddAccessAllowedAce (
TokenAcl,
ACL_REVISION2,
TOKEN_ALL_ACCESS,
SeAnonymousLogonSid
);
ASSERT( NT_SUCCESS(Status) );
TokenSecurityDescriptor =
(PSECURITY_DESCRIPTOR)ExAllocatePoolWithTag(
PagedPool,
SECURITY_DESCRIPTOR_MIN_LENGTH,
'dSeS'
);
if ( !TokenSecurityDescriptor ) {
ExFreePool( TokenAcl );
return NULL ;
}
Status = RtlCreateSecurityDescriptor(
TokenSecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetDaclSecurityDescriptor (
TokenSecurityDescriptor,
TRUE,
TokenAcl,
FALSE
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetOwnerSecurityDescriptor (
TokenSecurityDescriptor,
SeWorldSid,
FALSE // Owner defaulted
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetGroupSecurityDescriptor (
TokenSecurityDescriptor,
SeWorldSid,
FALSE // Group defaulted
);
ASSERT( NT_SUCCESS(Status) );
//
// Create the system token
//
#ifdef TOKEN_DEBUG
////////////////////////////////////////////////////////////////////////////
//
// Debug
DbgPrint("\n Creating system token...\n");
// Debug
//
////////////////////////////////////////////////////////////////////////////
#endif //TOKEN_DEBUG
InitializeObjectAttributes(
&TokenObjectAttributes,
NULL,
0,
NULL,
TokenSecurityDescriptor
);
Status = SepCreateToken(
(PHANDLE)&Token,
KernelMode,
0, // No handle created for system token
&TokenObjectAttributes,
TokenPrimary,
(SECURITY_IMPERSONATION_LEVEL)0,
(PLUID)&SeAnonymousAuthenticationId,
&NoExpiration,
&UserId,
0, // GroupCount
NULL, // Group IDs
0, // Group byte count
0, // no privileges
NULL, // no Privileges,
NULL,
PrimaryGroup.PrimaryGroup,
TokenAcl,
(PTOKEN_SOURCE)&SeSystemTokenSource,
TRUE, // System token
NULL,
NULL
);
ASSERT(NT_SUCCESS(Status));
//
// We can free the old one now.
//
ExFreePool( TokenAcl );
ExFreePool( TokenSecurityDescriptor );
return (PACCESS_TOKEN)Token;
}
PACCESS_TOKEN
SeMakeAnonymousLogonToken (
VOID
)
/*++
Routine Description:
This routine is provided for use by executive components
DURING SYSTEM INITIALIZATION ONLY. It creates a token for
use by system components.
A system token has the following characteristics:
- It has ANONYMOUS_LOGON as its user ID
- It has the following groups with the corresponding
attributes:
WORLD EnabledByDefault |
Enabled |
Mandatory
- It has WORLD as its primary group.
- It has no privileges
- It has protection that provides TOKEN_ALL_ACCESS to
the WORLD ID.
- It has a default ACL that grants GENERIC_ALL access
to WORLD.
Parameters:
None.
Return Value:
Pointer to a system token.
--*/
{
NTSTATUS Status;
PVOID Token;
SID_AND_ATTRIBUTES UserId;
PSID_AND_ATTRIBUTES GroupIds;
TOKEN_PRIMARY_GROUP PrimaryGroup;
ULONG GroupIdsLength;
PACL TokenAcl;
PSID Owner;
ULONG NormalGroupAttributes;
ULONG Length;
OBJECT_ATTRIBUTES TokenObjectAttributes;
PSECURITY_DESCRIPTOR TokenSecurityDescriptor;
ULONG_PTR GroupIdsBuffer[128 * sizeof(ULONG) / sizeof(ULONG_PTR)];
TIME_FIELDS TimeFields;
LARGE_INTEGER NoExpiration;
PAGED_CODE();
//
// Set up expiration times
//
TimeFields.Year = 3000;
TimeFields.Month = 1;
TimeFields.Day = 1;
TimeFields.Hour = 1;
TimeFields.Minute = 1;
TimeFields.Second = 1;
TimeFields.Milliseconds = 1;
TimeFields.Weekday = 1;
RtlTimeFieldsToTime( &TimeFields, &NoExpiration );
GroupIds = (PSID_AND_ATTRIBUTES)GroupIdsBuffer;
//
// Set up the attributes to be assigned to groups
//
NormalGroupAttributes = (SE_GROUP_MANDATORY |
SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED
);
//
// Set up the user ID
//
UserId.Sid = SeAnonymousLogonSid;
UserId.Attributes = 0;
//
// Set up the groups
//
GroupIds->Sid = SeWorldSid;
GroupIds->Attributes = NormalGroupAttributes;
GroupIdsLength = (ULONG)LongAlignSize(SeLengthSid(GroupIds->Sid)) +
sizeof(SID_AND_ATTRIBUTES);
ASSERT( GroupIdsLength <= 128 * sizeof(ULONG) );
//
// Establish the primary group and default owner
//
PrimaryGroup.PrimaryGroup = SeAnonymousLogonSid; // Primary group
//
// Set up an ACL to protect token as well ...
// give system full reign of terror. This includes user-mode components
// running as part of the system.
// Let everyone read/write. However, the token is dup'ed before we given
// anyone a handle to it.
//
Length = (ULONG)sizeof(ACL) +
(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
SeLengthSid( SeWorldSid ) +
(ULONG)sizeof(ACCESS_ALLOWED_ACE) +
SeLengthSid( SeAnonymousLogonSid );
ASSERT( Length < 200 );
TokenAcl = (PACL)ExAllocatePoolWithTag(PagedPool, 200, 'cAeS');
if ( !TokenAcl ) {
return NULL ;
}
Status = RtlCreateAcl( TokenAcl, Length, ACL_REVISION2);
ASSERT( NT_SUCCESS(Status) );
Status = RtlAddAccessAllowedAce (
TokenAcl,
ACL_REVISION2,
TOKEN_ALL_ACCESS,
SeWorldSid
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlAddAccessAllowedAce (
TokenAcl,
ACL_REVISION2,
TOKEN_ALL_ACCESS,
SeAnonymousLogonSid
);
ASSERT( NT_SUCCESS(Status) );
TokenSecurityDescriptor =
(PSECURITY_DESCRIPTOR)ExAllocatePoolWithTag(
PagedPool,
SECURITY_DESCRIPTOR_MIN_LENGTH,
'dSeS'
);
if ( !TokenSecurityDescriptor ) {
ExFreePool( TokenAcl );
return NULL ;
}
Status = RtlCreateSecurityDescriptor(
TokenSecurityDescriptor,
SECURITY_DESCRIPTOR_REVISION
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetDaclSecurityDescriptor (
TokenSecurityDescriptor,
TRUE,
TokenAcl,
FALSE
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetOwnerSecurityDescriptor (
TokenSecurityDescriptor,
SeWorldSid,
FALSE // Owner defaulted
);
ASSERT( NT_SUCCESS(Status) );
Status = RtlSetGroupSecurityDescriptor (
TokenSecurityDescriptor,
SeWorldSid,
FALSE // Group defaulted
);
ASSERT( NT_SUCCESS(Status) );
//
// Create the system token
//
#ifdef TOKEN_DEBUG
////////////////////////////////////////////////////////////////////////////
//
// Debug
DbgPrint("\n Creating system token...\n");
// Debug
//
////////////////////////////////////////////////////////////////////////////
#endif //TOKEN_DEBUG
InitializeObjectAttributes(
&TokenObjectAttributes,
NULL,
0,
NULL,
TokenSecurityDescriptor
);
Status = SepCreateToken(
(PHANDLE)&Token,
KernelMode,
0, // No handle created for system token
&TokenObjectAttributes,
TokenPrimary,
(SECURITY_IMPERSONATION_LEVEL)0,
(PLUID)&SeAnonymousAuthenticationId,
&NoExpiration,
&UserId,
1, // GroupCount
GroupIds,
GroupIdsLength,
0, // no privileges
NULL, // no Privileges,
0, // no privileges
PrimaryGroup.PrimaryGroup,
TokenAcl,
(PTOKEN_SOURCE)&SeSystemTokenSource,
TRUE, // System token
NULL,
NULL
);
ASSERT(NT_SUCCESS(Status));
//
// We can free the old one now.
//
ExFreePool( TokenAcl );
ExFreePool( TokenSecurityDescriptor );
return (PACCESS_TOKEN)Token;
}
NTSTATUS
SeSubProcessToken (
IN PACCESS_TOKEN ParentToken,
OUT PACCESS_TOKEN *ChildToken,
IN BOOLEAN MarkAsActive
)
/*++
Routine Description:
This routine makes a token for a sub-process that is a duplicate
of the parent process's token.
Parameters:
ParentToken - Pointer to the parent token
ChildToken - Receives a pointer to the child process's token.
MarkAsActive - Mark the token as active
Return Value:
STATUS_SUCCESS - Indicates the sub-process's token has been created
successfully.
Other status values may be returned from memory allocation or object
creation services used and typically indicate insufficient resources
or quota on the requestor's part.
--*/
{
PTOKEN NewToken;
OBJECT_ATTRIBUTES PrimaryTokenAttributes;
NTSTATUS Status;
NTSTATUS IgnoreStatus;
PAGED_CODE();
InitializeObjectAttributes(
&PrimaryTokenAttributes,
NULL,
0,
NULL,
NULL
);
#ifdef TOKEN_DEBUG
DbgPrint("\nCreating sub-process token...\n");
DbgPrint("Parent token address = 0x%lx\n", ParentProcess->Token);
#endif //TOKEN_DEBUG
Status = SepDuplicateToken(
ParentToken, // ExistingToken
&PrimaryTokenAttributes, // ObjectAttributes
FALSE, // EffectiveOnly
TokenPrimary, // TokenType
(SECURITY_IMPERSONATION_LEVEL)0, // ImpersonationLevel
KernelMode, // RequestorMode
&NewToken // NewToken
);
if (NT_SUCCESS(Status)) {
//
// Insert the new token object, up its ref count but don't create a handle.
//
Status = ObInsertObject(
NewToken,
NULL,
0,
0,
NULL,
NULL);
if (NT_SUCCESS(Status)) {
NewToken->TokenInUse = MarkAsActive;
*ChildToken = NewToken;
} else {
//
// ObInsertObject dereferences the passed object if it
// fails, so we don't have to do any cleanup on NewToken
// here.
//
}
}
return Status;
}
BOOLEAN
SepTokenInitialization ( VOID )
/*++
Routine Description:
This function creates the token object type descriptor at system
initialization and stores the address of the object type descriptor
in global storage. It also created token related global variables.
Furthermore, some number of pseudo tokens are created during system
initialization. These tokens are tracked down and replaced with
real tokens.
Arguments:
None.
Return Value:
A value of TRUE is returned if the object type descriptor is
successfully initialized. Otherwise a value of FALSE is returned.
--*/
{
OBJECT_TYPE_INITIALIZER ObjectTypeInitializer;
NTSTATUS Status;
UNICODE_STRING TypeName;
PAGED_CODE();
//
// Initialize string descriptor.
//
RtlInitUnicodeString(&TypeName, L"Token");
#if 0
BUG, BUG Need to get system default ACL to protect token object
#endif
//
// Create object type descriptor.
//
RtlZeroMemory(&ObjectTypeInitializer,sizeof(ObjectTypeInitializer));
ObjectTypeInitializer.Length = sizeof(ObjectTypeInitializer);
ObjectTypeInitializer.InvalidAttributes = OBJ_OPENLINK;
ObjectTypeInitializer.GenericMapping = SepTokenMapping;
ObjectTypeInitializer.SecurityRequired = TRUE;
ObjectTypeInitializer.UseDefaultObject = TRUE;
ObjectTypeInitializer.PoolType = PagedPool;
ObjectTypeInitializer.ValidAccessMask = TOKEN_ALL_ACCESS;
ObjectTypeInitializer.DeleteProcedure = SepTokenDeleteMethod;
Status = ObCreateObjectType(&TypeName,
&ObjectTypeInitializer,
(PSECURITY_DESCRIPTOR)NULL, // BUG, BUG assign real protection
&SeTokenObjectType
);
#if 0
BUG, BUG Now track down all pseudo tokens used during system initialization
BUG, BUG and replace them with real ones.
#endif
//
// If the object type descriptor was successfully created, then
// return a value of TRUE. Otherwise return a value of FALSE.
//
return (BOOLEAN)NT_SUCCESS(Status);
}
//////////////////////////////////////////////////////////////////////////
// //
// Temporary, for Debug only //
// //
//////////////////////////////////////////////////////////////////////////
#ifdef TOKEN_DEBUG
VOID
SepDumpToken(
IN PTOKEN T
)
{
ULONG Index;
//
// Dump a token
//
DbgPrint("\n");
DbgPrint(" address: 0x%lx \n", ((ULONG)T) );
DbgPrint(" TokenId: (0x%lx, 0x%lx) \n",
T->TokenId.HighPart, T->TokenId.LowPart );
if ( (T->AuthenticationId.Data[0] == SeSystemAuthenticationId.Data[0]) &&
(T->AuthenticationId.Data[1] == SeSystemAuthenticationId.Data[1]) &&
(T->AuthenticationId.Data[2] == SeSystemAuthenticationId.Data[2]) &&
(T->AuthenticationId.Data[3] == SeSystemAuthenticationId.Data[3]) ) {
DbgPrint(" AuthenticationId: SeSystemAuthenticationId \n");
} else {
DbgPrint(" AuthenticationId: (0x%lx, 0x%lx, 0x%lx, 0x%lx) \n",
T->AuthenticationId.Data[0],
T->AuthenticationId.Data[1],
T->AuthenticationId.Data[2],
T->AuthenticationId.Data[3] );
}
DbgPrint(" ExpirationTime: 0x%lx, 0x%lx \n",
T->ExpirationTime.HighPart,
T->ExpirationTime.LowPart );
if (T->TokenType == TokenPrimary) {
DbgPrint(" TokenType: Primary \n");
} else {
if (T->TokenType == TokenImpersonation) {
DbgPrint(" TokenType: Impersonation \n");
} else {
DbgPrint(" TokenType: (Unknown type, value = 0x%lx) \n",
((ULONG)T-TokenType) );
}
}
DbgPrint(" ImpersonationLevel: 0x%lx \n",
((ULONG)T->ImpersonationLevel) );
DbgPrint(" TokenSource: (not yet provided) \n");
DbgPrint(" DynamicCharged: 0x%lx \n", T->DynamicCharged);
DbgPrint(" UserAndGroupCount: 0x%lx \n", T->UserAndGroupCount);
DbgPrint(" PrivilegeCount: 0x%lx \n", T->PrivilegeCount);
DbgPrint(" VariableLength: 0x%lx \n", T->VariableLength);
DbgPrint(" ModifiedId: (0x%lx, 0x%lx) \n",
T->ModifiedId.HighPart,
T->ModifiedId.LowPart );
DbgPrint(" DynamicAvailable: 0x%lx \n", T->DynamicAvailable);
DbgPrint(" DefaultOwnerIndex: 0x%lx \n", T->DefaultOwnerIndex);
DbgPrint(" Address of DynamicPart: 0x%lx \n",
(* (PULONG)((PVOID)(&(T->DynamicPart)))) );
DbgPrint(" Address of Default DACL: 0x%lx \n",
(* (PULONG)((PVOID)(&(T->DefaultDacl)))) );
DbgPrint(" Address Of Variable Part: 0x%lx \n",
&(T->VariablePart) );
DbgPrint("\n");
DbgPrint(" PrimaryGroup:\n");
DbgPrint(" Address: 0x%lx \n",
(* (PULONG)((PVOID)(&(T->PrimaryGroup)))) );
DbgPrint(" Length: 0x%lx \n",
SeLengthSid((T->PrimaryGroup)) );
DbgPrint("\n");
DbgPrint(" UserAndGroups: 0x%lx \n",
(* (PULONG)((PVOID)(&(T->UserAndGroups)))) );
DbgPrint(" User ID - \n");
DbgPrint(" Address: 0x%lx \n",
(* (PULONG)((PVOID)(&(T->UserAndGroups[0].Sid)))) );
DbgPrint(" Attributes: 0x%lx \n",
(T->UserAndGroups[0].Attributes) );
DbgPrint(" Length: 0x%lx \n",
SeLengthSid((T->UserAndGroups[0].Sid)) );
Index = 1;
while (Index < T->UserAndGroupCount) {
DbgPrint(" Group 0x%lx - \n", Index );
DbgPrint(" Address: 0x%lx \n",
(* (PULONG)((PVOID)(&(T->UserAndGroups[Index].Sid)))) );
DbgPrint(" Attributes: 0x%lx \n",
(T->UserAndGroups[Index].Attributes) );
DbgPrint(" Length: 0x%lx \n",
SeLengthSid((T->UserAndGroups[Index].Sid)) );
Index += 1;
}
Index = 0;
while (Index < T->RestrictedSidCount) {
DbgPrint(" Sid 0x%lx - \n", Index );
DbgPrint(" Address: 0x%lx \n",
(* (PULONG)((PVOID)(&(T->RestrictedSids[Index].Sid)))) );
DbgPrint(" Attributes: 0x%lx \n",
(T->RestrictedSids[Index].Attributes) );
DbgPrint(" Length: 0x%lx \n",
SeLengthSid((T->RestrictedSids[Index].Sid)) );
Index += 1;
}
DbgPrint("\n");
DbgPrint(" Privileges: 0x%lx\n",
(* (PULONG)((PVOID)(&(T->Privileges)))) );
Index = 0;
while (Index < T->PrivilegeCount) {
DbgPrint(" Privilege 0x%lx - \n", Index );
DbgPrint(" Address: 0x%lx \n",
(&(T->Privileges[Index])) );
DbgPrint(" LUID: (0x%lx, 0x%lx) \n",
T->Privileges[Index].Luid.HighPart,
T->Privileges[Index].Luid.LowPart );
DbgPrint(" Attributes: 0x%lx \n",
T->Privileges[Index].Attributes );
Index += 1;
}
return;
}
#endif //TOKEN_DEBUG
NTSTATUS
NtCreateToken(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN TOKEN_TYPE TokenType,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER User,
IN PTOKEN_GROUPS Groups,
IN PTOKEN_PRIVILEGES Privileges,
IN PTOKEN_OWNER Owner OPTIONAL,
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL,
IN PTOKEN_SOURCE TokenSource
)
/*++
Routine Description:
Create a token object and return a handle opened for access to
that token. This API requires SeCreateTokenPrivilege privilege.
Arguments:
TokenHandle - Receives the handle of the newly created token.
DesiredAccess - Is an access mask indicating which access types
the handle is to provide to the new object.
ObjectAttributes - Points to the standard object attributes data
structure. Refer to the NT Object Management
Specification for a description of this data structure.
If the token type is TokenImpersonation, then this parameter
must specify the impersonation level of the token.
TokenType - Type of token to be created. Privilege is required
to create any type of token.
AuthenticationId - Points to a LUID (or LUID) providing a unique
identifier associated with the authentication. This is used
within security only, for audit purposes.
ExpirationTime - Time at which the token becomes invalid. If this
value is specified as zero, then the token has no expiration
time.
User - Is the user SID to place in the token.
Groups - Are the group SIDs to place in the token.
Privileges - Are the privileges to place in the token.
Owner - (Optionally) identifies an identifier that is to be used
as the default owner for the token. If not provided, the
user ID is made the default owner.
PrimaryGroup - Identifies which of the group IDs is to be the
primary group of the token.
DefaultDacl - (optionally) establishes an ACL to be used as the
default discretionary access protection for the token.
TokenSource - Identifies the token source name string and
identifier to be assigned to the token.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
STATUS_INVALID_OWNER - Indicates the ID provided to be assigned
as the default owner of the token does not have an attribute
indicating it may be assigned as an owner.
STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided
via the PrimaryGroup parameter was not among those assigned
to the token in the Groups parameter.
STATUS_BAD_IMPERSONATION_LEVEL - Indicates no impersonation level
was provided when attempting to create a token of type
TokenImpersonation.
--*/
{
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
ULONG Ignore;
HANDLE LocalHandle = NULL;
BOOLEAN SecurityQosPresent = FALSE;
SECURITY_ADVANCED_QUALITY_OF_SERVICE CapturedSecurityQos;
LUID CapturedAuthenticationId;
LARGE_INTEGER CapturedExpirationTime;
PSID_AND_ATTRIBUTES CapturedUser = NULL;
ULONG CapturedUserLength = 0;
ULONG CapturedGroupCount = 0;
PSID_AND_ATTRIBUTES CapturedGroups = NULL;
ULONG CapturedGroupsLength = 0;
ULONG CapturedPrivilegeCount = 0;
PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
ULONG CapturedPrivilegesLength = 0;
PSID CapturedOwner = NULL;
PSID CapturedPrimaryGroup = NULL;
PACL CapturedDefaultDacl = NULL;
TOKEN_SOURCE CapturedTokenSource;
PVOID CapturedAddress;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
//
// Probe everything necessary for input to the capture subroutines.
//
try {
ProbeForWriteHandle(TokenHandle);
ProbeForReadSmallStructure( ExpirationTime, sizeof(LARGE_INTEGER), sizeof(ULONG) );
ProbeForReadSmallStructure( Groups, sizeof(TOKEN_GROUPS), sizeof(ULONG) );
ProbeForReadSmallStructure( Privileges, sizeof(TOKEN_PRIVILEGES), sizeof(ULONG) );
ProbeForReadSmallStructure( TokenSource, sizeof(TOKEN_SOURCE), sizeof(ULONG) );
if ( ARGUMENT_PRESENT(Owner) ) {
ProbeForReadSmallStructure( Owner, sizeof(TOKEN_OWNER), sizeof(ULONG) );
}
ProbeForReadSmallStructure(
PrimaryGroup,
sizeof(TOKEN_PRIMARY_GROUP),
sizeof(ULONG)
);
if ( ARGUMENT_PRESENT(DefaultDacl) ) {
ProbeForReadSmallStructure(
DefaultDacl,
sizeof(TOKEN_DEFAULT_DACL),
sizeof(ULONG)
);
}
ProbeForReadSmallStructure(
AuthenticationId,
sizeof(LUID),
sizeof(ULONG)
);
} except(EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
} // end_try
} //end_if
//
// Capture the security quality of service.
// This capture routine necessarily does some probing of its own.
//
Status = SeCaptureSecurityQos(
ObjectAttributes,
PreviousMode,
&SecurityQosPresent,
&CapturedSecurityQos
);
if (!NT_SUCCESS(Status)) {
return Status;
}
if (TokenType == TokenImpersonation) {
if (!SecurityQosPresent) {
return STATUS_BAD_IMPERSONATION_LEVEL;
} // endif
} // endif
//
// Capture the rest of the arguments.
// These arguments have already been probed.
//
try {
Status = STATUS_SUCCESS;
//
// Capture and validate AuthenticationID
//
RtlCopyLuid( &CapturedAuthenticationId, AuthenticationId );
//
// Capture ExpirationTime
//
CapturedExpirationTime = (*ExpirationTime);
//
// Capture User
//
if (NT_SUCCESS(Status)) {
Status = SeCaptureSidAndAttributesArray(
&(User->User),
1,
PreviousMode,
NULL, 0,
PagedPool,
TRUE,
&CapturedUser,
&CapturedUserLength
);
}
//
// Capture Groups
//
if (NT_SUCCESS(Status)) {
CapturedGroupCount = Groups->GroupCount;
Status = SeCaptureSidAndAttributesArray(
(Groups->Groups),
CapturedGroupCount,
PreviousMode,
NULL, 0,
PagedPool,
TRUE,
&CapturedGroups,
&CapturedGroupsLength
);
}
//
// Capture Privileges
//
if (NT_SUCCESS(Status)) {
CapturedPrivilegeCount = Privileges->PrivilegeCount;
Status = SeCaptureLuidAndAttributesArray(
(Privileges->Privileges),
CapturedPrivilegeCount,
PreviousMode,
NULL, 0,
PagedPool,
TRUE,
&CapturedPrivileges,
&CapturedPrivilegesLength
);
}
//
// Capture Owner
//
if ( ARGUMENT_PRESENT(Owner) && NT_SUCCESS(Status)) {
CapturedAddress = Owner->Owner;
Status = SeCaptureSid(
(PSID)CapturedAddress,
PreviousMode,
NULL, 0,
PagedPool,
TRUE,
&CapturedOwner
);
}
//
// Capture PrimaryGroup
//
if (NT_SUCCESS(Status)) {
CapturedAddress = PrimaryGroup->PrimaryGroup;
Status = SeCaptureSid(
(PSID)CapturedAddress,
PreviousMode,
NULL, 0,
PagedPool,
TRUE,
&CapturedPrimaryGroup
);
}
//
// Capture DefaultDacl
//
if ( ARGUMENT_PRESENT(DefaultDacl) && NT_SUCCESS(Status) ) {
CapturedAddress = DefaultDacl->DefaultDacl;
if (CapturedAddress != NULL) {
Status = SeCaptureAcl(
(PACL)CapturedAddress,
PreviousMode,
NULL, 0,
NonPagedPool,
TRUE,
&CapturedDefaultDacl,
&Ignore
);
}
}
//
// Capture TokenSource
//
CapturedTokenSource = (*TokenSource);
} except(EXCEPTION_EXECUTE_HANDLER) {
if (CapturedUser != NULL) {
SeReleaseSidAndAttributesArray(
CapturedUser,
PreviousMode,
TRUE
);
}
if (CapturedGroups != NULL) {
SeReleaseSidAndAttributesArray(
CapturedGroups,
PreviousMode,
TRUE
);
}
if (CapturedPrivileges != NULL) {
SeReleaseLuidAndAttributesArray(
CapturedPrivileges,
PreviousMode,
TRUE
);
}
if (CapturedOwner != NULL) {
SeReleaseSid( CapturedOwner, PreviousMode, TRUE);
}
if (CapturedPrimaryGroup != NULL) {
SeReleaseSid( CapturedPrimaryGroup, PreviousMode, TRUE);
}
if (CapturedDefaultDacl != NULL) {
SeReleaseAcl( CapturedDefaultDacl, PreviousMode, TRUE);
}
if (SecurityQosPresent == TRUE) {
SeFreeCapturedSecurityQos( &CapturedSecurityQos );
}
return GetExceptionCode();
} // end_try{}
//
// Create the token
//
if (NT_SUCCESS(Status)) {
Status = SepCreateToken(
&LocalHandle,
PreviousMode,
DesiredAccess,
ObjectAttributes,
TokenType,
CapturedSecurityQos.ImpersonationLevel,
&CapturedAuthenticationId,
&CapturedExpirationTime,
CapturedUser,
CapturedGroupCount,
CapturedGroups,
CapturedGroupsLength,
CapturedPrivilegeCount,
CapturedPrivileges,
CapturedOwner,
CapturedPrimaryGroup,
CapturedDefaultDacl,
&CapturedTokenSource,
FALSE, // Not a system token
SecurityQosPresent ? CapturedSecurityQos.ProxyData : NULL,
SecurityQosPresent ? CapturedSecurityQos.AuditData : NULL
);
}
//
// Clean up the temporary capture buffers
//
if (CapturedUser != NULL) {
SeReleaseSidAndAttributesArray( CapturedUser, PreviousMode, TRUE);
}
if (CapturedGroups != NULL) {
SeReleaseSidAndAttributesArray( CapturedGroups, PreviousMode, TRUE);
}
if (CapturedPrivileges != NULL) {
SeReleaseLuidAndAttributesArray( CapturedPrivileges, PreviousMode, TRUE);
}
if (CapturedOwner != NULL) {
SeReleaseSid( CapturedOwner, PreviousMode, TRUE);
}
if (CapturedPrimaryGroup != NULL) {
SeReleaseSid( CapturedPrimaryGroup, PreviousMode, TRUE);
}
if (CapturedDefaultDacl != NULL) {
SeReleaseAcl( CapturedDefaultDacl, PreviousMode, TRUE);
}
if (SecurityQosPresent == TRUE) {
SeFreeCapturedSecurityQos( &CapturedSecurityQos );
}
//
// Return the handle to this new token
//
if (NT_SUCCESS(Status)) {
try { *TokenHandle = LocalHandle; }
except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); }
}
return Status;
}
////////////////////////////////////////////////////////////////////////
// //
// Token Private Routines //
// //
////////////////////////////////////////////////////////////////////////
VOID
SepTokenDeleteMethod (
IN PVOID Token
)
/*++
Routine Description:
This function is the token object type-specific delete method.
It is needed to ensure that all memory allocated for the token
gets deallocated.
Arguments:
Token - Points to the token object being deleted.
Return Value:
None.
--*/
{
PAGED_CODE();
#if DBG || TOKEN_LEAK_MONITOR
SepRemoveTokenLogonSession( Token );
#endif
//
// De-reference the logon session referenced by this token object
//
if ((((TOKEN *)Token)->TokenFlags & TOKEN_SESSION_NOT_REFERENCED ) == 0 ) {
SepDeReferenceLogonSession( &(((TOKEN *)Token)->AuthenticationId) );
}
//
// If the token has an associated Dynamic part, deallocate it.
//
if (ARGUMENT_PRESENT( ((TOKEN *)Token)->DynamicPart)) {
ExFreePool( ((TOKEN *)Token)->DynamicPart );
}
//
// Free the Proxy and Global audit structures if present.
//
if (ARGUMENT_PRESENT(((TOKEN *) Token)->ProxyData)) {
SepFreeProxyData( ((TOKEN *)Token)->ProxyData );
}
if (ARGUMENT_PRESENT(((TOKEN *)Token)->AuditData )) {
ExFreePool( (((TOKEN *)Token)->AuditData) );
}
if (ARGUMENT_PRESENT(((TOKEN *)Token)->TokenLock )) {
ExDeleteResourceLite(((TOKEN *)Token)->TokenLock );
ExFreePool(((TOKEN *)Token)->TokenLock );
}
return;
}
NTSTATUS
SepCreateToken(
OUT PHANDLE TokenHandle,
IN KPROCESSOR_MODE RequestorMode,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
IN TOKEN_TYPE TokenType,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel OPTIONAL,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PSID_AND_ATTRIBUTES User,
IN ULONG GroupCount,
IN PSID_AND_ATTRIBUTES Groups,
IN ULONG GroupsLength,
IN ULONG PrivilegeCount,
IN PLUID_AND_ATTRIBUTES Privileges,
IN PSID Owner OPTIONAL,
IN PSID PrimaryGroup,
IN PACL DefaultDacl OPTIONAL,
IN PTOKEN_SOURCE TokenSource,
IN BOOLEAN SystemToken,
IN PSECURITY_TOKEN_PROXY_DATA ProxyData OPTIONAL,
IN PSECURITY_TOKEN_AUDIT_DATA AuditData OPTIONAL
)
/*++
Routine Description:
Create a token object and return a handle opened for access to
that token. This API implements the bulk of the work needed
for NtCreateToken.
All parameters except DesiredAccess and ObjectAttributes are assumed
to have been probed and captured.
The output parameter (TokenHandle) is expected to be returned to a
safe address, rather than to a user mode address that may cause an
exception.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
NOTE: This routine is also used to create the initial system token.
In that case, the SystemToken parameter is TRUE and no handle
is established to the token. Instead, a pointer to the token
is returned via the TokenHandle parameter.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Arguments:
TokenHandle - Receives the handle of the newly created token. If the
SystemToken parameter is specified is true, then this parameter
receives a pointer to the token instead of a handle to the token.
RequestorMode - The mode of the caller on whose behalf the token
is being created.
DesiredAccess - Is an access mask indicating which access types
the handle is to provide to the new object.
ObjectAttributes - Points to the standard object attributes data
structure. Refer to the NT Object Management
Specification for a description of this data structure.
TokenType - Type of token to be created. Privilege is required
to create any type of token.
ImpersonationLevel - If the token type is TokenImpersonation, then
this parameter is used to specify the impersonation level of
the token.
AuthenticationId - Points to a LUID (or LUID) providing a unique
identifier associated with the authentication. This is used
within security only, for audit purposes.
ExpirationTime - Time at which the token becomes invalid. If this
value is specified as zero, then the token has no expiration
time.
User - Is the user SID to place in the token.
GroupCount - Indicates the number of groups in the 'Groups' parameter.
This value may be zero, in which case the 'Groups' parameter is
ignored.
Groups - Are the group SIDs, and their corresponding attributes,
to place in the token.
GroupsLength - Indicates the length, in bytes, of the array of groups
to place in the token.
PrivilegeCount - Indicates the number of privileges in the 'Privileges'
parameter. This value may be zero, in which case the 'Privileges'
parameter is ignored.
Privileges - Are the privilege LUIDs, and their corresponding attributes,
to place in the token.
PrivilegesLength - Indicates the length, in bytes, of the array of
privileges to place in the token.
Owner - (Optionally) identifies an identifier that is to be used
as the default owner for the token. If not provided, the
user ID is made the default owner.
PrimaryGroup - Identifies which of the group IDs is to be the
primary group of the token.
DefaultDacl - (optionally) establishes an ACL to be used as the
default discretionary access protection for the token.
TokenSource - Identifies the token source name string and
identifier to be assigned to the token.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
STATUS_INVALID_OWNER - Indicates the ID provided to be assigned
as the default owner of the token does not have an attribute
indicating it may be assigned as an owner.
STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided
via the PrimaryGroup parameter was not among those assigned
to the token in the Groups parameter.
STATUS_INVALID_PARAMETER - Indicates that a required parameter,
such as User or PrimaryGroup, was not provided with a legitimate
value.
--*/
{
PTOKEN Token;
NTSTATUS Status;
ULONG PagedPoolSize;
ULONG PrimaryGroupLength;
ULONG TokenBodyLength;
ULONG VariableLength;
ULONG DefaultOwnerIndex = 0;
PUCHAR Where;
ULONG ComputedPrivLength;
PSID NextSidFree;
ULONG DynamicLength;
ULONG DynamicLengthUsed;
ULONG SubAuthorityCount;
ULONG GroupIndex;
ULONG PrivilegeIndex;
BOOLEAN OwnerFound;
UCHAR TokenFlags = 0;
ACCESS_STATE AccessState;
AUX_ACCESS_DATA AuxData;
LUID NewModifiedId;
PERESOURCE TokenLock;
#if DBG || TOKEN_LEAK_MONITOR
ULONG Frames;
#endif
PAGED_CODE();
ASSERT( sizeof(SECURITY_IMPERSONATION_LEVEL) <= sizeof(ULONG) );
//
// Make sure the Enabled and Enabled-by-default bits are set on every
// mandatory group.
//
// Also, check to see if the local administrators alias is present.
// if so, turn on the flag so that we can do restrictions later
//
for (GroupIndex=0; GroupIndex < GroupCount; GroupIndex++) {
if (Groups[GroupIndex].Attributes & SE_GROUP_MANDATORY) {
Groups[GroupIndex].Attributes |= (SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT);
}
if ( RtlEqualSid( SeAliasAdminsSid, Groups[GroupIndex].Sid ) )
{
TokenFlags |= TOKEN_HAS_ADMIN_GROUP ;
}
}
//
// Check to see if the token being created is going to be granted
// SeChangeNotifyPrivilege. If so, set a flag in the TokenFlags field
// so we can find this out quickly.
//
for (PrivilegeIndex = 0; PrivilegeIndex < PrivilegeCount; PrivilegeIndex++) {
if (((RtlEqualLuid(&Privileges[PrivilegeIndex].Luid,&SeChangeNotifyPrivilege))
&&
(Privileges[PrivilegeIndex].Attributes & SE_PRIVILEGE_ENABLED))) {
TokenFlags |= TOKEN_HAS_TRAVERSE_PRIVILEGE;
break;
}
}
//
// Get a ModifiedId to use
//
ExAllocateLocallyUniqueId( &NewModifiedId );
//
// Validate the owner ID, if provided and establish the default
// owner index.
//
if (!ARGUMENT_PRESENT(Owner)) {
DefaultOwnerIndex = 0;
} else {
if ( RtlEqualSid( Owner, User->Sid ) ) {
DefaultOwnerIndex = 0;
} else {
GroupIndex = 0;
OwnerFound = FALSE;
while ((GroupIndex < GroupCount) && (!OwnerFound)) {
if ( RtlEqualSid( Owner, (Groups[GroupIndex].Sid) ) ) {
//
// Found a match - make sure it is assignable as owner.
//
if ( SepArrayGroupAttributes( Groups, GroupIndex ) &
SE_GROUP_OWNER ) {
DefaultOwnerIndex = GroupIndex + 1;
OwnerFound = TRUE;
} else {
return STATUS_INVALID_OWNER;
} // endif Owner attribute set
} // endif owner = group
GroupIndex += 1;
} // endwhile
if (!OwnerFound) {
return STATUS_INVALID_OWNER;
} // endif !OwnerFound
} // endif owner = user
} // endif owner specified
//
// Increment the reference count for this logon session
// (fail if there is no corresponding logon session.)
//
Status = SepReferenceLogonSession( AuthenticationId );
if ( !NT_SUCCESS(Status) ) {
return Status;
}
TokenLock = (PERESOURCE)ExAllocatePoolWithTag( NonPagedPool, sizeof( ERESOURCE ), 'dTeS' );
if (TokenLock == NULL) {
SepDeReferenceLogonSession( AuthenticationId );
return( STATUS_INSUFFICIENT_RESOURCES );
}
//
// Calculate the length needed for the variable portion of the token
// This includes the User ID, Group IDs, and Privileges
//
//
// Align the privilege chunk by pointer alignment so that the SIDs will
// be correctly aligned. Align the Groups Length so that the SID_AND_ATTR
// array (which is
//
ComputedPrivLength = PrivilegeCount * sizeof( LUID_AND_ATTRIBUTES ) ;
ComputedPrivLength = ALIGN_UP( ComputedPrivLength, PVOID );
GroupsLength = ALIGN_UP( GroupsLength, PVOID );
VariableLength = GroupsLength + ComputedPrivLength +
ALIGN_UP( (GroupCount * sizeof( SID_AND_ATTRIBUTES )), PVOID ) ;
SubAuthorityCount = ((SID *)(User->Sid))->SubAuthorityCount;
VariableLength += sizeof(SID_AND_ATTRIBUTES) +
(ULONG)LongAlignSize(RtlLengthRequiredSid( SubAuthorityCount ));
//
// Calculate the length needed for the dynamic portion of the token
// This includes the default Dacl and the primary group.
//
SubAuthorityCount = ((SID *)PrimaryGroup)->SubAuthorityCount;
DynamicLengthUsed = (ULONG)LongAlignSize(RtlLengthRequiredSid( SubAuthorityCount ));
if (ARGUMENT_PRESENT(DefaultDacl)) {
DynamicLengthUsed += (ULONG)LongAlignSize(DefaultDacl->AclSize);
}
DynamicLength = DynamicLengthUsed;
//
// Now create the token body
//
TokenBodyLength = FIELD_OFFSET(TOKEN, VariablePart) + VariableLength;
if (DynamicLength < TOKEN_DEFAULT_DYNAMIC_CHARGE) {
PagedPoolSize = TokenBodyLength + TOKEN_DEFAULT_DYNAMIC_CHARGE;
} else {
PagedPoolSize = TokenBodyLength + DynamicLength;
}
Status = ObCreateObject(
RequestorMode, // ProbeMode
SeTokenObjectType, // ObjectType
ObjectAttributes, // ObjectAttributes
UserMode, // OwnershipMode
NULL, // ParseContext
TokenBodyLength, // ObjectBodySize
PagedPoolSize, // PagedPoolCharge
0, // NonPagedPoolCharge
(PVOID *)&Token // Return pointer to object
);
if (!NT_SUCCESS(Status)) {
ExFreePool( TokenLock );
SepDeReferenceLogonSession( AuthenticationId );
return Status;
}
//
// After this point, we rely on token deletion to clean up the referenced
// logon session if the creation fails.
//
//
// Main Body initialization
//
Token->TokenLock = TokenLock;
ExInitializeResourceLite( Token->TokenLock );
ExAllocateLocallyUniqueId( &(Token->TokenId) );
Token->ParentTokenId = RtlConvertLongToLuid(0);
Token->AuthenticationId = (*AuthenticationId);
Token->TokenInUse = FALSE;
Token->ModifiedId = NewModifiedId;
Token->ExpirationTime = (*ExpirationTime);
Token->TokenType = TokenType;
Token->ImpersonationLevel = ImpersonationLevel;
Token->TokenSource = (*TokenSource);
Token->TokenFlags = TokenFlags;
Token->SessionId = 0;
Token->DynamicCharged = PagedPoolSize - TokenBodyLength;
Token->DynamicAvailable = 0;
Token->DefaultOwnerIndex = DefaultOwnerIndex;
Token->DefaultDacl = NULL;
Token->VariableLength = VariableLength;
#if DBG || TOKEN_LEAK_MONITOR
Token->ProcessCid = PsGetCurrentThread()->Cid.UniqueProcess;
Token->ThreadCid = PsGetCurrentThread()->Cid.UniqueThread;
Token->CreateMethod = 0xC; // Create
RtlCopyMemory(
Token->ImageFileName,
PsGetCurrentProcess()->ImageFileName,
min(sizeof(Token->ImageFileName), sizeof(PsGetCurrentProcess()->ImageFileName))
);
Frames = RtlWalkFrameChain(
(PVOID)Token->CreateTrace,
TRACE_SIZE,
0
);
if (KeGetCurrentIrql() < DISPATCH_LEVEL) {
RtlWalkFrameChain(
(PVOID)&Token->CreateTrace[Frames],
TRACE_SIZE - Frames,
1
);
}
SepAddTokenLogonSession(Token);
#endif
// Ensure SepTokenDeleteMethod knows the buffers aren't allocated yet.
Token->ProxyData = NULL;
Token->AuditData = NULL;
Token->DynamicPart = NULL;
if (ARGUMENT_PRESENT( ProxyData )) {
Status = SepCopyProxyData(
&Token->ProxyData,
ProxyData
);
if (!NT_SUCCESS(Status)) {
ObDereferenceObject( Token );
return( STATUS_NO_MEMORY );
}
} else {
Token->ProxyData = NULL;
}
if (ARGUMENT_PRESENT( AuditData )) {
Token->AuditData = ExAllocatePool( PagedPool, sizeof( SECURITY_TOKEN_AUDIT_DATA ));
if (Token->AuditData == NULL) {
ObDereferenceObject( Token );
return( STATUS_NO_MEMORY );
}
*(Token->AuditData) = *AuditData;
} else {
Token->AuditData = NULL;
}
//
// Variable part initialization
// Data is in the following order:
//
// Privileges array
// User (SID_AND_ATTRIBUTES)
// Groups (SID_AND_ATTRIBUTES)
// Restricted Sids (SID_AND_ATTRIBUTES)
// SIDs
//
Where = (PUCHAR) & Token->VariablePart ;
Token->Privileges = (PLUID_AND_ATTRIBUTES) Where ;
Token->PrivilegeCount = PrivilegeCount ;
RtlCopyMemory(
Where,
Privileges,
PrivilegeCount * sizeof(LUID_AND_ATTRIBUTES) );
ASSERT( ComputedPrivLength >= PrivilegeCount * sizeof( LUID_AND_ATTRIBUTES ) );
Where += ComputedPrivLength ;
VariableLength -= ComputedPrivLength ;
ASSERT( (((ULONG_PTR) Where ) & (sizeof(PVOID) - 1)) == 0 );
//
// Now, copy the sid and attributes arrays.
//
NextSidFree = (PSID) (Where + (sizeof( SID_AND_ATTRIBUTES ) *
(GroupCount + 1) ) );
Token->UserAndGroups = (PSID_AND_ATTRIBUTES) Where ;
Token->UserAndGroupCount = GroupCount + 1 ;
ASSERT(VariableLength >= ((GroupCount + 1) * (ULONG)sizeof(SID_AND_ATTRIBUTES)));
VariableLength -= ((GroupCount + 1) * (ULONG)sizeof(SID_AND_ATTRIBUTES));
Status = RtlCopySidAndAttributesArray(
1,
User,
VariableLength,
(PSID_AND_ATTRIBUTES)Where,
NextSidFree,
&NextSidFree,
&VariableLength
);
Where += sizeof( SID_AND_ATTRIBUTES );
ASSERT( (((ULONG_PTR) Where ) & (sizeof(PVOID) - 1)) == 0 );
Status = RtlCopySidAndAttributesArray(
GroupCount,
Groups,
VariableLength,
(PSID_AND_ATTRIBUTES)Where,
NextSidFree,
&NextSidFree,
&VariableLength
);
ASSERT(NT_SUCCESS(Status));
Token->RestrictedSids = NULL;
Token->RestrictedSidCount = 0;
//
// Dynamic part initialization
// Data is in the following order:
//
// PrimaryGroup (SID)
// Default Discreationary Acl (ACL)
//
Token->DynamicPart = (PULONG)ExAllocatePoolWithTag( PagedPool, DynamicLength, 'dTeS' );
//
// The attempt to allocate the DynamicPart of the token may have
// failed. Dereference the created object and exit with an error.
//
if (Token->DynamicPart == NULL) {
ObDereferenceObject( Token );
return( STATUS_NO_MEMORY );
}
Where = (PUCHAR) Token->DynamicPart;
Token->PrimaryGroup = (PSID) Where;
PrimaryGroupLength = RtlLengthRequiredSid( ((SID *)PrimaryGroup)->SubAuthorityCount );
RtlCopySid( PrimaryGroupLength, (PSID)Where, PrimaryGroup );
Where += (ULONG)LongAlignSize(PrimaryGroupLength);
if (ARGUMENT_PRESENT(DefaultDacl)) {
Token->DefaultDacl = (PACL)Where;
RtlCopyMemory( (PVOID)Where,
(PVOID)DefaultDacl,
DefaultDacl->AclSize
);
}
#ifdef TOKEN_DEBUG
////////////////////////////////////////////////////////////////////////////
//
// Debug
SepDumpToken( Token );
// Debug
//
////////////////////////////////////////////////////////////////////////////
#endif //TOKEN_DEBUG
//
// Insert the token unless it is a system token.
//
if (!SystemToken) {
Status = SeCreateAccessState(
&AccessState,
&AuxData,
DesiredAccess,
&SeTokenObjectType->TypeInfo.GenericMapping
);
if ( NT_SUCCESS(Status) ) {
BOOLEAN PrivilegeHeld;
PrivilegeHeld = SeSinglePrivilegeCheck(
SeCreateTokenPrivilege,
KeGetPreviousMode()
);
if (PrivilegeHeld) {
Status = ObInsertObject( Token,
&AccessState,
0,
0,
(PVOID *)NULL,
TokenHandle
);
} else {
Status = STATUS_PRIVILEGE_NOT_HELD;
ObDereferenceObject( Token );
}
SeDeleteAccessState( &AccessState );
} else {
ObDereferenceObject( Token );
}
} else {
ASSERT( NT_SUCCESS( Status ) );
//
// Insert the token unless this is phase0 initialization. The system token is inserted later.
//
if (!ExFastRefObjectNull (PsGetCurrentProcess()->Token)) {
Status = ObInsertObject( Token,
NULL,
0,
0,
NULL,
NULL
);
}
if (NT_SUCCESS (Status)) {
//
// Return pointer instead of handle.
//
(*TokenHandle) = (HANDLE)Token;
} else {
(*TokenHandle) = NULL;
}
}
return Status;
}
BOOLEAN
SepIdAssignableAsOwner(
IN PTOKEN Token,
IN ULONG Index
)
/*++
Routine Description:
This routine returns a boolean value indicating whether the user
or group ID in the specified token with the specified index is
assignable as the owner of an object.
If the index is 0, which is always the USER ID, then the ID is
assignable as owner. Otherwise, the ID is that of a group, and
it must have the "Owner" attribute set to be assignable.
Arguments:
Token - Pointer to a locked Token to use.
Index - Index into the Token's UserAndGroupsArray. This value
is assumed to be valid.
Return Value:
TRUE - Indicates the index corresponds to an ID that may be assigned
as the owner of objects.
FALSE - Indicates the index does not correspond to an ID that may be
assigned as the owner of objects.
--*/
{
PAGED_CODE();
if (Index == 0) {
return TRUE;
} else {
return (BOOLEAN)
( (SepTokenGroupAttributes(Token,Index) & SE_GROUP_OWNER)
!= 0
);
}
}
NTSTATUS
SeIsChildToken(
IN HANDLE Token,
OUT PBOOLEAN IsChild
)
/*++
Routine Description:
This routine returns TRUE if the supplied token is a child of the caller's
process token. This is done by comparing the ParentTokenId field of the
supplied token to the TokenId field of the token from the current subject
context.
Arguments:
Token - Token to check for childhood
IsChild - Contains results of comparison.
TRUE - The supplied token is a child of the caller's token
FALSE- The supplied token is not a child of the caller's token
Returns:
Status codes from any NT services called.
--*/
{
PTOKEN CallerToken;
PTOKEN SuppliedToken;
LUID CallerTokenId;
LUID SuppliedParentTokenId;
NTSTATUS Status = STATUS_SUCCESS;
PEPROCESS Process;
*IsChild = FALSE;
//
// Capture the caller's token and get the token id
//
Process = PsGetCurrentProcess();
CallerToken = (PTOKEN) PsReferencePrimaryToken(Process);
SepAcquireTokenReadLock( CallerToken );
CallerTokenId = CallerToken->TokenId;
SepReleaseTokenReadLock( CallerToken );
PsDereferencePrimaryTokenEx(Process, CallerToken);
//
// Reference the supplied token and get the parent token id.
//
Status = ObReferenceObjectByHandle(
Token, // Handle
0, // DesiredAccess
SeTokenObjectType, // ObjectType
KeGetPreviousMode(), // AccessMode
(PVOID *)&SuppliedToken, // Object
NULL // GrantedAccess
);
if (NT_SUCCESS(Status))
{
SepAcquireTokenReadLock( SuppliedToken );
SuppliedParentTokenId = SuppliedToken->ParentTokenId;
SepReleaseTokenReadLock( SuppliedToken );
ObDereferenceObject(SuppliedToken);
//
// Check to see if the supplied token's parent ID is the ID
// of the caller.
//
if (RtlEqualLuid(
&SuppliedParentTokenId,
&CallerTokenId
)) {
*IsChild = TRUE;
}
}
return(Status);
}
NTSTATUS
SeIsChildTokenByPointer(
IN PACCESS_TOKEN Token,
OUT PBOOLEAN IsChild
)
/*++
Routine Description:
This routine returns TRUE if the supplied token is a child of the caller's
token. This is done by comparing the ParentTokenId field of the supplied
token to the TokenId field of the token from the current subject context.
Arguments:
Token - Token to check for childhood
IsChild - Contains results of comparison.
TRUE - The supplied token is a child of the caller's token
FALSE- The supplied token is not a child of the caller's token
Returns:
Status codes from any NT services called.
--*/
{
SECURITY_SUBJECT_CONTEXT SubjectSecurityContext;
PTOKEN CallerToken;
PTOKEN SuppliedToken;
LUID CallerTokenId;
LUID SuppliedParentTokenId;
NTSTATUS Status = STATUS_SUCCESS;
PEPROCESS Process;
*IsChild = FALSE;
//
// Capture the caller's token and get the token id
//
Process = PsGetCurrentProcess();
CallerToken = (PTOKEN) PsReferencePrimaryToken(Process);
SepAcquireTokenReadLock( CallerToken );
CallerTokenId = CallerToken->TokenId;
SepReleaseTokenReadLock( CallerToken );
PsDereferencePrimaryTokenEx(Process, CallerToken);
SuppliedToken = (PTOKEN) Token ;
SepAcquireTokenReadLock( SuppliedToken );
SuppliedParentTokenId = SuppliedToken->ParentTokenId;
SepReleaseTokenReadLock( SuppliedToken );
//
// Check to see if the supplied token's parent ID is the ID
// of the caller.
//
if (RtlEqualLuid(
&SuppliedParentTokenId,
&CallerTokenId
)) {
*IsChild = TRUE;
}
return(Status);
}
NTSTATUS
NtImpersonateAnonymousToken(
IN HANDLE ThreadHandle
)
/*++
Routine Description:
Impersonates the system's anonymous logon token on this thread.
Arguments:
ThreadHandle - Handle to the thread to do the impersonation.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
STATUS_INVALID_HANDLE - the thread handle is invalid.
STATUS_ACCESS_DENIED - The thread handle is not open for impersonation
access.
--*/
{
PETHREAD CallerThread = NULL;
NTSTATUS Status = STATUS_SUCCESS;
PACCESS_TOKEN Token = NULL;
PEPROCESS Process;
HANDLE hAnonymousToken = NULL;
ULONG RegValue;
#define EVERYONE_INCLUDES_ANONYMOUS 1
//
// Reference the caller's thread to make sure we can impersonate
//
Status = ObReferenceObjectByHandle(
ThreadHandle,
THREAD_IMPERSONATE,
PsThreadType,
KeGetPreviousMode(),
(PVOID *)&CallerThread,
NULL
);
if (!NT_SUCCESS(Status)) {
return Status;
}
//
// Check the AnonymousIncludesEveryone reg key setting.
//
Status = SepRegQueryDwordValue(
L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\Lsa",
L"EveryoneIncludesAnonymous",
&RegValue
);
if ( NT_SUCCESS( Status ) && ( RegValue == EVERYONE_INCLUDES_ANONYMOUS )) {
hAnonymousToken = SeAnonymousLogonToken;
} else {
hAnonymousToken = SeAnonymousLogonTokenNoEveryone;
};
//
// Reference the impersonation token to make sure we are allowed to
// impersonate it.
//
Status = ObReferenceObjectByPointer(
hAnonymousToken,
TOKEN_IMPERSONATE,
SeTokenObjectType,
KeGetPreviousMode()
);
if (!NT_SUCCESS(Status)) {
goto Cleanup;
}
ObDereferenceObject(hAnonymousToken);
Process = PsGetCurrentProcess();
Token = PsReferencePrimaryToken(Process);
//
// Do not allow anonymous impersonation if the primary token is restricted.
//
if (SeTokenIsRestricted(Token)) {
PsDereferencePrimaryToken(Token);
Status = STATUS_ACCESS_DENIED;
goto Cleanup;
}
PsDereferencePrimaryTokenEx(Process, Token);
//
// Do the impersonation. We want copy on open so the caller can't
// actually modify this system's copy of this token.
//
Status = PsImpersonateClient(
CallerThread,
hAnonymousToken,
TRUE, // copy on open
FALSE, // no effective only
SecurityImpersonation
);
Cleanup:
if (CallerThread != NULL) {
ObDereferenceObject(CallerThread);
}
return(Status);
}
#define SepEqualSidAndAttribute(a, b) \
((RtlEqualSid((a).Sid, (b).Sid)) && \
((((a).Attributes ^ (b).Attributes) & \
(SE_GROUP_ENABLED | SE_GROUP_USE_FOR_DENY_ONLY)) == 0) \
)
#define SepEqualLuidAndAttribute(a, b) \
((RtlEqualLuid(&(a).Luid, &(b).Luid)) && \
((((a).Attributes ^ (b).Attributes) & SE_PRIVILEGE_ENABLED) == 0) \
)
BOOLEAN
SepComparePrivilegeAndAttributeArrays(
IN PLUID_AND_ATTRIBUTES PrivilegeArray1,
IN ULONG Count1,
IN PLUID_AND_ATTRIBUTES PrivilegeArray2,
IN ULONG Count2
)
/*++
Routine Description:
This routine decides whether the given two privilege arrays are equivalent
from AccessCheck perspective.
Arguments:
PrivilegeArray1 - Privilege and attribute array from the first token.
Count1 - Number of elements from the first array.
PrivilegeArray2 - Privilege and attribute array from the second token.
Count2 - Number of elements from the second array.
Return Value:
TRUE - if the two arrays are equivalent
FALSE - otherwise
--*/
{
ULONG i = 0;
ULONG j = 0;
ULONG k = 0;
//
// If the number of privileges are not equal return FALSE.
//
if ( Count1 != Count2 ) {
return FALSE;
}
//
// In most cases when the privilege arrays are the same, the elements will
// be ordered in the same manner. Walk the two arrays till we get a mismatch
// or exhaust the number of entries in the array.
//
for ( k = 0; k < Count1; k++ ) {
if ( !SepEqualLuidAndAttribute(PrivilegeArray1[k], PrivilegeArray2[k]) ) {
break;
}
}
//
// If the arrays are identical return TRUE.
//
if ( k == Count1 ) {
return TRUE;
}
//
// Check if all the elements in the first array are present in the second.
//
for ( i = k; i < Count1; i++ ) {
for ( j = k; j < Count2; j++ ) {
if ( SepEqualLuidAndAttribute(PrivilegeArray1[i], PrivilegeArray2[j]) ) {
break;
}
}
//
// The second array does not contain ith element from the first.
//
if ( j == Count2 ) {
return FALSE;
}
}
//
// Check if all the elements in the second array are present in the first.
//
for ( i = k; i < Count2; i++ ) {
for ( j = k; j < Count1; j++ ) {
if ( SepEqualLuidAndAttribute(PrivilegeArray2[i], PrivilegeArray1[j]) ) {
break;
}
}
//
// The first array does not contain ith element from the second.
//
if ( j == Count1 ) {
return FALSE;
}
}
//
// If we are here, one array is a permutation of the other. Return TRUE.
//
return TRUE;
}
BOOLEAN
SepCompareSidAndAttributeArrays(
IN PSID_AND_ATTRIBUTES SidArray1,
IN ULONG Count1,
IN PSID_AND_ATTRIBUTES SidArray2,
IN ULONG Count2
)
/*++
Routine Description:
This routine decides whether the given two sid and attribute arrays are
equivalentfrom AccessCheck perspective.
Arguments:
SidArray1 - Sid and attribute array from the first token.
Count1 - Number of elements from the first array.
SidArray2 - Sid and attribute array from the second token.
Count2 - Number of elements from the second array.
Return Value:
TRUE - if the two arrays are equivalent
FALSE - otherwise
--*/
{
ULONG i = 0;
ULONG j = 0;
ULONG k = 0;
//
// If the number of groups sids are not equal return FALSE.
//
if ( Count1 != Count2 ) {
return FALSE;
}
//
// In most cases when the sid arrays are the same, the elements will
// be ordered in the same manner. Walk the two arrays till we get a mismatch
// or exhaust the number of entries in the array.
//
for ( k = 0; k < Count1; k++ ) {
if ( !SepEqualSidAndAttribute(SidArray1[k], SidArray2[k]) ) {
break;
}
}
//
// If the arrays are identical return TRUE.
//
if ( k == Count1 ) {
return TRUE;
}
//
// Check if all the elements in the first array are present in the second.
//
for ( i = k; i < Count1; i++ ) {
for ( j = k; j < Count2; j++ ) {
if ( SepEqualSidAndAttribute(SidArray1[i], SidArray2[j]) ) {
break;
}
}
//
// The second array does not contain ith element from the first.
//
if ( j == Count2 ) {
return FALSE;
}
}
//
// Check if all the elements in the second array are present in the first.
//
for ( i = k; i < Count2; i++ ) {
for ( j = k; j < Count1; j++ ) {
if ( SepEqualSidAndAttribute(SidArray2[i], SidArray1[j]) ) {
break;
}
}
//
// The first array does not contain ith element from the second.
//
if ( j == Count1 ) {
return FALSE;
}
}
//
// If we are here, one array is a permutation of the other. Return TRUE.
//
return TRUE;
}
NTSTATUS
NtCompareTokens(
IN HANDLE FirstTokenHandle,
IN HANDLE SecondTokenHandle,
OUT PBOOLEAN Equal
)
/*++
Routine Description:
This routine decides whether the given two tokens are equivalent from
AccessCheck perspective.
Two tokens are considered equal if all of the below are true.
1. Every sid present in one token is the present in the other and vice-versa.
The access check attributes (SE_GROUP_ENABLED and SE_GROUP_USE_FOR_DENY_ONLY)
for these sids should match too.
2. Either none or both the tokens are restricted.
3. If both tokens are restricted then 1 should hold true for RestrictedSids.
4. Every privilege present in the one token should be present in the other
and vice-versa.
Arguments:
FirstTokenHandle - Handle to the first token. The caller must have TOKEN_QUERY
access to the token.
SecondTokenHandle - Handle to the second token. The caller must have TOKEN_QUERY
access to the token.
Equal - To return whether the two tokens are equivalent from AccessCheck
viewpoint.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
--*/
{
PTOKEN TokenOne = NULL;
PTOKEN TokenTwo = NULL;
BOOLEAN RetVal = FALSE;
NTSTATUS Status = STATUS_SUCCESS;
KPROCESSOR_MODE PreviousMode;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
if (PreviousMode != KernelMode) {
try {
ProbeForWriteBoolean(Equal);
} except(EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
} // end_try
} //end_if
//
// If its the same handle, return TRUE.
//
if ( FirstTokenHandle == SecondTokenHandle ) {
RetVal = TRUE;
goto Cleanup;
}
//
// Reference the first token handle with TOKEN_QUERY access so that it does
// not go away.
//
Status = ObReferenceObjectByHandle(
FirstTokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SeTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&TokenOne, // Object
NULL // GrantedAccess
);
if (!NT_SUCCESS(Status)) {
TokenOne = NULL;
goto Cleanup;
}
//
// Reference the second token handle with TOKEN_QUERY access so that it does
// not go away.
//
Status = ObReferenceObjectByHandle(
SecondTokenHandle, // Handle
TOKEN_QUERY, // DesiredAccess
SeTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&TokenTwo, // Object
NULL // GrantedAccess
);
if (!NT_SUCCESS(Status)) {
TokenTwo = NULL;
goto Cleanup;
}
//
// Acquire read lock on the first token.
//
SepAcquireTokenReadLock( TokenOne );
//
// Acquire read lock on the second token.
//
SepAcquireTokenReadLock( TokenTwo );
//
// Compare the user sid as well as its relevant attributes.
//
if ( !SepEqualSidAndAttribute(TokenOne->UserAndGroups[0], TokenTwo->UserAndGroups[0]) ) {
goto Cleanup1;
}
//
// Continue if both tokens are unrestricted OR
// if both tokens are restricted and Restricted arrays are equal.
// Else return UNEQUAL.
//
if ( SeTokenIsRestricted( (PACCESS_TOKEN) TokenOne )) {
if ( !SeTokenIsRestricted( (PACCESS_TOKEN) TokenTwo )) {
goto Cleanup1;
}
RetVal = SepCompareSidAndAttributeArrays(
TokenOne->RestrictedSids,
TokenOne->RestrictedSidCount,
TokenTwo->RestrictedSids,
TokenTwo->RestrictedSidCount
);
if (!RetVal) {
goto Cleanup1;
}
} else {
if ( SeTokenIsRestricted( (PACCESS_TOKEN) TokenTwo )) {
goto Cleanup1;
}
}
//
// Compare the sid arrays.
//
RetVal = SepCompareSidAndAttributeArrays(
TokenOne->UserAndGroups+1,
TokenOne->UserAndGroupCount-1,
TokenTwo->UserAndGroups+1,
TokenTwo->UserAndGroupCount-1
);
if (!RetVal) {
goto Cleanup1;
}
//
// Compare the privilege arrays.
//
RetVal = SepComparePrivilegeAndAttributeArrays(
TokenOne->Privileges,
TokenOne->PrivilegeCount,
TokenTwo->Privileges,
TokenTwo->PrivilegeCount
);
Cleanup1:
SepReleaseTokenReadLock( TokenOne );
SepReleaseTokenReadLock( TokenTwo );
Cleanup:
if ( TokenOne != NULL) {
ObDereferenceObject( TokenOne );
}
if ( TokenTwo != NULL) {
ObDereferenceObject( TokenTwo );
}
try {
*Equal = RetVal;
} except(EXCEPTION_EXECUTE_HANDLER) {
Status = GetExceptionCode();
}
return Status;
}