Yes, to only allow programs that REALLY REALLY REALLY REALLY ….. need to do so to trigger the hard-error “shutdown” BSOD from user-mode to do so, and these programs would better be only those that run only in SYSTEM rights, and more exactly these include CSRSS, WINLOGON and SMSS when something very bad happen to them.
I would not appreciate, for example, that when I run a program under a not-so privileged account (like, some random user account) that has just the shutdown privilege to shut the computer down properly, that this program suddently “BSODS” my machine.
To these programs, I say “f$ck these!”
Regards,
Hermès
De : Ros-dev [mailto:ros-dev-bounces@
reactos.org ] De la part de Alex Ionescu
Envoyé : lundi 2 avril 2018 04:20
À : ReactOS Development List; Hermès Bélusca-Maïto
Cc : Linda Wang
Objet : Re: [ros-dev] [ros-diffs] 02/08: [NTOSKRNL] Forbid processes without the Tcb prvilege to perform a user-mode hard-error BSOD.
Is there a point to this blatant behavior change?
Best regards,
Alex Ionescu
On Sun, Apr 1, 2018 at 3:04 PM, Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.
org > wrote:https://git.reactos.org/?p=
reactos.git;a=commitdiff;h= f0729b30bb79d6f538cf2b9578ff8e be7989f8d3
commit f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3
Author: Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org >
AuthorDate: Sun Apr 1 14:46:19 2018 +0200
Commit: Hermès Bélusca-Maïto <hermes.belusca-maito@reactos.org >
CommitDate: Sun Apr 1 22:39:31 2018 +0200
[NTOSKRNL] Forbid processes without the Tcb prvilege to perform a user-mode hard-error BSOD.
---
ntoskrnl/ex/harderr.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ntoskrnl/ex/harderr.c b/ntoskrnl/ex/harderr.c
index 84f409a1bb..a5200e3e74 100644
--- a/ntoskrnl/ex/harderr.c
+++ b/ntoskrnl/ex/harderr.c
@@ -132,8 +132,18 @@ ExpRaiseHardError(IN NTSTATUS ErrorStatus,
/* Check if this error will shutdown the system */
if (ValidResponseOptions == OptionShutdownSystem)
{
- /* Check for privilege */
- if (!SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode))
+ /*
+ * Check if we have the privileges.
+ *
+ * NOTE: In addition to the Shutdown privilege we also check whether
+ * the caller has the Tcb privilege. The purpose is to allow only
+ * SYSTEM processes to "shutdown" the system on hard errors (BSOD)
+ * while forbidding regular processes to do so. This behaviour differs
+ * from Windows, where any user-mode process, as soon as it has the
+ * Shutdown privilege, can trigger a hard-error BSOD.
+ */
+ if (!SeSinglePrivilegeCheck(SeTcbPrivilege, PreviousMode) ||
+ !SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode))
{
/* No rights */
*Response = ResponseNotHandled;
_______________________________________________
Ros-dev mailing list
Ros-dev@reactos.org
http://www.reactos.org/mailman/listinfo/ros-dev