24 Mar
2021
24 Mar
'21
11:30 p.m.
https://git.reactos.org/?p=reactos.git;a=commitdiff;h=fe0f9d8646083e367b402…
commit fe0f9d8646083e367b402e6e709b39d6785af6b3
Author: George Bișoc <george.bisoc(a)reactos.org>
AuthorDate: Sat Mar 13 20:11:58 2021 +0100
Commit: Victor Perevertkin <victor(a)perevertkin.ru>
CommitDate: Thu Mar 25 02:30:46 2021 +0300
[NTOS:SE] Implement SepCreateSystemAnonymousLogonToken and
SepCreateSystemAnonymousLogonTokenNoEveryone functions
These private functions are needed to set up two different kinds of system's
anonymous logon tokens: one that includes everyone in the group and the other that
doesn't. These functions are needed as next step closer to the
implementation of NtImpersonateAnonymousToken system call.
---
ntoskrnl/include/internal/se.h | 6 ++
ntoskrnl/se/token.c | 140 +++++++++++++++++++++++++++++++++++++++--
2 files changed, 140 insertions(+), 6 deletions(-)
diff --git a/ntoskrnl/include/internal/se.h b/ntoskrnl/include/internal/se.h
index cb812c2fbdc..8f73dce719c 100644
--- a/ntoskrnl/include/internal/se.h
+++ b/ntoskrnl/include/internal/se.h
@@ -335,6 +335,12 @@ PTOKEN
NTAPI
SepCreateSystemProcessToken(VOID);
+PTOKEN
+SepCreateSystemAnonymousLogonToken(VOID);
+
+PTOKEN
+SepCreateSystemAnonymousLogonTokenNoEveryone(VOID);
+
BOOLEAN
NTAPI
SeDetailedAuditingWithToken(IN PTOKEN Token);
diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index 872e5e15d0d..bd56397225f 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -1,10 +1,9 @@
/*
- * COPYRIGHT: See COPYING in the top level directory
- * PROJECT: ReactOS kernel
- * FILE: ntoskrnl/se/token.c
- * PURPOSE: Security manager
- *
- * PROGRAMMERS: David Welch <welch(a)cwcom.net>
+ * PROJECT: ReactOS Kernel
+ * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
+ * PURPOSE: Security token implementation support
+ * COPYRIGHT: Copyright David Welch <welch(a)cwcom.net>
+ * Copyright 2021 George Bișoc <george.bisoc(a)reactos.org>
*/
/* INCLUDES *******************************************************************/
@@ -1530,6 +1529,135 @@ SepCreateSystemProcessToken(VOID)
return Token;
}
+/**
+ * @brief
+ * Creates the anonymous logon token for the system. The difference between this
+ * token and the other one is the inclusion of everyone SID group (being SeWorldSid).
+ * The other token lacks such group.
+ *
+ * @return
+ * Returns the system's anonymous logon token if the operations have
+ * completed successfully.
+ */
+CODE_SEG("INIT")
+PTOKEN
+SepCreateSystemAnonymousLogonToken(VOID)
+{
+ SID_AND_ATTRIBUTES Groups[32], UserSid;
+ PSID PrimaryGroup;
+ PTOKEN Token;
+ ULONG GroupsLength;
+ LARGE_INTEGER Expiration;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ NTSTATUS Status;
+
+ /* The token never expires */
+ Expiration.QuadPart = -1;
+
+ /* The user is the anonymous logon */
+ UserSid.Sid = SeAnonymousLogonSid;
+ UserSid.Attributes = 0;
+
+ /* The primary group is also the anonymous logon */
+ PrimaryGroup = SeAnonymousLogonSid;
+
+ /* The only group for the token is the World */
+ Groups[0].Sid = SeWorldSid;
+ Groups[0].Attributes = SE_GROUP_ENABLED | SE_GROUP_MANDATORY |
SE_GROUP_ENABLED_BY_DEFAULT;
+ GroupsLength = sizeof(SID_AND_ATTRIBUTES) +
+ SeLengthSid(Groups[0].Sid);
+ ASSERT(GroupsLength <= sizeof(Groups));
+
+ /* Initialise the object attributes for the token */
+ InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
+ ASSERT(SeSystemAnonymousLogonDacl != NULL);
+
+ /* Create token */
+ Status = SepCreateToken((PHANDLE)&Token,
+ KernelMode,
+ 0,
+ &ObjectAttributes,
+ TokenPrimary,
+ SecurityAnonymous,
+ &SeAnonymousAuthenticationId,
+ &Expiration,
+ &UserSid,
+ 1,
+ Groups,
+ GroupsLength,
+ 0,
+ NULL,
+ NULL,
+ PrimaryGroup,
+ SeSystemAnonymousLogonDacl,
+ &SeSystemTokenSource,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+
+ /* Return the anonymous logon token */
+ return Token;
+}
+
+/**
+ * @brief
+ * Creates the anonymous logon token for the system. This kind of token
+ * doesn't include the everyone SID group (being SeWorldSid).
+ *
+ * @return
+ * Returns the system's anonymous logon token if the operations have
+ * completed successfully.
+ */
+CODE_SEG("INIT")
+PTOKEN
+SepCreateSystemAnonymousLogonTokenNoEveryone(VOID)
+{
+ SID_AND_ATTRIBUTES UserSid;
+ PSID PrimaryGroup;
+ PTOKEN Token;
+ LARGE_INTEGER Expiration;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ NTSTATUS Status;
+
+ /* The token never expires */
+ Expiration.QuadPart = -1;
+
+ /* The user is the anonymous logon */
+ UserSid.Sid = SeAnonymousLogonSid;
+ UserSid.Attributes = 0;
+
+ /* The primary group is also the anonymous logon */
+ PrimaryGroup = SeAnonymousLogonSid;
+
+ /* Initialise the object attributes for the token */
+ InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
+ ASSERT(SeSystemAnonymousLogonDacl != NULL);
+
+ /* Create token */
+ Status = SepCreateToken((PHANDLE)&Token,
+ KernelMode,
+ 0,
+ &ObjectAttributes,
+ TokenPrimary,
+ SecurityAnonymous,
+ &SeAnonymousAuthenticationId,
+ &Expiration,
+ &UserSid,
+ 0,
+ NULL,
+ 0,
+ 0,
+ NULL,
+ NULL,
+ PrimaryGroup,
+ SeSystemAnonymousLogonDacl,
+ &SeSystemTokenSource,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+
+ /* Return the anonymous (not including everyone) logon token */
+ return Token;
+}
+
/* PUBLIC FUNCTIONS ***********************************************************/
/*