https://git.reactos.org/?p=reactos.git;a=commitdiff;h=b28530d4acf3e3909fa89e...
commit b28530d4acf3e3909fa89eda14f4945a941de0b3 Author: George Bișoc george.bisoc@reactos.org AuthorDate: Sat Mar 13 14:33:15 2021 +0100 Commit: Victor Perevertkin victor@perevertkin.ru CommitDate: Thu Mar 25 02:30:46 2021 +0300
[NTOS:SE] Set up an ACL and SD for the anonymous logon --- ntoskrnl/include/internal/se.h | 2 ++ ntoskrnl/se/acl.c | 26 ++++++++++++++++++++++++++ ntoskrnl/se/sd.c | 14 ++++++++++++++ 3 files changed, 42 insertions(+)
diff --git a/ntoskrnl/include/internal/se.h b/ntoskrnl/include/internal/se.h index 56a1287d8bf..cb812c2fbdc 100644 --- a/ntoskrnl/include/internal/se.h +++ b/ntoskrnl/include/internal/se.h @@ -187,6 +187,7 @@ extern PACL SePublicDefaultUnrestrictedDacl; extern PACL SePublicOpenDacl; extern PACL SePublicOpenUnrestrictedDacl; extern PACL SeUnrestrictedDacl; +extern PACL SeSystemAnonymousLogonDacl;
/* SDs */ extern PSECURITY_DESCRIPTOR SePublicDefaultSd; @@ -195,6 +196,7 @@ extern PSECURITY_DESCRIPTOR SePublicOpenSd; extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd; extern PSECURITY_DESCRIPTOR SeSystemDefaultSd; extern PSECURITY_DESCRIPTOR SeUnrestrictedSd; +extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd;
#define SepAcquireTokenLockExclusive(Token) \ diff --git a/ntoskrnl/se/acl.c b/ntoskrnl/se/acl.c index 25635610a16..1da423b43c2 100644 --- a/ntoskrnl/se/acl.c +++ b/ntoskrnl/se/acl.c @@ -21,6 +21,7 @@ PACL SePublicDefaultUnrestrictedDacl = NULL; PACL SePublicOpenDacl = NULL; PACL SePublicOpenUnrestrictedDacl = NULL; PACL SeUnrestrictedDacl = NULL; +PACL SeSystemAnonymousLogonDacl = NULL;
/* FUNCTIONS ******************************************************************/
@@ -217,6 +218,31 @@ SepInitDACLs(VOID) GENERIC_READ | GENERIC_EXECUTE, SeRestrictedCodeSid);
+ /* create SystemAnonymousLogonDacl */ + AclLength = sizeof(ACL) + + (sizeof(ACE) + RtlLengthSid(SeWorldSid)) + + (sizeof(ACE) + RtlLengthSid(SeAnonymousLogonSid)); + + SeSystemAnonymousLogonDacl = ExAllocatePoolWithTag(PagedPool, + AclLength, + TAG_ACL); + if (SeSystemAnonymousLogonDacl == NULL) + return FALSE; + + RtlCreateAcl(SeSystemAnonymousLogonDacl, + AclLength, + ACL_REVISION); + + RtlAddAccessAllowedAce(SeSystemAnonymousLogonDacl, + ACL_REVISION, + GENERIC_ALL, + SeWorldSid); + + RtlAddAccessAllowedAce(SeSystemAnonymousLogonDacl, + ACL_REVISION, + GENERIC_ALL, + SeAnonymousLogonSid); + return TRUE; }
diff --git a/ntoskrnl/se/sd.c b/ntoskrnl/se/sd.c index ccf17bb8388..dca0db419ff 100644 --- a/ntoskrnl/se/sd.c +++ b/ntoskrnl/se/sd.c @@ -21,6 +21,7 @@ PSECURITY_DESCRIPTOR SePublicOpenSd = NULL; PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd = NULL; PSECURITY_DESCRIPTOR SeSystemDefaultSd = NULL; PSECURITY_DESCRIPTOR SeUnrestrictedSd = NULL; +PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd = NULL;
/* PRIVATE FUNCTIONS **********************************************************/
@@ -107,6 +108,19 @@ SepInitSDs(VOID) SeUnrestrictedDacl, FALSE);
+ /* Create SystemAnonymousLogonSd */ + SeSystemAnonymousLogonSd = ExAllocatePoolWithTag(PagedPool, + sizeof(SECURITY_DESCRIPTOR), TAG_SD); + if (SeSystemAnonymousLogonSd == NULL) + return FALSE; + + RtlCreateSecurityDescriptor(SeSystemAnonymousLogonSd, + SECURITY_DESCRIPTOR_REVISION); + RtlSetDaclSecurityDescriptor(SeSystemAnonymousLogonSd, + TRUE, + SeSystemAnonymousLogonDacl, + FALSE); + return TRUE; }