https://git.reactos.org/?p=reactos.git;a=commitdiff;h=b28530d4acf3e3909fa89…
commit b28530d4acf3e3909fa89eda14f4945a941de0b3
Author: George Bișoc <george.bisoc(a)reactos.org>
AuthorDate: Sat Mar 13 14:33:15 2021 +0100
Commit: Victor Perevertkin <victor(a)perevertkin.ru>
CommitDate: Thu Mar 25 02:30:46 2021 +0300
[NTOS:SE] Set up an ACL and SD for the anonymous logon
---
ntoskrnl/include/internal/se.h | 2 ++
ntoskrnl/se/acl.c | 26 ++++++++++++++++++++++++++
ntoskrnl/se/sd.c | 14 ++++++++++++++
3 files changed, 42 insertions(+)
diff --git a/ntoskrnl/include/internal/se.h b/ntoskrnl/include/internal/se.h
index 56a1287d8bf..cb812c2fbdc 100644
--- a/ntoskrnl/include/internal/se.h
+++ b/ntoskrnl/include/internal/se.h
@@ -187,6 +187,7 @@ extern PACL SePublicDefaultUnrestrictedDacl;
extern PACL SePublicOpenDacl;
extern PACL SePublicOpenUnrestrictedDacl;
extern PACL SeUnrestrictedDacl;
+extern PACL SeSystemAnonymousLogonDacl;
/* SDs */
extern PSECURITY_DESCRIPTOR SePublicDefaultSd;
@@ -195,6 +196,7 @@ extern PSECURITY_DESCRIPTOR SePublicOpenSd;
extern PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd;
extern PSECURITY_DESCRIPTOR SeSystemDefaultSd;
extern PSECURITY_DESCRIPTOR SeUnrestrictedSd;
+extern PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd;
#define SepAcquireTokenLockExclusive(Token) \
diff --git a/ntoskrnl/se/acl.c b/ntoskrnl/se/acl.c
index 25635610a16..1da423b43c2 100644
--- a/ntoskrnl/se/acl.c
+++ b/ntoskrnl/se/acl.c
@@ -21,6 +21,7 @@ PACL SePublicDefaultUnrestrictedDacl = NULL;
PACL SePublicOpenDacl = NULL;
PACL SePublicOpenUnrestrictedDacl = NULL;
PACL SeUnrestrictedDacl = NULL;
+PACL SeSystemAnonymousLogonDacl = NULL;
/* FUNCTIONS ******************************************************************/
@@ -217,6 +218,31 @@ SepInitDACLs(VOID)
GENERIC_READ | GENERIC_EXECUTE,
SeRestrictedCodeSid);
+ /* create SystemAnonymousLogonDacl */
+ AclLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(SeWorldSid)) +
+ (sizeof(ACE) + RtlLengthSid(SeAnonymousLogonSid));
+
+ SeSystemAnonymousLogonDacl = ExAllocatePoolWithTag(PagedPool,
+ AclLength,
+ TAG_ACL);
+ if (SeSystemAnonymousLogonDacl == NULL)
+ return FALSE;
+
+ RtlCreateAcl(SeSystemAnonymousLogonDacl,
+ AclLength,
+ ACL_REVISION);
+
+ RtlAddAccessAllowedAce(SeSystemAnonymousLogonDacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeWorldSid);
+
+ RtlAddAccessAllowedAce(SeSystemAnonymousLogonDacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ SeAnonymousLogonSid);
+
return TRUE;
}
diff --git a/ntoskrnl/se/sd.c b/ntoskrnl/se/sd.c
index ccf17bb8388..dca0db419ff 100644
--- a/ntoskrnl/se/sd.c
+++ b/ntoskrnl/se/sd.c
@@ -21,6 +21,7 @@ PSECURITY_DESCRIPTOR SePublicOpenSd = NULL;
PSECURITY_DESCRIPTOR SePublicOpenUnrestrictedSd = NULL;
PSECURITY_DESCRIPTOR SeSystemDefaultSd = NULL;
PSECURITY_DESCRIPTOR SeUnrestrictedSd = NULL;
+PSECURITY_DESCRIPTOR SeSystemAnonymousLogonSd = NULL;
/* PRIVATE FUNCTIONS **********************************************************/
@@ -107,6 +108,19 @@ SepInitSDs(VOID)
SeUnrestrictedDacl,
FALSE);
+ /* Create SystemAnonymousLogonSd */
+ SeSystemAnonymousLogonSd = ExAllocatePoolWithTag(PagedPool,
+ sizeof(SECURITY_DESCRIPTOR),
TAG_SD);
+ if (SeSystemAnonymousLogonSd == NULL)
+ return FALSE;
+
+ RtlCreateSecurityDescriptor(SeSystemAnonymousLogonSd,
+ SECURITY_DESCRIPTOR_REVISION);
+ RtlSetDaclSecurityDescriptor(SeSystemAnonymousLogonSd,
+ TRUE,
+ SeSystemAnonymousLogonDacl,
+ FALSE);
+
return TRUE;
}