[reactos] 04/05: [NTOS:SE] HACK: Temporarily add the Local group SID to the system token - Ros-diffs

4 Oct 2023

https://git.reactos.org/?p=reactos.git;a=commitdiff;h=09bfd96f3bdb8a190ddf51...
commit 09bfd96f3bdb8a190ddf51100204be19cbbc0b8c
Author:     George Bișoc george.bisoc@reactos.org
AuthorDate: Sun Oct 1 14:01:22 2023 +0200
Commit:     George Bișoc george.bisoc@reactos.org
CommitDate: Wed Oct 4 18:04:30 2023 +0200
[NTOS:SE] HACK: Temporarily add the Local group SID to the system token
Temporarily add the local group to the system token so that Virtualbox
    GA services can properly set up network drives for shared folders.
What happens is that a security descriptor has a DACL with only one ACE
    that grants access to Local SID (presumably coming from Vbox?)
    but the client token is that of the service which is a SYSTEM token.
    Perhaps we are not impersonating the right user or whatever else.
This is only a temporary placebo, until a proper solution is found.
CORE-18250
---
 ntoskrnl/se/token.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index dae5a411dff..83335415669 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -1784,12 +1784,14 @@ SepCreateSystemProcessToken(VOID)
     {
         {SeAliasAdminsSid, OwnerAttributes},
         {SeWorldSid, GroupAttributes},
-        {SeAuthenticatedUsersSid, GroupAttributes}
+        {SeAuthenticatedUsersSid, GroupAttributes},
+        {SeLocalSid, SE_GROUP_ENABLED} // HACK: Temporarily add the local group. See CORE-18250.
     };
     GroupsLength = sizeof(SID_AND_ATTRIBUTES) +
                    SeLengthSid(Groups[0].Sid) +
                    SeLengthSid(Groups[1].Sid) +
-                   SeLengthSid(Groups[2].Sid);
+                   SeLengthSid(Groups[2].Sid) +
+                   SeLengthSid(Groups[3].Sid); // HACK
     ASSERT(GroupsLength <= (sizeof(Groups) * sizeof(ULONG)));
/* Setup the privileges */

    