Author: ekohl
Date: Thu Jan 2 20:02:33 2014
New Revision: 61493
URL:
http://svn.reactos.org/svn/reactos?rev=61493&view=rev
Log:
[LSASRV][MSV1_0]
- Create the privilege set for the logon token based on the user's group memberships.
- Remove the hard-coded privilege set.
Modified:
trunk/reactos/dll/win32/lsasrv/authpackage.c
trunk/reactos/dll/win32/msv1_0/msv1_0.c
Modified: trunk/reactos/dll/win32/lsasrv/authpackage.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/authpacka…
==============================================================================
--- trunk/reactos/dll/win32/lsasrv/authpackage.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/lsasrv/authpackage.c [iso-8859-1] Thu Jan 2 20:02:33 2014
@@ -94,12 +94,20 @@
PLSA_AP_LOGON_USER_INTERNAL LsaApLogonUser;
} AUTH_PACKAGE, *PAUTH_PACKAGE;
+VOID
+NTAPI
+LsaIFree_LSAPR_PRIVILEGE_SET(IN PLSAPR_PRIVILEGE_SET Ptr);
/* GLOBALS *****************************************************************/
static LIST_ENTRY PackageListHead;
static ULONG PackageId;
static LSA_DISPATCH_TABLE DispatchTable;
+
+#define CONST_LUID(x1, x2) {x1, x2}
+static const LUID SeChangeNotifyPrivilege = CONST_LUID(SE_CHANGE_NOTIFY_PRIVILEGE, 0);
+static const LUID SeCreateGlobalPrivilege = CONST_LUID(SE_CREATE_GLOBAL_PRIVILEGE, 0);
+static const LUID SeImpersonatePrivilege = CONST_LUID(SE_IMPERSONATE_PRIVILEGE, 0);
/* FUNCTIONS ***************************************************************/
@@ -930,6 +938,137 @@
LsapLocalSystemSid);
TokenInfo1->DefaultDacl.DefaultDacl = Dacl;
+ }
+
+ return STATUS_SUCCESS;
+}
+
+
+static
+NTSTATUS
+LsapAddPrivilegeToTokenPrivileges(PTOKEN_PRIVILEGES *TokenPrivileges,
+ PLSAPR_LUID_AND_ATTRIBUTES Privilege)
+{
+ PTOKEN_PRIVILEGES LocalPrivileges;
+ ULONG Length, TokenPrivilegeCount, i;
+ NTSTATUS Status = STATUS_SUCCESS;
+
+ if (*TokenPrivileges == NULL)
+ {
+ Length = sizeof(TOKEN_PRIVILEGES) +
+ (1 - ANYSIZE_ARRAY) * sizeof(LUID_AND_ATTRIBUTES);
+ LocalPrivileges = RtlAllocateHeap(RtlGetProcessHeap(),
+ 0,
+ Length);
+ if (LocalPrivileges == NULL)
+ return STATUS_INSUFFICIENT_RESOURCES;
+
+ LocalPrivileges->PrivilegeCount = 1;
+ LocalPrivileges->Privileges[0].Luid = Privilege->Luid;
+ LocalPrivileges->Privileges[0].Attributes = Privilege->Attributes;
+ }
+ else
+ {
+ TokenPrivilegeCount = (*TokenPrivileges)->PrivilegeCount;
+
+ for (i = 0; i < TokenPrivilegeCount; i++)
+ {
+ if (RtlEqualLuid(&(*TokenPrivileges)->Privileges[i].Luid,
&Privilege->Luid))
+ return STATUS_SUCCESS;
+ }
+
+ Length = sizeof(TOKEN_PRIVILEGES) +
+ (TokenPrivilegeCount + 1 - ANYSIZE_ARRAY) *
sizeof(LUID_AND_ATTRIBUTES);
+ LocalPrivileges = RtlAllocateHeap(RtlGetProcessHeap(),
+ 0,
+ Length);
+ if (LocalPrivileges == NULL)
+ return STATUS_INSUFFICIENT_RESOURCES;
+
+ LocalPrivileges->PrivilegeCount = TokenPrivilegeCount + 1;
+ for (i = 0; i < TokenPrivilegeCount; i++)
+ {
+ LocalPrivileges->Privileges[i].Luid =
(*TokenPrivileges)->Privileges[i].Luid;
+ LocalPrivileges->Privileges[i].Attributes =
(*TokenPrivileges)->Privileges[i].Attributes;
+ }
+
+ LocalPrivileges->Privileges[TokenPrivilegeCount].Luid = Privilege->Luid;
+ LocalPrivileges->Privileges[TokenPrivilegeCount].Attributes =
Privilege->Attributes;
+
+ RtlFreeHeap(RtlGetProcessHeap(), 0, *TokenPrivileges);
+ }
+
+ *TokenPrivileges = LocalPrivileges;
+
+ return Status;
+}
+
+static
+NTSTATUS
+LsapSetPrivileges(
+ IN PVOID TokenInformation,
+ IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType)
+{
+ PLSA_TOKEN_INFORMATION_V1 TokenInfo1;
+ LSAPR_HANDLE PolicyHandle = NULL;
+ LSAPR_HANDLE AccountHandle = NULL;
+ PLSAPR_PRIVILEGE_SET Privileges = NULL;
+ ULONG i, j;
+ NTSTATUS Status;
+
+ if (TokenInformationType == LsaTokenInformationV1)
+ {
+ TokenInfo1 = (PLSA_TOKEN_INFORMATION_V1)TokenInformation;
+
+ Status = LsarOpenPolicy(NULL,
+ NULL,
+ 0,
+ &PolicyHandle);
+ if (!NT_SUCCESS(Status))
+ return Status;
+
+ for (i = 0; i < TokenInfo1->Groups->GroupCount; i++)
+ {
+ Status = LsarOpenAccount(PolicyHandle,
+ TokenInfo1->Groups->Groups[i].Sid,
+ ACCOUNT_VIEW,
+ &AccountHandle);
+ if (NT_SUCCESS(Status))
+ {
+ Status = LsarEnumeratePrivilegesAccount(AccountHandle,
+ &Privileges);
+ if (NT_SUCCESS(Status))
+ {
+ for (j = 0; j < Privileges->PrivilegeCount; j++)
+ {
+ Status =
LsapAddPrivilegeToTokenPrivileges(&TokenInfo1->Privileges,
+
&(Privileges->Privilege[j]));
+ if (!NT_SUCCESS(Status))
+ return Status;
+ }
+
+ LsaIFree_LSAPR_PRIVILEGE_SET(Privileges);
+ Privileges = NULL;
+ }
+ }
+
+ LsarClose(&AccountHandle);
+ }
+
+ LsarClose(&PolicyHandle);
+
+ if (TokenInfo1->Privileges != NULL)
+ {
+ for (i = 0; i < TokenInfo1->Privileges->PrivilegeCount; i++)
+ {
+ if (RtlEqualLuid(&TokenInfo1->Privileges->Privileges[i].Luid,
&SeChangeNotifyPrivilege) ||
+ RtlEqualLuid(&TokenInfo1->Privileges->Privileges[i].Luid,
&SeCreateGlobalPrivilege) ||
+ RtlEqualLuid(&TokenInfo1->Privileges->Privileges[i].Luid,
&SeImpersonatePrivilege))
+ {
+ TokenInfo1->Privileges->Privileges[i].Attributes |=
SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT;
+ }
+ }
+ }
}
return STATUS_SUCCESS;
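Review bot: The `return Status;` taken when LsapAddPrivilegeToTokenPrivileges fails inside the inner loop of LsapSetPrivileges exits without releasing `Privileges`, `AccountHandle` or `PolicyHandle`, so each failure leaks a privilege set and two policy handles inside the LSA server process. Release them on that path, e.g. `LsaIFree_LSAPR_PRIVILEGE_SET(Privileges); LsarClose(&AccountHandle); LsarClose(&PolicyHandle);` ahead of the `return`. `LsarClose(&AccountHandle)` is also reached when LsarOpenAccount failed, so it belongs inside the `NT_SUCCESS(Status)` branch. The outer loop dereferences `TokenInfo1->Groups` without a NULL check and consults only group SIDs. Whether the user's own SID is expected to be in that list is not visible here, so a comment stating that intent would help, since privileges assigned directly to the account would otherwise never reach the token.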
@@ -1108,6 +1247,14 @@
goto done;
}
+ Status = LsapSetPrivileges(TokenInformation,
+ TokenInformationType);
+ if (!NT_SUCCESS(Status))
+ {
+ ERR("LsapSetPrivileges() failed (Status 0x%08lx)\n", Status);
+ goto done;
+ }
+
if (TokenInformationType == LsaTokenInformationV1)
{
TokenInfo1 = (PLSA_TOKEN_INFORMATION_V1)TokenInformation;
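Review bot: The call added here passes the package-supplied `TokenInformation` to code that allocates `TokenInfo1->Privileges` with `RtlAllocateHeap(RtlGetProcessHeap(), ...)` and frees any earlier buffer with `RtlFreeHeap`, while the msv1_0 side of this commit manages the other token-information members through `DispatchTable.AllocateLsaHeap`/`FreeLsaHeap`. Whether those are the same heap is not visible in this diff; if they are not, a package that still pre-populates `Privileges`, or the cleanup that later frees the structure, would mix allocators. The `*TokenPrivileges == NULL` test also relies on the package leaving the field zeroed now that msv1_0 no longer sets it. I would document the contract at the call, e.g. `/* Privileges must be NULL on entry; lsasrv owns it from here (process heap) */`, and check that the `done:` path frees a partially built list. The enclosing function begins and ends outside this hunk.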
Modified: trunk/reactos/dll/win32/msv1_0/msv1_0.c
URL:
http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msv1_0/msv1_0.c?…
==============================================================================
--- trunk/reactos/dll/win32/msv1_0/msv1_0.c [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/msv1_0/msv1_0.c [iso-8859-1] Thu Jan 2 20:02:33 2014
@@ -383,92 +383,6 @@
static
NTSTATUS
-BuildTokenPrivileges(PTOKEN_PRIVILEGES *TokenPrivileges)
-{
- /* FIXME shouldn't use hard-coded list of privileges */
- static struct
- {
- LPCWSTR PrivName;
- DWORD Attributes;
- }
- DefaultPrivs[] =
- {
- { L"SeMachineAccountPrivilege", 0 },
- { L"SeSecurityPrivilege", 0 },
- { L"SeTakeOwnershipPrivilege", 0 },
- { L"SeLoadDriverPrivilege", 0 },
- { L"SeSystemProfilePrivilege", 0 },
- { L"SeSystemtimePrivilege", 0 },
- { L"SeProfileSingleProcessPrivilege", 0 },
- { L"SeIncreaseBasePriorityPrivilege", 0 },
- { L"SeCreatePagefilePrivilege", 0 },
- { L"SeBackupPrivilege", 0 },
- { L"SeRestorePrivilege", 0 },
- { L"SeShutdownPrivilege", 0 },
- { L"SeDebugPrivilege", 0 },
- { L"SeSystemEnvironmentPrivilege", 0 },
- { L"SeChangeNotifyPrivilege", SE_PRIVILEGE_ENABLED |
SE_PRIVILEGE_ENABLED_BY_DEFAULT },
- { L"SeRemoteShutdownPrivilege", 0 },
- { L"SeUndockPrivilege", 0 },
- { L"SeEnableDelegationPrivilege", 0 },
- { L"SeImpersonatePrivilege", SE_PRIVILEGE_ENABLED |
SE_PRIVILEGE_ENABLED_BY_DEFAULT },
- { L"SeCreateGlobalPrivilege", SE_PRIVILEGE_ENABLED |
SE_PRIVILEGE_ENABLED_BY_DEFAULT }
- };
- PTOKEN_PRIVILEGES Privileges = NULL;
- ULONG i;
- RPC_UNICODE_STRING PrivilegeName;
- LSAPR_HANDLE PolicyHandle = NULL;
- NTSTATUS Status = STATUS_SUCCESS;
-
- Status = LsaIOpenPolicyTrusted(&PolicyHandle);
- if (!NT_SUCCESS(Status))
- {
- goto done;
- }
-
- /* Allocate and initialize token privileges */
- Privileges = DispatchTable.AllocateLsaHeap(sizeof(TOKEN_PRIVILEGES) +
- sizeof(DefaultPrivs) /
sizeof(DefaultPrivs[0]) *
- sizeof(LUID_AND_ATTRIBUTES));
- if (Privileges == NULL)
- {
- Status = STATUS_INSUFFICIENT_RESOURCES;
- goto done;
- }
-
- Privileges->PrivilegeCount = 0;
- for (i = 0; i < sizeof(DefaultPrivs) / sizeof(DefaultPrivs[0]); i++)
- {
- PrivilegeName.Length = wcslen(DefaultPrivs[i].PrivName) * sizeof(WCHAR);
- PrivilegeName.MaximumLength = PrivilegeName.Length + sizeof(WCHAR);
- PrivilegeName.Buffer = (LPWSTR)DefaultPrivs[i].PrivName;
-
- Status = LsarLookupPrivilegeValue(PolicyHandle,
- &PrivilegeName,
-
&Privileges->Privileges[Privileges->PrivilegeCount].Luid);
- if (!NT_SUCCESS(Status))
- {
- WARN("Can't set privilege %S\n", DefaultPrivs[i].PrivName);
- }
- else
- {
- Privileges->Privileges[Privileges->PrivilegeCount].Attributes =
DefaultPrivs[i].Attributes;
- Privileges->PrivilegeCount++;
- }
- }
-
- *TokenPrivileges = Privileges;
-
-done:
- if (PolicyHandle != NULL)
- LsarClose(&PolicyHandle);
-
- return Status;
-}
-
-
-static
-NTSTATUS
BuildTokenInformationBuffer(PLSA_TOKEN_INFORMATION_V1 *TokenInformation,
PRPC_SID AccountDomainSid,
PSAMPR_USER_INFO_BUFFER UserInfo)
@@ -502,10 +416,6 @@
Status = BuildTokenGroups(&Buffer->Groups,
(PSID)AccountDomainSid);
- if (!NT_SUCCESS(Status))
- goto done;
-
- Status = BuildTokenPrivileges(&Buffer->Privileges);
if (!NT_SUCCESS(Status))
goto done;
@@ -532,9 +442,6 @@
if (Buffer->PrimaryGroup.PrimaryGroup != NULL)
DispatchTable.FreeLsaHeap(Buffer->PrimaryGroup.PrimaryGroup);
-
- if (Buffer->Privileges != NULL)
- DispatchTable.FreeLsaHeap(Buffer->Privileges);
if (Buffer->DefaultDacl.DefaultDacl != NULL)
DispatchTable.FreeLsaHeap(Buffer->DefaultDacl.DefaultDacl);