[ekohl] 61493: [LSASRV][MSV1_0] - Create the privilege set for the logon token based on the users group membrships. - Remove the hard-coded privilege set.
Author: ekohl Date: Thu Jan 2 20:02:33 2014 New Revision: 61493
URL: http://svn.reactos.org/svn/reactos?rev=61493&view=rev Log: [LSASRV][MSV1_0] - Create the privilege set for the logon token based on the users group membrships. - Remove the hard-coded privilege set.
Modified: trunk/reactos/dll/win32/lsasrv/authpackage.c trunk/reactos/dll/win32/msv1_0/msv1_0.c
Modified: trunk/reactos/dll/win32/lsasrv/authpackage.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/lsasrv/authpackag... ============================================================================== --- trunk/reactos/dll/win32/lsasrv/authpackage.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/lsasrv/authpackage.c [iso-8859-1] Thu Jan 2 20:02:33 2014 @@ -94,12 +94,20 @@ PLSA_AP_LOGON_USER_INTERNAL LsaApLogonUser; } AUTH_PACKAGE, *PAUTH_PACKAGE;
+VOID +NTAPI +LsaIFree_LSAPR_PRIVILEGE_SET(IN PLSAPR_PRIVILEGE_SET Ptr);
/* GLOBALS *****************************************************************/
static LIST_ENTRY PackageListHead; static ULONG PackageId; static LSA_DISPATCH_TABLE DispatchTable; + +#define CONST_LUID(x1, x2) {x1, x2} +static const LUID SeChangeNotifyPrivilege = CONST_LUID(SE_CHANGE_NOTIFY_PRIVILEGE, 0); +static const LUID SeCreateGlobalPrivilege = CONST_LUID(SE_CREATE_GLOBAL_PRIVILEGE, 0); +static const LUID SeImpersonatePrivilege = CONST_LUID(SE_IMPERSONATE_PRIVILEGE, 0);
/* FUNCTIONS ***************************************************************/ @@ -930,6 +938,137 @@ LsapLocalSystemSid);
TokenInfo1->DefaultDacl.DefaultDacl = Dacl; + } + + return STATUS_SUCCESS; +} + + +static +NTSTATUS +LsapAddPrivilegeToTokenPrivileges(PTOKEN_PRIVILEGES *TokenPrivileges, + PLSAPR_LUID_AND_ATTRIBUTES Privilege) +{ + PTOKEN_PRIVILEGES LocalPrivileges; + ULONG Length, TokenPrivilegeCount, i; + NTSTATUS Status = STATUS_SUCCESS; + + if (*TokenPrivileges == NULL) + { + Length = sizeof(TOKEN_PRIVILEGES) + + (1 - ANYSIZE_ARRAY) * sizeof(LUID_AND_ATTRIBUTES); + LocalPrivileges = RtlAllocateHeap(RtlGetProcessHeap(), + 0, + Length); + if (LocalPrivileges == NULL) + return STATUS_INSUFFICIENT_RESOURCES; + + LocalPrivileges->PrivilegeCount = 1; + LocalPrivileges->Privileges[0].Luid = Privilege->Luid; + LocalPrivileges->Privileges[0].Attributes = Privilege->Attributes; + } + else + { + TokenPrivilegeCount = (*TokenPrivileges)->PrivilegeCount; + + for (i = 0; i < TokenPrivilegeCount; i++) + { + if (RtlEqualLuid(&(*TokenPrivileges)->Privileges[i].Luid, &Privilege->Luid)) + return STATUS_SUCCESS; + } + + Length = sizeof(TOKEN_PRIVILEGES) + + (TokenPrivilegeCount + 1 - ANYSIZE_ARRAY) * sizeof(LUID_AND_ATTRIBUTES); + LocalPrivileges = RtlAllocateHeap(RtlGetProcessHeap(), + 0, + Length); + if (LocalPrivileges == NULL) + return STATUS_INSUFFICIENT_RESOURCES; + + LocalPrivileges->PrivilegeCount = TokenPrivilegeCount + 1; + for (i = 0; i < TokenPrivilegeCount; i++) + { + LocalPrivileges->Privileges[i].Luid = (*TokenPrivileges)->Privileges[i].Luid; + LocalPrivileges->Privileges[i].Attributes = (*TokenPrivileges)->Privileges[i].Attributes; + } + + LocalPrivileges->Privileges[TokenPrivilegeCount].Luid = Privilege->Luid; + LocalPrivileges->Privileges[TokenPrivilegeCount].Attributes = Privilege->Attributes; + + RtlFreeHeap(RtlGetProcessHeap(), 0, *TokenPrivileges); + } + + *TokenPrivileges = LocalPrivileges; + + return Status; +} + +static +NTSTATUS +LsapSetPrivileges( + IN PVOID TokenInformation, + IN LSA_TOKEN_INFORMATION_TYPE TokenInformationType) +{ + PLSA_TOKEN_INFORMATION_V1 TokenInfo1; + LSAPR_HANDLE PolicyHandle = NULL; + LSAPR_HANDLE AccountHandle = NULL; + PLSAPR_PRIVILEGE_SET Privileges = NULL; + ULONG i, j; + NTSTATUS Status; + + if (TokenInformationType == LsaTokenInformationV1) + { + TokenInfo1 = (PLSA_TOKEN_INFORMATION_V1)TokenInformation; + + Status = LsarOpenPolicy(NULL, + NULL, + 0, + &PolicyHandle); + if (!NT_SUCCESS(Status)) + return Status; + + for (i = 0; i < TokenInfo1->Groups->GroupCount; i++) + { + Status = LsarOpenAccount(PolicyHandle, + TokenInfo1->Groups->Groups[i].Sid, + ACCOUNT_VIEW, + &AccountHandle); + if (NT_SUCCESS(Status)) + { + Status = LsarEnumeratePrivilegesAccount(AccountHandle, + &Privileges); + if (NT_SUCCESS(Status)) + { + for (j = 0; j < Privileges->PrivilegeCount; j++) + { + Status = LsapAddPrivilegeToTokenPrivileges(&TokenInfo1->Privileges, + &(Privileges->Privilege[j])); + if (!NT_SUCCESS(Status)) + return Status; + } + + LsaIFree_LSAPR_PRIVILEGE_SET(Privileges); + Privileges = NULL; + } + } + + LsarClose(&AccountHandle); + } + + LsarClose(&PolicyHandle); + + if (TokenInfo1->Privileges != NULL) + { + for (i = 0; i < TokenInfo1->Privileges->PrivilegeCount; i++) + { + if (RtlEqualLuid(&TokenInfo1->Privileges->Privileges[i].Luid, &SeChangeNotifyPrivilege) || + RtlEqualLuid(&TokenInfo1->Privileges->Privileges[i].Luid, &SeCreateGlobalPrivilege) || + RtlEqualLuid(&TokenInfo1->Privileges->Privileges[i].Luid, &SeImpersonatePrivilege)) + { + TokenInfo1->Privileges->Privileges[i].Attributes |= SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT; + } + } + } }
return STATUS_SUCCESS; @@ -1108,6 +1247,14 @@ goto done; }
+ Status = LsapSetPrivileges(TokenInformation, + TokenInformationType); + if (!NT_SUCCESS(Status)) + { + ERR("LsapSetPrivileges() failed (Status 0x%08lx)\n", Status); + goto done; + } + if (TokenInformationType == LsaTokenInformationV1) { TokenInfo1 = (PLSA_TOKEN_INFORMATION_V1)TokenInformation;
Modified: trunk/reactos/dll/win32/msv1_0/msv1_0.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/msv1_0/msv1_0.c?r... ============================================================================== --- trunk/reactos/dll/win32/msv1_0/msv1_0.c [iso-8859-1] (original) +++ trunk/reactos/dll/win32/msv1_0/msv1_0.c [iso-8859-1] Thu Jan 2 20:02:33 2014 @@ -383,92 +383,6 @@
static NTSTATUS -BuildTokenPrivileges(PTOKEN_PRIVILEGES *TokenPrivileges) -{ - /* FIXME shouldn't use hard-coded list of privileges */ - static struct - { - LPCWSTR PrivName; - DWORD Attributes; - } - DefaultPrivs[] = - { - { L"SeMachineAccountPrivilege", 0 }, - { L"SeSecurityPrivilege", 0 }, - { L"SeTakeOwnershipPrivilege", 0 }, - { L"SeLoadDriverPrivilege", 0 }, - { L"SeSystemProfilePrivilege", 0 }, - { L"SeSystemtimePrivilege", 0 }, - { L"SeProfileSingleProcessPrivilege", 0 }, - { L"SeIncreaseBasePriorityPrivilege", 0 }, - { L"SeCreatePagefilePrivilege", 0 }, - { L"SeBackupPrivilege", 0 }, - { L"SeRestorePrivilege", 0 }, - { L"SeShutdownPrivilege", 0 }, - { L"SeDebugPrivilege", 0 }, - { L"SeSystemEnvironmentPrivilege", 0 }, - { L"SeChangeNotifyPrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { L"SeRemoteShutdownPrivilege", 0 }, - { L"SeUndockPrivilege", 0 }, - { L"SeEnableDelegationPrivilege", 0 }, - { L"SeImpersonatePrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT }, - { L"SeCreateGlobalPrivilege", SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT } - }; - PTOKEN_PRIVILEGES Privileges = NULL; - ULONG i; - RPC_UNICODE_STRING PrivilegeName; - LSAPR_HANDLE PolicyHandle = NULL; - NTSTATUS Status = STATUS_SUCCESS; - - Status = LsaIOpenPolicyTrusted(&PolicyHandle); - if (!NT_SUCCESS(Status)) - { - goto done; - } - - /* Allocate and initialize token privileges */ - Privileges = DispatchTable.AllocateLsaHeap(sizeof(TOKEN_PRIVILEGES) + - sizeof(DefaultPrivs) / sizeof(DefaultPrivs[0]) * - sizeof(LUID_AND_ATTRIBUTES)); - if (Privileges == NULL) - { - Status = STATUS_INSUFFICIENT_RESOURCES; - goto done; - } - - Privileges->PrivilegeCount = 0; - for (i = 0; i < sizeof(DefaultPrivs) / sizeof(DefaultPrivs[0]); i++) - { - PrivilegeName.Length = wcslen(DefaultPrivs[i].PrivName) * sizeof(WCHAR); - PrivilegeName.MaximumLength = PrivilegeName.Length + sizeof(WCHAR); - PrivilegeName.Buffer = (LPWSTR)DefaultPrivs[i].PrivName; - - Status = LsarLookupPrivilegeValue(PolicyHandle, - &PrivilegeName, - &Privileges->Privileges[Privileges->PrivilegeCount].Luid); - if (!NT_SUCCESS(Status)) - { - WARN("Can't set privilege %S\n", DefaultPrivs[i].PrivName); - } - else - { - Privileges->Privileges[Privileges->PrivilegeCount].Attributes = DefaultPrivs[i].Attributes; - Privileges->PrivilegeCount++; - } - } - - *TokenPrivileges = Privileges; - -done: - if (PolicyHandle != NULL) - LsarClose(&PolicyHandle); - - return Status; -} - - -static -NTSTATUS BuildTokenInformationBuffer(PLSA_TOKEN_INFORMATION_V1 *TokenInformation, PRPC_SID AccountDomainSid, PSAMPR_USER_INFO_BUFFER UserInfo) @@ -502,10 +416,6 @@
Status = BuildTokenGroups(&Buffer->Groups, (PSID)AccountDomainSid); - if (!NT_SUCCESS(Status)) - goto done; - - Status = BuildTokenPrivileges(&Buffer->Privileges); if (!NT_SUCCESS(Status)) goto done;
@@ -532,9 +442,6 @@
if (Buffer->PrimaryGroup.PrimaryGroup != NULL) DispatchTable.FreeLsaHeap(Buffer->PrimaryGroup.PrimaryGroup); - - if (Buffer->Privileges != NULL) - DispatchTable.FreeLsaHeap(Buffer->Privileges);
if (Buffer->DefaultDacl.DefaultDacl != NULL) DispatchTable.FreeLsaHeap(Buffer->DefaultDacl.DefaultDacl);
-
ekohl@svn.reactos.org