https://git.reactos.org/?p=reactos.git;a=commitdiff;h=fe0f9d8646083e367b402e...
commit fe0f9d8646083e367b402e6e709b39d6785af6b3 Author: George Bișoc george.bisoc@reactos.org AuthorDate: Sat Mar 13 20:11:58 2021 +0100 Commit: Victor Perevertkin victor@perevertkin.ru CommitDate: Thu Mar 25 02:30:46 2021 +0300
[NTOS:SE] Implement SepCreateSystemAnonymousLogonToken and SepCreateSystemAnonymousLogonTokenNoEveryone functions
These private functions are needed to set up two different kinds of system anonymous logon tokens: one that includes the Everyone group and one that doesn't. These functions are the next step towards implementing the NtImpersonateAnonymousToken system call. --- ntoskrnl/include/internal/se.h | 6 ++ ntoskrnl/se/token.c | 140 +++++++++++++++++++++++++++++++++++++++-- 2 files changed, 140 insertions(+), 6 deletions(-)
diff --git a/ntoskrnl/include/internal/se.h b/ntoskrnl/include/internal/se.h
index cb812c2fbdc..8f73dce719c 100644
--- a/ntoskrnl/include/internal/se.h
+++ b/ntoskrnl/include/internal/se.h
@@ -335,6 +335,12 @@ PTOKEN NTAPI SepCreateSystemProcessToken(VOID);
+PTOKEN
+SepCreateSystemAnonymousLogonToken(VOID);
+
+PTOKEN
+SepCreateSystemAnonymousLogonTokenNoEveryone(VOID);
+
 BOOLEAN NTAPI SeDetailedAuditingWithToken(IN PTOKEN Token);
diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index 872e5e15d0d..bd56397225f 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -1,10 +1,9 @@
 /*
- * COPYRIGHT: See COPYING in the top level directory
- * PROJECT: ReactOS kernel
- * FILE: ntoskrnl/se/token.c
- * PURPOSE: Security manager
- *
- * PROGRAMMERS: David Welch welch@cwcom.net
+ * PROJECT: ReactOS Kernel
+ * LICENSE: GPL-2.0-or-later (https://spdx.org/licenses/GPL-2.0-or-later)
+ * PURPOSE: Security token implementation support
+ * COPYRIGHT: Copyright David Welch welch@cwcom.net
+ * Copyright 2021 George Bișoc george.bisoc@reactos.org
 */
/* INCLUDES *******************************************************************/
@@ -1530,6 +1529,135 @@ SepCreateSystemProcessToken(VOID)
 return Token;
 }
+/**
+ * @brief
+ * Creates the anonymous logon token for the system. The difference between this
+ * token and the other one is the inclusion of everyone SID group (being SeWorldSid).
+ * The other token lacks such group.
+ *
+ * @return
+ * Returns the system's anonymous logon token if the operations have
+ * completed successfully.
+ */
+CODE_SEG("INIT")
+PTOKEN
+SepCreateSystemAnonymousLogonToken(VOID)
+{
+ SID_AND_ATTRIBUTES Groups[32], UserSid;
+ PSID PrimaryGroup;
+ PTOKEN Token;
+ ULONG GroupsLength;
+ LARGE_INTEGER Expiration;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ NTSTATUS Status;
+
+ /* The token never expires */
+ Expiration.QuadPart = -1;
+
+ /* The user is the anonymous logon */
+ UserSid.Sid = SeAnonymousLogonSid;
+ UserSid.Attributes = 0;
+
+ /* The primary group is also the anonymous logon */
+ PrimaryGroup = SeAnonymousLogonSid;
+
+ /* The only group for the token is the World */
+ Groups[0].Sid = SeWorldSid;
+ Groups[0].Attributes = SE_GROUP_ENABLED | SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT;
+ GroupsLength = sizeof(SID_AND_ATTRIBUTES) +
+ SeLengthSid(Groups[0].Sid);
+ ASSERT(GroupsLength <= sizeof(Groups));
+
+ /* Initialise the object attributes for the token */
+ InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
+ ASSERT(SeSystemAnonymousLogonDacl != NULL);
+
+ /* Create token */
+ Status = SepCreateToken((PHANDLE)&Token,
+ KernelMode,
+ 0,
+ &ObjectAttributes,
+ TokenPrimary,
+ SecurityAnonymous,
+ &SeAnonymousAuthenticationId,
+ &Expiration,
+ &UserSid,
+ 1,
+ Groups,
+ GroupsLength,
+ 0,
+ NULL,
+ NULL,
+ PrimaryGroup,
+ SeSystemAnonymousLogonDacl,
+ &SeSystemTokenSource,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+
+ /* Return the anonymous logon token */
+ return Token;
+}
+
+/**
+ * @brief
+ * Creates the anonymous logon token for the system. This kind of token
+ * doesn't include the everyone SID group (being SeWorldSid).
+ *
+ * @return
+ * Returns the system's anonymous logon token if the operations have
+ * completed successfully.
+ */
+CODE_SEG("INIT")
+PTOKEN
+SepCreateSystemAnonymousLogonTokenNoEveryone(VOID)
+{
+ SID_AND_ATTRIBUTES UserSid;
+ PSID PrimaryGroup;
+ PTOKEN Token;
+ LARGE_INTEGER Expiration;
+ OBJECT_ATTRIBUTES ObjectAttributes;
+ NTSTATUS Status;
+
+ /* The token never expires */
+ Expiration.QuadPart = -1;
+
+ /* The user is the anonymous logon */
+ UserSid.Sid = SeAnonymousLogonSid;
+ UserSid.Attributes = 0;
+
+ /* The primary group is also the anonymous logon */
+ PrimaryGroup = SeAnonymousLogonSid;
+
+ /* Initialise the object attributes for the token */
+ InitializeObjectAttributes(&ObjectAttributes, NULL, 0, NULL, NULL);
+ ASSERT(SeSystemAnonymousLogonDacl != NULL);
+
+ /* Create token */
+ Status = SepCreateToken((PHANDLE)&Token,
+ KernelMode,
+ 0,
+ &ObjectAttributes,
+ TokenPrimary,
+ SecurityAnonymous,
+ &SeAnonymousAuthenticationId,
+ &Expiration,
+ &UserSid,
+ 0,
+ NULL,
+ 0,
+ 0,
+ NULL,
+ NULL,
+ PrimaryGroup,
+ SeSystemAnonymousLogonDacl,
+ &SeSystemTokenSource,
+ TRUE);
+ ASSERT(Status == STATUS_SUCCESS);
+
+ /* Return the anonymous (not including everyone) logon token */
+ return Token;
+}
+
 /* PUBLIC FUNCTIONS ***********************************************************/
/*
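Review bot: In SepCreateSystemAnonymousLogonToken, `Token` is declared without an initialiser and the only check on SepCreateToken's result is `ASSERT(Status == STATUS_SUCCESS);`, so in a build where ASSERT compiles to nothing a failed call would return an indeterminate pointer; SepCreateSystemAnonymousLogonTokenNoEveryone follows the same pattern. I would declare `PTOKEN Token = NULL;`, follow the call with `if (!NT_SUCCESS(Status)) return NULL;`, and extend the `@return` text to say that NULL is returned on failure so the caller can stop initialisation explicitly. The same concern applies to `ASSERT(SeSystemAnonymousLogonDacl != NULL);`: that global is handed straight to SepCreateToken (presumably as the token's default DACL), and whether SepCreateToken rejects a NULL there is not visible in this hunk, so a real check before the call would be safer than a debug-only assertion for a token that represents anonymous callers.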