https://git.reactos.org/?p=reactos.git;a=commitdiff;h=8abbdd28080615ffc1bf6…
commit 8abbdd28080615ffc1bf6e39ae227a43605d11da
Author: Eric Kohl <eric.kohl(a)reactos.org>
AuthorDate: Sun Aug 4 22:30:40 2019 +0200
Commit: Eric Kohl <eric.kohl(a)reactos.org>
CommitDate: Sun Aug 4 22:30:40 2019 +0200
[SERVICES] Use a proper security descriptor for the control pipes
---
base/system/services/database.c | 7 +++-
base/system/services/security.c | 91 ++++++++++++++++++++++++++++++++++++++++-
base/system/services/services.h | 1 +
3 files changed, 97 insertions(+), 2 deletions(-)
diff --git a/base/system/services/database.c b/base/system/services/database.c
index 460b74886a5..7c41c54eb9f 100644
--- a/base/system/services/database.c
+++ b/base/system/services/database.c
@@ -44,6 +44,7 @@ static DWORD
ScmCreateNewControlPipe(PSERVICE_IMAGE pServiceImage)
{
WCHAR szControlPipeName[MAX_PATH + 1];
+ SECURITY_ATTRIBUTES SecurityAttributes;
HKEY hServiceCurrentKey = INVALID_HANDLE_VALUE;
DWORD ServiceCurrent = 0;
DWORD KeyDisposition;
@@ -97,6 +98,10 @@ ScmCreateNewControlPipe(PSERVICE_IMAGE pServiceImage)
DPRINT("PipeName: %S\n", szControlPipeName);
+ SecurityAttributes.nLength = sizeof(SecurityAttributes);
+ SecurityAttributes.lpSecurityDescriptor = pPipeSD;
+ SecurityAttributes.bInheritHandle = FALSE;
+
pServiceImage->hControlPipe = CreateNamedPipeW(szControlPipeName,
PIPE_ACCESS_DUPLEX |
FILE_FLAG_OVERLAPPED,
PIPE_TYPE_MESSAGE |
PIPE_READMODE_MESSAGE | PIPE_WAIT,
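Review bot: `SecurityAttributes.lpSecurityDescriptor = pPipeSD;` uses the exported global without checking it. If pPipeSD is still NULL at this point, CreateNamedPipeW assigns the default security descriptor and the pipe is created with no sign that the intended DACL was not applied. Whether this code can be reached after ScmInitializeSecurity has failed is not visible in the hunk, so an `ASSERT(pPipeSD != NULL);` or an early error return before the call would make the dependency explicit. ScmCreateNewControlPipe begins and ends outside the hunk.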
@@ -104,7 +109,7 @@ ScmCreateNewControlPipe(PSERVICE_IMAGE pServiceImage)
8000,
4,
PipeTimeout,
- NULL);
+ &SecurityAttributes);
DPRINT("CreateNamedPipeW(%S) done\n", szControlPipeName);
if (pServiceImage->hControlPipe == INVALID_HANDLE_VALUE)
{
diff --git a/base/system/services/security.c b/base/system/services/security.c
index b6a54694143..b2639e95a20 100644
--- a/base/system/services/security.c
+++ b/base/system/services/security.c
@@ -14,14 +14,17 @@
#include <debug.h>
static PSID pNullSid = NULL;
+static PSID pWorldSid = NULL;
static PSID pLocalSystemSid = NULL;
static PSID pAuthenticatedUserSid = NULL;
static PSID pAliasAdminsSid = NULL;
static PACL pDefaultDacl = NULL;
static PACL pDefaultSacl = NULL;
+static PACL pPipeDacl = NULL;
static PSECURITY_DESCRIPTOR pDefaultSD = NULL;
+PSECURITY_DESCRIPTOR pPipeSD = NULL;
/* FUNCTIONS ****************************************************************/
@@ -33,6 +36,9 @@ ScmFreeSids(VOID)
if (pNullSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, pNullSid);
+ if (pWorldSid != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, pWorldSid);
+
if (pLocalSystemSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, pLocalSystemSid);
@@ -41,7 +47,6 @@ ScmFreeSids(VOID)
if (pAliasAdminsSid != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, pAliasAdminsSid);
-
}
@@ -66,6 +71,17 @@ ScmCreateSids(VOID)
pSubAuthority = RtlSubAuthoritySid(pNullSid, 0);
*pSubAuthority = SECURITY_NULL_RID;
+ /* Create the World SID */
+ pWorldSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
+ if (pWorldSid == NULL)
+ {
+ return ERROR_OUTOFMEMORY;
+ }
+
+ RtlInitializeSid(pWorldSid, &NullAuthority, 1);
+ pSubAuthority = RtlSubAuthoritySid(pWorldSid, 0);
+ *pSubAuthority = SECURITY_WORLD_RID;
+
/* Create the LocalSystem SID */
pLocalSystemSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
if (pLocalSystemSid == NULL)
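Review bot: `RtlInitializeSid(pWorldSid, &NullAuthority, 1);` builds the new SID under the same authority as the Null SID created just above, and SECURITY_WORLD_RID and SECURITY_NULL_RID are both 0, so pWorldSid would come out as S-1-0-0 rather than the World SID S-1-1-0. The definition of NullAuthority is outside the hunk, so this assumes it holds SECURITY_NULL_SID_AUTHORITY as its name suggests. A separate `static SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};` passed here as `&WorldAuthority` would give the intended SID. As written, any ACL built from pWorldSid names a SID that is not Everyone, so the resulting access would differ from what the pipe DACL is meant to express. ScmCreateSids starts and ends outside this hunk.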
@@ -158,6 +174,21 @@ ScmCreateAcls(VOID)
FALSE,
TRUE);
+ /* Create the pipe DACL */
+ ulLength = sizeof(ACL) +
+ (sizeof(ACE) + RtlLengthSid(pWorldSid));
+
+ pPipeDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
+ if (pPipeDacl == NULL)
+ return ERROR_OUTOFMEMORY;
+
+ RtlCreateAcl(pPipeDacl, ulLength, ACL_REVISION);
+
+ RtlAddAccessAllowedAce(pPipeDacl,
+ ACL_REVISION,
+ GENERIC_ALL,
+ pWorldSid);
+
return ERROR_SUCCESS;
}
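Review bot: The ACE added with `GENERIC_ALL` for pWorldSid gives every principal matching that SID full control of the control pipe, including WRITE_DAC and WRITE_OWNER, which is more than a pipe client needs to exchange messages. A mask limited to the client's read and write rights, for example `GENERIC_READ | GENERIC_WRITE`, or an ACE for a narrower SID such as the file's existing pAuthenticatedUserSid, would be closer to least privilege; the hunk does not show which accounts must connect, so the exact mask needs confirming against the service-side client. The NTSTATUS results of `RtlCreateAcl` and `RtlAddAccessAllowedAce` are also discarded, so a failed add would leave an empty DACL while the function still returns ERROR_SUCCESS. Checking both with `if (!NT_SUCCESS(Status)) return RtlNtStatusToDosError(Status);` would surface that. ScmCreateAcls starts outside the hunk.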
@@ -171,6 +202,9 @@ ScmFreeAcls(VOID)
if (pDefaultSacl != NULL)
RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl);
+
+ if (pPipeDacl != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeDacl);
}
@@ -231,6 +265,56 @@ ScmFreeDefaultSD(VOID)
}
+static
+DWORD
+ScmCreatePipeSD(VOID)
+{
+ NTSTATUS Status;
+
+ /* Create the absolute security descriptor */
+ pPipeSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY,
sizeof(SECURITY_DESCRIPTOR));
+ if (pPipeSD == NULL)
+ return ERROR_OUTOFMEMORY;
+
+ DPRINT("pPipeSD %p\n", pDefaultSD);
+
+ Status = RtlCreateSecurityDescriptor(pPipeSD,
+ SECURITY_DESCRIPTOR_REVISION);
+ if (!NT_SUCCESS(Status))
+ return RtlNtStatusToDosError(Status);
+
+ Status = RtlSetOwnerSecurityDescriptor(pPipeSD,
+ pLocalSystemSid,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ return RtlNtStatusToDosError(Status);
+
+ Status = RtlSetGroupSecurityDescriptor(pPipeSD,
+ pLocalSystemSid,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ return RtlNtStatusToDosError(Status);
+
+ Status = RtlSetDaclSecurityDescriptor(pPipeSD,
+ TRUE,
+ pPipeDacl,
+ FALSE);
+ if (!NT_SUCCESS(Status))
+ return RtlNtStatusToDosError(Status);
+
+ return ERROR_SUCCESS;
+}
+
+
+static
+VOID
+ScmFreePipeSD(VOID)
+{
+ if (pPipeSD != NULL)
+ RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD);
+}
+
+
DWORD
ScmCreateDefaultServiceSD(
PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
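Review bot: The debug line `DPRINT("pPipeSD %p\n", pDefaultSD);` prints the wrong global and should read `DPRINT("pPipeSD %p\n", pPipeSD);`. In ScmCreatePipeSD every failure return after the allocation leaves pPipeSD non-NULL and pointing at a partly built descriptor, and ScmFreePipeSD frees it without resetting it to NULL. Because database.c reads this exported pointer when it creates a control pipe, freeing and clearing it on those paths (`RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD); pPipeSD = NULL;`) would keep a stale or half-initialised descriptor from being handed to CreateNamedPipeW. The hunk ends inside the declaration of ScmCreateDefaultServiceSD, whose body is outside it.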
@@ -301,6 +385,10 @@ ScmInitializeSecurity(VOID)
if (dwError != ERROR_SUCCESS)
return dwError;
+ dwError = ScmCreatePipeSD();
+ if (dwError != ERROR_SUCCESS)
+ return dwError;
+
return ERROR_SUCCESS;
}
@@ -308,6 +396,7 @@ ScmInitializeSecurity(VOID)
VOID
ScmShutdownSecurity(VOID)
{
+ ScmFreePipeSD();
ScmFreeDefaultSD();
ScmFreeAcls();
ScmFreeSids();
diff --git a/base/system/services/services.h b/base/system/services/services.h
index 9297c7ce999..4a1a0c0827c 100644
--- a/base/system/services/services.h
+++ b/base/system/services/services.h
@@ -100,6 +100,7 @@ extern LIST_ENTRY GroupListHead;
extern LIST_ENTRY ImageListHead;
extern BOOL ScmInitialize;
extern BOOL ScmShutdown;
+extern PSECURITY_DESCRIPTOR pPipeSD;
/* FUNCTIONS ***************************************************************/