Windows: Police the DEBUG TRACE ioctls
authorRod Widdowson <rdw@steadingsoftware.com>
Fri, 28 Dec 2012 15:00:15 +0000 (15:00 +0000)
committerJeffrey Altman <jaltman@your-file-system.com>
Tue, 22 Jan 2013 02:21:15 +0000 (18:21 -0800)
When we get an IOCTL_AFS_GET_TRACE_BUFFER, an IOCTL_AFS_CONFIGURE_DEBUG_TRACE
or an IOCTL_AFS_FORCE_CRASH, we check to see whether the caller is in the
Administrators group and if it isn't we fail the request with ACCESS_DENIED.

NOTE that this does not check whether the user has done the "run as admin"
thing.  We actually need to determine which privileges are appropriate to
this action and use that rather than group membership to police these actions
and this will be added in a later patch.  Meanwhile this represents a
significant increment in security from previously.

Change-Id: I0997e59a82735735674d8edee7a7a68d241e6ef8
Reviewed-on: http://gerrit.openafs.org/8843
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
Tested-by: Jeffrey Altman <jaltman@your-file-system.com>
src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp
src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp
src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h

index 210c7a2f3af2e3482714d95457972783eb49b1e1..cb3cde77abbdf44833d5cbf998ced54100b938a5 100644 (file)
@@ -557,6 +557,13 @@ AFSProcessControlRequest( IN PIRP Irp)
 
                 AFSTraceConfigCB *pTraceInfo = (AFSTraceConfigCB *)Irp->AssociatedIrp.SystemBuffer;
 
+                if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid))
+                {
+
+                    ntStatus = STATUS_ACCESS_DENIED;
+                    break;
+                }
+
                 if( pTraceInfo == NULL ||
                     pIrpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof( AFSTraceConfigCB))
                 {
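Review bot: The Administrators guard is pasted verbatim into three case arms (IOCTL_AFS_CONFIGURE_DEBUG_TRACE here, then IOCTL_AFS_GET_TRACE_BUFFER and IOCTL_AFS_FORCE_CRASH in the next two hunks), so the next privileged control code added to this switch can miss it without anything flagging the omission. In this arm it also sits after the `pTraceInfo` declaration rather than first in the block as in the other two. A short comment on each copy, such as `// Debug/trace controls are restricted to callers whose token carries the Administrators SID`, would state the policy where a maintainer will see it. The denial path also writes no trace entry, so refused attempts are invisible to anyone reviewing the driver's logs. The case body starts and ends outside the hunk.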
@@ -574,6 +581,13 @@ AFSProcessControlRequest( IN PIRP Irp)
             case IOCTL_AFS_GET_TRACE_BUFFER:
             {
 
+                if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid))
+                {
+
+                    ntStatus = STATUS_ACCESS_DENIED;
+                    break;
+                }
+
                 if( pIrpSp->Parameters.DeviceIoControl.OutputBufferLength == 0)
                 {
 
@@ -592,6 +606,13 @@ AFSProcessControlRequest( IN PIRP Irp)
             case IOCTL_AFS_FORCE_CRASH:
             {
 
+                if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid))
+                {
+
+                    ntStatus = STATUS_ACCESS_DENIED;
+                    break;
+                }
+
 #if DBG
 
                 if( BooleanFlagOn( AFSDebugFlags, AFS_DBG_FLAG_ENABLE_FORCE_CRASH))
index b8b57977e7249cd9e2be0ed5efe6eb8a55a98ee9..19c3e944bd00d78e41ea8c693fb1dae992317958 100644 (file)
@@ -969,6 +969,34 @@ AFSIsUser( IN PSID Sid)
     return retVal;
 }
 
+BOOLEAN
+AFSIsInGroup(PSID Sid)
+{
+    SECURITY_SUBJECT_CONTEXT subjectContext;
+    PTOKEN_GROUPS groups;
+    PACCESS_TOKEN token;
+    BOOLEAN retVal = FALSE;
+
+    SeCaptureSubjectContext( &subjectContext );
+    SeLockSubjectContext( &subjectContext );
+
+    token = SeQuerySubjectContextToken( &subjectContext );
+
+    if (NT_SUCCESS(SeQueryInformationToken(token, TokenGroups, (PVOID*) &groups)))
+    {
+        ULONG i;
+        for (i = 0; !retVal && i < groups->GroupCount; i++)
+        {
+            retVal = RtlEqualSid(Sid, groups->Groups[i].Sid);
+        }
+
+        ExFreePool( groups );
+    }
+    SeUnlockSubjectContext( &subjectContext );
+    SeReleaseSubjectContext( &subjectContext );
+    return retVal;
+}
+
 VOID
 AFSRegisterService( void)
 {
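Review bot: The loop in AFSIsInGroup compares only `groups->Groups[i].Sid` and never looks at `Groups[i].Attributes`, so a SID that is present in the token but marked deny-only (the state of the Administrators SID in a UAC-filtered token) still satisfies the check. Requiring the group to be enabled closes that case without waiting for the privilege-based rework: `retVal = RtlEqualSid( Sid, groups->Groups[i].Sid) && BooleanFlagOn( groups->Groups[i].Attributes, SE_GROUP_ENABLED);`. The function also needs a header comment saying that it evaluates the effective token of the calling thread (the impersonation token when one is present) and so must run in the requestor's context. The definition omits the `IN` annotation that the AFSCommon.h prototype carries.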
index 4673732e2052339b6457a70391ea8835705f3b61..3f6b920f87faa4a420369267e49c2202de20d70e 100644 (file)
@@ -832,6 +832,9 @@ AFSInitializeThreadCB( IN AFSProcessCB *ProcessCB,
 BOOLEAN
 AFSIsUser( IN PSID Sid);
 
+BOOLEAN
+AFSIsInGroup(IN PSID Sid);
+
 VOID
 AFSRegisterService( void);