From: Rod Widdowson
Date: Fri, 28 Dec 2012 15:00:15 +0000 (+0000)
Subject: Windows: Police the DEBUG TRACE ioctls
X-Git-Tag: upstream/1.8.0_pre1^2~1649
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=dd672fffe9bfef6bd872b008e7f3e3dd5f904a80;p=packages%2Fo%2Fopenafs.git

Windows: Police the DEBUG TRACE ioctls

When we get a IOCTL_AFS_GET_TRACE_BUFFER, a IOCTL_AFS_CONFIGURE_DEBUG_TRACE or a IOCTL_AFS_FORCE_CRASH, we check to see whether the caller is in the Administrators group and if it isn't we fail the request with ACCESS_DENIED.

NOTE that this does not check whether the user has done the "run as admin" thing. We actually need to determine which priviledges are appropriate to this action and use that rather than group membership to police these actions and this will be added in a later patch. Meanwhile this represents a significant increment in security from previously.

Change-Id: I0997e59a82735735674d8edee7a7a68d241e6ef8
Reviewed-on: http://gerrit.openafs.org/8843
Tested-by: BuildBot
Reviewed-by: Jeffrey Altman
Tested-by: Jeffrey Altman
---

diff --git a/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp b/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp
index 210c7a2f3..cb3cde77a 100644
--- a/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp
+++ b/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp
@@ -557,6 +557,13 @@ AFSProcessControlRequest( IN PIRP Irp)
 AFSTraceConfigCB *pTraceInfo = (AFSTraceConfigCB *)Irp->AssociatedIrp.SystemBuffer;
+ if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid))
+ {
+
+ ntStatus = STATUS_ACCESS_DENIED;
+ break;
+ }
+
 if( pTraceInfo == NULL || pIrpSp->Parameters.DeviceIoControl.InputBufferLength < sizeof( AFSTraceConfigCB)) {
@@ -574,6 +581,13 @@ AFSProcessControlRequest( IN PIRP Irp)
 case IOCTL_AFS_GET_TRACE_BUFFER: {
+ if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid))
+ {
+
+ ntStatus = STATUS_ACCESS_DENIED;
+ break;
+ }
+
 if( pIrpSp->Parameters.DeviceIoControl.OutputBufferLength == 0) {
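Review bot: The identical seven-line Administrators gate is pasted into three case arms — this IOCTL_AFS_CONFIGURE_DEBUG_TRACE hunk, the IOCTL_AFS_GET_TRACE_BUFFER hunk at -574,6 and the IOCTL_AFS_FORCE_CRASH hunk at -592,6 — so the next debug ioctl added to this switch can silently miss the check; a single test of the control code before the switch, or one static helper that each arm calls, keeps the policy in one place. The `break` after `ntStatus = STATUS_ACCESS_DENIED;` relies on the code after the switch completing the IRP with ntStatus, which is outside the hunk and should be confirmed, as is the rest of AFSProcessControlRequest. A one-line comment above each gate would record the intent, e.g. `// Trace configuration, trace buffer read-out and forced crash are restricted to Administrators (see AFSIsInGroup for what that does and does not cover)`. Consider also emitting the driver's usual trace message when the gate fails, so a denied attempt is visible to an operator rather than only surfacing as an error status to the caller.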
@@ -592,6 +606,13 @@ AFSProcessControlRequest( IN PIRP Irp)
 case IOCTL_AFS_FORCE_CRASH: {
+ if ( !AFSIsInGroup( SeExports->SeAliasAdminsSid))
+ {
+
+ ntStatus = STATUS_ACCESS_DENIED;
+ break;
+ }
+
 #if DBG
 if( BooleanFlagOn( AFSDebugFlags, AFS_DBG_FLAG_ENABLE_FORCE_CRASH))
diff --git a/src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp b/src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp
index b8b57977e..19c3e944b 100644
--- a/src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp
+++ b/src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp
@@ -969,6 +969,34 @@ AFSIsUser( IN PSID Sid)
 return retVal; }
+BOOLEAN
+AFSIsInGroup(PSID Sid)
+{
+ SECURITY_SUBJECT_CONTEXT subjectContext;
+ PTOKEN_GROUPS groups;
+ PACCESS_TOKEN token;
+ BOOLEAN retVal = FALSE;
+
+ SeCaptureSubjectContext( &subjectContext );
+ SeLockSubjectContext( &subjectContext );
+
+ token = SeQuerySubjectContextToken( &subjectContext );
+
+ if (NT_SUCCESS(SeQueryInformationToken(token, TokenGroups, (PVOID*) &groups)))
+ {
+ ULONG i;
+ for (i = 0; !retVal && i < groups->GroupCount; i++)
+ {
+ retVal = RtlEqualSid(Sid, groups->Groups[i].Sid);
+ }
+
+ ExFreePool( groups );
+ }
+ SeUnlockSubjectContext( &subjectContext );
+ SeReleaseSubjectContext( &subjectContext );
+ return retVal;
+}
+
 VOID AFSRegisterService( void) {
diff --git a/src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h b/src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h
index 4673732e2..3f6b920f8 100644
--- a/src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h
+++ b/src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h
@@ -832,6 +832,9 @@ AFSInitializeThreadCB( IN AFSProcessCB *ProcessCB,
 BOOLEAN AFSIsUser( IN PSID Sid);
+BOOLEAN
+AFSIsInGroup(IN PSID Sid);
+
 VOID AFSRegisterService( void);
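Review bot: In the new AFSIsInGroup the loop compares only `groups->Groups[i].Sid` and never looks at `groups->Groups[i].Attributes`, so a UAC-filtered token — where the Administrators SID is still listed but flagged SE_GROUP_USE_FOR_DENY_ONLY and not SE_GROUP_ENABLED — satisfies the check; the commit message acknowledges that non-elevated administrators pass, but that particular gap is closable right here by skipping deny-only or disabled entries (the kernel's SeTokenIsAdmin may also already cover the Administrators case and is worth comparing against). The routine also ignores `subjectContext.ImpersonationLevel`, so a caller impersonating at identification level, which an SeAccessCheck on the same subject context would refuse, is evaluated on the impersonated token as if it were a full impersonation. A header comment should state the calling constraints, e.g. `// Must be called at PASSIVE_LEVEL: SeQueryInformationToken allocates the TokenGroups buffer that ExFreePool releases; returns TRUE only if Sid is an enabled, non-deny-only group in the calling thread's effective token`. Minor: the definition `AFSIsInGroup(PSID Sid)` drops the `IN` that the header declaration and the sibling AFSIsUser( IN PSID Sid) both carry.
```cpp
    // … unchanged: capture/lock subject context and fetch the token …

    // An identification-level impersonation token must not pass an
    // Administrators check (this mirrors how SeAccessCheck treats the subject).
    if ( subjectContext.ClientToken == NULL ||
         subjectContext.ImpersonationLevel >= SecurityImpersonation)
    {
        if (NT_SUCCESS(SeQueryInformationToken(token, TokenGroups, (PVOID*) &groups)))
        {
            ULONG i;
            for (i = 0; !retVal && i < groups->GroupCount; i++)
            {
                PSID_AND_ATTRIBUTES group = &groups->Groups[i];

                // A UAC-filtered token still lists Administrators, but as a
                // disabled, deny-only entry; such an entry must not grant.
                if ( !BooleanFlagOn( group->Attributes, SE_GROUP_ENABLED) ||
                     BooleanFlagOn( group->Attributes, SE_GROUP_USE_FOR_DENY_ONLY))
                {
                    continue;
                }

                retVal = RtlEqualSid(Sid, group->Sid);
            }

            ExFreePool( groups );
        }
    }

    // … unchanged: unlock/release subject context, return retVal …
```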