From 5138c07abd076e0fa90d70a175a3a822fb127ef5 Mon Sep 17 00:00:00 2001
From: Rod Widdowson
Date: Fri, 28 Dec 2012 14:40:40 +0000
Subject: [PATCH] Windows: Only allow the local system account to speak to the redirector When we get the IOCTL_AFS_INITIALIZE_CONTROL_DEVICE IOCTL we check to see whether the calling process is the LOCAL_SYSTEM_SID (the one that services run at if they are not running as a specified SID). If we are not then the initialize fails ACCESS_DENIED. If the debug build ONLY, setting the AFS_DBG_DISABLE_SYSTEM_SID_CHECK bit in OpenAFSDebugFlags circumvents this check, allowing interactive debugging. Existing code stops two processes (or even handles) from trying to initialize the system.
Change-Id: I2ef8ca3a0df908acba38b435178d0509e96d6114
Reviewed-on: http://gerrit.openafs.org/8842
Tested-by: BuildBot
Tested-by: Jeffrey Altman
Reviewed-by: Jeffrey Altman
---
.../afsrdr/common/AFSRedirCommonDefines.h | 13 +++++-----
src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp | 10 +++++++-
.../afsrdr/kernel/fs/AFSProcessSupport.cpp | 25 +++++++++++++++++++
.../afsrdr/kernel/fs/Include/AFSCommon.h | 3 +++
4 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/src/WINNT/afsrdr/common/AFSRedirCommonDefines.h b/src/WINNT/afsrdr/common/AFSRedirCommonDefines.h
index 3493c096c..46520168a 100644
--- a/src/WINNT/afsrdr/common/AFSRedirCommonDefines.h
+++ b/src/WINNT/afsrdr/common/AFSRedirCommonDefines.h
@@ -158,12 +158,13 @@ // Debug information // -#define AFS_DBG_FLAG_BREAK_ON_ENTRY 0x00000001 // Only enabled in checked build -#define AFS_DBG_TRACE_TO_DEBUGGER 0x00000002 -#define AFS_DBG_FLAG_ENABLE_FORCE_CRASH 0x00000004 // Only enabled in checked build -#define AFS_DBG_BUGCHECK_EXCEPTION 0x00000008 -#define AFS_DBG_CLEAN_SHUTDOWN 0x00000010 -#define AFS_DBG_REQUIRE_CLEAN_SHUTDOWN 0x00000020 +#define AFS_DBG_FLAG_BREAK_ON_ENTRY 0x00000001 // Only enabled in checked build +#define AFS_DBG_TRACE_TO_DEBUGGER 0x00000002 +#define AFS_DBG_FLAG_ENABLE_FORCE_CRASH 0x00000004 // Only enabled in checked build +#define AFS_DBG_BUGCHECK_EXCEPTION 0x00000008 +#define AFS_DBG_CLEAN_SHUTDOWN 0x00000010 +#define AFS_DBG_REQUIRE_CLEAN_SHUTDOWN 0x00000020 +#define AFS_DBG_DISABLE_SYSTEM_SID_CHECK 0x00000040 // // Pool state diff --git a/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp b/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp index c9f8528ea..9e4694936 100644 --- a/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp +++ b/src/WINNT/afsrdr/kernel/fs/AFSCommSupport.cpp @@ -407,11 +407,19 @@ AFSProcessControlRequest( IN PIRP Irp) case IOCTL_AFS_INITIALIZE_CONTROL_DEVICE: { + if ( !AFSIsUser( SeExports->SeLocalSystemSid) +#if DBG + && !BooleanFlagOn( AFSDebugFlags, AFS_DBG_DISABLE_SYSTEM_SID_CHECK) +#endif + ) + { + ntStatus = STATUS_ACCESS_DENIED; + break; + } // // Go intialize the pool // - ntStatus = AFSInitIrpPool(); if( !NT_SUCCESS( ntStatus)) diff --git a/src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp b/src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp index 22cf280ab..a81572423 100644 --- a/src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp +++ b/src/WINNT/afsrdr/kernel/fs/AFSProcessSupport.cpp 
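Review bot: The new `AFS_DBG_DISABLE_SYSTEM_SID_CHECK` define carries no comment, although it switches off an access check and, per the AFSCommSupport.cpp hunk in this patch, is honoured only under `#if DBG`. The other checked-build-only flags in this list are marked as such, so I would write `#define AFS_DBG_DISABLE_SYSTEM_SID_CHECK 0x00000040 // Only enabled in checked build; skips the LocalSystem caller check on control-device init`. That keeps anyone auditing the debug flags from assuming the bit has an effect in a free build, or from missing that it weakens access control in a checked one.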
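Review bot: The new STATUS_ACCESS_DENIED branch under IOCTL_AFS_INITIALIZE_CONTROL_DEVICE returns without recording anything, so a rejected initialize attempt from a non-service caller leaves no trace for whoever is diagnosing or monitoring the machine; an error-level trace entry before the `break` that identifies the requesting process would help. The check is also only meaningful while this handler runs on the requesting thread, because AFSIsUser inspects the current thread's subject context; if this IRP were ever posted to a system worker thread, the comparison would presumably see that thread's LocalSystem token and pass, so a comment such as `// Must run in the caller's thread context: AFSIsUser checks the current thread's token` is worth adding. In checked builds the AFS_DBG_DISABLE_SYSTEM_SID_CHECK bit turns the check off entirely, so whatever storage backs AFSDebugFlags needs to be writable by administrators only. The switch statement and the rest of this case continue outside the hunk.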
@@ -941,3 +941,28 @@ try_exit: return pThreadCB; } + +BOOLEAN +AFSIsUser( IN PSID Sid) +{ + SECURITY_SUBJECT_CONTEXT subjectContext; + PTOKEN_USER user; + PACCESS_TOKEN token; + BOOLEAN retVal = FALSE; + + SeCaptureSubjectContext( &subjectContext); + SeLockSubjectContext( &subjectContext); + + token = SeQuerySubjectContextToken( &subjectContext); + + if (NT_SUCCESS (SeQueryInformationToken( token, TokenUser, (PVOID*) &user))) + { + + retVal = RtlEqualSid( user->User.Sid, Sid); + + ExFreePool( user ); + } + SeUnlockSubjectContext( &subjectContext); + SeReleaseSubjectContext( &subjectContext); + return retVal; +} diff --git a/src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h b/src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h index 9af1fa761..5ccb7e1e8 100644 --- a/src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h +++ b/src/WINNT/afsrdr/kernel/fs/Include/AFSCommon.h @@ -829,6 +829,9 @@ AFSThreadCB * AFSInitializeThreadCB( IN AFSProcessCB *ProcessCB, IN ULONGLONG ThreadId); +BOOLEAN +AFSIsUser( IN PSID Sid); + }; #endif /* _AFS_COMMON_H */ -- 2.39.5
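Review bot: AFSIsUser compares against whatever SeQuerySubjectContextToken returns, which is the thread's impersonation token when one is present, and it never looks at the impersonation level, whereas the commit message describes the check as being on the calling process. For an access decision a client token below SecurityImpersonation should not be accepted: either leave retVal FALSE when `subjectContext.ClientToken != NULL && subjectContext.ImpersonationLevel < SecurityImpersonation`, or query `subjectContext.PrimaryToken` instead if process identity is what is meant. The function also has no header comment; one stating that it returns TRUE only when the effective token's user SID equals Sid, and FALSE when the token query fails, would document the fail-closed behaviour that AFSProcessControlRequest now depends on.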