Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1522 lines
47 KiB

  1. /*++
  2. Copyright (c) 1989 Microsoft Corporation
  3. Module Name:
  4. tokenadj.c
  5. Abstract:
  6. This module implements the services that perform individual adjustments
  7. on token objects.
  8. Author:
  9. Jim Kelly (JimK) 15-June-1990
  10. Environment:
  11. Kernel mode only.
  12. Revision History:
  13. --*/
  14. #include "pch.h"
  15. #pragma hdrstop
  16. #ifdef ALLOC_PRAGMA
  17. #pragma alloc_text(PAGE,NtAdjustPrivilegesToken)
  18. #pragma alloc_text(PAGE,NtAdjustGroupsToken)
  19. #pragma alloc_text(PAGE,SepAdjustPrivileges)
  20. #pragma alloc_text(PAGE,SepAdjustGroups)
  21. #endif
  22. ////////////////////////////////////////////////////////////////////////
  23. // //
  24. // Token Object Routines & Methods //
  25. // //
  26. ////////////////////////////////////////////////////////////////////////
  27. NTSTATUS
  28. NtAdjustPrivilegesToken (
  29. IN HANDLE TokenHandle,
  30. IN BOOLEAN DisableAllPrivileges,
  31. IN PTOKEN_PRIVILEGES NewState OPTIONAL,
  32. IN ULONG BufferLength OPTIONAL,
  33. OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
  34. OUT PULONG ReturnLength
  35. )
  36. /*++
  37. Routine Description:
  38. This routine is used to disable or enable privileges in the
  39. specified token. The absence of some of the privileges listed to
  40. be changed won't effect the successful modification of the
  41. privileges that are in the token. The previous enabled/disabled
  42. state of changed privileges may optionally be capture (for
  43. resetting later).
  44. TOKEN_ADJUST_PRIVILEGES access is required to enable or disable
  45. privileges in a token.
  46. Arguments:
  47. TokenHandle - Provides a handle to the token to operate on.
  48. DisableAllPrivileges - This boolean parameter may be
  49. used to disable all privileges assigned to the token. If
  50. this parameter is specified as TRUE, then the NewState parameter is
  51. ignored.
  52. NewState - This (optional) parameter points to a TOKEN_PRIVILEGES
  53. data structure containing the privileges whose states are to
  54. be adjusted (disabled or enabled). Only the Enabled flag of
  55. the attributes associated with each privilege is used. It
  56. provides the new value that is to be assigned to the
  57. privilege in the token.
  58. BufferLength - This optional parameter indicates the length (in
  59. bytes) of the PreviousState buffer. This value must be
  60. provided if the PreviousState parameter is provided.
  61. PreviousState - This (optional) parameter points to a buffer to
  62. receive the state of any privileges actually changed by this
  63. request. This information is formated as a TOKEN_PRIVILEGES
  64. data structure which may be passed as the NewState parameter
  65. in a subsequent call to this routine to restore the original
  66. state of those privilges. TOKEN_QUERY access is needed to
  67. use this parameter.
  68. If this buffer does not contain enough space to receive the
  69. complete list of modified privileges, then no privilege
  70. states are changed and STATUS_BUFFER_TOO_SMALL is returned.
  71. In this case, the ReturnLength OUT parameter will
  72. contain the actual number of bytes needed to hold the
  73. information.
  74. ReturnLength - Indicates the actual number of bytes needed to
  75. contain the previous privilege state information.
  76. This parameter is ignored if the PreviousState argument is not
  77. passed.
  78. Return Value:
  79. STATUS_SUCCESS - The service successfully completed the requested
  80. operation.
  81. STATUS_NOT_ALL_ASSIGNED - This NT_SUCCESS severity return status
  82. indicates that not all the specified privileges are currently
  83. assigned to the caller. All specified privileges that are
  84. currently assigned have been successfully adjusted.
  85. STATUS_BUFFER_TOO_SMALL - Indicates the optional buffer provided
  86. to receive the previous states of changed privileges wasn't
  87. large enough to receive that information. No changes to
  88. privilege states has been made. The number of bytes needed
  89. to hold the state change information is returned via the
  90. ReturnLength parameter.
  91. STATUS_INVALID_PARAMETER - Indicates neither the DisableAllPrivileges
  92. parameter was specified as true, nor was an explicit NewState
  93. provided.
  94. --*/
  95. {
  96. KPROCESSOR_MODE PreviousMode;
  97. NTSTATUS Status;
  98. PTOKEN Token;
  99. ACCESS_MASK DesiredAccess;
  100. ULONG CapturedPrivilegeCount = 0;
  101. PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL;
  102. ULONG CapturedPrivilegesLength = 0;
  103. ULONG LocalReturnLength = 0;
  104. ULONG ChangeCount = 0;
  105. BOOLEAN ChangesMade = FALSE;
  106. ULONG ParameterLength = 0;
  107. PAGED_CODE();
  108. //
  109. // The semantics of the PreviousState parameter leads to a two-pass
  110. // approach to adjusting privileges. The first pass simply checks
  111. // to see which privileges will change and counts them. This allows
  112. // the amount of space needed to be calculated and returned. If
  113. // the caller's PreviousState return buffer is not large enough, then
  114. // an error is returned without making any modifications. Otherwise,
  115. // a second pass is made to actually make the changes.
  116. //
  117. //
  118. if (!DisableAllPrivileges && !ARGUMENT_PRESENT(NewState)) {
  119. return STATUS_INVALID_PARAMETER;
  120. }
  121. //
  122. // Get previous processor mode and probe parameters if necessary.
  123. //
  124. PreviousMode = KeGetPreviousMode();
  125. if (PreviousMode != KernelMode) {
  126. try {
  127. //
  128. // Make sure we can see all of the new state
  129. //
  130. if (!DisableAllPrivileges) {
  131. ProbeForReadSmallStructure(
  132. NewState,
  133. sizeof(TOKEN_PRIVILEGES),
  134. sizeof(ULONG)
  135. );
  136. CapturedPrivilegeCount = NewState->PrivilegeCount;
  137. ParameterLength = (ULONG)sizeof(TOKEN_PRIVILEGES) +
  138. ( (CapturedPrivilegeCount - ANYSIZE_ARRAY) *
  139. (ULONG)sizeof(LUID_AND_ATTRIBUTES) );
  140. ProbeForRead(
  141. NewState,
  142. ParameterLength,
  143. sizeof(ULONG)
  144. );
  145. }
  146. //
  147. // Check the PreviousState buffer for writeability
  148. //
  149. if (ARGUMENT_PRESENT(PreviousState)) {
  150. ProbeForWrite(
  151. PreviousState,
  152. BufferLength,
  153. sizeof(ULONG)
  154. );
  155. ProbeForWriteUlong(ReturnLength);
  156. }
  157. } except(EXCEPTION_EXECUTE_HANDLER) {
  158. return GetExceptionCode();
  159. }
  160. } else {
  161. if (!DisableAllPrivileges) {
  162. CapturedPrivilegeCount = NewState->PrivilegeCount;
  163. }
  164. }
  165. //
  166. // Capture NewState if passed.
  167. //
  168. if (!DisableAllPrivileges) {
  169. try {
  170. Status = SeCaptureLuidAndAttributesArray(
  171. (NewState->Privileges),
  172. CapturedPrivilegeCount,
  173. PreviousMode,
  174. NULL, 0,
  175. PagedPool,
  176. TRUE,
  177. &CapturedPrivileges,
  178. &CapturedPrivilegesLength
  179. );
  180. } except(EXCEPTION_EXECUTE_HANDLER) {
  181. return GetExceptionCode();
  182. }
  183. if (!NT_SUCCESS(Status)) {
  184. return Status;
  185. }
  186. }
  187. //
  188. // Reference the token object and validate the caller's right
  189. // to adjust the privileges.
  190. //
  191. if (ARGUMENT_PRESENT(PreviousState)) {
  192. DesiredAccess = (TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY);
  193. } else {
  194. DesiredAccess = TOKEN_ADJUST_PRIVILEGES;
  195. }
  196. Status = ObReferenceObjectByHandle(
  197. TokenHandle, // Handle
  198. DesiredAccess, // DesiredAccess
  199. SeTokenObjectType, // ObjectType
  200. PreviousMode, // AccessMode
  201. (PVOID *)&Token, // Object
  202. NULL // GrantedAccess
  203. );
  204. if ( !NT_SUCCESS(Status) ) {
  205. if (CapturedPrivileges != NULL) {
  206. SeReleaseLuidAndAttributesArray(
  207. CapturedPrivileges,
  208. PreviousMode,
  209. TRUE
  210. );
  211. }
  212. return Status;
  213. }
  214. //
  215. // Gain exclusive access to the token.
  216. //
  217. SepAcquireTokenWriteLock( Token );
  218. //
  219. // First pass through the privileges list - just count the changes
  220. //
  221. Status = SepAdjustPrivileges(
  222. Token,
  223. FALSE, // Don't make changes this pass
  224. DisableAllPrivileges,
  225. CapturedPrivilegeCount,
  226. CapturedPrivileges,
  227. PreviousState,
  228. &LocalReturnLength,
  229. &ChangeCount,
  230. &ChangesMade
  231. );
  232. if (ARGUMENT_PRESENT(PreviousState)) {
  233. try {
  234. (*ReturnLength) = LocalReturnLength;
  235. } except(EXCEPTION_EXECUTE_HANDLER) {
  236. SepReleaseTokenWriteLock( Token, FALSE );
  237. ObDereferenceObject( Token );
  238. if (CapturedPrivileges != NULL) {
  239. SeReleaseLuidAndAttributesArray(
  240. CapturedPrivileges,
  241. PreviousMode,
  242. TRUE
  243. );
  244. }
  245. return GetExceptionCode();
  246. }
  247. }
  248. //
  249. // Make sure there is enough room to return any requested
  250. // information.
  251. //
  252. if (ARGUMENT_PRESENT(PreviousState)) {
  253. if (LocalReturnLength > BufferLength) {
  254. SepReleaseTokenWriteLock( Token, FALSE );
  255. ObDereferenceObject( Token );
  256. if (CapturedPrivileges != NULL) {
  257. SeReleaseLuidAndAttributesArray(
  258. CapturedPrivileges,
  259. PreviousMode,
  260. TRUE
  261. );
  262. }
  263. return STATUS_BUFFER_TOO_SMALL;
  264. }
  265. }
  266. //
  267. // Second pass through the privileges list - Make the changes.
  268. //
  269. // Note that the internal routine attempts to write the previous
  270. // state directly to the caller's buffer - and so may get an exception.
  271. //
  272. try {
  273. Status = SepAdjustPrivileges(
  274. Token,
  275. TRUE, // Make the changes this pass
  276. DisableAllPrivileges,
  277. CapturedPrivilegeCount,
  278. CapturedPrivileges,
  279. PreviousState,
  280. &LocalReturnLength,
  281. &ChangeCount,
  282. &ChangesMade
  283. );
  284. if (ARGUMENT_PRESENT(PreviousState)) {
  285. PreviousState->PrivilegeCount = ChangeCount;
  286. }
  287. } except(EXCEPTION_EXECUTE_HANDLER) {
  288. SepReleaseTokenWriteLock( Token, TRUE );
  289. ObDereferenceObject( Token );
  290. if (CapturedPrivileges != NULL) {
  291. SeReleaseLuidAndAttributesArray(
  292. CapturedPrivileges,
  293. PreviousMode,
  294. TRUE
  295. );
  296. }
  297. return GetExceptionCode();
  298. }
  299. SepReleaseTokenWriteLock( Token, ChangesMade );
  300. ObDereferenceObject( Token );
  301. if (CapturedPrivileges != NULL) {
  302. SeReleaseLuidAndAttributesArray(
  303. CapturedPrivileges,
  304. PreviousMode,
  305. TRUE
  306. );
  307. }
  308. return Status;
  309. }
  310. NTSTATUS
  311. NtAdjustGroupsToken (
  312. IN HANDLE TokenHandle,
  313. IN BOOLEAN ResetToDefault,
  314. IN PTOKEN_GROUPS NewState OPTIONAL,
  315. IN ULONG BufferLength OPTIONAL,
  316. OUT PTOKEN_GROUPS PreviousState OPTIONAL,
  317. OUT PULONG ReturnLength
  318. )
  319. /*++
  320. Routine Description:
  321. This routine is used to disable or enable groups in the specified
  322. token. The absence of some of the groups listed to be changed
  323. won't effect the successful modification of the groups that are in
  324. the token. The previous enabled/disabled state of changed groups
  325. may optionally be capture (for resetting later).
  326. TOKEN_ADJUST_GROUPS access is required to enable or disable groups
  327. in a token
  328. Note that mandatory groups can not be disabled. An attempt
  329. disable any mandatory groups will cause the call to fail, leaving
  330. the state of all groups unchanged.
  331. Arguments:
  332. TokenHandle - Provides a handle to the token to operate on.
  333. ResetToDefault - The parameter indicates whether all the groups
  334. in the token are to be reset to their default enabled/disabled
  335. state.
  336. NewState - This parameter points to a TOKEN_GROUPS data structure
  337. containing the groups whose states are to be adjusted
  338. (disabled or enabled). Only the Enabled flag of the
  339. attributes associated with each group is used. It provides
  340. the new value that is to be assigned to the group in the
  341. token. If the ResetToDefault argument is specified as TRUE,
  342. then this argument is ignored. Otherwise, it must be passed.
  343. BufferLength - This optional parameter indicates the length (in
  344. bytes) of the PreviousState buffer. This value must be
  345. provided if the PreviousState parameter is provided.
  346. PreviousState - This (optional) parameter points to a buffer to
  347. receive the state of any groups actually changed by this
  348. request. This information is formated as a TOKEN_GROUPS data
  349. structure which may be passed as the NewState parameter in a
  350. subsequent call to NtAdjustGroups to restore the original state
  351. of those groups. TOKEN_QUERY access is needed to use this
  352. parameter.
  353. If this buffer does not contain enough space to receive the
  354. complete list of modified groups, then no group states are
  355. changed and STATUS_BUFFER_TOO_SMALL is returned. In this
  356. case, the ReturnLength return parameter will contain the
  357. actual number of bytes needed to hold the information.
  358. ReturnLength - Indicates the actual number of bytes needed to
  359. contain the previous group state information.
  360. This parameter is ignored if the PreviousState argument is not
  361. passed.
  362. Return Value:
  363. STATUS_SUCCESS - The service successfully completed the requested
  364. operation.
  365. STATUS_NOT_ALL_ASSIGNED - This NT_SUCCESS severity return status
  366. indicates that not all the specified groups are currently
  367. assigned to the caller. All specified groups that are
  368. currently assigned have been successfully adjusted.
  369. STATUS_CANT_DISABLE_MANDATORY - Indicates an attempt was made to
  370. disable a mandatory group. The states of all groups remains
  371. unchanged.
  372. STATUS_BUFFER_TOO_SMALL - Indicates the optional buffer provided
  373. to receive the previous states of changed group wasn't large
  374. enough to receive that information. No changes to group
  375. states has been made. The number of bytes needed to hold the
  376. state change information is returned via the ReturnLength
  377. parameter.
  378. STATUS_INVALID_PARAMETER - Indicates neither the ResetToDefault
  379. parameter was specified as true, nor was an explicit NewState
  380. provided.
  381. --*/
  382. {
  383. KPROCESSOR_MODE PreviousMode;
  384. NTSTATUS Status;
  385. PTOKEN Token;
  386. ACCESS_MASK DesiredAccess;
  387. ULONG CapturedGroupCount = 0;
  388. PSID_AND_ATTRIBUTES CapturedGroups = NULL;
  389. ULONG CapturedGroupsLength = 0;
  390. ULONG LocalReturnLength;
  391. ULONG ChangeCount;
  392. BOOLEAN ChangesMade;
  393. PSID SidBuffer = NULL;
  394. PAGED_CODE();
  395. //
  396. // The semantics of the PreviousState parameter and the
  397. // STATUS_CANT_DISABLE_MANDATORY completion status leads to a two-pass
  398. // approach to adjusting groups. The first pass simply checks
  399. // to see which groups will change and counts them. This allows
  400. // the amount of space needed to be calculated and returned. If
  401. // the caller's PreviousState return buffer is not large enough, or
  402. // one of the specified groups is a mandatory group, then an error
  403. // is returned without making any modifications. Otherwise, a second
  404. // pass is made to actually make the changes.
  405. //
  406. if (!ResetToDefault && !ARGUMENT_PRESENT(NewState)) {
  407. return STATUS_INVALID_PARAMETER;
  408. }
  409. //
  410. // Get previous processor mode and probe parameters if necessary.
  411. //
  412. PreviousMode = KeGetPreviousMode();
  413. if (PreviousMode != KernelMode) {
  414. try {
  415. if (!ResetToDefault) {
  416. ProbeForReadSmallStructure(
  417. NewState,
  418. sizeof(TOKEN_GROUPS),
  419. sizeof(ULONG)
  420. );
  421. }
  422. if (ARGUMENT_PRESENT(PreviousState)) {
  423. ProbeForWrite(
  424. PreviousState,
  425. BufferLength,
  426. sizeof(ULONG)
  427. );
  428. //
  429. // This parameter is only used if PreviousState
  430. // is present
  431. //
  432. ProbeForWriteUlong(ReturnLength);
  433. }
  434. } except(EXCEPTION_EXECUTE_HANDLER) {
  435. return GetExceptionCode();
  436. }
  437. }
  438. //
  439. // Capture NewState.
  440. //
  441. if (!ResetToDefault) {
  442. try {
  443. CapturedGroupCount = NewState->GroupCount;
  444. Status = SeCaptureSidAndAttributesArray(
  445. &(NewState->Groups[0]),
  446. CapturedGroupCount,
  447. PreviousMode,
  448. NULL, 0,
  449. PagedPool,
  450. TRUE,
  451. &CapturedGroups,
  452. &CapturedGroupsLength
  453. );
  454. if (!NT_SUCCESS(Status)) {
  455. return Status;
  456. }
  457. } except(EXCEPTION_EXECUTE_HANDLER) {
  458. return GetExceptionCode();
  459. } // endtry
  460. } // endif !ResetToDefault
  461. //
  462. // Reference the token object and validate the caller's right
  463. // to adjust the groups.
  464. //
  465. if (ARGUMENT_PRESENT(PreviousState)) {
  466. DesiredAccess = (TOKEN_ADJUST_GROUPS | TOKEN_QUERY);
  467. } else {
  468. DesiredAccess = TOKEN_ADJUST_GROUPS;
  469. }
  470. Status = ObReferenceObjectByHandle(
  471. TokenHandle, // Handle
  472. DesiredAccess, // DesiredAccess
  473. SeTokenObjectType, // ObjectType
  474. PreviousMode, // AccessMode
  475. (PVOID *)&Token, // Object
  476. NULL // GrantedAccess
  477. );
  478. if ( !NT_SUCCESS(Status) ) {
  479. if (ARGUMENT_PRESENT(CapturedGroups)) {
  480. SeReleaseSidAndAttributesArray( CapturedGroups, PreviousMode, TRUE );
  481. }
  482. return Status;
  483. }
  484. //
  485. // Gain exclusive access to the token.
  486. //
  487. SepAcquireTokenWriteLock( Token );
  488. //
  489. // First pass through the groups list.
  490. //
  491. // This pass is always necessary for groups to make sure the caller
  492. // isn't trying to do anything illegal to mandatory groups.
  493. //
  494. Status = SepAdjustGroups(
  495. Token,
  496. FALSE, // Don't make changes this pass
  497. ResetToDefault,
  498. CapturedGroupCount,
  499. CapturedGroups,
  500. PreviousState,
  501. NULL, // Not returning SIDs this call
  502. &LocalReturnLength,
  503. &ChangeCount,
  504. &ChangesMade
  505. );
  506. if (ARGUMENT_PRESENT(PreviousState)) {
  507. try {
  508. (*ReturnLength) = LocalReturnLength;
  509. } except(EXCEPTION_EXECUTE_HANDLER) {
  510. SepReleaseTokenWriteLock( Token, FALSE );
  511. ObDereferenceObject( Token );
  512. if (ARGUMENT_PRESENT(CapturedGroups)) {
  513. SeReleaseSidAndAttributesArray(
  514. CapturedGroups,
  515. PreviousMode,
  516. TRUE
  517. );
  518. }
  519. return GetExceptionCode();
  520. }
  521. }
  522. //
  523. // Make sure we didn't encounter an error
  524. //
  525. if (!NT_SUCCESS(Status)) {
  526. SepReleaseTokenWriteLock( Token, FALSE );
  527. ObDereferenceObject( Token );
  528. if (ARGUMENT_PRESENT(CapturedGroups)) {
  529. SeReleaseSidAndAttributesArray(
  530. CapturedGroups,
  531. PreviousMode,
  532. TRUE
  533. );
  534. }
  535. return Status;
  536. }
  537. //
  538. // Make sure there is enough room to return requested information.
  539. // Also go on to calculate where the SID values go.
  540. //
  541. if (ARGUMENT_PRESENT(PreviousState)) {
  542. if (LocalReturnLength > BufferLength) {
  543. SepReleaseTokenWriteLock( Token, FALSE );
  544. ObDereferenceObject( Token );
  545. if (ARGUMENT_PRESENT(CapturedGroups)) {
  546. SeReleaseSidAndAttributesArray(
  547. CapturedGroups,
  548. PreviousMode,
  549. TRUE
  550. );
  551. }
  552. return STATUS_BUFFER_TOO_SMALL;
  553. }
  554. //
  555. // Calculate where the SIDs can be placed in the PreviousState
  556. // buffer.
  557. //
  558. SidBuffer = (PSID)(LongAlignPtr(
  559. (PCHAR)PreviousState + (ULONG)sizeof(TOKEN_GROUPS) +
  560. (ChangeCount * (ULONG)sizeof(SID_AND_ATTRIBUTES)) -
  561. (ANYSIZE_ARRAY * (ULONG)sizeof(SID_AND_ATTRIBUTES))
  562. ) );
  563. }
  564. //
  565. // Second pass through the groups list.
  566. //
  567. try {
  568. Status = SepAdjustGroups(
  569. Token,
  570. TRUE, // Make changes in this pass
  571. ResetToDefault,
  572. CapturedGroupCount,
  573. CapturedGroups,
  574. PreviousState,
  575. SidBuffer,
  576. &LocalReturnLength,
  577. &ChangeCount,
  578. &ChangesMade
  579. );
  580. if (ARGUMENT_PRESENT(PreviousState)) {
  581. PreviousState->GroupCount = ChangeCount;
  582. }
  583. } except(EXCEPTION_EXECUTE_HANDLER) {
  584. //SepFreeToken( Token, TRUE );
  585. SepReleaseTokenWriteLock( Token, TRUE );
  586. ObDereferenceObject( Token );
  587. if (ARGUMENT_PRESENT(CapturedGroups)) {
  588. SeReleaseSidAndAttributesArray( CapturedGroups, PreviousMode, TRUE );
  589. }
  590. return GetExceptionCode();
  591. }
  592. //SepFreeToken( Token, ChangesMade );
  593. SepReleaseTokenWriteLock( Token, ChangesMade );
  594. ObDereferenceObject( Token );
  595. if (ARGUMENT_PRESENT(CapturedGroups)) {
  596. SeReleaseSidAndAttributesArray( CapturedGroups, PreviousMode, TRUE );
  597. }
  598. return Status;
  599. }
  600. NTSTATUS
  601. SepAdjustPrivileges(
  602. IN PTOKEN Token,
  603. IN BOOLEAN MakeChanges,
  604. IN BOOLEAN DisableAllPrivileges,
  605. IN ULONG PrivilegeCount OPTIONAL,
  606. IN PLUID_AND_ATTRIBUTES NewState OPTIONAL,
  607. OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL,
  608. OUT PULONG ReturnLength,
  609. OUT PULONG ChangeCount,
  610. OUT PBOOLEAN ChangesMade
  611. )
  612. /*++
  613. Routine Description:
  614. This routine is used to walk the privileges array in a token as a
  615. result of a request to adjust privileges.
  616. If the MakeChanges parameter is FALSE, this routine simply determines
  617. what changes are needed and how much space is necessary to save the
  618. current state of changed privileges.
  619. If the MakeChanges parameter is TRUE, this routine will not only
  620. calculate the space necessary to save the current state, but will
  621. actually make the changes.
  622. This routine makes the following assumptions:
  623. 1) The token is locked for exclusive access.
  624. 2) The PrivilegeCount and NewState parameters (if passed) are captured
  625. and accesses to them will not result in access violations.
  626. 4) Any access violations encountered may leave the request
  627. partially completed. It is the calling routine's responsibility
  628. to catch exceptions.
  629. 5) The calling routine is responsible for inrementing the token's
  630. ModifiedId field.
  631. Arguments:
  632. Token - Pointer to the token to act upon.
  633. MakeChanges - A boolean value indicating whether the changes should
  634. actually be made, or just evaluated. A value of TRUE indicates
  635. the changes should be made.
  636. DisableAllPrivilegs - A boolean value indicating whether all privileges
  637. are to be disabled, or only select, specified privileges. A value
  638. of TRUE indicates all privileges are to be disabled.
  639. PrivilegeCount - This parameter is required only if the NewState parameter
  640. is used. In that case, this parameter indicates how many entries are
  641. in the NewState parameter.
  642. NewState - This parameter is ignored if the DisableAllPrivileges
  643. argument is TRUE. If the DisableAllPrivileges argument is FALSE,
  644. then this parameter must be provided and specifies the new state
  645. to set privileges to (enabled or disabled).
  646. PreviousState - This (optional) parameter points to a buffer to
  647. receive the state of any privileges actually changed by this
  648. request. This information is formated as a TOKEN_PRIVILEGES data
  649. structure which may be passed as the NewState parameter in a
  650. subsequent call to NtAdjustPrivileges to restore the original state
  651. of those privileges. It is the caller's responsibility to make
  652. sure this buffer is large enough to receive all the state
  653. information.
  654. ReturnLength - Points to a buffer to receive the number of bytes needed
  655. to retrieve the previous state information of changed privileges.
  656. This parameter is ignored if the PreviousState argument is not
  657. passed.
  658. ChangeCount - Points to a ULONG to receive the number of privileges
  659. which were adjusted (or would be adjusted, if changes are made).
  660. ChangesMade - Points to a boolean flag which is to receive an indication
  661. as to whether any changes were made as a result of this call. This
  662. is expected to be used to decide whether or not to increment the
  663. token's ModifiedId field.
  664. Return Value:
  665. STATUS_SUCCESS - Call completed sccessfully.
  666. STATUS_NOT_ALL_ASSIGNED - Indicates not all the specified adjustments
  667. have been made (or could be made, if update wasn't requested).
  668. --*/
  669. {
  670. NTSTATUS CompletionStatus = STATUS_SUCCESS;
  671. ULONG OldIndex;
  672. ULONG NewIndex;
  673. BOOLEAN Found;
  674. ULONG MatchCount = 0;
  675. LUID_AND_ATTRIBUTES CurrentPrivilege;
  676. PAGED_CODE();
  677. //
  678. // Walk through the privileges array to determine which need to be
  679. // adjusted.
  680. //
  681. OldIndex = 0;
  682. (*ChangeCount) = 0;
  683. (*ChangesMade) = FALSE;
  684. while (OldIndex < Token->PrivilegeCount) {
  685. CurrentPrivilege = (Token->Privileges)[OldIndex];
  686. if (DisableAllPrivileges) {
  687. if (SepTokenPrivilegeAttributes(Token,OldIndex) &
  688. SE_PRIVILEGE_ENABLED ) {
  689. //
  690. // Change, if necessary (saving previous state if
  691. // appropriate).
  692. //
  693. if (MakeChanges) {
  694. if (ARGUMENT_PRESENT(PreviousState)) {
  695. PreviousState->Privileges[(*ChangeCount)] =
  696. CurrentPrivilege;
  697. }
  698. SepTokenPrivilegeAttributes(Token,OldIndex) &=
  699. ~SE_PRIVILEGE_ENABLED;
  700. } //endif make changes
  701. //
  702. // increment the number of changes
  703. //
  704. (*ChangeCount) += 1;
  705. } // endif privilege enabled
  706. } else {
  707. //
  708. // Selective adjustments - this is a little trickier
  709. // Compare the current privilege to each of those in
  710. // the NewState array. If a match is found, then adjust
  711. // the current privilege appropriately.
  712. //
  713. NewIndex = 0;
  714. Found = FALSE;
  715. while ( (NewIndex < PrivilegeCount) && !Found) {
  716. //
  717. // Look for a comparison
  718. //
  719. if (RtlEqualLuid(&CurrentPrivilege.Luid,&NewState[NewIndex].Luid)) {
  720. Found = TRUE;
  721. MatchCount += 1;
  722. //
  723. // Check if the caller wants the privilege removed. We give
  724. // SE_PRIVILEGE_REMOVED a preferance over any other flags.
  725. //
  726. if ( (SepArrayPrivilegeAttributes( NewState, NewIndex ) &
  727. SE_PRIVILEGE_REMOVED) ) {
  728. //
  729. // Change, if necessary. There is no need to save the
  730. // previous state. This is a one way journey.
  731. //
  732. if (MakeChanges) {
  733. //
  734. // if this is one of the recorded privileges, then
  735. // delete its corresponding bit in TokenFlags
  736. //
  737. if (RtlEqualLuid(&CurrentPrivilege.Luid,
  738. &SeChangeNotifyPrivilege)) {
  739. Token->TokenFlags &= ~TOKEN_HAS_TRAVERSE_PRIVILEGE;
  740. } else if (RtlEqualLuid(&CurrentPrivilege.Luid,
  741. &SeBackupPrivilege)) {
  742. Token->TokenFlags &= ~TOKEN_HAS_BACKUP_PRIVILEGE;
  743. } else if (RtlEqualLuid(&CurrentPrivilege.Luid,
  744. &SeRestorePrivilege)) {
  745. Token->TokenFlags &= ~TOKEN_HAS_RESTORE_PRIVILEGE;
  746. } else if (RtlEqualLuid( &CurrentPrivilege.Luid,
  747. &SeImpersonatePrivilege)) {
  748. Token->TokenFlags &= ~TOKEN_HAS_IMPERSONATE_PRIVILEGE;
  749. }
  750. //
  751. // Swap this privilege with the last one.
  752. //
  753. if (OldIndex + 1 != Token->PrivilegeCount) {
  754. LUID_AND_ATTRIBUTES TempLuidAttr;
  755. TempLuidAttr = Token->Privileges[OldIndex];
  756. Token->Privileges[OldIndex] = Token->Privileges[Token->PrivilegeCount-1];
  757. Token->Privileges[Token->PrivilegeCount-1] = TempLuidAttr;
  758. }
  759. //
  760. // We just lost a privilege. Make note of it.
  761. //
  762. Token->PrivilegeCount--;
  763. OldIndex--;
  764. (*ChangesMade) = TRUE;
  765. } //endif make changes
  766. //
  767. // Note: Do NOT increment the number of changes
  768. //
  769. //
  770. // Check if there is a state change from/to enabled to/from
  771. // disabled
  772. //
  773. } else if ( (SepArrayPrivilegeAttributes( NewState, NewIndex ) &
  774. SE_PRIVILEGE_ENABLED)
  775. !=
  776. (SepTokenPrivilegeAttributes(Token,OldIndex) &
  777. SE_PRIVILEGE_ENABLED) ) {
  778. //
  779. // Change, if necessary (saving previous state if
  780. // appropriate).
  781. //
  782. if (MakeChanges) {
  783. if (ARGUMENT_PRESENT(PreviousState)) {
  784. PreviousState->Privileges[(*ChangeCount)] =
  785. CurrentPrivilege;
  786. }
  787. SepTokenPrivilegeAttributes(Token,OldIndex) &=
  788. ~(SepTokenPrivilegeAttributes(Token,OldIndex)
  789. & SE_PRIVILEGE_ENABLED);
  790. SepTokenPrivilegeAttributes(Token,OldIndex) |=
  791. (SepArrayPrivilegeAttributes(NewState,NewIndex)
  792. & SE_PRIVILEGE_ENABLED);
  793. //
  794. // if this is SeChangeNotifyPrivilege, then
  795. // change its corresponding bit in TokenFlags
  796. // Note that Backup and Restore privileges do not
  797. // care about Enabled/Disabled state.
  798. //
  799. if (RtlEqualLuid(&CurrentPrivilege.Luid,
  800. &SeChangeNotifyPrivilege)) {
  801. Token->TokenFlags ^= TOKEN_HAS_TRAVERSE_PRIVILEGE;
  802. } else if ( RtlEqualLuid( &CurrentPrivilege.Luid,
  803. &SeImpersonatePrivilege)) {
  804. Token->TokenFlags ^= TOKEN_HAS_IMPERSONATE_PRIVILEGE ;
  805. }
  806. } //endif make changes
  807. //
  808. // increment the number of changes
  809. //
  810. (*ChangeCount) += 1;
  811. }
  812. } // endif found
  813. NewIndex += 1;
  814. } // endwhile searching NewState
  815. } // endelse
  816. OldIndex += 1;
  817. } // endwhile privileges in token
  818. //
  819. // If we disabled all privileges, then clear the TokenFlags flag
  820. // corresponding to the SeChangeNotifyPrivilege privilege.
  821. //
  822. if (DisableAllPrivileges) {
  823. Token->TokenFlags &= ~TOKEN_HAS_TRAVERSE_PRIVILEGE;
  824. }
  825. //
  826. // Set completion status appropriately if some not assigned
  827. //
  828. if (!DisableAllPrivileges) {
  829. if (MatchCount < PrivilegeCount) {
  830. CompletionStatus = STATUS_NOT_ALL_ASSIGNED;
  831. }
  832. }
  833. //
  834. // Indicate whether changes were made
  835. //
  836. if ((*ChangeCount) > 0 && MakeChanges) {
  837. (*ChangesMade) = TRUE;
  838. }
  839. //
  840. // Calculate the space needed to return previous state information
  841. //
  842. if (ARGUMENT_PRESENT(PreviousState)) {
  843. (*ReturnLength) = (ULONG)sizeof(TOKEN_PRIVILEGES) +
  844. ((*ChangeCount) * (ULONG)sizeof(LUID_AND_ATTRIBUTES)) -
  845. (ANYSIZE_ARRAY * (ULONG)sizeof(LUID_AND_ATTRIBUTES));
  846. }
  847. return CompletionStatus;
  848. }
  849. NTSTATUS
  850. SepAdjustGroups(
  851. IN PTOKEN Token,
  852. IN BOOLEAN MakeChanges,
  853. IN BOOLEAN ResetToDefault,
  854. IN ULONG GroupCount,
  855. IN PSID_AND_ATTRIBUTES NewState OPTIONAL,
  856. OUT PTOKEN_GROUPS PreviousState OPTIONAL,
  857. OUT PSID SidBuffer OPTIONAL,
  858. OUT PULONG ReturnLength,
  859. OUT PULONG ChangeCount,
  860. OUT PBOOLEAN ChangesMade
  861. )
  862. /*++
  863. Routine Description:
  864. This routine is used to walk the groups array in a token as a
  865. result of a request to adjust groups.
  866. If the MakeChanges parameter is FALSE, this routine simply determines
  867. what changes are needed and how much space is necessary to save the
  868. current state of changed groups.
  869. If the MakeChanges parameter is TRUE, this routine will not only
  870. calculate the space necessary to save the current state, but will
  871. actually make the changes.
  872. This routine makes the following assumptions:
  873. 1) The token is locked for exclusive access.
  874. 2) The NewState parameter is captured and accesses
  875. to it will not result in access violations.
  876. 4) Any access violations encountered may leave the request
  877. partially completed. It is the calling routine's responsibility
  878. to catch exceptions.
  879. 5) The calling routine is responsible for inrementing the token's
  880. ModifiedId field.
  881. Arguments:
  882. Token - Pointer to the token to act upon.
  883. MakeChanges - A boolean value indicating whether the changes should
  884. actually be made, or just evaluated. A value of TRUE indicates
  885. the changes should be made.
  886. ResetToDefault - Indicates that the groups are to be reset to their
  887. default enabled/disabled state.
  888. GroupCount - This parameter is required only if the NewState parameter
  889. is used. In that case, this parameter indicates how many entries are
  890. in the NewState parameter.
  891. NewState - This parameter points to a SID_AND_ATTRIBUTES array
  892. containing the groups whose states are to be adjusted
  893. (disabled or enabled). Only the Enabled flag of the
  894. attributes associated with each group is used. It provides
  895. the new value that is to be assigned to the group in the
  896. token. If the ResetToDefault argument is specified as TRUE,
  897. then this argument is ignored. Otherwise, it must be passed.
  898. PreviousState - This (optional) parameter points to a buffer to
  899. receive the state of any groups actually changed by this
  900. request. This information is formated as a TOKEN_GROUPS data
  901. structure which may be passed as the NewState parameter in a
  902. subsequent call to NtAdjustGroups to restore the original state
  903. of those groups. It is the caller's responsibility to make
  904. sure this buffer is large enough to receive all the state
  905. information.
  906. SidBuffer - Pointer to buffer to receive the SID values corresponding
  907. to the groups returned in the PreviousState argument.
  908. ReturnLength - Points to a buffer to receive the number of bytes needed
  909. to retrieve the previous state information of changed privileges.
  910. This parameter is ignored if the PreviousState argument is not
  911. passed.
  912. ChangeCount - Points to a ULONG to receive the number of groups
  913. which were adjusted (or would be adjusted, if changes are made).
  914. ChangesMade - Points to a boolean flag which is to receive an indication
  915. as to whether any changes were made as a result of this call. This
  916. is expected to be used to decide whether or not to increment the
  917. token's ModifiedId field.
  918. Return Value:
  919. STATUS_SUCCESS - Call completed sccessfully.
  920. STATUS_NOT_ALL_ASSIGNED - Indicates not all the specified adjustments
  921. have been made (or could be made, if update wasn't requested).
  922. STATUS_CANT_DISABLE_MANDATORY - Not all adjustments were made (or could
  923. be made, if update not requested) because an attempt was made to
  924. disable a mandatory group. The state of the groups is left
  925. in an underterministic state if update was requested.
  926. --*/
  927. {
  928. NTSTATUS CompletionStatus = STATUS_SUCCESS;
  929. ULONG OldIndex;
  930. ULONG NewIndex;
  931. ULONG SidLength;
  932. ULONG LocalReturnLength = 0;
  933. PSID NextSid;
  934. BOOLEAN Found;
  935. ULONG MatchCount = 0;
  936. BOOLEAN EnableGroup;
  937. BOOLEAN DisableGroup;
  938. ULONG TokenGroupAttributes;
  939. SID_AND_ATTRIBUTES CurrentGroup;
  940. PAGED_CODE();
  941. //
  942. // NextSid is used to copy group SID values if asked for previous state.
  943. //
  944. NextSid = SidBuffer;
  945. //
  946. // Walk through the groups array to determine which need to be
  947. // adjusted.
  948. //
  949. OldIndex = 1; // Don't evaluate the 0th entry (user ID)
  950. (*ChangeCount) = 0;
  951. while (OldIndex < Token->UserAndGroupCount) {
  952. CurrentGroup = Token->UserAndGroups[OldIndex];
  953. if (ResetToDefault) {
  954. TokenGroupAttributes = SepTokenGroupAttributes(Token,OldIndex);
  955. //
  956. // If the group is enabled by default and currently disabled,
  957. // then we must enable it.
  958. //
  959. EnableGroup = (BOOLEAN)( (TokenGroupAttributes & SE_GROUP_ENABLED_BY_DEFAULT)
  960. && !(TokenGroupAttributes & SE_GROUP_ENABLED));
  961. //
  962. // If the group is disabled by default and currently enabled,
  963. // then we must disable it.
  964. //
  965. DisableGroup = (BOOLEAN)( !(TokenGroupAttributes & SE_GROUP_ENABLED_BY_DEFAULT)
  966. && (TokenGroupAttributes & SE_GROUP_ENABLED));
  967. if ( EnableGroup || DisableGroup ) {
  968. SidLength = SeLengthSid( CurrentGroup.Sid );
  969. SidLength = (ULONG)LongAlignSize(SidLength);
  970. LocalReturnLength += SidLength;
  971. //
  972. // Change, if necessary (saving previous state if
  973. // appropriate).
  974. //
  975. if (MakeChanges) {
  976. if (ARGUMENT_PRESENT(PreviousState)) {
  977. (*(PreviousState)).Groups[(*ChangeCount)].Attributes =
  978. CurrentGroup.Attributes;
  979. (*(PreviousState)).Groups[(*ChangeCount)].Sid =
  980. NextSid;
  981. RtlCopySid( SidLength, NextSid, CurrentGroup.Sid );
  982. NextSid = (PSID)((ULONG_PTR)NextSid + SidLength);
  983. }
  984. if (EnableGroup) {
  985. SepTokenGroupAttributes(Token,OldIndex) |= SE_GROUP_ENABLED;
  986. } else {
  987. SepTokenGroupAttributes(Token,OldIndex) &= ~SE_GROUP_ENABLED;
  988. }
  989. } //endif make changes
  990. //
  991. // increment the number of changes
  992. //
  993. (*ChangeCount) += 1;
  994. } // endif group enabled
  995. } else {
  996. //
  997. // Selective adjustments - this is a little trickier
  998. // Compare the current group to each of those in
  999. // the NewState array. If a match is found, then adjust
  1000. // the current group appropriately.
  1001. //
  1002. NewIndex = 0;
  1003. Found = FALSE;
  1004. while ( (NewIndex < GroupCount) && !Found) {
  1005. //
  1006. // Look for a comparison
  1007. //
  1008. if (RtlEqualSid(
  1009. CurrentGroup.Sid,
  1010. NewState[NewIndex].Sid
  1011. ) ) {
  1012. Found = TRUE;
  1013. MatchCount += 1;
  1014. //
  1015. // See if it needs to be changed
  1016. //
  1017. if ( (SepArrayGroupAttributes( NewState, NewIndex ) &
  1018. SE_GROUP_ENABLED ) !=
  1019. (SepTokenGroupAttributes(Token,OldIndex) &
  1020. SE_GROUP_ENABLED ) ) {
  1021. //
  1022. // Make sure group is not mandatory
  1023. //
  1024. if (SepTokenGroupAttributes(Token,OldIndex) &
  1025. SE_GROUP_MANDATORY ) {
  1026. return STATUS_CANT_DISABLE_MANDATORY;
  1027. }
  1028. //
  1029. // Make sure group is not deny-only
  1030. //
  1031. if (SepTokenGroupAttributes(Token,OldIndex) &
  1032. SE_GROUP_USE_FOR_DENY_ONLY ) {
  1033. return STATUS_CANT_ENABLE_DENY_ONLY;
  1034. }
  1035. SidLength = SeLengthSid( CurrentGroup.Sid );
  1036. SidLength = (ULONG)LongAlignSize(SidLength);
  1037. LocalReturnLength += SidLength;
  1038. //
  1039. // Change, if necessary (saving previous state if
  1040. // appropriate).
  1041. //
  1042. if (MakeChanges) {
  1043. if (ARGUMENT_PRESENT(PreviousState)) {
  1044. PreviousState->Groups[(*ChangeCount)].Attributes =
  1045. CurrentGroup.Attributes;
  1046. PreviousState->Groups[(*ChangeCount)].Sid =
  1047. NextSid;
  1048. RtlCopySid( SidLength, NextSid, CurrentGroup.Sid );
  1049. NextSid = (PSID)((ULONG_PTR)NextSid + SidLength);
  1050. }
  1051. SepTokenGroupAttributes(Token,OldIndex) &=
  1052. ~(SepTokenGroupAttributes(Token,OldIndex)
  1053. & SE_GROUP_ENABLED);
  1054. SepTokenGroupAttributes(Token,OldIndex) |=
  1055. (SepArrayGroupAttributes(NewState,NewIndex)
  1056. & SE_GROUP_ENABLED);
  1057. } //endif make changes
  1058. //
  1059. // increment the number of changes
  1060. //
  1061. (*ChangeCount) += 1;
  1062. } // endif change needed
  1063. } // endif found
  1064. NewIndex += 1;
  1065. } // endwhile searching NewState
  1066. } // endelse
  1067. OldIndex += 1;
  1068. } // endwhile more groups in token
  1069. //
  1070. // Set completion status appropriately if some not assigned
  1071. //
  1072. if (!ResetToDefault) {
  1073. if (MatchCount < GroupCount) {
  1074. CompletionStatus = STATUS_NOT_ALL_ASSIGNED;
  1075. }
  1076. }
  1077. //
  1078. // Indicate whether changes were made
  1079. //
  1080. if ((*ChangeCount) > 0 && MakeChanges) {
  1081. (*ChangesMade) = TRUE;
  1082. } else {
  1083. (*ChangesMade) = FALSE;
  1084. }
  1085. //
  1086. // Calculate the space needed to return previous state information
  1087. // (The SID lengths have already been added up in LocalReturnLength).
  1088. //
  1089. if (ARGUMENT_PRESENT(PreviousState)) {
  1090. (*ReturnLength) = LocalReturnLength +
  1091. (ULONG)sizeof(TOKEN_GROUPS) +
  1092. ((*ChangeCount) * (ULONG)sizeof(SID_AND_ATTRIBUTES)) -
  1093. (ANYSIZE_ARRAY * (ULONG)sizeof(SID_AND_ATTRIBUTES));
  1094. }
  1095. return CompletionStatus;
  1096. }