Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1754 lines
47 KiB

/*++
Copyright (c) 1992 Microsoft Corporation
Module Name:
scsec.cxx
Abstract:
This module contains security related routines:
RQueryServiceObjectSecurity
RSetServiceObjectSecurity
ScCreateScManagerObject
ScCreateScServiceObject
ScGrantAccess
ScPrivilegeCheckAndAudit
ScAccessValidate
ScAccessCheckAndAudit
ScGetPrivilege
ScReleasePrivilege
Author:
Rita Wong (ritaw) 10-Mar-1992
Environment:
Calls NT native APIs.
Revision History:
10-Mar-1992 ritaw
created
16-Apr-1992 JohnRo
Process services which are marked for delete accordingly.
06-Aug-1992 Danl
Fixed a debug print statement. It indicated it was from the
ScLoadDeviceDriver function - rather than in ScGetPrivilege.
21-Jan-1995 AnirudhS
Added ScGrantAccess and ScPrivilegeCheckAndAudit.
--*/
#include "precomp.hxx"
#include "scconfig.h" // ScOpenServiceConfigKey
#include "scsec.h" // Object names and security functions
#include "control.h" // SERVICE_SET_STATUS
#include "account.h" // ScLookupServiceAccount
#include "align.h" // ROUND_UP_COUNT
#define PRIVILEGE_BUF_SIZE 512
//-------------------------------------------------------------------//
// //
// Static global variables //
// //
//-------------------------------------------------------------------//
//
// Security descriptor of the SCManager objects to control user accesses
// to the Service Control Manager and its database.
//
PSECURITY_DESCRIPTOR ScManagerSd;
//
// Structure that describes the mapping of Generic access rights to
// object specific access rights for the ScManager object.
//
GENERIC_MAPPING ScManagerObjectMapping = {
STANDARD_RIGHTS_READ | // Generic read
SC_MANAGER_ENUMERATE_SERVICE |
SC_MANAGER_QUERY_LOCK_STATUS,
STANDARD_RIGHTS_WRITE | // Generic write
SC_MANAGER_CREATE_SERVICE |
SC_MANAGER_MODIFY_BOOT_CONFIG,
STANDARD_RIGHTS_EXECUTE | // Generic execute
SC_MANAGER_CONNECT |
SC_MANAGER_LOCK,
SC_MANAGER_ALL_ACCESS // Generic all
};
//
// Structure that describes the mapping of generic access rights to
// object specific access rights for the Service object.
//
GENERIC_MAPPING ScServiceObjectMapping = {
STANDARD_RIGHTS_READ | // Generic read
SERVICE_QUERY_CONFIG |
SERVICE_QUERY_STATUS |
SERVICE_ENUMERATE_DEPENDENTS |
SERVICE_INTERROGATE,
STANDARD_RIGHTS_WRITE | // Generic write
SERVICE_CHANGE_CONFIG,
STANDARD_RIGHTS_EXECUTE | // Generic execute
SERVICE_START |
SERVICE_STOP |
SERVICE_PAUSE_CONTINUE |
SERVICE_USER_DEFINED_CONTROL,
SERVICE_ALL_ACCESS // Generic all
};
//-------------------------------------------------------------------//
// //
// Functions //
// //
//-------------------------------------------------------------------//
DWORD
RQueryServiceObjectSecurity(
IN SC_RPC_HANDLE hService,
IN SECURITY_INFORMATION dwSecurityInformation,
OUT LPBYTE lpSecurityDescriptor,
IN DWORD cbBufSize,
OUT LPDWORD pcbBytesNeeded
)
/*++
Routine Description:
This is the worker function for QueryServiceObjectSecurity API.
It returns the security descriptor information of a service
object.
Arguments:
hService - Supplies the context handle to an existing service object.
dwSecurityInformation - Supplies the bitwise flags describing the
security information being queried.
lpSecurityInformation - Supplies the output buffer from the user
which security descriptor information will be written to on
return.
cbBufSize - Supplies the size of lpSecurityInformation buffer.
pcbBytesNeeded - Returns the number of bytes needed of the
lpSecurityInformation buffer to get all the requested
information.
Return Value:
NO_ERROR - The operation was successful.
ERROR_INVALID_HANDLE - The specified handle was invalid.
ERROR_ACCESS_DENIED - The specified handle was not opened for
either READ_CONTROL or ACCESS_SYSTEM_SECURITY
access.
ERROR_INVALID_PARAMETER - The dwSecurityInformation parameter is
invalid.
ERROR_INSUFFICIENT_BUFFER - The specified output buffer is smaller
than the required size returned in pcbBytesNeeded. None of
the security descriptor is returned.
Note:
It is expected that the RPC Stub functions will find the following
parameter problems:
Bad pointers for lpSecurityDescriptor, and pcbBytesNeeded.
--*/
{
NTSTATUS ntstatus;
ACCESS_MASK DesiredAccess = 0;
PSECURITY_DESCRIPTOR ServiceSd;
DWORD ServiceSdSize = 0;
//
// Check the handle.
//
if (!ScIsValidServiceHandle(hService))
{
return ERROR_INVALID_HANDLE;
}
//
// Check the validity of dwSecurityInformation
//
if ((dwSecurityInformation == 0) ||
((dwSecurityInformation &
(OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION |
SACL_SECURITY_INFORMATION)) != dwSecurityInformation))
{
return ERROR_INVALID_PARAMETER;
}
//
// Set the desired access based on the requested SecurityInformation
//
if (dwSecurityInformation & SACL_SECURITY_INFORMATION) {
DesiredAccess |= ACCESS_SYSTEM_SECURITY;
}
if (dwSecurityInformation & (DACL_SECURITY_INFORMATION |
OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION)) {
DesiredAccess |= READ_CONTROL;
}
//
// Was the handle opened for the requested access?
//
if (! RtlAreAllAccessesGranted(
((LPSC_HANDLE_STRUCT)hService)->AccessGranted,
DesiredAccess
)) {
return ERROR_ACCESS_DENIED;
}
//
//
RtlZeroMemory(lpSecurityDescriptor, cbBufSize);
//
// Get the database lock for reading
//
CServiceRecordSharedLock RLock;
//
// The most up-to-date service security descriptor is always kept in
// the service record.
//
ServiceSd =
((LPSC_HANDLE_STRUCT)hService)->Type.ScServiceObject.ServiceRecord->ServiceSd;
//
// Retrieve the appropriate security information from ServiceSd
// and place it in the user supplied buffer.
//
ntstatus = RtlQuerySecurityObject(
ServiceSd,
dwSecurityInformation,
(PSECURITY_DESCRIPTOR) lpSecurityDescriptor,
cbBufSize,
&ServiceSdSize
);
if (! NT_SUCCESS(ntstatus)) {
if (ntstatus == STATUS_BAD_DESCRIPTOR_FORMAT) {
//
// Internal error: our security descriptor is bad!
//
SC_LOG0(ERROR,
"RQueryServiceObjectSecurity: Our security descriptor is bad!\n");
ASSERT(FALSE);
return ERROR_GEN_FAILURE;
}
else if (ntstatus == STATUS_BUFFER_TOO_SMALL) {
//
// Return the required size to the user
//
*pcbBytesNeeded = ServiceSdSize;
return ERROR_INSUFFICIENT_BUFFER;
}
else {
return RtlNtStatusToDosError(ntstatus);
}
}
//
// Return the required size to the user
//
*pcbBytesNeeded = ServiceSdSize;
return NO_ERROR;
}
DWORD
RSetServiceObjectSecurity(
IN SC_RPC_HANDLE hService,
IN SECURITY_INFORMATION dwSecurityInformation,
IN LPBYTE lpSecurityDescriptor,
IN DWORD cbBufSize
)
/*++
Routine Description:
This is the worker function for SetServiceObjectSecurity API.
It modifies the security descriptor information of a service
object.
Arguments:
hService - Supplies the context handle to the service.
dwSecurityInformation - Supplies the bitwise flags of security
information being queried.
lpSecurityInformation - Supplies a buffer which contains a
well-formed self-relative security descriptor.
cbBufSize - Supplies the size of lpSecurityInformation buffer.
Return Value:
NO_ERROR - The operation was successful.
ERROR_INVALID_HANDLE - The specified handle was invalid.
ERROR_ACCESS_DENIED - The specified handle was not opened for
either WRITE_OWNER, WRITE_DAC, or ACCESS_SYSTEM_SECURITY
access.
ERROR_INVALID_PARAMETER - The lpSecurityDescriptor or dwSecurityInformation
parameter is invalid.
Note:
It is expected that the RPC Stub functions will find the following
parameter problems:
Bad pointers for lpSecurityDescriptor.
--*/
{
DWORD status;
NTSTATUS ntstatus;
RPC_STATUS rpcstatus;
ACCESS_MASK DesiredAccess = 0;
LPSERVICE_RECORD serviceRecord;
HANDLE ClientTokenHandle = NULL;
LPBYTE lpTempSD = lpSecurityDescriptor;
UNREFERENCED_PARAMETER(cbBufSize); // for RPC marshalling code
//
// Check the handle.
//
if (!ScIsValidServiceHandle(hService))
{
return ERROR_INVALID_HANDLE;
}
//
// Silently ignore flags we don't understand that may come
// from higher-level object managers.
//
dwSecurityInformation &= (OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION |
DACL_SECURITY_INFORMATION |
SACL_SECURITY_INFORMATION);
if (dwSecurityInformation == 0)
{
return NO_ERROR;
}
#ifdef _WIN64
if (PtrToUlong(lpSecurityDescriptor) & (sizeof(PVOID) - 1))
{
//
// SD isn't properly aligned. Alloc an aligned heap buffer
// and copy it in to fix things up.
//
lpTempSD = (LPBYTE) LocalAlloc(LMEM_FIXED, cbBufSize);
if (lpTempSD == NULL)
{
status = ERROR_NOT_ENOUGH_MEMORY;
goto CleanExit;
}
RtlCopyMemory(lpTempSD, lpSecurityDescriptor, cbBufSize);
}
#endif // _WIN64
//
// Check the validity of lpSecurityInformation
//
if (! RtlValidRelativeSecurityDescriptor(
(PSECURITY_DESCRIPTOR) lpTempSD,
cbBufSize,
dwSecurityInformation
))
{
status = ERROR_INVALID_PARAMETER;
goto CleanExit;
}
//
// Set the desired access based on the specified SecurityInformation
//
if (dwSecurityInformation & SACL_SECURITY_INFORMATION) {
DesiredAccess |= ACCESS_SYSTEM_SECURITY;
}
if (dwSecurityInformation & (OWNER_SECURITY_INFORMATION |
GROUP_SECURITY_INFORMATION)) {
DesiredAccess |= WRITE_OWNER;
}
if (dwSecurityInformation & DACL_SECURITY_INFORMATION) {
DesiredAccess |= WRITE_DAC;
}
//
// Make sure the specified fields are present in the provided
// security descriptor.
// Security descriptors must have owner and group fields.
//
if (dwSecurityInformation & OWNER_SECURITY_INFORMATION)
{
if (((PISECURITY_DESCRIPTOR_RELATIVE) lpTempSD)->Owner == 0)
{
status = ERROR_INVALID_PARAMETER;
goto CleanExit;
}
}
if (dwSecurityInformation & GROUP_SECURITY_INFORMATION)
{
if (((PISECURITY_DESCRIPTOR_RELATIVE) lpTempSD)->Group == 0)
{
status = ERROR_INVALID_PARAMETER;
goto CleanExit;
}
}
//
// Was the handle opened for the requested access?
//
if (! RtlAreAllAccessesGranted(
((LPSC_HANDLE_STRUCT)hService)->AccessGranted,
DesiredAccess
))
{
status = ERROR_ACCESS_DENIED;
goto CleanExit;
}
//
// Is this service marked for delete?
//
serviceRecord =
((LPSC_HANDLE_STRUCT)hService)->Type.ScServiceObject.ServiceRecord;
SC_ASSERT( serviceRecord != NULL );
if (DELETE_FLAG_IS_SET(serviceRecord))
{
status = ERROR_SERVICE_MARKED_FOR_DELETE;
goto CleanExit;
}
//
// If caller wants to replace the owner, get a handle to the impersonation
// token.
//
if (dwSecurityInformation & OWNER_SECURITY_INFORMATION)
{
if ((rpcstatus = RpcImpersonateClient(NULL)) != RPC_S_OK)
{
SC_LOG1(
ERROR,
"RSetServiceObjectSecurity: Failed to impersonate client " FORMAT_RPC_STATUS "\n",
rpcstatus
);
ScLogEvent(
NEVENT_CALL_TO_FUNCTION_FAILED,
SC_RPC_IMPERSONATE,
rpcstatus
);
status = rpcstatus;
goto CleanExit;
}
ntstatus = NtOpenThreadToken(
NtCurrentThread(),
TOKEN_QUERY,
TRUE, // OpenAsSelf
&ClientTokenHandle
);
//
// Stop impersonating the client
//
if ((rpcstatus = RpcRevertToSelf()) != RPC_S_OK) {
SC_LOG1(
ERROR,
"RSetServiceObjectSecurity: Failed to revert to self " FORMAT_RPC_STATUS "\n",
rpcstatus
);
ScLogEvent(
NEVENT_CALL_TO_FUNCTION_FAILED,
SC_RPC_REVERT,
rpcstatus
);
ASSERT(FALSE);
status = rpcstatus;
goto CleanExit;
}
if (! NT_SUCCESS(ntstatus))
{
SC_LOG(ERROR,
"RSetServiceObjectSecurity: NtOpenThreadToken failed %08lx\n",
ntstatus);
status = RtlNtStatusToDosError(ntstatus);
goto CleanExit;
}
}
{
CServiceRecordExclusiveLock RLock;
//
// Replace the service security descriptor with the appropriate
// security information specified in the caller supplied security
// descriptor. This routine may reallocate the memory needed to
// contain the new service security descriptor.
//
ntstatus = RtlSetSecurityObject(
dwSecurityInformation,
(PSECURITY_DESCRIPTOR) lpTempSD,
&serviceRecord->ServiceSd,
&ScServiceObjectMapping,
ClientTokenHandle
);
status = RtlNtStatusToDosError(ntstatus);
if (! NT_SUCCESS(ntstatus))
{
SC_LOG1(ERROR,
"RSetServiceObjectSecurity: RtlSetSecurityObject failed %08lx\n",
ntstatus);
}
else
{
HKEY ServiceKey;
//
// Write new security descriptor to the registry
//
status = ScOpenServiceConfigKey(
serviceRecord->ServiceName,
KEY_WRITE,
FALSE,
&ServiceKey
);
if (status == NO_ERROR)
{
status = ScWriteSd(
ServiceKey,
serviceRecord->ServiceSd
);
if (status != NO_ERROR)
{
SC_LOG1(ERROR,
"RSetServiceObjectSecurity: ScWriteSd failed %lu\n",
status);
}
ScRegFlushKey(ServiceKey);
ScRegCloseKey(ServiceKey);
}
}
}
CleanExit:
#ifdef _WIN64
if (lpTempSD != lpSecurityDescriptor)
{
LocalFree(lpTempSD);
}
#endif // _WIN64
if (ClientTokenHandle != NULL)
{
NtClose(ClientTokenHandle);
}
return status;
}
DWORD
ScCreateScManagerObject(
VOID
)
/*++
Routine Description:
This function creates the security descriptor which represents
the ScManager object for both the "ServiceActive" and
"ServicesFailed" databases.
Arguments:
None.
Return Value:
Returns values from calls to:
ScCreateUserSecurityObject
--*/
{
NTSTATUS ntstatus;
ULONG Privilege = SE_SECURITY_PRIVILEGE;
//
// World has SC_MANAGER_CONNECT access and GENERIC_READ access.
// Local admins are allowed GENERIC_ALL access.
//
#define SC_MANAGER_OBJECT_ACES 5 // Number of ACEs in this DACL
SC_ACE_DATA AceData[SC_MANAGER_OBJECT_ACES] = {
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
SC_MANAGER_CONNECT |
GENERIC_READ, &AuthenticatedUserSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
SC_MANAGER_CONNECT |
GENERIC_READ |
SC_MANAGER_MODIFY_BOOT_CONFIG, &LocalSystemSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
GENERIC_ALL, &AliasAdminsSid},
{SYSTEM_AUDIT_ACE_TYPE, 0, FAILED_ACCESS_ACE_FLAG,
GENERIC_ALL, &WorldSid},
{SYSTEM_AUDIT_ACE_TYPE, INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE,
FAILED_ACCESS_ACE_FLAG,
GENERIC_ALL, &WorldSid}
};
//
// You need to have SE_SECURITY_PRIVILEGE privilege to create the SD with a
// SACL
//
ntstatus = ScGetPrivilege(1, &Privilege);
if (ntstatus != NO_ERROR) {
SC_LOG1(ERROR, "ScCreateScManagerObject: ScGetPrivilege Failed %d\n",
ntstatus);
RevertToSelf();
return(ntstatus);
}
ntstatus = ScCreateUserSecurityObject(
NULL, // Parent SD
AceData,
SC_MANAGER_OBJECT_ACES,
LocalSystemSid,
LocalSystemSid,
TRUE, // IsDirectoryObject
TRUE, // UseImpersonationToken
&ScManagerObjectMapping,
&ScManagerSd
);
#undef SC_MANAGER_OBJECT_ACES
if (! NT_SUCCESS(ntstatus)) {
SC_LOG(
ERROR,
"ScCreateScManagerObject: ScCreateUserSecurityObject failed " FORMAT_NTSTATUS "\n",
ntstatus
);
}
ScReleasePrivilege();
return RtlNtStatusToDosError(ntstatus);
}
DWORD
ScCreateScServiceObject(
OUT PSECURITY_DESCRIPTOR *ServiceSd
)
/*++
Routine Description:
This function creates the security descriptor which represents
the Service object.
Arguments:
ServiceSd - Returns service object security descriptor.
Return Value:
Returns values from calls to:
ScCreateUserSecurityObject
--*/
{
NTSTATUS ntstatus;
//
// Authenticated users have read access.
// Local system has service start/stop and all read access.
// Power user has service start and all read access (Workstation and Server).
// Admin and SystemOp (DC) are allowed all access.
//
#define SC_SERVICE_OBJECT_ACES 4 // Number of ACEs in this DACL
SC_ACE_DATA AceData[SC_SERVICE_OBJECT_ACES] = {
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
GENERIC_READ | GENERIC_EXECUTE,
&LocalSystemSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
GENERIC_ALL,
&AliasAdminsSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
GENERIC_READ | SERVICE_USER_DEFINED_CONTROL,
&AuthenticatedUserSid},
{ACCESS_ALLOWED_ACE_TYPE, 0, 0,
0,
0}
};
switch(USER_SHARED_DATA->NtProductType)
{
case NtProductWinNt:
case NtProductServer:
//
// Power users are only on Workstation and Server
//
AceData[SC_SERVICE_OBJECT_ACES - 1].Mask = GENERIC_READ | GENERIC_EXECUTE;
AceData[SC_SERVICE_OBJECT_ACES - 1].Sid = &AliasPowerUsersSid;
break;
case NtProductLanManNt:
//
// System Ops (Server Operators) are only on a DC
//
AceData[SC_SERVICE_OBJECT_ACES - 1].Mask = GENERIC_ALL;
AceData[SC_SERVICE_OBJECT_ACES - 1].Sid = &AliasSystemOpsSid;
break;
default:
//
// A new product type has been added -- add code to cover it
//
SC_ASSERT(FALSE);
break;
}
ntstatus = ScCreateUserSecurityObject(
ScManagerSd, // ParentSD
AceData,
SC_SERVICE_OBJECT_ACES,
LocalSystemSid,
LocalSystemSid,
FALSE, // IsDirectoryObject
FALSE, // UseImpersonationToken
&ScServiceObjectMapping,
ServiceSd
);
#undef SC_SERVICE_OBJECT_ACES
return RtlNtStatusToDosError(ntstatus);
}
DWORD
ScGrantAccess(
IN OUT LPSC_HANDLE_STRUCT ContextHandle,
IN ACCESS_MASK DesiredAccess
)
/*++
Routine Description:
This function is called when a new service is created. It validates
the access desired by the caller for the new service handle and
computes the granted access to be stored in the context handle
structure. Since this is object creation, all requested accesses,
except for ACCESS_SYSTEM_SECURITY, are granted automatically.
Arguments:
DesiredAccess - Supplies the client requested desired access.
ContextHandle - On return, the granted access is written back to this
location if this call succeeds.
Return Value:
Returns values from calls to the following, mapped to Win32 error codes:
ScPrivilegeCheckAndAudit
--*/
{
NTSTATUS Status = STATUS_SUCCESS;
ACCESS_MASK AccessToGrant = DesiredAccess;
//
// If MAXIMUM_ALLOWED is requested, add GENERIC_ALL
//
if (AccessToGrant & MAXIMUM_ALLOWED) {
AccessToGrant &= ~MAXIMUM_ALLOWED;
AccessToGrant |= GENERIC_ALL;
}
//
// If ACCESS_SYSTEM_SECURITY is requested, check that we have
// SE_SECURITY_PRIVILEGE.
//
if (AccessToGrant & ACCESS_SYSTEM_SECURITY) {
Status = ScPrivilegeCheckAndAudit(
SE_SECURITY_PRIVILEGE, // check for this privilege
ContextHandle, // client's handle to the object
// (used for auditing only)
DesiredAccess // (used for auditing only)
);
}
if (NT_SUCCESS(Status)) {
//
// Map the generic bits to specific and standard bits.
//
RtlMapGenericMask(
&AccessToGrant,
&ScServiceObjectMapping
);
//
// Return the computed access mask.
//
ContextHandle->AccessGranted = AccessToGrant;
}
return(RtlNtStatusToDosError(Status));
}
NTSTATUS
ScPrivilegeCheckAndAudit(
IN ULONG PrivilegeId,
IN PVOID ObjectHandle,
IN ACCESS_MASK DesiredAccess
)
/*++
Routine Description:
This function is only called from ScGrantAccess. It checks if the given
well known privilege is enabled for an impersonated client. It also
generates an audit for the attempt to use the privilege.
Arguments:
PrivilegeId - Specifies the well known Privilege Id
ObjectHandle - Client's handle to the object (used for auditing)
DesiredAccess - Access that the client requested to the object (used
for auditing)
Return Value:
NTSTATUS - Standard Nt Result Code
STATUS_SUCCESS - The call completed successfully and the client
is either trusted or has the necessary privilege enabled.
STATUS_PRIVILEGE_NOT_HELD - The client does not have the necessary
privilege.
--*/
{
NTSTATUS Status, SecondaryStatus;
HANDLE ClientToken = NULL;
//
// Impersonate the client.
//
Status = I_RpcMapWin32Status(RpcImpersonateClient( NULL ));
if (NT_SUCCESS(Status)) {
//
// Open the current thread's impersonation token (if any).
//
Status = NtOpenThreadToken(
NtCurrentThread(),
TOKEN_QUERY,
TRUE,
&ClientToken
);
if (NT_SUCCESS(Status)) {
PRIVILEGE_SET Privilege;
BOOLEAN PrivilegeHeld = FALSE;
UNICODE_STRING Subsystem;
//
// OK, we have a token open. Now check for the specified privilege.
// On return, PrivilegeHeld indicates whether the client has the
// privilege, and whether we will allow the operation to succeed.
//
Privilege.PrivilegeCount = 1;
Privilege.Control = PRIVILEGE_SET_ALL_NECESSARY;
Privilege.Privilege[0].Luid = RtlConvertLongToLuid(PrivilegeId);
Privilege.Privilege[0].Attributes = 0;
Status = NtPrivilegeCheck(
ClientToken,
&Privilege,
&PrivilegeHeld
);
SC_ASSERT(NT_SUCCESS(Status));
//
// Audit the attempt to use the privilege.
//
RtlInitUnicodeString(&Subsystem, SC_MANAGER_AUDIT_NAME);
Status = NtPrivilegeObjectAuditAlarm(
&Subsystem, // Subsystem name
PrivilegeHeld ? ObjectHandle : NULL,
// Object handle, to display in
// the audit log
ClientToken, // Client's token
DesiredAccess, // Access desired by client
&Privilege, // Privileges attempted to use
PrivilegeHeld // Whether access was granted
);
SC_ASSERT(NT_SUCCESS(Status));
if ( !PrivilegeHeld ) {
Status = STATUS_PRIVILEGE_NOT_HELD;
}
//
// Close the client token.
//
SecondaryStatus = NtClose( ClientToken );
ASSERT(NT_SUCCESS(SecondaryStatus));
}
//
// Stop impersonating the client.
//
SecondaryStatus = I_RpcMapWin32Status(RpcRevertToSelf());
}
return Status;
}
DWORD
ScAccessValidate(
IN OUT LPSC_HANDLE_STRUCT ContextHandle,
IN ACCESS_MASK DesiredAccess
)
/*++
Routine Description:
This function is called due to an open request. It validates the
desired access based on the object type specified in the context
handle structure. If the requested access is granted, it is
written into the context handle structure.
Arguments:
ContextHandle - Supplies a pointer to the context handle structure
which contains information about the object. On return, the
granted access is written back to this structure if this
call succeeds.
DesiredAccess - Supplies the client requested desired access.
Return Value:
ERROR_GEN_FAILURE - Object type is unrecognizable. An internal
error has occured.
Returns values from calls to:
ScAccessCheckAndAudit
Notes:
The supplied ContextHandle must be verified to be valid (i.e., non-NULL)
BEFORE calling this routine.
--*/
{
ACCESS_MASK RequestedAccess = DesiredAccess;
if (ContextHandle->Signature == SC_SIGNATURE) {
//
// Map the generic bits to specific and standard bits.
//
RtlMapGenericMask(&RequestedAccess, &ScManagerObjectMapping);
//
// Check to see if requested access is granted to client
//
return ScAccessCheckAndAudit(
(LPWSTR) SC_MANAGER_AUDIT_NAME,
(LPWSTR) SC_MANAGER_OBJECT_TYPE_NAME,
ContextHandle->Type.ScManagerObject.DatabaseName,
ContextHandle,
ScManagerSd,
RequestedAccess,
&ScManagerObjectMapping
);
}
else if (ContextHandle->Signature == SERVICE_SIGNATURE) {
//
// Special-case the status access check instead of adding the right
// for the service to set its own status to the service's default SD
// because of the following reasons:
//
// 1. This check is tighter -- since an SC_HANDLE can be used
// remotely, this prevents SetServiceStatus from now being
// called remotely because the LUIDs won't match.
//
// 2. Modifying the SD would require lots of extra work for SDs
// that are stored in the registry -- the SCM would have to
// detect that there's no SERVICE_SET_STATUS access ACL on
// the SD and add it (also in calls to SetServiceObjectSecurity).
//
// Note that if the user specifies extraneous access bits (i.e.,
// SERVICE_SET_STATUS & <other bits>), it will be rejected by the
// ScAccessCheckAndAudit call below.
//
if (DesiredAccess == SERVICE_SET_STATUS) {
DWORD dwError = ScStatusAccessCheck(ContextHandle->Type.ScServiceObject.ServiceRecord);
if (dwError == NO_ERROR) {
ContextHandle->AccessGranted = SERVICE_SET_STATUS;
}
return dwError;
}
//
// Map the generic bits to specific and standard bits.
//
RtlMapGenericMask(&RequestedAccess, &ScServiceObjectMapping);
//
// Check to see if requested access is granted to client
//
return ScAccessCheckAndAudit(
(LPWSTR) SC_MANAGER_AUDIT_NAME,
(LPWSTR) SC_SERVICE_OBJECT_TYPE_NAME,
ContextHandle->Type.ScServiceObject.ServiceRecord->ServiceName,
ContextHandle,
ContextHandle->Type.ScServiceObject.ServiceRecord->ServiceSd,
RequestedAccess,
&ScServiceObjectMapping
);
}
else {
//
// Unknown object type. This should not happen!
//
SC_LOG(ERROR, "ScAccessValidate: Unknown object type, signature=0x%08lx\n",
ContextHandle->Signature);
ASSERT(FALSE);
return ERROR_GEN_FAILURE;
}
}
DWORD
ScAccessCheckAndAudit(
IN LPWSTR SubsystemName,
IN LPWSTR ObjectTypeName,
IN LPWSTR ObjectName,
IN OUT LPSC_HANDLE_STRUCT ContextHandle,
IN PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ACCESS_MASK DesiredAccess,
IN PGENERIC_MAPPING GenericMapping
)
/*++
Routine Description:
This function impersonates the caller so that it can perform access
validation using NtAccessCheckAndAuditAlarm; and reverts back to
itself before returning.
Arguments:
SubsystemName - Supplies a name string identifying the subsystem
calling this routine.
ObjectTypeName - Supplies the name of the type of the object being
accessed.
ObjectName - Supplies the name of the object being accessed.
ContextHandle - Supplies the context handle to the object. On return, if
this call succeeds, the granted access is written to the AccessGranted
field of this structure, and the SC_HANDLE_GENERATE_ON_CLOSE bit of the
Flags field indicates whether NtCloseAuditAlarm must be called when
this handle is closed.
SecurityDescriptor - A pointer to the Security Descriptor against which
acccess is to be checked.
DesiredAccess - Supplies desired acccess mask. This mask must have been
previously mapped to contain no generic accesses.
GenericMapping - Supplies a pointer to the generic mapping associated
with this object type.
Return Value:
NT status mapped to Win32 errors.
--*/
{
NTSTATUS NtStatus;
RPC_STATUS RpcStatus;
UNICODE_STRING Subsystem;
UNICODE_STRING ObjectType;
UNICODE_STRING Object;
BOOLEAN GenerateOnClose;
NTSTATUS AccessStatus;
RtlInitUnicodeString(&Subsystem, SubsystemName);
RtlInitUnicodeString(&ObjectType, ObjectTypeName);
RtlInitUnicodeString(&Object, ObjectName);
if ((RpcStatus = RpcImpersonateClient(NULL)) != RPC_S_OK)
{
SC_LOG1(ERROR, "ScAccessCheckAndAudit: Failed to impersonate client " FORMAT_RPC_STATUS "\n",
RpcStatus);
ScLogEvent(
NEVENT_CALL_TO_FUNCTION_FAILED,
SC_RPC_IMPERSONATE,
RpcStatus
);
return RpcStatus;
}
NtStatus = NtAccessCheckAndAuditAlarm(
&Subsystem,
(PVOID) ContextHandle,
&ObjectType,
&Object,
SecurityDescriptor,
DesiredAccess,
GenericMapping,
FALSE,
&ContextHandle->AccessGranted, // return access granted
&AccessStatus,
&GenerateOnClose
);
if ((RpcStatus = RpcRevertToSelf()) != RPC_S_OK)
{
SC_LOG(ERROR, "ScAccessCheckAndAudit: Fail to revert to self %08lx\n",
RpcStatus);
ScLogEvent(
NEVENT_CALL_TO_FUNCTION_FAILED,
SC_RPC_REVERT,
RpcStatus
);
ASSERT(FALSE);
return RpcStatus;
}
if (! NT_SUCCESS(NtStatus)) {
if (NtStatus != STATUS_ACCESS_DENIED) {
SC_LOG1(
ERROR,
"ScAccessCheckAndAudit: Error calling NtAccessCheckAndAuditAlarm " FORMAT_NTSTATUS "\n",
NtStatus
);
}
return ERROR_ACCESS_DENIED;
}
if (GenerateOnClose)
{
ContextHandle->Flags |= SC_HANDLE_GENERATE_ON_CLOSE;
}
if (AccessStatus != STATUS_SUCCESS) {
SC_LOG(SECURITY, "ScAccessCheckAndAudit: Access status is %08lx\n",
AccessStatus);
return ERROR_ACCESS_DENIED;
}
SC_LOG(SECURITY, "ScAccessCheckAndAudit: Object name %ws\n", ObjectName);
SC_LOG(SECURITY, " Granted access %08lx\n",
ContextHandle->AccessGranted);
return NO_ERROR;
}
DWORD
ScStatusAccessCheck(
IN LPSERVICE_RECORD lpServiceRecord OPTIONAL
)
{
RPC_STATUS RpcStatus;
DWORD dwStatus;
HANDLE hThreadToken = NULL;
SC_ASSERT(lpServiceRecord == NULL || ScServiceRecordLock.Have());
//
// If OpenService is called for SERVICE_SET_STATUS access on a
// service that's not running, the ImageRecord will be NULL
//
if (lpServiceRecord != NULL && lpServiceRecord->ImageRecord == NULL)
{
return ERROR_SERVICE_NOT_ACTIVE;
}
RpcStatus = RpcImpersonateClient(NULL);
if (RpcStatus != RPC_S_OK)
{
SC_LOG1(ERROR,
"ScStatusAccessCheck: Failed to impersonate client " FORMAT_RPC_STATUS "\n",
RpcStatus);
ScLogEvent(
NEVENT_CALL_TO_FUNCTION_FAILED,
SC_RPC_IMPERSONATE,
RpcStatus
);
return RpcStatus;
}
if (!OpenThreadToken(GetCurrentThread(),
TOKEN_QUERY,
TRUE, // Open as self
&hThreadToken))
{
dwStatus = GetLastError();
SC_LOG1(ERROR,
"ScStatusAccessCheck: OpenThreadToken FAILED %d\n",
dwStatus);
}
else
{
TOKEN_STATISTICS TokenStats;
if (!GetTokenInformation(hThreadToken,
TokenStatistics, // Information wanted
&TokenStats,
sizeof(TokenStats), // Buffer size
&dwStatus)) // Size required
{
dwStatus = GetLastError();
SC_LOG1(ERROR,
"ScCreateImageRecord: GetTokenInformation FAILED %d\n",
dwStatus);
}
else
{
LUID SystemLuid = SYSTEM_LUID;
if (RtlEqualLuid(&TokenStats.AuthenticationId,
lpServiceRecord ? &lpServiceRecord->ImageRecord->AccountLuid :
&SystemLuid))
{
dwStatus = NO_ERROR;
}
else
{
dwStatus = ERROR_ACCESS_DENIED;
}
}
CloseHandle(hThreadToken);
}
RpcStatus = RpcRevertToSelf();
if (RpcStatus != RPC_S_OK)
{
SC_LOG(ERROR,
"ScStatusAccessCheck: Fail to revert to self %08lx\n",
RpcStatus);
ScLogEvent(
NEVENT_CALL_TO_FUNCTION_FAILED,
SC_RPC_REVERT,
RpcStatus
);
ASSERT(FALSE);
return RpcStatus;
}
return dwStatus;
}
DWORD
ScGetPrivilege(
IN DWORD numPrivileges,
IN PULONG pulPrivileges
)
/*++
Routine Description:
This function alters the privilege level for the current thread.
It does this by duplicating the token for the current thread, and then
applying the new privileges to that new token, then the current thread
impersonates with that new token.
Privileges can be relinquished by calling ScReleasePrivilege().
Arguments:
numPrivileges - This is a count of the number of privileges in the
array of privileges.
pulPrivileges - This is a pointer to the array of privileges that are
desired. This is an array of ULONGs.
Return Value:
NO_ERROR - If the operation was completely successful.
Otherwise, it returns mapped return codes from the various NT
functions that are called.
--*/
{
DWORD status;
NTSTATUS ntStatus;
HANDLE ourToken;
HANDLE newToken;
OBJECT_ATTRIBUTES Obja;
SECURITY_QUALITY_OF_SERVICE SecurityQofS;
ULONG returnLen;
PTOKEN_PRIVILEGES pTokenPrivilege = NULL;
DWORD i;
//
// Initialize the Privileges Structure
//
pTokenPrivilege = (PTOKEN_PRIVILEGES) LocalAlloc(
LMEM_FIXED,
sizeof(TOKEN_PRIVILEGES) +
(sizeof(LUID_AND_ATTRIBUTES) *
numPrivileges)
);
if (pTokenPrivilege == NULL) {
status = GetLastError();
SC_LOG(ERROR,"ScGetPrivilege:LocalAlloc Failed %d\n", status);
return(status);
}
pTokenPrivilege->PrivilegeCount = numPrivileges;
for (i = 0; i < numPrivileges; i++) {
pTokenPrivilege->Privileges[i].Luid = RtlConvertLongToLuid(
pulPrivileges[i]);
pTokenPrivilege->Privileges[i].Attributes = SE_PRIVILEGE_ENABLED;
}
//
// Initialize Object Attribute Structure.
//
InitializeObjectAttributes(&Obja,NULL,0L,NULL,NULL);
//
// Initialize Security Quality Of Service Structure
//
SecurityQofS.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
SecurityQofS.ImpersonationLevel = SecurityImpersonation;
SecurityQofS.ContextTrackingMode = FALSE; // Snapshot client context
SecurityQofS.EffectiveOnly = FALSE;
Obja.SecurityQualityOfService = &SecurityQofS;
//
// Open our own Token
//
ntStatus = NtOpenProcessToken(
NtCurrentProcess(),
TOKEN_DUPLICATE,
&ourToken);
if (!NT_SUCCESS(ntStatus)) {
SC_LOG(ERROR, "ScGetPrivilege: NtOpenThreadToken Failed "
"FORMAT_NTSTATUS" "\n", ntStatus);
LocalFree(pTokenPrivilege);
return(RtlNtStatusToDosError(ntStatus));
}
//
// Duplicate that Token
//
ntStatus = NtDuplicateToken(
ourToken,
TOKEN_IMPERSONATE | TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
&Obja,
FALSE, // Duplicate the entire token
TokenImpersonation, // TokenType
&newToken); // Duplicate token
if (!NT_SUCCESS(ntStatus)) {
SC_LOG(ERROR, "ScGetPrivilege: NtDuplicateToken Failed "
"FORMAT_NTSTATUS" "\n", ntStatus);
LocalFree(pTokenPrivilege);
NtClose(ourToken);
return(RtlNtStatusToDosError(ntStatus));
}
//
// Add new privileges
//
ntStatus = NtAdjustPrivilegesToken(
newToken, // TokenHandle
FALSE, // DisableAllPrivileges
pTokenPrivilege, // NewState
0, // Size of previous state buffer
NULL, // No info on previous state
&returnLen); // numBytes required for buffer.
if (!NT_SUCCESS(ntStatus)) {
SC_LOG(ERROR, "ScGetPrivilege: NtAdjustPrivilegesToken Failed "
"FORMAT_NTSTATUS" "\n", ntStatus);
LocalFree(pTokenPrivilege);
NtClose(ourToken);
NtClose(newToken);
return(RtlNtStatusToDosError(ntStatus));
}
//
// Begin impersonating with the new token
//
ntStatus = NtSetInformationThread(
NtCurrentThread(),
ThreadImpersonationToken,
(PVOID)&newToken,
(ULONG)sizeof(HANDLE));
if (!NT_SUCCESS(ntStatus)) {
SC_LOG(ERROR, "ScGetPrivilege: NtAdjustPrivilegesToken Failed "
"FORMAT_NTSTATUS" "\n", ntStatus);
LocalFree(pTokenPrivilege);
NtClose(ourToken);
NtClose(newToken);
return(RtlNtStatusToDosError(ntStatus));
}
LocalFree(pTokenPrivilege);
NtClose(ourToken);
NtClose(newToken);
return(NO_ERROR);
}
DWORD
ScReleasePrivilege(
VOID
)
/*++
Routine Description:
This function relinquishes privileges obtained by calling ScGetPrivilege().
Arguments:
none
Return Value:
NO_ERROR - If the operation was completely successful.
Otherwise, it returns mapped return codes from the various NT
functions that are called.
--*/
{
NTSTATUS ntStatus;
HANDLE NewToken;
//
// Revert To Self.
//
NewToken = NULL;
ntStatus = NtSetInformationThread(
NtCurrentThread(),
ThreadImpersonationToken,
(PVOID)&NewToken,
(ULONG)sizeof(HANDLE));
if ( !NT_SUCCESS(ntStatus) ) {
return(RtlNtStatusToDosError(ntStatus));
}
return(NO_ERROR);
}
DWORD
ScGetClientSid(
OUT PTOKEN_USER *UserInfo
)
/*++
Routine Description:
This function looks up the SID of the API caller by impersonating
the caller.
Arguments:
UserInfo - Receives a pointer to a buffer allocated by this routine
which contains the TOKEN_USER information of the caller.
Return Value:
Returns the NT error mapped to Win32
--*/
{
DWORD status;
NTSTATUS ntstatus;
RPC_STATUS rpcstatus;
HANDLE CurrentThreadToken = NULL;
DWORD UserInfoSize;
*UserInfo = NULL;
if ((rpcstatus = RpcImpersonateClient(NULL)) != RPC_S_OK)
{
SC_LOG1(
ERROR,
"ScGetUserSid: Failed to impersonate client " FORMAT_RPC_STATUS "\n",
rpcstatus
);
ScLogEvent(
NEVENT_CALL_TO_FUNCTION_FAILED,
SC_RPC_IMPERSONATE,
rpcstatus
);
return ((DWORD) rpcstatus);
}
ntstatus = NtOpenThreadToken(
NtCurrentThread(),
TOKEN_QUERY,
TRUE, // Use service controller's security
// context to open thread token
&CurrentThreadToken
);
status = RtlNtStatusToDosError(ntstatus);
if (! NT_SUCCESS(ntstatus)) {
SC_LOG1(ERROR, "ScGetUserSid: NtOpenThreadToken failed "
FORMAT_NTSTATUS "\n", ntstatus);
goto Cleanup;
}
//
// Call NtQueryInformationToken the first time with 0 input size to
// get size of returned information.
//
ntstatus = NtQueryInformationToken(
CurrentThreadToken,
TokenUser, // User information class
(PVOID) *UserInfo, // Output
0,
&UserInfoSize
);
if (ntstatus != STATUS_BUFFER_TOO_SMALL) {
SC_LOG1(ERROR, "ScGetUserSid: NtQueryInformationToken failed "
FORMAT_NTSTATUS ". Expected BUFFER_TOO_SMALL.\n", ntstatus);
status = RtlNtStatusToDosError(ntstatus);
goto Cleanup;
}
//
// Allocate buffer of returned size
//
*UserInfo = (PTOKEN_USER)LocalAlloc(
LMEM_ZEROINIT,
(UINT) UserInfoSize
);
if (*UserInfo == NULL) {
SC_LOG1(ERROR, "ScGetUserSid: LocalAlloc failed " FORMAT_DWORD
"\n", GetLastError());
status = ERROR_NOT_ENOUGH_MEMORY;
goto Cleanup;
}
//
// Call NtQueryInformationToken again with the correct buffer size.
//
ntstatus = NtQueryInformationToken(
CurrentThreadToken,
TokenUser, // User information class
(PVOID) *UserInfo, // Output
UserInfoSize,
&UserInfoSize
);
status = RtlNtStatusToDosError(ntstatus);
if (! NT_SUCCESS(ntstatus)) {
SC_LOG1(ERROR, "ScGetUserSid: NtQueryInformationToken failed "
FORMAT_NTSTATUS "\n", ntstatus);
LocalFree(*UserInfo);
*UserInfo = NULL;
}
Cleanup:
if (CurrentThreadToken != NULL)
{
NtClose(CurrentThreadToken);
}
if ((rpcstatus = RpcRevertToSelf()) != RPC_S_OK)
{
SC_LOG1(
ERROR,
"ScGetUserSid: Failed to revert to self " FORMAT_RPC_STATUS "\n",
rpcstatus
);
ScLogEvent(
NEVENT_CALL_TO_FUNCTION_FAILED,
SC_RPC_REVERT,
rpcstatus
);
SC_ASSERT(FALSE);
return ((DWORD) rpcstatus);
}
return status;
}