From b8eeedbce423520ef6a7ae029145caedd7ed2104 Mon Sep 17 00:00:00 2001 From: midipix Date: Tue, 20 Mar 2018 00:03:37 +0000 Subject: ipc and keyed object directories: support multi-user env. via sec. descriptor. --- src/object/ntapi_tt_keyed_object_directory.c | 86 +++++++++++++++++++++++++++- 1 file changed, 83 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/object/ntapi_tt_keyed_object_directory.c b/src/object/ntapi_tt_keyed_object_directory.c index c744326..c34d8ec 100644 --- a/src/object/ntapi_tt_keyed_object_directory.c +++ b/src/object/ntapi_tt_keyed_object_directory.c @@ -8,6 +8,7 @@ #include #include #include +#include #include "ntapi_impl.h" typedef ntapi_zw_open_directory_object objdir_open_fn; @@ -19,6 +20,77 @@ static nt_keyed_objdir_name __template_name = {__NT_BASED_NAMED_OBJECTS, {0}}; +static nt_access_allowed_ace * __ipc_ace_init( + nt_access_allowed_ace * ace, + uint32_t mask, + const nt_sid * sid) +{ + ace->mask = mask; + ace->header.ace_type = NT_ACE_TYPE_ACCESS_ALLOWED; + ace->header.ace_flags = 0; + ace->header.ace_size = sizeof(uint32_t) * sid->sub_authority_count + + __offsetof(nt_access_allowed_ace,sid_start) + + __offsetof(nt_sid,sub_authority); + + __ntapi->tt_sid_copy( + (nt_sid *)&ace->sid_start, + sid); + + return (nt_access_allowed_ace *)((size_t)ace + ace->header.ace_size); +} + +static void __ipc_sd_init(nt_sd_common_buffer * sd, int fdir) +{ + nt_access_allowed_ace * ace; + uint32_t mask_system; + uint32_t mask_owner; + uint32_t mask_other; + + /* access mask */ + if (fdir) { + mask_system = NT_SEC_READ_CONTROL + | NT_DIRECTORY_QUERY + | NT_DIRECTORY_TRAVERSE + | NT_DIRECTORY_CREATE_OBJECT + | NT_DIRECTORY_CREATE_SUBDIRECTORY; + + mask_owner = NT_DIRECTORY_ALL_ACCESS; + mask_other = mask_system; + } else { + mask_system = NT_SYMBOLIC_LINK_ALL_ACCESS; + mask_owner = NT_SYMBOLIC_LINK_ALL_ACCESS; + mask_other = NT_SYMBOLIC_LINK_QUERY; + } + + /* sd header */ + sd->sd.revision = 1; + sd->sd.sbz_1st = 0; + sd->sd.control = NT_SE_SELF_RELATIVE | NT_SE_DACL_PRESENT; + sd->sd.offset_owner = __offsetof(nt_sd_common_buffer,owner); + sd->sd.offset_group = 0; + sd->sd.offset_dacl = __offsetof(nt_sd_common_buffer,dacl); + sd->sd.offset_sacl = 0; + + /* owner sid */ + __ntapi->tt_sid_copy( + (nt_sid *)&sd->owner, + __ntapi_internals()->sid); + + + /* ace's for LOCAL_SYSTEM, AUTHENTICATED_USERS, and process token user */ + ace = (nt_access_allowed_ace *)&sd->buffer; + ace = __ipc_ace_init(ace,mask_system,&(nt_sid){1,1,{{0,0,0,0,0,5}},{18}}); + ace = __ipc_ace_init(ace,mask_other,&(nt_sid){1,1,{{0,0,0,0,0,5}},{11}}); + ace = __ipc_ace_init(ace,mask_owner,(nt_sid *)&sd->owner); + + sd->dacl.acl_revision = 0x02; + sd->dacl.sbz_1st = 0; + sd->dacl.acl_size = (uint16_t)((char *)ace - (char *)&sd->dacl); + sd->dacl.ace_count = 3; + sd->dacl.sbz_2nd = 0; + +} + static int32_t __stdcall __tt_create_ipc_object_directory( __out void ** hdir, __in uint32_t desired_access, @@ -28,6 +100,7 @@ static int32_t __stdcall __tt_create_ipc_object_directory( int32_t status; nt_ipc_objdir_name objdir_name; nt_unicode_string name; + nt_sd_common_buffer sd; nt_oa oa; nt_sqos sqos = { sizeof(sqos), @@ -35,6 +108,8 @@ static int32_t __stdcall __tt_create_ipc_object_directory( NT_SECURITY_TRACKING_DYNAMIC, 1}; + __ipc_sd_init(&sd,1); + __ntapi->tt_generic_memcpy( &objdir_name, &__template_name, @@ -62,7 +137,7 @@ static int32_t __stdcall __tt_create_ipc_object_directory( oa.obj_attr = NT_OBJ_INHERIT | NT_OBJ_OPENIF | NT_OBJ_CASE_INSENSITIVE; - oa.sec_desc = 0; + oa.sec_desc = &sd.sd; oa.sec_qos = &sqos; status = __ntapi->zw_create_directory_object( @@ -84,6 +159,7 @@ static int32_t __stdcall __tt_create_keyed_object_directory( { nt_keyed_objdir_name objdir_name; nt_unicode_string name; + nt_sd_common_buffer sd; nt_oa oa; nt_sqos sqos = { sizeof(sqos), @@ -91,6 +167,8 @@ static int32_t __stdcall __tt_create_keyed_object_directory( NT_SECURITY_TRACKING_DYNAMIC, 1}; + __ipc_sd_init(&sd,1); + __ntapi->tt_generic_memcpy( &objdir_name, &__template_name, @@ -120,7 +198,7 @@ static int32_t __stdcall __tt_create_keyed_object_directory( oa.root_dir = 0; oa.obj_name = &name; oa.obj_attr = NT_OBJ_INHERIT; - oa.sec_desc = 0; + oa.sec_desc = &sd.sd; oa.sec_qos = &sqos; return openfn(hdir,desired_access,&oa); @@ -138,6 +216,7 @@ static int32_t __stdcall __tt_create_object_directory_entry( int32_t status; nt_oa oa; nt_unicode_string name; + nt_sd_common_buffer sd; wchar16_t keystr[8]; uintptr_t buffer[2048/sizeof(uintptr_t)]; nt_sqos sqos = { @@ -155,6 +234,7 @@ static int32_t __stdcall __tt_create_object_directory_entry( target_name = (nt_unicode_string *)buffer; } + __ipc_sd_init(&sd,0); __ntapi->tt_uint32_to_hex_utf16(key,keystr); name.strlen = sizeof(keystr); @@ -165,7 +245,7 @@ static int32_t __stdcall __tt_create_object_directory_entry( oa.root_dir = hdir; oa.obj_name = &name; oa.obj_attr = 0; - oa.sec_desc = 0; + oa.sec_desc = &sd.sd; oa.sec_qos = &sqos; return __ntapi->zw_create_symbolic_link_object( -- cgit v1.2.3