/*++
Copyright (c) 1989 Microsoft Corporation
Module Name:
tokendup.c
Abstract:
This module implements the token duplication service.
Author:
Jim Kelly (JimK) 5-April-1990
Environment:
Kernel mode only.
Revision History:
--*/
//#ifndef TOKEN_DEBUG
//#define TOKEN_DEBUG
//#endif
#include "sep.h"
#include "seopaque.h"
#include "tokenp.h"
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE,NtDuplicateToken)
#pragma alloc_text(PAGE,SepDuplicateToken)
#pragma alloc_text(PAGE,SepMakeTokenEffectiveOnly)
#pragma alloc_text(PAGE,SeCopyClientToken)
#endif
�
NTSTATUS
NtDuplicateToken(
IN HANDLE ExistingTokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN BOOLEAN EffectiveOnly,
IN TOKEN_TYPE TokenType,
OUT PHANDLE NewTokenHandle
)
/*++
Routine Description:
Create a new token that is a duplicate of an existing token.
Arguments:
ExistingTokenHandle - Is a handle to a token already open for
TOKEN_DUPLICATE access.
DesiredAccess - Is an access mask indicating which access types
are desired to the newly created token. If specified as zero,
the granted access mask of the existing token handle
is used as the desired access mask for the new token.
ObjectAttributes - Points to the standard object attributes data
structure. Refer to the NT Object Management
Specification for a description of this data structure.
If the new token type is TokenImpersonation, then this
parameter may be used to specify the impersonation level
of the new token. If no value is provided, and the source
token is an impersonation token, then the impersonation level
of the source will become that of the target as well. If the
source token is a primary token, then an impersonation level
must be explicitly provided.
If the token being duplicated is an impersonation token, and
an impersonation level is explicitly provided for the target,
then the value provided must not be greater than that of the
source token. For example, an Identification level token can
not be duplicated to produce a Delegation level token.
EffectiveOnly - Is a boolean flag indicating whether the entire
source token should be duplicated into the target token or
just the effective (currently enabled) part of the token.
This provides a means for a caller of a protected subsystem
to limit which privileges and optional groups are made
available to the protected subsystem. A value of TRUE
indicates only the currently enabled parts of the source
token are to be duplicated. Otherwise, the entire source
token is duplicated.
TokenType - Indicates which type of object the new object is to
be created as (primary or impersonation). If you are duplicating
an Impersonation token to produce a Primary token, then
the Impersonation token must have an impersonation level of
either DELEGATE or IMPERSONATE.
NewTokenHandle - Receives the handle of the newly created token.
Return Value:
STATUS_SUCCESS - Indicates the operation was successful.
STATUS_INVALID_PARAMETER - Indicates one or more of the parameter values
was invalid. This value is returned if the target token is not
an impersonation token.
STATUS_BAD_IMPERSONATION_LEVEL - Indicates the impersonation level
requested for the duplicate token is not compatible with the
level of the source token. The duplicate token may not be assigned
a level greater than that of the source token.
--*/
{
PTOKEN Token;
PTOKEN NewToken;
KPROCESSOR_MODE PreviousMode;
NTSTATUS Status;
SECURITY_ADVANCED_QUALITY_OF_SERVICE SecurityQos;
BOOLEAN SecurityQosPresent = FALSE;
HANDLE LocalHandle;
OBJECT_HANDLE_INFORMATION HandleInformation;
ACCESS_MASK EffectiveDesiredAccess;
PAGED_CODE();
PreviousMode = KeGetPreviousMode();
//
// Probe parameters
//
if (PreviousMode != KernelMode) {
try {
//
// Make sure the TokenType is valid
//
if ( (TokenType < TokenPrimary) && (TokenType > TokenImpersonation) ) {
return(STATUS_INVALID_PARAMETER);
}
//
// Make sure we can write the handle
//
ProbeForWriteHandle(NewTokenHandle);
} except(EXCEPTION_EXECUTE_HANDLER) {
return GetExceptionCode();
} // end_try
} //end_if
Status = SeCaptureSecurityQos(
ObjectAttributes,
PreviousMode,
&SecurityQosPresent,
&SecurityQos
);
if (!NT_SUCCESS(Status)) {
return Status;
}
//
// Check the handle's access to the existing token and get
// a pointer to that token. Pick up the default desired
// access mask from the handle while we're at it.
//
Status = ObReferenceObjectByHandle(
ExistingTokenHandle, // Handle
TOKEN_DUPLICATE, // DesiredAccess
SepTokenObjectType, // ObjectType
PreviousMode, // AccessMode
(PVOID *)&Token, // Object
&HandleInformation // GrantedAccess
);
if ( !NT_SUCCESS(Status) ) {
if (SecurityQosPresent) {
SeFreeCapturedSecurityQos( &SecurityQos );
}
return Status;
}
#ifdef TOKEN_DEBUG
////////////////////////////////////////////////////////////////////////////
//
// Debug
SepAcquireTokenReadLock( Token );
DbgPrint("\n");
DbgPrint("\n");
DbgPrint("Token being duplicated: \n");
SepDumpToken( Token );
SepReleaseTokenReadLock( Token );
// Debug
//
////////////////////////////////////////////////////////////////////////////
#endif //TOKEN_DEBUG
//
// Check to see if an alternate desired access mask was provided.
//
if (ARGUMENT_PRESENT(DesiredAccess)) {
EffectiveDesiredAccess = DesiredAccess;
} else {
EffectiveDesiredAccess = HandleInformation.GrantedAccess;
}
//
// If no impersonation level was specified, pick one up from
// the source token.
//
if ( !SecurityQosPresent ) {
SecurityQos.ImpersonationLevel = Token->ImpersonationLevel;
}
if (Token->TokenType == TokenImpersonation) {
//
// Make sure a legitimate transformation is being requested:
//
// (1) The impersonation level of a target duplicate must not
// exceed that of the source token.
//
//
ASSERT( SecurityDelegation > SecurityImpersonation );
ASSERT( SecurityImpersonation > SecurityIdentification );
ASSERT( SecurityIdentification > SecurityAnonymous );
if ( (SecurityQos.ImpersonationLevel > Token->ImpersonationLevel) ) {
ObDereferenceObject( (PVOID)Token );
if (SecurityQosPresent) {
SeFreeCapturedSecurityQos( &SecurityQos );
}
return STATUS_BAD_IMPERSONATION_LEVEL;
}
}
//
// If we are producing a Primary token from an impersonation
// token, then specify an impersonation level of at least
// Impersonate.
//
if ( (Token->TokenType == TokenImpersonation) &&
(TokenType == TokenPrimary) &&
(Token->ImpersonationLevel < SecurityImpersonation)
) {
ObDereferenceObject( (PVOID)Token );
if (SecurityQosPresent) {
SeFreeCapturedSecurityQos( &SecurityQos );
}
return STATUS_BAD_IMPERSONATION_LEVEL;
}
//
// Duplicate the existing token
//
NewToken = NULL;
Status = SepDuplicateToken(
Token,
ObjectAttributes,
EffectiveOnly,
TokenType,
SecurityQos.ImpersonationLevel,
PreviousMode,
&NewToken
);
if (NT_SUCCESS(Status)) {
//
// Insert the new token
//
Status = ObInsertObject( NewToken,
NULL,
EffectiveDesiredAccess,
0,
(PVOID *)NULL,
&LocalHandle
);
if (!NT_SUCCESS( Status )) {
DbgPrint( "SE: ObInsertObject failed (%x) for token at %x\n", Status, NewToken );
}
} else
if (NewToken != NULL) {
DbgPrint( "SE: SepDuplicateToken failed (%x) but allocated token at %x\n", Status, NewToken );
}
//
// We no longer need our reference to the source token
//
ObDereferenceObject( (PVOID)Token );
if (SecurityQosPresent) {
SeFreeCapturedSecurityQos( &SecurityQos );
}
// BUGWARNING Probably need to audit here
//
// Return the new handle
//
if (NT_SUCCESS(Status)) {
try { *NewTokenHandle = LocalHandle; }
except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); }
}
return Status;
}
�
NTSTATUS
SepDuplicateToken(
IN PTOKEN ExistingToken,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN BOOLEAN EffectiveOnly,
IN TOKEN_TYPE TokenType,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel OPTIONAL,
IN KPROCESSOR_MODE RequestorMode,
OUT PTOKEN *DuplicateToken
)
/*++
Routine Description:
This routine does the bulk of the work to actually duplicate
a token. This routine assumes all access validation and argument
probing (except the ObjectAttributes) has been performed.
THE CALLER IS RESPONSIBLE FOR CHECKING SUBJECT RIGHTS TO CREATE THE
TYPE OF TOKEN BEING CREATED.
This routine acquires a read lock on the token being duplicated.
Arguments:
ExistingToken - Points to the token to be duplicated.
ObjectAttributes - Points to the standard object attributes data
structure. Refer to the NT Object Management
Specification for a description of this data structure.
The security Quality Of Service of the object attributes are ignored.
This information must be specified using parameters to this
routine.
EffectiveOnly - Is a boolean flag indicating whether the entire
source token should be duplicated into the target token or
just the effective (currently enabled) part of the token.
This provides a means for a caller of a protected subsystem
to limit which privileges and optional groups are made
available to the protected subsystem. A value of TRUE
indicates only the currently enabled parts of the source
token are to be duplicated. Otherwise, the entire source
token is duplicated.
TokenType - Indicates the type of token to make the duplicate token.
ImpersonationLevel - This value specifies the impersonation level
to assign to the duplicate token. If the TokenType of the
duplicate is not TokenImpersonation then this parameter is
ignored. Otherwise, it is must be provided.
RequestorMode - Mode of client requesting the token be duplicated.
DuplicateToken - Receives a pointer to the duplicate token.
The token has not yet been inserted into any object table.
No exceptions are expected when tring to set this OUT value.
Return Value:
STATUS_SUCCESS - The service successfully completed the requested
operation.
--*/
{
NTSTATUS Status;
PTOKEN NewToken;
PULONG DynamicPart;
ULONG PagedPoolSize;
ULONG NonPagedPoolSize;
ULONG TokenBodyLength;
ULONG FieldOffset;
ULONG Index;
PSECURITY_TOKEN_PROXY_DATA NewProxyData;
PSECURITY_TOKEN_AUDIT_DATA NewAuditData;
PAGED_CODE();
ASSERT( sizeof(SECURITY_IMPERSONATION_LEVEL) <= sizeof(ULONG) );
if ( TokenType == TokenImpersonation ) {
ASSERT( SecurityDelegation > SecurityImpersonation );
ASSERT( SecurityImpersonation > SecurityIdentification );
ASSERT( SecurityIdentification > SecurityAnonymous );
if ( (ImpersonationLevel > SecurityDelegation) ||
(ImpersonationLevel < SecurityAnonymous) ) {
return STATUS_BAD_IMPERSONATION_LEVEL;
}
}
//
// Increment the reference count for this logon session
// This can not fail, since there is already a token in this logon
// session.
//
Status = SepReferenceLogonSession( &(ExistingToken->AuthenticationId) );
ASSERT( NT_SUCCESS(Status) );
//
// Note that the size of the dynamic portion of a token can not change
// once established.
//
//
// Allocate the dynamic portion
//
DynamicPart = (PULONG)ExAllocatePoolWithTag(
PagedPool,
ExistingToken->DynamicCharged,
'dTeS'
);
if (DynamicPart == NULL) {
SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) );
return( STATUS_INSUFFICIENT_RESOURCES );
}
if (ARGUMENT_PRESENT(ExistingToken->ProxyData)) {
Status = SepCopyProxyData(
&NewProxyData,
ExistingToken->ProxyData
);
if (!NT_SUCCESS(Status)) {
SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) );
ExFreePool( DynamicPart );
return( Status );
}
} else {
NewProxyData = NULL;
}
if (ARGUMENT_PRESENT( ExistingToken->AuditData )) {
NewAuditData = ExAllocatePool( PagedPool, sizeof( SECURITY_TOKEN_AUDIT_DATA ));
if (NewAuditData == NULL) {
SepFreeProxyData( NewProxyData );
SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) );
ExFreePool( DynamicPart );
return( STATUS_INSUFFICIENT_RESOURCES );
} else {
*NewAuditData = *(ExistingToken->AuditData);
}
} else {
NewAuditData = NULL;
}
//
// Create a new object
//
TokenBodyLength = (ULONG)sizeof(TOKEN) +
ExistingToken->VariableLength;
NonPagedPoolSize = TokenBodyLength;
PagedPoolSize = ExistingToken->DynamicCharged;
Status = ObCreateObject(
RequestorMode, // ProbeMode
SepTokenObjectType, // ObjectType
ObjectAttributes, // ObjectAttributes
RequestorMode, // OwnershipMode
NULL, // ParseContext
TokenBodyLength, // ObjectBodySize
PagedPoolSize, // PagedPoolCharge
NonPagedPoolSize, // NonPagedPoolCharge
(PVOID *)&NewToken // Return pointer to object
);
if (!NT_SUCCESS(Status)) {
SepDeReferenceLogonSession( &(ExistingToken->AuthenticationId) );
ExFreePool( DynamicPart );
SepFreeProxyData( NewProxyData );
if (NewAuditData != NULL) {
ExFreePool( NewAuditData );
}
return Status;
}
//
// acquire exclusive access to the source token
//
SepAcquireTokenReadLock( ExistingToken );
//
// Main Body initialization
//
//
// The following fields are unchanged from the source token.
// Although some may change if EffectiveOnly has been specified.
//
NewToken->AuthenticationId = ExistingToken->AuthenticationId;
NewToken->ModifiedId = ExistingToken->ModifiedId;
NewToken->ExpirationTime = ExistingToken->ExpirationTime;
NewToken->TokenSource = ExistingToken->TokenSource;
NewToken->DynamicCharged = ExistingToken->DynamicCharged;
NewToken->DynamicAvailable = ExistingToken->DynamicAvailable;
NewToken->DefaultOwnerIndex = ExistingToken->DefaultOwnerIndex;
NewToken->UserAndGroupCount = ExistingToken->UserAndGroupCount;
NewToken->PrivilegeCount = ExistingToken->PrivilegeCount;
NewToken->VariableLength = ExistingToken->VariableLength;
NewToken->TokenFlags = ExistingToken->TokenFlags;
NewToken->ProxyData = NewProxyData;
NewToken->AuditData = NewAuditData;
//
// The following fields differ in the new token.
//
ExAllocateLocallyUniqueId( &(NewToken->TokenId) );
NewToken->TokenInUse = FALSE;
NewToken->TokenType = TokenType;
NewToken->ImpersonationLevel = ImpersonationLevel;
//
// Copy and initialize the variable part.
// The variable part is assumed to be position independent.
//
RtlMoveMemory( (PVOID)&(NewToken->VariablePart),
(PVOID)&(ExistingToken->VariablePart),
ExistingToken->VariableLength
);
//
// Set the address of the UserAndGroups array.
//
ASSERT( ARGUMENT_PRESENT(ExistingToken->UserAndGroups ) );
ASSERT( (ULONG)(ExistingToken->UserAndGroups) >=
(ULONG)(&(ExistingToken->VariablePart)) );
FieldOffset = (ULONG)(ExistingToken->UserAndGroups) -
(ULONG)(&(ExistingToken->VariablePart));
NewToken->UserAndGroups =
(PSID_AND_ATTRIBUTES)(FieldOffset + (ULONG)(&(NewToken->VariablePart)) );
//
// Now go through and change the address of each SID pointer
// for the user and groups
//
Index = 0;
while (Index < ExistingToken->UserAndGroupCount) {
FieldOffset = (ULONG)(ExistingToken->UserAndGroups[Index].Sid) -
(ULONG)(&(ExistingToken->VariablePart));
NewToken->UserAndGroups[Index].Sid =
(PSID)( FieldOffset + (ULONG)(&(NewToken->VariablePart)) );
Index += 1;
}
//
// If present, set the address of the privileges
//
if (ExistingToken->PrivilegeCount > 0) {
ASSERT( ARGUMENT_PRESENT(ExistingToken->Privileges ) );
ASSERT( (ULONG)(ExistingToken->Privileges) >=
(ULONG)(&(ExistingToken->VariablePart)) );
FieldOffset = (ULONG)(ExistingToken->Privileges) -
(ULONG)(&(ExistingToken->VariablePart));
NewToken->Privileges = (PLUID_AND_ATTRIBUTES)(
FieldOffset +
(ULONG)(&(NewToken->VariablePart))
);
} else {
NewToken->Privileges = NULL;
}
//
// Copy and initialize the dynamic part.
// The dynamic part is assumed to be position independent.
//
RtlMoveMemory( (PVOID)DynamicPart,
(PVOID)(ExistingToken->DynamicPart),
ExistingToken->DynamicCharged
);
NewToken->DynamicPart = DynamicPart;
//
// If present, set the address of the default Dacl
//
if (ARGUMENT_PRESENT(ExistingToken->DefaultDacl)) {
ASSERT( (ULONG)(ExistingToken->DefaultDacl) >=
(ULONG)(ExistingToken->DynamicPart) );
FieldOffset = (ULONG)(ExistingToken->DefaultDacl) -
(ULONG)(ExistingToken->DynamicPart);
NewToken->DefaultDacl = (PACL)(FieldOffset + (ULONG)DynamicPart);
} else {
NewToken->DefaultDacl = NULL;
}
//
// Set the address of the primary group
//
ASSERT(ARGUMENT_PRESENT(ExistingToken->PrimaryGroup));
ASSERT( (ULONG)(ExistingToken->PrimaryGroup) >=
(ULONG)(ExistingToken->DynamicPart) );
FieldOffset = (ULONG)(ExistingToken->PrimaryGroup) -
(ULONG)(ExistingToken->DynamicPart);
NewToken->PrimaryGroup = (PACL)(FieldOffset + (ULONG)(DynamicPart));
//
// For the time being, take the easy way to generating an "EffectiveOnly"
// duplicate. That is, use the same space required of the original, just
// eliminate any IDs or privileges not active.
//
// Ultimately, if duplication becomes a common operation, then it will be
// worthwhile to recalculate the actual space needed and copy only the
// effective IDs/privileges into the new token.
//
if (EffectiveOnly) {
SepMakeTokenEffectiveOnly( NewToken );
}
#ifdef TOKEN_DEBUG
////////////////////////////////////////////////////////////////////////////
//
// Debug
DbgPrint("\n");
DbgPrint("\n");
DbgPrint("\n");
DbgPrint("Duplicate token:\n");
SepDumpToken( NewToken );
// Debug
//
////////////////////////////////////////////////////////////////////////////
#endif //TOKEN_DEBUG
//
// Release the source token.
//
SepReleaseTokenReadLock( ExistingToken );
(*DuplicateToken) = NewToken;
return Status;
}
�
VOID
SepMakeTokenEffectiveOnly(
IN PTOKEN Token
)
/*++
Routine Description:
This routine eliminates all but the effective groups and privileges from
a token. It does this by moving elements of the SID and privileges arrays
to overwrite lapsed IDs/privileges, and then reducing the array element
counts. This results in wasted memory within the token object.
One side effect of this routine is that a token that initially had a
default owner ID corresponding to a lapsed group will be changed so
that the default owner ID is the user ID.
THIS ROUTINE MUST BE CALLED ONLY AS PART OF TOKEN CREATION (FOR TOKENS
WHICH HAVE NOT YET BEEN INSERTED INTO AN OBJECT TABLE.) THIS ROUTINE
MODIFIES READ ONLY TOKEN FIELDS.
Note that since we are operating on a token that is not yet visible
to the user, we do not bother acquiring a read lock on the token
being modified.
Arguments:
Token - Points to the token to be made effective only.
Return Value:
None.
--*/
{
ULONG Index;
ULONG ElementCount;
PAGED_CODE();
//
// Walk the privilege array, discarding any lapsed privileges
//
ElementCount = Token->PrivilegeCount;
Index = 0;
while (Index < ElementCount) {
//
// If this privilege is not enabled, replace it with the one at
// the end of the array and reduce the size of the array by one.
// Otherwise, move on to the next entry in the array.
//
if ( !(SepTokenPrivilegeAttributes(Token,Index) & SE_PRIVILEGE_ENABLED)
) {
(Token->Privileges)[Index] =
(Token->Privileges)[ElementCount - 1];
ElementCount -= 1;
} else {
Index += 1;
}
} // endwhile
Token->PrivilegeCount = ElementCount;
//
// Walk the UserAndGroups array (except for the first entry, which is
// the user - and can't be disabled) discarding any lapsed groups.
//
ElementCount = Token->UserAndGroupCount;
ASSERT( ElementCount >= 1 ); // Must be at least a user ID
Index = 1; // Start at the first group, not the user ID.
while (Index < ElementCount) {
//
// If this group is not enabled, replace it with the one at
// the end of the array and reduce the size of the array by one.
//
if ( !(SepTokenGroupAttributes(Token, Index) & SE_GROUP_ENABLED) ){
(Token->UserAndGroups)[Index] =
(Token->UserAndGroups)[ElementCount - 1];
ElementCount -= 1;
} else {
Index += 1;
}
} // endwhile
Token->UserAndGroupCount = ElementCount;
return;
}
�
NTSTATUS
SeCopyClientToken(
IN PACCESS_TOKEN ClientToken,
IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
IN KPROCESSOR_MODE RequestorMode,
OUT PACCESS_TOKEN *DuplicateToken
)
/*++
Routine Description:
This routine copies a client's token as part of establishing a client
context for impersonation.
The result will be an impersonation token.
No handles to the new token are established.
The token will be an exact duplicate of the source token. It is the
caller's responsibility to ensure an effective only copy of the token
is produced when the token is opened, if necessary.
Arguments:
ClientToken - Points to the token to be duplicated. This may be either
a primary or impersonation token.
ImpersonationLevel - The impersonation level to be assigned to the new
token.
RequestorMode - Mode to be assigned as the owner mode of the new token.
DuplicateToken - Receives a pointer to the duplicate token.
The token has not yet been inserted into any object table.
No exceptions are expected when tring to set this OUT value.
Return Value:
STATUS_SUCCESS - The service successfully completed the requested
operation.
--*/
{
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
PTOKEN NewToken;
PAGED_CODE();
InitializeObjectAttributes(
&ObjectAttributes,
NULL,
0,
NULL,
NULL
);
Status = SepDuplicateToken(
(PTOKEN)ClientToken, // ExistingToken
&ObjectAttributes, // ObjectAttributes
FALSE, // EffectiveOnly
TokenImpersonation, // TokenType (target)
ImpersonationLevel, // ImpersonationLevel
RequestorMode, // RequestorMode
&NewToken // DuplicateToken
);
(*DuplicateToken) = (PACCESS_TOKEN)NewToken;
return Status;
}
