/*++ Copyright (c) 1989 Microsoft Corporation Module Name: token.c Abstract: This module implements the initialization, open, duplicate and other services of the executive token object. Author: Jim Kelly (JimK) 5-April-1990 Environment: Kernel mode only. Revision History: v15: robertre updated ACL_REVISION --*/ #include "sep.h" #include #include "tokenp.h" #ifdef ALLOC_PRAGMA #pragma alloc_text(INIT,SepTokenInitialization) #pragma alloc_text(INIT,SeMakeSystemToken) #pragma alloc_text(PAGE,SeTokenType) #pragma alloc_text(PAGE,SepCreateToken) #pragma alloc_text(PAGE,SeTokenImpersonationLevel) #pragma alloc_text(PAGE,SeAssignPrimaryToken) #pragma alloc_text(PAGE,SeDeassignPrimaryToken) #pragma alloc_text(PAGE,SeExchangePrimaryToken) #pragma alloc_text(PAGE,SeGetTokenControlInformation) #pragma alloc_text(PAGE,SeSubProcessToken) #pragma alloc_text(PAGE,NtCreateToken) #pragma alloc_text(PAGE,SepTokenDeleteMethod) #pragma alloc_text(PAGE,SepIdAssignableAsOwner) #endif //////////////////////////////////////////////////////////////////////// // // // Global Variables // // // //////////////////////////////////////////////////////////////////////// // // Generic mapping of access types // GENERIC_MAPPING SepTokenMapping = { TOKEN_READ, TOKEN_WRITE, TOKEN_EXECUTE, TOKEN_ALL_ACCESS }; // // Address of token object type descriptor. // POBJECT_TYPE SepTokenObjectType; // // Used to track whether or not a system token has been created or not. // #if DBG BOOLEAN SystemTokenCreated = FALSE; #endif //DBG // // Token lock // ERESOURCE SepTokenLock; // // Used to control the active token diagnostic support provided // #ifdef TOKEN_DIAGNOSTICS_ENABLED ULONG TokenGlobalFlag = 0; #endif // TOKEN_DIAGNOSTICS_ENABLED //////////////////////////////////////////////////////////////////////// // // // Token Object Routines & Methods // // // //////////////////////////////////////////////////////////////////////// TOKEN_TYPE SeTokenType( IN PACCESS_TOKEN Token ) /*++ Routine Description: This function returns the type of an instance of a token (TokenPrimary, or TokenImpersonation). Arguments: Token - Points to the token whose type is to be returned. Return Value: The token's type. --*/ { PAGED_CODE(); return (((PTOKEN)Token)->TokenType); } SECURITY_IMPERSONATION_LEVEL SeTokenImpersonationLevel( IN PACCESS_TOKEN Token ) /*++ Routine Description: This function returns the impersonation level of a token. The token is assumed to be a TokenImpersonation type token. Arguments: Token - Points to the token whose impersonation level is to be returned. Return Value: The token's impersonation level. --*/ { PAGED_CODE(); return ((PTOKEN)Token)->ImpersonationLevel; } VOID SeAssignPrimaryToken( IN PEPROCESS Process, IN PACCESS_TOKEN Token ) /*++ Routine Description: This function establishes a primary token for a process. Arguments: Token - Points to the new primary token. Return Value: None. --*/ { NTSTATUS Status; PTOKEN NewToken = (PTOKEN)Token; PAGED_CODE(); ASSERT(NewToken->TokenType == TokenPrimary); ASSERT( !NewToken->TokenInUse ); // // Dereference the old token if there is one. // // Processes typically already have a token that must be // dereferenced. There are two cases where this may not // be the situation. First, during phase 0 system initialization, // the initial system process starts out without a token. Second, // if an error occurs during process creation, we may be cleaning // up a process that hasn't yet had a primary token assigned. // if (Process->Token != NULL) { SeDeassignPrimaryToken( Process ); } Process->Token=Token; NewToken->TokenInUse = TRUE; ObReferenceObject(NewToken); return; } VOID SeDeassignPrimaryToken( IN PEPROCESS Process ) /*++ Routine Description: This function causes a process reference to a token to be dropped. Arguments: Process - Points to the process whose primary token is no longer needed. This is probably only the case at process deletion or when a primary token is being replaced. Return Value: None. --*/ { PTOKEN OldToken = (PTOKEN)(Process->Token); PAGED_CODE(); ASSERT(OldToken->TokenType == TokenPrimary); ASSERT(OldToken->TokenInUse); OldToken->TokenInUse = FALSE; ObDereferenceObject( OldToken ); return; } NTSTATUS SeExchangePrimaryToken( IN PEPROCESS Process, IN PACCESS_TOKEN NewAccessToken, OUT PACCESS_TOKEN *OldAccessToken ) /*++ Routine Description: This function is used to perform the portions of changing a primary token that reference the internals of token structures. The new token is checked to make sure it is not already in use. The !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!! WARNING WARNING WARNING !!!!!!!! !!!!!!!! !!!!!!!! !!!!!!!! THIS ROUTINE MUST BE CALLED WITH THE GOBAL !!!!!!!! !!!!!!!! PROCESS SECURITY FIELDS LOCK HELD !!!!!!!! !!!!!!!! !!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Arguments: Process - Points to the process whose primary token is being exchanged. NewAccessToken - Points to the process's new primary token. OldAccessToken - Receives a pointer to the process's current token. The caller is responsible for dereferencing this token when it is no longer needed. This can't be done while the process security locks are held. Return Value: STATUS_SUCCESS - Everything has been updated. STATUS_TOKEN_ALREADY_IN_USE - A primary token can only be used by a single process. That is, each process must have its own primary token. The token passed to be assigned as the primary token is already in use as a primary token. STATUS_BAD_TOKEN_TYPE - The new token is not a primary token. --*/ { NTSTATUS Status; PTOKEN OldToken = (PTOKEN)(Process->Token); PTOKEN NewToken = (PTOKEN)NewAccessToken; PAGED_CODE(); // // We need to access the security fields of both tokens. // Access to these fields is guarded by the global Process Security // fields lock. // ASSERT(OldToken->TokenType == TokenPrimary); ASSERT(OldToken->TokenInUse); // // Make sure the new token is a primary token... // if ( NewToken->TokenType != TokenPrimary ) { return(STATUS_BAD_TOKEN_TYPE); } // // and that it is not already in use... // if (NewToken->TokenInUse) { return(STATUS_TOKEN_ALREADY_IN_USE); } // // Switch the tokens // Process->Token=NewAccessToken; NewToken->TokenInUse = TRUE; ObReferenceObject(NewToken); // // Mark the token as "NOT USED" // OldToken->TokenInUse = FALSE; // // Return the pointer to the old token. The caller // is responsible for dereferencing it if they don't need it. // (*OldAccessToken) = OldToken; return (STATUS_SUCCESS); } VOID SeGetTokenControlInformation ( IN PACCESS_TOKEN Token, OUT PTOKEN_CONTROL TokenControl ) /*++ Routine Description: This routine is provided for communication session layers, or any other executive component that needs to keep track of whether a caller's security context has changed between calls. Communication session layers will need to check this, for some security quality of service modes, to determine whether or not a server's security context needs to be updated to reflect changes in the client's security context. This routine will also be useful to communications subsystems that need to retrieve client' authentication information from the local security authority in order to perform a remote authentication. Parameters: Token - Points to the token whose information is to be retrieved. TokenControl - Points to the buffer to receive the token control information. Return Value: None. --*/ { PAGED_CODE(); // // acquire exclusive access to the token // SepAcquireTokenReadLock( (PTOKEN)Token ); // // Grab the data and run // TokenControl->TokenId = ((TOKEN *)Token)->TokenId; TokenControl->AuthenticationId = ((TOKEN *)Token)->AuthenticationId; TokenControl->ModifiedId = ((TOKEN *)Token)->ModifiedId; TokenControl->TokenSource = ((TOKEN *)Token)->TokenSource; SepReleaseTokenReadLock( (PTOKEN)Token ); return; } PACCESS_TOKEN SeMakeSystemToken () /*++ Routine Description: This routine is provided for use by executive components DURING SYSTEM INITIALIZATION ONLY. It creates a token for use by system components. A system token has the following characteristics: - It has LOCAL_SYSTEM as its user ID - It has the following groups with the corresponding attributes: ADMINS_ALIAS EnabledByDefault | Enabled | Owner WORLD EnabledByDefault | Enabled | Mandatory ADMINISTRATORS (alias) Owner (disabled) - It has LOCAL_SYSTEM as its primary group. - It has the privileges shown in comments below. - It has protection that provides TOKEN_ALL_ACCESS to the LOCAL_SYSTEM ID. - It has a default ACL that grants GENERIC_ALL access to LOCAL_SYSTEM and GENERIC_EXECUTE to WORLD. Parameters: None. Return Value: Pointer to a system token. --*/ { NTSTATUS Status; PVOID Token; SID_AND_ATTRIBUTES UserId; TOKEN_PRIMARY_GROUP PrimaryGroup; PSID_AND_ATTRIBUTES GroupIds; LUID_AND_ATTRIBUTES Privileges[30]; PACL TokenAcl; PSID Owner; ULONG NormalGroupAttributes; ULONG OwnerGroupAttributes; ULONG Length; OBJECT_ATTRIBUTES TokenObjectAttributes; PSECURITY_DESCRIPTOR TokenSecurityDescriptor; ULONG BufferLength; PVOID Buffer; ULONG GroupIdsBuffer[128]; TIME_FIELDS TimeFields; LARGE_INTEGER NoExpiration; PAGED_CODE(); // // Make sure only one system token gets created. // #if DBG ASSERT( !SystemTokenCreated ); SystemTokenCreated = TRUE; #endif //DBG // // Set up expiration times // TimeFields.Year = 3000; TimeFields.Month = 1; TimeFields.Day = 1; TimeFields.Hour = 1; TimeFields.Minute = 1; TimeFields.Second = 1; TimeFields.Milliseconds = 1; TimeFields.Weekday = 1; RtlTimeFieldsToTime( &TimeFields, &NoExpiration ); // // // // The amount of memory used in the following is gross overkill, but // // it is freed up immediately after creating the token. // // // // GroupIds = (PSID_AND_ATTRIBUTES)ExAllocatePool( NonPagedPool, 512 ); GroupIds = (PSID_AND_ATTRIBUTES)GroupIdsBuffer; // // Set up the attributes to be assigned to groups // NormalGroupAttributes = (SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED ); OwnerGroupAttributes = (SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED | SE_GROUP_OWNER ); // // Set up the user ID // UserId.Sid = SeLocalSystemSid; UserId.Attributes = 0; // // Set up the groups // GroupIds->Sid = SeAliasAdminsSid; (GroupIds+1)->Sid = SeWorldSid; GroupIds->Attributes = OwnerGroupAttributes; (GroupIds+1)->Attributes = NormalGroupAttributes; ASSERT( (RtlLengthSid(GroupIds->Sid) + RtlLengthSid((GroupIds+1)->Sid) + 2*sizeof(ULONG)) <= 512 ); // // Privileges // // // The privileges in the system token are as follows: // // Privilege Name Attributes // -------------- ---------- // // SeTcbPrivilege enabled/enabled by default // SeCreateTokenPrivilege DISabled/NOT enabled by default // SeTakeOwnershipPrivilege DISabled/NOT enabled by default // SeCreatePagefilePrivilege enabled/enabled by default // SeLockMemoryPrivilege enabled/enabled by default // SeAssignPrimaryTokenPrivilege DISabled/NOT enabled by default // SeIncreaseQuotaPrivilege DISabled/NOT enabled by default // SeIncreaseBasePriorityPrivilege enabled/enabled by default // SeCreatePermanentPrivilege enabled/enabled by default // SeDebugPrivilege enabled/enabled by default // SeAuditPrivilege enabled/enabled by default // SeSecurityPrivilege DISabled/NOT enabled by default // SeSystemEnvironmentPrivilege DISabled/NOT enabled by default // SeChangeNotifyPrivilege enabled/enabled by default // SeBackupPrivilege DISabled/NOT enabled by default // SeRestorePrivilege DISabled/NOT enabled by default // SeShutdownPrivilege DISabled/NOT enabled by default // SeLoadDriverPrivilege DISabled/NOT enabled by default // SeProfileSingleProcessPrivilege enabled/enabled by default // SeSystemtimePrivilege DISabled/NOT enabled by default // Privileges[0].Luid = SeTcbPrivilege; Privileges[0].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[1].Luid = SeCreateTokenPrivilege; Privileges[1].Attributes = 0; // Only the LSA should enable this. Privileges[2].Luid = SeTakeOwnershipPrivilege; Privileges[2].Attributes = 0; Privileges[3].Luid = SeCreatePagefilePrivilege; Privileges[3].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[4].Luid = SeLockMemoryPrivilege; Privileges[4].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[5].Luid = SeAssignPrimaryTokenPrivilege; Privileges[5].Attributes = 0; // disabled, not enabled by default Privileges[6].Luid = SeIncreaseQuotaPrivilege; Privileges[6].Attributes = 0; // disabled, not enabled by default Privileges[7].Luid = SeIncreaseBasePriorityPrivilege; Privileges[7].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[8].Luid = SeCreatePermanentPrivilege; Privileges[8].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[9].Luid = SeDebugPrivilege; Privileges[9].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[10].Luid = SeAuditPrivilege; Privileges[10].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[11].Luid = SeSecurityPrivilege; Privileges[11].Attributes = 0; // disabled, not enabled by default Privileges[12].Luid = SeSystemEnvironmentPrivilege; Privileges[12].Attributes = 0; // disabled, not enabled by default Privileges[13].Luid = SeChangeNotifyPrivilege; Privileges[13].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[14].Luid = SeBackupPrivilege; Privileges[14].Attributes = 0; // disabled, not enabled by default Privileges[15].Luid = SeRestorePrivilege; Privileges[15].Attributes = 0; // disabled, not enabled by default Privileges[16].Luid = SeShutdownPrivilege; Privileges[16].Attributes = 0; // disabled, not enabled by default Privileges[17].Luid = SeLoadDriverPrivilege; Privileges[17].Attributes = 0; // disabled, not enabled by default Privileges[18].Luid = SeProfileSingleProcessPrivilege; Privileges[18].Attributes = (SE_PRIVILEGE_ENABLED_BY_DEFAULT | // Enabled by default SE_PRIVILEGE_ENABLED); // Enabled Privileges[19].Luid = SeSystemtimePrivilege; Privileges[19].Attributes = 0; // disabled, not enabled by default //BEFORE ADDING ANOTHER PRIVILEGE ^^ HERE ^^ CHECK THE ARRAY BOUND //ALSO INCREMENT THE PRIVILEGE COUNT IN THE SepCreateToken() call // // Establish the primary group and default owner // PrimaryGroup.PrimaryGroup = SeLocalSystemSid; // Primary group Owner = SeAliasAdminsSid; // Default owner // // Set up an ACL to protect token as well ... // give system full reign of terror. This includes user-mode components // running as part of the system. // Length = (ULONG)sizeof(ACL) + (ULONG)sizeof(ACCESS_ALLOWED_ACE) + SeLengthSid( SeLocalSystemSid ) + 8; // The 8 is just for good measure ASSERT( Length < 200 ); TokenAcl = (PACL)ExAllocatePoolWithTag(PagedPool, 200, 'cAeS'); Status = RtlCreateAcl( TokenAcl, Length, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) ); Status = RtlAddAccessAllowedAce ( TokenAcl, ACL_REVISION2, TOKEN_ALL_ACCESS, SeLocalSystemSid ); ASSERT( NT_SUCCESS(Status) ); TokenSecurityDescriptor = (PSECURITY_DESCRIPTOR)ExAllocatePoolWithTag( PagedPool, SECURITY_DESCRIPTOR_MIN_LENGTH, 'dSeS' ); Status = RtlCreateSecurityDescriptor( TokenSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetDaclSecurityDescriptor ( TokenSecurityDescriptor, TRUE, TokenAcl, FALSE ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetOwnerSecurityDescriptor ( TokenSecurityDescriptor, SeAliasAdminsSid, FALSE // Owner defaulted ); ASSERT( NT_SUCCESS(Status) ); Status = RtlSetGroupSecurityDescriptor ( TokenSecurityDescriptor, SeAliasAdminsSid, FALSE // Group defaulted ); ASSERT( NT_SUCCESS(Status) ); // // Create the system token // #ifdef TOKEN_DEBUG //////////////////////////////////////////////////////////////////////////// // // Debug DbgPrint("\n Creating system token...\n"); // Debug // //////////////////////////////////////////////////////////////////////////// #endif //TOKEN_DEBUG InitializeObjectAttributes( &TokenObjectAttributes, NULL, 0, NULL, TokenSecurityDescriptor ); ASSERT(SeSystemDefaultDacl != NULL); Status = SepCreateToken( (PHANDLE)&Token, KernelMode, 0, // No handle created for system token &TokenObjectAttributes, TokenPrimary, (SECURITY_IMPERSONATION_LEVEL)NULL, &SeSystemAuthenticationId, &NoExpiration, &UserId, 2, // GroupCount GroupIds, 512, // see call to ExAllocatePool above 20, // privileges Privileges, sizeof(Privileges), Owner, PrimaryGroup.PrimaryGroup, SeSystemDefaultDacl, &SeSystemTokenSource, TRUE, // System token NULL, NULL ); ASSERT(NT_SUCCESS(Status)); // // Assign the security descriptor here, since we don't do it // in SepCreateToken for the System Token. // BufferLength = Length + sizeof(SECURITY_DESCRIPTOR) + 2 * SeLengthSid(SeAliasAdminsSid); Buffer = (PSECURITY_DESCRIPTOR)ExAllocatePoolWithTag( PagedPool, BufferLength, 'dSeS' ); Status = RtlAbsoluteToSelfRelativeSD( TokenSecurityDescriptor, Buffer, &BufferLength ); ASSERT(NT_SUCCESS(Status)); Status = ObAssignObjectSecurityDescriptor( Token, Buffer, PagedPool ); ASSERT(NT_SUCCESS(Status)); // // We can free the old one now. // ExFreePool( TokenAcl ); ExFreePool( TokenSecurityDescriptor ); return (PACCESS_TOKEN)Token; } NTSTATUS SeSubProcessToken ( IN PEPROCESS ParentProcess, OUT PACCESS_TOKEN *ChildToken ) /*++ Routine Description: This routine makes a token for a sub-process that is a duplicate of the parent process's token. Parameters: ParentProcess - Pointer to the parent process object. This is used to locate the parent process's primary token, and for logging purposes. ChildToken - Receives a pointer to the child process's token. Return Value: STATUS_SUCCESS - Indicates the sub-process's token has been created successfully. Other status values may be returned from memory allocation or object creation services used and typically indicate insufficient resources or quota on the requestor's part. --*/ { // // NOTE: THIS ROUTINE CAN BE MADE MUCH MORE EFFICIENT. // IT IS DONE IN A BRUTE FORCE FASHION FOR THE LARGE_INTEGER // BEING TO GET THINGS UP AND RUNNING. // // THE PERFORMANCE OF THIS ROUTINE DIRECTLY IMPACTS // THE PERFORMANCE OF SUB-PROCESS CREATION. // KPROCESSOR_MODE PreviousMode; PTOKEN ParentToken; PTOKEN NewToken; HANDLE NewTokenHandle; OBJECT_ATTRIBUTES PrimaryTokenAttributes; NTSTATUS Status; NTSTATUS IgnoreStatus; PAGED_CODE(); PreviousMode = KeGetPreviousMode(); InitializeObjectAttributes( &PrimaryTokenAttributes, NULL, 0, NULL, NULL ); #ifdef TOKEN_DEBUG DbgPrint("\nCreating sub-process token...\n"); DbgPrint("Parent token address = 0x%lx\n", ParentProcess->Token); #endif //TOKEN_DEBUG ParentToken = (PTOKEN)PsReferencePrimaryToken( ParentProcess ); Status = SepDuplicateToken( ParentToken, // ExistingToken &PrimaryTokenAttributes, // ObjectAttributes FALSE, // EffectiveOnly TokenPrimary, // TokenType (SECURITY_IMPERSONATION_LEVEL)NULL, // ImpersonationLevel KernelMode, // RequestorMode &NewToken // NewToken ); PsDereferencePrimaryToken( (PACCESS_TOKEN)ParentToken ); if (NT_SUCCESS(Status)) { // // Insert the new token object, up its ref count, and then // delete the new handle. // Status = ObInsertObject( NewToken, NULL, 0, 0, (PVOID *)NULL, &NewTokenHandle ); if (NT_SUCCESS(Status)) { //Status = ObReferenceObject( // NewToken // Object // ); Status = ObReferenceObjectByHandle( NewTokenHandle, // Handle DELETE, // DesiredAccess SepTokenObjectType, // ObjectType KernelMode, // AccessMode (PVOID *)ChildToken, // Object NULL // GrantedAccess ); if (NT_SUCCESS(Status)) { ((PTOKEN)NewToken)->TokenInUse = TRUE; IgnoreStatus = ZwClose( NewTokenHandle ); } // // At this point, either the token has a reference // outstanding (and no handles), or the reference // failed. If the reference failed, the status will // be returned indicating why. // } } return Status; } BOOLEAN SepTokenInitialization ( VOID ) /*++ Routine Description: This function creates the token object type descriptor at system initialization and stores the address of the object type descriptor in global storage. It also created token related global variables. Furthermore, some number of pseudo tokens are created during system initialization. These tokens are tracked down and replaced with real tokens. Arguments: None. Return Value: A value of TRUE is returned if the object type descriptor is successfully initialized. Otherwise a value of FALSE is returned. --*/ { OBJECT_TYPE_INITIALIZER ObjectTypeInitializer; NTSTATUS Status; UNICODE_STRING TypeName; PAGED_CODE(); // // Initialize string descriptor. // RtlInitUnicodeString(&TypeName, L"Token"); // // Create the global token lock // ExInitializeResource(&SepTokenLock); #if 0 BUG, BUG Need to get system default ACL to protect token object #endif // // Create object type descriptor. // RtlZeroMemory(&ObjectTypeInitializer,sizeof(ObjectTypeInitializer)); ObjectTypeInitializer.Length = sizeof(ObjectTypeInitializer); ObjectTypeInitializer.InvalidAttributes = OBJ_OPENLINK; ObjectTypeInitializer.GenericMapping = SepTokenMapping; ObjectTypeInitializer.SecurityRequired = TRUE; ObjectTypeInitializer.UseDefaultObject = TRUE; ObjectTypeInitializer.PoolType = PagedPool; ObjectTypeInitializer.ValidAccessMask = TOKEN_ALL_ACCESS; ObjectTypeInitializer.DeleteProcedure = SepTokenDeleteMethod; Status = ObCreateObjectType(&TypeName, &ObjectTypeInitializer, (PSECURITY_DESCRIPTOR)NULL, // BUG, BUG assign real protection &SepTokenObjectType ); #if 0 BUG, BUG Now track down all pseudo tokens used during system initialization BUG, BUG and replace them with real ones. #endif // // If the object type descriptor was successfully created, then // return a value of TRUE. Otherwise return a value of FALSE. // return (BOOLEAN)NT_SUCCESS(Status); } ////////////////////////////////////////////////////////////////////////// // // // Temporary, for Debug only // // // ////////////////////////////////////////////////////////////////////////// #ifdef TOKEN_DEBUG VOID SepDumpToken( IN PTOKEN T ) { ULONG Index; // // Dump a token // DbgPrint("\n"); DbgPrint(" address: 0x%lx \n", ((ULONG)T) ); DbgPrint(" TokenId: (0x%lx, 0x%lx) \n", T->TokenId.HighPart, T->TokenId.LowPart ); if ( (T->AuthenticationId.Data[0] == SeSystemAuthenticationId.Data[0]) && (T->AuthenticationId.Data[1] == SeSystemAuthenticationId.Data[1]) && (T->AuthenticationId.Data[2] == SeSystemAuthenticationId.Data[2]) && (T->AuthenticationId.Data[3] == SeSystemAuthenticationId.Data[3]) ) { DbgPrint(" AuthenticationId: SeSystemAuthenticationId \n"); } else { DbgPrint(" AuthenticationId: (0x%lx, 0x%lx, 0x%lx, 0x%lx) \n", T->AuthenticationId.Data[0], T->AuthenticationId.Data[1], T->AuthenticationId.Data[2], T->AuthenticationId.Data[3] ); } DbgPrint(" ExpirationTime: 0x%lx, 0x%lx \n", T->ExpirationTime.HighPart, T->ExpirationTime.LowPart ); if (T->TokenType == TokenPrimary) { DbgPrint(" TokenType: Primary \n"); } else { if (T->TokenType == TokenImpersonation) { DbgPrint(" TokenType: Impersonation \n"); } else { DbgPrint(" TokenType: (Unknown type, value = 0x%lx) \n", ((ULONG)T-TokenType) ); } } DbgPrint(" ImpersonationLevel: 0x%lx \n", ((ULONG)T->ImpersonationLevel) ); DbgPrint(" TokenSource: (not yet provided) \n"); DbgPrint(" DynamicCharged: 0x%lx \n", T->DynamicCharged); DbgPrint(" UserAndGroupCount: 0x%lx \n", T->UserAndGroupCount); DbgPrint(" PrivilegeCount: 0x%lx \n", T->PrivilegeCount); DbgPrint(" VariableLength: 0x%lx \n", T->VariableLength); DbgPrint(" ModifiedId: (0x%lx, 0x%lx) \n", T->ModifiedId.HighPart, T->ModifiedId.LowPart ); DbgPrint(" DynamicAvailable: 0x%lx \n", T->DynamicAvailable); DbgPrint(" DefaultOwnerIndex: 0x%lx \n", T->DefaultOwnerIndex); DbgPrint(" Address of DynamicPart: 0x%lx \n", (* (PULONG)((PVOID)(&(T->DynamicPart)))) ); DbgPrint(" Address of Default DACL: 0x%lx \n", (* (PULONG)((PVOID)(&(T->DefaultDacl)))) ); DbgPrint(" Address Of Variable Part: 0x%lx \n", &(T->VariablePart) ); DbgPrint("\n"); DbgPrint(" PrimaryGroup:\n"); DbgPrint(" Address: 0x%lx \n", (* (PULONG)((PVOID)(&(T->PrimaryGroup)))) ); DbgPrint(" Length: 0x%lx \n", SeLengthSid((T->PrimaryGroup)) ); DbgPrint("\n"); DbgPrint(" UserAndGroups: 0x%lx \n", (* (PULONG)((PVOID)(&(T->UserAndGroups)))) ); DbgPrint(" User ID - \n"); DbgPrint(" Address: 0x%lx \n", (* (PULONG)((PVOID)(&(T->UserAndGroups[0].Sid)))) ); DbgPrint(" Attributes: 0x%lx \n", (T->UserAndGroups[0].Attributes) ); DbgPrint(" Length: 0x%lx \n", SeLengthSid((T->UserAndGroups[0].Sid)) ); Index = 1; while (Index < T->UserAndGroupCount) { DbgPrint(" Group 0x%lx - \n", Index ); DbgPrint(" Address: 0x%lx \n", (* (PULONG)((PVOID)(&(T->UserAndGroups[Index].Sid)))) ); DbgPrint(" Attributes: 0x%lx \n", (T->UserAndGroups[Index].Attributes) ); DbgPrint(" Length: 0x%lx \n", SeLengthSid((T->UserAndGroups[Index].Sid)) ); Index += 1; } DbgPrint("\n"); DbgPrint(" Privileges: 0x%lx\n", (* (PULONG)((PVOID)(&(T->Privileges)))) ); Index = 0; while (Index < T->PrivilegeCount) { DbgPrint(" Privilege 0x%lx - \n", Index ); DbgPrint(" Address: 0x%lx \n", (&(T->Privileges[Index])) ); DbgPrint(" LUID: (0x%lx, 0x%lx) \n", T->Privileges[Index].Luid.HighPart, T->Privileges[Index].Luid.LowPart ); DbgPrint(" Attributes: 0x%lx \n", T->Privileges[Index].Attributes ); Index += 1; } return; } #endif //TOKEN_DEBUG NTSTATUS NtCreateToken( OUT PHANDLE TokenHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN TOKEN_TYPE TokenType, IN PLUID AuthenticationId, IN PLARGE_INTEGER ExpirationTime, IN PTOKEN_USER User, IN PTOKEN_GROUPS Groups, IN PTOKEN_PRIVILEGES Privileges, IN PTOKEN_OWNER Owner OPTIONAL, IN PTOKEN_PRIMARY_GROUP PrimaryGroup, IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, IN PTOKEN_SOURCE TokenSource ) /*++ Routine Description: Create a token object and return a handle opened for access to that token. This API requires SeCreateTokenPrivilege privilege. Arguments: TokenHandle - Receives the handle of the newly created token. DesiredAccess - Is an access mask indicating which access types the handle is to provide to the new object. ObjectAttributes - Points to the standard object attributes data structure. Refer to the NT Object Management Specification for a description of this data structure. If the token type is TokenImpersonation, then this parameter must specify the impersonation level of the token. TokenType - Type of token to be created. Privilege is required to create any type of token. AuthenticationId - Points to a LUID (or LUID) providing a unique identifier associated with the authentication. This is used within security only, for audit purposes. ExpirationTime - Time at which the token becomes invalid. If this value is specified as zero, then the token has no expiration time. User - Is the user SID to place in the token. Groups - Are the group SIDs to place in the token. Privileges - Are the privileges to place in the token. Owner - (Optionally) identifies an identifier that is to be used as the default owner for the token. If not provided, the user ID is made the default owner. PrimaryGroup - Identifies which of the group IDs is to be the primary group of the token. DefaultDacl - (optionally) establishes an ACL to be used as the default discretionary access protection for the token. TokenSource - Identifies the token source name string and identifier to be assigned to the token. Return Value: STATUS_SUCCESS - Indicates the operation was successful. STATUS_INVALID_OWNER - Indicates the ID provided to be assigned as the default owner of the token does not have an attribute indicating it may be assigned as an owner. STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided via the PrimaryGroup parameter was not among those assigned to the token in the Groups parameter. STATUS_BAD_IMPERSONATION_LEVEL - Indicates no impersonation level was provided when attempting to create a token of type TokenImpersonation. --*/ { KPROCESSOR_MODE PreviousMode; NTSTATUS Status; ULONG Ignore; HANDLE LocalHandle; BOOLEAN SecurityQosPresent = FALSE; SECURITY_ADVANCED_QUALITY_OF_SERVICE CapturedSecurityQos; LUID CapturedAuthenticationId; LARGE_INTEGER CapturedExpirationTime; PSID_AND_ATTRIBUTES CapturedUser = NULL; ULONG CapturedUserLength; ULONG CapturedGroupCount; PSID_AND_ATTRIBUTES CapturedGroups = NULL; ULONG CapturedGroupsLength; ULONG CapturedPrivilegeCount; PLUID_AND_ATTRIBUTES CapturedPrivileges = NULL; ULONG CapturedPrivilegesLength; PSID CapturedOwner = NULL; PSID CapturedPrimaryGroup = NULL; PACL CapturedDefaultDacl = NULL; TOKEN_SOURCE CapturedTokenSource; ULONG CapturedAddress; PAGED_CODE(); PreviousMode = KeGetPreviousMode(); if (PreviousMode != KernelMode) { // // Probe everything necessary for input to the capture subroutines. // try { ProbeForWriteHandle(TokenHandle); ProbeForRead( ExpirationTime, sizeof(LARGE_INTEGER), sizeof(ULONG) ); ProbeForRead( Groups, sizeof(TOKEN_GROUPS), sizeof(ULONG) ); ProbeForRead( Privileges, sizeof(TOKEN_PRIVILEGES), sizeof(ULONG) ); ProbeForRead( TokenSource, sizeof(TOKEN_SOURCE), sizeof(ULONG) ); if ( ARGUMENT_PRESENT(Owner) ) { ProbeForRead( Owner, sizeof(TOKEN_OWNER), sizeof(ULONG) ); } ProbeForRead( PrimaryGroup, sizeof(TOKEN_PRIMARY_GROUP), sizeof(ULONG) ); if ( ARGUMENT_PRESENT(DefaultDacl) ) { ProbeForRead( DefaultDacl, sizeof(TOKEN_DEFAULT_DACL), sizeof(ULONG) ); } ProbeForRead( AuthenticationId, sizeof(LUID), sizeof(ULONG) ); } except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } // end_try } //end_if // // Capture the security quality of service. // This capture routine necessarily does some probing of its own. // Status = SeCaptureSecurityQos( ObjectAttributes, PreviousMode, &SecurityQosPresent, &CapturedSecurityQos ); if (!NT_SUCCESS(Status)) { return Status; } if (TokenType == TokenImpersonation) { if (!SecurityQosPresent) { return STATUS_BAD_IMPERSONATION_LEVEL; } // endif } // endif // // Capture the rest of the arguments. // These arguments have already been probed. // try { Status = STATUS_SUCCESS; // // Capture and validate AuthenticationID // RtlCopyLuid( &CapturedAuthenticationId, AuthenticationId ); // // Capture ExpirationTime // CapturedExpirationTime = (*ExpirationTime); // // Capture User // if (NT_SUCCESS(Status)) { Status = SeCaptureSidAndAttributesArray( &(User->User), 1, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedUser, &CapturedUserLength ); } // // Capture Groups // if (NT_SUCCESS(Status)) { CapturedGroupCount = Groups->GroupCount; Status = SeCaptureSidAndAttributesArray( (Groups->Groups), CapturedGroupCount, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedGroups, &CapturedGroupsLength ); } // // Capture Privileges // if (NT_SUCCESS(Status)) { CapturedPrivilegeCount = Privileges->PrivilegeCount; Status = SeCaptureLuidAndAttributesArray( (Privileges->Privileges), CapturedPrivilegeCount, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedPrivileges, &CapturedPrivilegesLength ); } // // Capture Owner // if ( ARGUMENT_PRESENT(Owner) && NT_SUCCESS(Status)) { CapturedAddress = (ULONG)(Owner->Owner); Status = SeCaptureSid( (PSID)CapturedAddress, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedOwner ); } // // Capture PrimaryGroup // if (NT_SUCCESS(Status)) { CapturedAddress = (ULONG)(PrimaryGroup->PrimaryGroup); Status = SeCaptureSid( (PSID)CapturedAddress, PreviousMode, NULL, 0, PagedPool, TRUE, &CapturedPrimaryGroup ); } // // Capture DefaultDacl // if ( ARGUMENT_PRESENT(DefaultDacl) && NT_SUCCESS(Status) ) { CapturedAddress = (ULONG)(DefaultDacl->DefaultDacl); if ((PVOID)CapturedAddress != NULL) { Status = SeCaptureAcl( (PACL)CapturedAddress, PreviousMode, NULL, 0, NonPagedPool, TRUE, &CapturedDefaultDacl, &Ignore ); } } // // Capture TokenSource // CapturedTokenSource = (*TokenSource); } except(EXCEPTION_EXECUTE_HANDLER) { if (CapturedUser != NULL) { SeReleaseSidAndAttributesArray( CapturedUser, PreviousMode, TRUE ); } if (CapturedGroups != NULL) { SeReleaseSidAndAttributesArray( CapturedGroups, PreviousMode, TRUE ); } if (CapturedPrivileges != NULL) { SeReleaseLuidAndAttributesArray( CapturedPrivileges, PreviousMode, TRUE ); } if (CapturedOwner != NULL) { SeReleaseSid( CapturedOwner, PreviousMode, TRUE); } if (CapturedPrimaryGroup != NULL) { SeReleaseSid( CapturedPrimaryGroup, PreviousMode, TRUE); } if (CapturedDefaultDacl != NULL) { SeReleaseAcl( CapturedDefaultDacl, PreviousMode, TRUE); } if (SecurityQosPresent == TRUE) { SeFreeCapturedSecurityQos( &CapturedSecurityQos ); } return GetExceptionCode(); } // end_try{} // // Create the token // if (NT_SUCCESS(Status)) { Status = SepCreateToken( &LocalHandle, PreviousMode, DesiredAccess, ObjectAttributes, TokenType, CapturedSecurityQos.ImpersonationLevel, &CapturedAuthenticationId, &CapturedExpirationTime, CapturedUser, CapturedGroupCount, CapturedGroups, CapturedGroupsLength, CapturedPrivilegeCount, CapturedPrivileges, CapturedPrivilegesLength, CapturedOwner, CapturedPrimaryGroup, CapturedDefaultDacl, &CapturedTokenSource, FALSE, // Not a system token SecurityQosPresent ? CapturedSecurityQos.ProxyData : NULL, SecurityQosPresent ? CapturedSecurityQos.AuditData : NULL ); } // // Clean up the temporary capture buffers // if (CapturedUser != NULL) { SeReleaseSidAndAttributesArray( CapturedUser, PreviousMode, TRUE); } if (CapturedGroups != NULL) { SeReleaseSidAndAttributesArray( CapturedGroups, PreviousMode, TRUE); } if (CapturedPrivileges != NULL) { SeReleaseLuidAndAttributesArray( CapturedPrivileges, PreviousMode, TRUE); } if (CapturedOwner != NULL) { SeReleaseSid( CapturedOwner, PreviousMode, TRUE); } if (CapturedPrimaryGroup != NULL) { SeReleaseSid( CapturedPrimaryGroup, PreviousMode, TRUE); } if (CapturedDefaultDacl != NULL) { SeReleaseAcl( CapturedDefaultDacl, PreviousMode, TRUE); } if (SecurityQosPresent == TRUE) { SeFreeCapturedSecurityQos( &CapturedSecurityQos ); } // // Return the handle to this new token // if (NT_SUCCESS(Status)) { try { *TokenHandle = LocalHandle; } except(EXCEPTION_EXECUTE_HANDLER) { return GetExceptionCode(); } } return Status; } //////////////////////////////////////////////////////////////////////// // // // Token Private Routines // // // //////////////////////////////////////////////////////////////////////// VOID SepTokenDeleteMethod ( IN PVOID Token ) /*++ Routine Description: This function is the token object type-specific delete method. It is needed to ensure that all memory allocated for the token gets deallocated. Arguments: Token - Points to the token object being deleted. Return Value: None. --*/ { PAGED_CODE(); // // De-reference the logon session referenced by this token object // SepDeReferenceLogonSession( &(((TOKEN *)Token)->AuthenticationId) ); // // If the token has an associated Dynamic part, deallocate it. // if (ARGUMENT_PRESENT( ((TOKEN *)Token)->DynamicPart)) { ExFreePool( ((TOKEN *)Token)->DynamicPart ); } // // Free the Proxy and Global audit structures if present. // if (ARGUMENT_PRESENT(((TOKEN *) Token)->ProxyData)) { SepFreeProxyData( ((TOKEN *)Token)->ProxyData ); } if (ARGUMENT_PRESENT(((TOKEN *)Token)->AuditData )) { ExFreePool( (((TOKEN *)Token)->AuditData) ); } return; } NTSTATUS SepCreateToken( OUT PHANDLE TokenHandle, IN KPROCESSOR_MODE RequestorMode, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN TOKEN_TYPE TokenType, IN SECURITY_IMPERSONATION_LEVEL ImpersonationLevel OPTIONAL, IN PLUID AuthenticationId, IN PLARGE_INTEGER ExpirationTime, IN PSID_AND_ATTRIBUTES User, IN ULONG GroupCount, IN PSID_AND_ATTRIBUTES Groups, IN ULONG GroupsLength, IN ULONG PrivilegeCount, IN PLUID_AND_ATTRIBUTES Privileges, IN ULONG PrivilegesLength, IN PSID Owner OPTIONAL, IN PSID PrimaryGroup, IN PACL DefaultDacl OPTIONAL, IN PTOKEN_SOURCE TokenSource, IN BOOLEAN SystemToken, IN PSECURITY_TOKEN_PROXY_DATA ProxyData OPTIONAL, IN PSECURITY_TOKEN_AUDIT_DATA AuditData OPTIONAL ) /*++ Routine Description: Create a token object and return a handle opened for access to that token. This API implements the bulk of the work needed for NtCreateToken. All parameters except DesiredAccess and ObjectAttributes are assumed to have been probed and captured. The output parameter (TokenHandle) is expected to be returned to a safe address, rather than to a user mode address that may cause an exception. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! NOTE: This routine is also used to create the initial system token. In that case, the SystemToken parameter is TRUE and no handle is established to the token. Instead, a pointer to the token is returned via the TokenHandle parameter. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Arguments: TokenHandle - Receives the handle of the newly created token. If the SystemToken parameter is specified is true, then this parameter receives a pointer to the token instead of a handle to the token. RequestorMode - The mode of the caller on whose behalf the token is being created. DesiredAccess - Is an access mask indicating which access types the handle is to provide to the new object. ObjectAttributes - Points to the standard object attributes data structure. Refer to the NT Object Management Specification for a description of this data structure. TokenType - Type of token to be created. Privilege is required to create any type of token. ImpersonationLevel - If the token type is TokenImpersonation, then this parameter is used to specify the impersonation level of the token. AuthenticationId - Points to a LUID (or LUID) providing a unique identifier associated with the authentication. This is used within security only, for audit purposes. ExpirationTime - Time at which the token becomes invalid. If this value is specified as zero, then the token has no expiration time. User - Is the user SID to place in the token. GroupCount - Indicates the number of groups in the 'Groups' parameter. This value may be zero, in which case the 'Groups' parameter is ignored. Groups - Are the group SIDs, and their corresponding attributes, to place in the token. GroupsLength - Indicates the length, in bytes, of the array of groups to place in the token. PrivilegeCount - Indicates the number of privileges in the 'Privileges' parameter. This value may be zero, in which case the 'Privileges' parameter is ignored. Privileges - Are the privilege LUIDs, and their corresponding attributes, to place in the token. PrivilegesLength - Indicates the length, in bytes, of the array of privileges to place in the token. Owner - (Optionally) identifies an identifier that is to be used as the default owner for the token. If not provided, the user ID is made the default owner. PrimaryGroup - Identifies which of the group IDs is to be the primary group of the token. DefaultDacl - (optionally) establishes an ACL to be used as the default discretionary access protection for the token. TokenSource - Identifies the token source name string and identifier to be assigned to the token. Return Value: STATUS_SUCCESS - Indicates the operation was successful. STATUS_INVALID_OWNER - Indicates the ID provided to be assigned as the default owner of the token does not have an attribute indicating it may be assigned as an owner. STATUS_INVALID_PRIMARY_GROUP - Indicates the group ID provided via the PrimaryGroup parameter was not among those assigned to the token in the Groups parameter. STATUS_INVALID_PARAMETER - Indicates that a required parameter, such as User or PrimaryGroup, was not provided with a legitimate value. --*/ { PTOKEN Token; NTSTATUS Status; ULONG PagedPoolSize; ULONG PrimaryGroupLength; ULONG TokenBodyLength; ULONG VariableLength; ULONG DefaultOwnerIndex; ULONG NextFree; PSID NextSidFree; ULONG DynamicLength = TOKEN_DEFAULT_DYNAMIC_CHARGE; ULONG DynamicLengthUsed; ULONG SubAuthorityCount; ULONG GroupIndex; ULONG PrivilegeIndex; BOOLEAN OwnerFound; UCHAR TokenFlags = 0; ACCESS_STATE AccessState; AUX_ACCESS_DATA AuxData; LUID NewModifiedId; PAGED_CODE(); ASSERT( sizeof(SECURITY_IMPERSONATION_LEVEL) <= sizeof(ULONG) ); // // Make sure the Enabled and Enabled-by-default bits are set on every // mandatory group. // for (GroupIndex=0; GroupIndex < GroupCount; GroupIndex++) { if (Groups[GroupIndex].Attributes & SE_GROUP_MANDATORY) { Groups[GroupIndex].Attributes |= (SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT); } } // // Check to see if the token being created is going to be granted // SeChangeNotifyPrivilege. If so, set a flag in the TokenFlags field // so we can find this out quickly. // for (PrivilegeIndex = 0; PrivilegeIndex < PrivilegeCount; PrivilegeIndex++) { if (((RtlEqualLuid(&Privileges[PrivilegeIndex].Luid,&SeChangeNotifyPrivilege)) && (Privileges[PrivilegeIndex].Attributes & SE_PRIVILEGE_ENABLED))) { TokenFlags = TOKEN_HAS_TRAVERSE_PRIVILEGE; break; } } // // Get a ModifiedId to use // ExAllocateLocallyUniqueId( &NewModifiedId ); // // Validate the owner ID, if provided and establish the default // owner index. // if (!ARGUMENT_PRESENT(Owner)) { DefaultOwnerIndex = 0; } else { if ( RtlEqualSid( Owner, User->Sid ) ) { DefaultOwnerIndex = 0; } else { GroupIndex = 0; OwnerFound = FALSE; while ((GroupIndex < GroupCount) && (!OwnerFound)) { if ( RtlEqualSid( Owner, (Groups[GroupIndex].Sid) ) ) { // // Found a match - make sure it is assignable as owner. // if ( SepArrayGroupAttributes( Groups, GroupIndex ) & SE_GROUP_OWNER ) { DefaultOwnerIndex = GroupIndex + 1; OwnerFound = TRUE; } else { return STATUS_INVALID_OWNER; } // endif Owner attribute set } // endif owner = group GroupIndex += 1; } // endwhile if (!OwnerFound) { return STATUS_INVALID_OWNER; } // endif !OwnerFound } // endif owner = user } // endif owner specified // // Increment the reference count for this logon session // (fail if there is no corresponding logon session.) // Status = SepReferenceLogonSession( AuthenticationId ); if ( !NT_SUCCESS(Status) ) { return Status; } // // Calculate the length needed for the variable portion of the token // This includes the User ID, Group IDs, and Privileges // VariableLength = GroupsLength + PrivilegesLength; SubAuthorityCount = ((SID *)(User->Sid))->SubAuthorityCount; VariableLength += sizeof(SID_AND_ATTRIBUTES) + (ULONG)LongAlign(RtlLengthRequiredSid( SubAuthorityCount )); // // Calculate the length needed for the dynamic portion of the token // This includes the default Dacl and the primary group. // SubAuthorityCount = ((SID *)PrimaryGroup)->SubAuthorityCount; DynamicLengthUsed = (ULONG)LongAlign(RtlLengthRequiredSid( SubAuthorityCount )); if (ARGUMENT_PRESENT(DefaultDacl)) { DynamicLengthUsed += (ULONG)LongAlign(DefaultDacl->AclSize); } if (DynamicLengthUsed > DynamicLength) { DynamicLength = DynamicLengthUsed; } // // Now create the token body // TokenBodyLength = sizeof(TOKEN) + VariableLength; PagedPoolSize = TokenBodyLength + DynamicLength; Status = ObCreateObject( RequestorMode, // ProbeMode SepTokenObjectType, // ObjectType ObjectAttributes, // ObjectAttributes RequestorMode, // OwnershipMode NULL, // ParseContext TokenBodyLength, // ObjectBodySize PagedPoolSize, // PagedPoolCharge 0, // NonPagedPoolCharge (PVOID *)&Token // Return pointer to object ); if (!NT_SUCCESS(Status)) { SepDeReferenceLogonSession( AuthenticationId ); return Status; } // // After this point, we rely on token deletion to clean up the referenced // logon session if the creation fails. // // // Main Body initialization // ExAllocateLocallyUniqueId( &(Token->TokenId) ); Token->AuthenticationId = (*AuthenticationId); Token->TokenInUse = FALSE; Token->ModifiedId = NewModifiedId; Token->ExpirationTime = (*ExpirationTime); Token->TokenType = TokenType; Token->ImpersonationLevel = ImpersonationLevel; Token->TokenSource = (*TokenSource); Token->TokenFlags = TokenFlags; Token->DynamicCharged = DynamicLength; Token->DynamicAvailable = DynamicLength - DynamicLengthUsed; Token->DefaultOwnerIndex = DefaultOwnerIndex; Token->DefaultDacl = NULL; Token->VariableLength = VariableLength; // Ensure SepTokenDeleteMethod knows the buffers aren't allocated yet. Token->ProxyData = NULL; Token->AuditData = NULL; Token->DynamicPart = NULL; if (ARGUMENT_PRESENT( ProxyData )) { Status = SepCopyProxyData( &Token->ProxyData, ProxyData ); if (!NT_SUCCESS(Status)) { ObDereferenceObject( Token ); return( STATUS_NO_MEMORY ); } } else { Token->ProxyData = NULL; } if (ARGUMENT_PRESENT( AuditData )) { Token->AuditData = ExAllocatePool( PagedPool, sizeof( SECURITY_TOKEN_AUDIT_DATA )); if (Token->AuditData == NULL) { ObDereferenceObject( Token ); return( STATUS_NO_MEMORY ); } *(Token->AuditData) = *AuditData; } else { Token->AuditData = NULL; } // // Variable part initialization // Data is in the following order: // // Privileges array // User (SID_AND_ATTRIBUTES) // Groups (SID_AND_ATTRIBUTES) // SIDs // NextFree = (ULONG)(&Token->VariablePart); Token->Privileges = (PLUID_AND_ATTRIBUTES)NextFree; Token->PrivilegeCount = PrivilegeCount; RtlCopyLuidAndAttributesArray( PrivilegeCount, Privileges, (PLUID_AND_ATTRIBUTES)NextFree ); NextFree += (PrivilegeCount * (ULONG)sizeof(LUID_AND_ATTRIBUTES)); VariableLength -= ( (PrivilegeCount * (ULONG)sizeof(LUID_AND_ATTRIBUTES)) + (ULONG)sizeof(SID_AND_ATTRIBUTES) ); NextSidFree = (PSID)(NextFree + ((1 + GroupCount) * (ULONG)sizeof(SID_AND_ATTRIBUTES)) ); Token->UserAndGroups = (PSID_AND_ATTRIBUTES)NextFree; Token->UserAndGroupCount = 1 + GroupCount; Status = RtlCopySidAndAttributesArray( 1, User, VariableLength, (PSID_AND_ATTRIBUTES)NextFree, NextSidFree, &NextSidFree, &VariableLength ); ASSERT(NT_SUCCESS(Status)); NextFree += (ULONG)sizeof(SID_AND_ATTRIBUTES); VariableLength -= (GroupCount * (ULONG)sizeof(SID_AND_ATTRIBUTES)); Status = RtlCopySidAndAttributesArray( GroupCount, Groups, VariableLength, (PSID_AND_ATTRIBUTES)NextFree, NextSidFree, &NextSidFree, &VariableLength ); ASSERT(NT_SUCCESS(Status)); NextFree += (GroupCount * (ULONG)sizeof(SID_AND_ATTRIBUTES)); // // Dynamic part initialization // Data is in the following order: // // PrimaryGroup (SID) // Default Discreationary Acl (ACL) // Token->DynamicPart = (PULONG)ExAllocatePoolWithTag( PagedPool, DynamicLength, 'dTeS' ); // // The attempt to allocate the DynamicPart of the token may have // failed. Dereference the created object and exit with an error. // if (Token->DynamicPart == NULL) { ObDereferenceObject( Token ); return( STATUS_NO_MEMORY ); } NextFree = (ULONG)(Token->DynamicPart); Token->PrimaryGroup = (PSID)NextFree; PrimaryGroupLength = RtlLengthRequiredSid( ((SID *)PrimaryGroup)->SubAuthorityCount ); RtlCopySid( PrimaryGroupLength, (PSID)NextFree, PrimaryGroup ); NextFree += ((ULONG)LongAlign(PrimaryGroupLength)); if (ARGUMENT_PRESENT(DefaultDacl)) { Token->DefaultDacl = (PACL)NextFree; RtlMoveMemory( (PVOID)NextFree, (PVOID)DefaultDacl, DefaultDacl->AclSize ); } #ifdef TOKEN_DEBUG //////////////////////////////////////////////////////////////////////////// // // Debug SepDumpToken( Token ); // Debug // //////////////////////////////////////////////////////////////////////////// #endif //TOKEN_DEBUG // // Insert the token unless it is a system token. // if (!SystemToken) { Status = SeCreateAccessState( &AccessState, &AuxData, DesiredAccess, &SepTokenObjectType->TypeInfo.GenericMapping ); if ( NT_SUCCESS(Status) ) { BOOLEAN PrivilegeHeld; PrivilegeHeld = SeSinglePrivilegeCheck( SeCreateTokenPrivilege, KeGetPreviousMode() ); if (PrivilegeHeld) { Status = ObInsertObject( Token, &AccessState, 0, 0, (PVOID *)NULL, TokenHandle ); } else { Status = STATUS_PRIVILEGE_NOT_HELD; ObDereferenceObject( Token ); } SeDeleteAccessState( &AccessState ); } else { ObDereferenceObject( Token ); } } else { ASSERT( NT_SUCCESS( Status ) ); ObDeleteCapturedInsertInfo(Token); // // Return pointer instead of handle. // (*TokenHandle) = (HANDLE)Token; } return Status; } BOOLEAN SepIdAssignableAsOwner( IN PTOKEN Token, IN ULONG Index ) /*++ Routine Description: This routine returns a boolean value indicating whether the user or group ID in the specified token with the specified index is assignable as the owner of an object. If the index is 0, which is always the USER ID, then the ID is assignable as owner. Otherwise, the ID is that of a group, and it must have the "Owner" attribute set to be assignable. Arguments: Token - Pointer to a locked Token to use. Index - Index into the Token's UserAndGroupsArray. This value is assumed to be valid. Return Value: TRUE - Indicates the index corresponds to an ID that may be assigned as the owner of objects. FALSE - Indicates the index does not correspond to an ID that may be assigned as the owner of objects. --*/ { PAGED_CODE(); if (Index == 0) { return TRUE; } else { return (BOOLEAN) ( (SepTokenGroupAttributes(Token,Index) & SE_GROUP_OWNER) != 0 ); } }