check if calling since process super-user or administrator

OSR_Community_User Member Posts: 110,217
Hello:
I'm developing some IOCTL commands that I use from a Windows service.

I would like these IOCTL commands to return STATUS_ACCESS_DENIED if the process is run in user mode instead of as super-root or administrator.

Does a DDK function exist for checking whether the user process calling the IOCTL command is executed in user mode or with administrator rights?

Thank you.

Comments

  • Don_Burn_1 Member Posts: 4,311
    One way is to use SeCaptureSubjectContext and SeTokenIsAdmin. Take a
    look at the SeXXX operations, you can probably figure out a number of
    ways.


    Don Burn (MVP, Windows DKD)
    Windows Filesystem and Driver Consulting
    Website: http://www.windrvr.com
    Blog: http://msmvps.com/blogs/WinDrvr

  • Doron_Holan Member - All Emails Posts: 10,534
    A better way is to acl your device so that you only allow reads to admins and then in the ioctl definition, define that it requires read access (you can flip the logic for write if you want) instead of any access. Then the io manager will do the check for you, no additional code needed.

    d

    dent from a phine with no keynoard

    -----Original Message-----
    From: Don Burn
    Sent: Sunday, March 13, 2011 10:42 AM
    To: Windows System Software Devs Interest List
    Subject: Re:[ntdev] check if calling since process super-user or administrator
    ---
    NTDEV is sponsored by OSR

    For our schedule of WDF, WDM, debugging and other seminars visit:
    http://www.osr.com/seminars

    To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
  • Peter_Viscarola_(OSR) Administrator Posts: 8,157
    <QUOTE>
    A better way is to acl your device ... Then the io manager will
    do the check for you, no additional code needed.
    </QUOTE>

    What Doron proposes, above, really is THE solution. It avoids putting complicated policy code in your driver (where it really doesn't belong), and if you specify the ACL in your INF file you should be all set.

    Peter
    OSR

    Peter Viscarola
    OSR
    @OSRDrivers

  • Ken_Johnson Member - All Emails Posts: 1,559
    Be careful with SeTokenIsAdmin as this leaves it up to you to manually (separately) verify that the caller is impersonating with an impersonation level that delegates access to act on behalf of the user (i.e. SecurityImpersonation or higher).

    - S

    -----Original Message-----
    From: [email protected] [mailto:[email protected]] On Behalf Of Don Burn
    Sent: Sunday, March 13, 2011 10:41 AM
    To: Windows System Software Devs Interest List
    Subject: Re:[ntdev] check if calling since process super-user or administrator

  • OSR_Community_User Member Posts: 110,217
    I need an example
    CRASH machine!

    ...
    ...
    case IOCTL_CMD_SERVICE_SETOWN:
    {
        PDEVICE_EXTENSION_MOTHER pd;
        irp->IoStatus.Information = 0;
        KdPrintf(("[VFUM] set own service\n"));
        pd = gm();
        if (pd != NULL)
        {
            if (pd->hProcessService == NULL)
            {
                SECURITY_SUBJECT_CONTEXT sec = {0};
                SeCaptureSubjectContext(&sec);
                SeLockSubjectContext(&sec);
                /* sec.ClientToken is NULL unless the calling thread is
                   impersonating, so for an ordinary caller this passes NULL
                   to SeTokenIsAdmin and faults. SeQuerySubjectContextToken()
                   is the accessor for the effective token, and the replies
                   below explain why even that is not enough on its own. */
                if (SeTokenIsAdmin(sec.ClientToken))
                {
                    KdPrintf(("[VFUM] set own service OK\n"));
                    pd->hProcessService = hpid;
                    status = STATUS_SUCCESS;
                }
                else
                    status = STATUS_ACCESS_DENIED;
                SeUnlockSubjectContext(&sec);
                SeReleaseSubjectContext(&sec);
            }
            else
            {
                KdPrintf(("[VFUM] set own service already executed\n"));
                status = STATUS_ACCESS_DENIED;
            }
        }
        else
        {
            status = STATUS_INTERNAL_ERROR;
        }
    }
    break;
    ...
    ...

    This code crashes the machine; why?
  • Alex_Grig Member Posts: 3,238
    Drop this "Se" stuff altogether.

    Set an access control list (DACL) in the INF file for your driver, to only allow administrators write access, and read access to everybody.

    Make sure your "privileged" IOCTLs have FILE_WRITE_DATA attribute in their definition.

    That's all you have to do.
  • Ken_Johnson Member - All Emails Posts: 1,559
    This is incorrect usage of SeTokenIsAdmin and will grant access to non-admin users in some cases. Please use a DACL instead.

    - S

    -----Original Message-----
    From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
    Sent: Tuesday, March 15, 2011 11:27 AM
    To: Windows System Software Devs Interest List
    Subject: RE:[ntdev] check if calling since process super-user or administrator

  • Maxim_S._Shatskih Member Posts: 10,396
    > SeCaptureSubjectContext(&sec);
    > SeLockSubjectContext(&sec);
    > if (SeTokenIsAdmin(sec.ClientToken))

    Bad code.

    Instead, do the checks in CREATE only, not in IOCTL, and use Parameters.Create.SecurityContext

    --
    Maxim S. Shatskih
    Windows DDK MVP
    [email protected]
    http://www.storagecraft.com