Check if the calling process is super-user or administrator

Hello:
I'm developing some IOCTL commands that I use in a Windows service.

I would like these IOCTL commands to return STATUS_ACCESS_DENIED if the process is run in user mode instead of as super-root or administrator.

Is there a DDK function for checking whether the user process calling the IOCTL command is executing in user mode or with administrator rights?

Thank you.

One way is to use SeCaptureSubjectContext and SeTokenIsAdmin. Take a
look at the SeXXX operations; you can probably figure out a number of
ways.

Don Burn (MVP, Windows DDK)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

"xxxxx@sivaller.no-ip.org" wrote in message news:xxxxx@ntdev:

> Hello:
> I'm developing some IOCTL commands that I use in a Windows service.
>
> I would like these IOCTL commands to return STATUS_ACCESS_DENIED if the process is run in user mode instead of as super-root or administrator.
>
> Is there a DDK function for checking whether the user process calling the IOCTL command is executing in user mode or with administrator rights?
>
> Thank you.

A better way is to ACL your device so that you only allow reads to admins and then, in the IOCTL definition, define that it requires read access (you can flip the logic for write if you want) instead of any access. Then the I/O manager will do the check for you; no additional code needed.

d

Sent from a phone with no keyboard

-----Original Message-----
From: Don Burn
Sent: Sunday, March 13, 2011 10:42 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] check if calling since process super-user or administrator

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

What Doron proposes, above, really is THE solution. It avoids putting complicated policy code in your driver (where it really doesn’t belong), and if you specify the ACL in your INF file you should be all set.

Peter
OSR

Be careful with SeTokenIsAdmin as this leaves it up to you to manually (separately) verify that the caller is impersonating with an impersonation level that delegates access to act on behalf of the user (i.e. SecurityImpersonation or higher).

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Sunday, March 13, 2011 10:41 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] check if calling since process super-user or administrator

I need an example.
This crashes the machine!



case IOCTL_CMD_SERVICE_SETOWN:
{
    PDEVICE_EXTENSION_MOTHER pd;

    irp->IoStatus.Information = 0;
    KdPrintf(("[VFUM] set own service\n"));
    pd = gm();                         /* poster's helper: returns the device extension */
    if (pd != NULL)
    {
        if (pd->hProcessService == NULL)
        {
            SECURITY_SUBJECT_CONTEXT sec = {0};

            SeCaptureSubjectContext(&sec);
            SeLockSubjectContext(&sec);
            /* sec.ClientToken is non-NULL only while the caller is impersonating;
             * for an ordinary IOCTL from a process it is NULL, and that NULL is
             * passed straight to SeTokenIsAdmin here. */
            if (SeTokenIsAdmin(sec.ClientToken))
            {
                KdPrintf(("[VFUM] set own service OK\n"));
                pd->hProcessService = hpid;   /* hpid: set elsewhere in the poster's driver */
                status = STATUS_SUCCESS;
            }
            else
            {
                status = STATUS_ACCESS_DENIED;
            }
            SeUnlockSubjectContext(&sec);
            SeReleaseSubjectContext(&sec);
        }
        else
        {
            KdPrintf(("[VFUM] set own service already executed\n"));
            status = STATUS_ACCESS_DENIED;
        }
    }
    else
    {
        status = STATUS_INTERNAL_ERROR;
    }
}
break;

This code crashes the machine; why?

Drop this “Se” stuff altogether.

Set an access control list (DACL) in the INF file for your driver, to only allow administrators write access, and read access to everybody.

Make sure your "privileged" IOCTLs have the FILE_WRITE_DATA attribute in their definition.

That’s all you have to do.
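The DACL-plus-required-access approach Doron describes here and in his earlier reply, as an added example that is not code from this thread or from the poster's driver. The CTL_CODE layout and the FILE_* constants are the Windows DDK definitions, reproduced so the file builds as a plain user-mode C program and shows the rule the I/O manager applies before an IOCTL ever reaches a dispatch routine. The IOCTL names (IOCTL_VFUM_*), the function numbers, the INF section names in the comment and the two sample handles are constructed for the demonstration.

```c
/*
 * Added example (not from the thread or the poster's driver). It models why
 * a DACL on the device object plus FILE_READ_ACCESS/FILE_WRITE_ACCESS in the
 * IOCTL code removes the need for Se* calls in the dispatch routine: the
 * I/O manager compares the access encoded in the control code against what
 * the handle was granted when it was opened. CTL_CODE and the FILE_* values
 * are the Windows DDK definitions (devioctl.h / winnt.h), reproduced so this
 * compiles as a plain C program; IOCTL names, function numbers and the
 * sample handles are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FILE_DEVICE_UNKNOWN 0x00000022
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    0x0001
#define FILE_WRITE_ACCESS   0x0002
#define FILE_READ_DATA      0x0001   /* handle rights the two bits map to */
#define FILE_WRITE_DATA     0x0002
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

/* Hypothetical IOCTLs. SET_OWNER is the privileged one, so it carries
 * FILE_WRITE_ACCESS; the _UNPROTECTED variant shows the FILE_ANY_ACCESS pitfall. */
#define IOCTL_VFUM_QUERY_STATUS \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_VFUM_SET_OWNER \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_WRITE_ACCESS)
#define IOCTL_VFUM_SET_OWNER_UNPROTECTED \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_BUFFERED, FILE_ANY_ACCESS)

/*
 * A handle as the I/O manager sees it after IRP_MJ_CREATE: granted_access is
 * what the security reference monitor allowed against the device DACL.
 * With an INF entry such as (section names hypothetical)
 *
 *   [Vfum_Inst.HW]
 *   AddReg = Vfum_Inst.HW.AddReg
 *   [Vfum_Inst.HW.AddReg]
 *   HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;WD)"
 *
 * an administrator opening for GENERIC_READ|GENERIC_WRITE gets both data
 * rights, while an ordinary user gets FILE_READ_DATA only (and is refused at
 * CreateFile if it asks for write access at all).
 */
typedef struct {
    const char *opener;
    uint32_t    granted_access;
} device_handle;

/* Bits 14-15 of a control code hold the required access. */
static uint32_t ioctl_required_access(uint32_t code)
{
    return (code >> 14) & 0x3;
}

/*
 * The rule the I/O manager applies before the driver sees the IRP: every
 * access bit named in the control code must have been granted on the handle,
 * otherwise the call fails with STATUS_ACCESS_DENIED. Returns true when the
 * request would reach the dispatch routine.
 */
static bool io_manager_allows(const device_handle *h, uint32_t code)
{
    uint32_t required = ioctl_required_access(code);

    if ((required & FILE_READ_ACCESS) && !(h->granted_access & FILE_READ_DATA))
        return false;
    if ((required & FILE_WRITE_ACCESS) && !(h->granted_access & FILE_WRITE_DATA))
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample handles: what the DACL above yields for each opener. */
    const device_handle handles[] = {
        { "administrator", FILE_READ_DATA | FILE_WRITE_DATA },
        { "standard user", FILE_READ_DATA },
    };
    const struct { const char *name; uint32_t code; } ioctls[] = {
        { "IOCTL_VFUM_QUERY_STATUS",          IOCTL_VFUM_QUERY_STATUS },
        { "IOCTL_VFUM_SET_OWNER",             IOCTL_VFUM_SET_OWNER },
        { "IOCTL_VFUM_SET_OWNER_UNPROTECTED", IOCTL_VFUM_SET_OWNER_UNPROTECTED },
    };

    for (size_t i = 0; i < sizeof handles / sizeof handles[0]; i++)
        for (size_t j = 0; j < sizeof ioctls / sizeof ioctls[0]; j++)
            printf("%-14s %-34s (0x%08X) -> %s\n", handles[i].opener,
                   ioctls[j].name, (unsigned)ioctls[j].code,
                   io_manager_allows(&handles[i], ioctls[j].code)
                       ? "reaches driver" : "STATUS_ACCESS_DENIED");
    return 0;
}
```

The table the program prints is the whole point of the advice: the standard user's handle never carries FILE_WRITE_DATA, so IOCTL_VFUM_SET_OWNER is refused without the driver running any token code, whereas the FILE_ANY_ACCESS variant reaches the driver for every opener and would need exactly the kind of in-driver check the thread warns against.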

This is incorrect usage of SeTokenIsAdmin and will grant access to non-admin users in some cases. Please use a DACL instead.

- S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@sivaller.no-ip.org
Sent: Tuesday, March 15, 2011 11:27 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] check if calling since process super-user or administrator

> SeCaptureSubjectContext(&sec);
> SeLockSubjectContext(&sec);
> if (SeTokenIsAdmin(sec.ClientToken))

Bad code.

Instead, do the checks in CREATE only, not in IOCTL, and use Parameters.Create.SecurityContext.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com