File access checks from kernel

Hello. So a bit of context - I have a FS minifilter that is monitoring I/O on the pre/post path, so I have all those struct members if need be. On the Post path where I’m mainly operating, I’m checking the SD/ACL/ACE of the specified FileObject being accessed. But since my process is running from an admin, my token privileges are too high. I want the access checks to be done based on the standard user that got elevated.

I started going down the route of manually trying to check the ACCESS_MASK and building the Desired/Granted/Remaining Access and Allow/Deny based on masks in Dacl/Ace looping, and basing it on SIDs in the standard user token groups, but this is getting very complex, and I feel I will mess up the checks, hence looking at the use of APIs again.

  • So what APIs could I use to do the checks … SeAccessCheck( “But I need security context of user, and current one is an admin” )? Do I need my thread to impersonate the standard user? Ideas…?
  • The last option is to have a UM component, where the minifilter passes paths to a UM process and have it simply check OpenFile for R/W, then return the result to the minifilter. I haven’t tested this but unfortunately I will be blocking loads of operations, as post processing is based on this result.

Thanks.

Ideas…?

Well, the very first idea that gets into my head is asking FS-related questions on NTFSD, rather than NTDEV, in the first place

On the Post path where I’m mainly operating, I’m checking the SD/ACL/ACE of the specified FileObject being accessed.
But since my process is running from an admin, my token privileges are too high. I want the access checks to be done
based on the standard user that got elevated.

Concerning the above part, it does not really seem (at least to me) to make sense the way your question has been presented.
First of all, what is “your process”, taking into consideration that post callbacks are invoked in arbitrary thread context? Second, what is a “standard user” and how (and by whom) does it get “elevated”? Let’s face it - in order for a process to run at Admin privilege level (for example, if you launch it via RunAs utility) one needs to enter Admin’s password, which means that the user that may do something like that is actually an Admin…

Anton Bassov

@anton_bassov said:

Ideas…?

Well, the very first idea that gets into my head is asking FS-related questions on NTFSD, rather than NTDEV, in the first place

On the Post path where I’m mainly operating, I’m checking the SD/ACL/ACE of the specified FileObject being accessed.
But since my process is running from an admin, my token privileges are too high. I want the access checks to be done
based on the standard user that got elevated.

Concerning the above part, it does not really seem (at least to me) to make sense the way your question has been presented.
First of all, what is “your process”, taking into consideration that post callbacks are invoked in arbitrary thread context? Second, what is a “standard user” and how (and by whom) does it get “elevated”? Let’s face it - in order for a process to run at Admin privilege level (for example, if you launch it via RunAs utility) one needs to enter Admin’s password, which means that the user that may do something like that is actually an Admin…

Anton Bassov

This question is about file access checks from kernel, the minifilter was merely the side context. It doesn’t really matter what thread is hijacked to execute the callback, it could be a High Integrity thread, MI, LI, MI with a DebugToken, again the calling process accessing it is not of concern.

My question is related to checking the access privileges based on the logged-on standard user (yes, an admin might have typed the password in for him to elevate him). Any process could be accessing the file; however, I would like to cross-correlate at the same time whether the “standard user” (not the elevated admin) can R/W to the file being operated upon in the callback. And the APIs related to access checks like SeAccessCheck operate on a SECURITY_SUBJECT_CONTEXT, which is obtained from the current process. Hence I wondered if impersonating a (non-elevated?) thread will somehow help here.

I have a FS minifilter

The people who have knowledge about what you’re doing are file system practitioners, and they’re in NTFSD.

I’m moving your post.

You’re welcome.

Peter