Closing handle

Hello,
imagine this scenario - a user opens a file and gets a handle (called
PublicHandle). This time, we create a different handle only for our
purposes, called PrivateHandle.

Now, when the user closes his PublicHandle, we can close
PrivateHandle as well. Here is one problem - our PrivateHandle is
present in the user’s process handle table, so that SYSTEM can see it
and sometimes close it.

Do you have any suggestions on when System (no one else can know
about this handle) “kills” handles? I can so far identify only
ObProcessKill().

Optional Result: Make PrivateHandle remain in memory until
PublicHandle isn’t cleaned up.

Thanks Ondra.



Why is the handle present in the user process handle table? Do you need to access it from the user process?

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Ondřej Ševeček
Sent: Tuesday, September 10, 2002 8:50 AM
To: File Systems Developers
Subject: [ntfsd] Closing handle


If this handle is opened in kernel mode, by default you are bypassing certain access checks, and unless you explicitly request access checks (OBJ_FORCE_ACCESS_CHECK), you should set the OBJ_KERNEL_HANDLE attribute for this handle so that it will be placed in the SYSTEM process’ handle table and not in the user’s process handle table. That closes a potential security hole where you have exposed a privileged handle to a potentially unprivileged user.

If the user’s process dies, its PublicHandle will be cleaned up by the system as it releases the process’ resources. Your filter should get the IRP_MJ_CLEANUP call, just as if it was closed through a CloseHandle() call, and you can clean up your PrivateHandle at that time. The system doesn’t know that your PrivateHandle is at all associated with the PublicHandle or this user’s process and will not do any cleanup for you when the user’s process terminates.

In a properly running system, the SYSTEM process should never terminate, therefore, system handles you have opened remain open until you explicitly close them.

Molly Brown
Microsoft Corporation

This posting is provided “AS IS” with no implied warranties and confers no rights.

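The handle placement and cleanup behaviour described in the last reply, as a simplified user-mode model added here for illustration; it is not code from the thread and not WDK code. All names (`kernel_open`, `ATTR_KERNEL_HANDLE`, `process_exit` and the rest) are hypothetical stand-ins: in a real driver the flag is OBJ_KERNEL_HANDLE in the object attributes and the cleanup step is the filter's IRP_MJ_CLEANUP handler.

```c
/* Added illustration: user-mode model of handle-table placement.
   Not WDK code; every name below is hypothetical. */
#include <stdbool.h>

#define ATTR_KERNEL_HANDLE 0x1   /* stands in for OBJ_KERNEL_HANDLE */
#define TABLE_SLOTS 8

typedef struct { bool open[TABLE_SLOTS]; } HandleTable;
typedef struct { HandleTable *table; int slot; } HandleRef;

static HandleTable system_table;   /* models the SYSTEM process handle table */

static int alloc_slot(HandleTable *t) {
    for (int i = 0; i < TABLE_SLOTS; i++)
        if (!t->open[i]) { t->open[i] = true; return i; }
    return -1;
}

/* Kernel-mode open made while running in the context of `caller`.
   Without the flag the handle lands in the caller's own table. */
HandleRef kernel_open(HandleTable *caller, unsigned attrs) {
    HandleTable *t = (attrs & ATTR_KERNEL_HANDLE) ? &system_table : caller;
    HandleRef h = { t, alloc_slot(t) };
    return h;
}

/* User-mode close: can only reach the calling process's own table. */
bool user_close(HandleTable *caller, HandleRef h) {
    if (h.table != caller || h.slot < 0 || !caller->open[h.slot]) return false;
    caller->open[h.slot] = false;
    return true;
}

/* Kernel-mode close, as issued by the filter itself. */
void kernel_close(HandleRef h) { if (h.slot >= 0) h.table->open[h.slot] = false; }

bool is_open(HandleRef h) { return h.slot >= 0 && h.table->open[h.slot]; }

/* Process teardown: the system closes every handle in the process table.
   The system knows nothing about private_h; the kernel_close() call here
   models the filter's cleanup handler reacting to public_h going away. */
void process_exit(HandleTable *proc, HandleRef public_h, HandleRef private_h) {
    bool public_was_open = is_open(public_h);
    for (int i = 0; i < TABLE_SLOTS; i++) proc->open[i] = false;
    if (public_was_open) kernel_close(private_h);   /* models IRP_MJ_CLEANUP */
}
```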