NdisMRegisterDevice & non-administrative access

Hi,

I’ve been out of the loop for a while as far as kernel development goes, so
I may have missed something, but I’ve recently begun attempting to figure
out how to adjust the access rights to a device object created by
NdisMRegisterDevice. Apparently NdisMRegisterDevice returns a device object
of type FILE_DEVICE_NETWORK (as it should). However, FILE_DEVICE_NETWORK’s
default security level prohibits non-administrative users from communicating
with the device object (CreateFile/DeviceIoControl). I believe the solution
lies in changing the security descriptor on the device object to one that
allows for GENERIC_ALL from both administrative and non-administrative
users. The problem with this solution is that ntddk.h seems to suggest that
I ought not touch the SecurityDescriptor attribute of the DEVICE_OBJECT.
One thing I attempted to try (just randomly) was changing the device's type
to FILE_DEVICE_UNKNOWN after calling NdisMRegisterDevice to create it.
This, of course, had no effect.

So to summarize: I’m looking for a way to modify a device object returned
from NdisMRegisterDevice in such a way that non-administrators have the same
rights as administrators.

Thanks for the help,

Matt Miller
xxxxx@positivenetworks.net

I had a similar problem several years ago and changed the security descriptor
for a device created using NdisMRegisterDevice. All the info you need is here:
http://www.sysinternals.com/ntw2k/source/devsec.shtml.

Maybe there is a new way for XP; I vaguely remember seeing some new APIs
regarding device security.

Best regards,

Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]


From:
xxxxx@positivenetworks.net[SMTP:xxxxx@positivenetworks.net]
Reply To: xxxxx@lists.osr.com
Sent: Tuesday, January 14, 2003 11:49 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] NdisMRegisterDevice & non-administrative access

