I am experiencing something strange with ACLs on a device object. Would
really like to understand if I am doing something wrong.
I have a device object which was created using IoCreateDevice and not
IoCreateDeviceSecure. The device does have a symbolic link and is
accessible from user mode.
I am trying to remove any access to that device from user mode via a
kernel driver; however, I am not in control of the device object itself
(can't change it to IoCreateDeviceSecure).
I have used a technique similar to this post:
http://blogs.msdn.com/b/doronh/archive/2007/10/16/setting-a-security-descriptor-on-a-legacy-device-object.aspx
Basically I have opened the device object with WRITE_DAC (using
ObOpenObjectByPointer), created empty ACEs for all the required SIDs and
finally set them using ZwSetSecurityObject with the device object handle.
This works perfectly when trying to open the device from user mode using
this:
CreateFile("\\.\DeviceName", ...
I get ACCESS_DENIED as expected. Also, the IRP_MJ_CREATE dispatch function of the
driver which created the device is never triggered (as expected).
However, if I do:
CreateFile("\\.\DeviceName\randomstring", ...
the operation succeeds, and the IRP_MJ_CREATE of the driver which created the
device is called with a FileObject "randomstring".
I am trying to understand how come removing all ACLs from the device allows
this, and if it makes sense, how can I make sure it won't?
Thanks in advance.
This is standard behavior if the device object does not have the
FILE_DEVICE_SECURE_OPEN bit set. See this MSDN article:
https://msdn.microsoft.com/en-us/library/windows/hardware/ff542068(v=vs.85).aspx
-scott
OSR
@OSRDrivers
Thank you so much Scott!
Any idea why by default Windows does not make the security check for access
within the namespace? This is a behavior that I doubt someone will
explicitly want by default…
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
In the original design, it was assumed anyone who managed a namespace would do the checks in their driver. When it was realized adding a namespace was a general escape hatch, it was an app compat risk to alter the default behavior. Hence the secure open flag and the new API.
d
Sent from my phone
From: Elad Zucker
Sent: 2/4/2015 6:59 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Setting permissions on a device object.
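To make Scott's and Doron's points concrete, here is an added, constructed user-mode C model of the open path; it is not code from the thread, from OSR or from Microsoft. `nt_create` stands in for the I/O manager and `dispatch_create` for the driver's IRP_MJ_CREATE handler; the device name, the symbolic status names and the `dacl_allows_caller` flag are assumptions, and only the FILE_DEVICE_SECURE_OPEN bit value is the real one.

```c
#include <stdio.h>
#include <string.h>
/* Constructed user-mode model of the open path the thread discusses. It is not
 * WDK code; the NTSTATUS names are symbolic and the DACL check is a flag. */
#define FILE_DEVICE_SECURE_OPEN 0x00000100u  /* the real device-characteristics bit */
enum { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED, STATUS_INVALID_PARAMETER,
       STATUS_OBJECT_NAME_NOT_FOUND };
typedef struct {
    const char *name;          /* "\Device\DeviceName" */
    unsigned characteristics;  /* set by IoCreateDeviceSecure, not by IoCreateDevice */
    int dacl_allows_caller;    /* result of the security-descriptor check for this caller */
    int reject_namespace;      /* the driver's own IRP_MJ_CREATE policy */
    int create_called;         /* did IRP_MJ_CREATE reach the driver on the last open? */
    char file_name[64];        /* FileObject->FileName as the driver saw it */
} device_t;

/* Driver side: the check the original design expected every namespace owner to do. */
static int dispatch_create(device_t *dev, const char *file_name) {
    dev->create_called = 1;
    snprintf(dev->file_name, sizeof dev->file_name, "%s", file_name);
    if (dev->reject_namespace && file_name[0] != '\0')
        return STATUS_INVALID_PARAMETER;  /* this device exposes no namespace below it */
    return STATUS_SUCCESS;
}

/* I/O manager side: split the path, decide whether the DACL applies, then forward. */
int nt_create(device_t *dev, const char *path) {
    size_t n = strlen(dev->name);
    dev->create_called = 0;
    if (strncmp(path, dev->name, n) != 0 || (path[n] != '\0' && path[n] != '\\'))
        return STATUS_OBJECT_NAME_NOT_FOUND;
    const char *file_name = path + n;     /* "" for the device itself, "\suffix" otherwise */
    int namespace_open = file_name[0] != '\0';
    /* Without FILE_DEVICE_SECURE_OPEN only the open of the device itself is checked. */
    if ((!namespace_open || (dev->characteristics & FILE_DEVICE_SECURE_OPEN))
        && !dev->dacl_allows_caller)
        return STATUS_ACCESS_DENIED;      /* denied by the I/O manager; no IRP is sent */
    return dispatch_create(dev, file_name);
}

int main(void) {
    device_t legacy  = { "\\Device\\DeviceName", 0, 0, 0, 0, "" };
    device_t secure  = { "\\Device\\DeviceName", FILE_DEVICE_SECURE_OPEN, 0, 0, 0, "" };
    device_t checked = { "\\Device\\DeviceName", 0, 0, 1, 0, "" };
    printf("legacy, device itself:   %d\n", nt_create(&legacy, "\\Device\\DeviceName"));
    printf("legacy, namespace:       %d (driver saw \"%s\")\n", nt_create(&legacy, "\\Device\\DeviceName\\randomstring"), legacy.file_name);
    printf("secure-open, namespace:  %d\n", nt_create(&secure, "\\Device\\DeviceName\\randomstring"));
    printf("driver check, namespace: %d\n", nt_create(&checked, "\\Device\\DeviceName\\randomstring"));
    return 0;
}
```

The `checked` device shows the in-driver check Doron says the original design relied on; a device created with IoCreateDeviceSecure gets the same protection from the I/O manager instead.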
Yes, it felt like that.
Thanks for the explanation!