Rob,
Perhaps I should clarify - the concept of “least privilege” is one of the
security reference monitor and not of policy mechanisms that are layered on
top of the OS. Thus, there are no “special privileges” that the security
reference monitor enables by default - although there ARE privileges that
are enabled by other OS components (e.g., the Win32 subsystem) in order to
implement their semantics (traverse privilege is my standard example, which
is actually related to SeChangeNotifyPrivilege, since you cannot know about
what changed if you cannot get to the object that changed).
If you call NtAdjustTokenPrivileges and specify DisableAllPrivileges as
TRUE, you will end up with no privileges.
As for the fact that it sets the ENABLED_BY_DEFAULT bit, this is not used by
the security reference monitor. I suspect that it is used by the subsystem
for computing the privilege set in the new token for the new process. Of
course, the implication is that it is enabled by default by the Security
Reference Monitor, but that isn’t the case.
The confusing thing here is that the security concept (least privilege) is
implemented as part of the OS, but the policy on top of this doesn’t match
the same semantics.
Confused? Well, that’s security for you - try describing how ACLs work to
someone someday.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Wednesday, March 27, 2002 5:21 PM
To: File Systems Developers
Subject: [ntfsd] RE: Some confusion regarding create flags
While I agree with the philosophy that ALL privileges SHOULD be disabled by
default, the reality is they aren’t. I’m sure this was the philosophy
behind the design, but the implementation did not hold true.
In fact, the SeChangeNotifyPrivilege is enabled by default as documented in
the Platform SDK. The Platform SDK states, “SE_CHANGE_NOTIFY_NAME Required
to receive notifications of changes to files or directories. This privilege
also causes the system to skip all traversal access checks. It is enabled by
default for all users. User Right: Bypass traverse checking.” If you run
this sample program I whipped up, you will find the Platform SDK is correct.
In particular, look at the special flag SE_PRIVILEGE_ENABLED_BY_DEFAULT.
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

/* Report a failed Win32 call and, unless told otherwise, abort. */
void Win32Error(const char *fn, bool fatal = true)
{
    fprintf(stderr, "WIN32 function %s() returned %lu\n", fn, GetLastError());
    if (fatal)
        exit(EXIT_FAILURE);
}

int main()
{
    /* TOKEN_PRIVILEGES ends in a one-element array; the trailing vector
       gives GetTokenInformation room for up to 1025 entries. */
    struct {
        TOKEN_PRIVILEGES tokenPrivileges;
        LUID_AND_ATTRIBUTES vector[1024];
    } tokenPrivilegesQuery;
    TOKEN_PRIVILEGES *tokenPrivileges = &tokenPrivilegesQuery.tokenPrivileges;
    HANDLE token;

    if (FALSE == OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token))
        Win32Error("OpenProcessToken");

    DWORD length;
    if (FALSE == GetTokenInformation(token, TokenPrivileges, tokenPrivileges,
                                     sizeof(tokenPrivilegesQuery), &length))
        Win32Error("GetTokenInformation");

    TCHAR name[1024];
    DWORD characters, attributes;
    for (DWORD i = 0; i < tokenPrivileges->PrivilegeCount; ++i)
    {
        characters = sizeof(name) / sizeof(TCHAR);
        if (FALSE == LookupPrivilegeName(NULL, &tokenPrivileges->Privileges[i].Luid,
                                         name, &characters))
            Win32Error("LookupPrivilegeName");

        /* SE_PRIVILEGE_ENABLED says whether the privilege is on right now;
           SE_PRIVILEGE_ENABLED_BY_DEFAULT says it was on when the token was built. */
        attributes = tokenPrivileges->Privileges[i].Attributes;
        printf("Privilege \"%s\" is %s%s\n",
               name,
               attributes & SE_PRIVILEGE_ENABLED ? "enabled" : "disabled",
               attributes & SE_PRIVILEGE_ENABLED_BY_DEFAULT ? " by default" : "");
    }

    if (FALSE == CloseHandle(token))
        Win32Error("CloseHandle");
    return EXIT_SUCCESS;
}
-----Original Message-----
From: Tony Mason [mailto:xxxxx@osr.com]
Sent: Friday, March 22, 2002 4:07 PM
To: File Systems Developers
Subject: [ntfsd] RE: Some confusion regarding create flags
Actually ALL privileges are, by default, disabled. This is an important
security concept (“least privilege”) that requires that a program actively
enable security privileges to take advantage of them.
There was an article in The NT Insider some time back (two years ago?) that
gave code examples for enabling and disabling specific privileges.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: Fuller, Rob [mailto:xxxxx@inin.com]
Sent: Friday, March 22, 2002 2:15 PM
To: File Systems Developers
Subject: [ntfsd] RE: Some confusion regarding create flags
It’s not quite that simple, but close. Not only does the user have to be a
member of the backup group, their process must explicitly enable the backup
privileges on the thread or process token. The backup and restore
privileges are disabled by default.
-----Original Message-----
From: Jamey Kirby [mailto:xxxxx@storagecraft.com]
Sent: Friday, March 22, 2002 2:02 PM
To: File Systems Developers
Subject: [ntfsd] RE: Some confusion regarding create flags
OK, I get it.
It all depends on whether or not the user is a member of the backup
group. This is critical in using the BACKUP_INTENT flag properly.
Jamey Kirby
StorageCraft, inc.
xxxxx@storagecraft.com
www.storagecraft.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Jamey Kirby
Sent: Friday, March 22, 2002 10:42 AM
To: File Systems Developers
Subject: [ntfsd] Some confusion regarding create flags
It looks like MS overloads the BACKUP_INTENT flag to get around some
security issues when creating a new directory or opening an existing
directory for enumeration.
From what I can tell, via the debugger, the Win32 API DeleteFile() sets
the FILE_LIST_DIRECTORY flag and the BACKUP_INTENT flag. It also appears
that the MS kernel does a security check before it sends a file to the
FSD with BI set. If the user has backup privileges, the flag is
propagated to the FSD. If the user does not have backup privileges, the
BACKUP_INTENT flag is cleared before the request is sent to the FSD.
This means, to me, that if I am a backup user and I call DeleteFile(),
the BI flag is going to get propagated to the FSD; regardless of whether
or not the file is being used for backup purposes.
Does anyone have a better interpretation of what I am experiencing?
Jamey Kirby
StorageCraft, inc.
xxxxx@storagecraft.com
www.storagecraft.com
—
You are currently subscribed to ntfsd as: xxxxx@storagecraft.com
To unsubscribe send a blank email to %%email.unsub%%