[SERVICES] Use a proper security descriptor for the control pipes
authorEric Kohl <eric.kohl@reactos.org>
Sun, 4 Aug 2019 20:30:40 +0000 (22:30 +0200)
committerEric Kohl <eric.kohl@reactos.org>
Sun, 4 Aug 2019 20:30:40 +0000 (22:30 +0200)
base/system/services/database.c
base/system/services/security.c
base/system/services/services.h

index 460b748..7c41c54 100644 (file)
@@ -44,6 +44,7 @@ static DWORD
 ScmCreateNewControlPipe(PSERVICE_IMAGE pServiceImage)
 {
     WCHAR szControlPipeName[MAX_PATH + 1];
+    SECURITY_ATTRIBUTES SecurityAttributes;
     HKEY hServiceCurrentKey = INVALID_HANDLE_VALUE;
     DWORD ServiceCurrent = 0;
     DWORD KeyDisposition;
@@ -97,6 +98,10 @@ ScmCreateNewControlPipe(PSERVICE_IMAGE pServiceImage)
 
     DPRINT("PipeName: %S\n", szControlPipeName);
 
+    SecurityAttributes.nLength = sizeof(SecurityAttributes);
+    SecurityAttributes.lpSecurityDescriptor = pPipeSD;
+    SecurityAttributes.bInheritHandle = FALSE;
+
     pServiceImage->hControlPipe = CreateNamedPipeW(szControlPipeName,
                                                    PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
                                                    PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
@@ -104,7 +109,7 @@ ScmCreateNewControlPipe(PSERVICE_IMAGE pServiceImage)
                                                    8000,
                                                    4,
                                                    PipeTimeout,
-                                                   NULL);
+                                                   &SecurityAttributes);
     DPRINT("CreateNamedPipeW(%S) done\n", szControlPipeName);
     if (pServiceImage->hControlPipe == INVALID_HANDLE_VALUE)
     {
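Review bot: `SecurityAttributes.lpSecurityDescriptor = pPipeSD;` in the preceding hunk feeds this call without any check that `pPipeSD` was actually built. If the pointer is still NULL, CreateNamedPipeW would presumably fall back to its default descriptor without reporting an error, so the pipe would silently get a different ACL from the intended one. An `ASSERT(pPipeSD != NULL);` before the structure is filled in, or an early error return, would make that case visible. ScmCreateNewControlPipe starts and ends outside these hunks, so it is not visible here whether an early return would first have to close `hServiceCurrentKey`.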
index b6a5469..b2639e9 100644 (file)
 #include <debug.h>
 
 static PSID pNullSid = NULL;
+static PSID pWorldSid = NULL;
 static PSID pLocalSystemSid = NULL;
 static PSID pAuthenticatedUserSid = NULL;
 static PSID pAliasAdminsSid = NULL;
 
 static PACL pDefaultDacl = NULL;
 static PACL pDefaultSacl = NULL;
+static PACL pPipeDacl = NULL;
 
 static PSECURITY_DESCRIPTOR pDefaultSD = NULL;
+PSECURITY_DESCRIPTOR pPipeSD = NULL;
 
 
 /* FUNCTIONS ****************************************************************/
@@ -33,6 +36,9 @@ ScmFreeSids(VOID)
     if (pNullSid != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, pNullSid);
 
+    if (pWorldSid != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, pWorldSid);
+
     if (pLocalSystemSid != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, pLocalSystemSid);
 
@@ -41,7 +47,6 @@ ScmFreeSids(VOID)
 
     if (pAliasAdminsSid != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, pAliasAdminsSid);
-
 }
 
 
@@ -66,6 +71,17 @@ ScmCreateSids(VOID)
     pSubAuthority = RtlSubAuthoritySid(pNullSid, 0);
     *pSubAuthority = SECURITY_NULL_RID;
 
+    /* Create the World SID */
+    pWorldSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
+    if (pWorldSid == NULL)
+    {
+        return ERROR_OUTOFMEMORY;
+    }
+
+    RtlInitializeSid(pWorldSid, &NullAuthority, 1);
+    pSubAuthority = RtlSubAuthoritySid(pWorldSid, 0);
+    *pSubAuthority = SECURITY_WORLD_RID;
+
     /* Create the LocalSystem SID */
     pLocalSystemSid = RtlAllocateHeap(RtlGetProcessHeap(), 0, ulLength1);
     if (pLocalSystemSid == NULL)
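Review bot: `RtlInitializeSid(pWorldSid, &NullAuthority, 1);` builds the new SID under the same identifier authority as the Null SID created just above it. If `NullAuthority` is the null SID authority, as its name suggests (its definition is outside the hunk), the result is not the World SID S-1-1-0 but a second copy of the Null SID, because SECURITY_WORLD_RID and SECURITY_NULL_RID are both 0. The pipe DACL added later in this commit would then name a SID that no ordinary token carries, so the ACE would match nobody. A separate `static SID_IDENTIFIER_AUTHORITY WorldAuthority = {SECURITY_WORLD_SID_AUTHORITY};` passed as `&WorldAuthority` would give the intended SID. ScmCreateSids starts and ends outside the hunk.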
@@ -158,6 +174,21 @@ ScmCreateAcls(VOID)
                          FALSE,
                          TRUE);
 
+    /* Create the pipe DACL */
+    ulLength = sizeof(ACL) +
+               (sizeof(ACE) + RtlLengthSid(pWorldSid));
+
+    pPipeDacl = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, ulLength);
+    if (pPipeDacl == NULL)
+        return ERROR_OUTOFMEMORY;
+
+    RtlCreateAcl(pPipeDacl, ulLength, ACL_REVISION);
+
+    RtlAddAccessAllowedAce(pPipeDacl,
+                           ACL_REVISION,
+                           GENERIC_ALL,
+                           pWorldSid);
+
     return ERROR_SUCCESS;
 }
 
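Review bot: The new ACE grants `GENERIC_ALL` to `pWorldSid`, which on a pipe object includes the rights to rewrite the DACL and take ownership, not only to exchange messages. If the aim is only to let service processes running under any account connect to their control pipe, a narrower mask such as `GENERIC_READ | GENERIC_WRITE` would cover it; which rights the clients really need is not visible in this hunk. The return values of `RtlCreateAcl` and `RtlAddAccessAllowedAce` are also ignored, so a failed ACE add leaves an empty DACL that denies everyone while the function still returns `ERROR_SUCCESS`. ScmCreateAcls starts outside the hunk.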
@@ -171,6 +202,9 @@ ScmFreeAcls(VOID)
 
     if (pDefaultSacl != NULL)
         RtlFreeHeap(RtlGetProcessHeap(), 0, pDefaultSacl);
+
+    if (pPipeDacl != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeDacl);
 }
 
 
@@ -231,6 +265,56 @@ ScmFreeDefaultSD(VOID)
 }
 
 
+static
+DWORD
+ScmCreatePipeSD(VOID)
+{
+    NTSTATUS Status;
+
+    /* Create the absolute security descriptor */
+    pPipeSD = RtlAllocateHeap(RtlGetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(SECURITY_DESCRIPTOR));
+    if (pPipeSD == NULL)
+        return ERROR_OUTOFMEMORY;
+
+    DPRINT("pPipeSD %p\n", pDefaultSD);
+
+    Status = RtlCreateSecurityDescriptor(pPipeSD,
+                                         SECURITY_DESCRIPTOR_REVISION);
+    if (!NT_SUCCESS(Status))
+        return RtlNtStatusToDosError(Status);
+
+    Status = RtlSetOwnerSecurityDescriptor(pPipeSD,
+                                           pLocalSystemSid,
+                                           FALSE);
+    if (!NT_SUCCESS(Status))
+        return RtlNtStatusToDosError(Status);
+
+    Status = RtlSetGroupSecurityDescriptor(pPipeSD,
+                                           pLocalSystemSid,
+                                           FALSE);
+    if (!NT_SUCCESS(Status))
+        return RtlNtStatusToDosError(Status);
+
+    Status = RtlSetDaclSecurityDescriptor(pPipeSD,
+                                          TRUE,
+                                          pPipeDacl,
+                                          FALSE);
+    if (!NT_SUCCESS(Status))
+        return RtlNtStatusToDosError(Status);
+
+    return ERROR_SUCCESS;
+}
+
+
+static
+VOID
+ScmFreePipeSD(VOID)
+{
+    if (pPipeSD != NULL)
+        RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD);
+}
+
+
 DWORD
 ScmCreateDefaultServiceSD(
     PSECURITY_DESCRIPTOR *ppSecurityDescriptor)
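Review bot: Every failure return after the allocation in ScmCreatePipeSD leaves `pPipeSD` pointing at a partly initialised descriptor, and `pPipeSD` is the non-static global that database.c passes to CreateNamedPipeW. A descriptor that failed before `RtlSetDaclSecurityDescriptor` has no DACL present, which is normally read as unrestricted access, so each error path should release it with `RtlFreeHeap(RtlGetProcessHeap(), 0, pPipeSD); pPipeSD = NULL;` before returning. ScmFreePipeSD should reset the pointer to NULL after freeing for the same reason, so that no later pipe creation uses freed memory. The trace line `DPRINT("pPipeSD %p\n", pDefaultSD);` prints the wrong variable and should pass `pPipeSD`.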
@@ -301,6 +385,10 @@ ScmInitializeSecurity(VOID)
     if (dwError != ERROR_SUCCESS)
         return dwError;
 
+    dwError = ScmCreatePipeSD();
+    if (dwError != ERROR_SUCCESS)
+        return dwError;
+
     return ERROR_SUCCESS;
 }
 
@@ -308,6 +396,7 @@ ScmInitializeSecurity(VOID)
 VOID
 ScmShutdownSecurity(VOID)
 {
+    ScmFreePipeSD();
     ScmFreeDefaultSD();
     ScmFreeAcls();
     ScmFreeSids();
index 9297c7c..4a1a0c0 100644 (file)
@@ -100,6 +100,7 @@ extern LIST_ENTRY GroupListHead;
 extern LIST_ENTRY ImageListHead;
 extern BOOL ScmInitialize;
 extern BOOL ScmShutdown;
+extern PSECURITY_DESCRIPTOR pPipeSD;
 
 
 /* FUNCTIONS ***************************************************************/