Home
My Posts

Archive
Login
Signup

Recent Posts

Free subdomains

Want your own xyz.kpaste.net sub-domain for your community? Just type the address into your browser address bar (foo.xyz.kpaste.net is also supported).

Suggestions/Bugs?

Email us at . Try to include as much info as possible.

About

Pastebin is a tool for collaborative debugging or editing.

 

msnfs41client: Patches for impersonation logging and Win32 privileges, 2024-04-24
Posted by Anonymous on Wed 24th Apr 2024 15:55
raw | new post

Submit a correction or amendment below (click here to make a fresh posting)
After submitting an amendment, you'll be able to view the differences between the old and new posts easily.

Syntax highlighting: None Bash C C++ CSS Diff HTML mIRC Script Perl PHP Python Smarty XML ---------------------------- ABAP Actionscript ADA Apache Log AppleScript APT sources.list ASM ASP AutoIT Bash C C# C++ C++ (with QT) CSS Diff HTML INI (Config Files) Java Javascript Lua Make mIRC Script MySQL NSIS Perl PHP Python Q(uick)BASIC robots Ruby Ruby on Rails SDLBasic Smarty SQL TCL Text VB.NET Visual BASIC Visual Fox Pro Visual Prolog Windows Registry Files XML Xorg.conf

To highlight particular lines, prefix each line with {%HIGHLIGHT}
From 753a66deb92a2b12e0dc1d68889344325207ceb4 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 24 Apr 2024 16:35:26 +0200 Subject: [PATCH 1/2] daemon: |logprintf()| should print src of token user/group info |logprintf()| should print te source of token user/group info, i.e. whether this is an impersonation token, anon token or a process token. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- daemon/daemon_debug.c | 33 ++++++++++++++++++++++++++++----- 1 file changed, 28 insertions(+), 5 deletions(-) diff --git a/daemon/daemon_debug.c b/daemon/daemon_debug.c index b35bfee..54fb411 100644 --- a/daemon/daemon_debug.c +++ b/daemon/daemon_debug.c @@ -90,14 +90,32 @@ void logprintf(LPCSTR format, ...) SYSTEMTIME stime; char username[UNLEN+1]; char groupname[GNLEN+1]; + HANDLE tok; + const char *tok_src; + bool free_tok = false; GetLocalTime(&stime); - if (!get_token_user_name(GetCurrentThreadEffectiveToken(), - username)) { + + if (OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &tok)) { + tok_src = "impersonated_user"; + free_tok = true; + } + else { + int lasterr = GetLastError(); + if (lasterr == ERROR_CANT_OPEN_ANONYMOUS) { + tok_src = "anon_user"; + } + else { + tok_src = "proc_user"; + } + + tok = GetCurrentProcessToken(); + } + + if (!get_token_user_name(tok, username)) { (void)strcpy(username, "<unknown>"); } - if (!get_token_primarygroup_name(GetCurrentThreadEffectiveToken(), - groupname)) { + if (!get_token_primarygroup_name(tok, groupname)) { (void)strcpy(groupname, "<unknown>"); } @@ -105,15 +123,20 @@ void logprintf(LPCSTR format, ...) va_start(args, format); (void)fprintf(dlog_file, "# LOG: ts=%04d-%02d-%02d_%02d:%02d:%02d:%04d" - " thr=%04x user='%s'/'%s' msg=", + " thr=%04x %s='%s'/'%s' msg=", (int)stime.wYear, (int)stime.wMonth, (int)stime.wDay, (int)stime.wHour, (int)stime.wMinute, (int)stime.wSecond, (int)stime.wMilliseconds, (int)GetCurrentThreadId(), + tok_src, username, groupname); (void)vfprintf(dlog_file, format, args); (void)fflush(dlog_file); va_end(args); + + if (free_tok) { + (void)CloseHandle(tok); + } } void eprintf(LPCSTR format, ...) -- 2.43.0 From a1b83f0e1845fa18710c9561ca92c404c2eede07 Mon Sep 17 00:00:00 2001 From: Roland Mainz <roland.mainz@nrubsig.org> Date: Wed, 24 Apr 2024 16:37:17 +0200 Subject: [PATCH 2/2] daemon: Enable Win32 priviledges for impersonation Enable Win32 priviledges "SeImpersonatePrivilege" and "SeDelegateSessionUserImpersonatePrivilege" in case Admins or site policy have disabled them by default. Signed-off-by: Cedric Blancher <cedric.blancher@gmail.com> --- daemon/nfs41_daemon.c | 26 ++++++++++++++++++++++++++ daemon/util.c | 40 ++++++++++++++++++++++++++++++++++++++++ daemon/util.h | 1 + 3 files changed, 67 insertions(+) diff --git a/daemon/nfs41_daemon.c b/daemon/nfs41_daemon.c index d63b65f..78393be 100644 --- a/daemon/nfs41_daemon.c +++ b/daemon/nfs41_daemon.c @@ -655,6 +655,29 @@ void init_version_string(void) nfs41_dg.nfs41_nii_name)); } +static +void set_nfs_daemon_privileges(void) +{ + HANDLE proc_token; + + DPRINTF(0, ("Enabling priviledges...\n")); + + if (!OpenProcessToken(GetCurrentProcess(), + TOKEN_QUERY|TOKEN_ADJUST_PRIVILEGES, &proc_token)) { + eprintf("set_nfs_daemon_privileges: " + "cannot open process token\n"); + exit(1); + } + + (void)set_token_privilege(proc_token, + "SeImpersonatePrivilege", true); + (void)set_token_privilege(proc_token, + "SeDelegateSessionUserImpersonatePrivilege", true); + + (void)CloseHandle(proc_token); +} + + #ifdef STANDALONE_NFSD void __cdecl _tmain(int argc, TCHAR *argv[]) #else @@ -685,6 +708,9 @@ VOID ServiceStart(DWORD argc, LPTSTR *argv) logprintf("NFS client daemon starting...\n"); + /* Enable Win32 privileges */ + set_nfs_daemon_privileges(); + /* acquire and store in global memory current dns domain name. * needed for acls */ if (getdomainname()) { diff --git a/daemon/util.c b/daemon/util.c index c9c3310..ba753d9 100644 --- a/daemon/util.c +++ b/daemon/util.c @@ -798,3 +798,43 @@ bool get_token_primarygroup_name(HANDLE tok, char *out_buffer) return true; } + +bool set_token_privilege(HANDLE tok, const char *seprivname, bool enable_priv) +{ + TOKEN_PRIVILEGES tp; + LUID luid; + bool res; + + if(!LookupPrivilegeValueA(NULL, seprivname, &luid)) { + DPRINTF(1, ("set_token_privilege: " + "LookupPrivilegeValue(seprivname='%s') failed, " + "status=%d\n", + seprivname, + (int)GetLastError())); + res = false; + goto out; + } + + tp.PrivilegeCount = 1; + tp.Privileges[0].Luid = luid; + tp.Privileges[0].Attributes = enable_priv?(SE_PRIVILEGE_ENABLED):0; + + if(!AdjustTokenPrivileges(tok, + FALSE, &tp, sizeof(TOKEN_PRIVILEGES), + NULL, NULL)) { + DPRINTF(1, ("set_token_privilege: " + "AdjustTokenPrivileges() for '%s' failed, status=%d\n", + seprivname, + (int)GetLastError())); + res = false; + goto out; + } + + res = true; +out: + DPRINTF(0, + ("set_token_privilege(seprivname='%s',enable_priv=%d), res=%d\n", + seprivname, (int)enable_priv, (int)res)); + + return res; +} diff --git a/daemon/util.h b/daemon/util.h index a09df70..899711d 100644 --- a/daemon/util.h +++ b/daemon/util.h @@ -286,6 +286,7 @@ bool getwinntversionnnumbers(DWORD *MajorVersionPtr, DWORD *MinorVersionPtr, DWO bool get_token_user_name(HANDLE tok, char *out_buffer); bool get_token_primarygroup_name(HANDLE tok, char *out_buffer); +bool set_token_privilege(HANDLE tok, const char *seprivname, bool enable_priv); #endif /* !__NFS41_DAEMON_UTIL_H__ */ -- 2.43.0

Title:

Privacy: Public Private

How long should your post be retained?

15 mins an hour a day a week a month forever

All content is user-submitted.
The administrators of this site (kpaste.net) are not responsible for their content.
Abuse reports should be emailed to us at