Privileges play hard-to-get in Vista
2009-08-11 15:16
Posted by Satya Das, May 10, 2009
Privileges are a way to control who may perform certain system-wide operations. For example, if a user does not have SE_SHUTDOWN_PRIVILEGE, aka SeShutdownPrivilege, she cannot shut down the machine. Privileges are stored in the token and have to be both present and enabled to take effect. If a privilege is absent from, or disabled in, the process/thread token, attempts to shut down the system by calling ExitWindowsEx or NtShutdownSystem will fail and GetLastError will return error 1314 (ERROR_PRIVILEGE_NOT_HELD): A required privilege is not held by the client.
Now obviously privileges are pretty powerful and play a huge role in locking down the system. As it turns out, some privileges such as SeCreateTokenPrivilege are pretty hard to obtain in Vista – even under the hallowed auspices of a LocalSystem service.
If one adds SeCreateTokenPrivilege to the RequiredPrivileges REG_MULTI_SZ value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<Service> registry key, which is the documented way to request that a privilege be present for a service, the service fails to start.
As an experiment I added SeCreateTokenPrivilege to Microsoft's svchost-based iphlpsvc service and attempted to start the service from Services.msc. I got error 1297 (ERROR_INCOMPATIBLE_SERVICE_PRIVILEGE).
Granting SeCreateTokenPrivilege to LocalSystem explicitly (in the Local Security Policy MMC snap-in, secpol.msc) does not help either.
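The experiment above, scripted, as an added example that is not part of the original post: it appends a privilege to a service's RequiredPrivileges value, restarts the service, reports the Win32 error the Service Control Manager hands back, and then restores the original value. It assumes an elevated PowerShell on a test machine where the service can safely be stopped; the function name Test-ServicePrivilege is my own.

```powershell
# Added example (not from the original post). Run elevated on a test machine: it edits the
# service's RequiredPrivileges value, restarts the service and restores the value afterwards.
function Test-ServicePrivilege {
    param([string]$Service, [string]$Privilege)
    $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    $orig = (Get-ItemProperty -Path $key -Name RequiredPrivileges -ErrorAction SilentlyContinue).RequiredPrivileges

    # The documented way to ask SCM for a privilege: append it to the REG_MULTI_SZ.
    # ("sc.exe privs <service> <priv1/priv2>" writes the same value; "sc.exe qprivs" reads it.)
    $new = @($orig) + $Privilege | Where-Object { $_ } | Select-Object -Unique
    Set-ItemProperty -Path $key -Name RequiredPrivileges -Value ([string[]]$new) -Type MultiString

    try {
        # SCM evaluates RequiredPrivileges when it starts the service, so it must be stopped first.
        Stop-Service -Name $Service -Force -ErrorAction SilentlyContinue
        Start-Service -Name $Service -ErrorAction Stop
        return 0                                       # started: SCM could supply the privilege
    } catch {
        # Start-Service wraps the SCM failure several levels deep; walk down to the
        # Win32Exception that carries the error code. 1297 = ERROR_INCOMPATIBLE_SERVICE_PRIVILEGE.
        $e = $_.Exception
        while ($e -and -not ($e -is [ComponentModel.Win32Exception])) { $e = $e.InnerException }
        return $(if ($e) { $e.NativeErrorCode } else { -1 })
    } finally {
        # Put the registry back the way it was, whether or not the start succeeded.
        if ($null -ne $orig) {
            Set-ItemProperty -Path $key -Name RequiredPrivileges -Value ([string[]]$orig) -Type MultiString
        } else {
            Remove-ItemProperty -Path $key -Name RequiredPrivileges -ErrorAction SilentlyContinue
        }
    }
}

# The case from the post: a privilege SCM itself does not hold.
"SeCreateTokenPrivilege : error {0}" -f (Test-ServicePrivilege -Service iphlpsvc -Privilege SeCreateTokenPrivilege)
# Control: a privilege LocalSystem does hold, so the service starts (error 0).
"SeChangeNotifyPrivilege: error {0}" -f (Test-ServicePrivilege -Service iphlpsvc -Privilege SeChangeNotifyPrivilege)
```

The control run matters: it shows the failure is specific to the privilege, not to editing RequiredPrivileges as such.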
Services are managed (and started) by the Service Control Manager (services.exe). If one looks at the process token of services.exe, the SeCreateTokenPrivilege privilege is missing altogether!
What is going on here is that the Service Control Manager (services.exe), after being launched by wininit.exe, removes SeCreateTokenPrivilege (SE_CREATE_TOKEN_PRIVILEGE), SeTrustedCredManAccessPrivilege (SE_TRUSTED_CREDMAN_ACCESS_PRIVILEGE) and SeRelabelPrivilege (SE_RELABEL_PRIVILEGE) from its process token [1], thereby renouncing [2] the privileges forever: once a privilege is removed it cannot be added back to the token, and of course a privilege cannot be enabled if it is not even there. Since these privileges are missing from the Service Control Manager's process token, and LocalSystem service processes receive their token from it, none of the LocalSystem services can get these privileges.
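To see the three token states the post relies on (present and enabled, present but disabled, absent) and to confirm that removal is one-way, here is an added example, not code from the original post, that P/Invokes the Win32 token APIs from an elevated PowerShell. It enables a privilege and reads the ERROR_NOT_ALL_ASSIGNED result that AdjustTokenPrivileges hides behind a TRUE return, lists the privileges actually present in the tokens of services.exe and lsm.exe, and finally strips SeShutdownPrivilege from the shell's own token and tries to enable it again. The function names Set-PrivilegeState and Get-TokenPrivilegeNames are mine; the script assumes Vista/7, where lsm.exe is a separate process, and that the caller can open those tokens (SeDebugPrivilege is enabled for the process handle; if the token's DACL still denies TOKEN_QUERY, run the script as SYSTEM).

```powershell
# Added example (not from the original post). Requires an elevated PowerShell on Windows.
# WARNING: the last step permanently removes SeShutdownPrivilege from THIS PowerShell process.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
[StructLayout(LayoutKind.Sequential)] public struct LUID_AND_ATTRIBUTES { public LUID Luid; public uint Attributes; }
[StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID_AND_ATTRIBUTES Privileges; }
[DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
[DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError=true)] public static extern bool CloseHandle(IntPtr h);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)] public static extern bool LookupPrivilegeName(string system, ref LUID luid, System.Text.StringBuilder name, ref int cch);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
[DllImport("advapi32.dll", SetLastError=true)] public static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, uint len, out uint needed);
'@

# Enable one privilege in this process's token, or with -Remove strip it (SE_PRIVILEGE_REMOVED).
# Returns the Win32 error code: 0 = done, 1300 (ERROR_NOT_ALL_ASSIGNED) = privilege not in the token.
function Set-PrivilegeState([string]$Name, [switch]$Remove) {
    $tok = [IntPtr]::Zero
    # TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08)
    if (-not [Win32.Token]::OpenProcessToken([Win32.Token]::GetCurrentProcess(), 0x28, [ref]$tok)) { throw 'OpenProcessToken failed' }
    $luid = New-Object 'Win32.Token+LUID'
    if (-not [Win32.Token]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { throw "Unknown privilege $Name" }
    $la = New-Object 'Win32.Token+LUID_AND_ATTRIBUTES'
    $la.Luid = $luid
    $la.Attributes = if ($Remove) { 4 } else { 2 }      # SE_PRIVILEGE_REMOVED = 4, SE_PRIVILEGE_ENABLED = 2
    $tp = New-Object 'Win32.Token+TOKEN_PRIVILEGES'
    $tp.PrivilegeCount = 1
    $tp.Privileges = $la
    # Caveat: AdjustTokenPrivileges returns TRUE even when the privilege is absent from the token.
    # The real answer is GetLastError: ERROR_SUCCESS vs ERROR_NOT_ALL_ASSIGNED.
    [void][Win32.Token]::AdjustTokenPrivileges($tok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Win32.Token]::CloseHandle($tok)
    return $err
}

# List every privilege present in another process's primary token (enabled or not).
# Needs SeDebugPrivilege enabled in the caller to open system-owned processes.
function Get-TokenPrivilegeNames([int]$ProcessId) {
    $proc = [Win32.Token]::OpenProcess(0x400, $false, $ProcessId)              # PROCESS_QUERY_INFORMATION
    if ($proc -eq [IntPtr]::Zero) { throw "OpenProcess($ProcessId) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    $tok = [IntPtr]::Zero
    if (-not [Win32.Token]::OpenProcessToken($proc, 0x08, [ref]$tok)) { throw 'OpenProcessToken failed (TOKEN_QUERY denied; try running as SYSTEM)' }
    $needed = [uint32]0
    [void][Win32.Token]::GetTokenInformation($tok, 3, [IntPtr]::Zero, 0, [ref]$needed)   # 3 = TokenPrivileges
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$needed)
    try {
        if (-not [Win32.Token]::GetTokenInformation($tok, 3, $buf, $needed, [ref]$needed)) { throw 'GetTokenInformation failed' }
        $count = [Runtime.InteropServices.Marshal]::ReadInt32($buf)
        for ($i = 0; $i -lt $count; $i++) {
            $off = 4 + 12 * $i                        # LUID_AND_ATTRIBUTES is 12 bytes: LUID (8) + DWORD attributes
            $luid = New-Object 'Win32.Token+LUID'
            $luid.LowPart  = [uint32](([int64][Runtime.InteropServices.Marshal]::ReadInt32($buf, $off)) -band 0xFFFFFFFF)
            $luid.HighPart = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 4)
            $attr = [Runtime.InteropServices.Marshal]::ReadInt32($buf, $off + 8)
            $sb = New-Object System.Text.StringBuilder 64; $cch = 64
            [void][Win32.Token]::LookupPrivilegeName($null, [ref]$luid, $sb, [ref]$cch)
            [pscustomobject]@{ Name = $sb.ToString(); Enabled = [bool]($attr -band 2) }
        }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        [void][Win32.Token]::CloseHandle($tok); [void][Win32.Token]::CloseHandle($proc)
    }
}

# 1. Which of the three privileges the post names survive in services.exe and lsm.exe?
"enable SeDebugPrivilege: error $(Set-PrivilegeState SeDebugPrivilege)"
foreach ($image in 'services', 'lsm') {                # assumption: lsm.exe is a separate process (Vista/7)
    $p = Get-Process -Name $image -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $p) { continue }
    $held = Get-TokenPrivilegeNames $p.Id | ForEach-Object { $_.Name }
    foreach ($priv in 'SeCreateTokenPrivilege', 'SeTrustedCredManAccessPrivilege', 'SeRelabelPrivilege') {
        '{0,-12} {1,-34} {2}' -f "$image.exe", $priv, $(if ($held -contains $priv) { 'present' } else { 'ABSENT' })
    }
}

# 2. Removal is one-way: enable SeShutdownPrivilege, strip it, then try to enable it again.
#    0 means the privilege was found and enabled; 1300 means it is no longer in the token.
"enable before removal : error $(Set-PrivilegeState SeShutdownPrivilege)"
"remove                : error $(Set-PrivilegeState SeShutdownPrivilege -Remove)"
"enable after removal  : error $(Set-PrivilegeState SeShutdownPrivilege)"
```

Step 2 is the same operation the post attributes to ScRemoveProcessPrivileges, applied to the shell's own token, which is why it should be run in a throwaway session: after it, that PowerShell process can no longer enable SeShutdownPrivilege no matter what the account is granted in secpol.msc.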
So what if a LocalSystem service needs to call NtCreateToken on Vista and therefore needs SeCreateTokenPrivilege? The short answer is: you would have to redesign, and probably complicate [3], your software in the process.
[1] This was observed in the 32-bit Vista SP1 Service Control Manager when it calls NtAdjustPrivilegesToken in the internal function ScRemoveProcessPrivileges.
[2] The Service Control Manager is not the only one that does such removal. The Local Session Manager (lsm.exe) also removes SeCreateTokenPrivilege and SeTrustedCredManAccessPrivilege but keeps SeRelabelPrivilege.
[3] One way to be able to call NtCreateToken is to arrange for code to run in the lsass.exe process, which holds, and has to hold, SeCreateTokenPrivilege.