From: Kevin Wasserman
Date: Mon, 14 May 2012 16:14:20 +0000 (-0400)
Subject: Do not be over-restrictive in the presence of UAC
X-Git-Tag: kfw-4.0-final~106
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4e52b28c39bc48c3cad60ae833156061a0ae9b02;p=thirdparty%2Fkrb5.git

Do not be over-restrictive in the presence of UAC

We used to explicitly check if a process was UAC-limited and deny all access to the TGT in that case; however, this makes the MSLSA cache effectively useless. Do not try to outsmart UAC, and let it do its own checking -- this allows UAC-limited access to the MSLSA ccache, which should mean read-write access to service tickets, and write-only access to the TGT.

Signed-off-by: Kevin Wasserman
[kaduk@mit.edu: delete instead of comment out, move comment.]
(cherry picked from commit 8020c64554dd25a4f09df8a28dca924c6ecb5608)

ticket: 7254
status: resolved
---

diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 698b62a244..f25658ebf1 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -172,37 +172,6 @@ is_windows_vista (void)
 return fIsVista;
 }

-static BOOL
-is_process_uac_limited (void)
-{
- static BOOL fChecked = FALSE;
- static BOOL fIsUAC = FALSE;
-
- if (!fChecked)
- {
- NTSTATUS Status = 0;
- HANDLE TokenHandle;
- DWORD ElevationLevel;
- DWORD ReqLen;
- BOOL Success;
-
- if (is_windows_vista()) {
- Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
- if ( Success ) {
- Success = GetTokenInformation( TokenHandle,
- TokenOrigin+1 /* ElevationLevel */,
- &ElevationLevel, sizeof(DWORD), &ReqLen );
- CloseHandle( TokenHandle );
- if ( Success && ElevationLevel == 3 /* Limited */ )
- fIsUAC = TRUE;
- }
- }
- fChecked = TRUE;
- }
- return fIsUAC;
-
-}
-
 typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);

 static BOOL
@@ -445,9 +414,6 @@ IsMSSessionKeyNull(KERB_CRYPTO_KEY *mskey)
 {
 DWORD i;

- if (is_process_uac_limited())
- return TRUE;
-
 if (mskey->KeyType == KERB_ETYPE_NULL)
 return TRUE;

@@ -1252,6 +1218,10 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ,
 // tickets. This is safe to do because the LSA purges its cache when it
 // retrieves a new TGT (ms calls this renew) but not when it renews the TGT
 // (ms calls this refresh).
+// UAC-limited processes are not allowed to obtain a copy of the MSTGT
+// session key. We used to check for UAC-limited processes and refuse all
+// access to the TGT, but this makes the MSLSA ccache completely unusable.
+// Instead we ought to just flag that the tgt session key is not valid.
 static BOOL
 GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNAL_TICKET **ticket, BOOL enforce_tgs_enctypes)
@@ -1279,11 +1249,6 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
 int ignore_cache = 0;
 krb5_enctype *etype_list = NULL, *ptr = NULL, etype = 0;

- if (is_process_uac_limited()) {
- Status = STATUS_ACCESS_DENIED;
- goto cleanup;
- }
-
 memset(&CacheRequest, 0, sizeof(KERB_QUERY_TKT_CACHE_REQUEST));
 CacheRequest.MessageType = KerbRetrieveTicketMessage;
 CacheRequest.LogonId.LowPart = 0;
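Review bot: The comment added above GetMSTGT says the code "ought to just flag that the tgt session key is not valid", but no visible hunk adds such a flag, and the IsMSSessionKeyNull hunk removes the early `return TRUE` that used to report the key as unusable for UAC-limited processes. After this change the only visible check is the key content itself (`mskey->KeyType == KERB_ETYPE_NULL`), so the code appears to depend on the LSA returning a null or empty session key to a limited process; that is inferred from the commit message, not shown here. I would reword the comment to state the actual contract, for example `// A UAC-limited process may receive the MSTGT without a usable session key; callers must test it with IsMSSessionKeyNull() before use.` Both function bodies continue outside the hunks, so it is worth confirming that every consumer of the returned ticket makes that test.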