Re: Implementing a privileged IOCTL
In theory you are on the right track. But in practice, the vast majority of Windows users run as administrators. So, any app can still make the IOCTL to your driver. Even if the privilege is not enabled by default, any app (running as an admin) can turn it on.

The best way to do what you are doing is to sign your IOCTL request using a key that both the driver and app agree on.
Soumik.
On Tue, 13 Sep 2005 16:56:41 -0700, Ilya Konstantinov <ilya.konstantinov@xxxxxxxxx> wrote:
Hi,

My device driver strives to be secure and prevent the user from causing
any damage to the operating system through its commands. Most of my
IRP_MJ_DEVICE_CONTROLs and IRP_MJ_READ/IRP_MJ_WRITEs are safe to use by
any user without compromising system stability. However, there's one
IOCTL - the "LOAD_FIRMWARE" IOCTL - which I deem dangerous and
therefore wish to keep for privileged users only. This is because
whoever can load a firmware to the device essentially has full control
over the PCI bus, being able to overrun memory, etc.

I figured that comparing the current user's SID to a well-known SID of
an Administrator is an ugly solution, not in the NT spirit.

So I turned to SeSinglePrivilegeCheck[1]... but what PrivilegeValue
should I pass it? None of the standard NT privileges describe my
"loading firmware into a device" privilege quite precisely.
SeSystemEnvironment? SeLoadDriverPrivilege?
So far, I figured SeLoadDriverPrivilege fits me best (since loading
firmware is at least as powerful as loading a driver), but perhaps I
should define a custom privilege?

And anyway, on Windows 2003 I've noticed the Administrator doesn't
automatically have the SeLoadDriverPrivilege enabled. Will my users
have to add all the usual (complicated) code to enable privileges[2]
just to use my IOCTL?

[1]
http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k110_ee767278-7c5f-4dcd-b328-e9219b453a84.xml.asp
[2] This consists of calling AdjustTokenPrivileges on the current
thread token (OpenThreadToken(GetCurrentThread))?
-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/ .
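Soumik's suggestion of signing the request with a key shared by the app and the driver, written up as an added example (not code from either poster): the app tags each LOAD_FIRMWARE request with an HMAC over the control code, a sequence number and the payload, and the driver-side gate recomputes the tag, checks the control code and rejects replays. The key, the IOCTL code and the wire layout are constructed for illustration; since the key has to live in both binaries, anyone who can read them can produce valid tags, so this raises the bar for an arbitrary app rather than replacing the privilege check Ilya asks about.

```python
"""Model of a signed IOCTL request: the app tags (control code, sequence
number, payload) with an HMAC keyed by a secret shared with the driver;
the driver recomputes the tag and rejects mismatches and replays."""
import hashlib
import hmac
import struct

# Constructed values for this example only: a real driver would use its
# own control code and a key provisioned at build or install time.
IOCTL_LOAD_FIRMWARE = 0x8000A004
SHARED_KEY = b"example-shared-key-not-for-production"
HEADER_FMT = "<IQ"          # u32 control code, u64 sequence number
HEADER_LEN = struct.calcsize(HEADER_FMT)
TAG_LEN = hashlib.sha256().digest_size


def sign_request(key: bytes, ioctl: int, seq: int, payload: bytes) -> bytes:
    """App side: build the buffer <header><payload><tag> for the IOCTL."""
    header = struct.pack(HEADER_FMT, ioctl, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class DriverGate:
    """Driver side: verify the tag, the control code and a strictly
    increasing sequence number before handing the payload on."""

    def __init__(self, key: bytes, expected_ioctl: int = IOCTL_LOAD_FIRMWARE):
        self._key = key
        self._ioctl = expected_ioctl
        self._last_seq = -1  # highest sequence number accepted so far

    def check(self, buf: bytes):
        """Return (accepted, reason, payload); payload is b"" on reject."""
        if len(buf) < HEADER_LEN + TAG_LEN:
            return False, "short buffer", b""
        header, body, tag = buf[:HEADER_LEN], buf[HEADER_LEN:-TAG_LEN], buf[-TAG_LEN:]
        expected = hmac.new(self._key, header + body, hashlib.sha256).digest()
        # Constant-time compare so the check does not leak tag bytes.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag", b""
        ioctl, seq = struct.unpack(HEADER_FMT, header)
        if ioctl != self._ioctl:
            return False, "wrong control code", b""
        if seq <= self._last_seq:
            return False, "replay", b""
        self._last_seq = seq
        return True, "ok", body
```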