krb5 commit: Do not be over-restrictive in the presence of UAC

Benjamin Kaduk kaduk at MIT.EDU
Fri Aug 24 12:24:15 EDT 2012


https://github.com/krb5/krb5/commit/8020c64554dd25a4f09df8a28dca924c6ecb5608
commit 8020c64554dd25a4f09df8a28dca924c6ecb5608
Author: Kevin Wasserman <kevin.wasserman at painless-security.com>
Date:   Mon May 14 12:14:20 2012 -0400

    Do not be over-restrictive in the presence of UAC
    
    We used to explicitly check if a process was UAC-limited and deny all
    access to the TGT in that case; however, this makes the MSLSA cache
    effectively useless.
    Do not try to outsmart UAC, and let it do its own checking -- this allows
    UAC-limited access to the MSLSA ccache, which should mean read-write
    access to service tickets, and write-only access to the TGT.
    
    Signed-off-by: Kevin Wasserman <kevin.wasserman at painless-security.com>
    
    [kaduk at mit.edu: delete instead of comment out, move comment.]
    
    ticket: 7254 (new)
    queue: kfw
    target_version: 1.10.4
    tags: pullup

 src/lib/krb5/ccache/cc_mslsa.c |   43 +++------------------------------------
 1 files changed, 4 insertions(+), 39 deletions(-)

diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c
index 698b62a..f25658e 100644
--- a/src/lib/krb5/ccache/cc_mslsa.c
+++ b/src/lib/krb5/ccache/cc_mslsa.c
@@ -172,37 +172,6 @@ is_windows_vista (void)
     return fIsVista;
 }
 
-static BOOL
-is_process_uac_limited (void)
-{
-    static BOOL fChecked = FALSE;
-    static BOOL fIsUAC = FALSE;
-
-    if (!fChecked)
-    {
-        NTSTATUS Status = 0;
-        HANDLE  TokenHandle;
-        DWORD   ElevationLevel;
-        DWORD   ReqLen;
-        BOOL    Success;
-
-        if (is_windows_vista()) {
-            Success = OpenProcessToken( GetCurrentProcess(), TOKEN_QUERY, &TokenHandle );
-            if ( Success ) {
-                Success = GetTokenInformation( TokenHandle,
-                                               TokenOrigin+1 /* ElevationLevel */,
-                                               &ElevationLevel, sizeof(DWORD), &ReqLen );
-                CloseHandle( TokenHandle );
-                if ( Success && ElevationLevel == 3 /* Limited */ )
-                    fIsUAC = TRUE;
-            }
-        }
-        fChecked = TRUE;
-    }
-    return fIsUAC;
-
-}
-
 typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
 
 static BOOL
@@ -445,9 +414,6 @@ IsMSSessionKeyNull(KERB_CRYPTO_KEY *mskey)
 {
     DWORD i;
 
-    if (is_process_uac_limited())
-        return TRUE;
-
     if (mskey->KeyType == KERB_ETYPE_NULL)
         return TRUE;
 
@@ -1252,6 +1218,10 @@ krb5_is_permitted_tgs_enctype(krb5_context context, krb5_const_principal princ,
 // tickets.  This is safe to do because the LSA purges its cache when it
 // retrieves a new TGT (ms calls this renew) but not when it renews the TGT
 // (ms calls this refresh).
+// UAC-limited processes are not allowed to obtain a copy of the MSTGT
+// session key.  We used to check for UAC-limited processes and refuse all
+// access to the TGT, but this makes the MSLSA ccache completely unusable.
+// Instead we ought to just flag that the tgt session key is not valid.
 
 static BOOL
 GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNAL_TICKET **ticket, BOOL enforce_tgs_enctypes)
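Review bot: The new comment line "Instead we ought to just flag that the tgt session key is not valid" reads as an unimplemented TODO rather than a statement of what the code now does, and it does not say where that flagging happens; the only remaining check this diff shows is the `KERB_ETYPE_NULL` test in IsMSSessionKeyNull(), so the comment should name it, e.g. `// Instead we rely on the LSA handing back a null session key in that case; IsMSSessionKeyNull() is the check callers must apply before using the TGT session key.` With the explicit STATUS_ACCESS_DENIED gate in GetMSTGT removed, a caller that skips that check would silently treat a zeroed key as a real one, which is the failure mode worth confirming against every GetMSTGT caller (not visible in this hunk). The deleted helper also only applied on Vista and later via is_windows_vista(), so if the null-key behavior this now depends on is version-specific, the comment should say which Windows versions it has been observed on. GetMSTGT's body starts here and continues outside the hunk.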
@@ -1279,11 +1249,6 @@ GetMSTGT(krb5_context context, HANDLE LogonHandle, ULONG PackageId, KERB_EXTERNA
     int    ignore_cache = 0;
     krb5_enctype *etype_list = NULL, *ptr = NULL, etype = 0;
 
-    if (is_process_uac_limited()) {
-        Status = STATUS_ACCESS_DENIED;
-        goto cleanup;
-    }
-
     memset(&CacheRequest, 0, sizeof(KERB_QUERY_TKT_CACHE_REQUEST));
     CacheRequest.MessageType = KerbRetrieveTicketMessage;
     CacheRequest.LogonId.LowPart = 0;

