change integrity level

change integrity level

• mig16

  I am not terribly familiar with ProgramData, but perhaps the problem is virtualization. If an exe does not have a requestedExecutionLevel manifest, and is not run elevated, it will have virtualization on. Let's say - and I am not sure if this is true - that ProgramData is virtualized, and that your test exe's do not include requestedExecutionLevel manifests. Then the medium-integrity exe creating the directory under c:\ProgramData will actually create it in the virtualized location, and the low-integrity exe using the directory will use it in the virtualized location. IE, on the other hand, does have a requestedExecutionLevel manifest, so it has virtualization disabled, and will not go to the virtualizated location, thus failing to find the directory created by medium-integrity exe.
  

• Iram

  Maryz, can you please elaborate a little more

  I have a named pipe that communicates between processes with different security levels.

  When communication happens between a low security level process and a middle security level process, all is working just fine.

  However, when the same pipe is trying to communicate between a high security level process (runnning as administrator) and a low security level process, the pipe stops to work.

  If you have experienced something simular or just have some thoughts on the issue, your answer would be greatly appreciated.

  TIA

  OTNS

  
  

• MON205

  #define STRICT 1
  #define WIN32_LEAN_AND_MEAN
  #define WIN32_EXTRA_LEAN
  #define VC_EXTRALEAN
  #include <windows.h>
  #include <aclapi.h>

  // Sets the integrity level of an object (e.g. file or registry entry)
  // to low.
  // On failure, call GetLastError() to find the problem
  bool SetLowIntegrity(const char* objectName, SE_OBJECT_TYPE objectType);

  // SACL specifying low integrity level.
  // May be passed to functions like SetNamedSecurityInfo and SetSecurityDescriptorSacl.
  class CLowIntegritySacl {
  public:
  CLowIntegritySacl();
  ~CLowIntegritySacl();
  PACL Init();
  protected:
  PSECURITY_DESCRIPTOR m_pSD;
  };

  // Security attributes specifying full privileges to everyone,
  // and, optionally, a low integrity level.
  // Useful for passing to functions like CreateFile.
  class CNoSecAttr : public SECURITY_ATTRIBUTES {
  public:
  CNoSecAttr(bool lowIntegrity = false) {
  m_initialized = false;
  m_lowIntegrity = lowIntegrity;
  }
  bool IsLowIntegrity() const {
  return m_lowIntegrity;
  }
  bool Initialize();
  protected:
  char m_secDesc[SECURITY_DESCRIPTOR_MIN_LENGTH];
  CLowIntegritySacl m_sacl;
  bool m_initialized;
  bool m_lowIntegrity;
  };

  // The LABEL_SECURITY_INFORMATION SDDL SACL to be set for low integrity
  #define LOW_INTEGRITY_SDDL_SACL "S:(ML;;NW;;;LW)"

  CLowIntegritySacl::CLowIntegritySacl() {
  m_pSD = NULL;
  }

  CLowIntegritySacl::~CLowIntegritySacl() {
  if (m_pSD != NULL)
  LocalFree(m_pSD);
  }

  PACL CLowIntegritySacl::Init() {
  if (m_pSD == NULL) {
  if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
  LOW_INTEGRITY_SDDL_SACL,
  SDDL_REVISION_1,
  &m_pSD,
  NULL)
  ) {
  m_pSD = NULL;
  return NULL;
  }
  }
  PACL pSacl = NULL; // not allocated
  BOOL fSaclPresent = FALSE;
  BOOL fSaclDefaulted = FALSE;

  if (
  !GetSecurityDescriptorSacl(
  m_pSD,
  &fSaclPresent,
  &pSacl,
  &fSaclDefaulted)
  )
  return NULL;

  if (!fSaclPresent) {
  SetLastError(ERROR_NO_DATA);
  return NULL;
  }

  return pSacl;
  }

  bool SetLowIntegrity(const char* objectName, SE_OBJECT_TYPE objectType) {
  CLowIntegritySacl sacl;
  PACL pSacl = sacl.Init();
  if (!pSacl)
  return false;

  DWORD dwErr = SetNamedSecurityInfo(
  (char*)objectName, objectType,
  LABEL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
  NULL, NULL, NULL, pSacl);
  if (dwErr != ERROR_SUCCESS) {
  SetLastError(dwErr);
  return false;
  }

  return true;
  }
  
  bool CNoSecAttr::Initialize() {
  if (m_initialized)
  return true;
  nLength = sizeof(SECURITY_ATTRIBUTES);
  bInheritHandle = FALSE;
  lpSecurityDescriptor = &m_secDesc;
  PACL pSacl = m_lowIntegrity m_sacl.Init() : NULL;
  return m_initialized =
  InitializeSecurityDescriptor(
  lpSecurityDescriptor, SECURITY_DESCRIPTOR_REVISION) &&
  SetSecurityDescriptorDacl(lpSecurityDescriptor, TRUE, NULL, FALSE) &&
  (
  pSacl == NULL ||
  SetSecurityDescriptorSacl(lpSecurityDescriptor, TRUE, pSacl, FALSE)
  );
  }
  

  
  

• Mathew1972

  Thanks for reply anyway. And the following is my answer to your questions:

  1. I think that starting a medium-integrity process from a low-integrity process is prohibited by design. What would be the point, otherwise

  A: No, it's not. That's why the elevation is allowed by Vista. BTW, I've developed a utility which allows lauch application in different integrity level.

  2. Similarly, if an object already exists, and has medium integrity, its integrity can not be lowered by a low-integrity process. It may well be that any attempt to set the integrity (or other security properties) of an object will fail for a low-integrity process, even if the "new" value is the same as the existing value. If an object is created by a low-integrity process, it automatically has low integrity (and can not be created with medium integrity).

  A: I'm talking about set the integrity level of a object(by default it's medium or low if created by a low IL process). And I didn't mention set the integrity level in low-integrity process(in fact, it's a high-integrity process), otherwise, it will work for me w/o problem.

  Anyway, if you know anything about that API, it will be more helpful. Thanks!

  
  

• ChrisMoje

  1. I think that starting a medium-integrity process from a low-integrity process is prohibited by design. What would be the point, otherwise

  2. Similarly, if an object already exists, and has medium integrity, its integrity can not be lowered by a low-integrity process. It may well be that any attempt to set the integrity (or other security properties) of an object will fail for a low-integrity process, even if the "new" value is the same as the existing value. If an object is created by a low-integrity process, it automatically has low integrity (and can not be created with medium integrity).

  
  

• GRK

  Ok, I found answer to my first question:

  The RIDs for different integrity levels are defined in winnt.h using "MANDATORY" instead of "integrity".

  Anyone has any clue about my 2nd question

  
  

• kmmii

  >> I think that starting a medium-integrity process from a low-integrity process is prohibited by design. What would be the point, otherwise

  > No, it's not. That's why the elevation is allowed by Vista.

  I had meant without an elevation prompt.

  > BTW, I've developed a utility which allows lauch application in different integrity level.

  You've figured out how to launch a medium-level integrity process from a low-integrity process (with some sort of elevation prompt) How My only guess would be to launch a high-integrity, admin process (marked as such with a manifest) via an elevation prompt, and then have it launch a medium-level, non-admin process using the APIs discussed in the "How to CreateProcess NOT as administrator" thread. How simple...

  > I'm talking about set the integrity level of a object(by default it's medium or low if created by a low IL process). And I didn't mention set the integrity level in low-integrity process(in fact, it's a high-integrity process), otherwise, it will work for me w/o problem. Anyway, if you know anything about that API, it will be more helpful.

  Sorry, but I am confused about what it is you are trying to do. I know how to change the integrity level of an existing object from medium to low in a medium-level (or high-level) process. I also know how to create an object with a-priori low integrity in a medium-level (or high-level) process. If you want me to post the details, please indicate, but these are things that Microsoft has already described.

  
  

• Whoisit

  Note that this latest piece of code also sets a NULL DACL (everyone has access) on top of setting the label.
  This is unlike the code in the first post.

  
  
  

• Javfarary

  >Sorry, but I am confused about what it is you are trying to do. I know how to change the
  >integrity level of an existing object from medium to low in a medium-level (or high-level)
  >process. I also know how to create an object with a-priori low integrity in a medium-level
  >(or high-level) process. If you want me to post the details, please indicate, but these are things
  >that Microsoft has already described.
  
  Hi, I'm interested on those both things. Can you post the datails or a link to microsoft's description on how to do that
  
  Regards,
  
  Jorge Cercadillo
  
  

• jbruso

  efratian,

  The code works great if you create a low integrity process yourself and try to access a directory that has been created using your code. (meaning using CNoSecAttr(true) )

  However, it doesn't work - for whatever reason - if:

  - the low integrity level is IE (or if you are running as a IE add-ons)

  - and you created the directory under c:/ProgramData

  Any idea why

  it baffles me.

  
  

• Jerod Moemeka

  Ok, I can set the integrity level of the named pipe to low by setting the SACL to SD directly when creating the pipe.

  
  

• torick

  W/o any response/help from others about the 2nd question, I'm trying to add an ACE in the ACL when creating the named pipe. I did find some info from the header files, there is a new API AddMandatoryAce(), however, it looks like that this API is not documented anywhere. MS folks, please, share your knowledge about this API or update the document. Thanks! Anyone else who has info about it from whatever resource, please share! Thanks!

  
  
• change integrity level