How to pass security descriptor to NdisMRegisterDevice?
jim...@yonan.net
device objects created by NdisMRegisterDevice, as IoCreateDeviceSecure
allows?
The goal is to allow applications running without Administrator
privileges to be able to do ReadFile and WriteFile on the device
object.
I've searched the newsgroup archives on this, and have only found
solutions to this problem for DeviceIoControl access. The problem is
that I also need to grant ReadFile and WriteFile access for this device
object to applications running without Administrator privileges.
Is this possible?
Thanks in advance for any insights you might have.
James
![Alireza Dabagh [MS]'s profile photo](https://lh3.googleusercontent.com/a/default-user=s40-c)
Alireza Dabagh [MS]
this issue in NDIS 6.0 (vista) by creating a new API.
-ali
--
This posting is provided "AS IS" with no warranties, and confers no rights.
<jim...@yonan.net> wrote in message
news:1127463329.6...@g49g2000cwa.googlegroups.com...
jim...@yonan.net
Alireza Dabagh [MS] wrote:
> Unfortunately NdisMRegisterDevice does not support this. We have addressed
> this issue in NDIS 6.0 (vista) by creating a new API.
This is a serious limitation because it means that the underlying app
can't be used by non-administrators even if an administrator wants to
grant them access, and unfortunately, we can't wait for NDIS 6.0.
Is there any possible workaround for NDIS 5.0 that could be embraced by
WHQL? It would be great if MS could provide a library function in the
DDK to back-port this capability to NDIS 5.0 and 5.1, so that we don't
have to use ugly, non-WHQL approved workarounds for this (such as
calling IoCreateDeviceSecure from the miniport driver).
How about trying to do this from userspace? Can a userspace program
running with Administrator privileges change the device object
permissions, after the driver has created the device with
NdisMRegisterDevice?
Thanks,
James
Don Burn
tried this, but it may get you there.
--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply
<jim...@yonan.net> wrote in message
news:1127502333.5...@g44g2000cwa.googlegroups.com...
Skywing
kmode and pass it to the system service though.
You could also just do this in kernel mode directly with
ZwSetSecurityObject. I'm not really sure which of these two approaches
would be considered more 'evil' as they're both things that aren't
officially documented / sanctioned, although both ought to work.
"Don Burn" <bu...@stopspam.acm.org> wrote in message
news:O2yG3MHw...@TK2MSFTNGP11.phx.gbl...
Alireza Dabagh [MS]
it by or'ing the the appropriate flag (FILE_WRITE_ACCESS) with your IoCtl
code.
-ali
--
This posting is provided "AS IS" with no warranties, and confers no rights.
<jim...@yonan.net> wrote in message
news:1127502333.5...@g44g2000cwa.googlegroups.com...
jim...@yonan.net
Can you elaborate on that?
Are you saying that the IRP_MJ_DEVICE_CONTROL handler for the device
can potentially add access permissions (such as FILE_WRITE_ACCESS) by
modifying a field in the DEVICE_OBJECT or IRP?
How would this be done?
Thanks,
James
Alireza Dabagh [MS]
code, use FILE_WRITE_ACCESS instead of FILE_ANY_ACCESS. for example:
#define IOCTL_NDIS_RESERVED6 CTL_CODE(FILE_DEVICE_PHYSICAL_NETCARD, 0xE,
METHOD_BUFFERED, FILE_WRITE_ACCESS)
check out http://agent.microsoft.com/whdc/driver/tips/SafeIOCTL.mspx
-ali
--
This posting is provided "AS IS" with no warranties, and confers no rights.
<jim...@yonan.net> wrote in message
news:1127606736.6...@g44g2000cwa.googlegroups.com...
jim...@yonan.net
need non-admin clients to be able to ReadFile and WriteFile on the
device.
James
Alireza Dabagh [MS]
about read though. Is this a protocol driver? if yes, then you are welcome
to use IoCreateDevice or any of its variations directly.
-ali
--
This posting is provided "AS IS" with no warranties, and confers no rights.
<jim...@yonan.net> wrote in message
news:1127640824.4...@g43g2000cwa.googlegroups.com...