Yes, to only allow programs that REALLY REALLY REALLY REALLY ….. need to do so to trigger the hard-error “shutdown” BSOD from user-mode to do so, and these programs would better be only those that run only in SYSTEM rights, and more exactly these include CSRSS, WINLOGON and SMSS when something very bad happen to them.
I would not appreciate, for example, that when I run a program under a not-so privileged account (like, some random user account) that has just the shutdown privilege to shut the computer down properly, that this program suddently “BSODS” my machine. To these programs, I say “f$ck these!” Regards, Hermès De : Ros-dev [mailto:ros-dev-boun...@reactos.org] De la part de Alex Ionescu Envoyé : lundi 2 avril 2018 04:20 À : ReactOS Development List; Hermès Bélusca-Maïto Cc : Linda Wang Objet : Re: [ros-dev] [ros-diffs] 02/08: [NTOSKRNL] Forbid processes without the Tcb prvilege to perform a user-mode hard-error BSOD. Is there a point to this blatant behavior change? Best regards, Alex Ionescu On Sun, Apr 1, 2018 at 3:04 PM, Hermès Bélusca-Maïto <hermes.belusca-ma...@reactos.org> wrote: https://git.reactos.org/?p=reactos.git;a=commitdiff;h=f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3 commit f0729b30bb79d6f538cf2b9578ff8ebe7989f8d3 Author: Hermès Bélusca-Maïto <hermes.belusca-ma...@reactos.org> AuthorDate: Sun Apr 1 14:46:19 2018 +0200 Commit: Hermès Bélusca-Maïto <hermes.belusca-ma...@reactos.org> CommitDate: Sun Apr 1 22:39:31 2018 +0200 [NTOSKRNL] Forbid processes without the Tcb prvilege to perform a user-mode hard-error BSOD. --- ntoskrnl/ex/harderr.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/ntoskrnl/ex/harderr.c b/ntoskrnl/ex/harderr.c index 84f409a1bb..a5200e3e74 100644 --- a/ntoskrnl/ex/harderr.c +++ b/ntoskrnl/ex/harderr.c @@ -132,8 +132,18 @@ ExpRaiseHardError(IN NTSTATUS ErrorStatus, /* Check if this error will shutdown the system */ if (ValidResponseOptions == OptionShutdownSystem) { - /* Check for privilege */ - if (!SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode)) + /* + * Check if we have the privileges. + * + * NOTE: In addition to the Shutdown privilege we also check whether + * the caller has the Tcb privilege. The purpose is to allow only + * SYSTEM processes to "shutdown" the system on hard errors (BSOD) + * while forbidding regular processes to do so. This behaviour differs + * from Windows, where any user-mode process, as soon as it has the + * Shutdown privilege, can trigger a hard-error BSOD. + */ + if (!SeSinglePrivilegeCheck(SeTcbPrivilege, PreviousMode) || + !SeSinglePrivilegeCheck(SeShutdownPrivilege, PreviousMode)) { /* No rights */ *Response = ResponseNotHandled;
_______________________________________________ Ros-dev mailing list Ros-dev@reactos.org http://www.reactos.org/mailman/listinfo/ros-dev
