EldoS | Feel safer!

CBFS_SYMLINK_LOCAL exposed to other user sessions

#33590
Posted: 06/07/2015 11:50:38
by Eric Simmerman (Standard support level)
Joined: 06/14/2013
Posts: 12

I'm running CBFS5 Version 5.1.159 and am mounting my drive with three flags (CBFS_SYMLINK_LOCAL, CBFS_SYMLINK_NETWORK, CBFS_SYMLINK_NETWORK_ALLOW_MAP_AS_DRIVE) and a null authentication id.

After mounting my drive in Windows 8, if I then "Switch User" to another user session, the mounted drive is NOT exposed under the drive letter where it was mounted, but it IS exposed under Network. This is a significant security issue for my application, as it allows users full access to a virtual drive that was mounted with another user's credentials.

Is this a regression or expected behavior? What are my options given that I need to restrict all access to the mounted drive to the mounting user's session?
#33592
Posted: 06/07/2015 12:57:46
by Eugene Mayevski (EldoS Corp.)

You are specifying mutually exclusive flags. If the disk is shared to the network, it's exposed for everyone to use.

The solution is not to specify CBFS_SYMLINK_NETWORK_ALLOW_MAP_AS_DRIVE - it seems that you don't need it anyway.


Sincerely yours
Eugene Mayevski
#33593
Posted: 06/07/2015 13:17:25
by Eric Simmerman (Standard support level)
Joined: 06/14/2013
Posts: 12

Thanks for the fast response. I've tried so many permutations that I posted in error. I should have mentioned that I'd tried both with and without that third parameter and see the same behavior. My drive is still available under Network to other users when mounted with:

Code
AddMountingPoint(pointName, CBFS_SYMLINK_LOCAL | CBFS_SYMLINK_NETWORK, null)


I'm mounting the drive as an Administrator and then switching to a Windows "Standard User" account where the drive is visible under Network.
#33595
Posted: 06/08/2015 00:26:00
by Eugene Mayevski (EldoS Corp.)

I think that's how the specific OS version treats all network drives...

I'll move your question to the HelpDesk so that the developers check it deeper.


Sincerely yours
Eugene Mayevski
#34345
Posted: 09/01/2015 09:57:53
by Tomasz L (Priority Standard support level)
Joined: 03/25/2015
Posts: 3

Quote
Eugene Mayevski wrote:
I think that's how the specific OS version treats all network drives...

I'll move your question to the HelpDesk so that the developers check it deeper.


Hello Eugene,

We are also experiencing the same issue:

The drive mounted by one user (e.g. under letter Z:) is visible to another user on the same machine (after switching user) - not in the other user's "My Computer", but still fully browsable under "Network". We are using CBFS_SYMLINK_LOCAL | CBFS_SYMLINK_NETWORK.

I have tested this under Win 7, Win 8.1 and Win 10 (the released one) - both 32 and 64 bit. This browsing of another user's drive works nicely on each and every platform, just as if it were a feature.

We need to solve this, as of course this is a huge security issue. Is there any update regarding this issue? Are there any options? Thanks!
#34346
Posted: 09/01/2015 11:13:44
by Volodymyr Zinin (EldoS Corp.)

Network mounting points consist of two parts - a mounting point like "X:" or "qwerty" (this part is optional) and a UNC path (this part is always required).
CBFS_SYMLINK_LOCAL only influences the "mounting point" part. If it's set, the mounting point (drive letter) will be visible only to the specified session.
The UNC path is always globally visible and accessible to all sessions. However, you can hide it in Explorer by specifying CBFS_SYMLINK_NETWORK_HIDDEN_SHARE, and protect it from access by checking the session ID in the OnCreate and OnOpen callbacks (if the session isn't allowed, return ERROR_ACCESS_DENIED).
#34347
Posted: 09/01/2015 11:37:10
by Eugene Mayevski (EldoS Corp.)

For future generations I've turned Volodymyr's answer to the FAQ article.


Sincerely yours
Eugene Mayevski
#34357
Posted: 09/02/2015 09:48:54
by Tomasz L (Priority Standard support level)
Joined: 03/25/2015
Posts: 3

Volodymyr, thanks for the answer. So from what you write, I understand that:


1. At the beginning of the program I detect the session ID and store it somewhere, e.g. mySessionID (is this a LUID?).

Question: Where do I get this session ID from? I guess this is related to what is mentioned at the bottom of this page: https://www.eldos.com/documentation/cbfs/ref_gen_mounting_points.html
( by the way, the link to CodeProject is invalid, perhaps it was originally this one: http://www.codeproject.com/Articles/7483/Enumerating-Logon-Sessions ).

So should I get AuthenticationId from TOKEN_STATISTICS for access token of current process?


2. I compare this mySessionID with the session ID from OnOpen/OnCreate callback.

Question: Where do I get the session ID for the callback? OnOpen/OnCreate do not seem to pass it anyway. Should I use CallbackFileSystem.GetOriginatorToken and then again TOKEN_STATISTICS?
#34363
Posted: 09/02/2015 12:06:35
by Volodymyr Zinin (EldoS Corp.)

Quote
Tomasz L wrote:
So should I get AuthenticationId from TOKEN_STATISTICS for access token of current process?

I don't remember it, but it seems it is the correct way to obtain the authentication id. You can check whether it is correct by executing WinObj from sysinternals.com (run it elevated, i.e. "run as administrator"). It contains all session IDs present on the machine (see the attached screenshot).

Quote
Tomasz L wrote:
Should I use CallbackFileSystem.GetOriginatorToken and then again TOKEN_STATISTICS?

Yes. The authentication id should be obtained from the token.


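The check Volodymyr and Tomasz settle on, as an added example in C# (the language the posted AddMountingPoint call suggests) that is not EldoS code or code from this thread: read AuthenticationId from TOKEN_STATISTICS for the mounting process once, then compare it with the token that GetOriginatorToken() returns inside OnOpen/OnCreate. The SessionGuard class and its method names are assumptions; GetOriginatorToken, the callback names and ERROR_ACCESS_DENIED are the ones named in the thread, and the originator token handle is assumed to be the caller's to close.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
// Compares the logon session (TOKEN_STATISTICS.AuthenticationId) of the mounting process
// with that of the originator of each open/create request on the virtual drive.
static class SessionGuard
{
    const int TokenStatistics = 10;          // TOKEN_INFORMATION_CLASS.TokenStatistics
    const uint TOKEN_QUERY = 0x0008;
    public const uint ERROR_ACCESS_DENIED = 5;
    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_STATISTICS
    {
        public LUID TokenId;
        public LUID AuthenticationId;        // LUID of the logon session that owns the token
        public long ExpirationTime;
        public int TokenType, ImpersonationLevel;
        public uint DynamicCharged, DynamicAvailable, GroupCount, PrivilegeCount;
        public LUID ModifiedId;
    }
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buf, int len, out int needed);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
    static LUID ownerSession;                // captured once, before AddMountingPoint is called

    static LUID AuthenticationIdOf(IntPtr token) {
        int size = Marshal.SizeOf(typeof(TOKEN_STATISTICS));
        IntPtr buf = Marshal.AllocHGlobal(size);
        try {
            if (!GetTokenInformation(token, TokenStatistics, buf, size, out int _))
                throw new Win32Exception();  // carries GetLastError()
            return ((TOKEN_STATISTICS)Marshal.PtrToStructure(buf, typeof(TOKEN_STATISTICS))).AuthenticationId;
        } finally { Marshal.FreeHGlobal(buf); }
    }
    public static void RememberOwnerSession() {
        IntPtr self = System.Diagnostics.Process.GetCurrentProcess().Handle;
        if (!OpenProcessToken(self, TOKEN_QUERY, out IntPtr token)) throw new Win32Exception();
        try { ownerSession = AuthenticationIdOf(token); } finally { CloseHandle(token); }
    }
    // From OnOpen/OnCreate, pass the handle from GetOriginatorToken(); on false, fail with ERROR_ACCESS_DENIED.
    public static bool IsOwnerSession(IntPtr originatorToken) {
        LUID id = AuthenticationIdOf(originatorToken);
        return id.LowPart == ownerSession.LowPart && id.HighPart == ownerSession.HighPart;
    }
}
```

The per-user variant David suggests later in the thread needs the same plumbing with TokenUser in place of TokenStatistics and a SID comparison instead of the LUID one.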
#34391
Posted: 09/08/2015 04:10:19
by David Ruzicka (Standard support level)
Joined: 02/05/2014
Posts: 4

Maybe better is the SecurityIdentifier of the authorized user from OpenThreadToken/OpenProcessToken ( https://msdn.microsoft.com/en-us/library/windows/desktop/aa379554(v=vs.85).aspx ) for user authentication - you can identify the user in the Open/Create callback through GetOriginatorToken() regardless of session.