mirror of
https://github.com/gnif/LookingGlass.git
[host] service: disable privileges as soon as they are not needed
It is usually considered good practice to enable elevated privileges for the shortest duration possible.
parent
5d5eb47598
commit
2afad4e1be
@ -97,7 +97,7 @@ void winerr(void)
|
|||||||
doLog("0x%08lx - %s", GetLastError(), buf);
|
doLog("0x%08lx - %s", GetLastError(), buf);
|
||||||
}
|
}
|
||||||
|
|
||||||
bool enablePriv(const char * name)
|
bool adjustPriv(const char * name, DWORD attributes)
|
||||||
{
|
{
|
||||||
HANDLE hToken;
|
HANDLE hToken;
|
||||||
LUID luid;
|
LUID luid;
|
||||||
@ -120,7 +120,7 @@ bool enablePriv(const char * name)
|
|||||||
|
|
||||||
tp.PrivilegeCount = 1;
|
tp.PrivilegeCount = 1;
|
||||||
tp.Privileges[0].Luid = luid;
|
tp.Privileges[0].Luid = luid;
|
||||||
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
|
tp.Privileges[0].Attributes = attributes;
|
||||||
|
|
||||||
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL,
|
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL,
|
||||||
NULL))
|
NULL))
|
||||||
@ -145,6 +145,16 @@ fail:
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool enablePriv(const char * name)
|
||||||
|
{
|
||||||
|
return adjustPriv(name, SE_PRIVILEGE_ENABLED);
|
||||||
|
}
|
||||||
|
|
||||||
|
bool disablePriv(const char * name)
|
||||||
|
{
|
||||||
|
return adjustPriv(name, 0);
|
||||||
|
}
|
||||||
|
|
||||||
HANDLE dupeSystemProcessToken(void)
|
HANDLE dupeSystemProcessToken(void)
|
||||||
{
|
{
|
||||||
DWORD count = 0;
|
DWORD count = 0;
|
||||||
@ -223,7 +233,10 @@ void Launch(void)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!enablePriv(SE_DEBUG_NAME))
|
if (!enablePriv(SE_DEBUG_NAME))
|
||||||
|
{
|
||||||
|
doLog("failed to enable " SE_DEBUG_NAME);
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
HANDLE hToken = dupeSystemProcessToken();
|
HANDLE hToken = dupeSystemProcessToken();
|
||||||
if (!hToken)
|
if (!hToken)
|
||||||
@ -232,12 +245,18 @@ void Launch(void)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!disablePriv(SE_DEBUG_NAME))
|
||||||
|
doLog("failed to disable " SE_DEBUG_NAME);
|
||||||
|
|
||||||
DWORD origSessionID, targetSessionID, returnedLen;
|
DWORD origSessionID, targetSessionID, returnedLen;
|
||||||
GetTokenInformation(hToken, TokenSessionId, &origSessionID,
|
GetTokenInformation(hToken, TokenSessionId, &origSessionID,
|
||||||
sizeof(origSessionID), &returnedLen);
|
sizeof(origSessionID), &returnedLen);
|
||||||
|
|
||||||
if (!enablePriv(SE_TCB_NAME))
|
if (!enablePriv(SE_TCB_NAME))
|
||||||
|
{
|
||||||
|
doLog("failed to enable " SE_TCB_NAME);
|
||||||
goto fail_token;
|
goto fail_token;
|
||||||
|
}
|
||||||
|
|
||||||
targetSessionID = WTSGetActiveConsoleSessionId();
|
targetSessionID = WTSGetActiveConsoleSessionId();
|
||||||
if (origSessionID != targetSessionID)
|
if (origSessionID != targetSessionID)
|
||||||
@ -251,6 +270,9 @@ void Launch(void)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!disablePriv(SE_TCB_NAME))
|
||||||
|
doLog("failed to disable " SE_TCB_NAME);
|
||||||
|
|
||||||
LPVOID pEnvironment = NULL;
|
LPVOID pEnvironment = NULL;
|
||||||
if (!CreateEnvironmentBlock(&pEnvironment, hToken, TRUE))
|
if (!CreateEnvironmentBlock(&pEnvironment, hToken, TRUE))
|
||||||
{
|
{
|
||||||
@ -260,10 +282,16 @@ void Launch(void)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!enablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
|
if (!enablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
|
||||||
|
{
|
||||||
|
doLog("failed to enable " SE_ASSIGNPRIMARYTOKEN_NAME);
|
||||||
goto fail_token;
|
goto fail_token;
|
||||||
|
}
|
||||||
|
|
||||||
if (!enablePriv(SE_INCREASE_QUOTA_NAME))
|
if (!enablePriv(SE_INCREASE_QUOTA_NAME))
|
||||||
|
{
|
||||||
|
doLog("failed to enable " SE_INCREASE_QUOTA_NAME);
|
||||||
goto fail_token;
|
goto fail_token;
|
||||||
|
}
|
||||||
|
|
||||||
DWORD flags = CREATE_NEW_CONSOLE | HIGH_PRIORITY_CLASS;
|
DWORD flags = CREATE_NEW_CONSOLE | HIGH_PRIORITY_CLASS;
|
||||||
if (!pEnvironment)
|
if (!pEnvironment)
|
||||||
@ -298,6 +326,12 @@ void Launch(void)
|
|||||||
goto fail_token;
|
goto fail_token;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!disablePriv(SE_INCREASE_QUOTA_NAME))
|
||||||
|
doLog("failed to disable " SE_INCREASE_QUOTA_NAME);
|
||||||
|
|
||||||
|
if (!disablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
|
||||||
|
doLog("failed to disable " SE_ASSIGNPRIMARYTOKEN_NAME);
|
||||||
|
|
||||||
CloseHandle(pi.hThread);
|
CloseHandle(pi.hThread);
|
||||||
service.process = pi.hProcess;
|
service.process = pi.hProcess;
|
||||||
service.running = true;
|
service.running = true;
|
||||||
|
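Review bot: In Launch the new disablePriv calls sit only on the success path, so each early exit taken while a privilege is enabled leaves it enabled in the service's token: the `return` under `if (!hToken)` comes before `disablePriv(SE_DEBUG_NAME)`, a failed `enablePriv(SE_INCREASE_QUOTA_NAME)` jumps to `fail_token` with SE_ASSIGNPRIMARYTOKEN_NAME still on, and the `goto fail_token` just above the last two disablePriv calls skips both of them. The `fail_token` label and the code between the hunks are outside this view, so this assumes no cleanup happens there. The service process presumably keeps running after a failed launch, which makes the failure paths the ones where dropping the privilege matters most. I would disable straight after the privileged call and before testing its result, for example by moving `if (!disablePriv(SE_DEBUG_NAME)) doLog("failed to disable " SE_DEBUG_NAME);` to the line after `HANDLE hToken = dupeSystemProcessToken();`, and either do the same after the process-creation call or drop the remaining privileges under `fail_token`.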