[host] service: disable privileges as soon as they are not needed

It is usually considered good practice to enable elevated privileges
for the shortest duration possible.
This commit is contained in:
Quantum 2021-04-26 02:51:08 -04:00 committed by Geoffrey McRae
parent 5d5eb47598
commit 2afad4e1be


@ -97,7 +97,7 @@ void winerr(void)
doLog("0x%08lx - %s", GetLastError(), buf); doLog("0x%08lx - %s", GetLastError(), buf);
} }
bool enablePriv(const char * name) bool adjustPriv(const char * name, DWORD attributes)
{ {
HANDLE hToken; HANDLE hToken;
LUID luid; LUID luid;
@ -120,7 +120,7 @@ bool enablePriv(const char * name)
tp.PrivilegeCount = 1; tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid; tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; tp.Privileges[0].Attributes = attributes;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL,
NULL)) NULL))
@ -145,6 +145,16 @@ fail:
return false; return false;
} }
bool enablePriv(const char * name)
{
return adjustPriv(name, SE_PRIVILEGE_ENABLED);
}
bool disablePriv(const char * name)
{
return adjustPriv(name, 0);
}
HANDLE dupeSystemProcessToken(void) HANDLE dupeSystemProcessToken(void)
{ {
DWORD count = 0; DWORD count = 0;
@ -223,7 +233,10 @@ void Launch(void)
} }
if (!enablePriv(SE_DEBUG_NAME)) if (!enablePriv(SE_DEBUG_NAME))
{
doLog("failed to enable " SE_DEBUG_NAME);
return; return;
}
HANDLE hToken = dupeSystemProcessToken(); HANDLE hToken = dupeSystemProcessToken();
if (!hToken) if (!hToken)
@ -232,12 +245,18 @@ void Launch(void)
return; return;
} }
if (!disablePriv(SE_DEBUG_NAME))
doLog("failed to disable " SE_DEBUG_NAME);
DWORD origSessionID, targetSessionID, returnedLen; DWORD origSessionID, targetSessionID, returnedLen;
GetTokenInformation(hToken, TokenSessionId, &origSessionID, GetTokenInformation(hToken, TokenSessionId, &origSessionID,
sizeof(origSessionID), &returnedLen); sizeof(origSessionID), &returnedLen);
if (!enablePriv(SE_TCB_NAME)) if (!enablePriv(SE_TCB_NAME))
{
doLog("failed to enable " SE_TCB_NAME);
goto fail_token; goto fail_token;
}
targetSessionID = WTSGetActiveConsoleSessionId(); targetSessionID = WTSGetActiveConsoleSessionId();
if (origSessionID != targetSessionID) if (origSessionID != targetSessionID)
@ -251,6 +270,9 @@ void Launch(void)
} }
} }
if (!disablePriv(SE_TCB_NAME))
doLog("failed to disable " SE_TCB_NAME);
LPVOID pEnvironment = NULL; LPVOID pEnvironment = NULL;
if (!CreateEnvironmentBlock(&pEnvironment, hToken, TRUE)) if (!CreateEnvironmentBlock(&pEnvironment, hToken, TRUE))
{ {
@ -260,10 +282,16 @@ void Launch(void)
} }
if (!enablePriv(SE_ASSIGNPRIMARYTOKEN_NAME)) if (!enablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
{
doLog("failed to enable " SE_ASSIGNPRIMARYTOKEN_NAME);
goto fail_token; goto fail_token;
}
if (!enablePriv(SE_INCREASE_QUOTA_NAME)) if (!enablePriv(SE_INCREASE_QUOTA_NAME))
{
doLog("failed to enable " SE_INCREASE_QUOTA_NAME);
goto fail_token; goto fail_token;
}
DWORD flags = CREATE_NEW_CONSOLE | HIGH_PRIORITY_CLASS; DWORD flags = CREATE_NEW_CONSOLE | HIGH_PRIORITY_CLASS;
if (!pEnvironment) if (!pEnvironment)
@ -298,6 +326,12 @@ void Launch(void)
goto fail_token; goto fail_token;
} }
if (!disablePriv(SE_INCREASE_QUOTA_NAME))
doLog("failed to disable " SE_INCREASE_QUOTA_NAME);
if (!disablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
doLog("failed to disable " SE_ASSIGNPRIMARYTOKEN_NAME);
CloseHandle(pi.hThread); CloseHandle(pi.hThread);
service.process = pi.hProcess; service.process = pi.hProcess;
service.running = true; service.running = true;
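Review bot: The new disablePriv() calls sit only on the success path of Launch(), so any `goto fail_token` taken after an enablePriv() — the one following the SE_INCREASE_QUOTA_NAME enable, or a failure inside the session-switch block entered with SE_TCB_NAME enabled — leaves those privileges enabled for the rest of the service's lifetime, which is exactly what the commit sets out to avoid. Launch() and its fail_token label lie outside these hunks, so I cannot see what cleanup happens there; one way to close the gap is to record which privileges were enabled (a small bitmask or bool per name) and disable them at fail_token as well, so both paths converge on the same "least privilege" end state. Separately, AdjustTokenPrivileges() reports a privilege that is not present in the token via ERROR_NOT_ALL_ASSIGNED while still returning TRUE; adjustPriv's body between the -97 and -145 hunks presumably checks GetLastError() for that, and it is worth confirming the check still makes sense when attributes is 0, where an absent privilege is harmless. A one-line comment on adjustPriv stating `/* attributes is written straight into Privileges[0].Attributes: SE_PRIVILEGE_ENABLED enables, 0 disables */` would make the two thin wrappers self-explanatory.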