Mirrored_Repos/LookingGlass
1
0
Fork 0
mirror of https://github.com/gnif/LookingGlass.git synced 2024-11-22 13:37:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

[host] service: disable privileges as soon as they are not needed

Browse Source 
It is usually considered good practice to enable elevated privileges
for the shortest duration possible.
This commit is contained in:
Quantum 2021-04-26 02:51:08 -04:00 committed by Geoffrey McRae
parent 5d5eb47598
commit 2afad4e1be
1 changed files with 36 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
host/platform/Windows/src/service.c
View File

@ -97,7 +97,7 @@ void winerr(void)
doLog("0x%08lx - %s", GetLastError(), buf);
}
bool enablePriv(const char * name)
bool adjustPriv(const char * name, DWORD attributes)
{
HANDLE hToken;
LUID luid;
@ -120,7 +120,7 @@ bool enablePriv(const char * name)
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
tp.Privileges[0].Attributes = attributes;
if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL,
NULL))
@ -145,6 +145,16 @@ fail:
return false;
}
bool enablePriv(const char * name)
{
return adjustPriv(name, SE_PRIVILEGE_ENABLED);
}
bool disablePriv(const char * name)
{
return adjustPriv(name, 0);
}
HANDLE dupeSystemProcessToken(void)
{
DWORD count = 0;
@ -223,7 +233,10 @@ void Launch(void)
}
if (!enablePriv(SE_DEBUG_NAME))
{
doLog("failed to enable " SE_DEBUG_NAME);
return;
}
HANDLE hToken = dupeSystemProcessToken();
if (!hToken)
@ -232,12 +245,18 @@ void Launch(void)
return;
}
if (!disablePriv(SE_DEBUG_NAME))
doLog("failed to disable " SE_DEBUG_NAME);
DWORD origSessionID, targetSessionID, returnedLen;
GetTokenInformation(hToken, TokenSessionId, &origSessionID,
sizeof(origSessionID), &returnedLen);
if (!enablePriv(SE_TCB_NAME))
{
doLog("failed to enable " SE_TCB_NAME);
goto fail_token;
}
targetSessionID = WTSGetActiveConsoleSessionId();
if (origSessionID != targetSessionID)
@ -251,6 +270,9 @@ void Launch(void)
}
}
if (!disablePriv(SE_TCB_NAME))
doLog("failed to disable " SE_TCB_NAME);
LPVOID pEnvironment = NULL;
if (!CreateEnvironmentBlock(&pEnvironment, hToken, TRUE))
{
@ -260,10 +282,16 @@ void Launch(void)
}
if (!enablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
{
doLog("failed to enable " SE_ASSIGNPRIMARYTOKEN_NAME);
goto fail_token;
}
if (!enablePriv(SE_INCREASE_QUOTA_NAME))
{
doLog("failed to enable " SE_INCREASE_QUOTA_NAME);
goto fail_token;
}
DWORD flags = CREATE_NEW_CONSOLE | HIGH_PRIORITY_CLASS;
if (!pEnvironment)
@ -298,6 +326,12 @@ void Launch(void)
goto fail_token;
}
if (!disablePriv(SE_INCREASE_QUOTA_NAME))
doLog("failed to disable " SE_INCREASE_QUOTA_NAME);
if (!disablePriv(SE_ASSIGNPRIMARYTOKEN_NAME))
doLog("failed to disable " SE_ASSIGNPRIMARYTOKEN_NAME);
CloseHandle(pi.hThread);
service.process = pi.hProcess;
service.running = true;