diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-08-05 16:04:39 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-08-05 20:12:19 +0200 |
commit | c1ee46faae672e8024cb114450d974232fe44a8b (patch) | |
tree | 161840e31285965c1aae7f51e7a769522ba22d58 /elevate | |
parent | elevate: require builtin admins group and proper reg key (diff) | |
download | wireguard-windows-c1ee46faae672e8024cb114450d974232fe44a8b.tar.xz wireguard-windows-c1ee46faae672e8024cb114450d974232fe44a8b.zip |
elevate: move service/token into proper module
Diffstat (limited to 'elevate')
-rw-r--r-- | elevate/membership.go | 28 | ||||
-rw-r--r-- | elevate/privileges.go | 60 | ||||
-rw-r--r-- | elevate/shellexecute.go | 4 |
3 files changed, 89 insertions, 3 deletions
diff --git a/elevate/membership.go b/elevate/membership.go new file mode 100644 index 00000000..baa4d71b --- /dev/null +++ b/elevate/membership.go @@ -0,0 +1,28 @@ +/* SPDX-License-Identifier: MIT + * + * Copyright (C) 2019 WireGuard LLC. All Rights Reserved. + */ + +package elevate + +import ( + "runtime" + + "golang.org/x/sys/windows" +) + +func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool { + gs, err := token.GetTokenGroups() + if err != nil { + return false + } + isAdmin := false + for _, g := range gs.AllGroups() { + if (g.Attributes&windows.SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&windows.SE_GROUP_ENABLED != 0) && g.Sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) { + isAdmin = true + break + } + } + runtime.KeepAlive(gs) + return isAdmin +} diff --git a/elevate/privileges.go b/elevate/privileges.go new file mode 100644 index 00000000..a02d8a5d --- /dev/null +++ b/elevate/privileges.go @@ -0,0 +1,60 @@ +/* SPDX-License-Identifier: MIT + * + * Copyright (C) 2019 WireGuard LLC. All Rights Reserved. + */ + +package elevate + +import ( + "errors" + "runtime" + "unsafe" + + "golang.org/x/sys/windows" +) + +func DropAllPrivileges(retainDriverLoading bool) error { + processHandle, err := windows.GetCurrentProcess() + if err != nil { + return err + } + var luid windows.LUID + if retainDriverLoading { + err = windows.LookupPrivilegeValue(nil, windows.StringToUTF16Ptr("SeLoadDriverPrivilege"), &luid) + if err != nil { + return err + } + } + var processToken windows.Token + err = windows.OpenProcessToken(processHandle, windows.TOKEN_READ|windows.TOKEN_WRITE, &processToken) + if err != nil { + return err + } + defer processToken.Close() + + var bufferSizeRequired uint32 + windows.GetTokenInformation(processToken, windows.TokenPrivileges, nil, 0, &bufferSizeRequired) + if bufferSizeRequired == 0 || bufferSizeRequired < uint32(unsafe.Sizeof(windows.Tokenprivileges{}.PrivilegeCount)) { + return errors.New("GetTokenInformation failed to provide a buffer size") + } + buffer := make([]byte, bufferSizeRequired) + var bytesWritten uint32 + err = windows.GetTokenInformation(processToken, windows.TokenPrivileges, &buffer[0], uint32(len(buffer)), &bytesWritten) + if err != nil { + return err + } + if bytesWritten != bufferSizeRequired { + return errors.New("GetTokenInformation returned incomplete data") + } + tokenPrivileges := (*windows.Tokenprivileges)(unsafe.Pointer(&buffer[0])) + for i := uint32(0); i < tokenPrivileges.PrivilegeCount; i++ { + item := (*windows.LUIDAndAttributes)(unsafe.Pointer(uintptr(unsafe.Pointer(&tokenPrivileges.Privileges[0])) + unsafe.Sizeof(tokenPrivileges.Privileges[0])*uintptr(i))) + if retainDriverLoading && item.Luid == luid { + continue + } + item.Attributes = windows.SE_PRIVILEGE_REMOVED + } + err = windows.AdjustTokenPrivileges(processToken, false, tokenPrivileges, 0, nil, nil) + runtime.KeepAlive(buffer) + return err +} diff --git a/elevate/shellexecute.go b/elevate/shellexecute.go index 6e71e576..00f2d915 100644 --- a/elevate/shellexecute.go +++ b/elevate/shellexecute.go @@ -13,8 +13,6 @@ import ( "golang.org/x/sys/windows" "golang.org/x/sys/windows/registry" - - "golang.zx2c4.com/wireguard/windows/services" ) const ( @@ -79,7 +77,7 @@ func ShellExecute(program string, arguments string, directory string, show int32 err = windows.ERROR_SUCCESS return } - if !services.TokenIsMemberOfBuiltInAdministrator(processToken) { + if !TokenIsMemberOfBuiltInAdministrator(processToken) { err = windows.ERROR_ACCESS_DENIED return } |