manager: allow S-1-5-32-556 users to launch a limited UI

I still have serious security reservations about this, both conceptually
-- should users be allowed to do this stuff? -- and pratically -- there
are issues with this implementation that need some examination.

TODO:
- Is that registry key a secure path? Should we double check it?
- Are we leaking handles to the unpriv'd process from the manager? Audit
  this too.
- IPC notifications are blocking. Should we move this to a go routine to
  mitigate DoS potential?
- Is GOB deserialization secure? Can an NCO user crash or RCE the
  manager?

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

1 files changed, 14 insertions, 4 deletions

diff --git a/main.go b/main.go
index 868be5d0..b8c385fe 100644
--- a/main.go
+++ b/main.go
@@ -137,10 +137,10 @@ func main() {
 	checkForWow64()
 
 	if len(os.Args) <= 1 {
-		checkForAdminGroup()
 		if ui.RaiseUI() {
 			return
 		}
+		checkForAdminGroup()
 		err := execElevatedManagerServiceInstaller()
 		if err != nil {
 			fatal(err)
@@ -213,9 +213,18 @@ func main() {
 		if len(os.Args) != 6 {
 			usage()
 		}
-		err := elevate.DropAllPrivileges(false)
-		if err != nil {
-			fatal(err)
+		var processToken windows.Token
+		isAdmin := false
+		err := windows.OpenProcessToken(windows.CurrentProcess(), windows.TOKEN_QUERY|windows.TOKEN_DUPLICATE, &processToken)
+		if err == nil {
+			isAdmin = elevate.TokenIsElevatedOrElevatable(processToken)
+			processToken.Close()
+		}
+		if isAdmin {
+			err := elevate.DropAllPrivileges(false)
+			if err != nil {
+				fatal(err)
+			}
 		}
 		readPipe, err := pipeFromHandleArgument(os.Args[2])
 		if err != nil {
@@ -234,6 +243,7 @@ func main() {
 			fatal(err)
 		}
 		manager.InitializeIPCClient(readPipe, writePipe, eventPipe)
+		ui.IsAdmin = isAdmin
 		ui.RunUI()
 		return
 	case "/dumplog":