authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-14 17:00:10 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-14 17:10:50 +0200
commit2149611190c6d80feb8f752da190378127207a6a (patch)
treea3050b6130f1eef70baccfe7305a7a7884c4e153 /service/securityapi.go
parentservice: drop all privileges for tunnel service (diff)
service: clean up token mangling
Diffstat (limited to 'service/securityapi.go')
-rw-r--r--service/securityapi.go62
1 files changed, 13 insertions, 49 deletions
diff --git a/service/securityapi.go b/service/securityapi.go
index 989b4ac3..a7e6072c 100644
--- a/service/securityapi.go
+++ b/service/securityapi.go
@@ -55,40 +55,6 @@ type WTS_SESSION_INFO struct {
//sys wtsEnumerateSessions(handle windows.Handle, reserved uint32, version uint32, sessions **WTS_SESSION_INFO, count *uint32) (err error) = wtsapi32.WTSEnumerateSessionsW
//sys wtsFreeMemory(ptr uintptr) = wtsapi32.WTSFreeMemory
-// TEMP //
-
-type LUID struct {
- LowPart uint32
- HighPart int32
-}
-
-type LUID_AND_ATTRIBUTES struct {
- Luid LUID
- Attributes uint32
-}
-
-type TOKEN_PRIVILEGES struct {
- PrivilegeCount uint32
- Privileges [1]LUID_AND_ATTRIBUTES
-}
-
-const (
- SE_PRIVILEGE_REMOVED uint32 = 0X00000004
- TOKEN_READ uint32 = 0x00020008
- TOKEN_WRITE uint32 = 0x000200e0
- TokenPrivileges uint32 = 3
-)
-
-//sys adjustTokenPrivileges(token windows.Token, disableAllPrivileges bool, newstate *TOKEN_PRIVILEGES, buflen uint32, prevstate *TOKEN_PRIVILEGES, returnlen *uint32) (err error) = advapi32.AdjustTokenPrivileges
-//sys openProcessToken(processHandle windows.Handle, accessFlags uint32, token *windows.Token) (err error) = advapi32.OpenProcessToken
-
-// END TEMP //
-
-const (
- SE_GROUP_ENABLED = 0x00000004
- SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010
-)
-
func tokenIsElevated(token windows.Token) bool {
var isElevated uint32
var outLen uint32
@@ -116,7 +82,7 @@ func getElevatedToken(token windows.Token) (windows.Token, error) {
return windows.Token(0), errors.New("the linked token is not elevated")
}
-func tokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
+func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
adminSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
if err != nil {
return false
@@ -128,7 +94,7 @@ func tokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
groups := (*[(1 << 28) - 1]windows.SIDAndAttributes)(unsafe.Pointer(&gs.Groups[0]))[:gs.GroupCount]
isAdmin := false
for _, g := range groups {
- if (g.Attributes&SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&SE_GROUP_ENABLED != 0) && windows.EqualSid(g.Sid, adminSid) {
+ if (g.Attributes&windows.SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&windows.SE_GROUP_ENABLED != 0) && windows.EqualSid(g.Sid, adminSid) {
isAdmin = true
break
}
@@ -143,33 +109,31 @@ func dropAllPrivileges() error {
return err
}
var processToken windows.Token
- err = openProcessToken(processHandle, TOKEN_READ | TOKEN_WRITE, (*windows.Token)(unsafe.Pointer(&processToken)))
+ err = windows.OpenProcessToken(processHandle, windows.TOKEN_READ|windows.TOKEN_WRITE, &processToken)
if err != nil {
return err
}
defer processToken.Close()
+
var bufferSizeRequired uint32
- _ = windows.GetTokenInformation(processToken, TokenPrivileges, nil, 0, (*uint32)(unsafe.Pointer(&bufferSizeRequired)))
- if bufferSizeRequired == 0 {
+ windows.GetTokenInformation(processToken, windows.TokenPrivileges, nil, 0, &bufferSizeRequired)
+ if bufferSizeRequired == 0 || bufferSizeRequired < uint32(unsafe.Sizeof(windows.Tokenprivileges{}.PrivilegeCount)) {
return errors.New("GetTokenInformation failed to provide a buffer size")
}
- buffer := make([]uint8, bufferSizeRequired)
+ buffer := make([]byte, bufferSizeRequired)
var bytesWritten uint32
- err = windows.GetTokenInformation(processToken, TokenPrivileges, (*uint8)(unsafe.Pointer(&buffer[0])), (uint32)(len(buffer)), (*uint32)(unsafe.Pointer(&bytesWritten)))
+ err = windows.GetTokenInformation(processToken, windows.TokenPrivileges, &buffer[0], uint32(len(buffer)), &bytesWritten)
if err != nil {
return err
}
if bytesWritten != bufferSizeRequired {
return errors.New("GetTokenInformation returned incomplete data")
}
- tokenPrivileges := (*TOKEN_PRIVILEGES)(unsafe.Pointer(&buffer[0]))
- privs := (*[1024]LUID_AND_ATTRIBUTES)(unsafe.Pointer(&buffer[unsafe.Sizeof(tokenPrivileges.PrivilegeCount)]))
+ tokenPrivileges := (*windows.Tokenprivileges)(unsafe.Pointer(&buffer[0]))
for i := uint32(0); i < tokenPrivileges.PrivilegeCount; i++ {
- privs[i].Attributes = SE_PRIVILEGE_REMOVED
- }
- err = adjustTokenPrivileges(processToken, false, tokenPrivileges, 0, nil, nil)
- if err != nil {
- return err
+ (*windows.LUIDAndAttributes)(unsafe.Pointer(uintptr(unsafe.Pointer(&tokenPrivileges.Privileges[0])) + unsafe.Sizeof(tokenPrivileges.Privileges[0])*uintptr(i))).Attributes = windows.SE_PRIVILEGE_REMOVED
}
- return nil
+ err = windows.AdjustTokenPrivileges(processToken, false, tokenPrivileges, 0, nil, nil)
+ runtime.KeepAlive(buffer)
+ return err
}
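Review bot: The sizing call on the `windows.GetTokenInformation(processToken, windows.TokenPrivileges, nil, 0, &bufferSizeRequired)` line now discards its error with no marker at all, where the old line at least spelled out `_ =`; since that call is expected to fail (the buffer is nil and only the size is wanted), make the intent visible: `_ = windows.GetTokenInformation(processToken, windows.TokenPrivileges, nil, 0, &bufferSizeRequired) // expected to fail; only the size is wanted`. The guard that follows is half redundant, because `bufferSizeRequired < uint32(unsafe.Sizeof(windows.Tokenprivileges{}.PrivilegeCount))` already rejects zero, so `if bufferSizeRequired < uint32(unsafe.Sizeof(windows.Tokenprivileges{}.PrivilegeCount)) {` alone is enough. The loop over `tokenPrivileges.PrivilegeCount` trusts that count to fit inside `buffer`; checking before the loop that `unsafe.Sizeof(tokenPrivileges.PrivilegeCount) + uintptr(tokenPrivileges.PrivilegeCount)*unsafe.Sizeof(windows.LUIDAndAttributes{})` does not exceed `bytesWritten` would bound the unsafe indexing on the `(*windows.LUIDAndAttributes)` line by the data actually returned. `runtime.KeepAlive(buffer)` presumes `runtime` is imported in the file's import block, which lies outside this hunk, and dropAllPrivileges itself begins above the hunk.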