authorJason A. Donenfeld <Jason@zx2c4.com>2019-05-16 13:06:58 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-05-16 13:06:58 +0200
commit7d8584727ad15bada4ed19a8277f0bc5b8fdca5f (patch)
treec9c412d2e082ebf0dbd946a023678b18fc1a56df /service
parentui: react to DPI changes in syntax editor (diff)
service: token elevation stuff is upstream
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'service')
-rw-r--r--service/service_manager.go21
-rw-r--r--service/tokens.go27
2 files changed, 14 insertions, 34 deletions
diff --git a/service/service_manager.go b/service/service_manager.go
index dcc8a908..5ffd8615 100644
--- a/service/service_manager.go
+++ b/service/service_manager.go
@@ -111,14 +111,21 @@ func (service *managerService) Execute(args []string, r <-chan svc.ChangeRequest
userToken.Close()
return
}
- //TODO: The environment that Go gets from CreateEnvironmentBlock seems to have the same PATH as the userToken. Aren't there attacks?
- elevatedToken, err := getElevatedToken(userToken)
- if err != nil {
- log.Printf("Unable to elevate token: %v", err)
- return
- }
- if elevatedToken != userToken {
+ var elevatedToken windows.Token
+ if userToken.IsElevated() {
+ elevatedToken = userToken
+ } else {
+ elevatedToken, err = userToken.GetLinkedToken()
userToken.Close()
+ if err != nil {
+ log.Printf("Unable to elevate token: %v", err)
+ return
+ }
+ if !elevatedToken.IsElevated() {
+ elevatedToken.Close()
+ log.Println("Linked token is not elevated")
+ return
+ }
}
defer elevatedToken.Close()
userToken = 0
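Review bot: The removed TODO about the environment from CreateEnvironmentBlock sharing PATH with userToken disappears together with the old getElevatedToken call, yet nothing in this hunk changes how that environment block is built, so the open concern is silently lost; unless it was resolved elsewhere, keep it next to the new code, e.g. `// TODO: the environment from CreateEnvironmentBlock seems to share PATH with userToken; review before relying on it.` The token ownership in the new branches also deserves a line: in the elevated case userToken is aliased into elevatedToken and closed once by the deferred Close, while in the else case it is closed immediately after GetLinkedToken, so a comment such as `// userToken is either closed or owned by elevatedToken from here on` before `userToken = 0` would make the zeroing self-explanatory. Execute's body starts and ends outside the hunk.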
diff --git a/service/tokens.go b/service/tokens.go
index f203f268..aade8734 100644
--- a/service/tokens.go
+++ b/service/tokens.go
@@ -13,33 +13,6 @@ import (
"golang.org/x/sys/windows"
)
-func tokenIsElevated(token windows.Token) bool {
- var isElevated uint32
- var outLen uint32
- err := windows.GetTokenInformation(token, windows.TokenElevation, (*byte)(unsafe.Pointer(&isElevated)), uint32(unsafe.Sizeof(isElevated)), &outLen)
- if err != nil {
- return false
- }
- return outLen == uint32(unsafe.Sizeof(isElevated)) && isElevated != 0
-}
-
-func getElevatedToken(token windows.Token) (windows.Token, error) {
- if tokenIsElevated(token) {
- return token, nil
- }
- var linkedToken windows.Token
- var outLen uint32
- err := windows.GetTokenInformation(token, windows.TokenLinkedToken, (*byte)(unsafe.Pointer(&linkedToken)), uint32(unsafe.Sizeof(linkedToken)), &outLen)
- if err != nil {
- return windows.Token(0), err
- }
- if tokenIsElevated(linkedToken) {
- return linkedToken, nil
- }
- linkedToken.Close()
- return windows.Token(0), errors.New("the linked token is not elevated")
-}
-
func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
adminSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
if err != nil {