From 5aec69c5ba5cebd7b284f5d96e61b2d389a5572d Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Wed, 28 Aug 2019 21:50:19 -0600
Subject: elevate: use more strict check for admin group

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 elevate/membership.go   | 33 +++++++++++++++++++++------------
 elevate/shellexecute.go |  2 +-
 main.go                 |  2 +-
 manager/service.go      |  2 +-
 4 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/elevate/membership.go b/elevate/membership.go
index baa4d71b..ccd0b60e 100644
--- a/elevate/membership.go
+++ b/elevate/membership.go
@@ -6,23 +6,32 @@
 package elevate
 
 import (
-	"runtime"
-
 	"golang.org/x/sys/windows"
 )
 
-func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
-	gs, err := token.GetTokenGroups()
+func isAdmin(token windows.Token) bool {
+	builtinAdminsGroup, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
 	if err != nil {
 		return false
 	}
-	isAdmin := false
-	for _, g := range gs.AllGroups() {
-		if (g.Attributes&windows.SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&windows.SE_GROUP_ENABLED != 0) && g.Sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
-			isAdmin = true
-			break
-		}
+	var checkableToken windows.Token
+	err = windows.DuplicateTokenEx(token, windows.TOKEN_QUERY | windows.TOKEN_IMPERSONATE, nil, windows.SecurityIdentification, windows.TokenImpersonation, &checkableToken)
+	if err != nil {
+		return false
+	}
+	defer checkableToken.Close()
+	isAdmin, err := checkableToken.IsMember(builtinAdminsGroup)
+	return isAdmin && err == nil
+}
+
+func TokenIsElevatedOrElevatable(token windows.Token) bool {
+	if token.IsElevated() && isAdmin(token) {
+		return true
+	}
+	linked, err := token.GetLinkedToken()
+	if err != nil {
+		return false
 	}
-	runtime.KeepAlive(gs)
-	return isAdmin
+	defer linked.Close()
+	return linked.IsElevated() && isAdmin(linked)
 }
diff --git a/elevate/shellexecute.go b/elevate/shellexecute.go
index 6933c8f5..2c4190e0 100644
--- a/elevate/shellexecute.go
+++ b/elevate/shellexecute.go
@@ -54,7 +54,7 @@ func ShellExecute(program string, arguments string, directory string, show int32
 		err = windows.ERROR_SUCCESS
 		return
 	}
-	if !TokenIsMemberOfBuiltInAdministrator(processToken) {
+	if !TokenIsElevatedOrElevatable(processToken) {
 		err = windows.ERROR_ACCESS_DENIED
 		return
 	}
diff --git a/main.go b/main.go
index bd86227e..e7070335 100644
--- a/main.go
+++ b/main.go
@@ -75,7 +75,7 @@ func checkForAdminGroup() {
 		fatal("Unable to open current process token: ", err)
 	}
 	defer processToken.Close()
-	if !elevate.TokenIsMemberOfBuiltInAdministrator(processToken) {
+	if !elevate.TokenIsElevatedOrElevatable(processToken) {
 		fatal("WireGuard may only be used by users who are a member of the Builtin Administrators group.")
 	}
 }
diff --git a/manager/service.go b/manager/service.go
index 8a525b12..43dd5d4c 100644
--- a/manager/service.go
+++ b/manager/service.go
@@ -104,7 +104,7 @@ func (service *managerService) Execute(args []string, r <-chan svc.ChangeRequest
 		if err != nil {
 			return
 		}
-		if !elevate.TokenIsMemberOfBuiltInAdministrator(userToken) {
+		if !elevate.TokenIsElevatedOrElevatable(userToken) {
 			userToken.Close()
 			return
 		}
-- 
cgit v1.2.3-59-g8ed1b