From a0cda2c718e96612138a079de7233166dc964ee2 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 2 May 2019 16:26:20 +0200
Subject: service: set security attributes on new process
Signed-off-by: Jason A. Donenfeld
---
 service/service_manager.go | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)
(limited to 'service/service_manager.go')
diff --git a/service/service_manager.go b/service/service_manager.go
index 4d287c6f..9596671b 100644
--- a/service/service_manager.go
+++ b/service/service_manager.go
@@ -56,6 +56,15 @@ type wellKnownSidType uint32
 //sys wtsEnumerateSessions(handle windows.Handle, reserved uint32, version uint32, sessions **wtsSessionInfo, count *uint32) (err error) = wtsapi32.WTSEnumerateSessionsW
 //sys wtsFreeMemory(ptr uintptr) = wtsapi32.WTSFreeMemory
+const (
+ SE_KERNEL_OBJECT = 6
+ DACL_SECURITY_INFORMATION = 4
+ ATTRIBUTE_SECURITY_INFORMATION = 16
+)
+
+//sys getSecurityInfo(handle windows.Handle, objectType uint32, si uint32, sidOwner *windows.SID, sidGroup *windows.SID, dacl *uintptr, sacl *uintptr, securityDescriptor *uintptr) (err error) [failretval!=0] = advapi32.GetSecurityInfo
+//sys getSecurityDescriptorLength(securityDescriptor uintptr) (len uint32) = advapi32.GetSecurityDescriptorLength
+
 //sys createEnvironmentBlock(block *uintptr, token windows.Token, inheritExisting bool) (err error) = userenv.CreateEnvironmentBlock
 //sys destroyEnvironmentBlock(block uintptr) (err error) = userenv.DestroyEnvironmentBlock
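Review bot: The `//sys getSecurityInfo(...) (err error) [failretval!=0]` declaration discards the function's own result: GetSecurityInfo reports failure through the DWORD it returns, and if the generated wrapper follows the usual mkwinsyscall pattern for an `err error` result it fills err from GetLastError instead, so the error Execute later sees may not reflect why the descriptor lookup failed. golang.org/x/sys declares calls of this kind with a `(ret error)` result, which maps a non-zero return straight to a syscall.Errno; if the generator used here supports that form, `//sys getSecurityInfo(...) (ret error) = advapi32.GetSecurityInfo` without the failretval clause would preserve the real code. `ATTRIBUTE_SECURITY_INFORMATION` is declared but nothing in this commit references it; either drop it or say what it is reserved for. A one-line comment on the const block, `// Win32 SE_OBJECT_TYPE and SECURITY_INFORMATION values passed to getSecurityInfo.`, would tell a reader where the magic numbers come from.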
@@ -125,6 +134,23 @@ func (service *managerService) Execute(args []string, r <-chan svc.ChangeRequest
 return
 }
+ currentProcess, err := windows.GetCurrentProcess()
+ if err != nil {
+ panic(err)
+ }
+ var securityAttributes syscall.SecurityAttributes
+ err = getSecurityInfo(currentProcess, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, nil, nil, &securityAttributes.SecurityDescriptor)
+ if err != nil {
+ serviceError = ErrorCreateSecurityDescriptor
+ return
+ }
+ defer windows.LocalFree(windows.Handle(securityAttributes.SecurityDescriptor))
+ securityAttributes.Length = getSecurityDescriptorLength(securityAttributes.SecurityDescriptor)
+ if securityAttributes.Length == 0 {
+ serviceError = ErrorCreateSecurityDescriptor
+ return
+ }
+
 devNull, err := os.OpenFile(os.DevNull, os.O_RDWR, 0)
 if err != nil {
 serviceError = ErrorOpenNULFile
@@ -216,7 +242,9 @@ func (service *managerService) Execute(args []string, r <-chan svc.ChangeRequest
 log.Printf("Starting UI process for user: '%s@%s'", username, domain)
 attr := &os.ProcAttr{
 Sys: &syscall.SysProcAttr{
- Token: syscall.Token(userToken),
+ Token: syscall.Token(userToken),
+ ProcessAttributes: &securityAttributes,
+ ThreadAttributes: &securityAttributes,
 },
 Files: []*os.File{devNull, devNull, devNull},
 Env: env,
--
cgit v1.2.3-59-g8ed1b
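Review bot: `securityAttributes.Length = getSecurityDescriptorLength(securityAttributes.SecurityDescriptor)` stores the wrong quantity: SECURITY_ATTRIBUTES.nLength is defined as the size of the SECURITY_ATTRIBUTES structure itself, not of the descriptor it points to, so the intended assignment is `securityAttributes.Length = uint32(unsafe.Sizeof(securityAttributes))` (requiring the `unsafe` import if the file does not already have it). The descriptor-length call can stay as a sanity check but belongs in its own condition rather than in Length, e.g. `if getSecurityDescriptorLength(securityAttributes.SecurityDescriptor) == 0 { serviceError = ErrorCreateSecurityDescriptor; return }`. Separately, `panic(err)` after `windows.GetCurrentProcess()` is the one failure in this hunk that aborts the service instead of setting serviceError and returning as the neighbouring checks do; routing it through the same path keeps the service's shutdown behaviour uniform. Execute begins and ends outside this hunk.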
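Review bot: The new `ProcessAttributes`/`ThreadAttributes` lines hand a DACL copied from the service's own process object to a process that will run under `userToken`, and nothing at the call site says so; a comment such as `// Apply this service process's DACL to the UI process and its initial thread (securityAttributes is filled in at the top of Execute).` would make the intent explicit. As far as I recall Windows semantics, the new process's owner is taken from the creating token and an owner keeps implicit READ_CONTROL and WRITE_DAC regardless of the DACL, so if the goal is to keep the user's other processes from reopening the UI process this descriptor alone may not be sufficient; worth confirming against the intended threat model. InheritHandle is left at zero, matching the usual non-inheritable default. The enclosing Execute function starts and ends outside this hunk.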