Grant minimal access rights to the user associated with the process token.
This commit is contained in:
parent
153dc620c8
commit
6d69f0b547
@ -248,8 +248,7 @@ void setupSearchPaths()
|
|||||||
|
|
||||||
//
|
//
|
||||||
// Prevent memory dumps without admin privileges.
|
// Prevent memory dumps without admin privileges.
|
||||||
// MiniDumpWriteDump function requires
|
// MiniDumpWriteDump function requires PROCESS_QUERY_INFORMATION and PROCESS_VM_READ
|
||||||
// PROCESS_QUERY_INFORMATION and PROCESS_VM_READ
|
|
||||||
// see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680360%28v=vs.85%29.aspx
|
// see: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680360%28v=vs.85%29.aspx
|
||||||
//
|
//
|
||||||
bool createWindowsDACL()
|
bool createWindowsDACL()
|
||||||
@ -257,48 +256,62 @@ bool createWindowsDACL()
|
|||||||
bool bSuccess = false;
|
bool bSuccess = false;
|
||||||
|
|
||||||
#ifdef Q_OS_WIN
|
#ifdef Q_OS_WIN
|
||||||
|
// Process token and user
|
||||||
|
HANDLE hToken = nullptr;
|
||||||
|
PTOKEN_USER pTokenUser = nullptr;
|
||||||
|
DWORD cbBufferSize = 0;
|
||||||
|
|
||||||
// Access control list
|
// Access control list
|
||||||
PACL pACL = nullptr;
|
PACL pACL = nullptr;
|
||||||
DWORD cbACL = 0;
|
DWORD cbACL = 0;
|
||||||
|
|
||||||
// Security identifiers
|
// Open the access token associated with the calling process
|
||||||
PSID pSIDAdmin = nullptr;
|
if (!OpenProcessToken(
|
||||||
PSID pSIDSystem = nullptr;
|
GetCurrentProcess(),
|
||||||
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
|
TOKEN_QUERY,
|
||||||
|
&hToken
|
||||||
// Create a SID for the BUILTIN\Administrators group
|
|
||||||
if (!AllocateAndInitializeSid(
|
|
||||||
&SIDAuthNT,
|
|
||||||
2,
|
|
||||||
SECURITY_BUILTIN_DOMAIN_RID,
|
|
||||||
DOMAIN_ALIAS_RID_ADMINS,
|
|
||||||
0, 0, 0, 0, 0, 0,
|
|
||||||
&pSIDAdmin
|
|
||||||
)) {
|
)) {
|
||||||
goto Cleanup;
|
goto Cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create a SID for the System group
|
// Retrieve the token information in a TOKEN_USER structure
|
||||||
if (!AllocateAndInitializeSid(
|
GetTokenInformation(
|
||||||
&SIDAuthNT,
|
hToken,
|
||||||
1,
|
TokenUser, // request for a TOKEN_USER structure
|
||||||
SECURITY_LOCAL_SYSTEM_RID,
|
nullptr,
|
||||||
0, 0, 0, 0, 0, 0, 0,
|
0,
|
||||||
&pSIDSystem
|
&cbBufferSize
|
||||||
|
);
|
||||||
|
|
||||||
|
pTokenUser = static_cast<PTOKEN_USER>(HeapAlloc(GetProcessHeap(), 0, cbBufferSize));
|
||||||
|
if (pTokenUser == nullptr) {
|
||||||
|
goto Cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!GetTokenInformation(
|
||||||
|
hToken,
|
||||||
|
TokenUser,
|
||||||
|
pTokenUser,
|
||||||
|
cbBufferSize,
|
||||||
|
&cbBufferSize
|
||||||
)) {
|
)) {
|
||||||
goto Cleanup;
|
goto Cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!IsValidSid(pTokenUser->User.Sid)) {
|
||||||
|
goto Cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Calculate the amount of memory that must be allocated for the DACL
|
||||||
cbACL = sizeof(ACL)
|
cbACL = sizeof(ACL)
|
||||||
+ sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pSIDAdmin)
|
+ sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pTokenUser->User.Sid);
|
||||||
+ sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pSIDSystem);
|
|
||||||
|
|
||||||
|
// Create and initialize an ACL
|
||||||
pACL = static_cast<PACL>(HeapAlloc(GetProcessHeap(), 0, cbACL));
|
pACL = static_cast<PACL>(HeapAlloc(GetProcessHeap(), 0, cbACL));
|
||||||
if (pACL == nullptr) {
|
if (pACL == nullptr) {
|
||||||
goto Cleanup;
|
goto Cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Initialize access control list
|
|
||||||
if (!InitializeAcl(pACL, cbACL, ACL_REVISION)) {
|
if (!InitializeAcl(pACL, cbACL, ACL_REVISION)) {
|
||||||
goto Cleanup;
|
goto Cleanup;
|
||||||
}
|
}
|
||||||
@ -307,21 +320,13 @@ bool createWindowsDACL()
|
|||||||
if (!AddAccessAllowedAce(
|
if (!AddAccessAllowedAce(
|
||||||
pACL,
|
pACL,
|
||||||
ACL_REVISION,
|
ACL_REVISION,
|
||||||
SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, // protected process
|
SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE, // same as protected process
|
||||||
pSIDAdmin
|
pTokenUser->User.Sid // pointer to the trustee's SID
|
||||||
)) {
|
|
||||||
goto Cleanup;
|
|
||||||
}
|
|
||||||
if (!AddAccessAllowedAce(
|
|
||||||
pACL,
|
|
||||||
ACL_REVISION,
|
|
||||||
PROCESS_ALL_ACCESS,
|
|
||||||
pSIDSystem
|
|
||||||
)) {
|
)) {
|
||||||
goto Cleanup;
|
goto Cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Update discretionary access control list
|
// Set discretionary access control list
|
||||||
bSuccess = ERROR_SUCCESS == SetSecurityInfo(
|
bSuccess = ERROR_SUCCESS == SetSecurityInfo(
|
||||||
GetCurrentProcess(), // object handle
|
GetCurrentProcess(), // object handle
|
||||||
SE_KERNEL_OBJECT, // type of object
|
SE_KERNEL_OBJECT, // type of object
|
||||||
@ -333,15 +338,15 @@ bool createWindowsDACL()
|
|||||||
|
|
||||||
Cleanup:
|
Cleanup:
|
||||||
|
|
||||||
if (pSIDAdmin != nullptr) {
|
|
||||||
FreeSid(pSIDAdmin);
|
|
||||||
}
|
|
||||||
if (pSIDSystem != nullptr) {
|
|
||||||
FreeSid(pSIDSystem);
|
|
||||||
}
|
|
||||||
if (pACL != nullptr) {
|
if (pACL != nullptr) {
|
||||||
HeapFree(GetProcessHeap(), 0, pACL);
|
HeapFree(GetProcessHeap(), 0, pACL);
|
||||||
}
|
}
|
||||||
|
if (pTokenUser != nullptr) {
|
||||||
|
HeapFree(GetProcessHeap(), 0, pTokenUser);
|
||||||
|
}
|
||||||
|
if (hToken != nullptr) {
|
||||||
|
CloseHandle(hToken);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return bSuccess;
|
return bSuccess;
|
||||||
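Review bot: The DACL built in the third hunk grants the token's user SID only `SYNCHRONIZE | PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_TERMINATE`, but that same SID presumably remains the owner of the process object, and an owner holds implicit READ_CONTROL and WRITE_DAC regardless of the DACL, so another process running as that user can reset the DACL with SetSecurityInfo and then open the process with PROCESS_VM_READ; the header comment "Prevent memory dumps without admin privileges" overstates what this achieves. I would add next to the AddAccessAllowedAce call: `// NOTE: the owner keeps implicit WRITE_DAC, so same-user code can restore full access; this only hinders casual memory dumps.` The remaining SetSecurityInfo arguments fall outside the hunks, so I cannot tell whether the owner is also rewritten. Separately, the first GetTokenInformation call in the second hunk (the one passing a nullptr buffer) ignores its result; if it fails for any reason other than a too-small buffer, cbBufferSize stays 0 and the failure only surfaces indirectly at the second call. Checking it explicitly documents the intent: `if (!GetTokenInformation(hToken, TokenUser, nullptr, 0, &cbBufferSize) && GetLastError() != ERROR_INSUFFICIENT_BUFFER) { goto Cleanup; }`.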
|