windows: open process tokens with duplicate access
A usual thing to ask is, "Is my current token in group X?" The right way
of doing such a thing is:
func isCurrentTokenMember(someSID *windows.SID) (bool, error) {
	// Open the current process token. The handle must carry TOKEN_DUPLICATE
	// for the DuplicateTokenEx call below to succeed.
	processToken, err := windows.OpenCurrentProcessToken()
	if err != nil {
		return false, err
	}
	defer processToken.Close()
	// CheckTokenMembership (behind Token.IsMember) requires an impersonation
	// token, so duplicate the primary token at identification level.
	var checkableToken windows.Token
	err = windows.DuplicateTokenEx(processToken, windows.TOKEN_QUERY|windows.TOKEN_IMPERSONATE, nil, windows.SecurityIdentification, windows.TokenImpersonation, &checkableToken)
	if err != nil {
		return false, err
	}
	defer checkableToken.Close()
	isMember, err := checkableToken.IsMember(someSID)
	return isMember && err == nil, nil
}
This is the same flow that's used by, for example, shell32's internal
_LUAIsTokenAdmin function.
However, this all fails unless the original token is opened with
duplicate access. So this commit adjusts OpenCurrentProcessToken to do
the right thing.
Change-Id: I18efdfde43097ea9d10758018b0df132fba819f5
Reviewed-on: https://go-review.googlesource.com/c/sys/+/192337
Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Simon Rozman <simon@rozman.si>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
diff --git a/windows/security_windows.go b/windows/security_windows.go
index 7dfe201..7b2cfb9 100644
--- a/windows/security_windows.go
+++ b/windows/security_windows.go
@@ -666,7 +666,7 @@
return 0, e
}
var t Token
- e = OpenProcessToken(p, TOKEN_QUERY, &t)
+ e = OpenProcessToken(p, TOKEN_QUERY|TOKEN_DUPLICATE, &t)
if e != nil {
return 0, e
}
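Review bot: the widened access mask at `+ e = OpenProcessToken(p, TOKEN_QUERY|TOKEN_DUPLICATE, &t)` is not reflected in any documentation line in this hunk; the doc comment of the enclosing function (OpenCurrentProcessToken, per the commit message) should state that the returned token is opened with TOKEN_QUERY|TOKEN_DUPLICATE, since callers that pass it to DuplicateTokenEx now depend on that right. It is also worth a sentence noting that callers which only needed TOKEN_QUERY now additionally request TOKEN_DUPLICATE, so the open fails as a whole if that right cannot be granted. Separately, the snippet in the commit message passes `token` to DuplicateTokenEx where the variable it opened is `processToken`.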