windows: open process tokens with duplicate access

A usual thing to ask is, "Is my current token in group X?" The right way
of doing such a thing is:

	processToken, err := windows.OpenCurrentProcessToken()
	if err != nil {
		return false, err
	}
	defer processToken.Close()
	var checkableToken windows.Token
	err = windows.DuplicateTokenEx(processToken, windows.TOKEN_QUERY | windows.TOKEN_IMPERSONATE, nil, windows.SecurityIdentification, windows.TokenImpersonation, &checkableToken)
	if err != nil {
		return false, err
	}
	defer checkableToken.Close()
	isMember, err := checkableToken.IsMember(someSID)
	return isMember && err == nil, nil

This is the same flow that's used by, for example, shell32's internal
_LUAIsTokenAdmin function.

However, this all fails unless the original token is opened with
duplicate access. So this commit adjusts OpenCurrentProcessToken to do
the right thing.

Change-Id: I18efdfde43097ea9d10758018b0df132fba819f5
Reviewed-on: https://go-review.googlesource.com/c/sys/+/192337
Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Simon Rozman <simon@rozman.si>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>
diff --git a/windows/security_windows.go b/windows/security_windows.go
index 7dfe201..7b2cfb9 100644
--- a/windows/security_windows.go
+++ b/windows/security_windows.go
@@ -666,7 +666,7 @@
 		return 0, e
 	}
 	var t Token
-	e = OpenProcessToken(p, TOKEN_QUERY, &t)
+	e = OpenProcessToken(p, TOKEN_QUERY|TOKEN_DUPLICATE, &t)
 	if e != nil {
 		return 0, e
 	}
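Review bot: The widened mask on the `OpenProcessToken(p, TOKEN_QUERY|TOKEN_DUPLICATE, &t)` line has no comment explaining why TOKEN_DUPLICATE is requested, so a later cleanup could trim it back to TOKEN_QUERY and silently break callers that pass the handle to DuplicateTokenEx. Consider a one-line comment above the call stating that the handle is opened with duplicate access so it can be turned into an impersonation token for membership checks. The patch touches only security_windows.go, so a test that opens the current process token, duplicates it, and calls IsMember would pin the behaviour the commit message describes.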