np, launcher: allow RunAs=. registry setting

2025-07-03 01:12:58 -05:00 · 2018-11-26 13:29:34 -08:00
parent 5d90c35e20
commit 3119922708
7 changed files with 181 additions and 33 deletions
--- a/src/launcher/launcher.c
+++ b/src/launcher/launcher.c
@ -255,6 +255,7 @@ exit:

 static BOOL LogonCreateProcess(
    PWSTR UserName,
+    HANDLE Token,
    LPCWSTR ApplicationName,
    LPWSTR CommandLine,
    LPSECURITY_ATTRIBUTES ProcessAttributes,
@ -271,11 +272,20 @@ static BOOL LogonCreateProcess(
    if (0 != UserName)
    {
        if (0 == invariant_wcsicmp(UserName, L"LocalSystem"))
+        {
            UserName = 0;
+            Token = 0;
+        }
        else
        if (0 == invariant_wcsicmp(UserName, L"LocalService") ||
            0 == invariant_wcsicmp(UserName, L"NetworkService"))
+        {
            DomainName = L"NT AUTHORITY";
+            Token = 0;
+        }
+        else
+        if (0 == invariant_wcsicmp(UserName, L"."))
+            ;
        else
        {
            SetLastError(ERROR_ACCESS_DENIED);
@ -299,18 +309,40 @@ static BOOL LogonCreateProcess(

    HANDLE LogonToken = 0;
    PVOID EnvironmentBlock = 0;
+    DWORD SessionId;
    DWORD LastError;
    BOOL Success;

-    Success = LogonUserW(
-        UserName,
-        DomainName,
-        0,
-        LOGON32_LOGON_SERVICE,
-        LOGON32_PROVIDER_DEFAULT,
-        &LogonToken);
-    if (!Success)
-        goto exit;
+    if (0 == Token)
+    {
+        Success = LogonUserW(
+            UserName,
+            DomainName,
+            0,
+            LOGON32_LOGON_SERVICE,
+            LOGON32_PROVIDER_DEFAULT,
+            &LogonToken);
+        if (!Success)
+            goto exit;
+    }
+    else
+    {
+        /* convert the impersonation token to a primary token */
+        Success = DuplicateTokenEx(Token,
+            TOKEN_ALL_ACCESS,
+            0,
+            SecurityAnonymous,
+            TokenPrimary,
+            &LogonToken);
+        if (!Success)
+            goto exit;
+        if (!ProcessIdToSessionId(GetCurrentProcessId(), &SessionId))
+            SessionId = 0;
+        /* place the duplicated token in the service session (session 0) */
+        Success = SetTokenInformation(LogonToken, TokenSessionId, &SessionId, sizeof SessionId);
+        if (!Success)
+            goto exit;
+    }

    if (0 == Environment)
    {
@ -663,7 +695,7 @@ static NTSTATUS SvcInstanceAccessCheck(HANDLE ClientToken, ULONG DesiredAccess,
    return Result;
 }

-static NTSTATUS SvcInstanceCreateProcess(PWSTR UserName,
+static NTSTATUS SvcInstanceCreateProcess(PWSTR UserName, HANDLE ClientToken,
    PWSTR Executable, PWSTR CommandLine, PWSTR WorkDirectory,
    HANDLE StdioHandles[2],
    PPROCESS_INFORMATION ProcessInfo)
@ -758,7 +790,7 @@ static NTSTATUS SvcInstanceCreateProcess(PWSTR UserName,
        StartupInfoEx.StartupInfo.hStdOutput = ChildHandles[1];
        StartupInfoEx.StartupInfo.hStdError = ChildHandles[2];

-        if (!LogonCreateProcess(UserName,
+        if (!LogonCreateProcess(UserName, ClientToken,
            Executable, CommandLine, 0, 0, TRUE,
            CREATE_SUSPENDED | CREATE_NEW_PROCESS_GROUP | EXTENDED_STARTUPINFO_PRESENT,
            0, WorkDirectory,
@ -779,7 +811,7 @@ static NTSTATUS SvcInstanceCreateProcess(PWSTR UserName,
             * Not ideal, but...
             */
            StartupInfoEx.StartupInfo.cb = sizeof StartupInfoEx.StartupInfo;
-            if (!LogonCreateProcess(UserName,
+            if (!LogonCreateProcess(UserName, ClientToken,
                Executable, CommandLine, 0, 0, TRUE,
                CREATE_SUSPENDED | CREATE_NEW_PROCESS_GROUP,
                0, WorkDirectory,
@ -792,7 +824,7 @@ static NTSTATUS SvcInstanceCreateProcess(PWSTR UserName,
    }
    else
    {
-        if (!LogonCreateProcess(UserName,
+        if (!LogonCreateProcess(UserName, ClientToken,
            Executable, CommandLine, 0, 0, FALSE,
            CREATE_SUSPENDED | CREATE_NEW_PROCESS_GROUP,
            0, WorkDirectory,
@ -1009,7 +1041,7 @@ NTSTATUS SvcInstanceCreate(HANDLE ClientToken,
    if (!NT_SUCCESS(Result))
        goto exit;

-    Result = SvcInstanceCreateProcess(L'\0' != RunAsBuf[0] ? RunAsBuf : 0,
+    Result = SvcInstanceCreateProcess(L'\0' != RunAsBuf[0] ? RunAsBuf : 0, ClientToken,
        Executable, SvcInstance->CommandLine, L'\0' != WorkDirectory[0] ? WorkDirectory : 0,
        RedirectStdio ? SvcInstance->StdioHandles : 0, &ProcessInfo);
    if (!NT_SUCCESS(Result))
@ -1629,7 +1661,10 @@ static DWORD WINAPI SvcPipeServer(PVOID Context)

        ClientToken = 0;
        if (!ImpersonateNamedPipeClient(SvcPipe) ||
-            !OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &ClientToken) ||
+            (
+                !OpenThreadToken(GetCurrentThread(), TOKEN_QUERY | TOKEN_DUPLICATE, FALSE, &ClientToken) &&
+                !OpenThreadToken(GetCurrentThread(), TOKEN_QUERY, FALSE, &ClientToken)
+            ) ||
            !RevertToSelf())
        {
            LastError = GetLastError();