From 724d177d0bab4104fc99df24dca597312c86b806 Mon Sep 17 00:00:00 2001
From: Bill Zissimopoulos
Date: Thu, 12 May 2016 14:18:08 -0700
Subject: [PATCH] launcher: security model improvements

---
 src/launcher/launcher.c | 16 +++++++++++-----
 src/launcher/launcher.h | 22 +++++++++++++++++-----
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/src/launcher/launcher.c b/src/launcher/launcher.c
index e1e4d694..20dd4ff7 100644
--- a/src/launcher/launcher.c
+++ b/src/launcher/launcher.c
@@ -161,9 +161,10 @@ NTSTATUS SvcInstanceCreate(HANDLE ClientToken,
 {
     SVC_INSTANCE *SvcInstance = 0;
     HKEY RegKey = 0;
-    DWORD RegResult, RegSize, SecurityLen;
+    DWORD RegResult, RegSize;
     DWORD ClassNameSize, InstanceNameSize;
-    WCHAR Executable[MAX_PATH], CommandLine[512], Security[512] = L"O:SYG:SY";
+    WCHAR Executable[MAX_PATH], CommandLine[512], SecurityBuf[512] = L"O:SYG:SY";
+    PWSTR Security;
     PSECURITY_DESCRIPTOR SecurityDescriptor;
     STARTUPINFOW StartupInfo;
     PROCESS_INFORMATION ProcessInfo;
@@ -206,10 +207,10 @@ NTSTATUS SvcInstanceCreate(HANDLE ClientToken,
         goto exit;
     }
 
-    SecurityLen = lstrlenW(Security);
-    RegSize = sizeof Security - SecurityLen * sizeof(WCHAR);
+    Security = SecurityBuf + lstrlenW(SecurityBuf);
+    RegSize = (DWORD)(sizeof SecurityBuf - (Security - SecurityBuf) * sizeof(WCHAR));
     RegResult = RegGetValueW(RegKey, ClassName, L"Security", RRF_RT_REG_SZ, 0,
-        Security + SecurityLen, &RegSize);
+        Security, &RegSize);
     if (ERROR_SUCCESS != RegResult && ERROR_FILE_NOT_FOUND != RegResult)
     {
         Result = FspNtStatusFromWin32(RegResult);
@@ -220,7 +221,12 @@ NTSTATUS SvcInstanceCreate(HANDLE ClientToken,
     RegKey = 0;
 
     if (L'\0' == Security)
+    {
+        Security = SecurityBuf;
         lstrcpyW(Security, L"" SVC_INSTANCE_DEFAULT_SDDL);
+    }
+    else if (L'D' == Security[0] && L':' == Security[1])
+        Security = SecurityBuf;
 
     if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(Security, SDDL_REVISION_1,
             &SecurityDescriptor, 0))
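Review bot: In the third hunk, `if (L'\0' == Security)` compares the pointer itself against a null pointer constant now that Security is a PWSTR, and since Security was just set to `SecurityBuf + lstrlenW(SecurityBuf)` it is never null, so the branch that installs SVC_INSTANCE_DEFAULT_SDDL can never run. When the "Security" registry value is absent (ERROR_FILE_NOT_FOUND is tolerated in the second hunk), Security presumably still points at the terminator of the "O:SYG:SY" prefix, and an empty string reaches ConvertStringSecurityDescriptorToSecurityDescriptorW instead of the intended default descriptor. The test should read the first character, `if (L'\0' == Security[0])`, which is also how the new `else if` on the following line reads it. SvcInstanceCreate starts before the first hunk and continues past the last one.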
diff --git a/src/launcher/launcher.h b/src/launcher/launcher.h
index 8164e6e7..b41744cf 100644
--- a/src/launcher/launcher.h
+++ b/src/launcher/launcher.h
@@ -26,14 +26,26 @@
 #define PIPE_BUFFER_SIZE 2048
 #define PIPE_DEFAULT_TIMEOUT 3000
 
-#define SVC_INSTANCE_DEFAULT_SDDL "O:SYG:SYD:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;WD)"
+/* RP:SERVICE_START, WP:SERVICE_STOP, SC:SERVICE_QUERY_STATUS */
+/*
+ * The default service instance SDDL gives full access to LocalSystem and Administrators.
+ * The only possible service instance rights are as follows:
+ * RP SERVICE_START
+ * WP SERVICE_STOP
+ * SC SERVICE_QUERY_STATUS
+ *
+ * To create a service that can be started, stopped or queried by everyone, you can set
+ * the following SDDL:
+ * D:P(A;;RPWPSC;;;WD)
+ */
+#define SVC_INSTANCE_DEFAULT_SDDL "O:SYG:SYD:P(A;;RPWPSC;;;SY)(A;;RPWPSC;;;BA)"
 
 enum
 {
-    LauncherSvcInstanceStart = 'S',
-    LauncherSvcInstanceStop = 'T',
-    LauncherSvcInstanceList = 'L',
-    LauncherSvcInstanceInfo = 'I',
+    LauncherSvcInstanceStart = 'S', /* requires: SERVICE_START */
+    LauncherSvcInstanceStop = 'T', /* requires: SERVICE_STOP */
+    LauncherSvcInstanceList = 'L', /* requires: none*/
+    LauncherSvcInstanceInfo = 'I', /* requires: SERVICE_QUERY_STATUS */
 };
 
 #endif
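Review bot: The single-line comment `/* RP:SERVICE_START, WP:SERVICE_STOP, SC:SERVICE_QUERY_STATUS */` added directly above the new block comment repeats the rights table that the block comment already spells out and reads like a leftover draft; drop that line so the header documents the rights in one place. In the enum, `/* requires: none*/` lacks the closing space its sibling comments have and should be `/* requires: none */`. Since that comment says the List command needs no right, it would help readers to state the consequence explicitly, if it is the intended policy, e.g. `/* requires: none (instance names are visible to any pipe client) */`.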