Merge pull request #336 from gerardog/fix/2.4.2-issues

Release v2.4.3

Author: gerardog

src/gsudo.Wrappers.Tests/Invoke-gsudo.Tests.ps1

@@ -43,7 +43,7 @@ Describe "PS Invoke-Gsudo (PSv$($PSVersionTable.PSVersion.Major))" {
 	}
 
 	It "It throws with .Net Exceptions" {
-		{ Invoke-gsudo { [int]::Parse('foo') } } | Should -throw "*Input string was not*"
+		{ Invoke-gsudo { [int]::Parse('foo') } } | Should -throw "*nput string*"
 	}
 
 	It "It throws when ErrorAction = Stop" {

src/gsudo.Wrappers/gsudo

@@ -8,4 +8,5 @@
 # For better experience (fix credentials cache) in git-bash/MinGw create this wrapper can be added as function in .bashrc:
 # 		gsudo() { WSLENV=WSL_DISTRO_NAME:USER:$WSLENV MSYS_NO_PATHCONV=1 gsudo.exe "$@"; }
 
-WSLENV=WSL_DISTRO_NAME:USER:$WSLENV MSYS_NO_PATHCONV=1 "$( dirname -- "$0")/gsudo.exe" "$@"
+thisdir="$(dirname "$(readlink "$0")")"
+WSLENV=WSL_DISTRO_NAME:USER:$WSLENV MSYS_NO_PATHCONV=1 "${thisdir}/gsudo.exe" "$@"

src/gsudo/AppSettings/Settings.cs

@@ -82,7 +82,7 @@ class Settings
 
         public static RegistrySetting<string> ExceptionList { get; } =
             new RegistrySetting<string>(nameof(ExceptionList),
-                defaultValue: "notepad.exe;powershell.exe;whoami.exe;",
+                defaultValue: "notepad.exe;powershell.exe;whoami.exe;vim.exe;nano.exe;",
                 deserializer: (string s)=>s,
                 scope: RegistrySettingScope.GlobalOnly);
 
@@ -127,8 +127,14 @@ internal static TimeSpan TimeSpanParseWithInfinite(string value)
         {
             if (value.In("-1", "Infinite"))
                 return TimeSpan.MaxValue;
-            else
-                return TimeSpan.Parse(value, CultureInfo.InvariantCulture);
+
+            var timeSpan = TimeSpan.Parse(value, CultureInfo.InvariantCulture);
+
+            // Cap at 24 days.
+            if (timeSpan.TotalDays > 24)
+                return TimeSpan.MaxValue;
+
+            return timeSpan;
         }
 
         internal static string TimeSpanWithInfiniteToString(TimeSpan value)

src/gsudo/Commands/RunCommand.cs

@@ -231,15 +231,18 @@ private void AdjustUacIsolationRequest(ElevationRequest elevationRequest, bool i
             }
         }
 
-        internal static bool IsRunningAsDesiredUser()
+        internal static bool IsRunningAsDesiredUser(bool allowHigherIntegrity = false)
         {
             if (InputArguments.TrustedInstaller && !WindowsIdentity.GetCurrent().Claims.Any(c => c.Value == Constants.TI_SID))
                 return false;
 
             if (InputArguments.RunAsSystem && !WindowsIdentity.GetCurrent().IsSystem)
-                return false;
+                return false;
 
-            if ((int)InputArguments.GetIntegrityLevel() != SecurityHelper.GetCurrentIntegrityLevel())
+            if ((int)InputArguments.GetIntegrityLevel() != SecurityHelper.GetCurrentIntegrityLevel() && !allowHigherIntegrity)
+                return false;
+
+            if ((int)InputArguments.GetIntegrityLevel() > SecurityHelper.GetCurrentIntegrityLevel())
                 return false;
 
             if (InputArguments.UserName != null && InputArguments.UserName != WindowsIdentity.GetCurrent().Name)

src/gsudo/Commands/ServiceCommand.cs

@@ -28,6 +28,8 @@ class ServiceCommand : ICommand, IDisposable
 
         void EnableTimer()
         {
+            if (CacheDuration > TimeSpan.FromDays(24)) CacheDuration = TimeSpan.FromDays(24);
+
             if (CacheDuration != TimeSpan.MaxValue) 
                 ShutdownTimer.Change((int)CacheDuration.TotalMilliseconds, Timeout.Infinite);
         }
@@ -55,7 +57,7 @@ public async Task<int> Execute()
                 || (InputArguments.RunAsSystem && !System.Security.Principal.WindowsIdentity.GetCurrent().IsSystem)
                 || (InputArguments.UserName != null && !SecurityHelper.IsAdministrator() && SecurityHelper.IsMemberOfLocalAdmins()) 
                 )*/
-            if (!RunCommand.IsRunningAsDesiredUser())
+            if (!RunCommand.IsRunningAsDesiredUser(allowHigherIntegrity: true))
             {
                 Logger.Instance.Log("This service is not running with desired credentials. Starting a new service instance.", LogLevel.Info);
 #if DEBUG

src/gsudo/Commands/StatusCommand.cs

@@ -152,7 +152,7 @@ private static void PrintToConsole(Dictionary<string, object> result)
 
             foreach (string s in result["CacheSessions"] as string[])
             {
-                Console.WriteLine($"    {s},");
+                Console.WriteLine($"    {s}");
             }
 
             if ((bool)result["IsRedirected"])

src/gsudo/Helpers/ProcessFactory.cs

@@ -67,7 +67,7 @@ public static Process StartRedirected(string fileName, string arguments, string
 
         public static Process StartAttached(string filename, string arguments)
         {
-            Logger.Instance.Log($"Process Start: {filename} {arguments}", LogLevel.Debug    );
+            Logger.Instance.Log($"Process Start: {filename} {arguments}", LogLevel.Debug);
             var process = new Process();
             process.StartInfo = new ProcessStartInfo(filename)
             {
@@ -128,7 +128,7 @@ public static Process StartWithCredentials(string filename, string arguments, st
                     CreateNoWindow = !InputArguments.Debug,
                 });
             }
-            catch(Win32Exception ex)
+            catch (Win32Exception ex)
             {
                 if (ex.NativeErrorCode == 1326)
                     throw new ApplicationException("The user name or password is incorrect.");
@@ -332,7 +332,7 @@ private static SafeProcessHandle CreateProcessWithToken(IntPtr newToken, string
             return new SafeProcessHandle(processInformation.hProcess, true);
         }
 
-        internal static SafeProcessHandle CreateProcessAsUserWithFlags(string lpApplicationName, string args, ProcessApi.CreateProcessFlags dwCreationFlags, out PROCESS_INFORMATION pInfo)
+        internal static void CreateProcessForTokenReplacement(string lpApplicationName, string args, ProcessApi.CreateProcessFlags dwCreationFlags, out SafeProcessHandle processHandle, out SafeHandle threadHandle, out int processId)
         {
             var sInfoEx = new ProcessApi.STARTUPINFOEX();
             sInfoEx.StartupInfo.cb = Marshal.SizeOf(sInfoEx);
@@ -342,7 +342,9 @@ internal static SafeProcessHandle CreateProcessAsUserWithFlags(string lpApplicat
             pSec.nLength = Marshal.SizeOf(pSec);
             tSec.nLength = Marshal.SizeOf(tSec);
 
-            // Set more restrictive Security Descriptor
+            // Set a more restrictive Security Descriptor:
+            // - This code runs at medium integrity, so we dont have permissions to change the SDACL to High integrity level.
+            // - We will do that in TokenSwitcher.ReplaceProcessToken.
             string sddl = "D:(D;;GAFAWD;;;S-1-1-0)"; // Deny Generic-All, File-All, and Write-Dac to everyone.
 
             IntPtr sd_ptr = new IntPtr();
@@ -354,15 +356,43 @@ internal static SafeProcessHandle CreateProcessAsUserWithFlags(string lpApplicat
 
             var command = $"{lpApplicationName} {args}";
 
-            Logger.Instance.Log($"{nameof(CreateProcessAsUserWithFlags)}: {lpApplicationName} {args}", LogLevel.Debug);
+            PROCESS_INFORMATION pInfo;
+            Logger.Instance.Log($"Creating target process: {lpApplicationName} {args}", LogLevel.Debug);
             if (!ProcessApi.CreateProcess(null, command, ref pSec, ref tSec, false, dwCreationFlags, IntPtr.Zero, null, ref sInfoEx, out pInfo))
             {
                 throw new Win32Exception((int)ConsoleApi.GetLastError());
             }
 
-            return new SafeProcessHandle(pInfo.hProcess, true);
-        }
+            var currentProcessHandle = ProcessApi.GetCurrentProcess();
+
+            if (!DuplicateHandle(
+                currentProcessHandle,   // Source process handle is the current process
+                pInfo.hProcess,         // The handle to duplicate
+                currentProcessHandle,   // Target process handle is also the current process
+                out var restrictedProcessHandle,     // The duplicated handle with desired access rights
+                0x1000 | 0x00100000 | 0x0001,       // Desired access: PROCESS_QUERY_LIMITED_INFORMATION | SYNCHRONIZE | PROCESS_TERMINATE
+                false,                  // The handle is not inheritable
+                1))                     // dwOptions: auto close pInfo.hProcess.
+            {
+                throw new Win32Exception(Marshal.GetLastWin32Error());
+            }
 
+            if (!DuplicateHandle(
+                    currentProcessHandle,       // Source process handle is the current process
+                    pInfo.hThread,              // The thread handle to duplicate
+                    currentProcessHandle,       // Target process handle is also the current process
+                    out var restrictedThreadHandle, // The duplicated handle with desired access rights
+                    0x0002,                     // Desired access: THREAD_SUSPEND_RESUME
+                    false,                      // The handle is not inheritable
+                    1))                         // dwOptions: auto close pInfo.hThread.
+            {
+                throw new Win32Exception(Marshal.GetLastWin32Error());
+            }
+
+            processHandle = new SafeProcessHandle(restrictedProcessHandle, true);
+            threadHandle = new Native.SafeThreadHandle(restrictedThreadHandle);
+
+            processId = pInfo.dwProcessId;
+        }
     }
 }
-

src/gsudo/Helpers/ServiceHelper.cs

@@ -69,8 +69,8 @@ public static async Task<ServiceLocation> FindAnyServiceFast()
         private static ServiceLocation FindServiceByIntegrity(int? clientPid, string user)
         {
             var anyIntegrity = InputArguments.UserName != null;
-            var tryHighIntegrity = !InputArguments.IntegrityLevel.HasValue || InputArguments.IntegrityLevel.Value >= IntegrityLevel.High;
-            var tryLowIntegrity = !InputArguments.IntegrityLevel.HasValue || InputArguments.IntegrityLevel.Value < IntegrityLevel.High;
+            var tryHighIntegrity = !InputArguments.IntegrityLevel.HasValue || InputArguments.IntegrityLevel.Value > IntegrityLevel.Medium;
+            var tryLowIntegrity = !InputArguments.IntegrityLevel.HasValue || InputArguments.IntegrityLevel.Value <= IntegrityLevel.Medium;
 
             var targetUserSid = InputArguments.RunAsSystem ? "S-1-5-18" : InputArguments.UserSid;
 

src/gsudo/Tokens/NativeMethods.cs src/gsudo/Native/NativeMethods.cs

@@ -1,11 +1,10 @@
-using gsudo.Native;
-using System;
+using System;
 using System.Runtime.ConstrainedExecution;
 using System.Runtime.InteropServices;
 using System.Security.Principal;
 using static gsudo.Native.TokensApi;
 
-namespace gsudo.Tokens
+namespace gsudo.Native
 {
     internal static partial class NativeMethods
     {
@@ -21,19 +20,19 @@ internal static partial class NativeMethods
         internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
         internal const int ERROR_NOT_ALL_ASSIGNED = 0x00000514;
 
-        internal const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;
-        internal const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
-        internal const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
-        internal const UInt32 TOKEN_DUPLICATE = 0x0002;
-        internal const UInt32 TOKEN_IMPERSONATE = 0x0004;
-        internal const UInt32 TOKEN_QUERY = 0x0008;
-        internal const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
-        internal const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020;
-        internal const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
-        internal const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
-        internal const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
-        internal const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
-        internal const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED |
+        internal const uint STANDARD_RIGHTS_REQUIRED = 0x000F0000;
+        internal const uint STANDARD_RIGHTS_READ = 0x00020000;
+        internal const uint TOKEN_ASSIGN_PRIMARY = 0x0001;
+        internal const uint TOKEN_DUPLICATE = 0x0002;
+        internal const uint TOKEN_IMPERSONATE = 0x0004;
+        internal const uint TOKEN_QUERY = 0x0008;
+        internal const uint TOKEN_QUERY_SOURCE = 0x0010;
+        internal const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
+        internal const uint TOKEN_ADJUST_GROUPS = 0x0040;
+        internal const uint TOKEN_ADJUST_DEFAULT = 0x0080;
+        internal const uint TOKEN_ADJUST_SESSIONID = 0x0100;
+        internal const uint TOKEN_READ = STANDARD_RIGHTS_READ | TOKEN_QUERY;
+        internal const uint TOKEN_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED |
                             TOKEN_ASSIGN_PRIMARY |
                             TOKEN_DUPLICATE |
                             TOKEN_IMPERSONATE |
@@ -42,7 +41,7 @@ internal static partial class NativeMethods
                             TOKEN_ADJUST_PRIVILEGES |
                             TOKEN_ADJUST_GROUPS |
                             TOKEN_ADJUST_DEFAULT |
-                            TOKEN_ADJUST_SESSIONID);
+                            TOKEN_ADJUST_SESSIONID;
 
         [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
         internal static extern IntPtr GetCurrentProcess();
@@ -65,7 +64,13 @@ internal static extern bool OpenProcessToken(IntPtr processHandle,
 
         [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
         [return: MarshalAs(UnmanagedType.Bool)]
-        internal static extern Boolean CloseHandle(IntPtr hObject);
+        internal static extern bool CloseHandle(IntPtr hObject);
+
+        [DllImport("advapi32.dll", SetLastError = true)]
+        internal static extern bool GetKernelObjectSecurity(IntPtr Handle, uint securityInformation, IntPtr pSecurityDescriptor, uint nLength, out uint lpnLengthNeeded);
+
+        [DllImport("advapi32.dll", SetLastError = true)]
+        internal static extern bool SetKernelObjectSecurity(IntPtr Handle, uint securityInformation, IntPtr pSecurityDescriptor);
 
         [StructLayout(LayoutKind.Sequential)]
         public struct LUID
@@ -100,5 +105,20 @@ public struct TOKEN_PRIVILEGES
 
             public LUID_AND_ATTRIBUTES[] Privileges { get => privileges; set => privileges = value; }
         }
+
     }
+
+    [Flags]
+    internal enum SECURITY_INFORMATION : uint
+    {
+        OWNER_SECURITY_INFORMATION = 0x00000001,
+        GROUP_SECURITY_INFORMATION = 0x00000002,
+        DACL_SECURITY_INFORMATION = 0x00000004,
+        SACL_SECURITY_INFORMATION = 0x00000008,
+        UNPROTECTED_SACL_SECURITY_INFORMATION = 0x10000000,
+        UNPROTECTED_DACL_SECURITY_INFORMATION = 0x20000000,
+        PROTECTED_SACL_SECURITY_INFORMATION = 0x40000000,
+        PROTECTED_DACL_SECURITY_INFORMATION = 0x80000000
+    }
+
 }

src/gsudo/Native/ProcessApi.cs

@@ -120,7 +120,10 @@ public enum CreateProcessFlags : uint
         internal static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);
 
         [DllImport("kernel32.dll", SetLastError = true)]
-        internal static extern bool CloseHandle(IntPtr hObject);
+        internal static extern bool CloseHandle(IntPtr hObject);
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        public static extern IntPtr LocalFree(IntPtr hMem);
 
         [DllImport("kernel32.dll", CharSet = System.Runtime.InteropServices.CharSet.Auto, SetLastError = true)]
         internal static extern bool GetExitCodeProcess(Microsoft.Win32.SafeHandles.SafeProcessHandle processHandle, out int exitCode);
@@ -190,7 +193,9 @@ protected override bool ReleaseHandle()
         #region Query Process Info
         public const UInt32 PROCESS_QUERY_INFORMATION = 0x0400;
         public const UInt32 PROCESS_SET_INFORMATION = 0x0200;
-
+        public const UInt32 READ_CONTROL = 0x00020000;
+        public const UInt32 WRITE_DAC = 0x40000;
+
         [DllImport("kernel32.dll", SetLastError = true)]
         internal static extern IntPtr OpenProcess(UInt32 dwDesiredAccess, Boolean bInheritHandle, UInt32 dwProcessId);
 
@@ -225,13 +230,24 @@ internal static extern bool CheckRemoteDebuggerPresent(
         internal static extern bool CreatePipe(out SafeFileHandle hReadPipe, out SafeFileHandle hWritePipe, SECURITY_ATTRIBUTES lpPipeAttributes, int nSize);
 
         [DllImport("kernel32.dll", SetLastError = true)]
-        internal static extern uint ResumeThread(IntPtr hThread);
+        internal static extern int ResumeThread(IntPtr hThread);
 
         [DllImport("kernel32.dll", SetLastError = true)]
         [return: MarshalAs(UnmanagedType.Bool)]
         internal static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);
 
         [DllImport("kernel32.dll", SetLastError = true)]
         internal static extern UInt32 WaitForSingleObject(IntPtr hHandle, UInt32 dwMilliseconds);
+
+        [DllImport("kernel32.dll", SetLastError = true)]
+        [return: MarshalAs(UnmanagedType.Bool)]
+        internal static extern bool DuplicateHandle(
+            IntPtr hSourceProcessHandle,
+            IntPtr hSourceHandle,
+            IntPtr hTargetProcessHandle,
+            out IntPtr lpTargetHandle,
+            uint dwDesiredAccess,
+            [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle,
+            uint dwOptions);
     }
 }

src/gsudo/Native/SafeTokenHandle.cs

@@ -21,4 +21,19 @@ protected override bool ReleaseHandle()
             return Native.ProcessApi.CloseHandle(base.handle);
         }
     }
+
+    internal sealed class SafeThreadHandle : SafeHandleZeroOrMinusOneIsInvalid
+    {
+        internal SafeThreadHandle(IntPtr handle)
+            : base(true)
+        {
+            base.SetHandle(handle);
+        }
+
+        override protected bool ReleaseHandle()
+        {
+            return Native.ProcessApi.CloseHandle(handle);
+        }
+
+    }
 }

src/gsudo/Native/TokensApi.cs

@@ -414,7 +414,19 @@ public struct LUID
         #endregion
 
         [DllImport("Advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
-        internal static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(string StringSecurityDescriptor, uint StringSDRevision, out IntPtr SecurityDescriptor, out UIntPtr SecurityDescriptorSize);
-
+        internal static extern bool ConvertStringSecurityDescriptorToSecurityDescriptor(
+            string StringSecurityDescriptor, 
+            uint StringSDRevision, 
+            out IntPtr SecurityDescriptor, 
+            out UIntPtr SecurityDescriptorSize);
+
+        // Additional imports for DACL manipulation
+        [DllImport("advapi32.dll", SetLastError = true)]
+        internal static extern bool ConvertSecurityDescriptorToStringSecurityDescriptor(
+            IntPtr SecurityDescriptor,
+            uint StringSDRevision,
+            SECURITY_INFORMATION SecurityInformation,
+            out IntPtr StringSecurityDescriptor,
+            out uint StringSecurityDescriptorLen);
     }
 }