win_become - don't dispose logon token until end (#61905)
This commit is contained in:
parent
900a51b283
commit
6e8d430872
2 changed files with 54 additions and 19 deletions
2
changelogs/fragments/win_become-shared-token.yaml
Normal file
2
changelogs/fragments/win_become-shared-token.yaml
Normal file
|
@ -0,0 +1,2 @@
|
|||
bugfixes:
|
||||
- win_become - Do not dispose of one of the logon tokens until after the process has run
|
|
@ -282,21 +282,46 @@ namespace Ansible.Become
|
|||
if (lpCurrentDirectory == "")
|
||||
lpCurrentDirectory = null;
|
||||
|
||||
// A user may have 2 tokens, 1 limited and 1 elevated. GetUserTokens will return both token to ensure
|
||||
// we don't close one of the pairs while the process is still running. If the process tries to retrieve
|
||||
// one of the pairs and the token handle is closed then it will fail with ERROR_NO_SUCH_LOGON_SESSION.
|
||||
List<SafeNativeHandle> userTokens = GetUserTokens(username, password, logonType);
|
||||
try
|
||||
{
|
||||
using (Process.SafeMemoryBuffer lpEnvironment = ProcessUtil.CreateEnvironmentPointer(environment))
|
||||
using (SafeNativeHandle hToken = GetUserToken(username, password, logonType))
|
||||
{
|
||||
bool launchSuccess = false;
|
||||
StringBuilder commandLine = new StringBuilder(lpCommandLine);
|
||||
if (!NativeMethods.CreateProcessWithTokenW(hToken, logonFlags, lpApplicationName, commandLine,
|
||||
creationFlags, lpEnvironment, lpCurrentDirectory, si, out pi))
|
||||
foreach (SafeNativeHandle token in userTokens)
|
||||
{
|
||||
throw new Process.Win32Exception("CreateProcessWithTokenW() failed");
|
||||
// GetUserTokens could return null if an elevated token could not be retrieved.
|
||||
if (token == null)
|
||||
continue;
|
||||
|
||||
if (NativeMethods.CreateProcessWithTokenW(token, logonFlags, lpApplicationName,
|
||||
commandLine, creationFlags, lpEnvironment, lpCurrentDirectory, si, out pi))
|
||||
{
|
||||
launchSuccess = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
return ProcessUtil.WaitProcess(stdoutRead, stdoutWrite, stderrRead, stderrWrite, stdinStream, stdin, pi.hProcess);
|
||||
}
|
||||
|
||||
private static SafeNativeHandle GetUserToken(string username, string password, LogonType logonType)
|
||||
if (!launchSuccess)
|
||||
throw new Process.Win32Exception("CreateProcessWithTokenW() failed");
|
||||
}
|
||||
return ProcessUtil.WaitProcess(stdoutRead, stdoutWrite, stderrRead, stderrWrite, stdinStream, stdin,
|
||||
pi.hProcess);
|
||||
}
|
||||
finally
|
||||
{
|
||||
userTokens.Where(t => t != null).ToList().ForEach(t => t.Dispose());
|
||||
}
|
||||
}
|
||||
|
||||
private static List<SafeNativeHandle> GetUserTokens(string username, string password, LogonType logonType)
|
||||
{
|
||||
List<SafeNativeHandle> userTokens = new List<SafeNativeHandle>();
|
||||
|
||||
SafeNativeHandle systemToken = null;
|
||||
bool impersonated = false;
|
||||
string becomeSid = username;
|
||||
|
@ -333,7 +358,7 @@ namespace Ansible.Become
|
|||
try
|
||||
{
|
||||
if (becomeSid == "S-1-5-18")
|
||||
return systemToken;
|
||||
userTokens.Add(systemToken);
|
||||
// Cannot use String.IsEmptyOrNull() as an empty string is an account that doesn't have a pass.
|
||||
// We only use S4U if no password was defined or it was null
|
||||
else if (!SERVICE_SIDS.Contains(becomeSid) && password == null && logonType != LogonType.NewCredentials)
|
||||
|
@ -343,9 +368,16 @@ namespace Ansible.Become
|
|||
SecurityIdentifier sid = new SecurityIdentifier(becomeSid);
|
||||
SafeNativeHandle becomeToken = GetPrimaryTokenForUser(sid);
|
||||
if (becomeToken != null)
|
||||
return GetElevatedToken(becomeToken);
|
||||
{
|
||||
userTokens.Add(GetElevatedToken(becomeToken));
|
||||
userTokens.Add(becomeToken);
|
||||
}
|
||||
else
|
||||
return GetS4UTokenForUser(sid, logonType);
|
||||
{
|
||||
becomeToken = GetS4UTokenForUser(sid, logonType);
|
||||
userTokens.Add(null);
|
||||
userTokens.Add(becomeToken);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
|
@ -380,9 +412,8 @@ namespace Ansible.Become
|
|||
|
||||
// Get the elevated token for a local/domain accounts only
|
||||
if (!SERVICE_SIDS.Contains(becomeSid))
|
||||
return GetElevatedToken(hToken);
|
||||
else
|
||||
return hToken;
|
||||
userTokens.Add(GetElevatedToken(hToken));
|
||||
userTokens.Add(hToken);
|
||||
}
|
||||
}
|
||||
finally
|
||||
|
@ -390,6 +421,8 @@ namespace Ansible.Become
|
|||
if (impersonated)
|
||||
TokenUtil.RevertToSelf();
|
||||
}
|
||||
|
||||
return userTokens;
|
||||
}
|
||||
|
||||
private static SafeNativeHandle GetPrimaryTokenForUser(SecurityIdentifier sid, List<string> requiredPrivileges = null)
|
||||
|
@ -530,9 +563,9 @@ namespace Ansible.Become
|
|||
private static SafeNativeHandle GetElevatedToken(SafeNativeHandle hToken)
|
||||
{
|
||||
TokenElevationType tet = TokenUtil.GetTokenElevationType(hToken);
|
||||
// We already have the best token we can get, just use it
|
||||
// We already have the best token we can get, no linked token is really available.
|
||||
if (tet != TokenElevationType.Limited)
|
||||
return hToken;
|
||||
return null;
|
||||
|
||||
SafeNativeHandle linkedToken = TokenUtil.GetTokenLinkedToken(hToken);
|
||||
TokenStatistics tokenStats = TokenUtil.GetTokenStatistics(linkedToken);
|
||||
|
@ -541,7 +574,7 @@ namespace Ansible.Become
|
|||
if (tokenStats.TokenType == TokenType.Primary)
|
||||
return linkedToken;
|
||||
else
|
||||
return hToken;
|
||||
return null;
|
||||
}
|
||||
|
||||
private static NativeHelpers.SECURITY_LOGON_TYPE GetTokenLogonType(SafeNativeHandle hToken)
|
||||
|
|
Loading…
Reference in a new issue