more unique_sid's, and m,ore comments
parent
4da965f901
commit
1e3a319314
|
@ -1480,9 +1480,21 @@ namespace winrt::TerminalApp::implementation
|
|||
return true;
|
||||
}
|
||||
|
||||
// Method Description:
|
||||
// - For a given commandline, determines if we should prompt the user for
|
||||
// approval. We only do this check when elevated. This will check the
|
||||
// AllowedCommandlines in `elevated-state.json`, to see if the commandline
|
||||
// already exists in that list.
|
||||
// Arguments:
|
||||
// - cmdline: The commandline to check
|
||||
// Return Value:
|
||||
// - true if we should prompt the user for approval.
|
||||
bool TerminalPage::_shouldPromptForCommandline(const winrt::hstring& cmdline) const
|
||||
{
|
||||
if (true || _isElevated())
|
||||
// NOTE: For debugging purposes, changing this to `true ||
|
||||
// _isElevated()` is a handy way of forcing the elevation logic, even
|
||||
// when unelevated.
|
||||
if (_isElevated())
|
||||
{
|
||||
if (const auto& allowedCommandlines{ ElevatedState::SharedInstance().AllowedCommandlines() })
|
||||
{
|
||||
|
@ -1494,9 +1506,12 @@ namespace winrt::TerminalApp::implementation
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
// TODO! If the cmdline starts with (case-insensitive)
|
||||
// `C:\WINDOWS\System32`, then ignore this check.
|
||||
}
|
||||
|
||||
return true; // TODO! Change this to false. This is defaulted to true for testing.
|
||||
return false;
|
||||
}
|
||||
|
||||
void TerminalPage::_adminWarningPrimaryClicked(const TerminalApp::AdminWarningPlaceholder& sender,
|
||||
|
|
|
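Review bot: No path that returns `true` is visible in `_shouldPromptForCommandline` after this change: past the three closing braces of the allow-list lookup, the elevated branch holds only the `TODO!` comment, and the function then ends in `return false;`. The lines between the two hunks are not shown, so this is inferred, but if the loop only returns `false` on a match, an elevated session whose commandline is not in `AllowedCommandlines` would skip the approval prompt. I would add `return true;` just before the brace that closes `if (_isElevated())`, so the check fails closed when the list is missing or has no match. For the planned `C:\WINDOWS\System32` exemption, a prefix test on the whole commandline would also exempt whatever arguments follow the executable; comparing the resolved executable path against the system directory is narrower.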
@ -115,7 +115,15 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
|
|||
|
||||
void ElevatedState::_writeFileContents(const std::string_view content) const
|
||||
{
|
||||
// WriteUTF8FileAtomic(_path, content, true);
|
||||
// DON'T use WriteUTF8FileAtomic, which will write to a temporary file
|
||||
// then rename that file to the final filename. That actually lets us
|
||||
// overwrite the elevate file's contents even when unelevated, because
|
||||
// we're effectively deleting the original file, then renaming a
|
||||
// different file in it's place.
|
||||
//
|
||||
// We're not worried about someone else doing that though, if they do
|
||||
// that with the wrong permissions, then we'll just ignore the file and
|
||||
// start over.
|
||||
WriteUTF8File(_path, content, true);
|
||||
}
|
||||
|
||||
|
|
|
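Review bot: The new comment in `_writeFileContents` says a file replaced with the wrong permissions will be ignored on load, but nothing in this hunk shows where that check happens, and the safety of the in-place write depends on it. I would name the checking routine in the comment, for example `// The owner/ACL check on load is done in <function that reads this file>.`, so a reader can confirm the two stay in step. It is also worth a line stating that atomicity is given up on purpose, along the lines of `// An interrupted write can leave a partial file; the loader must treat a parse failure as "no state".`, assuming the loader does behave that way.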
@ -206,16 +206,16 @@ namespace Microsoft::Terminal::Settings::Model
|
|||
// SYSTEM, but if I did that, then even we can't write the file
|
||||
// while elevated, which isn't what we want.
|
||||
|
||||
PSID pEveryoneSid = nullptr;
|
||||
PSID pAdminGroupSid = nullptr;
|
||||
wil::unique_sid everyoneSid{};
|
||||
wil::unique_sid adminGroupSid{};
|
||||
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
|
||||
SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_WORLD_SID_AUTHORITY;
|
||||
|
||||
// Create a SID for the BUILTIN\Administrators group.
|
||||
THROW_IF_WIN32_BOOL_FALSE(AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pAdminGroupSid));
|
||||
THROW_IF_WIN32_BOOL_FALSE(AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &adminGroupSid));
|
||||
|
||||
// Create a well-known SID for the Everyone group.
|
||||
THROW_IF_WIN32_BOOL_FALSE(AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSid));
|
||||
THROW_IF_WIN32_BOOL_FALSE(AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &everyoneSid));
|
||||
|
||||
EXPLICIT_ACCESS ea[2];
|
||||
ZeroMemory(&ea, 2 * sizeof(EXPLICIT_ACCESS));
|
||||
|
@ -225,7 +225,7 @@ namespace Microsoft::Terminal::Settings::Model
|
|||
ea[0].grfInheritance = NO_INHERITANCE;
|
||||
ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
|
||||
ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
|
||||
ea[0].Trustee.ptstrName = (LPTSTR)pAdminGroupSid;
|
||||
ea[0].Trustee.ptstrName = (LPWSTR)(adminGroupSid.get());
|
||||
|
||||
// Grant Everyone the permission or read this file
|
||||
ea[1].grfAccessPermissions = GENERIC_READ;
|
||||
|
@ -233,7 +233,7 @@ namespace Microsoft::Terminal::Settings::Model
|
|||
ea[1].grfInheritance = NO_INHERITANCE;
|
||||
ea[1].Trustee.TrusteeForm = TRUSTEE_IS_SID;
|
||||
ea[1].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
|
||||
ea[1].Trustee.ptstrName = (LPTSTR)pEveryoneSid;
|
||||
ea[1].Trustee.ptstrName = (LPWSTR)(everyoneSid.get());
|
||||
|
||||
ACL acl;
|
||||
PACL pAcl = &acl;
|
||||
|
|
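Review bot: `PACL pAcl = &acl;` at the end of this section is still a raw pointer, although the SIDs around it moved to `wil::unique_sid`. The rest of the function is outside the hunk; if `pAcl` is later passed to `SetEntriesInAcl`, that call replaces it with a `LocalAlloc`'d ACL that needs `LocalFree`, and the stack `acl` is never used. A `wil::unique_hlocal` (or an equivalent scope guard) would cover it the same way `wil::unique_sid` covers the SIDs. On the trustee lines, the C-style casts could be `reinterpret_cast<LPWSTR>(adminGroupSid.get())` and `reinterpret_cast<LPWSTR>(everyoneSid.get())`, which keeps the SID-as-name pun easy to grep.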