I think this creates a test file that's only accessible by SYSTEM. Asked raymond chen for help.

2021-09-08 15:51:21 -05:00 · 2021-09-08 15:51:21 -05:00 · 447c2f9d4f
parent b592155d2b
commit 447c2f9d4f
2 changed files with 41 additions and 1 deletions
--- a/src/cascadia/TerminalApp/TerminalPage.cpp
+++ b/src/cascadia/TerminalApp/TerminalPage.cpp
@ -1312,7 +1312,7 @@ namespace winrt::TerminalApp::implementation

    bool TerminalPage::_shouldPromptForCommandline(const winrt::hstring& cmdline) const
    {
-        if (_isElevated())
+        if (true || _isElevated())
        {
            if (const auto& allowedCommandlines{ ElevatedState::SharedInstance().AllowedCommandlines() })
            {
--- a/src/cascadia/TerminalSettingsModel/ElevatedState.cpp
+++ b/src/cascadia/TerminalSettingsModel/ElevatedState.cpp
@ -9,6 +9,8 @@
 #include "JsonUtils.h"
 #include "FileUtils.h"

+#include <aclapi.h>
+
 constexpr std::wstring_view stateFileName{ L"elevated-state.json" };

 using namespace ::Microsoft::Terminal::Settings::Model;
@ -24,6 +26,44 @@ namespace winrt::Microsoft::Terminal::Settings::Model::implementation
        // TODO! place in a totally different file! and path!
        static auto state = winrt::make_self<ElevatedState>(GetBaseSettingsPath() / stateFileName);
        state->Reload();
+
+        const auto testPath{ GetBaseSettingsPath() / L"test.json" };
+
+        PSID pEveryoneSID = NULL;
+        SID_IDENTIFIER_AUTHORITY SIDAuthWorld = SECURITY_NT_AUTHORITY;
+        BOOL success = AllocateAndInitializeSid(&SIDAuthWorld, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &pEveryoneSID);
+
+        EXPLICIT_ACCESS ea[1];
+        ZeroMemory(&ea, 1 * sizeof(EXPLICIT_ACCESS));
+        ea[0].grfAccessPermissions = KEY_READ;
+        ea[0].grfAccessMode = SET_ACCESS;
+        ea[0].grfInheritance = NO_INHERITANCE;
+        ea[0].Trustee.TrusteeForm = TRUSTEE_IS_SID;
+        ea[0].Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
+        ea[0].Trustee.ptstrName = (LPTSTR)pEveryoneSID;
+
+        ACL acl;
+        PACL pAcl = &acl;
+        DWORD dwRes = SetEntriesInAcl(1, ea, NULL, &pAcl);
+        dwRes;
+
+        SECURITY_DESCRIPTOR sd;
+        success = InitializeSecurityDescriptor(&sd, SECURITY_DESCRIPTOR_REVISION);
+        success = SetSecurityDescriptorDacl(&sd,
+                                            TRUE, // bDaclPresent flag
+                                            pAcl,
+                                            FALSE);
+
+        SECURITY_ATTRIBUTES sa;
+        // Initialize a security attributes structure.
+        sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+        sa.lpSecurityDescriptor = &sd;
+        sa.bInheritHandle = FALSE;
+        success;
+
+        wil::unique_hfile file{ CreateFileW(testPath.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, &sa, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, nullptr) };
+        THROW_LAST_ERROR_IF(!file);
+
        return *state;
    }