[Chromoting] Move CreateSessionToken() next to launch process utilities.

remoting/host/win/launch_process_with_token.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "remoting/host/win/launch_process_with_token.h"
 
 #include <windows.h>
 #include <winternl.h>
 
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/scoped_native_library.h"
 #include "base/stringprintf.h"
 #include "base/utf_string_conversions.h"
-#include "base/win/scoped_handle.h"
 #include "base/win/scoped_process_information.h"
 #include "base/win/windows_version.h"
 
 using base::win::ScopedHandle;
 
 namespace {
 
 const wchar_t kCreateProcessDefaultPipeNameFormat[] =
     L"\\\\.\\Pipe\\TerminalServer\\SystemExecSrvr\\%d";
 
 // Undocumented WINSTATIONINFOCLASS value causing
 // winsta!WinStationQueryInformationW() to return the name of the pipe for
 // requesting cross-session process creation.
 const WINSTATIONINFOCLASS kCreateProcessPipeNameClass =
     static_cast<WINSTATIONINFOCLASS>(0x21);
 
 const int kPipeBusyWaitTimeoutMs = 2000;
 const int kPipeConnectMaxAttempts = 3;
 
 // The minimum and maximum delays between attempts to inject host process into
 // a session.
 const int kMaxLaunchDelaySeconds = 60;
 const int kMinLaunchDelaySeconds = 1;
 
 // Name of the default session desktop.
 wchar_t kDefaultDesktopName[] = L"winsta0\\default";
 
+// Takes the process token and makes a copy of it. The returned handle will have
+// |desired_access| rights.

[Wez, 2012/08/03 20:56:06]

nit: Clarify that we make an impersonation token from it.

[alexeypa (please no reviews), 2012/08/03 21:40:39]

Done.

+bool CopyProcessToken(DWORD desired_access, ScopedHandle* token_out) {
+  HANDLE handle;

[Wez, 2012/08/03 20:56:06]

Why not use ScopedHandle::Receive() to avoid the unmanaged HANDLE?

[alexeypa (please no reviews), 2012/08/03 21:40:39]

Good point. I missed this piece.

+  if (!OpenProcessToken(GetCurrentProcess(),
+                        TOKEN_DUPLICATE | desired_access,
+                        &handle)) {
+    LOG_GETLASTERROR(ERROR) << "Failed to open process token";
+    return false;
+  }
+
+  ScopedHandle process_token(handle);
+
+  if (!DuplicateTokenEx(process_token,
+                        desired_access,
+                        NULL,
+                        SecurityImpersonation,
+                        TokenPrimary,
+                        &handle)) {
+    LOG_GETLASTERROR(ERROR) << "Failed to duplicate the process token";
+    return false;
+  }
+
+  token_out->Set(handle);
+  return true;
+}
+
+// Creates a copy of the current process with SE_TCB_NAME privilege enabled.
+bool CreatePrivilegedToken(ScopedHandle* token_out) {

[Wez, 2012/08/03 20:56:06]

nit: Why not have CreatePrivilegedToken() accept the token to duplicate to be
privileged as a parameter, pass the process token in, and have this method
duplicate it?

[alexeypa (please no reviews), 2012/08/03 21:40:39]

The main reason is that it is not going to be used by the existing code. Should
such need arise it will be easy to make the change.

+  ScopedHandle privileged_token;
+  DWORD desired_access = TOKEN_ADJUST_PRIVILEGES | TOKEN_IMPERSONATE |
+                         TOKEN_DUPLICATE | TOKEN_QUERY;
+  if (!CopyProcessToken(desired_access, &privileged_token)) {
+    return false;
+  }
+
+  // Get the LUID for the SE_TCB_NAME privilege.
+  TOKEN_PRIVILEGES state;
+  state.PrivilegeCount = 1;
+  state.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+  if (!LookupPrivilegeValue(NULL, SE_TCB_NAME, &state.Privileges[0].Luid)) {
+    LOG_GETLASTERROR(ERROR) <<
+        "Failed to lookup the LUID for the SE_TCB_NAME privilege";
+    return false;
+  }
+
+  // Enable the SE_TCB_NAME privilege.
+  if (!AdjustTokenPrivileges(privileged_token, FALSE, &state, 0, NULL, 0)) {
+    LOG_GETLASTERROR(ERROR) <<
+        "Failed to enable SE_TCB_NAME privilege in a token";
+    return false;
+  }
+
+  token_out->Set(privileged_token.Take());
+  return true;
+}
+
 // Requests the execution server to create a process in the specified session
 // using the default (i.e. Winlogon) token. This routine relies on undocumented
 // OS functionality and will likely not work on anything but XP or W2K3.
 bool CreateRemoteSessionProcess(
     uint32 session_id,
     const std::wstring& application_name,
     const std::wstring& command_line,
     PROCESS_INFORMATION* process_information_out)
 {
   DCHECK(base::win::GetVersion() == base::win::VERSION_XP);
@@ skipping 183 matching lines @@
   }
 
   *process_information_out = response.process_information;
   return true;
 }
 
 } // namespace
 
 namespace remoting {
 
+// Creates a copy of the current process token for the given |session_id| so
+// it can be used to launch a process in that session.
+bool CreateSessionToken(uint32 session_id, ScopedHandle* token_out) {
+  ScopedHandle session_token;
+  DWORD desired_access = TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID |
+                         TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY;
+  if (!CopyProcessToken(desired_access, &session_token)) {
+    return false;
+  }
+
+  // Temporarily enable the SE_TCB_NAME privilege.

[Wez, 2012/08/03 20:56:06]

nit: Update comment to indicate _why_ we're doing this.

[alexeypa (please no reviews), 2012/08/03 21:40:39]

Done.

+  ScopedHandle privileged_token;
+  if (!CreatePrivilegedToken(&privileged_token)) {
+    return false;
+  }
+

[Wez, 2012/08/03 20:56:06]

nit: Lose the blank line; it implies that the impersonation isn't related to the
SE_TCB_NAME comment.

[alexeypa (please no reviews), 2012/08/03 21:40:39]

Done.

+  if (!ImpersonateLoggedOnUser(privileged_token)) {
+    LOG_GETLASTERROR(ERROR) <<
+        "Failed to impersonate the privileged token";
+    return false;
+  }
+
+  // Change the session ID of the token.
+  DWORD new_session_id = session_id;
+  if (!SetTokenInformation(session_token,
+                           TokenSessionId,
+                           &new_session_id,
+                           sizeof(new_session_id))) {
+    LOG_GETLASTERROR(ERROR) << "Failed to change session ID of a token";
+
+    // Revert to the default token.
+    CHECK(RevertToSelf());
+    return false;
+  }
+
+  // Revert to the default token.
+  CHECK(RevertToSelf());
+
+  token_out->Set(session_token.Take());
+  return true;
+}
+
 bool LaunchProcessWithToken(const FilePath& binary,
                             const std::wstring& command_line,
                             HANDLE user_token,
                             base::Process* process_out) {
   std::wstring application_name = binary.value();
 
   base::win::ScopedProcessInformation process_info;
   STARTUPINFOW startup_info;
 
   memset(&startup_info, 0, sizeof(startup_info));
@@ skipping 45 matching lines @@
         "Failed to launch a process with a user token";
     return false;
   }
 
   CHECK(process_info.IsValid());
   process_out->set_handle(process_info.TakeProcessHandle());
   return true;
 }
 
 } // namespace remoting