| Index: remoting/host/win/unprivileged_process_delegate.cc
|
| diff --git a/remoting/host/win/unprivileged_process_delegate.cc b/remoting/host/win/unprivileged_process_delegate.cc
|
| index cf538d392a123615cadb3816225ae1b498b285aa..9a7f2ab0ff7780d58308d3c88e0d6f73e1b2243e 100644
|
| --- a/remoting/host/win/unprivileged_process_delegate.cc
|
| +++ b/remoting/host/win/unprivileged_process_delegate.cc
|
| @@ -22,7 +22,6 @@
|
| #include "base/strings/utf_string_conversions.h"
|
| #include "base/synchronization/lock.h"
|
| #include "base/win/scoped_handle.h"
|
| -#include "base/win/windows_version.h"
|
| #include "ipc/attachment_broker.h"
|
| #include "ipc/ipc_channel.h"
|
| #include "ipc/ipc_channel_proxy.h"
|
| @@ -92,34 +91,23 @@ bool CreateRestrictedToken(ScopedHandle* token_out) {
|
| if (restricted_token.Init(token.Get()) != ERROR_SUCCESS)
|
| return false;
|
|
|
| - if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
|
| - // "SeChangeNotifyPrivilege" is needed to access the machine certificate
|
| - // (including its private key) in the "Local Machine" cert store. This is
|
| - // needed for HTTPS client third-party authentication . But the presence of
|
| - // "SeChangeNotifyPrivilege" also allows it to open and manipulate objects
|
| - // owned by the same user. This risk is only mitigated by setting the
|
| - // process integrity level to Low, which is why it is unsafe to enable
|
| - // "SeChangeNotifyPrivilege" on Windows XP where we don't have process
|
| - // integrity to protect us.
|
| - std::vector<base::string16> exceptions;
|
| - exceptions.push_back(base::string16(L"SeChangeNotifyPrivilege"));
|
| -
|
| - // Remove privileges in the token.
|
| - if (restricted_token.DeleteAllPrivileges(&exceptions) != ERROR_SUCCESS)
|
| - return false;
|
| -
|
| - // Set low integrity level if supported by the OS.
|
| - if (restricted_token.SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW)
|
| - != ERROR_SUCCESS) {
|
| - return false;
|
| - }
|
| - } else {
|
| - // Remove all privileges in the token.
|
| - // Since "SeChangeNotifyPrivilege" is among the privileges being removed,
|
| - // the network process won't be able to acquire certificates from the local
|
| - // machine store. This means third-party authentication won't work.
|
| - if (restricted_token.DeleteAllPrivileges(nullptr) != ERROR_SUCCESS)
|
| - return false;
|
| + // "SeChangeNotifyPrivilege" is needed to access the machine certificate
|
| + // (including its private key) in the "Local Machine" cert store. This is
|
| + // needed for HTTPS client third-party authentication . But the presence of
|
| + // "SeChangeNotifyPrivilege" also allows it to open and manipulate objects
|
| + // owned by the same user. This risk is only mitigated by setting the
|
| + // process integrity level to Low.
|
| + std::vector<base::string16> exceptions;
|
| + exceptions.push_back(base::string16(L"SeChangeNotifyPrivilege"));
|
| +
|
| + // Remove privileges in the token.
|
| + if (restricted_token.DeleteAllPrivileges(&exceptions) != ERROR_SUCCESS)
|
| + return false;
|
| +
|
| + // Set low integrity level.
|
| + if (restricted_token.SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW) !=
|
| + ERROR_SUCCESS) {
|
| + return false;
|
| }
|
|
|
| // Return the resulting token.
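Review bot: With the XP branch gone, the token now always keeps "SeChangeNotifyPrivilege", so the SetIntegrityLevel() call is the sole mitigation for that retained privilege, and the comment at `// Set low integrity level.` should say so, because a future reader may be tempted to make that failure non-fatal: `// Set low integrity level. The retained "SeChangeNotifyPrivilege" is only safe at Low integrity, so a failure here must fail token creation.`. The code already fails closed (returns false before the token is handed out), which is correct. The surrounding comment also still carries the stray space in "authentication ." on the new side. The version check's removal presumably reflects a raised minimum supported Windows version; a one-line note to that effect would explain why the runtime check is no longer needed. CreateRestrictedToken starts and ends outside this hunk.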
|
| @@ -145,17 +133,12 @@ bool CreateWindowStationAndDesktop(ScopedSid logon_sid,
|
|
|
| // Format the security descriptors in SDDL form.
|
| std::string desktop_sddl =
|
| - base::StringPrintf(kDesktopSdFormat, logon_sid_string.c_str());
|
| + base::StringPrintf(kDesktopSdFormat, logon_sid_string.c_str()) +
|
| + kLowIntegrityMandatoryLabel;
|
| std::string window_station_sddl =
|
| base::StringPrintf(kWindowStationSdFormat, logon_sid_string.c_str(),
|
| - logon_sid_string.c_str());
|
| -
|
| - // The worker runs at low integrity level. Make sure it will be able to attach
|
| - // to the window station and desktop.
|
| - if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
|
| - desktop_sddl += kLowIntegrityMandatoryLabel;
|
| - window_station_sddl += kLowIntegrityMandatoryLabel;
|
| - }
|
| + logon_sid_string.c_str()) +
|
| + kLowIntegrityMandatoryLabel;
|
|
|
| // Create the desktop and window station security descriptors.
|
| ScopedSd desktop_sd = ConvertSddlToSd(desktop_sddl);
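Review bot: The rationale for appending kLowIntegrityMandatoryLabel to both SDDL strings was lost when the version-gated block and its comment were deleted; the new `+ kLowIntegrityMandatoryLabel` operands are now unexplained. Restore the explanation above the `desktop_sddl` assignment: `// The worker runs at low integrity level. Append the low-integrity mandatory label so it can attach to the window station and desktop.`. The concatenation itself is fine: StringPrintf returns a std::string, so `+` with the label is well-formed. CreateWindowStationAndDesktop starts and ends outside this hunk.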
|
| @@ -177,9 +160,7 @@ bool CreateWindowStationAndDesktop(ScopedSid logon_sid,
|
|
|
| // Make sure that a new window station will be created instead of opening
|
| // an existing one.
|
| - DWORD window_station_flags = 0;
|
| - if (base::win::GetVersion() >= base::win::VERSION_VISTA)
|
| - window_station_flags = CWF_CREATE_ONLY;
|
| + DWORD window_station_flags = CWF_CREATE_ONLY;
|
|
|
| // Request full access because this handle will be inherited by the worker
|
| // process which needs full access in order to attach to the window station.
|
|
|