commit | acfa387b8d69adbeab4af0736737d42b9f2e8254 | [log] [tgz] |
---|---|---|
author | Jason A. Donenfeld <Jason@zx2c4.com> | Thu Aug 29 07:51:42 2019 -0600 |
committer | Jason A. Donenfeld <Jason@zx2c4.com> | Fri Aug 30 14:18:01 2019 +0000 |
tree | 7aee2406b5f7d78942a1412540d4da8a796545ca | |
parent | 08d80c9d36de4cf3f0843a021c300dd67a5e47dc [diff] |

windows: open process tokens with duplicate access

A usual thing to ask is, "Is my current token in group X?" The right way of doing such a thing is:

    processToken, err := windows.OpenCurrentProcessToken()
    if err != nil {
        return false, err
    }
    defer processToken.Close()
    var checkableToken windows.Token
    err = windows.DuplicateTokenEx(processToken,
        windows.TOKEN_QUERY|windows.TOKEN_IMPERSONATE, nil,
        windows.SecurityIdentification, windows.TokenImpersonation,
        &checkableToken)
    if err != nil {
        return false, err
    }
    defer checkableToken.Close()
    isMember, err := checkableToken.IsMember(someSID)
    return isMember && err == nil, nil

This is the same flow that's used by, for example, shell32's internal _LUAIsTokenAdmin function. However, this all fails unless the original token is opened with duplicate access. So this commit adjusts OpenCurrentProcessToken to do the right thing.

Change-Id: I18efdfde43097ea9d10758018b0df132fba819f5
Reviewed-on: https://go-review.googlesource.com/c/sys/+/192337
Run-TryBot: Jason A. Donenfeld <Jason@zx2c4.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Simon Rozman <simon@rozman.si>
Reviewed-by: Alex Brainman <alex.brainman@gmail.com>

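
The access-mask dependency the commit message describes, as an added example that is not code from golang.org/x/sys: a pure-Go model (no Windows calls) in which duplication is refused unless the source handle carries TOKEN_DUPLICATE, and the group check accepts only an impersonation token opened with TOKEN_QUERY. The `token` type, the function names, the group data and the TOKEN_QUERY-only starting mask are assumptions made for illustration.

```go
package main

import "errors"
import "fmt"

const (
	tokenDuplicate   uint32 = 0x0002         // TOKEN_DUPLICATE (winnt.h)
	tokenImpersonate uint32 = 0x0004         // TOKEN_IMPERSONATE
	tokenQuery       uint32 = 0x0008         // TOKEN_QUERY
	adminsSID               = "S-1-5-32-544" // constructed sample: BUILTIN\Administrators
)
var errAccessDenied = errors.New("access denied: source handle lacks TOKEN_DUPLICATE")
var errNotCheckable = errors.New("need an impersonation token opened with TOKEN_QUERY")

// token is a simplified model of a token handle, not a real Windows handle.
type token struct {
	access        uint32          // rights granted when the handle was opened
	impersonation bool            // false for a primary (process) token
	groups        map[string]bool // constructed group SIDs
}

// duplicate models DuplicateTokenEx: refused unless src was opened with TOKEN_DUPLICATE.
func duplicate(src token, desired uint32) (token, error) {
	if src.access&tokenDuplicate == 0 {
		return token{}, errAccessDenied
	}
	return token{access: desired, impersonation: true, groups: src.groups}, nil
}

// checkMembership models the group check, which a primary token cannot be used for.
func checkMembership(t token, sid string) (bool, error) {
	if !t.impersonation || t.access&tokenQuery == 0 {
		return false, errNotCheckable
	}
	return t.groups[sid], nil
}

func isMember(openAccess uint32, sid string) (bool, error) { // the commit message's flow
	process := token{access: openAccess, groups: map[string]bool{adminsSID: true}}
	dup, err := duplicate(process, tokenQuery|tokenImpersonate)
	if err != nil {
		return false, err
	}
	return checkMembership(dup, sid)
}

func main() {
	fmt.Println(isMember(tokenQuery, adminsSID))                // false, access denied
	fmt.Println(isMember(tokenQuery|tokenDuplicate, adminsSID)) // true <nil>
}
```
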
This repository holds supplemental Go packages for low-level interactions with the operating system.
The easiest way to install is to run `go get -u golang.org/x/sys`. You can also manually git clone the repository to `$GOPATH/src/golang.org/x/sys`.
This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.
The main issue tracker for the sys repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/sys:” in the subject line, so it is easy to find.