Merge branch 'master' into snyk-fix-402cafacd65f3ea5e38c1c202c3528ca

2025-01-08 11:47:40 +08:00 · 2023-12-18 10:46:24 -03:00 · 2023-12-18 10:46:24 -03:00 · a7fcc1a9aa
commit a7fcc1a9aa
parent b0b07efa81 c23b1024b4
7 changed files with 13 additions and 74 deletions
--- a/src/gsudo/AppSettings/Settings.cs
+++ b/src/gsudo/AppSettings/Settings.cs
@ -82,7 +82,7 @@ namespace gsudo

        public static RegistrySetting<string> ExceptionList { get; } =
            new RegistrySetting<string>(nameof(ExceptionList),
-                defaultValue: "notepad.exe;powershell.exe;",
+                defaultValue: "notepad.exe;powershell.exe;whoami.exe;",
                deserializer: (string s)=>s,
                scope: RegistrySettingScope.GlobalOnly);

--- a/src/gsudo/Commands/AttachRunCommand.cs
+++ b/src/gsudo/Commands/AttachRunCommand.cs
@ -1,60 +0,0 @@
-using System;
-using gsudo.Helpers;
-using System.Collections.Generic;
-using System.ComponentModel;
-using System.IO;
-using System.Linq;
-using System.Threading.Tasks;
-using gsudo.Native;
-
-namespace gsudo.Commands
-{
-    /// <summary>
-    /// This command attaches to the parent console, then executes the command.
-    /// This works even if the parent has higher integrity level than us.
-    /// This must be launched by the caller gsudo and not the elevated service, because the parent process id must have the user console.
-    /// </summary>
-    class AttachRunCommand : ICommand
-    {
-        public IEnumerable<string> CommandToRun { get; private set; }
-
-        public AttachRunCommand(IEnumerable<string> commandToRun)
-        {
-            CommandToRun = commandToRun;
-        }
-        
-        public Task<int> Execute()
-        {
-            ConsoleApi.FreeConsole();
-            if (!ConsoleApi.AttachConsole(-1))
-            {
-                ConsoleApi.AllocConsole();
-                throw new ApplicationException($"Failed to attach console: {new Win32Exception()}");
-            }
-
-            var app = CommandToRun.First();
-            var args = string.Join(" ", CommandToRun.Skip(1).ToArray());
-
-            if (InputArguments.IntegrityLevel.HasValue &&
-                (int) InputArguments.IntegrityLevel != SecurityHelper.GetCurrentIntegrityLevel() &&
-                Environment.GetEnvironmentVariable("gsudoAttachRun") != "1")
-            {
-                Environment.SetEnvironmentVariable("gsudoAttachRun", "1"); // prevents infinite loop on machines with UAC disabled.
-                
-                var process = ProcessFactory.StartAttachedWithIntegrity(
-                    InputArguments.GetIntegrityLevel(), app, args, Directory.GetCurrentDirectory(), false, true);
-
-                process.GetProcessWaitHandle().WaitOne();
-
-                if (ProcessApi.GetExitCodeProcess(process, out var exitCode))
-                    return Task.FromResult(exitCode);
-            }
-            else
-            {
-                ProcessFactory.StartAttached(app, args).WaitForExit();
-            }
-
-            return Task.FromResult(0);
-        }
-    }
-}
--- a/src/gsudo/Commands/RunCommand.cs
+++ b/src/gsudo/Commands/RunCommand.cs
@ -120,15 +120,15 @@ namespace gsudo.Commands
                    serviceLocation = await ServiceHelper.WaitForNewService(callingPid).ConfigureAwait(false);
                }

+                if (serviceLocation==null)
+                    throw new ApplicationException("Unable to connect to the elevated service.");
+
                if (!InputArguments.IntegrityLevel.HasValue)
                {
                    // This is the edge case where user does `gsudo -u SomeOne` and we dont know if SomeOne can elevate or not.
                    elevationRequest.IntegrityLevel = serviceLocation.IsHighIntegrity ? IntegrityLevel.High : IntegrityLevel.Medium;
                }

-                if (serviceLocation==null)
-                    throw new ApplicationException("Unable to connect to the elevated service.");
-
                connection = await ServiceHelper.Connect(serviceLocation).ConfigureAwait(false);
                if (connection == null) // service is not running or listening.
                {
--- a/src/gsudo/Helpers/CommandLineParser.cs
+++ b/src/gsudo/Helpers/CommandLineParser.cs
@ -79,6 +79,7 @@ namespace gsudo.Helpers
                    if (c != null)
                        return c;
                }
+                else if (arg.In("-noninteractive")) { } // ignore due to gerardog/gsudo#305
                else if (arg.StartsWith("-", StringComparison.OrdinalIgnoreCase)
                            && arg.NotIn("-encodedCommand")) // -encodedCommand is not posix compliant, but is what powershell sends on: gsudo { script block }
                                                             // So treat -encodedCommand as part of the CommandToRun, for gerardog/gsudo#160
@ -273,9 +274,6 @@ namespace gsudo.Helpers
            if (arg.In("run"))
                return new RunCommand(commandToRun: args.ToArray());

-            if (arg.In("AttachRun"))
-                return new AttachRunCommand(commandToRun: args.ToArray());
-
            args.AddFirst(arg);

            if (arg == "!!" || arg.StartsWith("!", StringComparison.InvariantCulture))
--- a/src/gsudo/Helpers/CommandToRunAdapter.cs
+++ b/src/gsudo/Helpers/CommandToRunAdapter.cs
@ -1,15 +1,12 @@
 using gsudo.Native;
-using Microsoft.VisualBasic;
 using System;
 using System.Collections;
 using System.Collections.Generic;
-using System.Globalization;
 using System.IO;
 using System.Linq;
 using System.Security.AccessControl;
 using System.Security.Principal;
 using System.Text;
-using System.Threading.Tasks;

 namespace gsudo.Helpers
 {
@ -133,7 +130,7 @@ namespace gsudo.Helpers
                        if (!Settings.PowerShellLoadProfile)
                            newArgs.Add("-NoProfile");

-                        if (args[0] == "-encodedCommand")
+                        if (args[0].In("-encodedCommand", "-noninteractive"))
                        {
                            newArgs.AddRange(args);
                        }
--- a/src/gsudo/Helpers/ServiceHelper.cs
+++ b/src/gsudo/Helpers/ServiceHelper.cs
@ -71,9 +71,12 @@ namespace gsudo.Helpers
            var anyIntegrity = InputArguments.UserName != null;
            var tryHighIntegrity = !InputArguments.IntegrityLevel.HasValue || InputArguments.IntegrityLevel.Value >= IntegrityLevel.High;
            var tryLowIntegrity = !InputArguments.IntegrityLevel.HasValue || InputArguments.IntegrityLevel.Value < IntegrityLevel.High;
+
+            var targetUserSid = InputArguments.RunAsSystem ? "S-1-5-18" : InputArguments.UserSid;
+
            if (tryHighIntegrity)
            {
-                var pipeName = NamedPipeClient.TryGetServicePipe(user, clientPid.Value, true);
+                var pipeName = NamedPipeClient.TryGetServicePipe(user, clientPid.Value, true, null);
                if (pipeName != null)
                {
                    return new ServiceLocation
--- a/src/gsudo/Rpc/NamedPipeNameFactory.cs
+++ b/src/gsudo/Rpc/NamedPipeNameFactory.cs
@ -13,9 +13,10 @@ namespace gsudo.Rpc
            if (allowedPid < 0) allowedPid = 0;

            var ti = InputArguments.TrustedInstaller ? "_TI" : string.Empty;
-            var admin = !isAdmin ? "_NonAdmin" : string.Empty;
+            var s = InputArguments.RunAsSystem ? "_S" : string.Empty;
+            var admin = !isAdmin ? "_NonAdmin" : string.Empty;

-            var data = $"{allowedSid}_{targetSid}_{allowedPid}_{ti}{admin}";
+            var data = $"allowedSid-{allowedSid}_targetSid-{targetSid}{allowedPid}{s}{ti}{admin}";
 #if !DEBUG
            data = GetHash(data);
 #endif