Merge pull request #323 from gerardog/fix/cache-as-system

Fix issue in system/trusted-installer credentials cache support

src/gsudo/AppSettings/Settings.cs

@@ -82,7 +82,7 @@ namespace gsudo
 
         public static RegistrySetting<string> ExceptionList { get; } =
             new RegistrySetting<string>(nameof(ExceptionList),
-                defaultValue: "notepad.exe;powershell.exe;",
+                defaultValue: "notepad.exe;powershell.exe;whoami.exe;",
                 deserializer: (string s)=>s,
                 scope: RegistrySettingScope.GlobalOnly);
 

src/gsudo/Commands/AttachRunCommand.cs

@@ -1,60 +0,0 @@
-using System;
-using gsudo.Helpers;
-using System.Collections.Generic;
-using System.ComponentModel;
-using System.IO;
-using System.Linq;
-using System.Threading.Tasks;
-using gsudo.Native;
-
-namespace gsudo.Commands
-{
-    /// <summary>
-    /// This command attaches to the parent console, then executes the command.
-    /// This works even if the parent has higher integrity level than us.
-    /// This must be launched by the caller gsudo and not the elevated service, because the parent process id must have the user console.
-    /// </summary>
-    class AttachRunCommand : ICommand
-    {
-        public IEnumerable<string> CommandToRun { get; private set; }
-
-        public AttachRunCommand(IEnumerable<string> commandToRun)
-        {
-            CommandToRun = commandToRun;
-        }
-        
-        public Task<int> Execute()
-        {
-            ConsoleApi.FreeConsole();
-            if (!ConsoleApi.AttachConsole(-1))
-            {
-                ConsoleApi.AllocConsole();
-                throw new ApplicationException($"Failed to attach console: {new Win32Exception()}");
-            }
-
-            var app = CommandToRun.First();
-            var args = string.Join(" ", CommandToRun.Skip(1).ToArray());
-
-            if (InputArguments.IntegrityLevel.HasValue &&
-                (int) InputArguments.IntegrityLevel != SecurityHelper.GetCurrentIntegrityLevel() &&
-                Environment.GetEnvironmentVariable("gsudoAttachRun") != "1")
-            {
-                Environment.SetEnvironmentVariable("gsudoAttachRun", "1"); // prevents infinite loop on machines with UAC disabled.
-                
-                var process = ProcessFactory.StartAttachedWithIntegrity(
-                    InputArguments.GetIntegrityLevel(), app, args, Directory.GetCurrentDirectory(), false, true);
-
-                process.GetProcessWaitHandle().WaitOne();
-
-                if (ProcessApi.GetExitCodeProcess(process, out var exitCode))
-                    return Task.FromResult(exitCode);
-            }
-            else
-            {
-                ProcessFactory.StartAttached(app, args).WaitForExit();
-            }
-
-            return Task.FromResult(0);
-        }
-    }
-}

src/gsudo/Commands/RunCommand.cs

@@ -120,15 +120,15 @@ namespace gsudo.Commands
                     serviceLocation = await ServiceHelper.WaitForNewService(callingPid).ConfigureAwait(false);
                 }
 
+                if (serviceLocation==null)
+                    throw new ApplicationException("Unable to connect to the elevated service.");
+
                 if (!InputArguments.IntegrityLevel.HasValue)
                 {
                     // This is the edge case where user does `gsudo -u SomeOne` and we dont know if SomeOne can elevate or not.
                     elevationRequest.IntegrityLevel = serviceLocation.IsHighIntegrity ? IntegrityLevel.High : IntegrityLevel.Medium;
                 }
 
-                if (serviceLocation==null)
-                    throw new ApplicationException("Unable to connect to the elevated service.");
-
                 connection = await ServiceHelper.Connect(serviceLocation).ConfigureAwait(false);
                 if (connection == null) // service is not running or listening.
                 {

src/gsudo/Helpers/CommandLineParser.cs

@@ -274,9 +274,6 @@ namespace gsudo.Helpers
             if (arg.In("run"))
                 return new RunCommand(commandToRun: args.ToArray());
 
-            if (arg.In("AttachRun"))
-                return new AttachRunCommand(commandToRun: args.ToArray());
-
             args.AddFirst(arg);
 
             if (arg == "!!" || arg.StartsWith("!", StringComparison.InvariantCulture))

src/gsudo/Helpers/ServiceHelper.cs

@@ -71,9 +71,12 @@ namespace gsudo.Helpers
             var anyIntegrity = InputArguments.UserName != null;
             var tryHighIntegrity = !InputArguments.IntegrityLevel.HasValue || InputArguments.IntegrityLevel.Value >= IntegrityLevel.High;
             var tryLowIntegrity = !InputArguments.IntegrityLevel.HasValue || InputArguments.IntegrityLevel.Value < IntegrityLevel.High;
+
+            var targetUserSid = InputArguments.RunAsSystem ? "S-1-5-18" : InputArguments.UserSid;
+
             if (tryHighIntegrity)
             {
-                var pipeName = NamedPipeClient.TryGetServicePipe(user, clientPid.Value, true);
+                var pipeName = NamedPipeClient.TryGetServicePipe(user, clientPid.Value, true, null);
                 if (pipeName != null)
                 {
                     return new ServiceLocation

src/gsudo/Rpc/NamedPipeNameFactory.cs

@@ -13,9 +13,10 @@ namespace gsudo.Rpc
             if (allowedPid < 0) allowedPid = 0;
 
             var ti = InputArguments.TrustedInstaller ? "_TI" : string.Empty;
-            var admin = !isAdmin ? "_NonAdmin" : string.Empty;
+            var s = InputArguments.RunAsSystem ? "_S" : string.Empty;
+            var admin = !isAdmin ? "_NonAdmin" : string.Empty;
 
-            var data = $"{allowedSid}_{targetSid}_{allowedPid}_{ti}{admin}";
+            var data = $"allowedSid-{allowedSid}_targetSid-{targetSid}{allowedPid}{s}{ti}{admin}";
 #if !DEBUG
             data = GetHash(data);
 #endif