From acfa387b8d69adbeab4af0736737d42b9f2e8254 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Thu, 29 Aug 2019 07:51:42 -0600
Subject: [PATCH] windows: open process tokens with duplicate access

A usual thing to ask is, "Is my current token in group X?" The right way of doing such a thing is: processToken, err := windows.OpenCurrentProcessToken() if err != nil { return false, err } defer processToken.Close() var checkableToken windows.Token err = windows.DuplicateTokenEx(token, windows.TOKEN_QUERY | windows.TOKEN_IMPERSONATE, nil, windows.SecurityIdentification, windows.TokenImpersonation, &checkableToken) if err != nil { return false, err } defer checkableToken.Close() isMember, err := checkableToken.IsMember(someSID) return isMember && err == nil, nil This is the same flow that's used by, for example, shell32's internal _LUAIsTokenAdmin function. However, this all fails unless the original token is opened with duplicate access. So this commit adjusts OpenCurrentProcessToken to do the right thing.

Change-Id: I18efdfde43097ea9d10758018b0df132fba819f5
Reviewed-on: https://go-review.googlesource.com/c/sys/+/192337
Run-TryBot: Jason A. Donenfeld
TryBot-Result: Gobot Gobot
Reviewed-by: Simon Rozman
Reviewed-by: Alex Brainman
---
 windows/security_windows.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security_windows.go b/windows/security_windows.go
index 7dfe201a..7b2cfb9e 100644
--- a/windows/security_windows.go
+++ b/windows/security_windows.go
@@ -666,7 +666,7 @@ func OpenCurrentProcessToken() (Token, error) {
 return 0, e
 }
 var t Token
- e = OpenProcessToken(p, TOKEN_QUERY, &t)
+ e = OpenProcessToken(p, TOKEN_QUERY|TOKEN_DUPLICATE, &t)
 if e != nil {
 return 0, e
 }
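Review bot: The access mask on the changed `OpenProcessToken` call is now something callers of `OpenCurrentProcessToken` depend on, yet nothing visible in the hunk records which rights the returned handle carries or why. I would put a short comment above the call, such as `// TOKEN_DUPLICATE lets callers pass this handle to DuplicateTokenEx (e.g. for an IsMember check); only query and duplicate rights are requested.`, and mirror that in the function's doc comment, which begins outside the hunk and may already cover part of it. That way a later edit neither drops the right nor widens the mask without noticing. The commit also adds no test for the open, duplicate, `IsMember` sequence described in the message, so a regression in the mask would go unnoticed; a small Windows-only test of that flow would pin it.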