Message257116
Testing based on integrity level doesn't require creating a child process. I'm attaching a ctypes-based example that defines a context manager that temporarily sets the integrity level of the current thread's impersonation token.
To get the impersonation token, I initially tried using ImpersonateSelf / RevertToSelf, but I was unhappy with how it fails for nested contexts since RevertToSelf always switches back to the process token. I opted to instead call OpenThreadToken / OpenProcessToken, DuplicateTokenEx, and SetThreadToken.
I chose to use the WELL_KNOWN_SID_TYPE enum values to get the label SIDs via CreateWellKnownSid. Note that I omitted the GetLengthSid call when passing the size of the TOKEN_MANDATORY_LABEL to SetTokenInformation. It only needs the size of the primary buffer. The SID it points at is a sized structure (i.e. SubAuthorityCount).
Example:
import winreg
HKLM = winreg.HKEY_LOCAL_MACHINE
subkey = r'SOFTWARE\Microsoft\SystemCertificates\CA'
access = winreg.KEY_ALL_ACCESS
>>> key = winreg.OpenKey(HKLM, subkey, 0, access)
>>> print(key)
<PyHKEY:0x0000000000000178>
>>> key.Close()
Repeat with low integrity level:
>>> with token_integrity_level('low'):
... winreg.OpenKey(HKLM, subkey, 0, access)
...
Traceback (most recent call last):
File "<stdin>", line 2, in <module>
PermissionError: [WinError 5] Access is denied
A context manager like this could be added to the test helper module that was proposed in issue 22080. It could also add the ability to impersonate with a restricted copy of the process token -- like what UAC creates. psexec -l does this by calling CreateRestrictedToken followed by SetInformationToken for the TokenIntegrityLevel and TokenDefaultDacl. |
|
Date |
User |
Action |
Args |
2015-12-28 15:06:08 | eryksun | set | recipients:
+ eryksun, paul.moore, tim.golden, zach.ware, steve.dower, yan12125 |
2015-12-28 15:06:08 | eryksun | set | messageid: <1451315168.72.0.0640947833306.issue25939@psf.upfronthosting.co.za> |
2015-12-28 15:06:08 | eryksun | link | issue25939 messages |
2015-12-28 15:06:08 | eryksun | create | |
|