Make our process's ACL more restrictive.
authorOwen Dunn <owen@greenend.org.uk>
Tue, 24 Nov 2015 22:02:24 +0000 (22:02 +0000)
committerOwen Dunn <owen@greenend.org.uk>
Tue, 24 Nov 2015 22:02:24 +0000 (22:02 +0000)
By default Windows processes have wide open ACLs which allow interference
by other processes running as the same user.  Adjust our ACL to make this
a bit harder.

Because it's useful to protect PuTTYtel as well, carve winsecur.c into
advapi functions and wincapi.c for crypt32 functions.

Recipe
windows/wincapi.c [new file with mode: 0644]
windows/wincapi.h [new file with mode: 0644]
windows/window.c
windows/winsecur.c
windows/winsecur.h
windows/winshare.c

diff --git a/Recipe b/Recipe
index ebc9908fbc9c41c90a660e8d31b6ee58b2f0b6fe..67435c6871a4ca7e19180514c274d6682e4ab828 100644 (file)
--- a/Recipe
+++ b/Recipe
@@ -224,7 +224,7 @@ SSH      = ssh sshcrc sshdes sshmd5 sshrsa sshrand sshsha sshblowf
          + sshdh sshcrcda sshpubk sshzlib sshdss x11fwd portfwd
          + sshaes sshccp sshsh256 sshsh512 sshbn wildcard pinger ssharcf
          + sshgssc pgssapi sshshare sshecc
-WINSSH   = SSH winnoise winsecur winpgntc wingss winshare winnps winnpc
+WINSSH   = SSH winnoise wincapi winpgntc wingss winshare winnps winnpc
          + winhsock errsock
 UXSSH    = SSH uxnoise uxagentc uxgss uxshare
 
@@ -235,7 +235,7 @@ SFTP     = sftp int64 logging
 # Pageant or PuTTYgen).
 MISC     = timing callback misc version settings tree234 proxy conf
 WINMISC  = MISC winstore winnet winhandl cmdline windefs winmisc winproxy
-         + wintime winhsock errsock
+         + wintime winhsock errsock winsecur
 UXMISC   = MISC uxstore uxsel uxnet uxpeer cmdline uxmisc uxproxy time
 OSXMISC  = MISC uxstore uxsel osxsel uxnet uxpeer uxmisc uxproxy time
 
diff --git a/windows/wincapi.c b/windows/wincapi.c
new file mode 100644 (file)
index 0000000..2550b6d
--- /dev/null
@@ -0,0 +1,27 @@
+/*
+ * wincapi.c: implementation of wincapi.h.
+ */
+
+#include "putty.h"
+
+#if !defined NO_SECURITY
+
+#define WINCAPI_GLOBAL
+#include "wincapi.h"
+
+int got_crypt(void)
+{
+    static int attempted = FALSE;
+    static int successful;
+    static HMODULE crypt;
+
+    if (!attempted) {
+        attempted = TRUE;
+        crypt = load_system32_dll("crypt32.dll");
+        successful = crypt &&
+            GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
+    }
+    return successful;
+}
+
+#endif /* !defined NO_SECURITY */
diff --git a/windows/wincapi.h b/windows/wincapi.h
new file mode 100644 (file)
index 0000000..06ee2d3
--- /dev/null
@@ -0,0 +1,18 @@
+/*
+ * wincapi.h: Windows Crypto API functions defined in wincrypt.c
+ * that use the crypt32 library. Also centralises the machinery
+ * for dynamically loading that library.
+ */
+
+#if !defined NO_SECURITY
+
+#ifndef WINCAPI_GLOBAL
+#define WINCAPI_GLOBAL extern
+#endif
+
+DECL_WINDOWS_FUNCTION(WINCAPI_GLOBAL, BOOL, CryptProtectMemory,
+                     (LPVOID,DWORD,DWORD));
+
+int got_crypt(void);
+
+#endif
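Review bot: The header comment says these functions are "defined in wincrypt.c", but the implementing file added by this commit is windows/wincapi.c, so the first line should read `wincapi.h: Windows Crypto API functions defined in wincapi.c`. `got_crypt()` is also declared without a contract; a comment such as `/* Returns nonzero if crypt32.dll was loaded and CryptProtectMemory was resolved; the result is cached after the first call. */` would tell callers to check it before using the function pointer and to have a fallback when it returns zero. The closing `#endif` could carry `/* !defined NO_SECURITY */`, as wincapi.c does.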
index 23f98a476da825ac25a66a084a5d80a8a35aee4f..db42634731f6258372752890bf6781f699ddbe08 100644 (file)
@@ -19,6 +19,7 @@
 #include "terminal.h"
 #include "storage.h"
 #include "win_res.h"
+#include "winsecur.h"
 
 #ifndef NO_MULTIMON
 #include <multimon.h>
@@ -390,6 +391,20 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
        return 1;
     }
 
+    /*
+     * Protect our process
+     */
+    {
+      char *error = NULL;
+
+      if (! setprocessacl(error)) {
+       /* FIXME: prepare to stuff this into event log somehow */
+       MessageBox(NULL, "Process protection",
+                  error, MB_OK | MB_ICONEXCLAMATION);
+      }
+      sfree(error);
+
+    }
     /*
      * Process the command line.
      */
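Review bot: The failure path in the added block can never show the real error: `error` is passed to `setprocessacl` by value, so it is still NULL when `MessageBox` runs, and the `MessageBox` arguments are reversed (the API takes the text first, then the caption). Following `make_private_security_descriptor`, which takes `char **error`, the call should be `if (!setprocessacl(&error)) {` with `MessageBox(NULL, error, "Process protection", MB_OK | MB_ICONEXCLAMATION);`, and the prototype in winsecur.h and the definition in winsecur.c should become `int setprocessacl(char **error)`. As written, `sfree(error)` frees nothing, and any message the function builds is presumably lost (its body is outside the visible hunks). A comment here should also state that a failed ACL change is only warned about and startup continues, so the process then runs with the default, permissive ACL that the commit message describes. WinMain continues outside the hunk.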
index 6e4bd7d4c2fe54e3cbf237c32ed3a2e7e101ac3c..9cdac26c3ba36bf11a09c5d40d6ecf6257714e88 100644 (file)
@@ -36,21 +36,6 @@ int got_advapi(void)
     return successful;
 }
 
-int got_crypt(void)
-{
-    static int attempted = FALSE;
-    static int successful;
-    static HMODULE crypt;
-
-    if (!attempted) {
-        attempted = TRUE;
-        crypt = load_system32_dll("crypt32.dll");
-        successful = crypt &&
-            GET_WINDOWS_FUNCTION(crypt, CryptProtectMemory);
-    }
-    return successful;
-}
-
 PSID get_user_sid(void)
 {
     HANDLE proc = NULL, tok = NULL;
@@ -237,7 +222,7 @@ int make_private_security_descriptor(DWORD permissions,
     return ret;
 }
 
-int protectprocess(char *error)
+int setprocessacl(char *error)
 {
     SID_IDENTIFIER_AUTHORITY world_auth = SECURITY_WORLD_SID_AUTHORITY;
     SID_IDENTIFIER_AUTHORITY nt_auth = SECURITY_NT_AUTHORITY;
index bd64982768aaf3d18f4add9c15c88730928f08cf..03e8314d7b72bfacc1b80160dd26011f9ee7a43a 100644 (file)
@@ -32,13 +32,6 @@ DECL_WINDOWS_FUNCTION(WINSECUR_GLOBAL, DWORD, SetEntriesInAclA,
                      (ULONG, PEXPLICIT_ACCESS, PACL, PACL *));
 int got_advapi(void);
 
-/*
- * Functions loaded from crypt32.dll.
- */
-DECL_WINDOWS_FUNCTION(WINSECUR_GLOBAL, BOOL, CryptProtectMemory,
-                     (LPVOID, DWORD, DWORD));
-int got_crypt(void);
-
 /*
  * Find the SID describing the current user. The return value (if not
  * NULL for some error-related reason) is smalloced.
@@ -60,4 +53,6 @@ int make_private_security_descriptor(DWORD permissions,
                                      PACL *acl,
                                      char **error);
 
+int setprocessacl(char *error);
+
 #endif
index 2f21638e76c6c01b914a576291c171b4c0768156..5f1c7244010ff401a4da4889c674b349884654b0 100644 (file)
@@ -14,7 +14,7 @@
 #include "proxy.h"
 #include "ssh.h"
 
-#include "winsecur.h"
+#include "wincapi.h"
 
 #ifdef COVERITY
 /*