Mercurial > trustbridge

diff cinst/nssstore_win.c @ 1119:5349e2354c48
(issue54) Merge branch runafterinstall There is now an NSIS Plugin that executes the Software after installation using COM in the shell of the current user. With the way over the shell there is no inheritance / token management required. As it is impossible to drop all privileges of a token granted by UAC and still be able to reelevate the Token again with another RunAs call later this round trip over the Shell was necessary.
author: Andre Heinecke <andre.heinecke@intevation.de>
date: Tue, 16 Sep 2014 19:48:22 +0200
parents: fd85a02d771d
children: e210ecc32d69
--- a/cinst/nssstore_win.c	Tue Sep 16 11:45:32 2014 +0200
+++ b/cinst/nssstore_win.c	Tue Sep 16 19:48:22 2014 +0200
@@ -39,7 +39,6 @@
 */
 
 #include <windows.h>
-#include <winsafer.h>
 #include <sddl.h>
 #include <stdio.h>
 #include <stdbool.h>
@@ -99,73 +98,6 @@
   xfree (item);
 }
 
-/** @brief get a restricted access token to execute nss process
-  *
-  * This function uses the Software Restriction API to obtain the
-  * access token for a process run als normal user.
-  *
-  * @returns A restricted handle or NULL on error.
-  */
-static HANDLE
-get_restricted_token()
-{
-  SAFER_LEVEL_HANDLE user_level = NULL;
-  HANDLE retval = NULL;
-  SID_IDENTIFIER_AUTHORITY medium_identifier = {SECURITY_MANDATORY_LABEL_AUTHORITY};
-  PSID medium_sid = NULL;
-  TOKEN_MANDATORY_LABEL integrity_label;
-
-  memset (&integrity_label, 0, sizeof (integrity_label));
-
-  if (!SaferCreateLevel(SAFER_SCOPEID_USER,
-                        SAFER_LEVELID_NORMALUSER,
-                        SAFER_LEVEL_OPEN, &user_level, NULL))
-    {
-      PRINTLASTERROR ("Failed to create user level.\n");
-      return NULL;
-    }
-
-  if (!SaferComputeTokenFromLevel(user_level, NULL, &retval, 0, NULL))
-    {
-      SaferCloseLevel(user_level);
-      return NULL;
-    }
-
-  SaferCloseLevel(user_level);
-
-  /* Set the SID to medium it will still be high otherwise. Even if
-  there is no high access allowed. */
-  if (!AllocateAndInitializeSid(&medium_identifier,
-                               1,
-                               SECURITY_MANDATORY_MEDIUM_RID,
-                               0,
-                               0,
-                               0,
-                               0,
-                               0,
-                               0,
-                               0,
-                               &medium_sid))
-    {
-      PRINTLASTERROR ("Failed to initialize sid.\n");
-      return NULL;
-    }
-
-  integrity_label.Label.Attributes = SE_GROUP_INTEGRITY;
-  integrity_label.Label.Sid        = medium_sid;
-
-  if (!SetTokenInformation(retval,
-                           TokenIntegrityLevel,
-                           &integrity_label,
-                           sizeof(TOKEN_MANDATORY_LABEL)))
-    {
-      PRINTLASTERROR ("Failed to set token integrity.\n");
-      return NULL;
-    }
-
-  return retval;
-}
-
 /**@brief Write strv of instructions to a handle
 *
 * Writes the null terminated list of instructions to
author	Andre Heinecke <andre.heinecke@intevation.de>
date	Tue, 16 Sep 2014 19:48:22 +0200
parents	fd85a02d771d
children	e210ecc32d69