Skip to main content

sudont

I'm writing a sandbox application for a larger Windows project, and I needed the ability to drop admin privileges for certain operations. I thought about going the other way and elevating only when needed, but there are problems with that approach.

First of all, a LUA token can't magically become an admin. I would need to prompt for credentials and create a new token using LogonUser. If my application is holding credentials in memory or has an admin token standing by, then it shouldn't be performing untrusted operations. This is the same problem if the user is a protected administrator with UAC enabled.

In order to maintain a proper security boundary, the entire sandbox process should be started with lesser privileges. Ideally, I wanted to take advantage of Windows integrity levels because then I could precisely control where the sandbox could write to.

My approach is pretty simple: create a restricted token and then execute the target program using CreateProcessAsUser. I initially missed the note in the documentation stating that the current process needs to have SeIncreaseQuotaPrivilege enabled first. This worked well to create a non-privileged process, but the target program was still running with a high integrity level.

I added a check to read the image's integrity label from the file ACL. If there is an existing integrity label then that becomes the level of the new token, but never higher than medium. If no label is present in the ACL, then the default is medium integrity.

I named the program sudont as a play on the Unix utility sudo. The first command-line argument should be the target program path. Any remaining arguments are passed to the target program. The return code is the new process ID, and a return code of 0 means there was an error.

C:\> sudont notepad.exe foo.txt

The above command will launch notepad and begin editing the file foo.txt. See this article for more information on setting file integrity labels.

You can find the source code to sudont here.