deelevate 0.2.0

Drop privileges on Windows
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

//! This example demonstrates that impersonation isn't sufficient
//! to effectively reduce privileges.  It does this by running
//! `whoami` before and after an impersonation request and showing
//! that the effective prileges remain the same.

use deelevate::Token;

fn whoami() {
    let output = std::process::Command::new("whoami.exe")
        .arg("/groups")
        .output()
        .expect("failed to run whoami");
    let stdout = String::from_utf8_lossy(&output.stdout);
    println!("{}", stdout);
}

fn main() {
    whoami();

    let token = Token::with_current_process().unwrap();
    let level = token.privilege_level().unwrap();
    println!("priv level is {:?}", level);

    let medium = token
        .as_medium_integrity_safer_token()
        .expect("failed to make medium token");

    medium
        .impersonate()
        .expect("failed to impersonate self with medium token");

    println!("impersonation successful, but note that it isn't effective in changing whoami!");

    whoami();
}