Running a process with lowest possible privileges in winapi

Question

I am writing something similar to the http://ideone.com/. Currently I am running user processes with CreateProcess call. I kill the process if it runs longer then specified amount of time but I don't know how to deny read/write filesystem rights / creating process rights etc. to the created process. The given executable can be literally anything and I need to allow only stdin / stdout. Also it would be great if I could set working memory set.

I read a lot of articles on msdn such as CreateProcessAsUser Function, CreateProcessWithLogonW Function etc. but I get confused very fast (probably because my win32 knowledge is extremely limited). Is it sufficient just to call CreateProcessAsUser and create special user with those limited privileges (and how to create such user).

I hope I can achieve this in one function call with right parameters so please help.

Also, if you know some similar open source project it would be great.

Thanks.

==========================================================

Edit: Hi again :) I am still stuck with this. I didn't have enough time to work on this, but I guess snemarch post is very useful. If someone has out of the box solution it would be great. I will post if I do something with snemarch's links.

Answer 1

Take a look at OpenProcessToken and AdjustTokenPrivileges - this lets you fine-tune (to some extent) the permissions of your process. You can use SaferCreateLevel for some standard rights like SAFER_LEVELID_UNTRUSTED.

Answer 2

Consider running user process inside a job object. Child processes created by the user process will end up inside the same job object too. You can apply specific restrictions to how much resources the job can use, how can it interact with GUI etc (see SetInformationJobObject function). You can kill all processes inside a job object with one blow.

Answer 3

We have a chunk of code for doing this, though I can't post it :(

Create a "restricted" access token based on the access token for this process. Then create a new process for the app with this access token.

Had a comment with the code - More information can be found in the MSDN article called, "Browsing the Web and Reading E-mail safely as an Administrator". However as usual MS has broken the web and the article isn't there any more.

Associated searches found "DropMyRights" app linked on a blog linking to this article which may do what you want, offers up source, but again those links have become broken in the blog page.

you may want to look at functions like OpenProcessToken GetTokenInformation CreateRestrictedToken

and privs like SE_CHANGE_NOTIFY_NAME