[Feature] Chromium and restricted token

Started by fixer, May 30, 2018, 02:09:27 PM


fixer

Take care when using restricted tokens (here I mean tokens created with the CreateRestrictedToken API function with a non-empty list of restricting SIDs) for Chromium (and probably other Chromium-based browsers). Chromium itself extensively uses restricted tokens for security purposes, creating restricted processes. It creates those tokens using the CreateRestrictedToken API function. But there is a catch. If you try to further restrict an already restricted token, the list of restricting SIDs for the new token is the intersection of the supplied list and the list of restricting SIDs of the existing token. If the resulting list of restricting SIDs turns out to be empty, the function returns an error, causing Chromium to fail to create additional processes, which leads to empty tabs.

So take care and keep in mind that Chromium uses WinRestrictedCodeSid and the NULL SID for its restricted tokens. Though personally I don't think it's a good idea to use restricted tokens for Chromium at all, as adding these SIDs is clearly a workaround that will stop working any time they decide to add some additional SID.
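The intersection rule described above, as an added example (this is not the poster's code and not Chromium's sandbox code). It assumes the well-known SID strings S-1-5-12 for WinRestrictedCodeSid, S-1-0-0 for the NULL SID and S-1-5-32-545 for BUILTIN\Users; the two "launcher" lists are constructed for the demo. The portable function plan_restricting_sids models what CreateRestrictedToken does with SidsToRestrict on an already restricted source token (intersection, empty result means failure); on Windows, main() runs the real calls (build with advapi32 linked, e.g. `gcc demo.c -ladvapi32` or `cl demo.c advapi32.lib`): a launcher-style restriction that shares no SID with Chromium's list makes the second CreateRestrictedToken fail, and the same list extended with Chromium's two SIDs makes it succeed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SIDS 16

/* Constructed sample lists (not from the post or Chromium sources).
 * S-1-5-12 is WinRestrictedCodeSid and S-1-0-0 is the NULL SID, the two
 * restricting SIDs the post says Chromium uses for its own sandbox tokens. */
static const char *const kChromiumSids[] = { "S-1-5-12", "S-1-0-0" };
/* Hypothetical launcher lists: one with no SID in common with Chromium's,
 * one that also carries Chromium's two SIDs. S-1-5-32-545 is BUILTIN\Users. */
static const char *const kLauncherBad[] = { "S-1-5-32-545" };
static const char *const kLauncherOk[]  = { "S-1-5-32-545", "S-1-5-12", "S-1-0-0" };

/* Portable model of how CreateRestrictedToken treats SidsToRestrict when the
 * source token is already restricted: the new token gets the intersection of
 * the existing restricting SIDs and the requested ones, and an empty
 * intersection makes the call fail. An unrestricted source (n_existing == 0)
 * simply takes the requested list. Requires n_requested > 0. Returns the
 * resulting count (writing up to out_cap entries into out, which may be NULL
 * with out_cap 0 to only count), or -1 where the real call would fail. */
int plan_restricting_sids(const char *const *existing, int n_existing,
                          const char *const *requested, int n_requested,
                          const char **out, int out_cap)
{
    int n = 0;
    for (int i = 0; i < n_requested; i++) {
        int keep = (n_existing == 0);
        for (int j = 0; j < n_existing && !keep; j++)
            keep = (strcmp(requested[i], existing[j]) == 0);
        if (keep) {
            if (n < out_cap)
                out[n] = requested[i];
            n++;
        }
    }
    return n > 0 ? n : -1;
}

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>

/* Converts SID strings to a SID_AND_ATTRIBUTES array (caller LocalFrees .Sid). */
static int to_sid_array(const char *const *sids, int n, SID_AND_ATTRIBUTES *out)
{
    for (int i = 0; i < n; i++) {
        if (!ConvertStringSidToSidA(sids[i], &out[i].Sid))
            return 0;
        out[i].Attributes = 0;
    }
    return 1;
}

/* Derives a restricted token from src with the given SidsToRestrict, printing
 * the planner's prediction next to what the API actually does. */
static HANDLE try_restrict(HANDLE src, const char *const *existing, int n_existing,
                           const char *const *requested, int n_requested)
{
    const char *plan[MAX_SIDS];
    SID_AND_ATTRIBUTES rs[MAX_SIDS];
    HANDLE out = NULL;
    int n_plan = plan_restricting_sids(existing, n_existing, requested, n_requested,
                                       plan, MAX_SIDS);
    printf("planner: %s\n", n_plan < 0 ? "empty intersection, expect failure"
                                       : "non-empty intersection, expect success");
    if (!to_sid_array(requested, n_requested, rs))
        return NULL;
    if (!CreateRestrictedToken(src, 0, 0, NULL, 0, NULL, (DWORD)n_requested, rs, &out))
        printf("CreateRestrictedToken failed, GetLastError() = %lu\n", GetLastError());
    else
        printf("CreateRestrictedToken succeeded\n");
    for (int i = 0; i < n_requested; i++)
        LocalFree(rs[i].Sid);
    return out;
}

int main(void)
{
    HANDLE base, outer, inner;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &base))
        return 1;
    /* Launcher restricts with a list sharing nothing with Chromium's: the
     * second restriction (Chromium's own) fails, the post's empty-tab case. */
    outer = try_restrict(base, NULL, 0, kLauncherBad, 1);
    if (outer) {
        inner = try_restrict(outer, kLauncherBad, 1, kChromiumSids, 2);
        if (inner) CloseHandle(inner);
        CloseHandle(outer);
    }
    /* Same launcher list extended with Chromium's SIDs: intersection is
     * non-empty and Chromium's restriction succeeds. */
    outer = try_restrict(base, NULL, 0, kLauncherOk, 3);
    if (outer) {
        inner = try_restrict(outer, kLauncherOk, 3, kChromiumSids, 2);
        if (inner) CloseHandle(inner);
        CloseHandle(outer);
    }
    CloseHandle(base);
    return 0;
}
#else
int main(void)
{
    puts("CreateRestrictedToken demo needs Windows; plan_restricting_sids() is portable.");
    return 0;
}
#endif
```

The planner only compares canonical SID strings, which is enough here because the kernel intersects by SID equality; it is meant as the check a launcher can run before calling CreateRestrictedToken, not as a replacement for reading the real restricting SIDs (GetTokenInformation with TokenRestrictedSids) off the token you are about to restrict.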