Add a -restrict-putty-acl option to Windows Pageant.

This causes PuTTY processes spawned from its system-tray menu to run with the -restrict-acl option (or rather, the synonymous &R prefix used by my auto-constructed command lines for easier parsing). The previous behaviour of Pageant was never to pass -restrict-acl to PuTTY, even when started with -restrict-acl itself; this is not actually a silly thing to want to do, because Pageant might well have more need of -restrict-acl than PuTTY (it stores longer-term and more powerful secrets) and conversely PuTTY might have more need to _not_ restrict its ACL than Pageant (in that among the things enabled by an unrestricted ACL are various kinds of accessibility software, which is more useful on the more user-facing PuTTY than on Pageant). But for those who want to lock everything down with every security option possible (even though -restrict-acl is only an ad-hoc precaution and cannot deliver any hard guarantees), this new option should fill in the UI gap.
2025-01-10 01:48:00 +00:00 · 2017-09-20 18:04:37 +01:00 · 2017-09-20 18:04:37 +01:00 · ba4837dae8
commit ba4837dae8
parent 4ec2791945
2 changed files with 32 additions and 6 deletions
--- a/doc/using.but
+++ b/doc/using.but
@ -1042,3 +1042,15 @@ any processes started with Duplicate Session, New Session etc.
 (However, if you're invoking PuTTY tools explicitly, for instance as a
 proxy command, you'll need to arrange to pass them the
 \c{-restrict-acl} option yourself, if that's what you want.)
+
+If Pageant is started with the \c{-restrict-acl} option, and you use
+it to launch a PuTTY session from its System Tray submenu, then
+Pageant will \e{not} default to starting the PuTTY subprocess with a
+restricted ACL. This is because PuTTY is more likely to suffer reduced
+functionality as a result of restricted ACLs (e.g. screen reader
+software will have a greater need to interact with it), whereas
+Pageant stores the more critical information (hence benefits more from
+the extra protection), so it's reasonable to want to run Pageant but
+not PuTTY with the ACL restrictions. You can force Pageant to start
+subsidiary PuTTY processes with a restricted ACL if you also pass the
+\c{-restrict-putty-acl} option.
--- a/windows/winpgnt.c
+++ b/windows/winpgnt.c
@ -57,6 +57,7 @@ static HMENU systray_menu, session_menu;
 static int already_running;

 static char *putty_path;
+static int restrict_putty_acl = FALSE;

 /* CWD for "add key" file requester. */
 static filereq *keypath = NULL;
@ -847,11 +848,18 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
      case WM_SYSCOMMAND:
 	switch (wParam & ~0xF) {       /* low 4 bits reserved to Windows */
 	  case IDM_PUTTY:
-	    if((INT_PTR)ShellExecute(hwnd, NULL, putty_path, _T(""), _T(""),
-				 SW_SHOW) <= 32) {
-		MessageBox(NULL, "Unable to execute PuTTY!",
-			   "Error", MB_OK | MB_ICONERROR);
-	    }
+            {
+                TCHAR cmdline[10];
+                cmdline[0] = '\0';
+                if (restrict_putty_acl)
+                    strcat(cmdline, "&R");
+
+                if((INT_PTR)ShellExecute(hwnd, NULL, putty_path, cmdline,
+                                         _T(""), SW_SHOW) <= 32) {
+                    MessageBox(NULL, "Unable to execute PuTTY!",
+                               "Error", MB_OK | MB_ICONERROR);
+                }
+            }
 	    break;
 	  case IDM_CLOSE:
 	    if (passphrase_box)
@ -912,7 +920,10 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
 		    mii.cch = MAX_PATH;
 		    mii.dwTypeData = buf;
 		    GetMenuItemInfo(session_menu, wParam, FALSE, &mii);
-		    strcpy(param, "@");
+                    param[0] = '\0';
+                    if (restrict_putty_acl)
+                        strcat(param, "&R");
+		    strcat(param, "@");
 		    strcat(param, mii.dwTypeData);
 		    if((INT_PTR)ShellExecute(hwnd, NULL, putty_path, param,
 					 _T(""), SW_SHOW) <= 32) {
@ -1169,6 +1180,9 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
                   !strcmp(argv[i], "-restrict_acl") ||
                   !strcmp(argv[i], "-restrictacl")) {
            restrict_process_acl();
+        } else if (!strcmp(argv[i], "-restrict-putty-acl") ||
+                   !strcmp(argv[i], "-restrict_putty_acl")) {
+            restrict_putty_acl = TRUE;
 	} else if (!strcmp(argv[i], "-c")) {
 	    /*
 	     * If we see `-c', then the rest of the