authorweitaosu <weitaosu@chromium.org>2015-09-18 10:30:52 -0700
committerCommit bot <commit-bot@chromium.org>2015-09-18 17:31:27 +0000
commite09928dae0a3f48d6686fddf52bf22951384d105 (patch)
tree28052668833994c5e1ab0f66bee937db5462dec4 /remoting/host/setup
parent8f3768781792d088730de219b8abbc23c2d259d1 (diff)
Allow local admins access to the pipe created by the unprivileged native messaging host process. Otherwise, the privileged NM host process won't be able to connect to the named pipe created by the unprivileged NM host process.
BUG=477471 Review URL: https://codereview.chromium.org/1351453005 Cr-Commit-Position: refs/heads/master@{#349703}
Diffstat (limited to 'remoting/host/setup')
-rw-r--r--remoting/host/setup/me2me_native_messaging_host.cc9
1 files changed, 6 insertions, 3 deletions
diff --git a/remoting/host/setup/me2me_native_messaging_host.cc b/remoting/host/setup/me2me_native_messaging_host.cc
index 49d2b74..37c004d 100644
--- a/remoting/host/setup/me2me_native_messaging_host.cc
+++ b/remoting/host/setup/me2me_native_messaging_host.cc
@@ -588,11 +588,14 @@ void Me2MeNativeMessagingHost::EnsureElevatedHostCreated() {
}
// Create a security descriptor that gives full access to the caller and
- // denies access by anyone else.
+ // BUILTIN_ADMINISTRATORS and denies access by anyone else.
+ // Local admins need access because the privileged host process will run
+ // as a local admin which may not be the same user as the current user.
std::string user_sid_ascii = base::UTF16ToASCII(user_sid);
std::string security_descriptor =
- base::StringPrintf("O:%sG:%sD:(A;;GA;;;%s)", user_sid_ascii.c_str(),
- user_sid_ascii.c_str(), user_sid_ascii.c_str());
+ base::StringPrintf("O:%sG:%sD:(A;;GA;;;%s)(A;;GA;;;BA)",
+ user_sid_ascii.c_str(), user_sid_ascii.c_str(),
+ user_sid_ascii.c_str());
ScopedSd sd = ConvertSddlToSd(security_descriptor);
if (!sd) {