diff options
| author |   Jason A. Donenfeld <Jason@zx2c4.com> | 2019-07-19 15:59:53 +0200 |
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-07-19 15:59:53 +0200 |
| commit | 54b2e7113ead40f0be9b21370415346fd6c356b1 (patch) | |
| tree | 8346fd7c7ecaeb7260a8c80ee9df5942a100797b | |
| parent | ringlogger: windows only (diff) | |
| download | wireguard-windows-54b2e7113ead40f0be9b21370415346fd6c356b1.tar.xz wireguard-windows-54b2e7113ead40f0be9b21370415346fd6c356b1.zip | |
tunnel: extract owner of config file for pipe dacl
If the config file is unencrypted and its owner is not Local System,
then we allow the runtime named pipe to be accessed by that owner, since
generally the private key is already stored in the config file.
| -rw-r--r-- | conf/store.go | 4 | ||||
| -rw-r--r-- | tunnel/ipcpermissions.go | 55 | ||||
| -rw-r--r-- | tunnel/service.go | 5 |
3 files changed, 64 insertions, 0 deletions
diff --git a/conf/store.go b/conf/store.go index b5cdd1ef..504a0d01 100644 --- a/conf/store.go +++ b/conf/store.go @@ -148,6 +148,10 @@ func LoadFromPath(path string) (*Config, error) { return FromWgQuickWithUnknownEncoding(string(bytes), name) } +func PathIsEncrypted(path string) bool { + return strings.HasSuffix(filepath.Base(path), configFileSuffix) +} + func NameFromPath(path string) (string, error) { name := filepath.Base(path) if !((len(name) > len(configFileSuffix) && strings.HasSuffix(name, configFileSuffix)) || diff --git a/tunnel/ipcpermissions.go b/tunnel/ipcpermissions.go new file mode 100644 index 00000000..48f21f1f --- /dev/null +++ b/tunnel/ipcpermissions.go @@ -0,0 +1,55 @@ +/* SPDX-License-Identifier: MIT + * + * Copyright (C) 2019 WireGuard LLC. All Rights Reserved. + */ + +package tunnel + +import ( + "fmt" + "unsafe" + + "golang.org/x/sys/windows" + "golang.zx2c4.com/wireguard/ipc" + + "golang.zx2c4.com/wireguard/windows/conf" +) + +func CopyConfigOwnerToIPCSecurityDescriptor(filename string) error { + if conf.PathIsEncrypted(filename) { + return nil + } + handle, err := windows.CreateFile(windows.StringToUTF16Ptr(filename), windows.STANDARD_RIGHTS_READ, windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE, nil, windows.OPEN_EXISTING, 0, 0) + if err != nil { + return err + } + defer windows.CloseHandle(handle) + var sid *windows.SID + var sd windows.Handle + //TODO: Move into x/sys/windows + const SE_FILE_OBJECT = 1 + const OWNER_SECURITY_INFORMATION = 1 + r, _, _ := windows.NewLazySystemDLL("advapi32.dll").NewProc("GetSecurityInfo").Call( + uintptr(handle), + SE_FILE_OBJECT, + OWNER_SECURITY_INFORMATION, + uintptr(unsafe.Pointer(&sid)), + 0, + 0, + 0, + uintptr(unsafe.Pointer(&sd)), + ) + if r != uintptr(windows.ERROR_SUCCESS) { + return windows.Errno(r) + } + defer windows.LocalFree(sd) + if sid.IsWellKnown(windows.WinLocalSystemSid) { + return nil + } + sidString, err := sid.String() + if err != nil { + return err + } + ipc.UAPISecurityDescriptor += fmt.Sprintf("(A;;GA;;;%s)", sidString) + return nil +} diff --git a/tunnel/service.go b/tunnel/service.go index c0ead084..752b9561 100644 --- a/tunnel/service.go +++ b/tunnel/service.go @@ -117,6 +117,11 @@ func (service *Service) Execute(args []string, r <-chan svc.ChangeRequest, chang serviceError = services.ErrorLoadConfiguration return } + err = CopyConfigOwnerToIPCSecurityDescriptor(service.Path) + if err != nil { + serviceError = services.ErrorLoadConfiguration + return + } logPrefix := fmt.Sprintf("[%s] ", conf.Name) log.SetPrefix(logPrefix) |