authorJason A. Donenfeld <Jason@zx2c4.com>2019-08-05 16:04:39 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2019-08-05 20:12:19 +0200
commitc1ee46faae672e8024cb114450d974232fe44a8b (patch)
tree161840e31285965c1aae7f51e7a769522ba22d58
parentelevate: require builtin admins group and proper reg key (diff)
elevate: move service/token into proper module
Diffstat (limited to '')
-rw-r--r--elevate/membership.go28
-rw-r--r--elevate/privileges.go (renamed from services/tokens.go)18
-rw-r--r--elevate/shellexecute.go4
-rw-r--r--main.go5
-rw-r--r--manager/service.go3
-rw-r--r--tunnel/service.go3
6 files changed, 36 insertions, 25 deletions
diff --git a/elevate/membership.go b/elevate/membership.go
new file mode 100644
index 00000000..baa4d71b
--- /dev/null
+++ b/elevate/membership.go
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package elevate
+
+import (
+ "runtime"
+
+ "golang.org/x/sys/windows"
+)
+
+func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
+ gs, err := token.GetTokenGroups()
+ if err != nil {
+ return false
+ }
+ isAdmin := false
+ for _, g := range gs.AllGroups() {
+ if (g.Attributes&windows.SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&windows.SE_GROUP_ENABLED != 0) && g.Sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
+ isAdmin = true
+ break
+ }
+ }
+ runtime.KeepAlive(gs)
+ return isAdmin
+}
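Review bot: The membership test in the loop accepts a group whose attribute is only SE_GROUP_USE_FOR_DENY_ONLY, which is presumably intentional so that a UAC-filtered (non-elevated) administrator token still counts as a member, but nothing in the new file says so and a later reader could narrow it to SE_GROUP_ENABLED alone and silently change who passes the check. Suggest a doc comment on the function, e.g. `// TokenIsMemberOfBuiltInAdministrator reports whether token carries the BUILTIN\Administrators SID, either enabled or marked use-for-deny-only (as in a UAC-filtered token).` The early `return false` after GetTokenGroups also deserves a one-line note that a failed query is deliberately treated as "not a member" (fail closed) rather than surfaced to the caller, since every caller in this commit turns the result into an access decision.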
diff --git a/services/tokens.go b/elevate/privileges.go
index bca75475..a02d8a5d 100644
--- a/services/tokens.go
+++ b/elevate/privileges.go
@@ -3,7 +3,7 @@
* Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
*/
-package services
+package elevate
import (
"errors"
@@ -13,22 +13,6 @@ import (
"golang.org/x/sys/windows"
)
-func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
- gs, err := token.GetTokenGroups()
- if err != nil {
- return false
- }
- isAdmin := false
- for _, g := range gs.AllGroups() {
- if (g.Attributes&windows.SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&windows.SE_GROUP_ENABLED != 0) && g.Sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
- isAdmin = true
- break
- }
- }
- runtime.KeepAlive(gs)
- return isAdmin
-}
-
func DropAllPrivileges(retainDriverLoading bool) error {
processHandle, err := windows.GetCurrentProcess()
if err != nil {
diff --git a/elevate/shellexecute.go b/elevate/shellexecute.go
index 6e71e576..00f2d915 100644
--- a/elevate/shellexecute.go
+++ b/elevate/shellexecute.go
@@ -13,8 +13,6 @@ import (
"golang.org/x/sys/windows"
"golang.org/x/sys/windows/registry"
-
- "golang.zx2c4.com/wireguard/windows/services"
)
const (
@@ -79,7 +77,7 @@ func ShellExecute(program string, arguments string, directory string, show int32
err = windows.ERROR_SUCCESS
return
}
- if !services.TokenIsMemberOfBuiltInAdministrator(processToken) {
+ if !TokenIsMemberOfBuiltInAdministrator(processToken) {
err = windows.ERROR_ACCESS_DENIED
return
}
diff --git a/main.go b/main.go
index 813663a5..da3a6c42 100644
--- a/main.go
+++ b/main.go
@@ -18,7 +18,6 @@ import (
"golang.zx2c4.com/wireguard/windows/elevate"
"golang.zx2c4.com/wireguard/windows/manager"
"golang.zx2c4.com/wireguard/windows/ringlogger"
- "golang.zx2c4.com/wireguard/windows/services"
"golang.zx2c4.com/wireguard/windows/ui"
)
@@ -75,7 +74,7 @@ func checkForAdminGroup() {
fatal("Unable to open current process token: ", err)
}
defer processToken.Close()
- if !services.TokenIsMemberOfBuiltInAdministrator(processToken) {
+ if !elevate.TokenIsMemberOfBuiltInAdministrator(processToken) {
fatal("WireGuard may only be used by users who are a member of the Builtin Administrators group.")
}
}
@@ -177,7 +176,7 @@ func main() {
if len(os.Args) != 6 {
usage()
}
- err := services.DropAllPrivileges(false)
+ err := elevate.DropAllPrivileges(false)
if err != nil {
fatal(err)
}
diff --git a/manager/service.go b/manager/service.go
index d6c7d922..585078fb 100644
--- a/manager/service.go
+++ b/manager/service.go
@@ -22,6 +22,7 @@ import (
"golang.org/x/sys/windows/svc"
"golang.zx2c4.com/wireguard/windows/conf"
+ "golang.zx2c4.com/wireguard/windows/elevate"
"golang.zx2c4.com/wireguard/windows/ringlogger"
"golang.zx2c4.com/wireguard/windows/services"
"golang.zx2c4.com/wireguard/windows/version"
@@ -102,7 +103,7 @@ func (service *managerService) Execute(args []string, r <-chan svc.ChangeRequest
if err != nil {
return
}
- if !services.TokenIsMemberOfBuiltInAdministrator(userToken) {
+ if !elevate.TokenIsMemberOfBuiltInAdministrator(userToken) {
userToken.Close()
return
}
diff --git a/tunnel/service.go b/tunnel/service.go
index 752b9561..2dbfff9c 100644
--- a/tunnel/service.go
+++ b/tunnel/service.go
@@ -24,6 +24,7 @@ import (
"golang.zx2c4.com/wireguard/tun"
"golang.zx2c4.com/wireguard/windows/conf"
+ "golang.zx2c4.com/wireguard/windows/elevate"
"golang.zx2c4.com/wireguard/windows/ringlogger"
"golang.zx2c4.com/wireguard/windows/services"
"golang.zx2c4.com/wireguard/windows/version"
@@ -178,7 +179,7 @@ func (service *Service) Execute(args []string, r <-chan svc.ChangeRequest, chang
}
log.Println("Dropping privileges")
- err = services.DropAllPrivileges(true)
+ err = elevate.DropAllPrivileges(true)
if err != nil {
serviceError = services.ErrorDropPrivileges
return