author | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-13 03:10:00 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2020-11-22 22:00:32 +0100 |
commit | 1c7606cea18e908cf76201ce1534b0afdc04cc89 (patch) | |
tree | 56c591b462989278a9bc89fafe927d7347122db5 /conf/admin_windows.go | |
parent | tunnel: only enable DNS blocking for 0/0 configs (diff) | |
manager: allow S-1-5-32-556 users to launch a limited UI
I still have serious security reservations about this, both conceptually
-- should users be allowed to do this stuff? -- and practically -- there
are issues with this implementation that need some examination.
TODO:
- Is that registry key a secure path? Should we double check it?
- Are we leaking handles to the unpriv'd process from the manager? Audit
this too.
- IPC notifications are blocking. Should we move this to a go routine to
mitigate DoS potential?
- Is GOB deserialization secure? Can an NCO user crash or RCE the
manager?
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rw-r--r-- | conf/admin_windows.go | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/conf/admin_windows.go b/conf/admin_windows.go new file mode 100644 index 00000000..2f97f4da --- /dev/null +++ b/conf/admin_windows.go @@ -0,0 +1,36 @@ +/* SPDX-License-Identifier: MIT + * + * Copyright (C) 2020 WireGuard LLC. All Rights Reserved. + */ + +package conf + +import "golang.org/x/sys/windows/registry" + +const adminRegKey = `Software\WireGuard` + +var adminKey registry.Key + +func openAdminKey() (registry.Key, error) { + if adminKey != 0 { + return adminKey, nil + } + var err error + adminKey, err = registry.OpenKey(registry.LOCAL_MACHINE, adminRegKey, registry.QUERY_VALUE) + if err != nil { + return 0, err + } + return adminKey, nil +} + +func AdminBool(name string) bool { + key, err := openAdminKey() + if err != nil { + return false + } + val, _, err := key.GetIntegerValue(name) + if err != nil { + return false + } + return val != 0 +} |
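Review bot: In openAdminKey, the package-level adminKey is read and written with no synchronization, so concurrent callers of AdminBool race on it and can each open a handle, leaking all but the last one stored; guard the open with a sync.Once or a mutex. The key is also opened with only `registry.QUERY_VALUE`, so a 32-bit build running on 64-bit Windows would be redirected to the WOW6432Node view of `Software\WireGuard`; adding `registry.WOW64_64KEY` to the access mask pins the lookup to a single view. AdminBool returns false on every error path, which is the right fail-closed default for a policy switch, but it is exported without a doc comment saying so, and nothing in this file checks who is allowed to write the key, which is the question the first TODO in the commit message leaves open.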