author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-14 17:00:10 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-05-14 17:10:50 +0200 |
commit | bfdb3aa855de75d91c5d191ef116c651feb0fcfc (patch) | |
tree | a3050b6130f1eef70baccfe7305a7a7884c4e153 /main.go | |
parent | service: drop all privileges for tunnel service (diff) | |
service: clean up token mangling
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'main.go')
-rw-r--r-- | main.go | 25 |
1 files changed, 4 insertions, 21 deletions
@@ -8,13 +8,12 @@ package main
 import (
 	"fmt"
 	"os"
-	"runtime"
 	"strconv"
 	"strings"
 	"time"
-	"unsafe"
 	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/ringlogger"
 	"golang.zx2c4.com/wireguard/windows/service"
 	"golang.zx2c4.com/wireguard/windows/ui"
@@ -64,28 +63,12 @@ func checkForWow64() {
 func checkForAdminGroup() {
 	// This is not a security check, but rather a user-confusion one.
-	adminSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
-	if err != nil {
-		fatal("Unable to create well-known SID for Builtin Administrators: ", err)
-	}
-	token, err := windows.OpenCurrentProcessToken()
+	processToken, err := windows.OpenCurrentProcessToken()
 	if err != nil {
 		fatal("Unable to open current process token: ", err)
 	}
-	gs, err := token.GetTokenGroups()
-	if err != nil {
-		fatal("Unable to get groups of current process token: ", err)
-	}
-	groups := (*[(1 << 28) - 1]windows.SIDAndAttributes)(unsafe.Pointer(&gs.Groups[0]))[:gs.GroupCount]
-	isAdmin := false
-	for _, g := range groups {
-		if windows.EqualSid(g.Sid, adminSid) {
-			isAdmin = true
-			break
-		}
-	}
-	runtime.KeepAlive(gs)
-	if !isAdmin {
+	defer processToken.Close()
+	if !service.TokenIsMemberOfBuiltInAdministrator(processToken) {
 		fatal("WireGuard may only be used by users who are a member of the Builtin Administrators group.")
 	}
 }
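Review bot: `service.TokenIsMemberOfBuiltInAdministrator(processToken)` in the second hunk returns only a bool, so any failure inside the membership lookup is presumably folded into false and reported with the same "may only be used by users who are a member of the Builtin Administrators group" message, whereas the removed code reported the well-known-SID and GetTokenGroups failures separately with their error values. If the helper can fail, having it return `(bool, error)` and keeping a distinct `fatal("Unable to check token group membership: ", err)` path would stop a lookup error from being misattributed to the user's group membership; if folding is intentional, a comment above the call such as `// Lookup failures inside the helper are reported as non-membership.` would make that explicit. The helper's body is not visible here, so it is also worth confirming how it treats the Administrators group on a filtered (unelevated UAC) token, since the removed loop compared SIDs without consulting group attributes and a CheckTokenMembership-based helper would behave differently. The function's leading blank context line is not visible in this rendering, which is why the hunk appears one line shorter than its header states.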