author | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-07-19 15:59:53 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-07-19 15:59:53 +0200 |
commit | 11a667c8decb4a2e7caee7aac7d4f1d7b82f5f21 (patch) | |
tree | 8346fd7c7ecaeb7260a8c80ee9df5942a100797b /tunnel | |
parent | ringlogger: windows only (diff) | |
download | wireguard-windows-11a667c8decb4a2e7caee7aac7d4f1d7b82f5f21.tar.xz wireguard-windows-11a667c8decb4a2e7caee7aac7d4f1d7b82f5f21.zip |
tunnel: extract owner of config file for pipe dacl
If the config file is unencrypted and its owner is not Local System,
then we allow the runtime named pipe to be accessed by that owner, since
generally the private key is already stored in the config file.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to 'tunnel')
-rw-r--r-- | tunnel/ipcpermissions.go | 55 | ||||
-rw-r--r-- | tunnel/service.go | 5 |
2 files changed, 60 insertions, 0 deletions
diff --git a/tunnel/ipcpermissions.go b/tunnel/ipcpermissions.go
new file mode 100644
index 00000000..48f21f1f
--- /dev/null
+++ b/tunnel/ipcpermissions.go
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package tunnel
+
+import (
+ "fmt"
+ "unsafe"
+
+ "golang.org/x/sys/windows"
+ "golang.zx2c4.com/wireguard/ipc"
+
+ "golang.zx2c4.com/wireguard/windows/conf"
+)
+
+func CopyConfigOwnerToIPCSecurityDescriptor(filename string) error {
+ if conf.PathIsEncrypted(filename) {
+ return nil
+ }
+ handle, err := windows.CreateFile(windows.StringToUTF16Ptr(filename), windows.STANDARD_RIGHTS_READ, windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE, nil, windows.OPEN_EXISTING, 0, 0)
+ if err != nil {
+ return err
+ }
+ defer windows.CloseHandle(handle)
+ var sid *windows.SID
+ var sd windows.Handle
+ //TODO: Move into x/sys/windows
+ const SE_FILE_OBJECT = 1
+ const OWNER_SECURITY_INFORMATION = 1
+ r, _, _ := windows.NewLazySystemDLL("advapi32.dll").NewProc("GetSecurityInfo").Call(
+ uintptr(handle),
+ SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION,
+ uintptr(unsafe.Pointer(&sid)),
+ 0,
+ 0,
+ 0,
+ uintptr(unsafe.Pointer(&sd)),
+ )
+ if r != uintptr(windows.ERROR_SUCCESS) {
+ return windows.Errno(r)
+ }
+ defer windows.LocalFree(sd)
+ if sid.IsWellKnown(windows.WinLocalSystemSid) {
+ return nil
+ }
+ sidString, err := sid.String()
+ if err != nil {
+ return err
+ }
+ ipc.UAPISecurityDescriptor += fmt.Sprintf("(A;;GA;;;%s)", sidString)
+ return nil
+}
diff --git a/tunnel/service.go b/tunnel/service.go
index c0ead084..752b9561 100644
--- a/tunnel/service.go
+++ b/tunnel/service.go
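Review bot: CopyConfigOwnerToIPCSecurityDescriptor is exported but has no doc comment, and the reasoning that justifies widening the pipe ACL lives only in the commit message; the function should carry it, e.g. `// CopyConfigOwnerToIPCSecurityDescriptor grants the owner of an unencrypted config file full access to the UAPI named pipe, since that owner can already read the private key from the file; encrypted files and Local System owners are skipped.` Two behaviours belong in that comment as well: the `+=` on ipc.UAPISecurityDescriptor mutates process-wide state with no guard against being applied twice, so a second call in the same process appends a duplicate ACE, and the ACE only has an effect if the pipe is created after this runs (presumably later in Execute, outside this hunk). Note also that a file created by an elevated process is typically owned by BUILTIN\Administrators rather than a single user, in which case the GA grant extends to every local administrator; that is likely the intended outcome, but saying so explicitly prevents a reader from assuming a per-user grant.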
@@ -117,6 +117,11 @@ func (service *Service) Execute(args []string, r <-chan svc.ChangeRequest, chang
 serviceError = services.ErrorLoadConfiguration
 return
 }
+ err = CopyConfigOwnerToIPCSecurityDescriptor(service.Path)
+ if err != nil {
+ serviceError = services.ErrorLoadConfiguration
+ return
+ }
 logPrefix := fmt.Sprintf("[%s] ", conf.Name)
 log.SetPrefix(logPrefix)
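Review bot: A failure of CopyConfigOwnerToIPCSecurityDescriptor is reported as services.ErrorLoadConfiguration, the same code the preceding block uses for a config parse failure, and the underlying err is not printed anywhere in the hunk, so a CreateFile or GetSecurityInfo error on a perfectly valid config is indistinguishable from a bad config file unless a handler outside the hunk logs err. Logging before the return, `log.Printf("unable to read config file owner: %v", err)`, keeps the fail-closed behaviour while making the cause visible; log is already in use two lines below. Separately, the owner is obtained by re-opening service.Path rather than from the handle the loader used, so the file that was parsed and the file whose owner is granted pipe access are only the same if the path is not replaced in between; if conf.LoadFromPath cannot expose its handle, a one-line comment stating that assumption would help the next reader. Execute's body continues on both sides of this hunk.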