-rw-r--r-- | main.go | 38 |
1 files changed, 33 insertions, 5 deletions
@@ -12,9 +12,11 @@ import (
 	"golang.zx2c4.com/wireguard/windows/service"
 	"golang.zx2c4.com/wireguard/windows/ui"
 	"os"
+	"runtime"
 	"strconv"
 	"strings"
 	"time"
+	"unsafe"
 )
 
 var flags = [...]string{
@@ -48,11 +50,8 @@ func usage() {
 
 func checkForWow64() {
 	var b bool
-	p, err := windows.GetCurrentProcess()
-	if err != nil {
-		fatal("Unable to determine current process handle: ", err)
-	}
-	err = isWow64Process(p, &b)
+	p, _ := windows.GetCurrentProcess()
+	err := isWow64Process(p, &b)
 	if err != nil {
 		fatal("Unable to determine whether the process is running under WOW64: ", err)
 	}
@@ -61,6 +60,34 @@ func checkForWow64() {
 	}
 }
 
+func checkForAdminGroup() {
+	// This is not a security check, but rather a user-confusion one.
+	adminSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+	if err != nil {
+		fatal("Unable to create well-known SID for Builtin Administrators: ", err)
+	}
+	token, err := windows.OpenCurrentProcessToken()
+	if err != nil {
+		fatal("Unable to open current process token: ", err)
+	}
+	gs, err := token.GetTokenGroups()
+	if err != nil {
+		fatal("Unable to get groups of current process token: ", err)
+	}
+	groups := (*[(1 << 28) - 1]windows.SIDAndAttributes)(unsafe.Pointer(&gs.Groups[0]))[:gs.GroupCount]
+	isAdmin := false
+	for _, g := range groups {
+		if windows.EqualSid(g.Sid, adminSid) {
+			isAdmin = true
+			break
+		}
+	}
+	runtime.KeepAlive(gs)
+	if !isAdmin {
+		fatal("WireGuard may only be used by users who are a member of the Builtin Administrators group.")
+	}
+}
+
 //sys shellExecute(hwnd windows.Handle, verb *uint16, file *uint16, args *uint16, cwd *uint16, showCmd int) (err error) = shell32.ShellExecuteW
 func execElevatedManagerServiceInstaller() error {
 	path, err := os.Executable()
@@ -87,6 +114,7 @@ func main() {
 	checkForWow64()
 
 	if len(os.Args) <= 1 {
+		checkForAdminGroup()
 		if ui.RaiseUI() {
 			return
 		} |
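Review bot: The new `p, _ := windows.GetCurrentProcess()` in checkForWow64 discards an error with no explanation, which reads as an accidental drop rather than a deliberate one. GetCurrentProcess returns the process pseudo-handle and cannot fail, so the discard is correct, but that reasoning should sit next to it: `p, _ := windows.GetCurrentProcess() // pseudo-handle; this call cannot fail`. checkForWow64's body continues outside the hunk.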
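Review bot: checkForAdminGroup opens the process token with `windows.OpenCurrentProcessToken()` and never closes it, so the handle lives for the rest of the process; add `defer token.Close()` right after the error check. The membership loop compares only `g.Sid` and ignores `g.Attributes`, so a group carried as deny-only (as the Administrators SID is in a UAC-filtered token) still counts as membership; given the "user-confusion" comment that appears intentional, since the non-elevated admin is the user this message is meant to pass, but the comment should say so, e.g. `// Attributes are deliberately ignored: a deny-only Administrators entry (UAC-filtered token) still identifies an admin user.` The `(*[(1 << 28) - 1]windows.SIDAndAttributes)(unsafe.Pointer(&gs.Groups[0]))[:gs.GroupCount]` reslice is the usual pattern for the variable-length Groups array, but a one-line comment naming that purpose would help readers who do not recognise it.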