Diffstat (limited to '')
-rw-r--r-- | conf/store.go | 4 | ||||
-rw-r--r-- | tunnel/ipcpermissions.go | 55 | ||||
-rw-r--r-- | tunnel/service.go | 5 |
3 files changed, 64 insertions, 0 deletions
diff --git a/conf/store.go b/conf/store.go
index b5cdd1ef..504a0d01 100644
--- a/conf/store.go
+++ b/conf/store.go
@@ -148,6 +148,10 @@ func LoadFromPath(path string) (*Config, error) {
 return FromWgQuickWithUnknownEncoding(string(bytes), name)
 }
 
+func PathIsEncrypted(path string) bool {
+ return strings.HasSuffix(filepath.Base(path), configFileSuffix)
+}
+
 func NameFromPath(path string) (string, error) {
 name := filepath.Base(path)
 if !((len(name) > len(configFileSuffix) && strings.HasSuffix(name, configFileSuffix)) ||
diff --git a/tunnel/ipcpermissions.go b/tunnel/ipcpermissions.go
new file mode 100644
index 00000000..48f21f1f
--- /dev/null
+++ b/tunnel/ipcpermissions.go
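Review bot: PathIsEncrypted is exported without a doc comment, and its test is looser than NameFromPath's directly below it: NameFromPath also requires `len(name) > len(configFileSuffix)`, so a file whose whole name is the suffix is reported encrypted here but rejected there. Either tighten the check to `name := filepath.Base(path); return len(name) > len(configFileSuffix) && strings.HasSuffix(name, configFileSuffix)` or document the difference. Suggested doc comment: `// PathIsEncrypted reports whether path's base name carries configFileSuffix, i.e. names an encrypted configuration file.`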
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package tunnel
+
+import (
+ "fmt"
+ "unsafe"
+
+ "golang.org/x/sys/windows"
+ "golang.zx2c4.com/wireguard/ipc"
+
+ "golang.zx2c4.com/wireguard/windows/conf"
+)
+
+func CopyConfigOwnerToIPCSecurityDescriptor(filename string) error {
+ if conf.PathIsEncrypted(filename) {
+ return nil
+ }
+ handle, err := windows.CreateFile(windows.StringToUTF16Ptr(filename), windows.STANDARD_RIGHTS_READ, windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE, nil, windows.OPEN_EXISTING, 0, 0)
+ if err != nil {
+ return err
+ }
+ defer windows.CloseHandle(handle)
+ var sid *windows.SID
+ var sd windows.Handle
+ //TODO: Move into x/sys/windows
+ const SE_FILE_OBJECT = 1
+ const OWNER_SECURITY_INFORMATION = 1
+ r, _, _ := windows.NewLazySystemDLL("advapi32.dll").NewProc("GetSecurityInfo").Call(
+ uintptr(handle),
+ SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION,
+ uintptr(unsafe.Pointer(&sid)),
+ 0,
+ 0,
+ 0,
+ uintptr(unsafe.Pointer(&sd)),
+ )
+ if r != uintptr(windows.ERROR_SUCCESS) {
+ return windows.Errno(r)
+ }
+ defer windows.LocalFree(sd)
+ if sid.IsWellKnown(windows.WinLocalSystemSid) {
+ return nil
+ }
+ sidString, err := sid.String()
+ if err != nil {
+ return err
+ }
+ ipc.UAPISecurityDescriptor += fmt.Sprintf("(A;;GA;;;%s)", sidString)
+ return nil
+}
diff --git a/tunnel/service.go b/tunnel/service.go
index c0ead084..752b9561 100644
--- a/tunnel/service.go
+++ b/tunnel/service.go
@@ -117,6 +117,11 @@ func (service *Service) Execute(args []string, r <-chan svc.ChangeRequest, chang
 serviceError = services.ErrorLoadConfiguration
 return
 }
+ err = CopyConfigOwnerToIPCSecurityDescriptor(service.Path)
+ if err != nil {
+ serviceError = services.ErrorLoadConfiguration
+ return
+ }
 
 logPrefix := fmt.Sprintf("[%s] ", conf.Name)
 log.SetPrefix(logPrefix) |
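Review bot: The ACE is appended to the package-level ipc.UAPISecurityDescriptor with `+=` on the last statement of CopyConfigOwnerToIPCSecurityDescriptor and nothing ever removes it, so if this runs more than once in the same process (a restarted or second tunnel, for instance) every earlier file owner keeps generic-all access on the UAPI endpoint; building the descriptor from a fixed base on each call, or documenting that the function is invoked exactly once per process, would make that contract explicit. The exported function also lacks a doc comment; suggested: `// CopyConfigOwnerToIPCSecurityDescriptor grants the owner of the unencrypted config file at filename full access (GA) to the UAPI socket by appending an ACE to ipc.UAPISecurityDescriptor. Encrypted configs and LocalSystem-owned files add nothing.` Per the GetSecurityInfo contract the returned sid points into the buffer released by the deferred LocalFree(sd), so sid.String() must stay before that release; a one-line comment at `defer windows.LocalFree(sd) // sid is valid only until this runs` would keep a later refactor from moving it.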
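Review bot: A failure of CopyConfigOwnerToIPCSecurityDescriptor is reported with the same services.ErrorLoadConfiguration as a config parse failure, so unless err is logged elsewhere in Execute (the method's body starts and ends outside this hunk) the reason — for example CreateFile being refused on the config file — is not surfaced to the operator. If the services package has a more specific code, using it here would distinguish the two; otherwise a comment such as `// treat the owner lookup as part of loading the configuration` makes the choice explicit.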