Diffstat (limited to '')
-rw-r--r--main.go38
1 files changed, 33 insertions, 5 deletions
diff --git a/main.go b/main.go
index 18b83e92..f7c10f32 100644
--- a/main.go
+++ b/main.go
@@ -12,9 +12,11 @@ import (
"golang.zx2c4.com/wireguard/windows/service"
"golang.zx2c4.com/wireguard/windows/ui"
"os"
+ "runtime"
"strconv"
"strings"
"time"
+ "unsafe"
)
var flags = [...]string{
@@ -48,11 +50,8 @@ func usage() {
func checkForWow64() {
var b bool
- p, err := windows.GetCurrentProcess()
- if err != nil {
- fatal("Unable to determine current process handle: ", err)
- }
- err = isWow64Process(p, &b)
+ p, _ := windows.GetCurrentProcess()
+ err := isWow64Process(p, &b)
if err != nil {
fatal("Unable to determine whether the process is running under WOW64: ", err)
}
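Review bot: The error from `windows.GetCurrentProcess()` is now dropped with `_` in checkForWow64, and nothing on the line says why that is safe. If the reasoning is that the call only hands back a pseudo-handle and cannot fail, record it next to the call, e.g. `// GetCurrentProcess returns a pseudo-handle and does not fail, so the error is ignored.` Otherwise a later reader cannot tell a deliberate omission from a forgotten check. checkForWow64's body continues outside this hunk.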
@@ -61,6 +60,34 @@ func checkForWow64() {
}
}
+func checkForAdminGroup() {
+ // This is not a security check, but rather a user-confusion one.
+ adminSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+ if err != nil {
+ fatal("Unable to create well-known SID for Builtin Administrators: ", err)
+ }
+ token, err := windows.OpenCurrentProcessToken()
+ if err != nil {
+ fatal("Unable to open current process token: ", err)
+ }
+ gs, err := token.GetTokenGroups()
+ if err != nil {
+ fatal("Unable to get groups of current process token: ", err)
+ }
+ groups := (*[(1 << 28) - 1]windows.SIDAndAttributes)(unsafe.Pointer(&gs.Groups[0]))[:gs.GroupCount]
+ isAdmin := false
+ for _, g := range groups {
+ if windows.EqualSid(g.Sid, adminSid) {
+ isAdmin = true
+ break
+ }
+ }
+ runtime.KeepAlive(gs)
+ if !isAdmin {
+ fatal("WireGuard may only be used by users who are a member of the Builtin Administrators group.")
+ }
+}
+
//sys shellExecute(hwnd windows.Handle, verb *uint16, file *uint16, args *uint16, cwd *uint16, showCmd int) (err error) = shell32.ShellExecuteW
func execElevatedManagerServiceInstaller() error {
path, err := os.Executable()
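Review bot: The token handle returned by `windows.OpenCurrentProcessToken()` in checkForAdminGroup is never closed; add `defer token.Close()` right after its error check so the handle is released on the path where the check passes. Separately, the loop compares only `g.Sid` and ignores `g.Attributes`, so an Administrators SID that is present but deny-only on a filtered (non-elevated) token still counts as a match. That fits the existing "not a security check" comment, but the comment should spell the consequence out, e.g. `// Matches the SID even when it is deny-only; never reuse this as an authorization check.`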
@@ -87,6 +114,7 @@ func main() {
checkForWow64()
if len(os.Args) <= 1 {
+ checkForAdminGroup()
if ui.RaiseUI() {
return
}