-rw-r--r-- | elevate/membership.go | 28 | ||||
-rw-r--r-- | elevate/privileges.go (renamed from services/tokens.go) | 18 | ||||
-rw-r--r-- | elevate/shellexecute.go | 4 | ||||
-rw-r--r-- | main.go | 5 | ||||
-rw-r--r-- | manager/service.go | 3 | ||||
-rw-r--r-- | tunnel/service.go | 3 |
6 files changed, 36 insertions, 25 deletions
diff --git a/elevate/membership.go b/elevate/membership.go
new file mode 100644
index 00000000..baa4d71b
--- /dev/null
+++ b/elevate/membership.go
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package elevate
+
+import (
+ "runtime"
+
+ "golang.org/x/sys/windows"
+)
+
+func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
+ gs, err := token.GetTokenGroups()
+ if err != nil {
+ return false
+ }
+ isAdmin := false
+ for _, g := range gs.AllGroups() {
+ if (g.Attributes&windows.SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&windows.SE_GROUP_ENABLED != 0) && g.Sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
+ isAdmin = true
+ break
+ }
+ }
+ runtime.KeepAlive(gs)
+ return isAdmin
+}
diff --git a/services/tokens.go b/elevate/privileges.go
index bca75475..a02d8a5d 100644
--- a/services/tokens.go
+++ b/elevate/privileges.go
@@ -3,7 +3,7 @@
 * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
 */
 
-package services
+package elevate
 
 import (
 "errors"
@@ -13,22 +13,6 @@ import (
 "golang.org/x/sys/windows"
 )
 
-func TokenIsMemberOfBuiltInAdministrator(token windows.Token) bool {
- gs, err := token.GetTokenGroups()
- if err != nil {
- return false
- }
- isAdmin := false
- for _, g := range gs.AllGroups() {
- if (g.Attributes&windows.SE_GROUP_USE_FOR_DENY_ONLY != 0 || g.Attributes&windows.SE_GROUP_ENABLED != 0) && g.Sid.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
- isAdmin = true
- break
- }
- }
- runtime.KeepAlive(gs)
- return isAdmin
-}
-
 func DropAllPrivileges(retainDriverLoading bool) error {
 processHandle, err := windows.GetCurrentProcess()
 if err != nil {
diff --git a/elevate/shellexecute.go b/elevate/shellexecute.go
index 6e71e576..00f2d915 100644
--- a/elevate/shellexecute.go
+++ b/elevate/shellexecute.go
@@ -13,8 +13,6 @@ import (
 
 "golang.org/x/sys/windows"
 "golang.org/x/sys/windows/registry"
-
- "golang.zx2c4.com/wireguard/windows/services"
 )
 
 const (
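Review bot: TokenIsMemberOfBuiltInAdministrator in the new membership.go is exported without a doc comment, and its one non-obvious rule — a BUILTIN\Administrators entry flagged SE_GROUP_USE_FOR_DENY_ONLY is accepted on the same footing as an enabled one — is exactly what the callers this commit points at it (ShellExecute, checkForAdminGroup, the manager service's user-token filter) need spelled out. As written, a true result means the account is in the group, not that the token is currently elevated; presumably the deny-only case is accepted so that a UAC-filtered administrator token still qualifies, but that intent should be recorded rather than left to be inferred from the attribute test. I would add above the func `// TokenIsMemberOfBuiltInAdministrator reports whether token belongs to an account in BUILTIN\Administrators; a deny-only group entry counts, so true does not imply an elevated token, and a GetTokenGroups failure yields false.` and a why-comment on the runtime.KeepAlive line, e.g. `// gs must outlive the loop: AllGroups appears to return a view into its buffer — confirm`.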
@@ -79,7 +77,7 @@ func ShellExecute(program string, arguments string, directory string, show int32
 err = windows.ERROR_SUCCESS
 return
 }
- if !services.TokenIsMemberOfBuiltInAdministrator(processToken) {
+ if !TokenIsMemberOfBuiltInAdministrator(processToken) {
 err = windows.ERROR_ACCESS_DENIED
 return
 }
@@ -18,7 +18,6 @@ import (
 "golang.zx2c4.com/wireguard/windows/elevate"
 "golang.zx2c4.com/wireguard/windows/manager"
 "golang.zx2c4.com/wireguard/windows/ringlogger"
- "golang.zx2c4.com/wireguard/windows/services"
 "golang.zx2c4.com/wireguard/windows/ui"
 )
 
@@ -75,7 +74,7 @@ func checkForAdminGroup() {
 fatal("Unable to open current process token: ", err)
 }
 defer processToken.Close()
- if !services.TokenIsMemberOfBuiltInAdministrator(processToken) {
+ if !elevate.TokenIsMemberOfBuiltInAdministrator(processToken) {
 fatal("WireGuard may only be used by users who are a member of the Builtin Administrators group.")
 }
 }
@@ -177,7 +176,7 @@ func main() {
 if len(os.Args) != 6 {
 usage()
 }
- err := services.DropAllPrivileges(false)
+ err := elevate.DropAllPrivileges(false)
 if err != nil {
 fatal(err)
 }
diff --git a/manager/service.go b/manager/service.go
index d6c7d922..585078fb 100644
--- a/manager/service.go
+++ b/manager/service.go
@@ -22,6 +22,7 @@ import (
 "golang.org/x/sys/windows/svc"
 
 "golang.zx2c4.com/wireguard/windows/conf"
+ "golang.zx2c4.com/wireguard/windows/elevate"
 "golang.zx2c4.com/wireguard/windows/ringlogger"
 "golang.zx2c4.com/wireguard/windows/services"
 "golang.zx2c4.com/wireguard/windows/version"
@@ -102,7 +103,7 @@ func (service *managerService) Execute(args []string, r <-chan svc.ChangeRequest
 if err != nil {
 return
 }
- if !services.TokenIsMemberOfBuiltInAdministrator(userToken) {
+ if !elevate.TokenIsMemberOfBuiltInAdministrator(userToken) {
 userToken.Close()
 return
 }
diff --git a/tunnel/service.go b/tunnel/service.go
index 752b9561..2dbfff9c 100644
--- a/tunnel/service.go
+++ b/tunnel/service.go
@@ -24,6 +24,7 @@ import (
 "golang.zx2c4.com/wireguard/tun"
 
 "golang.zx2c4.com/wireguard/windows/conf"
+ "golang.zx2c4.com/wireguard/windows/elevate"
 "golang.zx2c4.com/wireguard/windows/ringlogger"
 "golang.zx2c4.com/wireguard/windows/services"
 "golang.zx2c4.com/wireguard/windows/version"
@@ -178,7 +179,7 @@ func (service *Service) Execute(args []string, r <-chan svc.ChangeRequest, chang
 }
 
 log.Println("Dropping privileges")
- err = services.DropAllPrivileges(true)
+ err = elevate.DropAllPrivileges(true)
 if err != nil {
 serviceError = services.ErrorDropPrivileges
 return
|