diff options
Diffstat (limited to 'tunnel/ipcpermissions.go')
| -rw-r--r-- | tunnel/ipcpermissions.go | 62 |
1 files changed, 35 insertions, 27 deletions
diff --git a/tunnel/ipcpermissions.go b/tunnel/ipcpermissions.go index 20af4257..613d0283 100644 --- a/tunnel/ipcpermissions.go +++ b/tunnel/ipcpermissions.go @@ -6,10 +6,8 @@ package tunnel import ( - "fmt" - "unsafe" - "golang.org/x/sys/windows" + "golang.zx2c4.com/wireguard/ipc" "golang.zx2c4.com/wireguard/windows/conf" @@ -19,37 +17,47 @@ func CopyConfigOwnerToIPCSecurityDescriptor(filename string) error { if conf.PathIsEncrypted(filename) { return nil } - handle, err := windows.CreateFile(windows.StringToUTF16Ptr(filename), windows.STANDARD_RIGHTS_READ, windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE, nil, windows.OPEN_EXISTING, 0, 0) + + fileSd, err := windows.GetNamedSecurityInfo(filename, windows.SE_FILE_OBJECT, windows.OWNER_SECURITY_INFORMATION) if err != nil { return err } - defer windows.CloseHandle(handle) - var sid *windows.SID - var sd windows.Handle - //TODO: Move into x/sys/windows - const SE_FILE_OBJECT = 1 - const OWNER_SECURITY_INFORMATION = 1 - r, _, _ := windows.NewLazySystemDLL("advapi32.dll").NewProc("GetSecurityInfo").Call( - uintptr(handle), - SE_FILE_OBJECT, - OWNER_SECURITY_INFORMATION, - uintptr(unsafe.Pointer(&sid)), - 0, - 0, - 0, - uintptr(unsafe.Pointer(&sd)), - ) - if r != uintptr(windows.ERROR_SUCCESS) { - return windows.Errno(r) - } - defer windows.LocalFree(sd) - if sid.IsWellKnown(windows.WinLocalSystemSid) { + fileOwner, _, err := fileSd.Owner() + if err != nil { + return err + } + if fileOwner.IsWellKnown(windows.WinLocalSystemSid) { return nil } - sidString, err := sid.String() + additionalEntries := []windows.EXPLICIT_ACCESS{{ + AccessPermissions: windows.GENERIC_ALL, + AccessMode: windows.GRANT_ACCESS, + Trustee: windows.TRUSTEE{ + TrusteeForm: windows.TRUSTEE_IS_SID, + TrusteeType: windows.TRUSTEE_IS_USER, + TrusteeValue: windows.TrusteeValueFromSID(fileOwner), + }, + }} + + sd, err := ipc.UAPISecurityDescriptor.ToAbsolute() + if err != nil { + return err + } + dacl, defaulted, _ := sd.DACL() + + newDacl, err := windows.ACLFromEntries(additionalEntries, dacl) + if err != nil { + return err + } + err = sd.SetDACL(newDacl, true, defaulted) if err != nil { return err } - ipc.UAPISecurityDescriptor += fmt.Sprintf("(A;;GA;;;%s)", sidString) + sd, err = sd.ToSelfRelative() + if err != nil { + return err + } + ipc.UAPISecurityDescriptor = sd + return nil } |