Diffstat (limited to 'tunnel')
-rw-r--r--tunnel/ipcpermissions.go55
-rw-r--r--tunnel/service.go5
2 files changed, 60 insertions, 0 deletions
diff --git a/tunnel/ipcpermissions.go b/tunnel/ipcpermissions.go
new file mode 100644
index 00000000..48f21f1f
--- /dev/null
+++ b/tunnel/ipcpermissions.go
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package tunnel
+
+import (
+ "fmt"
+ "unsafe"
+
+ "golang.org/x/sys/windows"
+ "golang.zx2c4.com/wireguard/ipc"
+
+ "golang.zx2c4.com/wireguard/windows/conf"
+)
+
+func CopyConfigOwnerToIPCSecurityDescriptor(filename string) error {
+ if conf.PathIsEncrypted(filename) {
+ return nil
+ }
+ handle, err := windows.CreateFile(windows.StringToUTF16Ptr(filename), windows.STANDARD_RIGHTS_READ, windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE, nil, windows.OPEN_EXISTING, 0, 0)
+ if err != nil {
+ return err
+ }
+ defer windows.CloseHandle(handle)
+ var sid *windows.SID
+ var sd windows.Handle
+ //TODO: Move into x/sys/windows
+ const SE_FILE_OBJECT = 1
+ const OWNER_SECURITY_INFORMATION = 1
+ r, _, _ := windows.NewLazySystemDLL("advapi32.dll").NewProc("GetSecurityInfo").Call(
+ uintptr(handle),
+ SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION,
+ uintptr(unsafe.Pointer(&sid)),
+ 0,
+ 0,
+ 0,
+ uintptr(unsafe.Pointer(&sd)),
+ )
+ if r != uintptr(windows.ERROR_SUCCESS) {
+ return windows.Errno(r)
+ }
+ defer windows.LocalFree(sd)
+ if sid.IsWellKnown(windows.WinLocalSystemSid) {
+ return nil
+ }
+ sidString, err := sid.String()
+ if err != nil {
+ return err
+ }
+ ipc.UAPISecurityDescriptor += fmt.Sprintf("(A;;GA;;;%s)", sidString)
+ return nil
+}
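Review bot: The ACE appended on the last line grants GA (generic all) on the UAPI pipe to whichever account owns the plaintext config at `filename`, and that owner is read by a second open of the path (`windows.CreateFile` with `dwFlagsAndAttributes` 0, so reparse points are followed) rather than from the file whose contents the service just parsed, so the SID can belong to a different object than the one that was loaded. If the caller still holds a handle from the earlier load, taking that handle instead of re-opening by name would close the gap; otherwise a comment stating the assumption is worth adding. The function also appends to `ipc.UAPISecurityDescriptor` on every call with no idempotence guard, and nothing in this hunk shows that the descriptor is consumed only after the append, which the (currently missing) doc comment on this exported function should make explicit: `// CopyConfigOwnerToIPCSecurityDescriptor appends an allow-GA ACE for the owner of the plaintext config file at filename to ipc.UAPISecurityDescriptor. Encrypted config paths and files owned by LocalSystem are left untouched; call it once, before the UAPI listener reads the descriptor.` As a style point, gofmt would write the share-mode argument as `windows.FILE_SHARE_READ|windows.FILE_SHARE_WRITE`.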
diff --git a/tunnel/service.go b/tunnel/service.go
index c0ead084..752b9561 100644
--- a/tunnel/service.go
+++ b/tunnel/service.go
@@ -117,6 +117,11 @@ func (service *Service) Execute(args []string, r <-chan svc.ChangeRequest, chang
serviceError = services.ErrorLoadConfiguration
return
}
+ err = CopyConfigOwnerToIPCSecurityDescriptor(service.Path)
+ if err != nil {
+ serviceError = services.ErrorLoadConfiguration
+ return
+ }
logPrefix := fmt.Sprintf("[%s] ", conf.Name)
log.SetPrefix(logPrefix)