From 6e4f7f759f091ec30af60ebc8a405d84f8234cc5 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" 
Date: Wed, 8 May 2019 09:11:15 +0200
Subject: main: when called with no args, check for admin group membership

This should cut back on user confusion.
---
 main.go | 38 +++++++++++++++++++++++++++++++++-----
 1 file changed, 33 insertions(+), 5 deletions(-)

diff --git a/main.go b/main.go
index 18b83e92..f7c10f32 100644
--- a/main.go
+++ b/main.go
@@ -12,9 +12,11 @@ import (
 	"golang.zx2c4.com/wireguard/windows/service"
 	"golang.zx2c4.com/wireguard/windows/ui"
 	"os"
+	"runtime"
 	"strconv"
 	"strings"
 	"time"
+	"unsafe"
 )
 
 var flags = [...]string{
@@ -48,11 +50,8 @@ func usage() {
 
 func checkForWow64() {
 	var b bool
-	p, err := windows.GetCurrentProcess()
-	if err != nil {
-		fatal("Unable to determine current process handle: ", err)
-	}
-	err = isWow64Process(p, &b)
+	p, _ := windows.GetCurrentProcess()
+	err := isWow64Process(p, &b)
 	if err != nil {
 		fatal("Unable to determine whether the process is running under WOW64: ", err)
 	}
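Review bot: The new `p, _ := windows.GetCurrentProcess()` in checkForWow64 discards an error with no justification, and a reader of this line cannot tell whether the old check was dead code or was dropped by mistake. The underlying Win32 call returns a process pseudo-handle and does not fail, so the removal is fine, but say so on the line: `p, _ := windows.GetCurrentProcess() // returns a pseudo-handle; cannot fail`. The rest of checkForWow64's body continues outside the hunk.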
@@ -61,6 +60,34 @@ func checkForWow64() {
 	}
 }
 
+func checkForAdminGroup() {
+	// This is not a security check, but rather a user-confusion one.
+	adminSid, err := windows.CreateWellKnownSid(windows.WinBuiltinAdministratorsSid)
+	if err != nil {
+		fatal("Unable to create well-known SID for Builtin Administrators: ", err)
+	}
+	token, err := windows.OpenCurrentProcessToken()
+	if err != nil {
+		fatal("Unable to open current process token: ", err)
+	}
+	gs, err := token.GetTokenGroups()
+	if err != nil {
+		fatal("Unable to get groups of current process token: ", err)
+	}
+	groups := (*[(1 << 28) - 1]windows.SIDAndAttributes)(unsafe.Pointer(&gs.Groups[0]))[:gs.GroupCount]
+	isAdmin := false
+	for _, g := range groups {
+		if windows.EqualSid(g.Sid, adminSid) {
+			isAdmin = true
+			break
+		}
+	}
+	runtime.KeepAlive(gs)
+	if !isAdmin {
+		fatal("WireGuard may only be used by users who are a member of the Builtin Administrators group.")
+	}
+}
+
 //sys shellExecute(hwnd windows.Handle, verb *uint16, file *uint16, args *uint16, cwd *uint16, showCmd int) (err error) = shell32.ShellExecuteW
 func execElevatedManagerServiceInstaller() error {
 	path, err := os.Executable()
@@ -87,6 +114,7 @@ func main() {
 	checkForWow64()
 
 	if len(os.Args) <= 1 {
+		checkForAdminGroup()
 		if ui.RaiseUI() {
 			return
 		}
-- 
cgit v1.2.3-59-g8ed1b
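Review bot: The token obtained from `windows.OpenCurrentProcessToken()` in checkForAdminGroup is never closed, so the success path leaks a handle; add `defer token.Close()` directly after its error check. The loop compares only `g.Sid` and ignores `g.Attributes`, which presumably is what lets a non-elevated administrator's UAC-filtered token (Administrators SID present but not enabled) still pass, and that intent deserves a line in the existing comment: `// Group attributes are deliberately ignored so a UAC-filtered admin token still counts.` The `(1 << 28) - 1` array cast over `gs.Groups` paired with `runtime.KeepAlive(gs)` after the loop is the usual way to walk the variable-length member and looks correct. In the main hunk the call is made only on the `len(os.Args) <= 1` path, consistent with the commit title and the "not a security check" comment.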