From 11a667c8decb4a2e7caee7aac7d4f1d7b82f5f21 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" 
Date: Fri, 19 Jul 2019 15:59:53 +0200
Subject: tunnel: extract owner of config file for pipe dacl

If the config file is unencrypted and its owner is not Local System, then we allow the runtime named pipe to be accessed by that owner, since generally the private key is already stored in the config file.

Signed-off-by: Jason A. Donenfeld
---
 tunnel/ipcpermissions.go | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 tunnel/ipcpermissions.go
(limited to 'tunnel/ipcpermissions.go')
diff --git a/tunnel/ipcpermissions.go b/tunnel/ipcpermissions.go
new file mode 100644
index 00000000..48f21f1f
--- /dev/null
+++ b/tunnel/ipcpermissions.go
@@ -0,0 +1,55 @@
+/* SPDX-License-Identifier: MIT
+ *
+ * Copyright (C) 2019 WireGuard LLC. All Rights Reserved.
+ */
+
+package tunnel
+
+import (
+ "fmt"
+ "unsafe"
+
+ "golang.org/x/sys/windows"
+ "golang.zx2c4.com/wireguard/ipc"
+
+ "golang.zx2c4.com/wireguard/windows/conf"
+)
+
+func CopyConfigOwnerToIPCSecurityDescriptor(filename string) error {
+ if conf.PathIsEncrypted(filename) {
+ return nil
+ }
+ handle, err := windows.CreateFile(windows.StringToUTF16Ptr(filename), windows.STANDARD_RIGHTS_READ, windows.FILE_SHARE_READ | windows.FILE_SHARE_WRITE, nil, windows.OPEN_EXISTING, 0, 0)
+ if err != nil {
+ return err
+ }
+ defer windows.CloseHandle(handle)
+ var sid *windows.SID
+ var sd windows.Handle
+ //TODO: Move into x/sys/windows
+ const SE_FILE_OBJECT = 1
+ const OWNER_SECURITY_INFORMATION = 1
+ r, _, _ := windows.NewLazySystemDLL("advapi32.dll").NewProc("GetSecurityInfo").Call(
+ uintptr(handle),
+ SE_FILE_OBJECT,
+ OWNER_SECURITY_INFORMATION,
+ uintptr(unsafe.Pointer(&sid)),
+ 0,
+ 0,
+ 0,
+ uintptr(unsafe.Pointer(&sd)),
+ )
+ if r != uintptr(windows.ERROR_SUCCESS) {
+ return windows.Errno(r)
+ }
+ defer windows.LocalFree(sd)
+ if sid.IsWellKnown(windows.WinLocalSystemSid) {
+ return nil
+ }
+ sidString, err := sid.String()
+ if err != nil {
+ return err
+ }
+ ipc.UAPISecurityDescriptor += fmt.Sprintf("(A;;GA;;;%s)", sidString)
+ return nil
+}
-- 
cgit v1.2.3-59-g8ed1b
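Review bot: `sid` is dereferenced at `if sid.IsWellKnown(windows.WinLocalSystemSid)` with no nil check, and GetSecurityInfo can report ERROR_SUCCESS while handing back a NULL owner pointer when the descriptor carries no owner, so a config file in that state would crash the service instead of being rejected; add `if sid == nil { return nil }` (or return an error, if an ownerless config should not be trusted) right after the `r != uintptr(windows.ERROR_SUCCESS)` check. The `+=` on `ipc.UAPISecurityDescriptor` appends a new `(A;;GA;;;<owner SID>)` allow ACE to a package-level global on every call, so invoking the function twice in one process, or once per tunnel with differing owners, widens the pipe DACL cumulatively rather than replacing the entry, and the GA right gives that owner the same control over the tunnel's UAPI pipe that Local System has. The exported function has no doc comment, so state that contract where callers will see it: `// CopyConfigOwnerToIPCSecurityDescriptor grants the owner of an unencrypted config file full (GA) access to the UAPI named pipe by appending an allow ACE to ipc.UAPISecurityDescriptor; it appends on every call, so call it once per process, presumably before the UAPI listener is created.` Pinning the exact ACE string in the comment also makes the later `//TODO: Move into x/sys/windows` constants easier to audit when they are replaced.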