github
/
openvpn-gui
mirror of https://github.com/OpenVPN/openvpn-gui
1
0
Fork 0
Code Issues Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
857 Commits
3 Branches
112 Tags
18 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
openvpn-gui/access.c

455 lines
12 KiB
Raw Permalink Normal View History Unescape

Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
/*
* This file is a part of OpenVPN-GUI -- A Windows GUI for OpenVPN.
*
* Copyright (C) 2016 Selva Nair <selva.nair@gmail.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program (see the file COPYING included with this
* distribution); if not, write to the Free Software Foundation, Inc.,
* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifndef SECURITY_WIN32
#define SECURITY_WIN32
#endif
#include <windows.h>
#include <shellapi.h>
#include <lm.h>
#include <stdlib.h>
#include <security.h>
#include "main.h"
#include "options.h"
#include "service.h"
#include "localization.h"
#include "openvpn-gui-res.h"
PLAP: Add an option to register the COM dll - ShellExecute with runas is used to elevate - This Option is hidden if PLAP dll is not found in the install_path bin folder - Depends on the presence of openvpn-plap-install.reg and openvpn-plap-uninstall.reg in the install-path bin folder. Signed-off-by: Selva Nair <selva.nair@gmail.com>
2 years ago
#include "misc.h"
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
extern options_t o;
#define MAX_UNAME_LEN (UNLEN + DNLEN + 2) /* UNLEN, DNLEN from lmcons.h +2 for '\' and NULL */
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
static BOOL GetOwnerSID(PSID sid, DWORD sid_size);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
static BOOL IsUserInGroup(PSID sid, PTOKEN_GROUPS token_groups, const WCHAR *group_name);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
static PTOKEN_GROUPS GetProcessTokenGroups(void);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
/*
* The Administrators group may be localized or renamed by admins.
* Get the local name of the group using the SID.
*/
static BOOL
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
{
BOOL b = FALSE;
PSID admin_sid = NULL;
DWORD sid_size = SECURITY_MAX_SID_SIZE;
SID_NAME_USE su;
WCHAR domain[MAX_NAME];
DWORD dlen = _countof(domain);
admin_sid = malloc(sid_size);
if (!admin_sid)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return FALSE;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid,
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
&sid_size);
if (b)
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
{
b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &su);
}
#ifdef DEBUG
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
PrintDebug(L"builtin admin group name = %ls", name);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
#endif
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
free(admin_sid);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return b;
}
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
/*
* Add current user to the specified group. Uses RunAsAdmin to elevate.
Ensure group name in shell-execute cmdline is clean - Also fix typo in a comment. Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
* Reject if the group name contains certain illegal characters.
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
*/
static BOOL
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
AddUserToGroup(const WCHAR *group)
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
{
WCHAR username[MAX_UNAME_LEN];
WCHAR cmd[MAX_PATH] = L"C:\\windows\\system32\\cmd.exe";
WCHAR netcmd[MAX_PATH] = L"C:\\windows\\system32\\net.exe";
WCHAR syspath[MAX_PATH];
WCHAR *params = NULL;
/* command: cmd.exe, params: /c net.exe group /add & net.exe group user /add */
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
const WCHAR *fmt = L"/c %ls localgroup \"%ls\" /add & %ls localgroup \"%ls\" \"%ls\" /add";
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
DWORD size;
DWORD status;
BOOL retval = FALSE;
Ensure group name in shell-execute cmdline is clean - Also fix typo in a comment. Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
WCHAR reject[] = L"\"\?\\/[]:;|=,+*<>\'&";
/*
* The only unknown content in the command line is the variable group. Ensure it
* does not contain any '"' character. Here we reject all characters not allowed
* in group names and special characters such as '&' as well.
*/
if (wcspbrk(group, reject) != NULL)
{
#ifdef DEBUG
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
PrintDebug(L"AddUSerToGroup: illegal characters in group name: '%ls'.", group);
Ensure group name in shell-execute cmdline is clean - Also fix typo in a comment. Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
#endif
return retval;
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
size = _countof(username);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
if (!GetUserNameExW(NameSamCompatible, username, &size))
{
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return retval;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
size = _countof(syspath);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
if (GetSystemDirectory(syspath, size))
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
{
syspath[size-1] = L'\0';
size = _countof(cmd);
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
_snwprintf(cmd, size, L"%ls\\%ls", syspath, L"cmd.exe");
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
cmd[size-1] = L'\0';
size = _countof(netcmd);
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
_snwprintf(netcmd, size, L"%ls\\%ls", syspath, L"net.exe");
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
netcmd[size-1] = L'\0';
}
size = (wcslen(fmt) + wcslen(username) + 2*wcslen(group) + 2*wcslen(netcmd)+ 1);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
if ((params = malloc(size*sizeof(WCHAR))) == NULL)
{
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return retval;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
_snwprintf(params, size, fmt, netcmd, group, netcmd, group, username);
params[size-1] = L'\0';
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
status = RunAsAdmin(cmd, params);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
if (status == 0)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
retval = TRUE;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
#ifdef DEBUG
if (status == (DWORD) -1)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
PrintDebug(L"RunAsAdmin: failed to execute the command [%ls %ls] : error = 0x%x",
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
cmd, params, GetLastError());
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
else if (status)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
PrintDebug(L"RunAsAdmin: command [%ls %ls] returned exit_code = %lu",
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
cmd, params, status);
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
#endif
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
free(params);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return retval;
}
/*
* Check whether the config location is authorized for startup through
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
* interactive service.
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
*/
static BOOL
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
CheckConfigPath(const WCHAR *config_dir)
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
{
BOOL ret = FALSE;
int size = wcslen(o.global_config_dir);
/* if interactive service is not running, no access control: return TRUE */
if (!CheckIServiceStatus(FALSE))
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
ret = TRUE;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
/* if config is from the global location allow it */
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
else if (wcsncmp(config_dir, o.global_config_dir, size) == 0
&& wcsstr(config_dir + size, L"..") == NULL)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
ret = TRUE;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return ret;
}
/*
* If config_dir for a connection is not in an authorized location,
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
* and user is not in built-in Administrators or ovpn_admin groups
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
* show a dialog to add the user to the ovpn_admin_group.
*/
BOOL
AuthorizeConfig(const connection_t *c)
{
DWORD res;
BOOL retval = FALSE;
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
WCHAR *admin_group;
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
WCHAR sysadmin_group[MAX_NAME];
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
BYTE sid_buf[SECURITY_MAX_SID_SIZE];
DWORD sid_size = SECURITY_MAX_SID_SIZE;
PSID sid = (PSID) sid_buf;
PTOKEN_GROUPS groups = NULL;
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group)))
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
admin_group = sysadmin_group;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
else
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
admin_group = L"Administrators";
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
PrintDebug(L"Authorized groups: '%ls', '%ls'", admin_group, o.ovpn_admin_group);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
if (CheckConfigPath(c->config_dir))
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
return TRUE;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
if (!GetOwnerSID(sid, sid_size))
{
if (!o.silent_connection)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
MessageBoxW(NULL, L"Failed to determine process owner SID", L""PACKAGE_NAME, MB_OK);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
return FALSE;
}
groups = GetProcessTokenGroups();
if (IsUserInGroup(sid, groups, admin_group)
|| IsUserInGroup(sid, groups, o.ovpn_admin_group))
{
free(groups);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return TRUE;
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
}
free(groups);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
/* do not attempt to add user to sysadmin_group or a no-name group */
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
if (wcscmp(admin_group, o.ovpn_admin_group) == 0
|| wcslen(o.ovpn_admin_group) == 0
|| !o.netcmd_semaphore)
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
{
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
ShowLocalizedMsg(IDS_ERR_CONFIG_NOT_AUTHORIZED, c->config_name, o.ovpn_admin_group);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return FALSE;
}
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
if (WaitForSingleObject(o.netcmd_semaphore, 0) != WAIT_OBJECT_0)
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
{
/* Could not lock semaphore -- auth dialog already running? */
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
ShowLocalizedMsg(IDS_NFO_CONFIG_AUTH_PENDING, c->config_name, o.ovpn_admin_group);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return FALSE;
}
/* semaphore locked -- relase before return */
URL profile import: allow specifying owner window of message box This will be used later when parent window needs to be disabled when message box is displayed. Signed-off-by: Lev Stipakov <lev@openvpn.net>
3 years ago
res = ShowLocalizedMsgEx(MB_YESNO|MB_ICONWARNING, NULL, TEXT(PACKAGE_NAME),
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
IDS_ERR_CONFIG_TRY_AUTHORIZE, c->config_name,
o.ovpn_admin_group);
if (res == IDYES)
{
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
AddUserToGroup(o.ovpn_admin_group);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
/*
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
* Check the success of above by testing the group membership again
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
*/
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
if (IsUserInGroup(sid, NULL, o.ovpn_admin_group))
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
retval = TRUE;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
else
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
ShowLocalizedMsg(IDS_ERR_ADD_USER_TO_ADMIN_GROUP, o.ovpn_admin_group);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
SetForegroundWindow(o.hWnd);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
}
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
ReleaseSemaphore(o.netcmd_semaphore, 1, NULL);
Handle interactive service policy restrictions When a connection is attempted using a config in a location that would fail, offer an option to add the user to the "OpenVPN Administrators" group. This is done using shell-execute which will show a UAC prompt for elevation. If it fails (due to user chooses NO or the UAC dialog fails) the connection is not started. v2 Changes - Rebase to master - Automaticlaly add the admin group if it doesn't exist - Allow unicode strings in debug output - Use domain\username to identify user - Fix the PrintDebug macro Minor changes based on user feedback - Bring the window back to foreground after UAC prompt completion - Show a message if another connection is tried during authorization - Do not add user to ovpn_admin_group if it is same as the built-in admin group Signed-off-by: Selva Nair <selva.nair@gmail.com>
9 years ago
return retval;
}
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
/*
* Find SID from name
*
* On input sid should have space for at least sid_size bytes.
* Returns TRUE on success, FALSE on error.
* Hint: allocate sid to hold SECURITY_MAX_SID_SIZE bytes
*/
static BOOL
LookupSID(const WCHAR *name, PSID sid, DWORD sid_size)
{
SID_NAME_USE su;
WCHAR domain[MAX_NAME];
DWORD dlen = _countof(domain);
if (!LookupAccountName(NULL, name, sid, &sid_size, domain, &dlen, &su))
{
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
PrintDebug(L"LookupSID failed for '%ls'", name);
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
return FALSE;
}
return TRUE;
}
/**
* Get a list of groups in the token for the current proceess.
* Returns a pointer to TOKEN_GROUPS structure or NULL on error.
* The caller should free the returned pointer.
*/
static PTOKEN_GROUPS
GetProcessTokenGroups(void)
{
HANDLE token;
PTOKEN_GROUPS groups = NULL;
DWORD buf_size = 0;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token))
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
return NULL;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
if (!GetTokenInformation(token, TokenGroups, NULL, 0, &buf_size)
&& GetLastError() == ERROR_INSUFFICIENT_BUFFER)
{
groups = malloc(buf_size);
}
if (!groups)
{
PrintDebug(L"GetProcessTokenGroups: error = %lu", GetLastError());
Close token handle in GetProcessTokenGroups() Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
goto out;
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
}
if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size))
{
PrintDebug(L"Failed to get Token Group Information: error = %lu", GetLastError);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
free(groups);
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
groups = NULL;
}
Close token handle in GetProcessTokenGroups() Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
out:
CloseHandle(token);
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
return groups;
}
/**
* Check the list of token_groups include the SID of the group_name
* OR the specified user SID is in a local group named group_name.
* The latter check is done to recognize situations where the user is
* added to the group dynamically through the GUI.
*
* Using sid and token groups instead of username avoids reference to
* domains so that this could be completed without access to a Domain
* Controller.
*
* Returns true if the user is in the group, false otherwise.
*/
static BOOL
IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_name)
{
BOOL ret = FALSE;
DWORD_PTR resume = 0;
DWORD err;
BYTE grp_sid[SECURITY_MAX_SID_SIZE];
int nloop = 0; /* a counter used to not get stuck in the do .. while() */
/* first check in the token groups */
if (token_groups && LookupSID(group_name, (PSID) grp_sid, _countof(grp_sid)))
{
for (DWORD i = 0; i < token_groups->GroupCount; ++i)
{
if (EqualSid((PSID) grp_sid, token_groups->Groups[i].Sid))
{
PrintDebug(L"Found group in token at position %lu", i);
return TRUE;
}
}
}
if (!sid)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
return FALSE;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
do
{
DWORD nread, nmax;
LOCALGROUP_MEMBERS_INFO_0 *members = NULL;
err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *) &members,
MAX_PREFERRED_LENGTH, &nread, &nmax, &resume);
if (err != NERR_Success && err != ERROR_MORE_DATA)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
break;
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
/* If a match is already found, ret = TRUE, the loop is skipped */
for (DWORD i = 0; i < nread && !ret; ++i)
{
ret = EqualSid(members[i].lgrmi0_sid, sid);
}
NetApiBufferFree(members);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
/* MSDN says the lookup should always iterate until err != ERROR_MORE_DATA */
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
} while (err == ERROR_MORE_DATA && nloop++ < 100);
if (err != NERR_Success && err != NERR_GroupNotFound)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
PrintDebug(L"NetLocalGroupGetMembers for group '%ls' failed: error = %lu", group_name, err);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
if (ret)
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
{
Use C standrad compliant printf specifications %S --> %hs in wide format strings, %ls otherwise %s --> %ls in wide format strings, unchanged otherwise %c --> %lc in wide format strings Resource files together have about 970 lines affected and were edited by looping through all with sed -i 's/%S/%hs/g' $file sed -i 's/%s/%ls/g' $file All other files were manually changed (about 85 lines). Recent versions of mingw-w64 implicitly turns on __USE_MINGW_ANSI_STDIO if _GNU_SOURCE, _XOPEN_SOURCE etc are defined (which we do usei). This breaks non-standard spec such as %S. Anyway, we have been gradually getting rid of those. MSVC builds should not be affected. v2: multiple occurrences in same line was missed in v1 (/g missing in sed expression). Fixed. Signed-off-by: Selva Nair <selva.nair@gmail.com>
3 years ago
PrintDebug(L"User is in group '%ls'", group_name);
Reformat source code with uncrustify Closes: #445 Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com>
1 year ago
}
Check group membership without needing connection to DC Current approach of querying the group membership of DOMAIN\username fails for domain users if no DC is reachable. Instead authorize the user if (i) admin groups are found in the process token (ii) or the SID of the user is a member of the admin groups The second check is needed to support adding the user to the ovpn_admin_group when GUI is running, as such changes in group membership will not be reflected in the token. Signed-off-by: Selva Nair <selva.nair@gmail.com>
8 years ago
return ret;
}
/**
* Get SID of the current process owner
* On input sid must have space for at least sid_size bytes
*
* On success return true, else return false.
*/
static BOOL
GetOwnerSID(PSID sid, DWORD sid_size)
{
BOOL ret = FALSE;
HANDLE token;
DWORD buf_size = 0;
TOKEN_USER *tu = NULL;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &token))
{
PrintDebug(L"Failed to get current process token: error = %lu", GetLastError());
return ret;
}
GetTokenInformation(token, TokenUser, NULL, 0, &buf_size);
PrintDebug(L"Needed buffer size for Token User = %lu", buf_size);
tu = malloc(buf_size);
if (!tu || !GetTokenInformation(token, TokenUser, tu, buf_size, &buf_size))
{
PrintDebug(L"Failed to get Token User Information: error = %lu", GetLastError);
goto out;
}
if (!CopySid(sid_size, sid, tu->User.Sid))
{
PrintDebug(L"CopySid Failed: error = %lu", GetLastError());
goto out;
}
ret = TRUE;
out:
CloseHandle(token);
free(tu);
return ret;
}