From 791aea49e6cdab83c5ac9ca203104859a57f4260 Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Thu, 4 Feb 2016 23:19:59 -0500 Subject: [PATCH 1/3] Do not use interactive service if running as admin Connecting to a named pipe server while running with admin rights is not secure in some windows versions. As the interactive service is not required to set routes while running as admin, this looks like a safe compromise. Fix based on feedback from Heiko Hund - Move IsUserAdmin() check before opening the service pipe Signed-off-by: Selva Nair --- misc.c | 25 +++++++++++++++++++++++++ misc.h | 2 ++ openvpn.c | 5 +++-- 3 files changed, 30 insertions(+), 2 deletions(-) diff --git a/misc.c b/misc.c index e21dd93..0326f97 100644 --- a/misc.c +++ b/misc.c @@ -190,3 +190,28 @@ ForceForegroundWindow(HWND hWnd) return ret; } + +/* + * Check user has admin rights + * Taken from https://msdn.microsoft.com/en-us/library/windows/desktop/aa376389(v=vs.85).aspx + * Returns true if the calling process token has the local Administrators group enabled + * in its SID. Assumes the caller is not impersonating and has access to open its own + * process token. + */ +BOOL IsUserAdmin(VOID) +{ + BOOL b; + SID_IDENTIFIER_AUTHORITY NtAuthority = {SECURITY_NT_AUTHORITY}; + PSID AdministratorsGroup; + + b = AllocateAndInitializeSid (&NtAuthority, 2, SECURITY_BUILTIN_DOMAIN_RID, + DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, + &AdministratorsGroup); + if(b) + { + CheckTokenMembership(NULL, AdministratorsGroup, &b); + FreeSid(AdministratorsGroup); + } + + return(b); +} diff --git a/misc.h b/misc.h index 615ba73..8792755 100644 --- a/misc.h +++ b/misc.h @@ -30,4 +30,6 @@ BOOL streq(LPCSTR, LPCSTR); BOOL wcsbegins(LPCWSTR, LPCWSTR); BOOL ForceForegroundWindow(HWND); + +BOOL IsUserAdmin(VOID); #endif diff --git a/openvpn.c b/openvpn.c index 7ccf45f..213a189 100644 --- a/openvpn.c +++ b/openvpn.c @@ -692,10 +692,11 @@ StartOpenVPN(connection_t *c) (o.proxy_source != config ? _T("--management-query-proxy ") : _T(""))); /* Try to open the service pipe */ - service = CreateFile(_T("\\\\.\\pipe\\openvpn\\service"), + if (!IsUserAdmin()) + service = CreateFile(_T("\\\\.\\pipe\\openvpn\\service"), GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); - if (service != INVALID_HANDLE_VALUE) + if (service && service != INVALID_HANDLE_VALUE) { DWORD size = _tcslen(c->config_dir) + _tcslen(options) + sizeof(c->manage.password) + 3; TCHAR startup_info[1024]; From 4437ce7a8cd7e0508d26fede84fcaf5d040a8c05 Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Thu, 4 Feb 2016 23:28:09 -0500 Subject: [PATCH 2/3] Change default log file location to a OpenVPN/log in user's profile directory Change the default log file location to OpenVPN/log in user's profile directory to support running without admin privileges using the interactive service. The registry keys are moved to HKCU from HKLM to allow for user-specific settings as well as to avoid the need for running the GUI as admin at the first instance. Signed-off-by: Selva Nair --- openvpn-gui-res.h | 1 + registry.c | 18 ++++++++++++------ res/openvpn-gui-res-en.rc | 1 + 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/openvpn-gui-res.h b/openvpn-gui-res.h index 86057bb..8377ce3 100644 --- a/openvpn-gui-res.h +++ b/openvpn-gui-res.h @@ -239,5 +239,6 @@ #define IDS_ERR_OPEN_WRITE_REG 1810 #define IDS_ERR_READ_SET_KEY 1811 #define IDS_ERR_WRITE_REGVALUE 1812 +#define IDS_ERR_GET_PROFILE_DIR 1813 #endif diff --git a/registry.c b/registry.c index 70d8149..923c7dd 100644 --- a/registry.c +++ b/registry.c @@ -42,6 +42,7 @@ GetRegistryKeys() TCHAR windows_dir[MAX_PATH]; TCHAR temp_path[MAX_PATH]; TCHAR openvpn_path[MAX_PATH]; + TCHAR profile_dir[MAX_PATH]; HKEY regkey; if (!GetWindowsDirectory(windows_dir, _countof(windows_dir))) { @@ -50,6 +51,11 @@ GetRegistryKeys() return(false); } + if (SHGetFolderPath(NULL, CSIDL_PROFILE, NULL, SHGFP_TYPE_CURRENT, profile_dir) != S_OK) { + ShowLocalizedMsg(IDS_ERR_GET_PROFILE_DIR); + return(false); + } + /* Get path to OpenVPN installation. */ if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\OpenVPN"), 0, KEY_READ, ®key) != ERROR_SUCCESS) @@ -78,7 +84,7 @@ GetRegistryKeys() if (!GetRegKey(_T("exe_path"), o.exe_path, temp_path, _countof(o.exe_path))) return(false); - _sntprintf_0(temp_path, _T("%slog"), openvpn_path); + _sntprintf_0(temp_path, _T("%s\\OpenVPN\\log"), profile_dir); if (!GetRegKey(_T("log_dir"), o.log_dir, temp_path, _countof(o.log_dir))) return(false); @@ -178,7 +184,7 @@ int GetRegKey(const TCHAR name[], TCHAR *data, const TCHAR default_data[], DWORD return(true); } - status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, + status = RegOpenKeyEx(HKEY_CURRENT_USER, _T("SOFTWARE\\OpenVPN-GUI"), 0, KEY_READ, @@ -186,7 +192,7 @@ int GetRegKey(const TCHAR name[], TCHAR *data, const TCHAR default_data[], DWORD if (status != ERROR_SUCCESS) { - if (RegCreateKeyEx(HKEY_LOCAL_MACHINE, + if (RegCreateKeyEx(HKEY_CURRENT_USER, _T("Software\\OpenVPN-GUI"), 0, _T(""), @@ -197,7 +203,7 @@ int GetRegKey(const TCHAR name[], TCHAR *data, const TCHAR default_data[], DWORD &dwDispos) != ERROR_SUCCESS) { /* error creating registry key */ - ShowLocalizedMsg(IDS_ERR_CREATE_REG_KEY); + ShowLocalizedMsg(IDS_ERR_CREATE_REG_HKCU_KEY, _T("OpenVPN-GUI")); return(false); } } @@ -208,7 +214,7 @@ int GetRegKey(const TCHAR name[], TCHAR *data, const TCHAR default_data[], DWORD if (status != ERROR_SUCCESS || type != REG_SZ) { /* key did not exist - set default value */ - status = RegOpenKeyEx(HKEY_LOCAL_MACHINE, + status = RegOpenKeyEx(HKEY_CURRENT_USER, _T("SOFTWARE\\OpenVPN-GUI"), 0, KEY_READ | KEY_WRITE, @@ -216,7 +222,7 @@ int GetRegKey(const TCHAR name[], TCHAR *data, const TCHAR default_data[], DWORD if (status != ERROR_SUCCESS) { /* can't open registry for writing */ - ShowLocalizedMsg(IDS_ERR_OPEN_WRITE_REG); + ShowLocalizedMsg(IDS_ERR_WRITE_REGVALUE, _T("OpenVPN-GUI"), name); return(false); } if(!SetRegistryValue(openvpn_key_write, name, default_data)) diff --git a/res/openvpn-gui-res-en.rc b/res/openvpn-gui-res-en.rc index 490efcb..431f4bd 100644 --- a/res/openvpn-gui-res-en.rc +++ b/res/openvpn-gui-res-en.rc @@ -325,6 +325,7 @@ BEGIN /* registry */ IDS_ERR_GET_WINDOWS_DIR "Error getting Windows Directory." + IDS_ERR_GET_PROFILE_DIR "Error getting User Profile Directory." IDS_ERR_GET_PROGRAM_DIR "Error getting ""Program"" folder name." IDS_ERR_OPEN_REGISTRY "Error opening registry for reading (HKLM\\SOFTWARE\\OpenVPN).\n " \ "OpenVPN is probably not installed" From 09334e71a0277ecf00e45b389c9238a150e13317 Mon Sep 17 00:00:00 2001 From: Selva Nair Date: Thu, 4 Feb 2016 23:41:02 -0500 Subject: [PATCH 3/3] Fix the path of notepad.exe Signed-off-by: Selva Nair --- registry.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/registry.c b/registry.c index 923c7dd..f220566 100644 --- a/registry.c +++ b/registry.c @@ -93,11 +93,11 @@ GetRegistryKeys() if (!GetRegKey(_T("priority"), o.priority_string, _T("NORMAL_PRIORITY_CLASS"), _countof(o.priority_string))) return(false); - _sntprintf_0(temp_path, _T("%s\\notepad.exe"), windows_dir); + _sntprintf_0(temp_path, _T("%s\\system32\\notepad.exe"), windows_dir); if (!GetRegKey(_T("log_viewer"), o.log_viewer, temp_path, _countof(o.log_viewer))) return(false); - _sntprintf_0(temp_path, _T("%s\\notepad.exe"), windows_dir); + _sntprintf_0(temp_path, _T("%s\\system32\\notepad.exe"), windows_dir); if (!GetRegKey(_T("editor"), o.editor, temp_path, _countof(o.editor))) return(false);