diff options
author | Bernhard Schmidt <berni@debian.org> | 2020-04-19 15:52:33 +0200 |
---|---|---|
committer | Bernhard Schmidt <berni@debian.org> | 2020-04-19 15:52:33 +0200 |
commit | 620785fe268a1221c1ba7a9cb5a70f3140a4f1ca (patch) | |
tree | 7b876715822d9620801283022ba73f2fce7387a3 /src/openvpnserv | |
parent | 8a3450ef8682b9085637d7b94afc5c7e6f92e64b (diff) |
New upstream version 2.4.9upstream/2.4.9
Diffstat (limited to 'src/openvpnserv')
-rw-r--r-- | src/openvpnserv/Makefile.in | 2 | ||||
-rw-r--r-- | src/openvpnserv/common.c | 4 | ||||
-rw-r--r-- | src/openvpnserv/interactive.c | 41 |
3 files changed, 28 insertions, 19 deletions
diff --git a/src/openvpnserv/Makefile.in b/src/openvpnserv/Makefile.in index 05b2b49..90a9abe 100644 --- a/src/openvpnserv/Makefile.in +++ b/src/openvpnserv/Makefile.in @@ -285,6 +285,8 @@ OPENVPN_VERSION_PATCH = @OPENVPN_VERSION_PATCH@ OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ +OPTIONAL_INOTIFY_CFLAGS = @OPTIONAL_INOTIFY_CFLAGS@ +OPTIONAL_INOTIFY_LIBS = @OPTIONAL_INOTIFY_LIBS@ OPTIONAL_LZ4_CFLAGS = @OPTIONAL_LZ4_CFLAGS@ OPTIONAL_LZ4_LIBS = @OPTIONAL_LZ4_LIBS@ OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c index 73c418f..eb718d4 100644 --- a/src/openvpnserv/common.c +++ b/src/openvpnserv/common.c @@ -102,8 +102,10 @@ GetOpenvpnSettings(settings_t *s) } /* The default value of REG_KEY is the install path */ - if (GetRegString(key, NULL, install_path, sizeof(install_path), NULL) != ERROR_SUCCESS) + status = GetRegString(key, NULL, install_path, sizeof(install_path), NULL); + if (status != ERROR_SUCCESS) { + error = status; goto out; } diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index d7c9eea..aecbd84 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -360,14 +360,13 @@ ReturnOpenvpnOutput(HANDLE pipe, HANDLE ovpn_output, DWORD count, LPHANDLE event /* * Validate options against a white list. Also check the config_file is * inside the config_dir. The white list is defined in validate.c - * Returns true on success + * Returns true on success, false on error with reason set in errmsg. */ static BOOL -ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options) +ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options, WCHAR *errmsg, DWORD capacity) { WCHAR **argv; int argc; - WCHAR buf[256]; BOOL ret = FALSE; int i; const WCHAR *msg1 = L"You have specified a config file location (%s relative to %s)" @@ -382,8 +381,10 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options) if (!argv) { - ReturnLastError(pipe, L"CommandLineToArgvW"); - ReturnError(pipe, ERROR_STARTUP_DATA, L"Cannot validate options", 1, &exit_event); + swprintf(errmsg, capacity, + L"Cannot validate options: CommandLineToArgvW failed with error = 0x%08x", + GetLastError()); + errmsg[capacity-1] = L'\0'; goto out; } @@ -403,10 +404,9 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options) if (!CheckOption(workdir, 2, argv_tmp, &settings)) { - swprintf(buf, _countof(buf), msg1, argv[0], workdir, + swprintf(errmsg, capacity, msg1, argv[0], workdir, settings.ovpn_admin_group); - buf[_countof(buf) - 1] = L'\0'; - ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, &exit_event); + errmsg[capacity-1] = L'\0'; } goto out; } @@ -422,18 +422,15 @@ ValidateOptions(HANDLE pipe, const WCHAR *workdir, const WCHAR *options) { if (wcscmp(L"--config", argv[i]) == 0 && argc-i > 1) { - swprintf(buf, _countof(buf), msg1, argv[i+1], workdir, + swprintf(errmsg, capacity, msg1, argv[i+1], workdir, settings.ovpn_admin_group); - buf[_countof(buf) - 1] = L'\0'; - ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, &exit_event); } else { - swprintf(buf, _countof(buf), msg2, argv[i], + swprintf(errmsg, capacity, msg2, argv[i], settings.ovpn_admin_group); - buf[_countof(buf) - 1] = L'\0'; - ReturnError(pipe, ERROR_STARTUP_DATA, buf, 1, &exit_event); } + errmsg[capacity-1] = L'\0'; goto out; } } @@ -1352,7 +1349,7 @@ static DWORD WINAPI RunOpenvpn(LPVOID p) { HANDLE pipe = p; - HANDLE ovpn_pipe, svc_pipe; + HANDLE ovpn_pipe = NULL, svc_pipe = NULL; PTOKEN_USER svc_user = NULL, ovpn_user = NULL; HANDLE svc_token = NULL, imp_token = NULL, pri_token = NULL; HANDLE stdin_read = NULL, stdin_write = NULL; @@ -1367,6 +1364,7 @@ RunOpenvpn(LPVOID p) WCHAR *cmdline = NULL; size_t cmdline_size; undo_lists_t undo_lists; + WCHAR errmsg[512] = L""; SECURITY_ATTRIBUTES inheritable = { .nLength = sizeof(inheritable), @@ -1459,10 +1457,17 @@ RunOpenvpn(LPVOID p) goto out; } - /* Check user is authorized or options are white-listed */ - if (!IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group) - && !ValidateOptions(pipe, sud.directory, sud.options)) + /* + * Only authorized users are allowed to use any command line options or + * have the config file in locations other than the global config directory. + * + * Check options are white-listed and config is in the global directory + * OR user is authorized to run any config. + */ + if (!ValidateOptions(pipe, sud.directory, sud.options, errmsg, _countof(errmsg)) + && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group)) { + ReturnError(pipe, ERROR_STARTUP_DATA, errmsg, 1, &exit_event); goto out; } |