author | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2017-06-27 13:56:16 +0200 |
---|---|---|
committer | Jörg Frings-Fürst <debian@jff-webhosting.net> | 2017-06-27 13:56:16 +0200 |
commit | 749384a154025e268b53cf3cc79eaeddde2b3ceb (patch) | |
tree | 27baa9e6aec76635d750405d90cd461440a656d1 /src/openvpnserv | |
parent | db4f04c584f7d4e828b5d317cf40962b9d854ac5 (diff) |
initial stretch branch release 2.4.0-6
Diffstat (limited to 'src/openvpnserv')
-rw-r--r-- | src/openvpnserv/Makefile.in | 36 | ||||
-rw-r--r-- | src/openvpnserv/automatic.c | 10 | ||||
-rw-r--r-- | src/openvpnserv/common.c | 7 | ||||
-rw-r--r-- | src/openvpnserv/interactive.c | 84 | ||||
-rw-r--r-- | src/openvpnserv/service.h | 7 | ||||
-rw-r--r-- | src/openvpnserv/validate.c | 178 | ||||
-rw-r--r-- | src/openvpnserv/validate.h | 9 |
7 files changed, 85 insertions, 246 deletions
diff --git a/src/openvpnserv/Makefile.in b/src/openvpnserv/Makefile.in index 234a927..e113fee 100644 --- a/src/openvpnserv/Makefile.in +++ b/src/openvpnserv/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.15 from Makefile.am. +# Makefile.in generated by automake 1.13.4 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2014 Free Software Foundation, Inc. +# Copyright (C) 1994-2013 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -37,17 +37,7 @@ # Required to build Windows resource file VPATH = @srcdir@ -am__is_gnu_make = { \ - if test -z '$(MAKELEVEL)'; then \ - false; \ - elif test -n '$(MAKE_HOST)'; then \ - true; \ - elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ - true; \ - else \ - false; \ - fi; \ -} +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -110,6 +100,8 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +DIST_COMMON = $(top_srcdir)/build/ltrc.inc $(srcdir)/Makefile.in \ + $(srcdir)/Makefile.am $(top_srcdir)/depcomp @WIN32_TRUE@sbin_PROGRAMS = openvpnserv$(EXEEXT) subdir = src/openvpnserv ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -122,7 +114,6 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/openvpn-plugin.h 
@@ -205,8 +196,6 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags -am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/build/ltrc.inc \ - $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -255,7 +244,6 @@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ -LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ LZ4_CFLAGS = @LZ4_CFLAGS@ LZ4_LIBS = @LZ4_LIBS@ LZO_CFLAGS = @LZO_CFLAGS@ @@ -304,7 +292,6 @@ PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ -PLUGINDIR = @PLUGINDIR@ PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ RANLIB = @RANLIB@ @@ -317,14 +304,12 @@ SHELL = @SHELL@ SOCKETS_LIBS = @SOCKETS_LIBS@ STRIP = @STRIP@ SYSTEMD_ASK_PASSWORD = @SYSTEMD_ASK_PASSWORD@ -SYSTEMD_UNIT_DIR = @SYSTEMD_UNIT_DIR@ TAP_CFLAGS = @TAP_CFLAGS@ TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ TEST_CFLAGS = @TEST_CFLAGS@ TEST_LDFLAGS = @TEST_LDFLAGS@ -TMPFILES_DIR = @TMPFILES_DIR@ VENDOR_BUILD_ROOT = @VENDOR_BUILD_ROOT@ VENDOR_DIST_ROOT = @VENDOR_DIST_ROOT@ VENDOR_SRC_ROOT = @VENDOR_SRC_ROOT@ @@ -381,9 +366,7 @@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ -systemdunitdir = @systemdunitdir@ target_alias = @target_alias@ -tmpfilesdir = @tmpfilesdir@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ 
@@ -430,6 +413,7 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(top_srcdir)/build/ltrc.inc $(am_ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/openvpnserv/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/openvpnserv/Makefile +.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -438,7 +422,7 @@ Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; -$(top_srcdir)/build/ltrc.inc $(am__empty): +$(top_srcdir)/build/ltrc.inc: $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh @@ -520,14 +504,14 @@ distclean-compile: @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -833,8 +817,6 @@ uninstall-am: uninstall-sbinPROGRAMS mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am uninstall-sbinPROGRAMS -.PRECIOUS: Makefile - .rc.lo: $(LTRCCOMPILE) -i "$<" -o "$@" diff --git a/src/openvpnserv/automatic.c b/src/openvpnserv/automatic.c index 4123d0f..6be6c6d 100644 --- a/src/openvpnserv/automatic.c +++ b/src/openvpnserv/automatic.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /* @@ -292,8 +293,7 @@ ServiceStartAutomatic(DWORD dwArgc, LPTSTR *lpszArgv) /* * Loop over each config file */ - do - { + do { HANDLE log_handle = NULL; STARTUPINFO start_info; PROCESS_INFORMATION proc_info; diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c index 0c9098f..3b9b396 100644 --- a/src/openvpnserv/common.c +++ b/src/openvpnserv/common.c 
@@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include <service.h> diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 607c8a9..dbe2b9b 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ @@ -93,13 +94,6 @@ typedef enum { } undo_type_t; typedef list_item_t *undo_lists_t[_undo_type_max]; -typedef struct { - HANDLE engine; - int index; - int metric_v4; - int metric_v6; -} block_dns_data_t; - static DWORD AddListItem(list_item_t **pfirst, LPVOID data) @@ -221,9 +215,7 @@ AsyncPipeOp(async_op_t op, HANDLE pipe, LPVOID buffer, DWORD size, DWORD count, handles[0] = io_event; for (i = 0; i < count; i++) - { handles[i + 1] = events[i]; - } res = WaitForMultipleObjects(count + 1, handles, FALSE, op == peek ? INFINITE : IO_TIMEOUT); 
@@ -891,7 +883,6 @@ static DWORD HandleBlockDNSMessage(const block_dns_message_t *msg, undo_lists_t *lists) { DWORD err = 0; - block_dns_data_t *interface_data; HANDLE engine = NULL; LPCWSTR exe_path; @@ -908,57 +899,16 @@ HandleBlockDNSMessage(const block_dns_message_t *msg, undo_lists_t *lists) err = add_block_dns_filters(&engine, msg->iface.index, exe_path, BlockDNSErrHandler); if (!err) { - interface_data = malloc(sizeof(block_dns_data_t)); - if (!interface_data) - { - return ERROR_OUTOFMEMORY; - } - interface_data->engine = engine; - interface_data->index = msg->iface.index; - interface_data->metric_v4 = get_interface_metric(msg->iface.index, - AF_INET); - if (interface_data->metric_v4 < 0) - { - interface_data->metric_v4 = -1; - } - interface_data->metric_v6 = get_interface_metric(msg->iface.index, - AF_INET6); - if (interface_data->metric_v6 < 0) - { - interface_data->metric_v6 = -1; - } - err = AddListItem(&(*lists)[block_dns], interface_data); - if (!err) - { - err = set_interface_metric(msg->iface.index, AF_INET, - BLOCK_DNS_IFACE_METRIC); - if (!err) - { - set_interface_metric(msg->iface.index, AF_INET6, - BLOCK_DNS_IFACE_METRIC); - } - } + err = AddListItem(&(*lists)[block_dns], engine); } } else { - interface_data = RemoveListItem(&(*lists)[block_dns], CmpEngine, NULL); - if (interface_data) + engine = RemoveListItem(&(*lists)[block_dns], CmpEngine, NULL); + if (engine) { - engine = interface_data->engine; err = delete_block_dns_filters(engine); engine = NULL; - if (interface_data->metric_v4 >= 0) - { - set_interface_metric(msg->iface.index, AF_INET, - interface_data->metric_v4); - } - if (interface_data->metric_v6 >= 0) - { - set_interface_metric(msg->iface.index, AF_INET6, - interface_data->metric_v6); - } - free(interface_data); } else { @@ -1373,7 +1323,6 @@ static VOID Undo(undo_lists_t *lists) { undo_type_t type; - block_dns_data_t *interface_data; for (type = 0; type < _undo_type_max; type++) { list_item_t **pnext = &(*lists)[type]; 
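Review bot: In the `@@ -908,57 +899,16 @@` hunk, when AddListItem fails after add_block_dns_filters has already succeeded, the function returns `err` with the filters still installed and the only reference to `engine` dropped, so neither a later removal message nor Undo can clean them up. I'd roll back on that path, e.g. `if (err) { delete_block_dns_filters(engine); engine = NULL; }` immediately after the AddListItem call (delete_block_dns_filters is what the removal branch below uses on the same handle). The removed block_dns_data_t version had the same gap, so this is not a regression, but the smaller code makes it easy to close now. HandleBlockDNSMessage continues outside the hunk.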
@@ -1399,18 +1348,8 @@ Undo(undo_lists_t *lists) break; case block_dns: - interface_data = (block_dns_data_t*)(item->data); - delete_block_dns_filters(interface_data->engine); - if (interface_data->metric_v4 >= 0) - { - set_interface_metric(interface_data->index, AF_INET, - interface_data->metric_v4); - } - if (interface_data->metric_v6 >= 0) - { - set_interface_metric(interface_data->index, AF_INET6, - interface_data->metric_v6); - } + delete_block_dns_filters(item->data); + item->data = NULL; break; } @@ -1536,7 +1475,7 @@ RunOpenvpn(LPVOID p) } /* Check user is authorized or options are white-listed */ - if (!IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group) + if (!IsAuthorizedUser(ovpn_user->User.Sid, &settings) && !ValidateOptions(pipe, sud.directory, sud.options)) { goto out; @@ -1901,8 +1840,7 @@ ServiceStartInteractive(DWORD dwArgc, LPTSTR *lpszArgv) PHANDLE handles = NULL; DWORD handle_count; BOOL - CmpHandle(LPVOID item, LPVOID hnd) - { + CmpHandle(LPVOID item, LPVOID hnd) { return item == hnd; } diff --git a/src/openvpnserv/service.h b/src/openvpnserv/service.h index 9fe573e..b1130c9 100644 --- a/src/openvpnserv/service.h +++ b/src/openvpnserv/service.h @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef _SERVICE_H diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c index f6a97e9..c9c3855 100644 --- a/src/openvpnserv/validate.c 
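Review bot: In the Undo hunk the return value of `delete_block_dns_filters(item->data)` is discarded, whereas HandleBlockDNSMessage assigns the same call to `err`, so a failure to remove the DNS-blocking filters during service cleanup leaves them in place with nothing in the event log. Capture and report it, e.g. `DWORD rc = delete_block_dns_filters(item->data); if (rc) { /* log rc via the service's event-log helper */ }` — MsgToEventLog is what validate.c uses for this, assuming it is visible from interactive.c. Setting `item->data = NULL` afterwards is fine since the list entry owns the handle. Undo's switch and the surrounding loop continue outside the hunk.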
+++ b/src/openvpnserv/validate.c @@ -16,9 +16,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #include "validate.h" @@ -48,9 +49,6 @@ static const WCHAR *white_list[] = NULL /* last value */ }; -static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name); -static PTOKEN_GROUPS GetTokenGroups(const HANDLE token); - /* * Check workdir\fname is inside config_dir * The logic here is simple: we may reject some valid paths if ..\ is in any of the strings @@ -149,16 +147,21 @@ GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen) /* * Check whether user is a member of Administrators group or - * the group specified in ovpn_admin_group + * the group specified in s->ovpn_admin_group */ BOOL -IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group) +IsAuthorizedUser(SID *sid, settings_t *s) { + LOCALGROUP_USERS_INFO_0 *groups = NULL; + DWORD nread; + DWORD nmax; + WCHAR *tmp = NULL; const WCHAR *admin_group[2]; WCHAR username[MAX_NAME]; WCHAR domain[MAX_NAME]; WCHAR sysadmin_group[MAX_NAME]; - DWORD len = MAX_NAME; + DWORD err, len = MAX_NAME; + int i; BOOL ret = FALSE; SID_NAME_USE sid_type; 
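Review bot: The new signature `IsAuthorizedUser(SID *sid, settings_t *s)` takes the settings non-const although the function only reads `s->ovpn_admin_group`, while `CheckOption` in validate.h keeps `const settings_t *s`; make it `IsAuthorizedUser(SID *sid, const settings_t *s)` here and in the validate.h prototype so the caller in RunOpenvpn does not hand the authorization check a mutable view of the service configuration. The `int i;` declared at the top is later compared against `DWORD nread` in the group loop, so declare it `DWORD i` (or let the loop declare it, as the removed `for (int i ...)` did). IsAuthorizedUser's body continues in the following hunks.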
@@ -166,9 +169,17 @@ IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group) if (!LookupAccountSidW(NULL, sid, username, &len, domain, &len, &sid_type)) { MsgToEventLog(M_SYSERR, TEXT("LookupAccountSid")); - /* not fatal as this is now used only for logging */ - username[0] = '\0'; - domain[0] = '\0'; + goto out; + } + + /* Get an array of groups the user is member of */ + err = NetUserGetLocalGroups(NULL, username, 0, LG_INCLUDE_INDIRECT, (LPBYTE *) &groups, + MAX_PREFERRED_LENGTH, &nread, &nmax); + if (err && err != ERROR_MORE_DATA) + { + SetLastError(err); + MsgToEventLog(M_SYSERR, TEXT("NetUserGetLocalGroups")); + goto out; } if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group))) 
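Review bot: NetUserGetLocalGroups is called with a NULL server and the bare `username` that LookupAccountSidW just returned, while the `domain` it also filled in is dropped; for a domain user a bare name is resolved against the local machine, so a local account carrying the same name as the caller's domain account could be the one whose group list gets checked (I cannot see the caller's account context here, so treat this as something to verify rather than a confirmed fault). Passing the qualified `DOMAIN\user` form, which NetUserGetLocalGroups accepts, or comparing SIDs instead of names, removes that ambiguity. Separately, `if (err && err != ERROR_MORE_DATA)` lets ERROR_MORE_DATA through, after which `nread` may cover only part of the list and the membership check runs on a truncated result; with MAX_PREFERRED_LENGTH this should not occur, but it is cheap to treat it as an error and log it with `if (err) { SetLastError(err); MsgToEventLog(M_SYSERR, TEXT("NetUserGetLocalGroups")); goto out; }`. IsAuthorizedUser starts and ends outside this hunk.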
@@ -181,136 +192,41 @@ IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group) /* use the default value */ admin_group[0] = SYSTEM_ADMIN_GROUP; } - admin_group[1] = ovpn_admin_group; - - PTOKEN_GROUPS token_groups = GetTokenGroups(token); - for (int i = 0; i < 2; ++i) - { - ret = IsUserInGroup(sid, token_groups, admin_group[i]); - if (ret) - { - MsgToEventLog(M_INFO, TEXT("Authorizing user '%s@%s' by virtue of membership in group '%s'"), - username, domain, admin_group[i]); - goto out; - } - } - -out: - free(token_groups); - return ret; -} - -/** - * Get a list of groups in token. - * Returns a pointer to TOKEN_GROUPS struct or NULL on error. - * The caller should free the returned pointer. - */ -static PTOKEN_GROUPS -GetTokenGroups(const HANDLE token) -{ - PTOKEN_GROUPS groups = NULL; - DWORD buf_size = 0; - - if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size) - && GetLastError() == ERROR_INSUFFICIENT_BUFFER) - { - groups = malloc(buf_size); - } - if (!groups) - { - MsgToEventLog(M_SYSERR, L"GetTokenGroups"); - } - else if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size)) - { - MsgToEventLog(M_SYSERR, L"GetTokenInformation"); - free(groups); - } - return groups; -} -/* - * Find SID from name - * - * On input sid buffer should have space for at least sid_size bytes. - * Returns true on success, false on failure. - * Suggest: in caller allocate sid to hold SECURITY_MAX_SID_SIZE bytes - */ -static BOOL -LookupSID(const WCHAR *name, PSID sid, DWORD sid_size) -{ - SID_NAME_USE su; - WCHAR domain[MAX_NAME]; - DWORD dlen = _countof(domain); - - if (!LookupAccountName(NULL, name, sid, &sid_size, domain, &dlen, &su)) - { - return FALSE; /* not fatal as the group may not exist */ - } - return TRUE; -} - -/** - * User is in group if the token groups contain the SID of the group - * of if the user is a direct member of the group. 
The latter check - * catches dynamic changes in group membership in the local user - * database not reflected in the token. - * If token_groups or sid is NULL the corresponding check is skipped. - * - * Using sid and list of groups in token avoids reference to domains so that - * this could be completed without access to a Domain Controller. - * - * Returns true if the user is in the group, false otherwise. - */ -static BOOL -IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_name) -{ - BOOL ret = FALSE; - DWORD_PTR resume = 0; - DWORD err; - BYTE grp_sid[SECURITY_MAX_SID_SIZE]; - int nloop = 0; /* a counter used to not get stuck in the do .. while() */ - - /* first check in the token groups */ - if (token_groups && LookupSID(group_name, (PSID) grp_sid, _countof(grp_sid))) +#ifdef UNICODE + admin_group[1] = s->ovpn_admin_group; +#else + tmp = NULL; + len = MultiByteToWideChar(CP_UTF8, 0, s->ovpn_admin_group, -1, NULL, 0); + if (len == 0 || (tmp = malloc(len*sizeof(WCHAR))) == NULL) { - for (DWORD i = 0; i < token_groups->GroupCount; ++i) - { - if (EqualSid((PSID) grp_sid, token_groups->Groups[i].Sid)) - { - return TRUE; - } - } + MsgToEventLog(M_SYSERR, TEXT("Failed to convert admin group name to WideChar")); + goto out; } + MultiByteToWideChar(CP_UTF8, 0, s->ovpn_admin_group, -1, tmp, len); + admin_group[1] = tmp; +#endif - /* check user's SID is a member of the group */ - if (!sid) - { - return FALSE; - } - do + /* Check if user's groups include any of the admin groups */ + for (i = 0; i < nread; i++) { - DWORD nread, nmax; - LOCALGROUP_MEMBERS_INFO_0 *members = NULL; - err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *) &members, - MAX_PREFERRED_LENGTH, &nread, &nmax, &resume); - if ((err != NERR_Success && err != ERROR_MORE_DATA)) + if (wcscmp(groups[i].lgrui0_name, admin_group[0]) == 0 + || wcscmp(groups[i].lgrui0_name, admin_group[1]) == 0 + ) { + MsgToEventLog(M_INFO, TEXT("Authorizing user %s by virtue of membership in 
group %s"), + username, groups[i].lgrui0_name); + ret = TRUE; break; } - /* If a match is already found, ret == TRUE and the loop is skipped */ - for (int i = 0; i < nread && !ret; ++i) - { - ret = EqualSid(members[i].lgrmi0_sid, sid); - } - NetApiBufferFree(members); - /* MSDN says the lookup should always iterate until err != ERROR_MORE_DATA */ - } while (err == ERROR_MORE_DATA && nloop++ < 100); + } - if (err != NERR_Success && err != NERR_GroupNotFound) +out: + if (groups) { - SetLastError(err); - MsgToEventLog(M_SYSERR, TEXT("In NetLocalGroupGetMembers for group '%s'"), group_name); + NetApiBufferFree(groups); } + free(tmp); return ret; } diff --git a/src/openvpnserv/validate.h b/src/openvpnserv/validate.h index cc443e6..ece8704 100644 --- a/src/openvpnserv/validate.h +++ b/src/openvpnserv/validate.h @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ #ifndef VALIDATE_H @@ -33,7 +34,7 @@ /* The last one may be reset in registry: HKLM\Software\OpenVPN\ovpn_admin_group */ BOOL -IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group); +IsAuthorizedUser(SID *sid, settings_t *s); BOOL CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s); |
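Review bot: Group membership is now decided by `wcscmp` on names rather than on SIDs, so the test is case-sensitive although Windows account names are not, and it depends on GetBuiltinAdminGroupName returning exactly the spelling NetUserGetLocalGroups reports; at minimum use `_wcsicmp`, and preferably resolve each candidate name to a SID once with LookupAccountName and compare with EqualSid. The loop `for (i = 0; i < nread; i++)` compares an `int` with a `DWORD`; declaring `i` as `DWORD` removes the signed/unsigned mix. If `s->ovpn_admin_group` can be NULL (not visible here), the second `wcscmp` dereferences it, so guard it as `admin_group[1] && wcscmp(groups[i].lgrui0_name, admin_group[1]) == 0`. This hunk starts inside IsAuthorizedUser, whose beginning is in the earlier hunks.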