cron2 has uploaded a new patch set (#5) to the change originally created by stipa. ( http://gerrit.openvpn.net/c/openvpn/+/906?usp=email )
The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: win: allow OpenVPN service account to use any command-line options ...................................................................... win: allow OpenVPN service account to use any command-line options Since 2.7, OpenVPN service (used to start persistent connections) runs under limited virtual service account NT SERVICE\OpenVPNService. Since it should be able to use all command-line options and cannot be made member of "OpenVPN Administrators" group, it has to be handled separately. Change-Id: I44d308301dfb7c22600d8632a553288f52b3068f Signed-off-by: Lev Stipakov <l...@openvpn.net> Acked-by: Gert Doering <g...@greenie.muc.de> Message-Id: <20250415155131.12458-1-g...@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31435.html Signed-off-by: Gert Doering <g...@greenie.muc.de> --- M src/openvpnserv/common.c M src/openvpnserv/interactive.c M src/openvpnserv/service.h M src/openvpnserv/validate.c M src/openvpnserv/validate.h 5 files changed, 25 insertions(+), 9 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/06/906/5 diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c index 39b39aa..4a11e6c 100644 --- a/src/openvpnserv/common.c +++ b/src/openvpnserv/common.c @@ -130,6 +130,14 @@ { goto out; } + + error = GetRegString(key, L"ovpn_service_user", s->ovpn_service_user, + sizeof(s->ovpn_service_user), OVPN_SERVICE_USER); + if (error != ERROR_SUCCESS) + { + goto out; + } + /* set process priority */ if (!_wcsicmp(priority, L"IDLE_PRIORITY_CLASS")) { diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index 3cefcc7..f06d386 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -3410,7 +3410,7 @@ * OR user is authorized to run any config. */ if (!ValidateOptions(pipe, sud.directory, sud.options, errmsg, _countof(errmsg)) - && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group)) + && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group, settings.ovpn_service_user)) { ReturnError(pipe, ERROR_STARTUP_DATA, errmsg, 1, &exit_event); goto out; diff --git a/src/openvpnserv/service.h b/src/openvpnserv/service.h index 7112f26..cbe213b 100644 --- a/src/openvpnserv/service.h +++ b/src/openvpnserv/service.h @@ -66,6 +66,7 @@ WCHAR ext_string[16]; WCHAR log_dir[MAX_PATH]; WCHAR ovpn_admin_group[MAX_NAME]; + WCHAR ovpn_service_user[MAX_NAME]; DWORD priority; BOOL append; } settings_t; diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c index 23d78af..9f176c0 100644 --- a/src/openvpnserv/validate.c +++ b/src/openvpnserv/validate.c @@ -140,12 +140,8 @@ return b; } -/* - * Check whether user is a member of Administrators group or - * the group specified in ovpn_admin_group - */ BOOL -IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group) +IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user) { const WCHAR *admin_group[2]; WCHAR username[MAX_NAME]; @@ -164,6 +160,12 @@ domain[0] = '\0'; } + /* is this service account? */ + if ((wcscmp(username, ovpn_service_user) == 0) && (wcscmp(domain, L"NT SERVICE") == 0)) + { + return TRUE; + } + if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group))) { admin_group[0] = sysadmin_group; diff --git a/src/openvpnserv/validate.h b/src/openvpnserv/validate.h index 61a0ad6..5cd6d16 100644 --- a/src/openvpnserv/validate.h +++ b/src/openvpnserv/validate.h @@ -29,11 +29,16 @@ /* Authorized groups who can use any options and config locations */ #define SYSTEM_ADMIN_GROUP L"Administrators" -#define OVPN_ADMIN_GROUP L"OpenVPN Administrators" -/* The last one may be reset in registry: HKLM\Software\OpenVPN\ovpn_admin_group */ +#define OVPN_ADMIN_GROUP L"OpenVPN Administrators" /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */ +#define OVPN_SERVICE_USER L"OpenVPNService" /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */ +/* + * Check whether user is a member of Administrators group or + * the group specified in ovpn_admin_group or + * OpenVPN Virtual Service Account user + */ BOOL -IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group); +IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user); BOOL CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/906?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I44d308301dfb7c22600d8632a553288f52b3068f Gerrit-Change-Number: 906 Gerrit-PatchSet: 5 Gerrit-Owner: stipa <lstipa...@gmail.com> Gerrit-Reviewer: cron2 <g...@greenie.muc.de> Gerrit-Reviewer: d12fk <he...@openvpn.net> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org> Gerrit-Reviewer: selvanair <selva.n...@gmail.com> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-MessageType: newpatchset
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
