On Wed, Apr 7, 2021 at 1:18 AM David Woodhouse <[email protected]> wrote:
>
> On Tue, 2021-04-06 at 18:17 -0600, Jason A. Donenfeld wrote:
> > With regards to permissions, you must be Local System, which is
> > already the case if you're running inside a service. If you'd like to
> > run as a mere Administrator process, you can steal a token with a
> > technique like
> > https://git.zx2c4.com/wireguard-tools/tree/src/ipc-uapi-windows.h#n14
> > or https://git.zx2c4.com/wireguard-windows/tree/elevate/doas.go#n30
>
> Great, thanks!
>
> Is there a list of precisely which operations require such privileges?
> Is it only *creating* an adapter? Or only if doing so requires the
> kernel driver to be loaded for the first time?
>

I'm a little confused by this. In my testing of our recent builds of
OpenConnect on Windows 2012 R2 with wintun-0.10.2… Running as
Administrator *has been* sufficient to allow OpenConnect to open the
Wintun adapters, as well as to configure them with "netsh", etc.

Is there some additional environment we should be testing in, where
Administrator may *not* be sufficient?

Thanks,
Dan
