From patchwork Tue Apr 15 15:51:24 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4219
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 15 Apr 2025 17:51:24 +0200
Message-ID: <20250415155131.12458-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.0
Subject: [Openvpn-devel] [PATCH v4] win: allow OpenVPN service account to use any command-line options
From: Lev Stipakov Since 2.7, OpenVPN service (used to start persistent connections) runs under limited virtual service account NT SERVICE\OpenVPNService. Since it should be able to use all command-line options and cannot be made member of "OpenVPN Administrators" group, it has to be handled separately. Change-Id: I44d308301dfb7c22600d8632a553288f52b3068f Signed-off-by: Lev Stipakov Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/906 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c index 39b39aa..4a11e6c 100644 --- a/src/openvpnserv/common.c +++ b/src/openvpnserv/common.c @@ -130,6 +130,14 @@ { goto out; } + + error = GetRegString(key, L"ovpn_service_user", s->ovpn_service_user, + sizeof(s->ovpn_service_user), OVPN_SERVICE_USER); + if (error != ERROR_SUCCESS) + { + goto out; + } + /* set process priority */ if (!_wcsicmp(priority, L"IDLE_PRIORITY_CLASS")) { diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c index c6963b3..871dc6a 100644 --- a/src/openvpnserv/interactive.c +++ b/src/openvpnserv/interactive.c @@ -2491,7 +2491,7 @@ * OR user is authorized to run any config. */ if (!ValidateOptions(pipe, sud.directory, sud.options, errmsg, _countof(errmsg)) - && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group)) + && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group, settings.ovpn_service_user)) { ReturnError(pipe, ERROR_STARTUP_DATA, errmsg, 1, &exit_event); goto out; diff --git a/src/openvpnserv/service.h b/src/openvpnserv/service.h index 7112f26..cbe213b 100644 --- a/src/openvpnserv/service.h +++ b/src/openvpnserv/service.h 
@@ -66,6 +66,7 @@ WCHAR ext_string[16]; WCHAR log_dir[MAX_PATH]; WCHAR ovpn_admin_group[MAX_NAME]; + WCHAR ovpn_service_user[MAX_NAME]; DWORD priority; BOOL append; } settings_t; diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c index 23d78af..9f176c0 100644 --- a/src/openvpnserv/validate.c +++ b/src/openvpnserv/validate.c @@ -140,12 +140,8 @@ return b; } -/* - * Check whether user is a member of Administrators group or - * the group specified in ovpn_admin_group - */ BOOL -IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group) +IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user) { const WCHAR *admin_group[2]; WCHAR username[MAX_NAME]; @@ -164,6 +160,12 @@ domain[0] = '\0'; } + /* is this service account? */ + if ((wcscmp(username, ovpn_service_user) == 0) && (wcscmp(domain, L"NT SERVICE") == 0)) + { + return TRUE; + } + if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group))) { admin_group[0] = sysadmin_group; diff --git a/src/openvpnserv/validate.h b/src/openvpnserv/validate.h index 61a0ad6..5cd6d16 100644 --- a/src/openvpnserv/validate.h +++ b/src/openvpnserv/validate.h 
@@ -29,11 +29,16 @@ /* Authorized groups who can use any options and config locations */ #define SYSTEM_ADMIN_GROUP L"Administrators" -#define OVPN_ADMIN_GROUP L"OpenVPN Administrators" -/* The last one may be reset in registry: HKLM\Software\OpenVPN\ovpn_admin_group */ +#define OVPN_ADMIN_GROUP L"OpenVPN Administrators" /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */ +#define OVPN_SERVICE_USER L"OpenVPNService" /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */ +/* + * Check whether user is a member of Administrators group or + * the group specified in ovpn_admin_group or + * OpenVPN Virtual Service Account user + */ BOOL -IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group); +IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user); BOOL CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s);
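Review bot: the new registry value read in the common.c hunk (`GetRegString(key, L"ovpn_service_user", ...)`, defaulting to `OVPN_SERVICE_USER`) is security-relevant, since whatever account name it holds is granted the right to use any option and config location, yet the patch adds no documentation for it; add the value to the Windows service/registry documentation next to `ovpn_admin_group`, stating that it lives under `HKLM\Software\OpenVPN` and is only honoured for an account in the `NT SERVICE` domain.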
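Review bot: the changed `IsAuthorizedUser(...)` call in the interactive.c hunk runs well past the line width used elsewhere in that file; wrap the argument list, one argument per continuation line aligned under `ovpn_user->User.Sid`, so the `&&` condition stays readable.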
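Review bot: the new check in the validate.c hunk, `wcscmp(username, ovpn_service_user) == 0 && wcscmp(domain, L"NT SERVICE") == 0`, compares case-sensitively, while Windows account and domain names are case-insensitive and `ovpn_service_user` is an administrator-typed registry string; use `_wcsicmp` (as the `priority` comparison in common.c already does) so a value such as `openvpnservice` still matches. The placement is otherwise sound: the early `return TRUE` comes after the branch that clears `domain` (`domain[0] = '\0';`), so an empty domain can never equal `NT SERVICE` and the call falls through to the existing group checks. Minor: the comment `/* is this service account? */` should read `/* is this the service account? */`.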
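Review bot: the new function comment in the validate.h hunk says a user is authorized if it is the "OpenVPN Virtual Service Account user", but the match in validate.c additionally requires the account's domain to be `NT SERVICE`; say so in the comment, so nobody expects a local user that merely happens to be named `OpenVPNService` to be authorized. Also, the two `#define` lines now carry trailing comments that push them past the usual width; keeping the registry-key note on its own line above each define, as the removed comment did, reads cleaner.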