From: "stipa (Code Review)" X-Google-Original-From: "stipa (Code Review)" X-Gerrit-PatchSet: 1 Date: Wed, 12 Mar 2025 11:54:45 +0000 To: plaisthos , flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: I44d308301dfb7c22600d8632a553288f52b3068f X-Gerrit-Change-Number: 906 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: f89d00a3a89ca4a817b10bee92ae7fea184616ad References: Message-ID: <9128b360c98a50df91605a7af5b6cd0365d7f63d-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [209.85.221.46 listed in bl.score.senderscore.com] 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. 
[209.85.221.46 listed in sa-accredit.habeas.com] 0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.221.46 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.221.46 listed in list.dnswl.org] 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1tsKfq-00013T-2z Subject: [Openvpn-devel] [S] Change in openvpn[master]: win: allow OpenVPN service account to use any command-line options X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: lstipakov@gmail.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1826389252353425104?= X-GMAIL-MSGID: =?utf-8?q?1826389252353425104?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/906?usp=email to review the following change. Change subject: win: allow OpenVPN service account to use any command-line options ...................................................................... 
win: allow OpenVPN service account to use any command-line options

Since 2.7, OpenVPN service (used to start persistent connections) runs under limited virtual service account NT SERVICE\OpenVPNService. Since it should be able to use all command-line options and cannot be made member of "OpenVPN Administrators" group, it has to be handled separately.

Change-Id: I44d308301dfb7c22600d8632a553288f52b3068f
Signed-off-by: Lev Stipakov
---
M src/openvpnserv/common.c
M src/openvpnserv/interactive.c
M src/openvpnserv/service.h
M src/openvpnserv/validate.c
M src/openvpnserv/validate.h
5 files changed, 26 insertions(+), 9 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/06/906/1

diff --git a/src/openvpnserv/common.c b/src/openvpnserv/common.c
index 74bec6e..658e5cd 100644
--- a/src/openvpnserv/common.c
+++ b/src/openvpnserv/common.c
@@ -130,6 +130,14 @@
     {
         goto out;
     }
+
+    error = GetRegString(key, TEXT("ovpn_service_user"), s->ovpn_service_user,
+                         sizeof(s->ovpn_service_user), OVPN_SERVICE_USER);
+    if (error != ERROR_SUCCESS)
+    {
+        goto out;
+    }
+
     /* set process priority */
     if (!_wcsicmp(priority, TEXT("IDLE_PRIORITY_CLASS")))
     {
diff --git a/src/openvpnserv/interactive.c b/src/openvpnserv/interactive.c
index d5a749a..2364c38 100644
--- a/src/openvpnserv/interactive.c
+++ b/src/openvpnserv/interactive.c
@@ -2497,7 +2497,7 @@
      * OR user is authorized to run any config.
      */
     if (!ValidateOptions(pipe, sud.directory, sud.options, errmsg, _countof(errmsg))
-        && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group))
+        && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group, settings.ovpn_service_user))
     {
         ReturnError(pipe, ERROR_STARTUP_DATA, errmsg, 1, &exit_event);
         goto out;
diff --git a/src/openvpnserv/service.h b/src/openvpnserv/service.h
index c5f587b..c8c1005 100644
--- a/src/openvpnserv/service.h
+++ b/src/openvpnserv/service.h
@@ -71,6 +71,7 @@
     TCHAR ext_string[16];
     TCHAR log_dir[MAX_PATH];
     TCHAR ovpn_admin_group[MAX_NAME];
+    TCHAR ovpn_service_user[MAX_NAME];
     DWORD priority;
     BOOL append;
 } settings_t;
diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 9563fa5..5b0b368 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -140,12 +140,8 @@
     return b;
 }
 
-/*
- * Check whether user is a member of Administrators group or
- * the group specified in ovpn_admin_group
- */
 BOOL
-IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group)
+IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user)
 {
     const WCHAR *admin_group[2];
     WCHAR username[MAX_NAME];
@@ -164,6 +160,12 @@
         domain[0] = '\0';
     }
 
+    /* is this service account? */
+    if ((wcscmp(username, ovpn_service_user) == 0) && (wcscmp(domain, TEXT("NT SERVICE")) == 0))
+    {
+        return TRUE;
+    }
+
     if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group)))
     {
         admin_group[0] = sysadmin_group;
diff --git a/src/openvpnserv/validate.h b/src/openvpnserv/validate.h
index a9f1b9d..a68e564 100644
--- a/src/openvpnserv/validate.h
+++ b/src/openvpnserv/validate.h
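Review bot: The service-account check added in the second validate.c hunk compares `username` and `domain` with the case-sensitive `wcscmp`, although Windows account and domain names are case-insensitive and this same patch uses `_wcsicmp` in common.c; a registry value typed as `openvpnservice` would then silently fail to match and the service would fall through to the group checks. Using `if ((_wcsicmp(username, ovpn_service_user) == 0) && (_wcsicmp(domain, TEXT("NT SERVICE")) == 0))` keeps the comparison consistent with the rest of the service code. Since the existing code already resolves the builtin admin group through GetBuiltinAdminGroupName instead of a hard-coded name, the more robust form would be to resolve `NT SERVICE\<ovpn_service_user>` to a SID with LookupAccountName and compare it to `sid` with EqualSid, which also removes any dependence on the exact spelling of the "NT SERVICE" domain string on localized systems. `username` and `domain` are filled in above this hunk, so the fail-closed behaviour when that lookup fails (domain emptied on the preceding context line) is inferred rather than visible here, and IsAuthorizedUser continues past the hunk.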
@@ -29,11 +29,17 @@
 
 /* Authorized groups who can use any options and config locations */
 #define SYSTEM_ADMIN_GROUP TEXT("Administrators")
-#define OVPN_ADMIN_GROUP TEXT("OpenVPN Administrators")
-/* The last one may be reset in registry: HKLM\Software\OpenVPN\ovpn_admin_group */
+#define OVPN_ADMIN_GROUP TEXT("OpenVPN Administrators") /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */
+#define OVPN_SERVICE_USER TEXT("OpenVPNService") /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */
+
+/*
+ * Check whether user is a member of Administrators group or
+ * the group specified in ovpn_admin_group or
+ * OpenVPN Virtual Service Account user
+ */
 
 BOOL
-IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group);
+IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user);
 
 BOOL
 CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s);
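Review bot: The new comment on `OVPN_SERVICE_USER` only says the name may be set in the registry; it should also state that the value is matched by account name and only for accounts in the NT SERVICE domain (the check added in validate.c), so an administrator does not expect a regular user or group name placed in `HKLM\Software\OpenVPN\ovpn_service_user` to be authorized. Suggested wording: `/* name of the virtual service account (NT SERVICE\<name>) allowed to use any options; may be set in HKLM\Software\OpenVPN\ovpn_service_user */`. The two `#define` lines with trailing comments now run well past the width of the surrounding header; keeping each comment on its own line above the define, as the removed comment was, would keep the file readable.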