OpenVPN
validate.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2016-2025 Selva Nair <selva.nair@gmail.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, see <https://www.gnu.org/licenses/>.
21 */
22
23#include "validate.h"
24
25#include <lmaccess.h>
26#include <shlwapi.h>
27#include <pathcch.h>
28#include <lm.h>
29
30static const WCHAR *white_list[] = {
31 L"auth-retry",
32 L"config",
33 L"log",
34 L"log-append",
35 L"management",
36 L"management-forget-disconnect",
37 L"management-hold",
38 L"management-query-passwords",
39 L"management-query-proxy",
40 L"management-signal",
41 L"management-up-down",
42 L"mute",
43 L"setenv",
44 L"service",
45 L"verb",
46 L"pull-filter",
47 L"script-security",
48
49 NULL /* last value */
50};
51
52static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name);
53
54static PTOKEN_GROUPS GetTokenGroups(const HANDLE token);
55
56/*
57 * Check that config path is inside config_dir
58 * The logic here is simple: if the path isn't prefixed with config_dir it's rejected
59 */
60static BOOL
61CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
62{
63 HRESULT res;
64 WCHAR config_path[MAX_PATH];
65
66 /* fname = stdin is special: do not treat it as a relative path */
67 if (wcscmp(fname, L"stdin") == 0)
68 {
69 return FALSE;
70 }
71 /* convert fname to full canonical path */
72 if (PathIsRelativeW(fname))
73 {
74 res = PathCchCombine(config_path, _countof(config_path), workdir, fname);
75 }
76 else
77 {
78 res = PathCchCanonicalize(config_path, _countof(config_path), fname);
79 }
80
81 return res == S_OK && wcsnicmp(config_path, s->config_dir, wcslen(s->config_dir)) == 0;
82}
83
84
85/*
86 * A simple linear search meant for a small wchar_t *array.
87 * Returns index to the item if found, -1 otherwise.
88 */
89static int
90OptionLookup(const WCHAR *name, const WCHAR *white_list[])
91{
92 int i;
93
94 for (i = 0; white_list[i]; i++)
95 {
96 if (wcscmp(white_list[i], name) == 0)
97 {
98 return i;
99 }
100 }
101
102 return -1;
103}
104
105/*
106 * The Administrators group may be localized or renamed by admins.
107 * Get the local name of the group using the SID.
108 */
109static BOOL
110GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
111{
112 BOOL b = FALSE;
113 PSID admin_sid = NULL;
114 DWORD sid_size = SECURITY_MAX_SID_SIZE;
115 SID_NAME_USE snu;
116
117 WCHAR domain[MAX_NAME];
118 DWORD dlen = _countof(domain);
119
120 admin_sid = malloc(sid_size);
121 if (!admin_sid)
122 {
123 return FALSE;
124 }
125
126 b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
127 if (b)
128 {
129 b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &snu);
130 }
131
132 free(admin_sid);
133
134 return b;
135}
136
137BOOL
138IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group,
139 const WCHAR *ovpn_service_user)
140{
141 const WCHAR *admin_group[2];
142 WCHAR username[MAX_NAME];
143 WCHAR domain[MAX_NAME];
144 WCHAR sysadmin_group[MAX_NAME];
145 DWORD len = MAX_NAME;
146 BOOL ret = FALSE;
147 SID_NAME_USE sid_type;
148
149 /* Get username */
150 if (!LookupAccountSidW(NULL, sid, username, &len, domain, &len, &sid_type))
151 {
152 MsgToEventLog(M_SYSERR, L"LookupAccountSid");
153 /* not fatal as this is now used only for logging */
154 username[0] = '\0';
155 domain[0] = '\0';
156 }
157
158 /* is this service account? */
159 if ((wcscmp(username, ovpn_service_user) == 0) && (wcscmp(domain, L"NT SERVICE") == 0))
160 {
161 return TRUE;
162 }
163
164 if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group)))
165 {
166 admin_group[0] = sysadmin_group;
167 }
168 else
169 {
170 MsgToEventLog(M_SYSERR,
171 L"Failed to get the name of Administrators group. Using the default.");
172 /* use the default value */
173 admin_group[0] = SYSTEM_ADMIN_GROUP;
174 }
175 admin_group[1] = ovpn_admin_group;
176
177 PTOKEN_GROUPS token_groups = GetTokenGroups(token);
178 for (int i = 0; i < 2; ++i)
179 {
180 ret = IsUserInGroup(sid, token_groups, admin_group[i]);
181 if (ret)
182 {
183 MsgToEventLog(M_INFO,
184 L"Authorizing user '%ls@%ls' by virtue of membership in group '%ls'",
185 username, domain, admin_group[i]);
186 goto out;
187 }
188 }
189
190out:
191 free(token_groups);
192 return ret;
193}
194
200static PTOKEN_GROUPS
201GetTokenGroups(const HANDLE token)
202{
203 PTOKEN_GROUPS groups = NULL;
204 DWORD buf_size = 0;
205
206 if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size)
207 && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
208 {
209 groups = malloc(buf_size);
210 }
211 if (!groups)
212 {
213 MsgToEventLog(M_SYSERR, L"GetTokenGroups");
214 }
215 else if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size))
216 {
217 MsgToEventLog(M_SYSERR, L"GetTokenInformation");
218 free(groups);
219 }
220 return groups;
221}
222
223/*
224 * Find SID from name
225 *
226 * On input sid buffer should have space for at least sid_size bytes.
227 * Returns true on success, false on failure.
228 * Suggest: in caller allocate sid to hold SECURITY_MAX_SID_SIZE bytes
229 */
230static BOOL
231LookupSID(const WCHAR *name, PSID sid, DWORD sid_size)
232{
233 SID_NAME_USE su;
234 WCHAR domain[MAX_NAME];
235 DWORD dlen = _countof(domain);
236
237 if (!LookupAccountName(NULL, name, sid, &sid_size, domain, &dlen, &su))
238 {
239 return FALSE; /* not fatal as the group may not exist */
240 }
241 return TRUE;
242}
243
256static BOOL
257IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_name)
258{
259 BOOL ret = FALSE;
260 DWORD_PTR resume = 0;
261 DWORD err;
262 BYTE grp_sid[SECURITY_MAX_SID_SIZE];
263 int nloop = 0; /* a counter used to not get stuck in the do .. while() */
264
265 /* first check in the token groups */
266 if (token_groups && LookupSID(group_name, (PSID)grp_sid, _countof(grp_sid)))
267 {
268 for (DWORD i = 0; i < token_groups->GroupCount; ++i)
269 {
270 if (EqualSid((PSID)grp_sid, token_groups->Groups[i].Sid))
271 {
272 return TRUE;
273 }
274 }
275 }
276
277 /* check user's SID is a member of the group */
278 if (!sid)
279 {
280 return FALSE;
281 }
282 do
283 {
284 DWORD nread, nmax;
285 LOCALGROUP_MEMBERS_INFO_0 *members = NULL;
286 err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *)&members, MAX_PREFERRED_LENGTH,
287 &nread, &nmax, &resume);
288 if ((err != NERR_Success && err != ERROR_MORE_DATA))
289 {
290 break;
291 }
292 /* If a match is already found, ret == TRUE and the loop is skipped */
293 for (DWORD i = 0; i < nread && !ret; ++i)
294 {
295 ret = EqualSid(members[i].lgrmi0_sid, sid);
296 }
297 NetApiBufferFree(members);
298 /* MSDN says the lookup should always iterate until err != ERROR_MORE_DATA */
299 } while (err == ERROR_MORE_DATA && nloop++ < 100);
300
301 if (err != NERR_Success && err != NERR_GroupNotFound)
302 {
303 SetLastError(err);
304 MsgToEventLog(M_SYSERR, L"In NetLocalGroupGetMembers for group '%ls'", group_name);
305 }
306
307 return ret;
308}
309
310/*
311 * Check whether option argv[0] is white-listed. If argv[0] == "--config",
312 * also check that argv[1], if present, passes CheckConfigPath().
313 * The caller should set argc to the number of valid elements in argv[] array.
314 */
315BOOL
316CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
317{
318 /* Do not modify argv or *argv -- ideally it should be const WCHAR *const *, but alas...*/
319
320 if (wcscmp(argv[0], L"--config") == 0 && argc > 1 && !CheckConfigPath(workdir, argv[1], s))
321 {
322 return FALSE;
323 }
324
325 /* option name starts at 2 characters from argv[i] */
326 if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */
327 {
328 return FALSE;
329 }
330
331 return TRUE;
332}
MsgToEventLog
DWORD MsgToEventLog(DWORD flags, LPCWSTR format,...)
Definition common.c:253
M_INFO
#define M_INFO
Definition errlevel.h:54
M_SYSERR
#define M_SYSERR
Definition service.h:45
MAX_NAME
#define MAX_NAME
Definition service.h:63
argv
Definition argv.h:35
settings_t
Definition service.h:65
settings_t::config_dir
WCHAR config_dir[MAX_PATH]
Definition service.h:67
CheckConfigPath
static BOOL CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
Definition validate.c:61
white_list
static const WCHAR * white_list[]
Definition validate.c:30
OptionLookup
static int OptionLookup(const WCHAR *name, const WCHAR *white_list[])
Definition validate.c:90
IsAuthorizedUser
BOOL IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user)
Definition validate.c:138
IsUserInGroup
static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name)
User is in group if the token groups contain the SID of the group of if the user is a direct member o...
Definition validate.c:257
LookupSID
static BOOL LookupSID(const WCHAR *name, PSID sid, DWORD sid_size)
Definition validate.c:231
CheckOption
BOOL CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
Definition validate.c:316
GetBuiltinAdminGroupName
static BOOL GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
Definition validate.c:110
GetTokenGroups
static PTOKEN_GROUPS GetTokenGroups(const HANDLE token)
Get a list of groups in token.
Definition validate.c:201
SYSTEM_ADMIN_GROUP
#define SYSTEM_ADMIN_GROUP
Definition validate.h:30
Generated by doxygen 1.9.8