OpenVPN
validate.c
Go to the documentation of this file.
1/*
2 * OpenVPN -- An application to securely tunnel IP networks
3 * over a single TCP/UDP port, with support for SSL/TLS-based
4 * session authentication and key exchange,
5 * packet encryption, packet authentication, and
6 * packet compression.
7 *
8 * Copyright (C) 2016-2024 Selva Nair <selva.nair@gmail.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2
12 * as published by the Free Software Foundation.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License along
20 * with this program; if not, write to the Free Software Foundation, Inc.,
21 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 */
23
24#include "validate.h"
25
26#include <lmaccess.h>
27#include <shlwapi.h>
28#include <lm.h>
29
30static const WCHAR *white_list[] =
31{
32 L"auth-retry",
33 L"config",
34 L"log",
35 L"log-append",
36 L"management",
37 L"management-forget-disconnect",
38 L"management-hold",
39 L"management-query-passwords",
40 L"management-query-proxy",
41 L"management-signal",
42 L"management-up-down",
43 L"mute",
44 L"setenv",
45 L"service",
46 L"verb",
47 L"pull-filter",
48 L"script-security",
49
50 NULL /* last value */
51};
52
53static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name);
54
55static PTOKEN_GROUPS GetTokenGroups(const HANDLE token);
56
57/*
58 * Check workdir\fname is inside config_dir
59 * The logic here is simple: we may reject some valid paths if ..\ is in any of the strings
60 */
61static BOOL
62CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
63{
64 WCHAR tmp[MAX_PATH];
65 const WCHAR *config_file = NULL;
66 const WCHAR *config_dir = NULL;
67
68 /* convert fname to full path */
69 if (PathIsRelativeW(fname) )
70 {
71 swprintf(tmp, _countof(tmp), L"%ls\\%ls", workdir, fname);
72 config_file = tmp;
73 }
74 else
75 {
76 config_file = fname;
77 }
78
79 config_dir = s->config_dir;
80
81 if (wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0
82 && wcsstr(config_file + wcslen(config_dir), L"..") == NULL)
83 {
84 return TRUE;
85 }
86
87 return FALSE;
88}
89
90
91/*
92 * A simple linear search meant for a small wchar_t *array.
93 * Returns index to the item if found, -1 otherwise.
94 */
95static int
96OptionLookup(const WCHAR *name, const WCHAR *white_list[])
97{
98 int i;
99
100 for (i = 0; white_list[i]; i++)
101 {
102 if (wcscmp(white_list[i], name) == 0)
103 {
104 return i;
105 }
106 }
107
108 return -1;
109}
110
111/*
112 * The Administrators group may be localized or renamed by admins.
113 * Get the local name of the group using the SID.
114 */
115static BOOL
116GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
117{
118 BOOL b = FALSE;
119 PSID admin_sid = NULL;
120 DWORD sid_size = SECURITY_MAX_SID_SIZE;
121 SID_NAME_USE snu;
122
123 WCHAR domain[MAX_NAME];
124 DWORD dlen = _countof(domain);
125
126 admin_sid = malloc(sid_size);
127 if (!admin_sid)
128 {
129 return FALSE;
130 }
131
132 b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
133 if (b)
134 {
135 b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &snu);
136 }
137
138 free(admin_sid);
139
140 return b;
141}
142
143/*
144 * Check whether user is a member of Administrators group or
145 * the group specified in ovpn_admin_group
146 */
147BOOL
148IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group)
149{
150 const WCHAR *admin_group[2];
151 WCHAR username[MAX_NAME];
152 WCHAR domain[MAX_NAME];
153 WCHAR sysadmin_group[MAX_NAME];
154 DWORD len = MAX_NAME;
155 BOOL ret = FALSE;
156 SID_NAME_USE sid_type;
157
158 /* Get username */
159 if (!LookupAccountSidW(NULL, sid, username, &len, domain, &len, &sid_type))
160 {
161 MsgToEventLog(M_SYSERR, TEXT("LookupAccountSid"));
162 /* not fatal as this is now used only for logging */
163 username[0] = '\0';
164 domain[0] = '\0';
165 }
166
167 if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group)))
168 {
169 admin_group[0] = sysadmin_group;
170 }
171 else
172 {
173 MsgToEventLog(M_SYSERR, TEXT("Failed to get the name of Administrators group. Using the default."));
174 /* use the default value */
175 admin_group[0] = SYSTEM_ADMIN_GROUP;
176 }
177 admin_group[1] = ovpn_admin_group;
178
179 PTOKEN_GROUPS token_groups = GetTokenGroups(token);
180 for (int i = 0; i < 2; ++i)
181 {
182 ret = IsUserInGroup(sid, token_groups, admin_group[i]);
183 if (ret)
184 {
185 MsgToEventLog(M_INFO, TEXT("Authorizing user '%ls@%ls' by virtue of membership in group '%ls'"),
186 username, domain, admin_group[i]);
187 goto out;
188 }
189 }
190
191out:
192 free(token_groups);
193 return ret;
194}
195
201static PTOKEN_GROUPS
202GetTokenGroups(const HANDLE token)
203{
204 PTOKEN_GROUPS groups = NULL;
205 DWORD buf_size = 0;
206
207 if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size)
208 && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
209 {
210 groups = malloc(buf_size);
211 }
212 if (!groups)
213 {
214 MsgToEventLog(M_SYSERR, L"GetTokenGroups");
215 }
216 else if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size))
217 {
218 MsgToEventLog(M_SYSERR, L"GetTokenInformation");
219 free(groups);
220 }
221 return groups;
222}
223
224/*
225 * Find SID from name
226 *
227 * On input sid buffer should have space for at least sid_size bytes.
228 * Returns true on success, false on failure.
229 * Suggest: in caller allocate sid to hold SECURITY_MAX_SID_SIZE bytes
230 */
231static BOOL
232LookupSID(const WCHAR *name, PSID sid, DWORD sid_size)
233{
234 SID_NAME_USE su;
235 WCHAR domain[MAX_NAME];
236 DWORD dlen = _countof(domain);
237
238 if (!LookupAccountName(NULL, name, sid, &sid_size, domain, &dlen, &su))
239 {
240 return FALSE; /* not fatal as the group may not exist */
241 }
242 return TRUE;
243}
244
257static BOOL
258IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_name)
259{
260 BOOL ret = FALSE;
261 DWORD_PTR resume = 0;
262 DWORD err;
263 BYTE grp_sid[SECURITY_MAX_SID_SIZE];
264 int nloop = 0; /* a counter used to not get stuck in the do .. while() */
265
266 /* first check in the token groups */
267 if (token_groups && LookupSID(group_name, (PSID) grp_sid, _countof(grp_sid)))
268 {
269 for (DWORD i = 0; i < token_groups->GroupCount; ++i)
270 {
271 if (EqualSid((PSID) grp_sid, token_groups->Groups[i].Sid))
272 {
273 return TRUE;
274 }
275 }
276 }
277
278 /* check user's SID is a member of the group */
279 if (!sid)
280 {
281 return FALSE;
282 }
283 do
284 {
285 DWORD nread, nmax;
286 LOCALGROUP_MEMBERS_INFO_0 *members = NULL;
287 err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *) &members,
288 MAX_PREFERRED_LENGTH, &nread, &nmax, &resume);
289 if ((err != NERR_Success && err != ERROR_MORE_DATA))
290 {
291 break;
292 }
293 /* If a match is already found, ret == TRUE and the loop is skipped */
294 for (DWORD i = 0; i < nread && !ret; ++i)
295 {
296 ret = EqualSid(members[i].lgrmi0_sid, sid);
297 }
298 NetApiBufferFree(members);
299 /* MSDN says the lookup should always iterate until err != ERROR_MORE_DATA */
300 } while (err == ERROR_MORE_DATA && nloop++ < 100);
301
302 if (err != NERR_Success && err != NERR_GroupNotFound)
303 {
304 SetLastError(err);
305 MsgToEventLog(M_SYSERR, TEXT("In NetLocalGroupGetMembers for group '%ls'"), group_name);
306 }
307
308 return ret;
309}
310
311/*
312 * Check whether option argv[0] is white-listed. If argv[0] == "--config",
313 * also check that argv[1], if present, passes CheckConfigPath().
314 * The caller should set argc to the number of valid elements in argv[] array.
315 */
316BOOL
317CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
318{
319 /* Do not modify argv or *argv -- ideally it should be const WCHAR *const *, but alas...*/
320
321 if (wcscmp(argv[0], L"--config") == 0
322 && argc > 1
323 && !CheckConfigPath(workdir, argv[1], s)
324 )
325 {
326 return FALSE;
327 }
328
329 /* option name starts at 2 characters from argv[i] */
330 if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */
331 {
332 return FALSE;
333 }
334
335 return TRUE;
336}
MsgToEventLog
DWORD MsgToEventLog(DWORD flags, LPCTSTR format,...)
Definition common.c:215
M_INFO
#define M_INFO
Definition errlevel.h:55
M_SYSERR
#define M_SYSERR
Definition service.h:51
MAX_NAME
#define MAX_NAME
Definition service.h:67
argv
Definition argv.h:35
settings_t
Definition service.h:68
settings_t::config_dir
TCHAR config_dir[MAX_PATH]
Definition service.h:70
CheckConfigPath
static BOOL CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
Definition validate.c:62
white_list
static const WCHAR * white_list[]
Definition validate.c:30
OptionLookup
static int OptionLookup(const WCHAR *name, const WCHAR *white_list[])
Definition validate.c:96
IsUserInGroup
static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name)
User is in group if the token groups contain the SID of the group of if the user is a direct member o...
Definition validate.c:258
LookupSID
static BOOL LookupSID(const WCHAR *name, PSID sid, DWORD sid_size)
Definition validate.c:232
CheckOption
BOOL CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
Definition validate.c:317
GetBuiltinAdminGroupName
static BOOL GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
Definition validate.c:116
IsAuthorizedUser
BOOL IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group)
Definition validate.c:148
GetTokenGroups
static PTOKEN_GROUPS GetTokenGroups(const HANDLE token)
Get a list of groups in token.
Definition validate.c:202
SYSTEM_ADMIN_GROUP
#define SYSTEM_ADMIN_GROUP
Definition validate.h:31
Generated by doxygen 1.9.8