OpenVPN
validate.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2016-2021 Selva Nair <selva.nair@gmail.com>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 #include "validate.h"
25 
26 #include <lmaccess.h>
27 #include <shlwapi.h>
28 #include <lm.h>
29 
30 static const WCHAR *white_list[] =
31 {
32  L"auth-retry",
33  L"config",
34  L"log",
35  L"log-append",
36  L"management",
37  L"management-forget-disconnect",
38  L"management-hold",
39  L"management-query-passwords",
40  L"management-query-proxy",
41  L"management-signal",
42  L"management-up-down",
43  L"mute",
44  L"setenv",
45  L"service",
46  L"verb",
47  L"pull-filter",
48  L"script-security",
49 
50  NULL /* last value */
51 };
52 
53 static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name);
54 
55 static PTOKEN_GROUPS GetTokenGroups(const HANDLE token);
56 
57 /*
58  * Check workdir\fname is inside config_dir
59  * The logic here is simple: we may reject some valid paths if ..\ is in any of the strings
60  */
61 static BOOL
62 CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
63 {
64  WCHAR tmp[MAX_PATH];
65  const WCHAR *config_file = NULL;
66  const WCHAR *config_dir = NULL;
67 
68  /* convert fname to full path */
69  if (PathIsRelativeW(fname) )
70  {
71  openvpn_swprintf(tmp, _countof(tmp), L"%ls\\%ls", workdir, fname);
72  config_file = tmp;
73  }
74  else
75  {
76  config_file = fname;
77  }
78 
79  config_dir = s->config_dir;
80 
81  if (wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0
82  && wcsstr(config_file + wcslen(config_dir), L"..") == NULL)
83  {
84  return TRUE;
85  }
86 
87  return FALSE;
88 }
89 
90 
91 /*
92  * A simple linear search meant for a small wchar_t *array.
93  * Returns index to the item if found, -1 otherwise.
94  */
95 static int
96 OptionLookup(const WCHAR *name, const WCHAR *white_list[])
97 {
98  int i;
99 
100  for (i = 0; white_list[i]; i++)
101  {
102  if (wcscmp(white_list[i], name) == 0)
103  {
104  return i;
105  }
106  }
107 
108  return -1;
109 }
110 
111 /*
112  * The Administrators group may be localized or renamed by admins.
113  * Get the local name of the group using the SID.
114  */
115 static BOOL
116 GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
117 {
118  BOOL b = FALSE;
119  PSID admin_sid = NULL;
120  DWORD sid_size = SECURITY_MAX_SID_SIZE;
121  SID_NAME_USE snu;
122 
123  WCHAR domain[MAX_NAME];
124  DWORD dlen = _countof(domain);
125 
126  admin_sid = malloc(sid_size);
127  if (!admin_sid)
128  {
129  return FALSE;
130  }
131 
132  b = CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admin_sid, &sid_size);
133  if (b)
134  {
135  b = LookupAccountSidW(NULL, admin_sid, name, &nlen, domain, &dlen, &snu);
136  }
137 
138  free(admin_sid);
139 
140  return b;
141 }
142 
143 /*
144  * Check whether user is a member of Administrators group or
145  * the group specified in ovpn_admin_group
146  */
147 BOOL
148 IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group)
149 {
150  const WCHAR *admin_group[2];
151  WCHAR username[MAX_NAME];
152  WCHAR domain[MAX_NAME];
153  WCHAR sysadmin_group[MAX_NAME];
154  DWORD len = MAX_NAME;
155  BOOL ret = FALSE;
156  SID_NAME_USE sid_type;
157 
158  /* Get username */
159  if (!LookupAccountSidW(NULL, sid, username, &len, domain, &len, &sid_type))
160  {
161  MsgToEventLog(M_SYSERR, TEXT("LookupAccountSid"));
162  /* not fatal as this is now used only for logging */
163  username[0] = '\0';
164  domain[0] = '\0';
165  }
166 
167  if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group)))
168  {
169  admin_group[0] = sysadmin_group;
170  }
171  else
172  {
173  MsgToEventLog(M_SYSERR, TEXT("Failed to get the name of Administrators group. Using the default."));
174  /* use the default value */
175  admin_group[0] = SYSTEM_ADMIN_GROUP;
176  }
177  admin_group[1] = ovpn_admin_group;
178 
179  PTOKEN_GROUPS token_groups = GetTokenGroups(token);
180  for (int i = 0; i < 2; ++i)
181  {
182  ret = IsUserInGroup(sid, token_groups, admin_group[i]);
183  if (ret)
184  {
185  MsgToEventLog(M_INFO, TEXT("Authorizing user '%ls@%ls' by virtue of membership in group '%ls'"),
186  username, domain, admin_group[i]);
187  goto out;
188  }
189  }
190 
191 out:
192  free(token_groups);
193  return ret;
194 }
195 
201 static PTOKEN_GROUPS
202 GetTokenGroups(const HANDLE token)
203 {
204  PTOKEN_GROUPS groups = NULL;
205  DWORD buf_size = 0;
206 
207  if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size)
208  && GetLastError() == ERROR_INSUFFICIENT_BUFFER)
209  {
210  groups = malloc(buf_size);
211  }
212  if (!groups)
213  {
214  MsgToEventLog(M_SYSERR, L"GetTokenGroups");
215  }
216  else if (!GetTokenInformation(token, TokenGroups, groups, buf_size, &buf_size))
217  {
218  MsgToEventLog(M_SYSERR, L"GetTokenInformation");
219  free(groups);
220  }
221  return groups;
222 }
223 
224 /*
225  * Find SID from name
226  *
227  * On input sid buffer should have space for at least sid_size bytes.
228  * Returns true on success, false on failure.
229  * Suggest: in caller allocate sid to hold SECURITY_MAX_SID_SIZE bytes
230  */
231 static BOOL
232 LookupSID(const WCHAR *name, PSID sid, DWORD sid_size)
233 {
234  SID_NAME_USE su;
235  WCHAR domain[MAX_NAME];
236  DWORD dlen = _countof(domain);
237 
238  if (!LookupAccountName(NULL, name, sid, &sid_size, domain, &dlen, &su))
239  {
240  return FALSE; /* not fatal as the group may not exist */
241  }
242  return TRUE;
243 }
244 
257 static BOOL
258 IsUserInGroup(PSID sid, const PTOKEN_GROUPS token_groups, const WCHAR *group_name)
259 {
260  BOOL ret = FALSE;
261  DWORD_PTR resume = 0;
262  DWORD err;
263  BYTE grp_sid[SECURITY_MAX_SID_SIZE];
264  int nloop = 0; /* a counter used to not get stuck in the do .. while() */
265 
266  /* first check in the token groups */
267  if (token_groups && LookupSID(group_name, (PSID) grp_sid, _countof(grp_sid)))
268  {
269  for (DWORD i = 0; i < token_groups->GroupCount; ++i)
270  {
271  if (EqualSid((PSID) grp_sid, token_groups->Groups[i].Sid))
272  {
273  return TRUE;
274  }
275  }
276  }
277 
278  /* check user's SID is a member of the group */
279  if (!sid)
280  {
281  return FALSE;
282  }
283  do
284  {
285  DWORD nread, nmax;
286  LOCALGROUP_MEMBERS_INFO_0 *members = NULL;
287  err = NetLocalGroupGetMembers(NULL, group_name, 0, (LPBYTE *) &members,
288  MAX_PREFERRED_LENGTH, &nread, &nmax, &resume);
289  if ((err != NERR_Success && err != ERROR_MORE_DATA))
290  {
291  break;
292  }
293  /* If a match is already found, ret == TRUE and the loop is skipped */
294  for (DWORD i = 0; i < nread && !ret; ++i)
295  {
296  ret = EqualSid(members[i].lgrmi0_sid, sid);
297  }
298  NetApiBufferFree(members);
299  /* MSDN says the lookup should always iterate until err != ERROR_MORE_DATA */
300  } while (err == ERROR_MORE_DATA && nloop++ < 100);
301 
302  if (err != NERR_Success && err != NERR_GroupNotFound)
303  {
304  SetLastError(err);
305  MsgToEventLog(M_SYSERR, TEXT("In NetLocalGroupGetMembers for group '%ls'"), group_name);
306  }
307 
308  return ret;
309 }
310 
311 /*
312  * Check whether option argv[0] is white-listed. If argv[0] == "--config",
313  * also check that argv[1], if present, passes CheckConfigPath().
314  * The caller should set argc to the number of valid elements in argv[] array.
315  */
316 BOOL
317 CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
318 {
319  /* Do not modify argv or *argv -- ideally it should be const WCHAR *const *, but alas...*/
320 
321  if (wcscmp(argv[0], L"--config") == 0
322  && argc > 1
323  && !CheckConfigPath(workdir, argv[1], s)
324  )
325  {
326  return FALSE;
327  }
328 
329  /* option name starts at 2 characters from argv[i] */
330  if (OptionLookup(argv[0] + 2, white_list) == -1) /* not found */
331  {
332  return FALSE;
333  }
334 
335  return TRUE;
336 }
DWORD MsgToEventLog(DWORD flags, LPCTSTR format,...)
Definition: common.c:245
#define M_INFO
Definition: errlevel.h:55
TCHAR config_dir[MAX_PATH]
Definition: service.h:71
BOOL CheckOption(const WCHAR *workdir, int argc, WCHAR *argv[], const settings_t *s)
Definition: validate.c:317
static PTOKEN_GROUPS GetTokenGroups(const HANDLE token)
Get a list of groups in token.
Definition: validate.c:202
#define SYSTEM_ADMIN_GROUP
Definition: validate.h:31
static BOOL IsUserInGroup(PSID sid, const PTOKEN_GROUPS groups, const WCHAR *group_name)
User is in group if the token groups contain the SID of the group of if the user is a direct member o...
Definition: validate.c:258
static const WCHAR * white_list[]
Definition: validate.c:30
static BOOL GetBuiltinAdminGroupName(WCHAR *name, DWORD nlen)
Definition: validate.c:116
#define malloc
Definition: cmocka.c:1795
static int OptionLookup(const WCHAR *name, const WCHAR *white_list[])
Definition: validate.c:96
static BOOL LookupSID(const WCHAR *name, PSID sid, DWORD sid_size)
Definition: validate.c:232
#define M_SYSERR
Definition: service.h:52
#define MAX_NAME
Definition: service.h:68
#define free
Definition: cmocka.c:1850
bool openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format,...)
Definition: buffer.c:318
Definition: argv.h:35
static BOOL CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
Definition: validate.c:62
BOOL IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group)
Definition: validate.c:148