From a6d5ef82f4d90f3e997aa2ed4bf61414d6c39ee6 Mon Sep 17 00:00:00 2001
From: Odd Stranne
Date: Wed, 6 Mar 2019 14:58:25 +0100
Subject: Windows: Apply strict security descriptor on pipe server
Signed-off-by: Odd Stranne
---
 ipc/uapi_windows.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ipc/uapi_windows.go b/ipc/uapi_windows.go
index 158c5a8..8f0268d 100644
--- a/ipc/uapi_windows.go
+++ b/ipc/uapi_windows.go
@@ -46,9 +46,20 @@ func (l *UAPIListener) Addr() net.Addr {
 return l.listener.Addr()
 }
 
+func GetSystemSecurityDescriptor() string {
+ //
+ // SDDL encoded.
+ //
+ // (system = SECURITY_NT_AUTHORITY | SECURITY_LOCAL_SYSTEM_RID)
+ // owner: system
+ // grant: GENERIC_ALL to system
+ //
+ return "O:SYD:(A;;GA;;;SY)"
+}
+
 func UAPIListen(name string) (net.Listener, error) {
 config := winio.PipeConfig{
- SecurityDescriptor: "O:SYD:P(A;;GA;;;SY)", /* Local System only, not inheritable */
+ SecurityDescriptor: GetSystemSecurityDescriptor(),
 }
 listener, err := winio.ListenPipe("\\\\.\\pipe\\WireGuard\\"+name, &config)
 if err != nil {
-- 
cgit v1.2.3
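Review bot: The new SDDL string in GetSystemSecurityDescriptor drops the `P` (protected DACL) flag that the removed line carried (`O:SYD:P(A;;GA;;;SY)` became `O:SYD:(A;;GA;;;SY)`), and neither the new comment block nor the commit message explains that change, which reads as the opposite of the "strict" in the subject. Whether inheritance can ever reach a named pipe is outside what this hunk shows, so either keep the flag, `return "O:SYD:P(A;;GA;;;SY)"`, or state the reasoning in the comment, e.g. `// P (protected DACL) intentionally omitted: <reason>`, so the next reader does not have to re-derive it. The exported name also lacks the Go doc comment and uses a `Get` prefix; a one-line `// GetSystemSecurityDescriptor returns the SDDL string restricting the pipe to Local System.` above the func would address the first. UAPIListen continues past the end of the hunk.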