{
goto out;
}
+
+ error = GetRegString(key, TEXT("ovpn_service_user"), s->ovpn_service_user,
+ sizeof(s->ovpn_service_user), OVPN_SERVICE_USER);
+ if (error != ERROR_SUCCESS)
+ {
+ goto out;
+ }
+
/* set process priority */
if (!_wcsicmp(priority, TEXT("IDLE_PRIORITY_CLASS")))
{
* OR user is authorized to run any config.
*/
if (!ValidateOptions(pipe, sud.directory, sud.options, errmsg, _countof(errmsg))
- && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group))
+ && !IsAuthorizedUser(ovpn_user->User.Sid, imp_token, settings.ovpn_admin_group, settings.ovpn_service_user))
{
ReturnError(pipe, ERROR_STARTUP_DATA, errmsg, 1, &exit_event);
goto out;
TCHAR ext_string[16];
TCHAR log_dir[MAX_PATH];
TCHAR ovpn_admin_group[MAX_NAME];
+ TCHAR ovpn_service_user[MAX_NAME];
DWORD priority;
BOOL append;
} settings_t;
return b;
}
-/*
- * Check whether user is a member of Administrators group or
- * the group specified in ovpn_admin_group
- */
BOOL
-IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group)
+IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user)
{
const WCHAR *admin_group[2];
WCHAR username[MAX_NAME];
domain[0] = '\0';
}
+ /* is this service account? */
+ if ((wcscmp(username, ovpn_service_user) == 0) && (wcscmp(domain, TEXT("NT SERVICE")) == 0))
+ {
+ return TRUE;
+ }
+
if (GetBuiltinAdminGroupName(sysadmin_group, _countof(sysadmin_group)))
{
admin_group[0] = sysadmin_group;
/* Authorized groups who can use any options and config locations */
#define SYSTEM_ADMIN_GROUP TEXT("Administrators")
-#define OVPN_ADMIN_GROUP TEXT("OpenVPN Administrators")
-/* The last one may be reset in registry: HKLM\Software\OpenVPN\ovpn_admin_group */
+#define OVPN_ADMIN_GROUP TEXT("OpenVPN Administrators") /* may be set in HKLM\Software\OpenVPN\ovpn_admin_group */
+#define OVPN_SERVICE_USER TEXT("OpenVPNService") /* may be set in HKLM\Software\OpenVPN\ovpn_service_user */
+
+/*
+ * Check whether user is a member of Administrators group or
+ * the group specified in ovpn_admin_group or
+ * OpenVPN Virtual Service Account user
+ */
BOOL
-IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group);
+IsAuthorizedUser(PSID sid, const HANDLE token, const WCHAR *ovpn_admin_group, const WCHAR *ovpn_service_user);
BOOL
CheckOption(const WCHAR *workdir, int narg, WCHAR *argv[], const settings_t *s);
projects / thirdparty / openvpn.git / commitdiff
