List:       wireguard
Subject:    Re: Duplicate IP address, and permissions problems on Windows
From:       "Jason A. Donenfeld" <Jason () zx2c4 ! com>
Date:       2021-04-12 17:50:28
Message-ID: CAHmME9qyfHYOjrmXeV-QKpGtF5z+ChA_Xdo8g4ufP0-OqnE0Gg () mail ! gmail ! com

On Wed, Apr 7, 2021 at 5:05 PM Daniel Lenski <dlenski@gmail.com> wrote:
>
> On Wed, Apr 7, 2021 at 1:18 AM David Woodhouse <dwmw2@infradead.org> wrote:
> >
> > On Tue, 2021-04-06 at 18:17 -0600, Jason A. Donenfeld wrote:
> > > With regards to permissions, you must be Local System, which is
> > > already the case if you're running inside a service. If you'd like to
> > > run as a mere Administrator process, you can steal a token with a
> > > technique like https://git.zx2c4.com/wireguard-tools/tree/src/ipc-uapi-windows.h#n14
> > > or https://git.zx2c4.com/wireguard-windows/tree/elevate/doas.go#n30
> >
> > Great, thanks!
> >
> > Is there a list of precisely which operations require such privileges?
> > Is it only *creating* an adapter? Or only if doing so requires the
> > kernel driver to be loaded for the first time?
> >
>
> I'm a little confused by this. In my testing of our recent builds of
> OpenConnect on Windows 2012 R2 with wintun-0.10.2…
>
> Running as Administrator *has been* sufficient to allow OpenConnect to
> open the Wintun adapters, as well as to configure them with "netsh",
> etc.
>
> Is there some additional environment we should be testing in, where
> Administrator may *not* be sufficient?

Oh, sorry, you're right. Administrator _is_ sufficient for this,
because the code I mentioned above to do automatic elevation is part
of wintun.dll. Sorry for the confusion.

Jason