On Mon, Feb 20, 2017 at 7:18 AM, Gert Doering <g...@greenie.muc.de> wrote:

> On Sat, Jan 14, 2017 at 04:16:29PM -0500, selva.n...@gmail.com wrote:
> > From: Selva Nair <selva.n...@gmail.com>
> >
> > Currently the username unqualified by the domain is used to validate
> > a user which fails for domain users. Instead authorize the user
> >
> > (i) if the built-in admin group or ovpn_admin group is in the process token
> > (ii) else if the user's SID is in the built-in admin or ovpn_admin groups
> >
> > The second check is needed to recognize dynamic updates to group membership
> > on the local machine that will not be reflected in the token.
> >
> > These checks do not require connection to a domain controller and will
> > work even when user is logged in with cached credentials.
> >
> > Resolves Trac: #810
> >
> > v2: include the token check as described above
>
> Took me way too long...  the code change looks reasonable ("does what it
> says on the tin, and safely so").
>
> One question occurred to me, though...
>
> MS documentation for GetTokenInformation() suggests that group membership
> tests should be done with "CheckTokenMembership()", which sounds more
> convenient than "extract them all and walk the list" - so maybe this
> is done to avoid domain controller contact?


Thanks for the review :)

CheckTokenMembership() returns true only if the SID is present and enabled.
That means when UAC is active it will not detect that the user is a member
of the Administrators group, as the SID will not be enabled. In other words, our
usage of group membership is somewhat special -- we only care that the user is a
member of the admin or ovpn_admin groups, not that the corresponding rights be
enabled in the token.

Selva
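The distinction Selva describes, as an added illustration that is not part of the thread or of OpenVPN's own code: `member_if_enabled()` reproduces the semantics of CheckTokenMembership() (the SID must be present and enabled, and a deny-only entry never matches), while `member_if_present()` is the "walk the TOKEN_GROUPS list and look for the SID" check the patch relies on. The constructed token below models a UAC-filtered (non-elevated) token of a local administrator, where the Administrators SID is listed but flagged SE_GROUP_USE_FOR_DENY_ONLY. The ovpn_admin SID is a placeholder; on a real system it would be resolved by name. The `#ifdef _WIN32` helper shows how the same list is obtained from a live process token with GetTokenInformation(TokenGroups) (link against advapi32); the portable part runs anywhere.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Attribute bits with the same values as the Windows SE_GROUP_* flags,
   redefined here so the portable part compiles without windows.h. */
#define GRP_ENABLED            0x00000004u
#define GRP_USE_FOR_DENY_ONLY  0x00000010u

/* One entry of a token's group list: string SID plus attribute flags.
   Mirrors SID_AND_ATTRIBUTES as returned by GetTokenInformation(TokenGroups). */
struct group_entry {
    const char *sid;
    unsigned attributes;
};

/* Well-known SID of BUILTIN\Administrators; the ovpn_admin value is a
   constructed placeholder (a real local group SID is looked up at run time). */
#define SID_BUILTIN_ADMINS         "S-1-5-32-544"
#define SID_OVPN_ADMIN_PLACEHOLDER "S-1-5-21-0-0-0-1001"

/* CheckTokenMembership() semantics: the SID must be present AND enabled;
   an entry marked deny-only is never a match. */
int member_if_enabled(const struct group_entry *g, size_t n, const char *sid)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(g[i].sid, sid) != 0)
            continue;
        if (g[i].attributes & GRP_USE_FOR_DENY_ONLY)
            return 0;
        return (g[i].attributes & GRP_ENABLED) ? 1 : 0;
    }
    return 0;
}

/* The check the patch needs: the SID is in the list, attributes are ignored. */
int member_if_present(const struct group_entry *g, size_t n, const char *sid)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(g[i].sid, sid) == 0)
            return 1;
    return 0;
}

/* Authorization rule "member of Administrators or ovpn_admin", evaluated
   with either semantics. Returns 1 if the token is accepted. */
int authorize_token(const struct group_entry *g, size_t n, int require_enabled)
{
    int (*check)(const struct group_entry *, size_t, const char *) =
        require_enabled ? member_if_enabled : member_if_present;
    return check(g, n, SID_BUILTIN_ADMINS) ||
           check(g, n, SID_OVPN_ADMIN_PLACEHOLDER);
}

/* Constructed sample: filtered (UAC, non-elevated) token of a local admin.
   Administrators is still listed, but deny-only instead of enabled. */
static const struct group_entry uac_filtered_token[] = {
    { "S-1-1-0",          GRP_ENABLED },           /* Everyone            */
    { "S-1-5-32-545",     GRP_ENABLED },           /* BUILTIN\Users       */
    { SID_BUILTIN_ADMINS, GRP_USE_FOR_DENY_ONLY }, /* Administrators, UAC */
};
#define N_UAC (sizeof uac_filtered_token / sizeof uac_filtered_token[0])

#ifdef _WIN32
#include <windows.h>
#include <sddl.h>
/* Fill `out` from the current process token's group list. Returns the number
   of entries or -1 on failure. String SIDs come from ConvertSidToStringSidA
   and must be released with LocalFree by the caller. */
int load_process_token_groups(struct group_entry *out, size_t max)
{
    HANDLE tok;
    DWORD need = 0;
    TOKEN_GROUPS *tg;
    int count = -1;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &tok))
        return -1;
    GetTokenInformation(tok, TokenGroups, NULL, 0, &need); /* size query */
    tg = (TOKEN_GROUPS *)malloc(need);
    if (tg && GetTokenInformation(tok, TokenGroups, tg, need, &need)) {
        count = 0;
        for (DWORD i = 0; i < tg->GroupCount && (size_t)count < max; i++) {
            LPSTR s;
            if (!ConvertSidToStringSidA(tg->Groups[i].Sid, &s))
                continue;
            out[count].sid = s;
            out[count].attributes = tg->Groups[i].Attributes;
            count++;
        }
    }
    free(tg);
    CloseHandle(tok);
    return count;
}
#endif

int main(void)
{
    printf("enabled-only (CheckTokenMembership): %d\n",
           authorize_token(uac_filtered_token, N_UAC, 1));
    printf("present-in-token (patch):            %d\n",
           authorize_token(uac_filtered_token, N_UAC, 0));
    return 0;
}
```

With the sample token the enabled-only check rejects the administrator while the presence check accepts them, which is exactly the UAC case in the reply above. Note that the presence check is deliberately weaker than Windows' own access decision: it answers "is this account in the group", not "does this process currently hold the group's rights", so it is only appropriate when, as here, membership itself is the authorization criterion.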
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel