Duplicate IP address, and permissions problems on Windows

Jason A. Donenfeld Jason at zx2c4.com
Mon Apr 12 17:50:28 UTC 2021


On Wed, Apr 7, 2021 at 5:05 PM Daniel Lenski <dlenski at gmail.com> wrote:
>
> On Wed, Apr 7, 2021 at 1:18 AM David Woodhouse <dwmw2 at infradead.org> wrote:
> >
> > On Tue, 2021-04-06 at 18:17 -0600, Jason A. Donenfeld wrote:
> > > With regards to permissions, you must be Local System, which is
> > > already the case if you're running inside a service. If you'd like to
> > > run as a mere Administrator process, you can steal a token with a
> > > technique like https://git.zx2c4.com/wireguard-tools/tree/src/ipc-uapi-windows.h#n14
> > > or https://git.zx2c4.com/wireguard-windows/tree/elevate/doas.go#n30
> >
> > Great, thanks!
> >
> > Is there a list of precisely which operations require such privileges?
> > Is it only *creating* an adapter? Or only if doing so requires the
> > kernel driver to be loaded for the first time?
> >
>
> I'm a little confused by this. In my testing of our recent builds of
> OpenConnect on Windows 2012 R2 with wintun-0.10.2…
>
> Running as Administrator *has been* sufficient to allow OpenConnect to
> open the Wintun adapters, as well as to configure them with "netsh",
> etc.
>
> Is there some additional environment we should be testing in, where
> Administrator may *not* be sufficient?

Oh, sorry, you're right. Administrator _is_ sufficient for this,
because the code I mentioned above to do automatic elevation is part
of wintun.dll. Sorry for the confusion.

Jason

