openvpn: allow all local users to use personal config dir

Dr Adam Thorn requested to merge openvpn_permission_fix into master

We want users to be able to install and use their own config files which they keep under C:\users. However, openvpn performs a group membership check if a user tries to use such a profile, requiring membership of either the builtin Administrators group, or the group defined via the ovpn_admin_group setting (which defaults to "OpenVPN Administrators").

Note that the check is performed via a call to the Windows API function NetLocalGroupGetMembers(). The 'Users' group corresponds to the well-known SID S-1-5-32-545, which is:

https://github.com/ANSSI-FR/AD-permissions/blob/master/dbbrowser/docs/well-known_sids.txt

"A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer."
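
To see what membership of that group looks like on a particular machine, the following PowerShell (an added example, not part of this merge request or of OpenVPN's code) resolves S-1-5-32-545 to its local group name, lists the group's direct members, and reports whether the current logon matches one of them. Matching on the user's own SID plus its token group SIDs is an assumption made for illustration; the variable names are chosen here.

```powershell
# Added example: inspect the built-in Users group by its well-known SID.
# Uses the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1+).
$usersSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-545')

# Resolve the SID to the group name; the name is localized on non-English
# systems, which is why the SID is the stable identifier to start from.
$group = Get-LocalGroup -SID $usersSid
"Group for $($usersSid.Value): $($group.Name)"

# Direct members only: nested groups such as Authenticated Users or
# Domain Users appear as single entries and are not expanded.
$members = @(Get-LocalGroupMember -SID $usersSid)
$members |
    Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } } |
    Format-Table -AutoSize

# SIDs carried by the current logon: the user's SID plus every token group.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenSids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Assumption for illustration: the logon counts as covered when any direct
# member's SID equals the user's SID or one of the token group SIDs.
$matched = @($members | Where-Object { $tokenSids -contains $_.SID.Value })

if ($matched.Count -gt 0) {
    "$($identity.Name) is covered by '$($group.Name)' via: " +
        (($matched | ForEach-Object { $_.Name }) -join ', ')
} else {
    "$($identity.Name) does not match any direct member of '$($group.Name)'."
}
```

On a domain-joined machine the member list should include the Domain Users entry described in the quoted text, so every domain account that can log on matches through that entry.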
