What are the current issues with compiling bitmask for Windows?
In Windows (since Vista) the proper way to get privileges is with UAC (User Account Control). en.wikipedia.org/wiki/User_Account_Control
- Authenticode — http://msdn.microsoft.com/en-us/library/ms537359(v=vs.85).aspx
- using SignTool — msdn.microsoft.com/en-us/library/aa3877...
- Digital Code Signing Step-by-Step Guide – http://msdn.microsoft.com/en-us/library/office/aa140234(v=office.10).aspx
- Authenticode and Digital Certificate ID From Comodo — www.instantssl.com/code-signing/code-si...
We will need to have the user run an installer so that the administrative service can be set up. Also, this is what users expect for windows. What installer should we use?
Free software installer makers for windows:
- Qt Installer Framework wiki.qt.io/Qt-Installer-Framework
- WiX, from Microsoft en.wikipedia.org/wiki/WiX
On all platforms, some actions need to be performed with superuser permissions. These actions include:
- firewall: adding and removing firewall rules.
- openvpn: openvpn is always initially started as superuser so that it can change the routing table to use the VPN gateway as the new default route and add the TUN/TAP device. this needs to be done carefully so that only safe options are passed to openvpn and that only the right openvpn executable is called. after openvpn is called with superuser permissions, we then tell openvpn to drop all permissions (is this possible on Windows?)
- updates: modifying the installed Bitmask application with security updates.
Currently, on linux, there is a separate script called ‘bitmask-root’ that is responsible for the firewall and calling openvpn securely. It does not yet handle updates.
For windows, we need something that performs the same function. On windows, as far as I know, the way we can do this is to create administrative service that gets created via an installer. The Viper app (see below) does this via a service called ovpnmon.exe (compiled python app), which is used for calling another script for starting/stoping the firewall.
My proposal is for ‘bitmask-root’ to be this administrative service on Windows, and that we organize the bitmask-root code base like so:
bitmask-root.git src/ leap/ bitmask-root/ linux/ mac/ windows/
The bitmask-root directory would hold abstract classes and cross platform code, and the platform-specific directories would hold platform-specific sub-classes. For example, we can create a class for ‘Firewall’, with the same methods but with different implementations for each platform.
On linux, we can just call bitmask-root from bitmask, passing arguments. For windows and mac, we need a more complex method of passing commands to bitmask-root. Chiiph came up with some experimental solution to this on mac, I don’t remember what it was. Viper’s approach is simple, using RPC.
One complication is that we need to ensure that only bitmask is able to run bitmask-root. On linux, we do this with policykit. On mac, this will need to be done with SMJobBless. I am not sure what we can do on Windows.
Because a bitmask-root administrative service on windows would need to run totally stand alone, I propose that we do what Viper does and compile this service using py2exe. This means that there will be two bundled python executable as part of bitmask bundle: one for bitmask and one for bitmask-root. Awkward, but not horrible.
Viper is a GPL openvpn client written in python for windows. The code is pretty minimal and easy to read.
This is how it deals with firewall rules and running as root:
- installs ovpnmon.exe as a windows service, running as admin.
- main program
- contains ServiceProxy, that proxies start/stop/status commands to ovpnmon.exe via RPC.
- gets built into ovpnmon.exe using py2exe
- starts an RPC server running on localhost that the client connects to
- the RPC server code is in viper/openvpn/monitor.py monitor.RPCService
- calls firewall.py start/stop
- a python helper for running fwipv6.exe
- c# code that gets built into fwipv6.exe
- it starts/stops firewall that blocks ipv6 traffic