From: Phillip McMahon <phillip.mcmahon@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Adrian Larsen <alarsen@maidenheadbridge.com>,
Clint Dovholuk <clint.dovholuk@netfoundry.io>,
Riccardo Paolo Bestetti <pbl@bestov.io>,
WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: Using WireGuard on Windows as non-admin - proper solution?
Date: Sun, 29 Nov 2020 20:44:20 +0100 [thread overview]
Message-ID: <CABtXGiAK_T0sVPPq_aXLs_fnPG=A9bKZrN-oj7dZa4Wb2j0_Eg@mail.gmail.com> (raw)
In-Reply-To: <CAHmME9o6MdOW=ODPH=Ksh5urUJaaE5Y8HPwkdL7F-_3XCa1KJQ@mail.gmail.com>
Hey Jason,
Won't drag this already long and confusing thread out. Not challenging
the current implementation, just the notion that any other suggestion
is a dead end and the topic is closed.
I will continue to use wg daily and now add in the non-admin elements
to test those out too. Appreciate the progress here and all that hard
work.
Phill
On Sun, 29 Nov 2020 at 18:52, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi Phillip,
>
> On Sun, Nov 29, 2020 at 2:40 PM Phillip McMahon
> <phillip.mcmahon@gmail.com> wrote:
> > I have been following the wider thread and maybe I misunderstood but
> > believe the solution requires some registry tweaks and membership to
> > the Network Operators Group, along with Windows Home requiring the
> > creation of a group not officially supported on that platform. Correct
> > or not?
> >
> > It was with all the in mind that I wrote the two points.
>
> I must admit I misunderstood your first message. Sorry for that. I
> understand you now to be questioning two things:
>
> - That this is gated behind a registry key;
> - That it works by using the network operators group.
>
> The first point is something I could imagine changing down the line as
> we learn more about the NCO group's usage. To start, and for now, I
> prefer to put "risky" settings behind a flag.
>
> But the latter point I'm much more hesitant to change. You recalled
> that I was initially entirely wary of this feature all together. This
> is true. It was only upon hearing the excellent idea of the NCO group
> that it became tenable for me. The reason is that the NCO group is a
> preexisting designation as part of the operating system that confers
> these privileges. And there's an easy argument to be made that adding
> the ability to stop/start tunnels does not add anything extra beyond
> what NCO can already do (like changing IP addresses or disabling
> adapters). Therefore, the brilliance of the NCO suggestion, in my
> mind, was that we're not adding any additional holes to the Windows
> security model. That makes it very compelling to me.
>
> It seems like you want to go back to challenge the initial hesitation
> again: maybe we _should_ add additional caveats to the existing
> Windows model, you suggest. Maybe. But if we can avoid doing so, I
> really would prefer that, and it seems like NCO group strikes a good
> balance.
>
> What's the situation you have in mind in which an administrator would
> permit a user to enable and disable tunnels but would not permit the
> other privileges conferred by NCO? What is the impedance mismatch that
> you are thinking about?
>
> Jason
--
Use this contact page to send me encrypted messages and files
https://flowcrypt.com/me/phillipmcmahon
P.S. Drowning in email? Try SaneBox and take back control:
http://sanebox.com/t/old3m. I love it.
next prev parent reply other threads:[~2020-11-29 19:45 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-12 15:18 vh217
2020-11-13 2:16 ` Jason A. Donenfeld
2020-11-13 12:03 ` Der PCFreak
2020-11-15 15:28 ` Patrik Holmqvist
2020-11-19 16:56 ` Jason A. Donenfeld
2020-11-20 11:49 ` Patrik Holmqvist
2020-11-20 12:52 ` Jason A. Donenfeld
2020-11-20 13:10 ` Patrick Fogarty
2020-11-20 13:14 ` Patrik Holmqvist
2020-11-17 10:18 ` Viktor H
2020-11-26 7:09 ` Chris Bennett
2020-11-21 10:05 ` Jason A. Donenfeld
2020-11-22 12:55 ` Jason A. Donenfeld
2020-11-23 14:57 ` Fatih USTA
2020-11-24 23:42 ` Riccardo Paolo Bestetti
2020-11-25 1:08 ` Jason A. Donenfeld
2020-11-25 7:49 ` Riccardo Paolo Bestetti
2020-11-25 10:30 ` Jason A. Donenfeld
2020-11-25 11:45 ` Jason A. Donenfeld
2020-11-25 14:08 ` Riccardo Paolo Bestetti
[not found] ` <8bf9e364f87bd0018dabca03dcc8c19b@mail.gmail.com>
2020-11-25 20:10 ` Riccardo Paolo Bestetti
2020-11-25 21:42 ` Jason A. Donenfeld
2020-11-26 8:53 ` Adrian Larsen
2020-11-28 14:28 ` Jason A. Donenfeld
2020-11-29 9:30 ` Adrian Larsen
2020-11-29 10:52 ` Jason A. Donenfeld
2020-11-29 12:09 ` Phillip McMahon
2020-11-29 12:50 ` Jason A. Donenfeld
2020-11-29 13:40 ` Phillip McMahon
2020-11-29 17:52 ` Jason A. Donenfeld
2020-11-29 19:44 ` Phillip McMahon [this message]
2020-11-29 20:59 ` Jason A. Donenfeld
2020-11-30 18:34 ` Riccardo Paolo Bestetti
2022-04-22 20:21 ` zer0flash
2020-11-30 12:47 ` Probable Heresy ;-) Peter Whisker
2020-12-02 13:40 ` Jason A. Donenfeld
2021-01-03 11:08 ` Christopher Ng
2020-11-25 12:40 ` AW: Using WireGuard on Windows as non-admin - proper solution? Joachim Lindenberg
2020-11-25 13:08 ` Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CABtXGiAK_T0sVPPq_aXLs_fnPG=A9bKZrN-oj7dZa4Wb2j0_Eg@mail.gmail.com' \
--to=phillip.mcmahon@gmail.com \
--cc=Jason@zx2c4.com \
--cc=alarsen@maidenheadbridge.com \
--cc=clint.dovholuk@netfoundry.io \
--cc=pbl@bestov.io \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).