fix HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH registry permissions (#484)

bagajjal 2021-03-22 19:17:33 -07:00 committed by GitHub
parent 65625c685a
commit 2539e60536
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 69 additions and 21 deletions


@ -27,6 +27,6 @@ after_test:
Publish-OpenSSHTestResults
on_finish:
- ps: |
- ps: |
Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppveyorHelper.psm1
Publish-Artifact
Publish-Artifact


@ -289,6 +289,8 @@ function Publish-Artifact
Write-Host "Publishing $artifact as Appveyor artifact"
Push-AppveyorArtifact $artifact -ErrorAction Continue
}
Write-Host -ForegroundColor Yellow "End of publishing project artifacts"
}
<#


@ -203,7 +203,7 @@ WARNING: Following changes will be made to OpenSSH configuration
{
#only add the local user when it does not exists on the machine
net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile
}
}
}
#setup single sign on for ssouser


@ -47,6 +47,28 @@ finally {
}
}
# Fix the registry permissions
Import-Module $PSScriptRoot\OpenSSHUtils -Force
Enable-Privilege SeRestorePrivilege | out-null
$sshRootRegPath="HKLM:SOFTWARE/Openssh"
if (Test-Path $sshRootRegPath)
{
$sshRootAcl=Get-Acl $sshRootRegPath
# SDDL - FullAcess to System and Builtin/Admins and read only access to Authenticated users
$sshRootAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KR;;;AU)(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)")
Set-Acl $sshRootRegPath $sshRootAcl
}
$sshAgentRegPath="HKLM:SOFTWARE/Openssh/agent"
if (Test-Path $sshAgentRegPath)
{
$sshAgentAcl=Get-Acl $sshAgentRegPath
# SDDL - FullAcess to System and Builtin/Admins.
$sshAgentAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)")
Set-Acl $sshAgentRegPath $sshAgentAcl
}
#register etw provider
wevtutil im `"$etwman`"
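Review bot: Neither `Set-Acl` call in this hunk asks for `-ErrorAction Stop`, so if applying the descriptor fails (for example because the `O:BA` owner change needs the privilege that `Enable-Privilege SeRestorePrivilege` enables and that call did not take effect), the installer emits a non-terminating error and continues, leaving the key with whatever ACL it had before — which, judging by the old expectation in Setup.Tests.ps1, appears to have granted Authenticated Users SetValue. Change the two lines to `Set-Acl $sshRootRegPath $sshRootAcl -ErrorAction Stop` and `Set-Acl $sshAgentRegPath $sshAgentAcl -ErrorAction Stop`, or wrap the block in try/catch and abort the install. The two key paths are also spelled `HKLM:SOFTWARE/Openssh` here while the C side now uses `SSH_REGISTRY_ROOT`; deriving the agent path from a single root variable keeps them from drifting. The script continues past the hunk.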


@ -2041,4 +2041,4 @@ strrstr(const char *inStr, const char *pattern)
last = tmp++;
return last;
}
}


@ -81,4 +81,4 @@ wchar_t* get_final_path_by_handle(HANDLE h);
int lookup_principal_name(const wchar_t * sam_account_name, wchar_t * user_principal_name);
BOOL is_bash_test_env();
int bash_to_win_path(const char *in, char *out, const size_t out_len);
void debug_assert_internal();
void debug_assert_internal();
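Review bot: `void debug_assert_internal();` on the new side of this hunk is a declaration without a prototype; in C an empty parameter list means "unspecified arguments", so a call that passes arguments would compile without a diagnostic. Write it as `void debug_assert_internal(void);`. The definition of `SSH_REGISTRY_ROOT`, which the misc.c and win32_usertoken_utils.c hunks now use, is not visible in this rendered hunk — presumably it is the line this header gains; if so, a one-line comment naming the key it stands for (`/* registry key under HKLM holding OpenSSH settings */`) would help readers of the call sites.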


@ -74,7 +74,7 @@ set_defaultshell()
arg_buf[0] = L'\0';
tmp_len = _countof(path_buf);
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, &reg_key) == ERROR_SUCCESS) &&
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_REGISTRY_ROOT, 0, mask, &reg_key) == ERROR_SUCCESS) &&
(RegQueryValueExW(reg_key, L"DefaultShell", 0, NULL, (LPBYTE)path_buf, &tmp_len) == ERROR_SUCCESS) &&
(path_buf[0] != L'\0')) {
/* fetched default shell path from registry */


@ -86,6 +86,20 @@ agent_listen_loop()
wait_events[0] = event_stop_agent;
wait_events[1] = ol.hEvent;
wchar_t* sddl_str;
memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
sa.nLength = sizeof(sa);
/*
* SDDL - GA to System and Builtin/Admins and restricted access to Authenticated users
* 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
*/
sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1,
&sa.lpSecurityDescriptor, &sa.nLength))
fatal("cannot convert sddl ERROR:%d", GetLastError());
sa.bInheritHandle = FALSE;
while (1) {
pipe = CreateNamedPipeW(
AGENT_PIPE_ID, // pipe name
@ -196,11 +210,9 @@ agent_start(BOOL dbg_mode)
memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
sa.nLength = sizeof(sa);
/*
* SDDL - GA to System and Builtin/Admins and restricted access to Authenticated users
* 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
*/
sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
// SDDL - FullAcess to System and Builtin/Admins
sddl_str = L"D:PAI(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)";
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1,
&sa.lpSecurityDescriptor, &sa.nLength))
fatal("cannot convert sddl ERROR:%d", GetLastError());
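Review bot: `&sa.nLength` is passed as the SecurityDescriptorSize out-parameter of ConvertStringSecurityDescriptorToSecurityDescriptorW in both agent.c hunks (and again in wmain_sshd.c create_openssh_registry_key), so the `sa.nLength = sizeof(sa)` assignment two lines earlier is overwritten with the size of the returned descriptor before `sa` is handed to CreateNamedPipeW; that parameter is optional, so the calls should read `&sa.lpSecurityDescriptor, NULL))` or use a separate ULONG for the size. The descriptor returned in `sa.lpSecurityDescriptor` is allocated by the API and the hunk shows no LocalFree; in agent_listen_loop the conversion now sits before the `while (1)` loop, so it is one allocation per listener rather than per iteration, but the function continues outside the hunk and the release should be confirmed there. In the second hunk the new string uses `KA` and `OICI`, which are registry-key access and inheritance flags; that reads as intended only if the `sa` in agent_start is now applied to a registry key rather than the pipe, which the hunk does not show — a comment naming the object it protects would settle it.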


@ -688,7 +688,7 @@ get_custom_lsa_package()
if (s_processed)
return s_lsa_auth_pkg;
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, &reg_key) == ERROR_SUCCESS) &&
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_REGISTRY_ROOT, 0, mask, &reg_key) == ERROR_SUCCESS) &&
(RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, NULL, NULL, &lsa_auth_pkg_len) == ERROR_SUCCESS)) {
lsa_auth_pkg_w = (wchar_t *)malloc(lsa_auth_pkg_len); // lsa_auth_pkg_len includes the null terminating character.
if (!lsa_auth_pkg_w)
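Review bot: The comment on the `malloc(lsa_auth_pkg_len)` line asserts that `lsa_auth_pkg_len` includes the terminating NUL, but RegQueryValueExW only reports the stored size and does not guarantee that a REG_SZ value is NUL-terminated, so a value written without one yields an unterminated buffer. Unless the code past the hunk terminates it explicitly, allocate `lsa_auth_pkg_len + sizeof(wchar_t)` and set `lsa_auth_pkg_w[lsa_auth_pkg_len / sizeof(wchar_t)] = L'\0';` after the second query fills the buffer. The rest of get_custom_lsa_package lies outside the hunk.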


@ -174,11 +174,8 @@ create_openssh_registry_key()
memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
sa.nLength = sizeof(sa);
/*
* SDDL - FullAcess to System and Builtin/Admins and restricted access to Authenticated users
* 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
*/
sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
// SDDL - FullAcess to System and Builtin/Admins and read only access to Authenticated users
sddl_str = L"D:PAI(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)(A;OICI;KR;;;AU)";
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1, &sa.lpSecurityDescriptor, &sa.nLength)) {
printf("cannot convert sddl ERROR:%d", GetLastError());
return;
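Review bot: On a failed SDDL conversion the new code reports with `printf` to stdout and returns, so create_openssh_registry_key silently creates no key and the hardened `(A;OICI;KR;;;AU)` descriptor is never applied; the equivalent path in agent.c uses `fatal(...)` for the same condition. If the daemon's logging is initialised at this point, report through it and let the caller treat the missing key as a setup failure; at minimum write the message to stderr with `fprintf(stderr, ...)`. The comment line also carries a typo and would read better as `// SDDL - Full access to System and Builtin/Admins and read only access to Authenticated users`. The function continues outside the hunk.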


@ -275,7 +275,22 @@ Describe "Setup Tests" -Tags "Setup" {
@{
Identity=$authenticatedUserSid
IsInherited = $false
RegistryRights = $RegReadKeyPerm -bor ([System.UInt32] [System.Security.AccessControl.RegistryRights]::SetValue.value__)
RegistryRights = $RegReadKeyPerm
PropagationFlags = "None"
}
)
$opensshAgentACLs = @(
@{
Identity=$systemSid
IsInherited = $false
RegistryRights = $RegFullControlPerm
PropagationFlags = "None"
},
@{
Identity=$adminsSid
IsInherited = $false
RegistryRights = $RegFullControlPerm
PropagationFlags = "None"
}
)
@ -362,12 +377,12 @@ Describe "Setup Tests" -Tags "Setup" {
$agentPath = Join-Path $opensshRegPath "Agent"
if(Test-Path $agentPath -PathType Container)
{
ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshACLs
ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshAgentACLs
}
elseif((-not $windowsInBox) -or ((Get-Service ssh-agent).StartType -ne ([System.ServiceProcess.ServiceStartMode]::Disabled)))
{
Start-Service ssh-agent
ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshACLs
ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshAgentACLs
}
}
}
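Review bot: The new `$opensshAgentACLs` list holds only the SYSTEM and Administrators entries, which matches the agent-key descriptor set in install-sshd.ps1, but whether the test fails on an extra ACE (say an Authenticated Users read entry surviving on Agent) depends on ValidateRegistryACL, which is outside the hunk; if it only checks that the expected entries are present, add an assertion that the key's access-rule count equals `$IdAcls.Count` so a too-wide ACL cannot pass. The `elseif` branch starts ssh-agent to materialise the key and does not stop it afterwards, so later tests observe a changed service state — presumably acceptable here, but a comment saying so would help. The Describe block extends beyond the hunk.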


@ -142,7 +142,7 @@ Describe "Uninstall Tests" -Tags "Uninstall" {
@{
Identity=$authenticatedUserSid
IsInherited = $false
RegistryRights = $RegReadKeyPerm -bor ([System.UInt32] [System.Security.AccessControl.RegistryRights]::SetValue.value__)
RegistryRights = $RegReadKeyPerm
PropagationFlags = "None"
}
)