fix HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH registry permissions (#484)
This commit is contained in:
parent
65625c685a
commit
2539e60536
|
@ -27,6 +27,6 @@ after_test:
|
|||
Publish-OpenSSHTestResults
|
||||
|
||||
on_finish:
|
||||
- ps: |
|
||||
- ps: |
|
||||
Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppveyorHelper.psm1
|
||||
Publish-Artifact
|
||||
Publish-Artifact
|
||||
|
|
|
@ -289,6 +289,8 @@ function Publish-Artifact
|
|||
Write-Host "Publishing $artifact as Appveyor artifact"
|
||||
Push-AppveyorArtifact $artifact -ErrorAction Continue
|
||||
}
|
||||
|
||||
Write-Host -ForegroundColor Yellow "End of publishing project artifacts"
|
||||
}
|
||||
|
||||
<#
|
||||
|
|
|
@ -203,7 +203,7 @@ WARNING: Following changes will be made to OpenSSH configuration
|
|||
{
|
||||
#only add the local user when it does not exists on the machine
|
||||
net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#setup single sign on for ssouser
|
||||
|
|
|
@ -47,6 +47,28 @@ finally {
|
|||
}
|
||||
}
|
||||
|
||||
# Fix the registry permissions
|
||||
Import-Module $PSScriptRoot\OpenSSHUtils -Force
|
||||
Enable-Privilege SeRestorePrivilege | out-null
|
||||
|
||||
$sshRootRegPath="HKLM:SOFTWARE/Openssh"
|
||||
if (Test-Path $sshRootRegPath)
|
||||
{
|
||||
$sshRootAcl=Get-Acl $sshRootRegPath
|
||||
# SDDL - FullAcess to System and Builtin/Admins and read only access to Authenticated users
|
||||
$sshRootAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KR;;;AU)(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)")
|
||||
Set-Acl $sshRootRegPath $sshRootAcl
|
||||
}
|
||||
|
||||
$sshAgentRegPath="HKLM:SOFTWARE/Openssh/agent"
|
||||
if (Test-Path $sshAgentRegPath)
|
||||
{
|
||||
$sshAgentAcl=Get-Acl $sshAgentRegPath
|
||||
# SDDL - FullAcess to System and Builtin/Admins.
|
||||
$sshAgentAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)")
|
||||
Set-Acl $sshAgentRegPath $sshAgentAcl
|
||||
}
|
||||
|
||||
#register etw provider
|
||||
wevtutil im `"$etwman`"
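Review bot: Neither `Set-Acl` call in the new block uses `-ErrorAction Stop`, so if `Enable-Privilege SeRestorePrivilege` (needed because the SDDL also rewrites the owner as `O:BA`) or `Set-Acl` fails, the installer only prints an error and proceeds to `wevtutil`, leaving `HKLM:SOFTWARE/Openssh/agent` with whatever DACL it had before — the exposure #484 is fixing. Suggest `Set-Acl $sshAgentRegPath $sshAgentAcl -ErrorAction Stop` (and the same for the root key), or test `$?` and abort the install. The order of the two blocks also looks load-bearing: the root key's inheritable `(A;OICI;KR;;;AU)` is, as far as I can tell, pushed down to unprotected subkeys by the first Set-Acl, and only the second call makes the agent key protected, so a comment such as `# root first, then agent: the agent key must re-apply its protected DACL after the inheritable AU read ACE is propagated` would keep a later reorder from reopening the key. The enclosing try/finally begins outside the hunk.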
|
||||
|
||||
|
|
|
@ -2041,4 +2041,4 @@ strrstr(const char *inStr, const char *pattern)
|
|||
last = tmp++;
|
||||
|
||||
return last;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -81,4 +81,4 @@ wchar_t* get_final_path_by_handle(HANDLE h);
|
|||
int lookup_principal_name(const wchar_t * sam_account_name, wchar_t * user_principal_name);
|
||||
BOOL is_bash_test_env();
|
||||
int bash_to_win_path(const char *in, char *out, const size_t out_len);
|
||||
void debug_assert_internal();
|
||||
void debug_assert_internal();
|
|
@ -74,7 +74,7 @@ set_defaultshell()
|
|||
arg_buf[0] = L'\0';
|
||||
|
||||
tmp_len = _countof(path_buf);
|
||||
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, ®_key) == ERROR_SUCCESS) &&
|
||||
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_REGISTRY_ROOT, 0, mask, ®_key) == ERROR_SUCCESS) &&
|
||||
(RegQueryValueExW(reg_key, L"DefaultShell", 0, NULL, (LPBYTE)path_buf, &tmp_len) == ERROR_SUCCESS) &&
|
||||
(path_buf[0] != L'\0')) {
|
||||
/* fetched default shell path from registry */
|
||||
|
|
|
@ -86,6 +86,20 @@ agent_listen_loop()
|
|||
wait_events[0] = event_stop_agent;
|
||||
wait_events[1] = ol.hEvent;
|
||||
|
||||
wchar_t* sddl_str;
|
||||
memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
|
||||
sa.nLength = sizeof(sa);
|
||||
/*
|
||||
* SDDL - GA to System and Builtin/Admins and restricted access to Authenticated users
|
||||
* 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
|
||||
*/
|
||||
sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
|
||||
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1,
|
||||
&sa.lpSecurityDescriptor, &sa.nLength))
|
||||
fatal("cannot convert sddl ERROR:%d", GetLastError());
|
||||
|
||||
sa.bInheritHandle = FALSE;
|
||||
|
||||
while (1) {
|
||||
pipe = CreateNamedPipeW(
|
||||
AGENT_PIPE_ID, // pipe name
|
||||
|
@ -196,11 +210,9 @@ agent_start(BOOL dbg_mode)
|
|||
|
||||
memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
|
||||
sa.nLength = sizeof(sa);
|
||||
/*
|
||||
* SDDL - GA to System and Builtin/Admins and restricted access to Authenticated users
|
||||
* 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
|
||||
*/
|
||||
sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
|
||||
|
||||
// SDDL - FullAcess to System and Builtin/Admins
|
||||
sddl_str = L"D:PAI(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)";
|
||||
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1,
|
||||
&sa.lpSecurityDescriptor, &sa.nLength))
|
||||
fatal("cannot convert sddl ERROR:%d", GetLastError());
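Review bot: In agent_listen_loop the new ConvertStringSecurityDescriptorToSecurityDescriptorW call passes `&sa.nLength` as the size-out parameter, so the `sa.nLength = sizeof(sa)` assignment a few lines above is overwritten with the byte length of the converted descriptor before `sa` reaches CreateNamedPipeW. That parameter is optional; pass `NULL` (or a separate `ULONG sd_len`) instead: `&sa.lpSecurityDescriptor, NULL))`. The same pattern appears in the context lines of the agent_start hunk, where it is pre-existing. The descriptor is allocated by the conversion and, as far as these hunks show, never released with LocalFree — tolerable for a once-per-process allocation made before the `while (1)` loop, but worth a comment saying so. agent_listen_loop begins and continues outside the hunk.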
|
||||
|
|
|
@ -688,7 +688,7 @@ get_custom_lsa_package()
|
|||
if (s_processed)
|
||||
return s_lsa_auth_pkg;
|
||||
|
||||
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, ®_key) == ERROR_SUCCESS) &&
|
||||
if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_REGISTRY_ROOT, 0, mask, ®_key) == ERROR_SUCCESS) &&
|
||||
(RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, NULL, NULL, &lsa_auth_pkg_len) == ERROR_SUCCESS)) {
|
||||
lsa_auth_pkg_w = (wchar_t *)malloc(lsa_auth_pkg_len); // lsa_auth_pkg_len includes the null terminating character.
|
||||
if (!lsa_auth_pkg_w)
|
||||
|
|
|
@ -174,11 +174,8 @@ create_openssh_registry_key()
|
|||
memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES));
|
||||
sa.nLength = sizeof(sa);
|
||||
|
||||
/*
|
||||
* SDDL - FullAcess to System and Builtin/Admins and restricted access to Authenticated users
|
||||
* 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE
|
||||
*/
|
||||
sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)";
|
||||
// SDDL - FullAcess to System and Builtin/Admins and read only access to Authenticated users
|
||||
sddl_str = L"D:PAI(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)(A;OICI;KR;;;AU)";
|
||||
if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1, &sa.lpSecurityDescriptor, &sa.nLength)) {
|
||||
printf("cannot convert sddl ERROR:%d", GetLastError());
|
||||
return;
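Review bot: The new descriptor grants Authenticated Users `KR` with `OICI`, so the read ACE is inherited by every subkey created under SOFTWARE\OpenSSH that does not set a protected DACL of its own; in this commit only the agent key (agent_start) opts out. That is presumably the intended policy for values like DefaultShell, but a comment would stop the next subkey from inheriting it by accident: `/* AU read is inheritable: a subkey holding secrets must set its own protected DACL (see agent_start) */`. The added comment also carries over the misspelling "FullAcess" from the line it replaces. The conversion call on the following context line reuses `&sa.nLength` as the size-out argument, which is pre-existing here but overwrites sizeof(sa). create_openssh_registry_key continues past the hunk.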
|
||||
|
|
|
@ -275,7 +275,22 @@ Describe "Setup Tests" -Tags "Setup" {
|
|||
@{
|
||||
Identity=$authenticatedUserSid
|
||||
IsInherited = $false
|
||||
RegistryRights = $RegReadKeyPerm -bor ([System.UInt32] [System.Security.AccessControl.RegistryRights]::SetValue.value__)
|
||||
RegistryRights = $RegReadKeyPerm
|
||||
PropagationFlags = "None"
|
||||
}
|
||||
)
|
||||
|
||||
$opensshAgentACLs = @(
|
||||
@{
|
||||
Identity=$systemSid
|
||||
IsInherited = $false
|
||||
RegistryRights = $RegFullControlPerm
|
||||
PropagationFlags = "None"
|
||||
},
|
||||
@{
|
||||
Identity=$adminsSid
|
||||
IsInherited = $false
|
||||
RegistryRights = $RegFullControlPerm
|
||||
PropagationFlags = "None"
|
||||
}
|
||||
)
|
||||
|
@ -362,12 +377,12 @@ Describe "Setup Tests" -Tags "Setup" {
|
|||
$agentPath = Join-Path $opensshRegPath "Agent"
|
||||
if(Test-Path $agentPath -PathType Container)
|
||||
{
|
||||
ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshACLs
|
||||
ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshAgentACLs
|
||||
}
|
||||
elseif((-not $windowsInBox) -or ((Get-Service ssh-agent).StartType -ne ([System.ServiceProcess.ServiceStartMode]::Disabled)))
|
||||
{
|
||||
Start-Service ssh-agent
|
||||
ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshACLs
|
||||
ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshAgentACLs
|
||||
}
|
||||
}
|
||||
}
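Review bot: The new `$opensshAgentACLs` list pins the System and Administrators ACEs on the Agent key, but the regression #484 guards against is an extra Authenticated Users ACE, and whether `ValidateRegistryACL` fails on entries that are not in `-IdAcls` is not visible from these hunks. If it only checks that the listed entries are present, an agent key that still grants AU read would pass; consider also asserting that the key's access-rule count equals `$opensshAgentACLs.Count`, or that no rule has `$authenticatedUserSid` as its identity. The Describe block begins and ends outside the hunks.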
|
||||
|
|
|
@ -142,7 +142,7 @@ Describe "Uninstall Tests" -Tags "Uninstall" {
|
|||
@{
|
||||
Identity=$authenticatedUserSid
|
||||
IsInherited = $false
|
||||
RegistryRights = $RegReadKeyPerm -bor ([System.UInt32] [System.Security.AccessControl.RegistryRights]::SetValue.value__)
|
||||
RegistryRights = $RegReadKeyPerm
|
||||
PropagationFlags = "None"
|
||||
}
|
||||
)
|
||||
|
|