diff --git a/appveyor.yml b/appveyor.yml index 2d0301bd2..ab2350dc5 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -27,6 +27,6 @@ after_test: Publish-OpenSSHTestResults on_finish: - - ps: | + - ps: | Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppveyorHelper.psm1 - Publish-Artifact + Publish-Artifact diff --git a/contrib/win32/openssh/AppveyorHelper.psm1 b/contrib/win32/openssh/AppveyorHelper.psm1 index f5a9e2469..afc47eb2c 100644 --- a/contrib/win32/openssh/AppveyorHelper.psm1 +++ b/contrib/win32/openssh/AppveyorHelper.psm1 @@ -289,6 +289,8 @@ function Publish-Artifact Write-Host "Publishing $artifact as Appveyor artifact" Push-AppveyorArtifact $artifact -ErrorAction Continue } + + Write-Host -ForegroundColor Yellow "End of publishing project artifacts" } <# diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1 index ab9ca4a69..600d0d257 100644 --- a/contrib/win32/openssh/OpenSSHTestHelper.psm1 +++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1 @@ -203,7 +203,7 @@ WARNING: Following changes will be made to OpenSSH configuration { #only add the local user when it does not exists on the machine net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile - } + } } #setup single sign on for ssouser diff --git a/contrib/win32/openssh/install-sshd.ps1 b/contrib/win32/openssh/install-sshd.ps1 index 70bec18b5..7ace9c8cb 100644 --- a/contrib/win32/openssh/install-sshd.ps1 +++ b/contrib/win32/openssh/install-sshd.ps1 
@@ -47,6 +47,28 @@ finally { } } +# Fix the registry permissions +Import-Module $PSScriptRoot\OpenSSHUtils -Force +Enable-Privilege SeRestorePrivilege | out-null + +$sshRootRegPath="HKLM:SOFTWARE/Openssh" +if (Test-Path $sshRootRegPath) +{ + $sshRootAcl=Get-Acl $sshRootRegPath + # SDDL - FullAcess to System and Builtin/Admins and read only access to Authenticated users + $sshRootAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KR;;;AU)(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)") + Set-Acl $sshRootRegPath $sshRootAcl +} + +$sshAgentRegPath="HKLM:SOFTWARE/Openssh/agent" +if (Test-Path $sshAgentRegPath) +{ + $sshAgentAcl=Get-Acl $sshAgentRegPath + # SDDL - FullAcess to System and Builtin/Admins. + $sshAgentAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)") + Set-Acl $sshAgentRegPath $sshAgentAcl +} + #register etw provider wevtutil im `"$etwman`" diff --git a/contrib/win32/win32compat/misc.c b/contrib/win32/win32compat/misc.c index 4b66b5e83..57022de6f 100644 --- a/contrib/win32/win32compat/misc.c +++ b/contrib/win32/win32compat/misc.c @@ -2041,4 +2041,4 @@ strrstr(const char *inStr, const char *pattern) last = tmp++; return last; -} \ No newline at end of file +} diff --git a/contrib/win32/win32compat/misc_internal.h b/contrib/win32/win32compat/misc_internal.h index f5056095f..f56d39b2b 100644 --- a/contrib/win32/win32compat/misc_internal.h +++ b/contrib/win32/win32compat/misc_internal.h @@ -81,4 +81,4 @@ wchar_t* get_final_path_by_handle(HANDLE h); int lookup_principal_name(const wchar_t * sam_account_name, wchar_t * user_principal_name); BOOL is_bash_test_env(); int bash_to_win_path(const char *in, char *out, const size_t out_len); -void debug_assert_internal(); +void debug_assert_internal(); \ No newline at end of file diff --git a/contrib/win32/win32compat/pwd.c b/contrib/win32/win32compat/pwd.c index 6606f7a13..9c9a385b4 100644 --- a/contrib/win32/win32compat/pwd.c +++ b/contrib/win32/win32compat/pwd.c 
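Review bot: The repair pass only rewrites the root key and `agent`; `Set-Acl` with a protected (`P`) DACL propagates the inheritable ACEs to children but leaves explicit ACEs on them untouched, so any subkey that already existed under these keys before this fix (whether ssh-agent creates some beneath `agent` cannot be confirmed from here) keeps the DACL it was created with, including the SetValue right the old descriptor gave Authenticated Users. Walking the existing subkeys and re-applying the matching descriptor closes that gap; the two `Set-Acl` calls should also use `-ErrorAction Stop`, since at present a failed hardening only shows up as a non-terminating error in the install log. The comment `# SDDL - FullAcess ...` is misspelled here and in the agent.c and wmain_sshd.c hunks; `# SDDL - Full access for SYSTEM and Builtin\Administrators, read-only for Authenticated Users` reads correctly.
```powershell
# … unchanged: root and agent key descriptors …
# Subkeys created before this fix keep their own explicit ACEs when the parent's
# protected DACL is set, so re-apply the agent descriptor to each of them.
if (Test-Path $sshAgentRegPath)
{
    Get-ChildItem -Path $sshAgentRegPath -Recurse | ForEach-Object {
        $subKeyAcl = Get-Acl $_.PSPath
        $subKeyAcl.SetSecurityDescriptorSddlForm("O:BAG:SYD:P(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)")
        Set-Acl -Path $_.PSPath -AclObject $subKeyAcl -ErrorAction Stop
    }
}
```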
@@ -74,7 +74,7 @@ set_defaultshell() arg_buf[0] = L'\0'; tmp_len = _countof(path_buf); - if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, ®_key) == ERROR_SUCCESS) && + if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_REGISTRY_ROOT, 0, mask, ®_key) == ERROR_SUCCESS) && (RegQueryValueExW(reg_key, L"DefaultShell", 0, NULL, (LPBYTE)path_buf, &tmp_len) == ERROR_SUCCESS) && (path_buf[0] != L'\0')) { /* fetched default shell path from registry */ diff --git a/contrib/win32/win32compat/ssh-agent/agent.c b/contrib/win32/win32compat/ssh-agent/agent.c index a97d9d3f7..02d463ab4 100644 --- a/contrib/win32/win32compat/ssh-agent/agent.c +++ b/contrib/win32/win32compat/ssh-agent/agent.c @@ -86,6 +86,20 @@ agent_listen_loop() wait_events[0] = event_stop_agent; wait_events[1] = ol.hEvent; + wchar_t* sddl_str; + memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES)); + sa.nLength = sizeof(sa); + /* + * SDDL - GA to System and Builtin/Admins and restricted access to Authenticated users + * 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE + */ + sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)"; + if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1, + &sa.lpSecurityDescriptor, &sa.nLength)) + fatal("cannot convert sddl ERROR:%d", GetLastError()); + + sa.bInheritHandle = FALSE; + while (1) { pipe = CreateNamedPipeW( AGENT_PIPE_ID, // pipe name 
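Review bot: The last argument of ConvertStringSecurityDescriptorToSecurityDescriptorW receives the byte size of the descriptor it allocates, so passing `&sa.nLength` overwrites the `sa.nLength = sizeof(sa);` set two lines earlier with the descriptor size; nothing visible in the hunk reads nLength afterwards, but the same pattern is carried into agent_start (next hunk) and create_openssh_registry_key in wmain_sshd.c, and each should use a separate variable: `ULONG sd_len = 0;` and `&sa.lpSecurityDescriptor, &sd_len))`. The descriptor is allocated once before `while (1)` and presumably feeds every CreateNamedPipeW call in the loop, so it is never freed by design; a comment such as `/* descriptor is reused for every pipe instance and lives until the process exits */` would keep a later cleanup from LocalFree'ing it. `sa` is declared outside the hunk and agent_listen_loop continues past it.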
@@ -196,11 +210,9 @@ agent_start(BOOL dbg_mode) memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES)); sa.nLength = sizeof(sa); - /* - * SDDL - GA to System and Builtin/Admins and restricted access to Authenticated users - * 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE - */ - sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)"; + + // SDDL - FullAcess to System and Builtin/Admins + sddl_str = L"D:PAI(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)"; if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1, &sa.lpSecurityDescriptor, &sa.nLength)) fatal("cannot convert sddl ERROR:%d", GetLastError()); diff --git a/contrib/win32/win32compat/win32_usertoken_utils.c b/contrib/win32/win32compat/win32_usertoken_utils.c index dea175c42..78609d470 100644 --- a/contrib/win32/win32compat/win32_usertoken_utils.c +++ b/contrib/win32/win32compat/win32_usertoken_utils.c @@ -688,7 +688,7 @@ get_custom_lsa_package() if (s_processed) return s_lsa_auth_pkg; - if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\\OpenSSH", 0, mask, ®_key) == ERROR_SUCCESS) && + if ((RegOpenKeyExW(HKEY_LOCAL_MACHINE, SSH_REGISTRY_ROOT, 0, mask, ®_key) == ERROR_SUCCESS) && (RegQueryValueExW(reg_key, L"LSAAuthenticationPackage", 0, NULL, NULL, &lsa_auth_pkg_len) == ERROR_SUCCESS)) { lsa_auth_pkg_w = (wchar_t *)malloc(lsa_auth_pkg_len); // lsa_auth_pkg_len includes the null terminating character. if (!lsa_auth_pkg_w) diff --git a/contrib/win32/win32compat/wmain_sshd.c b/contrib/win32/win32compat/wmain_sshd.c index 5d5fff88f..9c7dfcbe8 100644 --- a/contrib/win32/win32compat/wmain_sshd.c +++ b/contrib/win32/win32compat/wmain_sshd.c 
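Review bot: The hunk no longer says which object this descriptor protects: the removed comment described named-pipe rights (GA / 0x12019b), while the new SDDL uses registry key rights (KA) with container inheritance, so `sa` in agent_start presumably now goes to a registry-key creation call that lies outside the hunk. A comment naming the key would make the split between this function (registry) and agent_listen_loop (pipe) explicit: `/* DACL for the agent registry key: SYSTEM and Administrators only; Authenticated Users deliberately get no access */`. The same `&sa.nLength` size-output clobber noted on the agent_listen_loop hunk applies to the unchanged call below the new lines, and the comment typo `FullAcess` is repeated here.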
@@ -174,11 +174,8 @@ create_openssh_registry_key() memset(&sa, 0, sizeof(SECURITY_ATTRIBUTES)); sa.nLength = sizeof(sa); - /* - * SDDL - FullAcess to System and Builtin/Admins and restricted access to Authenticated users - * 0x12019b - FILE_GENERIC_READ/WRITE minus FILE_CREATE_PIPE_INSTANCE - */ - sddl_str = L"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;0x12019b;;;AU)"; + // SDDL - FullAcess to System and Builtin/Admins and read only access to Authenticated users + sddl_str = L"D:PAI(A;OICI;KA;;;SY)(A;OICI;KA;;;BA)(A;OICI;KR;;;AU)"; if (!ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl_str, SDDL_REVISION_1, &sa.lpSecurityDescriptor, &sa.nLength)) { printf("cannot convert sddl ERROR:%d", GetLastError()); return; diff --git a/regress/pesterTests/Setup.Tests.ps1 b/regress/pesterTests/Setup.Tests.ps1 index a5e41a38c..4c62ce148 100644 --- a/regress/pesterTests/Setup.Tests.ps1 +++ b/regress/pesterTests/Setup.Tests.ps1 @@ -275,7 +275,22 @@ Describe "Setup Tests" -Tags "Setup" { @{ Identity=$authenticatedUserSid IsInherited = $false - RegistryRights = $RegReadKeyPerm -bor ([System.UInt32] [System.Security.AccessControl.RegistryRights]::SetValue.value__) + RegistryRights = $RegReadKeyPerm + PropagationFlags = "None" + } + ) + + $opensshAgentACLs = @( + @{ + Identity=$systemSid + IsInherited = $false + RegistryRights = $RegFullControlPerm + PropagationFlags = "None" + }, + @{ + Identity=$adminsSid + IsInherited = $false + RegistryRights = $RegFullControlPerm PropagationFlags = "None" } ) 
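Review bot: If `sa` is passed to RegCreateKeyExW (the call is outside the hunk), the new descriptor only takes effect when the key is first created; on a machine upgraded from a build that created HKLM\SOFTWARE\OpenSSH with the old SDDL, the key keeps the SetValue right that descriptor granted Authenticated Users, and it is the install-sshd.ps1 fix-up in this commit, not the daemon, that closes that hole. That dependency belongs in a comment next to the SDDL: `/* Applied only when the key is created; install-sshd.ps1 repairs the DACL of pre-existing keys. */`. The `printf` on the error path formats `GetLastError()` with `%d` although it returns a DWORD; `%lu` matches. The rest of create_openssh_registry_key, including the registry call, is outside the hunk.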
@@ -362,12 +377,12 @@ Describe "Setup Tests" -Tags "Setup" { $agentPath = Join-Path $opensshRegPath "Agent" if(Test-Path $agentPath -PathType Container) { - ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshACLs + ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshAgentACLs } elseif((-not $windowsInBox) -or ((Get-Service ssh-agent).StartType -ne ([System.ServiceProcess.ServiceStartMode]::Disabled))) { Start-Service ssh-agent - ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshACLs + ValidateRegistryACL -RegPath $agentPath -IdAcls $opensshAgentACLs } } } diff --git a/regress/pesterTests/Uninstall.Tests.ps1 b/regress/pesterTests/Uninstall.Tests.ps1 index 5d20e45fd..74268bd2d 100644 --- a/regress/pesterTests/Uninstall.Tests.ps1 +++ b/regress/pesterTests/Uninstall.Tests.ps1 @@ -142,7 +142,7 @@ Describe "Uninstall Tests" -Tags "Uninstall" { @{ Identity=$authenticatedUserSid IsInherited = $false - RegistryRights = $RegReadKeyPerm -bor ([System.UInt32] [System.Security.AccessControl.RegistryRights]::SetValue.value__) + RegistryRights = $RegReadKeyPerm PropagationFlags = "None" } )
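Review bot: Whether this test would catch the regression the commit fixes depends on ValidateRegistryACL, which is not in the hunk: `$opensshAgentACLs` lists only SYSTEM and Administrators, so if the helper merely checks that each listed ACE is present, an extra ACE for `$authenticatedUserSid` on the `Agent` key would still pass. An explicit assertion that the key's access rules contain no entry for `$authenticatedUserSid`, or that the rule count equals `$opensshAgentACLs.Count`, would pin the intended hardening regardless of how the helper is written. The `elseif` branch still skips the check entirely when the key is missing and the service is disabled on an inbox install, which is pre-existing but worth a `Set-ItResult -Skipped` style marker so the omission is visible in the test output.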