From 5218d4fc4540ffc68ac9ed7066c461356d846629 Mon Sep 17 00:00:00 2001 From: Manoj Ampalam Date: Sun, 16 Apr 2017 13:17:57 -0700 Subject: [PATCH] Revereted "Take Ownership Privileges" change on key auth tokens Fixed https://github.com/PowerShell/Win32-OpenSSH/issues/611 --- .../win32compat/ssh-agent/authagent-request.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/contrib/win32/win32compat/ssh-agent/authagent-request.c b/contrib/win32/win32compat/ssh-agent/authagent-request.c index 5f0259c94..291f332fa 100644 --- a/contrib/win32/win32compat/ssh-agent/authagent-request.c +++ b/contrib/win32/win32compat/ssh-agent/authagent-request.c @@ -278,7 +278,7 @@ int process_pubkeyauth_request(struct sshbuf* request, struct sshbuf* response, char *key_blob, *user, *sig, *blob; size_t key_blob_len, user_len, sig_len, blob_len; struct sshkey *key = NULL; - HANDLE token = NULL, restricted_token = NULL, dup_token = NULL, client_proc = NULL; + HANDLE token = NULL, dup_token = NULL, client_proc = NULL; wchar_t *user_utf16 = NULL, *udom_utf16 = NULL, *tmp; PWSTR wuser_home = NULL; ULONG client_pid; @@ -305,14 +305,8 @@ int process_pubkeyauth_request(struct sshbuf* request, struct sshbuf* response, goto done; } - /* for key based auth, remove SeTakeOwnershipPrivilege */ - if (LookupPrivilegeValueW(NULL, L"SeTakeOwnershipPrivilege", &priv_to_delete[0].Luid) == FALSE || - CreateRestrictedToken(token, 0, 0, NULL, 1, priv_to_delete, 0, NULL, &restricted_token) == FALSE) { - debug("unable to remove SeTakeOwnershipPrivilege privilege"); - goto done; - } - if (SHGetKnownFolderPath(&FOLDERID_Profile, 0, restricted_token, &wuser_home) != S_OK || + if (SHGetKnownFolderPath(&FOLDERID_Profile, 0, token, &wuser_home) != S_OK || pubkey_allowed(key, user_utf16, wuser_home) != 1) { debug("unable to verify public key for user %ls (profile:%ls)", user_utf16, wuser_home); goto done; @@ -325,14 +319,14 @@ int process_pubkeyauth_request(struct sshbuf* request, struct sshbuf* response, if ((FALSE == GetNamedPipeClientProcessId(con->connection, &client_pid)) || ( (client_proc = OpenProcess(PROCESS_DUP_HANDLE, FALSE, client_pid)) == NULL) || - (FALSE == DuplicateHandle(GetCurrentProcess(), restricted_token, client_proc, &dup_token, TOKEN_QUERY | TOKEN_IMPERSONATE, FALSE, DUPLICATE_SAME_ACCESS)) || + (FALSE == DuplicateHandle(GetCurrentProcess(), token, client_proc, &dup_token, TOKEN_QUERY | TOKEN_IMPERSONATE, FALSE, DUPLICATE_SAME_ACCESS)) || (sshbuf_put_u32(response, (int)(intptr_t)dup_token) != 0)) { debug("failed to authorize user"); goto done; } - con->auth_token = restricted_token; - restricted_token = NULL; + con->auth_token = token; + token = NULL; if ((tmp = wcschr(user_utf16, L'@')) != NULL) { udom_utf16 = tmp + 1; *tmp = L'\0';