Allow SID strings in sshd_config (#724)
* SIDs in sshd_config * add #include <Sddl.h> to servconf.c --------- Co-authored-by: Tess Gauthier <tessgauthier@microsoft.com>
This commit is contained in:
Andrew
GitHub
parent
afe9007141
commit
661803c9ec
|
|
@ -190,6 +190,29 @@ check_group_membership(const char* group)
|
|||
{
|
||||
PSID sid = NULL;
|
||||
BOOL is_member = 0;
|
||||
char* utf8_group_name = NULL;
|
||||
|
||||
// it can be a SID string; if it is - use localized name for that SID
|
||||
wchar_t* group_utf16 = utf8_to_utf16(group);
|
||||
if (ConvertStringSidToSidW(group_utf16, &sid) != 0) {
|
||||
WCHAR group_name[UNLEN + 1];
|
||||
DWORD group_name_length = UNLEN + 1;
|
||||
WCHAR domain_name[DNLEN + 1] = L"";
|
||||
DWORD domain_name_size = DNLEN + 1;
|
||||
SID_NAME_USE account_type = 0;
|
||||
if (LookupAccountSidW(NULL, sid, group_name, &group_name_length,
|
||||
domain_name, &domain_name_size, &account_type) != 0) {
|
||||
utf8_group_name = utf16_to_utf8(group_name);
|
||||
debug3_f("'%s' is translated to '%s'", group, utf8_group_name);
|
||||
group = utf8_group_name;
|
||||
} else {
|
||||
debug3_f("LookupAccountSid failed for '%s'", group);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
debug3_f("'%s' not recognized as SID", group);
|
||||
}
|
||||
|
||||
if ((sid = get_sid(group)) == NULL) {
|
||||
error("unable to resolve group %s", group);
|
||||
|
|
@ -202,6 +225,10 @@ check_group_membership(const char* group)
|
|||
cleanup:
|
||||
if (sid)
|
||||
free(sid);
|
||||
if (group_utf16)
|
||||
free(group_utf16);
|
||||
if (utf8_group_name)
|
||||
free(utf8_group_name);
|
||||
return is_member? 1: 0;
|
||||
}
|
||||
|
||||
|
|
|
|||
72
servconf.c
72
servconf.c
|
|
@ -11,6 +11,10 @@
|
|||
*/
|
||||
|
||||
#include "includes.h"
|
||||
#ifdef WINDOWS
|
||||
#include <LM.h>
|
||||
#include <Sddl.h>
|
||||
#endif // WINDOWS
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
|
|
@ -1827,6 +1831,34 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
uintptr = &options->num_allow_users;
|
||||
parse_allowdenyusers:
|
||||
while ((arg = argv_next(&ac, &av)) != NULL) {
|
||||
#ifdef WINDOWS
|
||||
// it can be a SID string; if it is - use localized name for that SID
|
||||
PSID Sid = NULL;
|
||||
char* utf8_user_name = NULL;
|
||||
wchar_t* arg_utf16 = utf8_to_utf16(arg);
|
||||
if (ConvertStringSidToSidW(arg_utf16, &Sid) != 0) {
|
||||
WCHAR user_name[UNLEN + 1];
|
||||
DWORD user_name_length = UNLEN + 1;
|
||||
WCHAR domain_name[DNLEN + 1] = L"";
|
||||
DWORD domain_name_size = DNLEN + 1;
|
||||
SID_NAME_USE account_type = 0;
|
||||
if (LookupAccountSidW(NULL, Sid, user_name, &user_name_length,
|
||||
domain_name, &domain_name_size, &account_type) != 0) {
|
||||
utf8_user_name = utf16_to_utf8(user_name);
|
||||
debug3_f("'%s' is translated to '%s'", arg, utf8_user_name);
|
||||
arg = utf8_user_name;
|
||||
} else {
|
||||
debug3_f("LookupAccountSid failed for '%s'", arg);
|
||||
}
|
||||
|
||||
if (Sid)
|
||||
LocalFree(Sid);
|
||||
}
|
||||
else
|
||||
{
|
||||
debug3_f("'%s' not recognized as SID", arg);
|
||||
}
|
||||
#endif // WINDOWS
|
||||
if (*arg == '\0' ||
|
||||
match_user(NULL, NULL, NULL, arg) == -1)
|
||||
fatal("%s line %d: invalid %s pattern: \"%s\"",
|
||||
|
|
@ -1835,6 +1867,12 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
continue;
|
||||
opt_array_append(filename, linenum, keyword,
|
||||
chararrayptr, uintptr, arg);
|
||||
#ifdef WINDOWS
|
||||
if (utf8_user_name)
|
||||
free(utf8_user_name);
|
||||
if (arg_utf16)
|
||||
free(arg_utf16);
|
||||
#endif // WINDOWS
|
||||
}
|
||||
break;
|
||||
|
||||
|
|
@ -1851,10 +1889,44 @@ process_server_config_line_depth(ServerOptions *options, char *line,
|
|||
if (*arg == '\0')
|
||||
fatal("%s line %d: empty %s pattern",
|
||||
filename, linenum, keyword);
|
||||
#ifdef WINDOWS
|
||||
// it can be a SID string; if it is - use localized name for that SID
|
||||
PSID Sid = NULL;
|
||||
char* utf8_group_name = NULL;
|
||||
wchar_t* arg_utf16 = utf8_to_utf16(arg);
|
||||
if (ConvertStringSidToSidW(arg_utf16, &Sid) != 0) {
|
||||
WCHAR group_name[UNLEN + 1];
|
||||
DWORD group_name_length = UNLEN + 1;
|
||||
WCHAR domain_name[DNLEN + 1] = L"";
|
||||
DWORD domain_name_size = DNLEN + 1;
|
||||
SID_NAME_USE account_type = 0;
|
||||
if (LookupAccountSidW(NULL, Sid, group_name, &group_name_length,
|
||||
domain_name, &domain_name_size, &account_type) != 0) {
|
||||
utf8_group_name = utf16_to_utf8(group_name);
|
||||
debug3_f("'%s' is translated to '%s'", arg, utf8_group_name);
|
||||
arg = utf8_group_name;
|
||||
} else {
|
||||
debug3_f("LookupAccountSid failed for '%s'", arg);
|
||||
}
|
||||
|
||||
if (Sid)
|
||||
LocalFree(Sid);
|
||||
}
|
||||
else
|
||||
{
|
||||
debug3_f("'%s' not recognized as SID", arg);
|
||||
}
|
||||
#endif // WINDOWS
|
||||
if (!*activep)
|
||||
continue;
|
||||
opt_array_append(filename, linenum, keyword,
|
||||
chararrayptr, uintptr, arg);
|
||||
#ifdef WINDOWS
|
||||
if (utf8_group_name)
|
||||
free(utf8_group_name);
|
||||
if (arg_utf16)
|
||||
free(arg_utf16);
|
||||
#endif // WINDOWS
|
||||
}
|
||||
break;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue