mirror of
https://github.com/PowerShell/openssh-portable.git
synced 2025-07-31 01:35:11 +02:00
Remove None/Domain Users Group Filter (#316)
- Removed logic that was excluding the group membership SID that matched 'None' on workgroup computers or 'Domain Users' on domain systems. - Removed the test that checked that AllowGroups fails when the user is not in any group at all. This is no longer testable since a user will always be a member of at least one group. https://github.com/PowerShell/Win32-OpenSSH/issues/1167
parent
8013f1377b
commit
710050b186
@ -1273,17 +1273,12 @@ getusergroups(const char *user, int *ngroups)
|
|||||||
!IsValidSid(group_buf->Groups[i].Sid))
|
!IsValidSid(group_buf->Groups[i].Sid))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
/* only bother with groups that are builtin or classic domain/local groups
|
/* only bother with groups that are builtin or classic domain/local groups */
|
||||||
* also ignore domain users and builtin users since these will be meaningless
|
|
||||||
* since they do not resolve properly on workgroup computers; these would
|
|
||||||
* never meaningfully be used in the server configuration */
|
|
||||||
SID * sid = group_buf->Groups[i].Sid;
|
SID * sid = group_buf->Groups[i].Sid;
|
||||||
DWORD sub = sid->SubAuthority[0];
|
DWORD sub = sid->SubAuthority[0];
|
||||||
DWORD rid = sid->SubAuthority[sid->SubAuthorityCount - 1];
|
|
||||||
SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY;
|
SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY;
|
||||||
if (memcmp(&nt_authority, GetSidIdentifierAuthority(sid), sizeof(SID_IDENTIFIER_AUTHORITY)) == 0 && (
|
if (memcmp(&nt_authority, GetSidIdentifierAuthority(sid), sizeof(SID_IDENTIFIER_AUTHORITY)) == 0 && (
|
||||||
sub == SECURITY_NT_NON_UNIQUE || sub == SECURITY_BUILTIN_DOMAIN_RID) &&
|
sub == SECURITY_NT_NON_UNIQUE || sub == SECURITY_BUILTIN_DOMAIN_RID)) {
|
||||||
rid != DOMAIN_GROUP_RID_USERS && rid != DOMAIN_ALIAS_RID_USERS) {
|
|
||||||
|
|
||||||
/* lookup the account name for this sid */
|
/* lookup the account name for this sid */
|
||||||
wchar_t name[GNLEN + 1];
|
wchar_t name[GNLEN + 1];
|
||||||
|
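Review bot: With the `rid` condition gone from the `if` in getusergroups, the builtin Users alias (`DOMAIN_ALIAS_RID_USERS`) now reaches the name lookup along with the None/Domain Users group, yet the description mentions only the latter and the shortened comment mentions neither. An existing `AllowGroups` or `DenyGroups` entry that names one of these groups would presumably start matching almost every account after this change, so the comment should record it, e.g. `/* includes None/Domain Users and BUILTIN\Users, which nearly every account belongs to */`. The commit also deletes the negative AllowGroups test without adding one that pins the new behaviour, such as a login allowed or denied through one of these broad groups. getusergroups starts and ends outside the hunk.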
@ -228,19 +228,6 @@ Describe "Tests of sshd_config" -Tags "CI" {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
It "$tC.$tI-User with full name in the list of AllowUsers but not in any AllowGroups" -skip:$skip {
|
|
||||||
#Run
|
|
||||||
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog"
|
|
||||||
|
|
||||||
Add-LocalUser -UserName $allowUser4 -Password $password
|
|
||||||
|
|
||||||
ssh -p $port -E $sshlog -o "UserKnownHostsFile $testknownhosts" $allowUser4@$server echo 1234
|
|
||||||
$LASTEXITCODE | Should Not Be 0
|
|
||||||
Stop-SSHDTestDaemon
|
|
||||||
$sshdlog | Should Contain "not allowed because not in any group"
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
It "$tC.$tI-User with full name in the list of DenyUsers" -skip:$skip {
|
It "$tC.$tI-User with full name in the list of DenyUsers" -skip:$skip {
|
||||||
#Run
|
#Run
|
||||||
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog"
|
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog"
|
||||||
|