tyler.durden/openssh-portable
1
0
Fork 0
mirror of https://github.com/PowerShell/openssh-portable.git synced 2025-07-31 01:35:11 +02:00
Code Issues Packages Projects Releases Wiki Activity

Remove None/Domain Users Group Filter (#316)

Browse Source 
- Removed logic that was excluding the group membership SID that matched 'None' on workgroup computers or 'Domain Users' on domain systems.
- Removed test that was checking that AllowGroups failure if user was not in any group at all.  This is no longer testable since user will always be a member of at least one group.

https://github.com/PowerShell/Win32-OpenSSH/issues/1167
This commit is contained in:
Bryan Berns 2018-06-03 11:23:30 -04:00 committed by Manoj Ampalam
parent 8013f1377b
commit 710050b186
2 changed files with 2 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
contrib/win32/win32compat/misc.c
View File

@ -1273,17 +1273,12 @@ getusergroups(const char *user, int *ngroups)
!IsValidSid(group_buf->Groups[i].Sid)) !IsValidSid(group_buf->Groups[i].Sid))
continue; continue;
/* only bother with groups that are builtin or classic domain/local groups /* only bother with groups that are builtin or classic domain/local groups */
* also ignore domain users and builtin users since these will be meaningless
* since they do not resolve properly on workgroup computers; these would
* never meaningfully be used in the server configuration */
SID * sid = group_buf->Groups[i].Sid; SID * sid = group_buf->Groups[i].Sid;
DWORD sub = sid->SubAuthority[0]; DWORD sub = sid->SubAuthority[0];
DWORD rid = sid->SubAuthority[sid->SubAuthorityCount - 1];
SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY; SID_IDENTIFIER_AUTHORITY nt_authority = SECURITY_NT_AUTHORITY;
if (memcmp(&nt_authority, GetSidIdentifierAuthority(sid), sizeof(SID_IDENTIFIER_AUTHORITY)) == 0 && ( if (memcmp(&nt_authority, GetSidIdentifierAuthority(sid), sizeof(SID_IDENTIFIER_AUTHORITY)) == 0 && (
sub == SECURITY_NT_NON_UNIQUE || sub == SECURITY_BUILTIN_DOMAIN_RID) && sub == SECURITY_NT_NON_UNIQUE || sub == SECURITY_BUILTIN_DOMAIN_RID)) {
rid != DOMAIN_GROUP_RID_USERS && rid != DOMAIN_ALIAS_RID_USERS) {
/* lookup the account name for this sid */ /* lookup the account name for this sid */
wchar_t name[GNLEN + 1]; wchar_t name[GNLEN + 1];

13
regress/pesterTests/SSHDConfig.tests.ps1
View File

@ -228,19 +228,6 @@ Describe "Tests of sshd_config" -Tags "CI" {
} }
It "$tC.$tI-User with full name in the list of AllowUsers but not in any AllowGroups" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog"
Add-LocalUser -UserName $allowUser4 -Password $password
ssh -p $port -E $sshlog -o "UserKnownHostsFile $testknownhosts" $allowUser4@$server echo 1234
$LASTEXITCODE | Should Not Be 0
Stop-SSHDTestDaemon
$sshdlog | Should Contain "not allowed because not in any group"
}
It "$tC.$tI-User with full name in the list of DenyUsers" -skip:$skip { It "$tC.$tI-User with full name in the list of DenyUsers" -skip:$skip {
#Run #Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog"