Secured permissions on logs folder and underlying logs (#221)

2017-10-12 22:46:26 -07:00 · 2017-10-12 22:46:26 -07:00 · 7a4a10a224
parent 96235ad333
commit 7a4a10a224
1 changed files with 19 additions and 3 deletions
--- a/contrib/win32/openssh/install-sshd.ps1
+++ b/contrib/win32/openssh/install-sshd.ps1
@ -274,13 +274,29 @@ sc.exe privs sshd SeAssignPrimaryTokenPrivilege
 Add-Privilege -Account $sshdSid -Privilege SeAssignPrimaryTokenPrivilege
 Add-Privilege -Account $sshdSid -Privilege SeServiceLogonRight

+# create logs folder and set its permissions
 if(-not (test-path $logsdir -PathType Container))
 {
    $null = New-Item $logsdir -ItemType Directory -Force -ErrorAction Stop
 }
-$rights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
-$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sshdAccount, $rights, "ContainerInherit,ObjectInherit", "None", "Allow")
 $acl = Get-Acl -Path $logsdir
-$Acl.SetAccessRule($accessRule)
+# following SDDL implies 
+# - owner - built in Administrators
+# - disabled inheritance
+# - Full access to System
+# - Full access to built in Administrators
+$acl.SetSecurityDescriptorSddlForm("O:BAD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)")
 Set-Acl -Path $logsdir -AclObject $acl
+
+$agentlog = Join-Path $logsdir "ssh-agent.log"
+if(-not (test-path $agentlog)){ $null | Set-Content $agentlog }
+Set-Acl -Path $agentlog -AclObject $acl
+
+$sshdlog = Join-Path $logsdir "sshd.log"
+if(-not (test-path $sshdlog)){ $null | Set-Content $sshdlog }
+$rights = [System.Security.AccessControl.FileSystemRights]"Read, Write"
+$accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($sshdAccount, $rights, "None", "None", "Allow")
+$acl.SetAccessRule($accessRule)
+Set-Acl -Path $sshdlog -AclObject $acl
+
 Write-Host -ForegroundColor Green "sshd and ssh-agent services successfully installed"