tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

removed logic arround NTService\SSHD related checks (#261)

This commit is contained in:
Manoj Ampalam 2018-01-18 10:46:52 -08:00 committed by GitHub
parent 32ff0c2aed
commit 88defae8c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
contrib/win32/win32compat/w32-sshfileperm.c
View File

@ -35,8 +35,6 @@
#include "sshfileperm.h" #include "sshfileperm.h"
#include "debug.h" #include "debug.h"
#define SSHD_ACCOUNT L"NT Service\\sshd"
/* /*
* The function is to check if current user is secure to access to the file. * The function is to check if current user is secure to access to the file.
* Check the owner of the file is one of these types: Local Administrators groups, system account, current user account * Check the owner of the file is one of these types: Local Administrators groups, system account, current user account
@ -127,15 +125,7 @@ check_secure_file_permission(const char *name, struct passwd * pw)
IsWellKnownSid(current_trustee_sid, WinLocalSystemSid) || IsWellKnownSid(current_trustee_sid, WinLocalSystemSid) ||
EqualSid(current_trustee_sid, user_sid)) { EqualSid(current_trustee_sid, user_sid)) {
continue; continue;
} } else {
else if(is_sshd_account(current_trustee_sid)){
if ((current_access_mask & ~FILE_GENERIC_READ) != 0){
debug3("Bad permission. %s can only read access to %s", SSHD_ACCOUNT, name);
ret = -1;
break;
}
}
else {
ret = -1; ret = -1;
if (ConvertSidToStringSid(current_trustee_sid, &bad_user) == FALSE) { if (ConvertSidToStringSid(current_trustee_sid, &bad_user) == FALSE) {
debug3("ConvertSidToSidString failed with %d. ", GetLastError()); debug3("ConvertSidToSidString failed with %d. ", GetLastError());
@ -157,26 +147,3 @@ cleanup:
return ret; return ret;
} }
/*TODO: optimize to get sshd sid first and then call EqualSid*/
static BOOL
is_sshd_account(PSID user_sid) {
wchar_t user_name[UNCLEN] = { 0 }, full_name[UNCLEN + DNLEN + 2] = { 0 };
DWORD name_length = UNCLEN, domain_name_length = 0, full_name_len = UNCLEN + DNLEN + 2;
SID_NAME_USE sid_type = SidTypeInvalid;
BOOL ret = FALSE;
errno_t r = 0;
if (LookupAccountSidLocalW(user_sid, user_name, &name_length, full_name, &full_name_len, &sid_type) == FALSE)
{
debug3("LookupAccountSidLocalW() failed with error: %d. ", GetLastError());
errno = ENOENT;
return FALSE;
}
domain_name_length = wcsnlen(full_name, _countof(full_name));
full_name[domain_name_length] = L'\\';
if ((r = wmemcpy_s(full_name + domain_name_length + 1, _countof(full_name) - domain_name_length -1, user_name, wcsnlen_s(user_name, UNCLEN) + 1)) != 0) {
debug3("wmemcpy_s failed with error: %d.", r);
return FALSE;
}
return (wcsicmp(full_name, SSHD_ACCOUNT) == 0);
}