tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed bug in Administrators group lookup logic

This commit is contained in:
Yanbing 2017-05-04 11:38:03 -07:00 committed by Manoj Ampalam
parent 6b807ae229
commit ba4ee6f3de
1 changed files with 19 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
contrib/win32/win32compat/w32-sshfileperm.c
View File

@ -63,6 +63,7 @@ check_secure_file_permission(const char *name, struct passwd * pw)
DWORD error_code = ERROR_SUCCESS; DWORD error_code = ERROR_SUCCESS;
BOOL is_valid_sid = FALSE, is_valid_acl = FALSE; BOOL is_valid_sid = FALSE, is_valid_acl = FALSE;
struct passwd * pwd = pw; struct passwd * pwd = pw;
char *bad_user = NULL;
int ret = 0; int ret = 0;
if (pwd == NULL) if (pwd == NULL)
@ -170,11 +171,17 @@ check_secure_file_permission(const char *name, struct passwd * pw)
} }
else { else {
ret = -1; ret = -1;
debug3("Bad permission. Other user or group than owner, admin user and local system have access to file %s.", name); if (ConvertSidToStringSid(current_trustee_sid, &bad_user) == FALSE) {
debug3("ConvertSidToSidString failed with %d. ", GetLastError());
break;
}
debug3("Bad permissions. Try removing permissions for user: %s on file %s.", bad_user, name);
break; break;
} }
} }
cleanup: cleanup:
if(bad_user)
free(bad_user);
if (pSD) if (pSD)
LocalFree(pSD); LocalFree(pSD);
if (user_sid) if (user_sid)
@ -211,17 +218,16 @@ is_sshd_account(PSID user_sid) {
static BOOL static BOOL
is_admin_account(PSID user_sid) is_admin_account(PSID user_sid)
{ {
DWORD entries_read = 0, total_entries = 0, i = 0, name_length = UNCLEN, domain_name_length = DNLEN; DWORD entries_read = 0, total_entries = 0, i = 0, name_length = UNCLEN, domain_name_length = DNLEN, sid_size;
LPLOCALGROUP_MEMBERS_INFO_1 local_groups_member_info = NULL; LPLOCALGROUP_MEMBERS_INFO_1 local_groups_member_info = NULL;
PSID admins_sid = NULL; char admins_sid[SECURITY_MAX_SID_SIZE];
wchar_t admins_group_name[UNCLEN], domain_name[DNLEN]; wchar_t admins_group_name[UNCLEN], domain_name[DNLEN];
SID_NAME_USE sid_type = SidTypeInvalid; SID_NAME_USE sid_type = SidTypeInvalid;
NET_API_STATUS status; NET_API_STATUS status;
BOOL ret = FALSE; BOOL ret = FALSE;
if (ConvertStringSidToSidW(L"S-1-5-32-544", &admins_sid) == FALSE || if (CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, admins_sid, &sid_size) == FALSE) {
(IsValidSid(user_sid) == FALSE)) { debug3("CreateWellKnownSid failed with error code: %d.", GetLastError());
debug3("ConvertStringSidToSidW failed with error code: %d.", GetLastError());
goto done; goto done;
} }
@ -251,8 +257,6 @@ is_admin_account(PSID user_sid)
done: done:
if (local_groups_member_info) if (local_groups_member_info)
NetApiBufferFree(local_groups_member_info); NetApiBufferFree(local_groups_member_info);
if(admins_sid)
LocalFree(admins_sid);
return ret; return ret;
} }