From 88de90285400e5225b7d632452ec3da830e62b49 Mon Sep 17 00:00:00 2001
From: bingbing8
Date: Mon, 5 Jun 2017 15:11:25 -0700
Subject: [PATCH 1/2] fix of issue 750 and 756
https://github.com/PowerShell/Win32-OpenSSH/issues/750
https://github.com/PowerShell/Win32-OpenSSH/issues/756
---
 contrib/win32/openssh/OpenSSHUtils.psm1 | 67 +++++++++++++++++++++----
 1 file changed, 56 insertions(+), 11 deletions(-)
diff --git a/contrib/win32/openssh/OpenSSHUtils.psm1 b/contrib/win32/openssh/OpenSSHUtils.psm1
index 5ffc1e1355f9..47bf806de0ec 100644
--- a/contrib/win32/openssh/OpenSSHUtils.psm1
+++ b/contrib/win32/openssh/OpenSSHUtils.psm1
@@ -71,7 +71,14 @@ function Fix-AuthorizedKeyPermissions
 {
 $userSid = $profileItem.PSChildName
 $account = Get-UserAccount -UserSid $userSid
- Fix-FilePermissions -Owners $account,$adminsAccount,$systemAccount -AnyAccessOK $account -ReadAccessNeeded $sshdAccount @psBoundParameters
+ if($account)
+ {
+ Fix-FilePermissions -Owners $account,$adminsAccount,$systemAccount -AnyAccessOK $account -ReadAccessNeeded $sshdAccount @psBoundParameters
+ }
+ else
+ {
+ Write-host "Can't translate $userSid to an account. skip $fullPath..." -ForegroundColor Yellow
+ }
 }
 else
 {
@@ -219,6 +226,10 @@ function Fix-FilePermissionInternal {
 #this is orginal list requested by the user, the account will be removed from the list if they already part of the dacl
 $realReadAccessNeeded = $ReadAccessNeeded
+ #'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'- can't translate fully qualified name. it is a win32 API bug.
+ #'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16 and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16
+ $specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES"
+
 foreach($a in $acl.Access)
 {
 if(($realAnyAccessOKList -ne $null) -and $realAnyAccessOKList.Contains($a.IdentityReference))
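Review bot: When `$account` is null the authorized_keys file for that profile is left with whatever permissions it currently has, and nothing except a console line records that the hardening step was skipped, so a caller that iterates every profile has no way to tell the run was incomplete. Consider collecting the skipped paths in the enclosing function (for example `$skipped += $fullPath`) and reporting them once at the end, so an operator can follow up on those files deliberately. Where `$fullPath` is assigned is not visible in the hunk; please confirm it already holds the authorized_keys path at this point, since the removed line did not reference it. The enclosing loop of Fix-AuthorizedKeyPermissions starts and ends outside this hunk.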
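Review bot: The entries in `$specialIdRefs` are matched later by English display name only, so on a localized Windows installation, where well-known group names are translated, neither `-in $specialIdRefs` test would fire and the code would fall back to the very NTAccount that this patch is working around. Both groups are well-known SIDs (S-1-15-2-1 and S-1-15-2-2), so a version that never translates names — enumerating the DACL with `$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])` instead of `$acl.Access` — would be more robust, provided the rest of the loop can work with SID-typed identities. The comment's version claim is also narrower than reality as far as I know: ALL APPLICATION PACKAGES exists from Windows 8/Server 2012 and ALL RESTRICTED APPLICATION PACKAGES from Windows 10 1607/Server 2016, on client SKUs as well, so I would reword it to `#'ALL APPLICATION PACKAGES' exists on Windows 8/Server 2012 and later; 'ALL RESTRICTED APPLICATION PACKAGES' on Windows 10 1607/Server 2016 and later`. The `foreach($a in $acl.Access)` loop this list feeds continues past the end of the hunk.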
@@ -250,7 +261,7 @@ function Fix-FilePermissionInternal {
 {
 if($needChange)
 {
- Set-Acl -Path $FilePath -AclObject $acl
+ Set-Acl -Path $FilePath -AclObject $acl
 }
 $message = @"
@@ -277,9 +288,27 @@ Need to remove inheritance to fix it.
 if($result.ToLower().Startswith('y'))
 {
 $needChange = $true
- $sshAce = New-Object System.Security.AccessControl.FileSystemAccessRule `
- ($a.IdentityReference, "Read", "None", "None", "Allow")
- $acl.SetAccessRule($sshAce)
+ $idRefShortValue = ($a.IdentityReference.Value).split('\')[-1]
+ if ($idRefShortValue -in $specialIdRefs )
+ {
+ $ruleIdentity = Get-UserSID -User (New-Object Security.Principal.NTAccount $idRefShortValue)
+ if($ruleIdentity)
+ {
+ $ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
+ ($ruleIdentity, "Read", "None", "None", "Allow")
+ }
+ else
+ {
+ Write-Warning "can't translate '$idRefShortValue'. "
+ continue
+ }
+ }
+ else
+ {
+ $ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
+ ($a.IdentityReference, "Read", "None", "None", "Allow")
+ }
+ $acl.SetAccessRule($ace)
 Write-Host "'$($a.IdentityReference)' now has Read access to $FilePath. " -ForegroundColor Green
 }
 else
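Review bot: `$needChange = $true` is set before the new can't-translate branch executes `continue`, so a rule that was not actually changed still causes the later `Set-Acl` (guarded by `$needChange` in the -250,7 hunk) to run with the untouched ACL and the function to behave as if a fix was applied; moving the assignment to just before `$acl.SetAccessRule($ace)` avoids that. The `continue` is only correct if this code sits directly inside the `foreach($a in $acl.Access)` loop — inside a ForEach-Object script block, `continue` would terminate the enclosing loop or script rather than skip one rule — and the loop head is outside the hunk, so please confirm. The same set-then-continue pattern appears in the RemoveAccessRule hunk at -320,9 and would want the same treatment.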
@@ -320,9 +349,26 @@ Need to remove inheritance to fix it.
 if($result.ToLower().Startswith('y'))
 {
 $needChange = $true
- if(-not ($acl.RemoveAccessRule($a)))
+ $ace = $a
+ $idRefShortValue = ($a.IdentityReference.Value).split('\')[-1]
+ if ($idRefShortValue -in $specialIdRefs )
+ {
+ $ruleIdentity = Get-UserSID -User (New-Object Security.Principal.NTAccount $idRefShortValue)
+ if($ruleIdentity)
+ {
+ $ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
+ ($ruleIdentity, $a.FileSystemRights, $a.InheritanceFlags, $a.PropagationFlags, $a.AccessControlType)
+ }
+ else
+ {
+ Write-Warning "Can't translate '$idRefShortValue'. "
+ continue
+ }
+ }
+
+ if(-not ($acl.RemoveAccessRule($ace)))
 {
- throw "failed to remove access of $($a.IdentityReference) rule to file $FilePath"
+ Write-Warning "failed to remove access of $($a.IdentityReference) rule to file $FilePath"
 }
 else
 {
@@ -341,9 +387,9 @@ Need to remove inheritance to fix it.
 if($realReadAccessNeeded)
 {
 $realReadAccessNeeded | % {
- if([string]::IsNullOrEmpty((Get-UserSID -User $_)))
+ if((Get-UserSID -User $_) -eq $null)
 {
- Write-Warning "'$_' needs Read access to $FilePath', but it does not exit on the machine."
+ Write-Warning "'$_' needs Read access to $FilePath', but it can't be translated on the machine."
 }
 else
 {
@@ -463,8 +509,7 @@ function Get-UserSID
 param ([System.Security.Principal.NTAccount]$User)
 try
 {
- $strSID = $User.Translate([System.Security.Principal.SecurityIdentifier])
- $strSID.Value
+ $User.Translate([System.Security.Principal.SecurityIdentifier])
 }
 catch
 { }
From a0f0a47703d32ead62cfa767e6c2f4c5d5a3be81 Mon Sep 17 00:00:00 2001
From: bingbing8
Date: Mon, 5 Jun 2017 15:57:19 -0700
Subject: [PATCH 2/2] expose Fix-FilePermissions
---
 contrib/win32/openssh/OpenSSHUtils.psm1 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/contrib/win32/openssh/OpenSSHUtils.psm1 b/contrib/win32/openssh/OpenSSHUtils.psm1
index 47bf806de0ec..710fa43c87d3 100644
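Review bot: Downgrading the `throw` to `Write-Warning` when `RemoveAccessRule` returns `$false` means an ACE the operator explicitly chose to remove stays on the file, yet the loop carries on and the later `Set-Acl` commits a DACL the function knows is incomplete, with nothing a caller such as Fix-HostKeyPermissions can test for. If a terminating error was too strict for the issue being fixed, `Write-Error "failed to remove access of $($a.IdentityReference) rule to file $FilePath"` keeps execution going while still surfacing through `$?` and `-ErrorAction`, or the function could set a failure flag it returns at the end. As I recall RemoveAccessRule also reports `$false` when no matching rule is found, so the rebuilt `$ace` for the special identities must match the stored rule's rights and flags exactly, which the new constructor call appears to do. The enclosing prompt-and-fix block starts before this hunk.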
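Review bot: `(Get-UserSID -User $_) -eq $null` should put `$null` on the left, `if($null -eq (Get-UserSID -User $_))`: when the left operand happens to be a collection, `-eq $null` filters it instead of yielding a boolean, and PSScriptAnalyzer flags this form (PSPossibleIncorrectComparisonWithNull). Because Get-UserSID now emits the SecurityIdentifier object rather than its Value string (hunk -463,8), this is the only call site the patch updates; any other caller still expecting a string would need the same review, though none is visible here. The new warning text also carries over a stray quote after `$FilePath'` that makes the message read as unbalanced.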
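Review bot: The empty `catch { }` swallows every exception from `Translate`, so a transient lookup failure (an unreachable domain controller raises a different exception than an unmapped name) is reported to callers exactly like a non-existent account; in Fix-AuthorizedKeyPermissions that now results in the user's authorized_keys being skipped unhardened with only a console message. Catching the expected case only, `catch [System.Security.Principal.IdentityNotMappedException] { }`, and letting other errors propagate — or at minimum `Write-Verbose $_` inside the catch — keeps the distinction visible. The function's return type changed from string to SecurityIdentifier without any help text saying so; a comment-based help block with an `.OUTPUTS` entry on Get-UserSID would spare the next caller the same surprise. The function's closing brace lies outside the hunk.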
--- a/contrib/win32/openssh/OpenSSHUtils.psm1
+++ b/contrib/win32/openssh/OpenSSHUtils.psm1
@@ -77,7 +77,7 @@ function Fix-AuthorizedKeyPermissions
 }
 else
 {
- Write-host "Can't translate $userSid to an account. skip $fullPath..." -ForegroundColor Yellow
+ Write-Warning "Can't translate $userSid to an account. skip $fullPath..." -ForegroundColor Yellow
 }
 }
 else
@@ -516,4 +516,4 @@ function Get-UserSID
 }
-Export-ModuleMember -Function Fix-HostSSHDConfigPermissions, Fix-HostKeyPermissions, Fix-AuthorizedKeyPermissions, Fix-UserKeyPermissions, Fix-UserSSHConfigPermissions
+Export-ModuleMember -Function Fix-FilePermissions, Fix-HostSSHDConfigPermissions, Fix-HostKeyPermissions, Fix-AuthorizedKeyPermissions, Fix-UserKeyPermissions, Fix-UserSSHConfigPermissions
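Review bot: `Write-Warning` has no `-ForegroundColor` parameter, so the new line fails with a parameter-binding error the first time the untranslatable-SID branch is reached — the exact case the first patch added this branch for — and the operator sees an error record instead of the intended warning. Drop the colour argument: `Write-Warning "Can't translate $userSid to an account. skip $fullPath..."`. Write-Warning already renders in the host's warning colour and honours `$WarningPreference`, which is the benefit of switching away from Write-host. The surrounding if/else and the loop it sits in start outside the hunk.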