Skip to content

Updated Permissions Check For SidHistory #375

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jun 10, 2019
Merged

Updated Permissions Check For SidHistory #375

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 25 additions & 1 deletion contrib/win32/win32compat/w32-sshfileperm.c
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,8 @@
/*
* Author: Yanbing Wang <[email protected]>

* Author: Bryan Berns <[email protected]>
* Updates to account for sidhistory checking
*
* Support file permission check on Win32 based operating systems.
*
Expand Down Expand Up @@ -119,12 +122,33 @@ check_secure_file_permission(const char *input_path, struct passwd * pw)
EqualSid(current_trustee_sid, user_sid)) {
continue;
} else {

/* do reverse lookups on the sids to verify the sids are not actually for
* for the same user as could be the case of a sidhistory entry in the ace */
wchar_t resolved_user[DNLEN + 1 + UNLEN + 1] = L"UNKNOWN", resolved_trustee[DNLEN + 1 + UNLEN + 1] = L"UNKNOWN";
DWORD resolved_user_len = _countof(resolved_user), resolved_trustee_len = _countof(resolved_trustee);
wchar_t resolved_user_domain[DNLEN + 1] = L"UNKNOWN", resolved_trustee_domain[DNLEN + 1] = L"UNKNOWN";
DWORD resolved_user_domain_len = _countof(resolved_user_domain), resolved_trustee_domain_len = _countof(resolved_trustee_domain);
SID_NAME_USE resolved_user_type, resolved_trustee_type;

if (LookupAccountSidW(NULL, user_sid, resolved_user, &resolved_user_len,
resolved_user_domain, &resolved_user_domain_len, &resolved_user_type) != 0 &&
LookupAccountSidW(NULL, current_trustee_sid, resolved_trustee, &resolved_trustee_len,
resolved_trustee_domain, &resolved_trustee_domain_len, &resolved_trustee_type) != 0 &&
wcsicmp(resolved_user, resolved_trustee) == 0 &&
wcsicmp(resolved_user_domain, resolved_trustee_domain) == 0 &&
resolved_user_type == resolved_trustee_type) {
/* same user */
continue;
}

ret = -1;
if (ConvertSidToStringSid(current_trustee_sid, &bad_user) == FALSE) {
debug3("ConvertSidToSidString failed with %d. ", GetLastError());
break;
}
debug3("Bad permissions. Try removing permissions for user: %s on file %S.", bad_user, path_utf16);
debug3("Bad permissions. Try removing permissions for user: %S\\%S (%s) on file %S.",
resolved_trustee_domain, resolved_trustee, bad_user, path_utf16);
break;
}
}
Expand Down