Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update ssh folder permissions check in SSHD #761

Open
wants to merge 12 commits into
base: latestw_all
Choose a base branch
from
Open

Update ssh folder permissions check in SSHD #761

wants to merge 12 commits into from
+208 −71

Conversation

tgauth
Copy link
Collaborator

@tgauth tgauth commented Nov 11, 2024
edited
Loading

PR Summary

  • change sshd startup permissions check to log message to event viewer, rather than fail if expected permissions are not found
  • limit sshd startup permissions check to just ProgData\ssh folder, not ProgData\ssh\logs folder
  • add Pester Test for startup scenario
  • sample logging message:
image

PR Context

anmenaga
anmenaga requested changes Dec 17, 2024
View reviewed changes
contrib/win32/win32compat/w32-sshfileperm.c Outdated Show resolved Hide resolved
regress/pesterTests/Setup.Tests.ps1 Outdated Show resolved Hide resolved
SteveL-MSFT
SteveL-MSFT requested changes Dec 20, 2024
View reviewed changes
contrib/win32/win32compat/w32-sshfileperm.c Outdated

adminSid = (PSID)malloc(SECURITY_MAX_SID_SIZE);
if (adminSid != NULL) {
if (CreateWellKnownSid(WinBuiltinAdministratorsSid, NULL, adminSid, &adminSidSize) != 0) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Deeply nested code like this should probably be a separate function

contrib/win32/win32compat/w32-sshfileperm.c Show resolved Hide resolved
contrib/win32/win32compat/w32-sshfileperm.c Outdated
if (systemSid != NULL) {
if (CreateWellKnownSid(WinLocalSystemSid, NULL, systemSid, &systemSidSize) != 0) {
if (LookupAccountSidW(NULL, systemSid, systemName, &systemNameSize, systemDomain, &systemDomainSize, &sidType) != 0) {
logit("Suggest restricting write permissions on '%S' folder to %S\\%S and %S\\%S.", path_utf16, systemDomain, systemName, adminDomain, adminName);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The message would be more useful if instead of suggesting what it should be, indicate what makes it open

@tgauth
Copy link
Collaborator Author

tgauth commented Jan 6, 2025

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@tgauth
Copy link
Collaborator Author

tgauth commented Jan 7, 2025

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

SteveL-MSFT
SteveL-MSFT requested changes Jan 7, 2025
View reviewed changes
contrib/win32/win32compat/w32-sshfileperm.c
wchar_t* bad_user = NULL;
int ret = 0;
size_t log_msg_len = (DNLEN + 1 + UNLEN) * 2 + 3; // +3 for ", " and null terminator
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My preference is to use const for the extra lengths instead of a comment as code and comments can get out of sync (someone modifies the code, but doesn't update the comment). So:

const size_t NULL_TERMINATOR_LEN = 1;
const size_t COMMA_SPACE_LEN = 2;

This applies elsewhere as well.

contrib/win32/win32compat/w32-sshfileperm.c
Comment on lines +280 to +281
if (log_msg)
free(log_msg);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Braces make the code more clear and also avoids problems with future changes

Suggested change
if (log_msg)
free(log_msg);
if (log_msg) {
free(log_msg);
}

contrib/win32/win32compat/w32-sshfileperm.c
return ret;
}

/* Helper function used by check_secure_folder_permission */
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like it would be better for this comment to describe what this function does

contrib/win32/win32compat/w32-sshfileperm.c
Comment on lines +344 to +347
if (adminSid)
free(adminSid);
if (systemSid)
free(systemSid);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if (adminSid)
free(adminSid);
if (systemSid)
free(systemSid);
if (adminSid) {
free(adminSid);
}
if (systemSid) {
free(systemSid);
}

contrib/win32/win32compat/w32-sshfileperm.c

if (log_on_stderr == 0) {
/* log generic warning message in unlikely case that lookup for either well-known SID fails or user list is empty */
logit("for '%S' folder, consider downgrading permissions for any users with unnecessary write access.", path_utf16);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is logit() an upstream function or only in the Windows code? If the latter, seems better to have a wrapper function that only logs to ETW as that seems like the intent?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SteveL-MSFT SteveL-MSFT SteveL-MSFT requested changes

@anmenaga anmenaga anmenaga approved these changes

@TravisEz13 TravisEz13 Awaiting requested review from TravisEz13

@vthiebaut10 vthiebaut10 Awaiting requested review from vthiebaut10

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@tgauth @SteveL-MSFT @anmenaga