SSH Agent: Add support for OpenSSH for Windows (#1994)

* Fixed missing includes in Bootstrap.cpp
2025-04-04 13:07:38 +03:00 · 2018-12-25 21:28:02 +02:00 · 2018-12-25 21:28:02 +02:00 · c34b0069ff
commit c34b0069ff
parent 5488f1bfc3
6 changed files with 87 additions and 27 deletions
--- a/src/core/Bootstrap.cpp
+++ b/src/core/Bootstrap.cpp
@ -16,6 +16,7 @@
 */

 #include "Bootstrap.h"
+#include "config-keepassx.h"
 #include "core/Config.h"
 #include "core/Translator.h"
 #include "gui/MessageBox.h"
@ -26,6 +27,21 @@
 #undef MessageBox
 #endif

+#if defined(HAVE_RLIMIT_CORE)
+#include <sys/resource.h>
+#endif
+
+#if defined(HAVE_PR_SET_DUMPABLE)
+#include <sys/prctl.h>
+#endif
+
+#ifdef HAVE_PT_DENY_ATTACH
+// clang-format off
+#include <sys/types.h>
+#include <sys/ptrace.h>
+// clang-format on
+#endif
+
 namespace Bootstrap
 {
    /**
@ -140,6 +156,8 @@ namespace Bootstrap
        HANDLE hToken = nullptr;
        PTOKEN_USER pTokenUser = nullptr;
        DWORD cbBufferSize = 0;
+        PSID pLocalSystemSid = nullptr;
+        DWORD pLocalSystemSidSize = SECURITY_MAX_SID_SIZE;

        // Access control list
        PACL pACL = nullptr;
@ -166,8 +184,19 @@ namespace Bootstrap
            goto Cleanup;
        }

+        // Retrieve LocalSystem account SID
+        pLocalSystemSid = static_cast<PSID>(HeapAlloc(GetProcessHeap(), 0, pLocalSystemSidSize));
+        if (pLocalSystemSid == nullptr) {
+            goto Cleanup;
+        }
+
+        if (!CreateWellKnownSid(WinLocalSystemSid, nullptr, pLocalSystemSid, &pLocalSystemSidSize)) {
+            goto Cleanup;
+        }
+
        // Calculate the amount of memory that must be allocated for the DACL
-        cbACL = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pTokenUser->User.Sid);
+        cbACL = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pTokenUser->User.Sid)
+                + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(pLocalSystemSid);

        // Create and initialize an ACL
        pACL = static_cast<PACL>(HeapAlloc(GetProcessHeap(), 0, cbACL));
@ -189,6 +218,18 @@ namespace Bootstrap
            goto Cleanup;
        }

+#ifdef WITH_XC_SSHAGENT
+        // OpenSSH for Windows ssh-agent service is running as LocalSystem
+        if (!AddAccessAllowedAce(
+                pACL,
+                ACL_REVISION,
+                PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, // just enough for ssh-agent
+                pLocalSystemSid // known LocalSystem sid
+                )) {
+            goto Cleanup;
+        }
+#endif
+
        // Set discretionary access control list
        bSuccess = ERROR_SUCCESS
                   == SetSecurityInfo(GetCurrentProcess(), // object handle
@ -205,6 +246,9 @@ namespace Bootstrap
        if (pACL != nullptr) {
            HeapFree(GetProcessHeap(), 0, pACL);
        }
+        if (pLocalSystemSid != nullptr) {
+            HeapFree(GetProcessHeap(), 0, pLocalSystemSid);
+        }
        if (pTokenUser != nullptr) {
            HeapFree(GetProcessHeap(), 0, pTokenUser);
        }