From b0b5d5fbe63e982d6a230269a2e2a823e2586512 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sat, 2 Apr 2016 08:00:07 +0100 Subject: [PATCH] Extend ACL-restriction to all Windows tools. Protecting our processes from outside interference need not be limited to just PuTTY: there's no reason why the other SSH-speaking tools shouldn't have the same treatment (PSFTP, PSCP, Plink), and PuTTYgen and Pageant which handle private key material. --- Recipe | 2 +- pscp.c | 2 ++ psftp.c | 2 ++ psftp.h | 7 +++++++ unix/uxsftp.c | 2 ++ windows/winpgen.c | 18 ++++++++++++++++++ windows/winpgnt.c | 17 +++++++++++++++++ windows/winplink.c | 17 +++++++++++++++++ windows/winsftp.c | 19 +++++++++++++++++++ 9 files changed, 85 insertions(+), 1 deletion(-) diff --git a/Recipe b/Recipe index 59ac7d56..39ab078a 100644 --- a/Recipe +++ b/Recipe @@ -296,7 +296,7 @@ puttygen : [G] winpgen sshrsag sshdssg sshprime sshdes sshbn sshmd5 version + sshrand winnoise sshsha winstore misc winctrls sshrsa sshdss winmisc + sshpubk sshaes sshsh256 sshsh512 IMPORT winutils puttygen.res + tree234 notiming winhelp winnojmp conf LIBS wintime sshecc - + sshecdsag + + sshecdsag winsecur pterm : [X] GTKTERM uxmisc misc ldisc settings uxpty uxsel BE_NONE uxstore + uxsignal CHARSET cmdline uxpterm version time xpmpterm xpmptcfg diff --git a/pscp.c b/pscp.c index 61e6e1af..6e1d0ff9 100644 --- a/pscp.c +++ b/pscp.c @@ -2349,6 +2349,8 @@ int psftp_main(int argc, char *argv[]) argv += i; back = NULL; + platform_psftp_post_option_setup(); + if (list) { if (argc != 1) usage(); diff --git a/psftp.c b/psftp.c index 92b57a2f..784c81b1 100644 --- a/psftp.c +++ b/psftp.c @@ -2941,6 +2941,8 @@ int psftp_main(int argc, char *argv[]) argv += i; back = NULL; + platform_psftp_post_option_setup(); + /* * If the loaded session provides a hostname, and a hostname has not * otherwise been specified, pop it in `userhost' so that diff --git a/psftp.h b/psftp.h index 57a821ab..6f46bdcd 100644 --- a/psftp.h +++ b/psftp.h @@ -47,6 +47,13 @@ int ssh_sftp_loop_iteration(void); */ char *ssh_sftp_get_cmdline(const char *prompt, int backend_required); +/* + * Platform-specific function called after the command line has been + * processed, so that any per-platform initialisation such as process + * ACL setup can be done. + */ +void platform_psftp_post_option_setup(void); + /* * The main program in psftp.c. Called from main() in the platform- * specific code, after doing any platform-specific initialisation. diff --git a/unix/uxsftp.c b/unix/uxsftp.c index 3ac1d2c3..6e394910 100644 --- a/unix/uxsftp.c +++ b/unix/uxsftp.c @@ -618,6 +618,8 @@ char *ssh_sftp_get_cmdline(const char *prompt, int no_fds_ok) void frontend_net_error_pending(void) {} +void platform_psftp_post_option_setup(void) {} + /* * Main program: do platform-specific initialisation and then call * psftp_main(). diff --git a/windows/winpgen.c b/windows/winpgen.c index 002070a5..c4f3d57f 100644 --- a/windows/winpgen.c +++ b/windows/winpgen.c @@ -12,6 +12,7 @@ #include "putty.h" #include "ssh.h" #include "licence.h" +#include "winsecur.h" #include @@ -1530,6 +1531,23 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show) } } +#ifndef UNPROTECT + /* + * Protect our process. + */ + { + char *error = NULL; + if (!setprocessacl(error)) { + char *message = dupprintf("Could not restrict process ACL: %s", + error); + MessageBox(NULL, message, "PuTTYgen Warning", + MB_ICONWARNING | MB_OK); + sfree(message); + sfree(error); + } + } +#endif + random_ref(); ret = DialogBox(hinst, MAKEINTRESOURCE(201), NULL, MainDlgProc) != IDOK; diff --git a/windows/winpgnt.c b/windows/winpgnt.c index ab030524..3e47e690 100644 --- a/windows/winpgnt.c +++ b/windows/winpgnt.c @@ -1174,6 +1174,23 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show) } } +#ifndef UNPROTECT + /* + * Protect our process. + */ + { + char *error = NULL; + if (!setprocessacl(error)) { + char *message = dupprintf("Could not restrict process ACL: %s", + error); + MessageBox(NULL, message, "Pageant Warning", + MB_ICONWARNING | MB_OK); + sfree(message); + sfree(error); + } + } +#endif + /* * Forget any passphrase that we retained while going over * command line keyfiles. diff --git a/windows/winplink.c b/windows/winplink.c index ac4dab29..759a71c0 100644 --- a/windows/winplink.c +++ b/windows/winplink.c @@ -11,6 +11,7 @@ #include "putty.h" #include "storage.h" #include "tree234.h" +#include "winsecur.h" #define WM_AGENT_CALLBACK (WM_APP + 4) @@ -497,6 +498,22 @@ int main(int argc, char **argv) } } +#ifndef UNPROTECT + /* + * Protect our process. + */ + { + char *error = NULL; + if (!setprocessacl(error)) { + char *message = dupprintf("Could not restrict process ACL: %s", + error); + logevent(NULL, message); + sfree(message); + sfree(error); + } + } +#endif + if (errors) return 1; diff --git a/windows/winsftp.c b/windows/winsftp.c index 0776cba9..a0341274 100644 --- a/windows/winsftp.c +++ b/windows/winsftp.c @@ -733,6 +733,25 @@ char *ssh_sftp_get_cmdline(const char *prompt, int no_fds_ok) return ctx->line; } +void platform_psftp_post_option_setup(void) +{ +#ifndef UNPROTECT + /* + * Protect our process. + */ + { + char *error = NULL; + if (!setprocessacl(error)) { + char *message = dupprintf("Could not restrict process ACL: %s", + error); + logevent(NULL, message); + sfree(message); + sfree(error); + } + } +#endif +} + /* ---------------------------------------------------------------------- * Main program. Parse arguments etc. */