
Add a -restrict-putty-acl option to Windows Pageant.

This causes PuTTY processes spawned from its system-tray menu to run
with the -restrict-acl option (or rather, the synonymous &R prefix
used by my auto-constructed command lines for easier parsing).

The previous behaviour of Pageant was never to pass -restrict-acl to
PuTTY, even when started with -restrict-acl itself; this is not
actually a silly thing to want to do, because Pageant might well have
more need of -restrict-acl than PuTTY (it stores longer-term and more
powerful secrets) and conversely PuTTY might have more need to _not_
restrict its ACL than Pageant (in that among the things enabled by an
unrestricted ACL are various kinds of accessibility software, which is
more useful on the more user-facing PuTTY than on Pageant).

But for those who want to lock everything down with every security
option possible (even though -restrict-acl is only an ad-hoc
precaution and cannot deliver any hard guarantees), this new option
should fill in the UI gap.
Simon Tatham 2017-09-20 18:04:37 +01:00
parent 4ec2791945
commit ba4837dae8
2 changed files with 32 additions and 6 deletions


@ -1042,3 +1042,15 @@ any processes started with Duplicate Session, New Session etc.
(However, if you're invoking PuTTY tools explicitly, for instance as a
proxy command, you'll need to arrange to pass them the
\c{-restrict-acl} option yourself, if that's what you want.)
If Pageant is started with the \c{-restrict-acl} option, and you use
it to launch a PuTTY session from its System Tray submenu, then
Pageant will \e{not} default to starting the PuTTY subprocess with a
restricted ACL. This is because PuTTY is more likely to suffer reduced
functionality as a result of restricted ACLs (e.g. screen reader
software will have a greater need to interact with it), whereas
Pageant stores the more critical information (hence benefits more from
the extra protection), so it's reasonable to want to run Pageant but
not PuTTY with the ACL restrictions. You can force Pageant to start
subsidiary PuTTY processes with a restricted ACL if you also pass the
\c{-restrict-putty-acl} option.


@ -57,6 +57,7 @@ static HMENU systray_menu, session_menu;
static int already_running;
static char *putty_path;
static int restrict_putty_acl = FALSE;
/* CWD for "add key" file requester. */
static filereq *keypath = NULL;
@ -847,11 +848,18 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
case WM_SYSCOMMAND:
switch (wParam & ~0xF) { /* low 4 bits reserved to Windows */
case IDM_PUTTY:
if((INT_PTR)ShellExecute(hwnd, NULL, putty_path, _T(""), _T(""),
SW_SHOW) <= 32) {
{
TCHAR cmdline[10];
cmdline[0] = '\0';
if (restrict_putty_acl)
strcat(cmdline, "&R");
if((INT_PTR)ShellExecute(hwnd, NULL, putty_path, cmdline,
_T(""), SW_SHOW) <= 32) {
MessageBox(NULL, "Unable to execute PuTTY!",
"Error", MB_OK | MB_ICONERROR);
}
}
break;
case IDM_CLOSE:
if (passphrase_box)
@ -912,7 +920,10 @@ static LRESULT CALLBACK WndProc(HWND hwnd, UINT message,
mii.cch = MAX_PATH;
mii.dwTypeData = buf;
GetMenuItemInfo(session_menu, wParam, FALSE, &mii);
strcpy(param, "@");
param[0] = '\0';
if (restrict_putty_acl)
strcat(param, "&R");
strcat(param, "@");
strcat(param, mii.dwTypeData);
if((INT_PTR)ShellExecute(hwnd, NULL, putty_path, param,
_T(""), SW_SHOW) <= 32) {
@ -1169,6 +1180,9 @@ int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmdline, int show)
!strcmp(argv[i], "-restrict_acl") ||
!strcmp(argv[i], "-restrictacl")) {
restrict_process_acl();
} else if (!strcmp(argv[i], "-restrict-putty-acl") ||
!strcmp(argv[i], "-restrict_putty_acl")) {
restrict_putty_acl = TRUE;
} else if (!strcmp(argv[i], "-c")) {
/*
* If we see `-c', then the rest of the
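Review bot: The `strcat(param, "&R")` added in the `@ -912,7 +920,10 @` hunk makes the string built in `param` two characters longer, and none of the three `strcat` calls on that path is checked against the size of `param`. The menu text may be up to `mii.cch = MAX_PATH` characters, and the declaration of `param` lies outside the hunk, so confirm it has room for `&R`, `@`, the full session name and the terminator. A bounded build with a truncation check would remove the doubt, for example `int n = snprintf(param, sizeof(param), "%s@%s", restrict_putty_acl ? "&R" : "", mii.dwTypeData);` followed by `if (n < 0 || (size_t)n >= sizeof(param))` declining to launch; this assumes `param` is a char array in scope, which is not visible here. In the `IDM_PUTTY` hunk, `TCHAR cmdline[10]` is filled with the narrow-only `strcat`, which is only correct in a non-UNICODE build, so `char cmdline[10]` would state the intent more plainly. WndProc starts and ends outside these hunks.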