wbrawner/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

improve become/runas error messaging on bogus/missing username (#31551)

Browse source 
(cherry picked from commit a4ceb4c35f)
This commit is contained in:
Matt Davis 2017-10-10 16:53:21 -07:00 committed by Matt Davis
parent 50af2dc462
commit c1254a8108
1 changed files with 13 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
lib/ansible/plugins/shell/powershell.py
View file

@ -647,12 +647,21 @@ Function Run($payload) {
# NB: CreateProcessWithLogonW commandline maxes out at 1024 chars, must bootstrap via filesystem # NB: CreateProcessWithLogonW commandline maxes out at 1024 chars, must bootstrap via filesystem
$temp = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), [System.IO.Path]::GetRandomFileName() + ".ps1") $temp = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), [System.IO.Path]::GetRandomFileName() + ".ps1")
$exec_wrapper.ToString() | Set-Content -Path $temp $exec_wrapper.ToString() | Set-Content -Path $temp
# allow (potentially unprivileged) target user access to the tempfile (NB: this likely won't work if traverse checking is enabled) $rc = 0
$acl = Get-Acl $temp
$acl.AddAccessRule($(New-Object System.Security.AccessControl.FileSystemAccessRule($username, "FullControl", "Allow")))
Set-Acl $temp $acl | Out-Null
Try { Try {
# allow (potentially unprivileged) target user access to the tempfile (NB: this likely won't work if traverse checking is enabled)
$acl = Get-Acl $temp
Try {
$acl.AddAccessRule($(New-Object System.Security.AccessControl.FileSystemAccessRule($username, "FullControl", "Allow")))
}
Catch [System.Security.Principal.IdentityNotMappedException] {
throw "become_user '$username' is not recognized on this host"
}
Set-Acl $temp $acl | Out-Null
$exec_args = @("-noninteractive", $temp) $exec_args = @("-noninteractive", $temp)
# FUTURE: move these flags into C# enum? # FUTURE: move these flags into C# enum?