Fixes handling for LocalSystem account if set as service user

Fixes #51
2025-12-20 23:00:35 -05:00 · 2020-03-11 13:01:54 +01:00 · 2020-03-11 13:01:54 +01:00 · 66eda2d71b
commit 66eda2d71b
parent 77ebfc431f
4 changed files with 30 additions and 7 deletions
--- a/lib/core/icingaagent/getters/Get-IcingaServiceUser.psm1
+++ b/lib/core/icingaagent/getters/Get-IcingaServiceUser.psm1
@ -6,5 +6,11 @@ function Get-IcingaServiceUser()
    }

    $Services    = $Services.GetEnumerator() | Select-Object -First 1;
-    return ($Services.Value.configuration.ServiceUser).Replace('.\', '');
+    $ServiceUser = ($Services.Value.configuration.ServiceUser).Replace('.\', '');
+
+    if ($ServiceUser -eq 'LocalSystem') {
+        $ServiceUser = 'NT Authority\SYSTEM';
+    }
+
+    return $ServiceUser;
 }
--- a/lib/core/icingaagent/tests/Test-IcingaAcl.psm1
+++ b/lib/core/icingaagent/tests/Test-IcingaAcl.psm1
@ -9,17 +9,26 @@ function Test-IcingaAcl()
        throw 'The specified directory was not found';
    }

-    $FolderACL   = Get-Acl $Directory;
-    $ServiceUser = Get-IcingaServiceUser;
-    $UserFound   = $FALSE;
-    $HasAccess   = $FALSE;
+    $FolderACL      = Get-Acl $Directory;
+    $ServiceUser    = Get-IcingaServiceUser;
+    $UserFound      = $FALSE;
+    $HasAccess      = $FALSE;
+    $ServiceUserSID = Get-IcingaUserSID $ServiceUser;
+
    foreach ($user in $FolderACL.Access) {
        # Not only check here for the exact name but also for included strings like NT AU or NT-AU or even further later on
        # As the Get-Acl Cmdlet will translate usernames into the own language, resultng in 'NT AUTHORITY\NetworkService' being translated
        # to 'NT-AUTORITÄT\Netzwerkdienst' for example
-        if ($user.IdentityReference -like "*$ServiceUser" -Or ($ServiceUser -Like '*NT AU*' -And ($user.IdentityReference -Like '*NT AU*' -Or $user.IdentityReference -Like '*NT-AU*'))) {
+        $UserSID = $null;
+        try {
+            $UserSID = Get-IcingaUserSID $user.IdentityReference;
+        } catch {
+            $UserSID = $null;
+        }
+
+        if ($ServiceUserSID -eq $UserSID) {
            $UserFound = $TRUE;
-            if ($user.FileSystemRights -Like '*Modify*' -And $user.FileSystemRights -Like '*Synchronize*') {
+            if (($user.FileSystemRights -Like '*Modify*' -And $user.FileSystemRights -Like '*Synchronize*') -Or $user.FileSystemRights -like '*FullControl*') {
                $HasAccess = $TRUE;
            }
        }
--- a/lib/core/icingaagent/tests/Test-IcingaAgentServicePermission.psm1
+++ b/lib/core/icingaagent/tests/Test-IcingaAgentServicePermission.psm1
@ -9,6 +9,10 @@ function Test-IcingaAgentServicePermission()
    $SystemContent     = Get-IcingaAgentServicePermission;
    [bool]$FoundSID    = $FALSE;

+    if ($ServiceUser -eq 'NT Authority\SYSTEM') {
+        return $TRUE;
+    }
+
    if ([string]::IsNullOrEmpty($ServiceUser)) {
        if (-Not $Silent) {
            Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';
--- a/lib/core/tools/Get-IcingaUserSID.psm1
+++ b/lib/core/tools/Get-IcingaUserSID.psm1
@ -4,6 +4,10 @@ function Get-IcingaUserSID()
        [string]$User
    );

+    if ($User -eq 'LocalSystem') {
+        $User = 'NT Authority\SYSTEM';
+    }
+
    [string]$Username = '';
    [string]$Domain   = '';