upstream/icinga-powershell-framework
1
0
Fork 0
mirror of https://github.com/Icinga/icinga-powershell-framework.git synced 2025-12-20 23:00:35 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fixes handling for LocalSystem account if set as service user

Browse source 
Fixes #51
This commit is contained in:
Christian Stein 2020-03-11 13:01:54 +01:00
parent 77ebfc431f
commit 66eda2d71b
4 changed files with 30 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
lib/core/icingaagent/getters/Get-IcingaServiceUser.psm1
View file

@ -6,5 +6,11 @@ function Get-IcingaServiceUser()
} }
$Services = $Services.GetEnumerator() | Select-Object -First 1; $Services = $Services.GetEnumerator() | Select-Object -First 1;
return ($Services.Value.configuration.ServiceUser).Replace('.\', ''); $ServiceUser = ($Services.Value.configuration.ServiceUser).Replace('.\', '');
if ($ServiceUser -eq 'LocalSystem') {
$ServiceUser = 'NT Authority\SYSTEM';
}
return $ServiceUser;
} }

21
lib/core/icingaagent/tests/Test-IcingaAcl.psm1
View file

@ -9,17 +9,26 @@ function Test-IcingaAcl()
throw 'The specified directory was not found'; throw 'The specified directory was not found';
} }
$FolderACL = Get-Acl $Directory; $FolderACL = Get-Acl $Directory;
$ServiceUser = Get-IcingaServiceUser; $ServiceUser = Get-IcingaServiceUser;
$UserFound = $FALSE; $UserFound = $FALSE;
$HasAccess = $FALSE; $HasAccess = $FALSE;
$ServiceUserSID = Get-IcingaUserSID $ServiceUser;
foreach ($user in $FolderACL.Access) { foreach ($user in $FolderACL.Access) {
# Not only check here for the exact name but also for included strings like NT AU or NT-AU or even further later on # Not only check here for the exact name but also for included strings like NT AU or NT-AU or even further later on
# As the Get-Acl Cmdlet will translate usernames into the own language, resultng in 'NT AUTHORITY\NetworkService' being translated # As the Get-Acl Cmdlet will translate usernames into the own language, resultng in 'NT AUTHORITY\NetworkService' being translated
# to 'NT-AUTORITÄT\Netzwerkdienst' for example # to 'NT-AUTORITÄT\Netzwerkdienst' for example
if ($user.IdentityReference -like "*$ServiceUser" -Or ($ServiceUser -Like '*NT AU*' -And ($user.IdentityReference -Like '*NT AU*' -Or $user.IdentityReference -Like '*NT-AU*'))) { $UserSID = $null;
try {
$UserSID = Get-IcingaUserSID $user.IdentityReference;
} catch {
$UserSID = $null;
}
if ($ServiceUserSID -eq $UserSID) {
$UserFound = $TRUE; $UserFound = $TRUE;
if ($user.FileSystemRights -Like '*Modify*' -And $user.FileSystemRights -Like '*Synchronize*') { if (($user.FileSystemRights -Like '*Modify*' -And $user.FileSystemRights -Like '*Synchronize*') -Or $user.FileSystemRights -like '*FullControl*') {
$HasAccess = $TRUE; $HasAccess = $TRUE;
} }
} }

4
lib/core/icingaagent/tests/Test-IcingaAgentServicePermission.psm1
View file

@ -9,6 +9,10 @@ function Test-IcingaAgentServicePermission()
$SystemContent = Get-IcingaAgentServicePermission; $SystemContent = Get-IcingaAgentServicePermission;
[bool]$FoundSID = $FALSE; [bool]$FoundSID = $FALSE;
if ($ServiceUser -eq 'NT Authority\SYSTEM') {
return $TRUE;
}
if ([string]::IsNullOrEmpty($ServiceUser)) { if ([string]::IsNullOrEmpty($ServiceUser)) {
if (-Not $Silent) { if (-Not $Silent) {
Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed'; Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';

4
lib/core/tools/Get-IcingaUserSID.psm1
View file

@ -4,6 +4,10 @@ function Get-IcingaUserSID()
[string]$User [string]$User
); );
if ($User -eq 'LocalSystem') {
$User = 'NT Authority\SYSTEM';
}
[string]$Username = ''; [string]$Username = '';
[string]$Domain = ''; [string]$Domain = '';