OpenSSHUtils ProfilePath parsing issues #843
Conversation
|
@annulus, |
| @@ -168,7 +168,9 @@ function Repair-AuthorizedKeyPermission | |||
| $userProfilePath = $properties.ProfileImagePath | |||
| } | |||
| $userProfilePath = $userProfilePath.Replace("\", "\\") | |||
| $fullPath -match "^$userProfilePath[\\|\W|\w]+authorized_keys$" | |||
| if ( $properties.PSChildName -notmatch '\.bak$') { | |||
There was a problem hiding this comment.
@bingbing8 - Windows will also create additional, profile when users move between domains or a profile is corrupt. These result it other profile folders that are orphaned (invalid for authorized_keys purposes).
Rather than the exclude, maybe the regex should just be tightened up to not match "...\userprofilepath...", but only "...\userprofilepath\..." ?
There was a problem hiding this comment.
@DarwinJS It seems that you wrote "...\userprofilepath..." twice.
There was a problem hiding this comment.
Looks like github mistook my second slash for markup - was able to fix it. I am suggesting that the second literal slash that is found in $properties.profileimagepath be left intact so that profiles with ".something" are not picked up as they are generally not in live use.
There was a problem hiding this comment.
It is two separate thing:
- appending a slash to the end of the filesystem path in the regex, that's against the value of the registry field ProfileImagePath is important to ignore the registry entries that are belonging to users that share the beginning of their path (this is what my other commit is about)
- ignoring the registry ProfileList entries that end with .bak are to avoid loading old/backup reg.entries
|
Please submit the changes in the openssh-portable repo... This repo is only used for tracking the issues... |
Hi,
Regarding the authorized_keys permission fix bits:
I found out that in case there's more than one entry in the registry that matches the regex, then it will throw an exception as it appends all the matching registry paths to the profileItem variable, which won't be a valid registry entry that has a PSChildName field (thus the exception).
Regards,
David