
Permissions repair PowerShell scripts do not work in an ssh session.

Open rkitover opened this issue 2 years ago • 4 comments

"OpenSSH for Windows" version 8.0.0.0

Server OperatingSystem Windows 10 Pro

Client OperatingSystem Windows 10 Pro

What is failing

powershell -noprofile -file .\FixUserFilePermissions.ps1

when connected to the computer over ssh, with the default shell set to:

Name                           Value
----                           -----
PSVersion                      7.2.1
PSEdition                      Core
GitCommitId                    7.2.1
OS                             Microsoft Windows 10.0.22523
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Expected output

  [*] ~\.ssh\config
      looks good

  [*] C:\Users\rkitover\.ssh\id_rsa
      looks good

  [*] C:\Users\rkitover\.ssh\id_rsa.pub
      looks good

   Done.

Actual output

Repair-FilePermission : Cannot validate argument on parameter
'Owners'. The argument has a null value, or an element of the
argument collection contains a null value. Provide a collection
that does not contain any null values, and then try the command
again.
At C:\Users\rkitover\tmp\OpenSSHUtils.psm1:260 char:39
+ ...  Repair-FilePermission -Owners
$UserSid,$adminsSid,$systemSid -AnyAcc ...
+                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Repair-FilePermiss
   ion], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Rep
   air-FilePermission

Repair-FilePermission : Cannot validate argument on parameter
'Owners'. The argument has a null value, or an element of the
argument collection contains a null value. Provide a collection
that does not contain any null values, and then try the command
again.
At C:\Users\rkitover\tmp\OpenSSHUtils.psm1:241 char:39
+ ... Repair-FilePermission -Owners $UserSid,
$adminsSid,$systemSid -AnyAcc ...
+                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Repair-FilePermiss
   ion], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Rep
   air-FilePermission

Repair-FilePermission : Cannot validate argument on parameter
'Owners'. The argument has a null value, or an element of the
argument collection contains a null value. Provide a collection
that does not contain any null values, and then try the command
again.
At C:\Users\rkitover\tmp\OpenSSHUtils.psm1:244 char:39
+ ... Repair-FilePermission -Owners $UserSid,
$adminsSid,$systemSid -AnyAcc ...
+                                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Repair-FilePermiss
   ion], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Rep
   air-FilePermission

   Done.

rkitover, Dec 29 '21 16:12

@tgauth - please have a look.

bagajjal, Jan 10 '22 22:01

@rkitover, could you run the following commands in PowerShell?

$systemSid = Get-UserSID -WellKnownSidType ([System.Security.Principal.WellKnownSidType]::LocalSystemSid)
$adminsSid = Get-UserSID -WellKnownSidType ([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)
$currentUserSid = Get-UserSID -User "$($env:USERDOMAIN)\$($env:USERNAME)"

Based on that error message, it seems like one, or more, of the args ($systemSid, $adminsSid, $currentUserSid) being passed into Repair-FilePermission via the -Owners parameter is $null.

tgauth, Jan 11 '22 20:01

@rkitover, disregard my previous comment - I was able to repro this issue.

Over SSH, I found that the env:USERDOMAIN was set to WORKGROUP, while the actual value, in my case, should be NULL (This discrepancy is what results in $currentUserSid = Get-UserSID -User "$($env:USERDOMAIN)\$($env:USERNAME)" being $null and leads to the PowerShell error).

To temporarily fix this and run the file permissions script, modify the $env:USERDOMAIN variable during the SSH session to the proper value (note, if the value is $null and USERDOMAIN no longer shows up in the list of environment variables, the script will still run). This value will only persist for the duration of that SSH session.

If a lasting fix is required, the Registry could be updated by adding a USERDOMAIN key under the user's Environment that is populated with the actual value. Going forward, when the user establishes an SSH session, the value from the Registry will populate that environment variable. I can provide more information on this, if necessary.

If the actual domain of the user is already known, it can be confirmed by running the following in PowerShell:

$user = [System.Security.Principal.NTAccount]"<actual domain>\$($env:USERNAME)"
$userSID = $user.Translate([System.Security.Principal.SecurityIdentifier])
$userSID.value

If not, the SIDs can be found in the Registry, under HKEY_USERS. If opening the Registry GUI is not an option, run the following in Command Prompt:

REG QUERY HKU

This will list all the SIDs on the machine. In PowerShell, translate from SID to Username until the correct one is found:

$SIDstr = 'from result of REG QUERY HKU'
$SID = New-Object System.Security.Principal.SecurityIdentifier($SIDstr)
# Translate the SID object created above into DOMAIN\user form
$user = $SID.Translate([System.Security.Principal.NTAccount])
$user.Value

Lastly, set the USERDOMAIN and execute the script:

$env:USERDOMAIN = "<actual domain>"
powershell -noprofile -file .\FixUserFilePermissions.ps1

tgauth, Jan 12 '22 18:01

Thank you for the detailed response, I don't personally need a fix for this, I was just reporting the issue.

Can we not fix the code to get the domain in a more reliable way?

rkitover, Jan 28 '22 02:01
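
Added example, not part of the thread and not the Win32-OpenSSH project's code: one way to check, inside the SSH session, whether the environment-based lookup discussed above fails while the SID taken from the process token is still available. The function names Get-TokenUserSid and Get-EnvUserSid are hypothetical; only standard .NET System.Security.Principal types are used.

```powershell
# Added example: compare two ways of finding the current user's SID.
# Function names are hypothetical and are not part of OpenSSHUtils.psm1.

function Get-TokenUserSid {
    # The access token of the running process carries the user's SID,
    # independent of what USERDOMAIN / USERNAME contain in this session.
    return [System.Security.Principal.WindowsIdentity]::GetCurrent().User
}

function Get-EnvUserSid {
    # The lookup pattern quoted in the thread: translate "$USERDOMAIN\$USERNAME".
    # Returns $null (with a warning) when the name cannot be mapped to a SID.
    $name = "$($env:USERDOMAIN)\$($env:USERNAME)"
    try {
        $account = [System.Security.Principal.NTAccount]$name
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot map '$name' to a SID: $($_.Exception.Message)"
        return $null
    }
}

$tokenSid = Get-TokenUserSid
$envSid   = Get-EnvUserSid

# Fail early with a clear message rather than passing a null owner
# on to a later cmdlet and hitting a parameter validation error there.
if ($null -eq $tokenSid) {
    throw "Could not determine the current user's SID from the process token."
}

if ($null -eq $envSid) {
    Write-Host "Environment lookup failed; token SID is $($tokenSid.Value)"
} elseif ($envSid.Value -ne $tokenSid.Value) {
    Write-Host "Mismatch: environment resolves to $($envSid.Value), token is $($tokenSid.Value)"
} else {
    Write-Host "Both lookups agree: $($tokenSid.Value)"
}
```

Running this once in a local console and once over SSH shows whether the two sessions resolve the same SID before any permissions are changed.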