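#!/bin/sh
#
# Set up OpenSSH's sshd as a Windows service under MSYS2.
#
# Usage: run with no arguments from an elevated (Administrator) MSYS2 shell.
#
# Steps, in order:
#   1. check that editrights, cygrunsrv and ssh-keygen are installed
#      (ssh-keygen -A also generates any missing host keys);
#   2. create the privileged service account, add it to the local
#      Administrators group and grant it the rights sshd needs;
#   3. create the disabled, unprivileged account sshd uses for privilege
#      separation;
#   4. refresh both accounts' lines in /etc/passwd (if that file exists);
#   5. (re)register the "sshd" service with cygrunsrv and start it.
#
# Kept POSIX sh on purpose: no arrays, no [[ ]], no `local`, no pipefail.

set -e

#
# Configuration
#

PRIV_USER=cyg_server
PRIV_NAME="Privileged server"
UNPRIV_USER=sshd
UNPRIV_NAME="Unprivileged user for sshd"

# Home directory for both service accounts; neither needs a real one.
EMPTY_DIR=/var/empty

# editrights is an MSYS2/mingw package, not a Cygwin tool, hence the path.
EDITRIGHTS=/mingw64/bin/editrights

readonly PRIV_USER PRIV_NAME UNPRIV_USER UNPRIV_NAME EMPTY_DIR EDITRIGHTS

# Print a message to stderr and abort the script.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print "//add" when the account named in $1 does not exist yet, nothing
# otherwise. Output of `net user` is discarded; only its status matters.
add_flag_for() {
  if ! net user "$1" >/dev/null 2>&1; then
    printf '%s' "//add"
  fi
}

#
# Check installation sanity
#
check_prerequisites() {
  if ! "${EDITRIGHTS}" -h >/dev/null; then
    die "Missing 'editrights'. Try: pacman -S mingw-w64-x86_64-editrights."
  fi

  if ! cygrunsrv -v >/dev/null; then
    die "Missing 'cygrunsrv'. Try: pacman -S cygrunsrv."
  fi

  # More than a presence check: -A creates every host key type that is
  # still missing, so this must run before the service is started.
  if ! ssh-keygen -A; then
    die "Missing 'ssh-keygen'. Try: pacman -S openssh."
  fi
}

#
# The privileged cyg_server user
#
setup_privileged_user() {
  # Some random password; this is only needed internally by cygrunsrv and
  # is limited to 14 characters by Windows (lol). LC_ALL=C stops tr from
  # choking on non-UTF-8 bytes read from /dev/urandom in a UTF-8 locale.
  tmp_pass="$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | dd count=14 bs=1 2>/dev/null)"
  [ "${#tmp_pass}" -eq 14 ] || die "Could not generate a password from /dev/urandom."

  # Create user. The password goes on the command line here and again to
  # cygrunsrv below, so it is visible in the process list while those two
  # commands run; that is how both tools are invoked in this script.
  # ${add} is deliberately unquoted so an empty value adds no argument.
  add="$(add_flag_for "${PRIV_USER}")"
  # shellcheck disable=SC2086
  net user "${PRIV_USER}" "${tmp_pass}" ${add} //fullname:"${PRIV_NAME}" \
    //homedir:"$(cygpath -w "${EMPTY_DIR}")" //yes

  # Add user to the Administrators group if necessary. The group is found by
  # its well-known SID (S-1-5-32-544) because its display name is localised.
  admingroup="$(mkgroup -l | awk -F: '{if ($2 == "S-1-5-32-544") print $1;}')"
  [ -n "${admingroup}" ] || die "Could not determine the name of the Administrators group."
  # `net` may emit CRLF line endings; strip the CR so the '$' anchor matches.
  if ! (net localgroup "${admingroup}" | tr -d '\r' | grep -q '^'"${PRIV_USER}"'$'); then
    net localgroup "${admingroup}" "${PRIV_USER}" //add
  fi

  # Infinite passwd expiry, otherwise the service logon breaks once the
  # password ages out.
  passwd -e "${PRIV_USER}"

  # Set required privileges. The three *Privilege rights are what Cygwin's
  # setuid emulation needs to switch to the connecting user; this is what
  # makes the account (already an Administrator) SYSTEM-equivalent, so
  # SeDenyRemoteInteractiveLogonRight keeps it off Remote Desktop, and
  # SeServiceLogonRight lets cygrunsrv log it on as a service.
  for right in SeAssignPrimaryTokenPrivilege SeCreateTokenPrivilege \
      SeTcbPrivilege SeDenyRemoteInteractiveLogonRight SeServiceLogonRight; do
    "${EDITRIGHTS}" -a "${right}" -u "${PRIV_USER}"
  done
}

#
# The unprivileged sshd user (for privilege separation)
#
setup_unprivileged_user() {
  # No password is given and the account is disabled (//active:no): sshd only
  # needs its identity for the pre-authentication child process.
  add="$(add_flag_for "${UNPRIV_USER}")"
  # shellcheck disable=SC2086
  net user "${UNPRIV_USER}" ${add} //fullname:"${UNPRIV_NAME}" \
    //homedir:"$(cygpath -w "${EMPTY_DIR}")" //active:no
}

#
# Add or update /etc/passwd entries if necessary
#
update_passwd_entries() {
  [ -f "/etc/passwd" ] || return 0
  for u in "${PRIV_USER}" "${UNPRIV_USER}"; do
    # Drop any stale line for the account, then regenerate it from the SAM.
    sed -i -e '/^'"${u}"':/d' /etc/passwd
    # Replace fields 6 (home) and 7 (shell) with EMPTY_DIR:/bin/false.
    # \(\([^:]*:\)\{5\}\) captures the first five colon-terminated fields;
    # '?' is the s/// delimiter so the slashes in EMPTY_DIR need no escaping;
    # -n together with the trailing p prints only the rewritten line.
    SED='/^'"${u}"':/s?^\(\([^:]*:\)\{5\}\).*?\1'"${EMPTY_DIR}"':/bin/false?p'
    # The first sed strips a "DOMAIN+" prefix from the account name. POSIX sh
    # has no pipefail: a failing mkpasswd appends nothing rather than aborting.
    mkpasswd -l -u "${u}" | sed -e 's/^[^:]*+//' | sed -ne "${SED}" \
      >> /etc/passwd
  done
}

#
# Finally, register service with cygrunsrv and start it
#
register_service() {
  # Best-effort removal of an earlier registration; failure means there was none.
  cygrunsrv -R sshd || true
  # -a -D hands "-D" (do not detach) to sshd; -y tcpip makes the service
  # depend on TCP/IP; -u/-w are the logon account and its password.
  cygrunsrv -I sshd -d "MSYS2 sshd" -p \
    /usr/bin/sshd -a -D -y tcpip -u "${PRIV_USER}" -w "${tmp_pass}"

  # The SSH service should start automatically when Windows is rebooted. You can
  # manually restart the service by running `net stop sshd` + `net start sshd`
  net start sshd
}

main() {
  check_prerequisites
  setup_privileged_user
  setup_unprivileged_user
  update_passwd_entries
  register_service
}

main "$@"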