mirror of
https://github.com/netbirdio/netbird.git
synced 2026-04-16 07:16:38 +00:00
92 lines
2.5 KiB
Go
92 lines
2.5 KiB
Go
//go:build windows
|
|
|
|
package server
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"os"
|
|
"os/exec"
|
|
"os/user"
|
|
|
|
"github.com/gliderlabs/ssh"
|
|
log "github.com/sirupsen/logrus"
|
|
"golang.org/x/sys/windows"
|
|
)
|
|
|
|
// createSftpCommand creates a Windows SFTP command with user switching.
|
|
// The caller must close the returned token handle after starting the process.
|
|
func (s *Server) createSftpCommand(targetUser *user.User, sess ssh.Session) (*exec.Cmd, windows.Token, error) {
|
|
username, domain := s.parseUsername(targetUser.Username)
|
|
|
|
netbirdPath, err := os.Executable()
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("get netbird executable path: %w", err)
|
|
}
|
|
|
|
args := []string{
|
|
"ssh", "sftp",
|
|
"--working-dir", targetUser.HomeDir,
|
|
"--windows-username", username,
|
|
"--windows-domain", domain,
|
|
}
|
|
|
|
pd := NewPrivilegeDropper()
|
|
token, err := pd.createToken(username, domain)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("create token: %w", err)
|
|
}
|
|
|
|
defer func() {
|
|
if err := windows.CloseHandle(token); err != nil {
|
|
log.Warnf("failed to close impersonation token: %v", err)
|
|
}
|
|
}()
|
|
|
|
cmd, primaryToken, err := pd.createProcessWithToken(sess.Context(), windows.Token(token), netbirdPath, append([]string{netbirdPath}, args...), targetUser.HomeDir)
|
|
if err != nil {
|
|
return nil, 0, fmt.Errorf("create SFTP command: %w", err)
|
|
}
|
|
|
|
log.Debugf("Created Windows SFTP command with user switching for %s", targetUser.Username)
|
|
return cmd, primaryToken, nil
|
|
}
|
|
|
|
// executeSftpCommand executes a Windows SFTP command with proper I/O handling
|
|
func (s *Server) executeSftpCommand(sess ssh.Session, sftpCmd *exec.Cmd, token windows.Token) error {
|
|
defer func() {
|
|
if err := windows.CloseHandle(windows.Handle(token)); err != nil {
|
|
log.Debugf("close primary token: %v", err)
|
|
}
|
|
}()
|
|
|
|
sftpCmd.Stdin = sess
|
|
sftpCmd.Stdout = sess
|
|
sftpCmd.Stderr = sess.Stderr()
|
|
|
|
if err := sftpCmd.Start(); err != nil {
|
|
return fmt.Errorf("starting sftp executor: %w", err)
|
|
}
|
|
|
|
if err := sftpCmd.Wait(); err != nil {
|
|
var exitError *exec.ExitError
|
|
if errors.As(err, &exitError) {
|
|
log.Tracef("sftp process exited with code %d", exitError.ExitCode())
|
|
return nil
|
|
}
|
|
|
|
return fmt.Errorf("exec sftp: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// executeSftpWithPrivilegeDrop executes SFTP using Windows privilege dropping
|
|
func (s *Server) executeSftpWithPrivilegeDrop(sess ssh.Session, targetUser *user.User) error {
|
|
sftpCmd, token, err := s.createSftpCommand(targetUser, sess)
|
|
if err != nil {
|
|
return fmt.Errorf("create sftp: %w", err)
|
|
}
|
|
return s.executeSftpCommand(sess, sftpCmd, token)
|
|
}
|