Fixes handling for LocalSystem account if set as service user

LordHepipud · LordHepipud · commit 72dc4c00513d · 2020-03-18T08:00:32.000+01:00
Fixes #51
diff --git a/lib/core/icingaagent/getters/Get-IcingaServiceUser.psm1 b/lib/core/icingaagent/getters/Get-IcingaServiceUser.psm1
@@ -6,5 +6,11 @@ function Get-IcingaServiceUser()
     }
 
     $Services    = $Services.GetEnumerator() | Select-Object -First 1;
-    return ($Services.Value.configuration.ServiceUser).Replace('.\', '');
+    $ServiceUser = ($Services.Value.configuration.ServiceUser).Replace('.\', '');
+
+    if ($ServiceUser -eq 'LocalSystem') {
+        $ServiceUser = 'NT Authority\SYSTEM';
+    }
+
+    return $ServiceUser;
 }
diff --git a/lib/core/icingaagent/tests/Test-IcingaAcl.psm1 b/lib/core/icingaagent/tests/Test-IcingaAcl.psm1
@@ -9,17 +9,26 @@ function Test-IcingaAcl()
         throw 'The specified directory was not found';
     }
 
-    $FolderACL   = Get-Acl $Directory;
-    $ServiceUser = Get-IcingaServiceUser;
-    $UserFound   = $FALSE;
-    $HasAccess   = $FALSE;
+    $FolderACL      = Get-Acl $Directory;
+    $ServiceUser    = Get-IcingaServiceUser;
+    $UserFound      = $FALSE;
+    $HasAccess      = $FALSE;
+    $ServiceUserSID = Get-IcingaUserSID $ServiceUser;
+
     foreach ($user in $FolderACL.Access) {
         # Not only check here for the exact name but also for included strings like NT AU or NT-AU or even further later on
         # As the Get-Acl Cmdlet will translate usernames into the own language, resultng in 'NT AUTHORITY\NetworkService' being translated
         # to 'NT-AUTORITÄT\Netzwerkdienst' for example
-        if ($user.IdentityReference -like "*$ServiceUser" -Or ($ServiceUser -Like '*NT AU*' -And ($user.IdentityReference -Like '*NT AU*' -Or $user.IdentityReference -Like '*NT-AU*'))) {
+        $UserSID = $null;
+        try {
+            $UserSID = Get-IcingaUserSID $user.IdentityReference;
+        } catch {
+            $UserSID = $null;
+        }
+
+        if ($ServiceUserSID -eq $UserSID) {
             $UserFound = $TRUE;
-            if ($user.FileSystemRights -Like '*Modify*' -And $user.FileSystemRights -Like '*Synchronize*') {
+            if (($user.FileSystemRights -Like '*Modify*' -And $user.FileSystemRights -Like '*Synchronize*') -Or $user.FileSystemRights -like '*FullControl*') {
                 $HasAccess = $TRUE;
             }
         }
diff --git a/lib/core/icingaagent/tests/Test-IcingaAgentServicePermission.psm1 b/lib/core/icingaagent/tests/Test-IcingaAgentServicePermission.psm1
@@ -9,6 +9,10 @@ function Test-IcingaAgentServicePermission()
     $SystemContent     = Get-IcingaAgentServicePermission;
     [bool]$FoundSID    = $FALSE;
 
+    if ($ServiceUser -eq 'NT Authority\SYSTEM') {
+        return $TRUE;
+    }
+
     if ([string]::IsNullOrEmpty($ServiceUser)) {
         if (-Not $Silent) {
             Write-IcingaTestOutput -Severity 'FAILED' -Message 'There is no user assigned to the Icinga 2 service or the service is not yet installed';
diff --git a/lib/core/tools/Get-IcingaUserSID.psm1 b/lib/core/tools/Get-IcingaUserSID.psm1
@@ -4,6 +4,10 @@ function Get-IcingaUserSID()
         [string]$User
     );
 
+    if ($User -eq 'LocalSystem') {
+        $User = 'NT Authority\SYSTEM';
+    }
+
     [string]$Username = '';
     [string]$Domain   = '';
 

Original file line number	Diff line number	Diff line change
`@@ -6,5 +6,11 @@ function Get-IcingaServiceUser()`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`$Services = $Services.GetEnumerator() \| Select-Object -First 1;`
`9`		`- return ($Services.Value.configuration.ServiceUser).Replace('.\', '');`
	`9`	`+ $ServiceUser = ($Services.Value.configuration.ServiceUser).Replace('.\', '');`
	`10`	`+`
	`11`	`+ if ($ServiceUser -eq 'LocalSystem') {`
	`12`	`+ $ServiceUser = 'NT Authority\SYSTEM';`
	`13`	`+ }`
	`14`	`+`
	`15`	`+ return $ServiceUser;`
`10`	`16`	`}`