From a4ceb4c35f364922075dfe707a582c0b3b08046b Mon Sep 17 00:00:00 2001
From: Matt Davis
Date: Tue, 10 Oct 2017 16:53:21 -0700
Subject: [PATCH] improve become/runas error messaging on bogus/missing username (#31551)

---
 lib/ansible/plugins/shell/powershell.py | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/lib/ansible/plugins/shell/powershell.py b/lib/ansible/plugins/shell/powershell.py
index df3425601b..c7b514d52c 100644
--- a/lib/ansible/plugins/shell/powershell.py
+++ b/lib/ansible/plugins/shell/powershell.py
@@ -957,12 +957,21 @@ Function Run($payload) {
 # NB: CreateProcessWithTokenW commandline maxes out at 1024 chars, must bootstrap via filesystem
 $temp = [System.IO.Path]::Combine([System.IO.Path]::GetTempPath(), [System.IO.Path]::GetRandomFileName() + ".ps1")
 $exec_wrapper.ToString() | Set-Content -Path $temp
- # allow (potentially unprivileged) target user access to the tempfile (NB: this likely won't work if traverse checking is enabled)
- $acl = Get-Acl $temp
- $acl.AddAccessRule($(New-Object System.Security.AccessControl.FileSystemAccessRule($username, "FullControl", "Allow")))
- Set-Acl $temp $acl | Out-Null
+ $rc = 0 Try {
+ # allow (potentially unprivileged) target user access to the tempfile (NB: this likely won't work if traverse checking is enabled) $acl = Get-Acl $temp
+
+ Try { $acl.AddAccessRule($(New-Object System.Security.AccessControl.FileSystemAccessRule($username, "FullControl", "Allow")))
+ }
+ Catch [System.Security.Principal.IdentityNotMappedException] {
+ throw "become_user '$username' is not recognized on this host"
+ }
+
+ Set-Acl $temp $acl | Out-Null
+ $payload_string = $payload | ConvertTo-Json -Depth 99 -Compress $lp_command_line = New-Object System.Text.StringBuilder @("powershell.exe -NonInteractive -NoProfile -ExecutionPolicy Bypass -File $temp")