github.com/mRemoteNG/PuTTYNG.git
author Simon Tatham <anakin@pobox.com> 2017-01-29 00:56:28 +0300
committer Simon Tatham <anakin@pobox.com> 2017-01-30 02:08:19 +0300
commit e22120fea8d39e6a2ef6b2f4ab3ee5502f56169a
tree 77ac856c87650dc9a00d06d516f7c3239430eac4 /cmdline.c
parent 54cc0c5b296ee7c27b48a3c8e7aead6e74f2abf1

Turn off Windows process ACL restriction by default.

As documented in bug 'win-process-acl-finesse', we've had enough assorted complaints about it breaking various non-malicious pieces of Windows process interaction (ranging from git->plink integration to screen readers for the vision-impaired) that I think it's more sensible to set the process back to its default level of protection.

This precaution was never a fully effective protection anyway, due to the race condition at process startup; the only properly effective defence would have been to prevent malware running under the same user ID as PuTTY in the first place, so in that sense, nothing has changed. But people who want the arguable defence-in-depth advantage of the ACL restriction can now turn it on with the '-restrict-acl' command-line option, and it's up to them whether they can live with the assorted inconveniences that come with it.

In the course of this change, I've centralised a bit more of the restriction code into winsecur.c, to avoid repeating the error handling in multiple places.

Diffstat (limited to 'cmdline.c')
-rw-r--r-- cmdline.c 11
1 files changed, 11 insertions, 0 deletions
diff --git a/cmdline.c b/cmdline.c
index e6b69073..73ede342 100644
--- a/cmdline.c
+++ b/cmdline.c
@@ -609,6 +609,17 @@ int cmdline_process_param(const char *p, char *value,
conf_set_str(conf, CONF_proxy_telnet_command, value);
}
+#ifdef _WINDOWS
+ /*
+ * Cross-tool options only available on Windows.
+ */
+ if (!strcmp(p, "-restrict-acl") || !strcmp(p, "-restrict_acl") ||
+ !strcmp(p, "-restrictacl")) {
+ RETURN(1);
+ restrict_process_acl();
+ }
+#endif
+
return ret; /* unrecognised */
}
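
Review bot: In the new `-restrict-acl` branch, `RETURN(1);` is placed before `restrict_process_acl();`, so whether the ACL restriction is actually applied depends on what the `RETURN` macro does, and these lines do not show that. If `RETURN` can leave the function on any path, the option is accepted as valid but the process stays at its default protection, which is a silent failure for a flag people pass specifically for defence in depth. Either call `restrict_process_acl()` first, or add a comment in this block saying on which paths the call is intentionally skipped. Two smaller points on the same lines: the branch accepts three spellings (`-restrict-acl`, `-restrict_acl`, `-restrictacl`) while the commit message names only the first, so the comment should say which are documented; and the restriction is applied as a side effect of argument parsing rather than recorded in `conf`, so it is worth noting here that it only takes effect once this parameter has been reached, which is the startup window the commit message already mentions.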