wingetautoupdate/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1

#Function to check if Mods Directory is secured.
#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!
#Check if Local Users have write rights in Mods directory or not (and take action if necessary):

function Invoke-ModsProtect ($ModsPath) {
    $directory = Get-Item -Path $ModsPath
    $acl = Get-Acl -Path $directory.FullName
    #Local Users - S-1-5-32-545
    $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
    #Translate SID to Locale Name
    $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
    $userName = $ntAccount.Value
    $userRights = [System.Security.AccessControl.FileSystemRights]"Write"
    
    $hasWriteAccess = $False
    
    foreach ($access in $acl.Access) {
        if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
            $hasWriteAccess = $True
            break
        }
    }
    
    if ($hasWriteAccess) {
        #Disable inheritance
        $acl.SetAccessRuleProtection($True, $True)
        # Remove any existing rules
        $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
        #SYSTEM Full - S-1-5-18
        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
        $acl.SetAccessRule($rule)
        # Save the updated ACL
        Set-Acl -Path $directory.FullName -AclObject $acl

        #Administrators Full - S-1-5-32-544
        $acl = Get-Acl -Path $directory.FullName
        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
        $acl.SetAccessRule($rule)
        Set-Acl -Path $directory.FullName -AclObject $acl
        
        #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
        $acl = Get-Acl -Path $directory.FullName
        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
        $acl.SetAccessRule($rule)
        Set-Acl -Path $directory.FullName -AclObject $acl

        #Authenticated Users ReadAndExecute - S-1-5-11
        $acl = Get-Acl -Path $directory.FullName
        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
        $acl.SetAccessRule($rule)
        Set-Acl -Path $directory.FullName -AclObject $acl

        return $True
    }
    return $False
}
Function for ModsProtect 2023-02-06 06:47:06 +00:00			`#Function to check if Mods Directory is secured.`
			`#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!`
			`#Check if Local Users have write rights in Mods directory or not (and take action if necessary):`

			`function Invoke-ModsProtect ($ModsPath) {`
			`$directory = Get-Item -Path $ModsPath`
			`$acl = Get-Acl -Path $directory.FullName`
			`#Local Users - S-1-5-32-545`
			`$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")`
			`#Translate SID to Locale Name`
			`$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])`
			`$userName = $ntAccount.Value`
			`$userRights = [System.Security.AccessControl.FileSystemRights]"Write"`

			`$hasWriteAccess = $False`

			`foreach ($access in $acl.Access) {`
			`if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {`
			`$hasWriteAccess = $True`
			`break`
			`}`
			`}`

			`if ($hasWriteAccess) {`
			`#Disable inheritance`
			`$acl.SetAccessRuleProtection($True, $True)`
			`# Remove any existing rules`
			`$acl.Access \| ForEach-Object { $acl.RemoveAccessRule($_) }`
			`#SYSTEM Full - S-1-5-18`
			`$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")`
			`$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")`
			`$acl.SetAccessRule($rule)`
			`# Save the updated ACL`
			`Set-Acl -Path $directory.FullName -AclObject $acl`

			`#Administrators Full - S-1-5-32-544`
			`$acl = Get-Acl -Path $directory.FullName`
			`$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")`
			`$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")`
			`$acl.SetAccessRule($rule)`
			`Set-Acl -Path $directory.FullName -AclObject $acl`

			`#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11`
			`$acl = Get-Acl -Path $directory.FullName`
			`$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")`
			`$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")`
			`$acl.SetAccessRule($rule)`
			`Set-Acl -Path $directory.FullName -AclObject $acl`

			`#Authenticated Users ReadAndExecute - S-1-5-11`
			`$acl = Get-Acl -Path $directory.FullName`
			`$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")`
			`$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")`
			`$acl.SetAccessRule($rule)`
			`Set-Acl -Path $directory.FullName -AclObject $acl`

			`return $True`
			`}`
			`return $False`
			`}`