2023-10-03 08:18:00 +00:00
|
|
|
#Function to check if the mods directory is secured.
|
|
|
|
#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!
|
|
|
|
#Check if Local Users have write rights in Mods directory or not (and take action if necessary):
|
2023-02-06 06:47:06 +00:00
|
|
|
|
2023-10-03 08:18:00 +00:00
|
|
|
function Invoke-ModsProtect ($ModsPath) {
|
|
|
|
try {
|
|
|
|
$directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
|
|
|
|
$acl = Get-Acl -Path $directory.FullName
|
|
|
|
#Local Users - S-1-5-32-545
|
|
|
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
|
|
|
#Translate SID to Locale Name
|
|
|
|
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
|
|
|
|
$userName = $ntAccount.Value
|
|
|
|
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
|
2023-09-15 14:40:37 +00:00
|
|
|
|
2023-10-03 08:18:00 +00:00
|
|
|
$hasWriteAccess = $False
|
2023-09-15 14:40:37 +00:00
|
|
|
|
2023-10-03 08:18:00 +00:00
|
|
|
foreach ($access in $acl.Access) {
|
|
|
|
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
|
|
|
|
$hasWriteAccess = $True
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
2023-09-15 14:40:37 +00:00
|
|
|
|
2023-10-03 08:18:00 +00:00
|
|
|
if ($hasWriteAccess) {
|
|
|
|
#Disable inheritance
|
|
|
|
$acl.SetAccessRuleProtection($True, $True)
|
|
|
|
# Remove any existing rules
|
|
|
|
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
|
|
|
|
#SYSTEM Full - S-1-5-18
|
|
|
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
|
|
|
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
|
|
|
|
$acl.SetAccessRule($rule)
|
|
|
|
# Save the updated ACL
|
|
|
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
2023-09-15 14:40:37 +00:00
|
|
|
|
2023-10-03 08:18:00 +00:00
|
|
|
#Administrators Full - S-1-5-32-544
|
|
|
|
$acl = Get-Acl -Path $directory.FullName
|
|
|
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
|
|
|
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
|
|
|
|
$acl.SetAccessRule($rule)
|
|
|
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
2023-09-15 14:40:37 +00:00
|
|
|
|
2023-10-03 08:18:00 +00:00
|
|
|
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
|
|
|
$acl = Get-Acl -Path $directory.FullName
|
|
|
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
|
|
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
|
|
|
|
$acl.SetAccessRule($rule)
|
|
|
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
2023-09-15 14:40:37 +00:00
|
|
|
|
2023-10-03 08:18:00 +00:00
|
|
|
#Authenticated Users ReadAndExecute - S-1-5-11
|
|
|
|
$acl = Get-Acl -Path $directory.FullName
|
|
|
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
|
|
|
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
|
|
|
|
$acl.SetAccessRule($rule)
|
|
|
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
2023-09-15 14:40:37 +00:00
|
|
|
|
2023-10-03 08:18:00 +00:00
|
|
|
return $True
|
|
|
|
}
|
|
|
|
return $False
|
|
|
|
}
|
|
|
|
catch {
|
|
|
|
return "Error"
|
|
|
|
}
|
|
|
|
}
|