diff --git a/Winget-AutoUpdate-Install.ps1 b/Winget-AutoUpdate-Install.ps1 index 9e5d3b7..3ab3a11 100644 --- a/Winget-AutoUpdate-Install.ps1 +++ b/Winget-AutoUpdate-Install.ps1 @@ -380,58 +380,15 @@ function Install-WingetAutoUpdate { Set-Acl -Path $LogFile -AclObject $NewAcl } - #Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)! - #Check if Local Users have write rights in Mods directory or not - $directory = Get-Item -Path "$WingetUpdatePath\mods" - $acl = Get-Acl -Path $directory.FullName - #Local Users - S-1-5-32-545 - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") - #Translate SID to Locale Name - $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount]) - $userName = $ntAccount.Value - $userRights = [System.Security.AccessControl.FileSystemRights]"Write" - - $hasWriteAccess = $False - - foreach ($access in $acl.Access) { - if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) { - $hasWriteAccess = $True - break - } + #Security check + Write-host "`nChecking Mods Directory:" -ForegroundColor Yellow + . "$WingetUpdatePath\functions\Invoke-ModsProtect.ps1" + $Protected = Invoke-ModsProtect "$WingetUpdatePath\mods" + if ($Protected) { + Write-Host "The mods directory is now secured!`n" -ForegroundColor Green } - - if ($hasWriteAccess) { - #Disable inheritance - $acl.SetAccessRuleProtection($True, $True) - # Remove any existing rules - $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } - #SYSTEM Full - S-1-5-18 - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - # Save the updated ACL - Set-Acl -Path $directory.FullName -AclObject $acl - - #Administrators Full - S-1-5-32-544 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #Authenticated Users ReadAndExecute - S-1-5-11 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl + elseif (!$Protected) { + Write-Host "The mods directory was already secured!`n" -ForegroundColor Green } #Create Shortcuts diff --git a/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 b/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 new file mode 100644 index 0000000..98eff2e --- /dev/null +++ b/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 @@ -0,0 +1,60 @@ +#Function to check if Mods Directory is secured. +#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)! +#Check if Local Users have write rights in Mods directory or not (and take action if necessary): + +function Invoke-ModsProtect ($ModsPath) { + $directory = Get-Item -Path $ModsPath + $acl = Get-Acl -Path $directory.FullName + #Local Users - S-1-5-32-545 + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") + #Translate SID to Locale Name + $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount]) + $userName = $ntAccount.Value + $userRights = [System.Security.AccessControl.FileSystemRights]"Write" + + $hasWriteAccess = $False + + foreach ($access in $acl.Access) { + if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) { + $hasWriteAccess = $True + break + } + } + + if ($hasWriteAccess) { + #Disable inheritance + $acl.SetAccessRuleProtection($True, $True) + # Remove any existing rules + $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } + #SYSTEM Full - S-1-5-18 + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") + $acl.SetAccessRule($rule) + # Save the updated ACL + Set-Acl -Path $directory.FullName -AclObject $acl + + #Administrators Full - S-1-5-32-544 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + #Authenticated Users ReadAndExecute - S-1-5-11 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + return $True + } + return $False +} \ No newline at end of file diff --git a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 index 8303eec..35d2acb 100644 --- a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 +++ b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 @@ -53,63 +53,14 @@ function Invoke-PostUpdateActions { Write-Log "-> MaxLogFiles/MaxLogSize setting was missing. Fixed with 3/1048576 (in bytes, default is 1048576 = 1 MB)." } - #Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)! - #Check if Local Users have write rights in Mods directory or not - $WingetUpdatePath = Get-ItemProperty $regPath -Name InstallLocation -ErrorAction SilentlyContinue - $directory = Get-Item -Path "$WingetUpdatePath\mods" - $acl = Get-Acl -Path $directory.FullName - #Local Users - S-1-5-32-545 - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") - #Translate SID to Locale Name - $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount]) - $userName = $ntAccount.Value - $userRights = [System.Security.AccessControl.FileSystemRights]"Write" - - $hasWriteAccess = $False - - foreach ($access in $acl.Access) { - if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) { - $hasWriteAccess = $True - break - } + #Security check + Write-Log "-> Checking Mods Directory:" "yellow" + $Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods" + if ($Protected) { + Write-Log "-> The mods directory is now secured!" "green" } - - if ($hasWriteAccess) { - #Disable inheritance - $acl.SetAccessRuleProtection($True, $True) - # Remove any existing rules - $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } - #SYSTEM Full - S-1-5-18 - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - # Save the updated ACL - Set-Acl -Path $directory.FullName -AclObject $acl - - #Administrators Full - S-1-5-32-544 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #Authenticated Users ReadAndExecute - S-1-5-11 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #log - Write-Log "-> The mods directory is now secured!." - + elseif (!$Protected) { + Write-Log "-> The mods directory was already secured!" "green" } #Convert about.xml if exists (previous WAU versions) to reg