Function for ModsProtect

pull/275/head
KnifMelti 2023-02-06 07:47:06 +01:00
parent d20fddf097
commit 7e04696cc0
3 changed files with 75 additions and 107 deletions


@ -380,58 +380,15 @@ function Install-WingetAutoUpdate {
Set-Acl -Path $LogFile -AclObject $NewAcl Set-Acl -Path $LogFile -AclObject $NewAcl
} }
#Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)! #Security check
#Check if Local Users have write rights in Mods directory or not Write-host "`nChecking Mods Directory:" -ForegroundColor Yellow
$directory = Get-Item -Path "$WingetUpdatePath\mods" . "$WingetUpdatePath\functions\Invoke-ModsProtect.ps1"
$acl = Get-Acl -Path $directory.FullName $Protected = Invoke-ModsProtect "$WingetUpdatePath\mods"
#Local Users - S-1-5-32-545 if ($Protected) {
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") Write-Host "The mods directory is now secured!`n" -ForegroundColor Green
#Translate SID to Locale Name
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
$userName = $ntAccount.Value
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
$hasWriteAccess = $False
foreach ($access in $acl.Access) {
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
$hasWriteAccess = $True
break
}
} }
elseif (!$Protected) {
if ($hasWriteAccess) { Write-Host "The mods directory was already secured!`n" -ForegroundColor Green
#Disable inheritance
$acl.SetAccessRuleProtection($True, $True)
# Remove any existing rules
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
#SYSTEM Full - S-1-5-18
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
# Save the updated ACL
Set-Acl -Path $directory.FullName -AclObject $acl
#Administrators Full - S-1-5-32-544
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#Authenticated Users ReadAndExecute - S-1-5-11
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
} }
#Create Shortcuts #Create Shortcuts
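Review bot: `elseif (!$Protected)` on the new side is a redundant test: Invoke-ModsProtect returns only `$True` or `$False`, so a plain `else {` is equivalent and reads as the intended two-way branch; the same construct appears in the Invoke-PostUpdateActions hunk of this commit. Neither branch produces output if Invoke-ModsProtect throws (presumably the case when the mods directory does not exist yet, since Get-Acl is then called on an empty path), so the "Checking Mods Directory" section would end without reporting an outcome; wrapping the call in a try/catch that writes the error in the same colour scheme would keep the installer output consistent. Install-WingetAutoUpdate starts before and continues after this hunk.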


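--- /dev/null
+++ b/functions/Invoke-ModsProtect.ps1
@@ -0,0 +1,60 @@
+#Function to check if Mods Directory is secured.
+#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!
+#Check if Local Users have write rights in Mods directory or not (and take action if necessary):
+function Invoke-ModsProtect ($ModsPath) {
+$directory = Get-Item -Path $ModsPath
+$acl = Get-Acl -Path $directory.FullName
+#Local Users - S-1-5-32-545
+$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
+#Translate SID to Locale Name
+$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
+$userName = $ntAccount.Value
+$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
+$hasWriteAccess = $False
+foreach ($access in $acl.Access) {
+if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
+$hasWriteAccess = $True
+break
+}
+}
+if ($hasWriteAccess) {
+#Disable inheritance
+$acl.SetAccessRuleProtection($True, $True)
+# Remove any existing rules
+$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
+#SYSTEM Full - S-1-5-18
+$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
+$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
+$acl.SetAccessRule($rule)
+# Save the updated ACL
+Set-Acl -Path $directory.FullName -AclObject $acl
+#Administrators Full - S-1-5-32-544
+$acl = Get-Acl -Path $directory.FullName
+$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
+$acl.SetAccessRule($rule)
+Set-Acl -Path $directory.FullName -AclObject $acl
+#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
+$acl = Get-Acl -Path $directory.FullName
+$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
+$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
+$acl.SetAccessRule($rule)
+Set-Acl -Path $directory.FullName -AclObject $acl
+#Authenticated Users ReadAndExecute - S-1-5-11
+$acl = Get-Acl -Path $directory.FullName
+$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
+$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
+$acl.SetAccessRule($rule)
+Set-Acl -Path $directory.FullName -AclObject $acl
+return $True
+}
+return $False
+}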
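Review bot: The detection test at `if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights)` only matches an ACE whose rights are exactly `Write`, so a Users entry granting `Modify`, `FullControl` or a partial set such as `CreateFiles, AppendData` is not detected, the function returns `$False`, and both callers then log the directory as already secured while it is still writable by local users. FileSystemRights is a flags enum, so mask it instead of comparing for equality, and skip Deny entries: `$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, ChangePermissions, TakeOwnership'` and `if ($access.AccessControlType -eq 'Allow' -and $access.IdentityReference.Value -eq $userName -and ($access.FileSystemRights -band $writeMask)) {`. The loop also inspects only BUILTIN\Users, whereas the remediation block below it explicitly manages Authenticated Users (S-1-5-11); checking that SID and Everyone (S-1-1-0) in the same pass would keep detection and remediation consistent. Get-Item on a missing `$ModsPath` leaves `$directory` empty and the following Get-Acl call fails, so a comment on the function, or an early `if (-not (Test-Path $ModsPath)) { return $False }`, should state that the caller must ensure the directory exists.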


@ -53,63 +53,14 @@ function Invoke-PostUpdateActions {
Write-Log "-> MaxLogFiles/MaxLogSize setting was missing. Fixed with 3/1048576 (in bytes, default is 1048576 = 1 MB)." Write-Log "-> MaxLogFiles/MaxLogSize setting was missing. Fixed with 3/1048576 (in bytes, default is 1048576 = 1 MB)."
} }
#Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)! #Security check
#Check if Local Users have write rights in Mods directory or not Write-Log "-> Checking Mods Directory:" "yellow"
$WingetUpdatePath = Get-ItemProperty $regPath -Name InstallLocation -ErrorAction SilentlyContinue $Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods"
$directory = Get-Item -Path "$WingetUpdatePath\mods" if ($Protected) {
$acl = Get-Acl -Path $directory.FullName Write-Log "-> The mods directory is now secured!" "green"
#Local Users - S-1-5-32-545
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
#Translate SID to Locale Name
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
$userName = $ntAccount.Value
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
$hasWriteAccess = $False
foreach ($access in $acl.Access) {
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
$hasWriteAccess = $True
break
}
} }
elseif (!$Protected) {
if ($hasWriteAccess) { Write-Log "-> The mods directory was already secured!" "green"
#Disable inheritance
$acl.SetAccessRuleProtection($True, $True)
# Remove any existing rules
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
#SYSTEM Full - S-1-5-18
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
# Save the updated ACL
Set-Acl -Path $directory.FullName -AclObject $acl
#Administrators Full - S-1-5-32-544
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#Authenticated Users ReadAndExecute - S-1-5-11
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#log
Write-Log "-> The mods directory is now secured!."
} }
#Convert about.xml if exists (previous WAU versions) to reg #Convert about.xml if exists (previous WAU versions) to reg
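Review bot: `$Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods"` relies on `$WAUConfig` being populated and on Invoke-ModsProtect.ps1 already being loaded, and neither is visible in this hunk; the Install-WingetAutoUpdate hunk of this commit dot-sources the function file immediately before calling it, this one does not. If the functions directory is not dot-sourced earlier in Invoke-PostUpdateActions, the call fails here and, with no try/catch around it, the remaining post-update steps presumably do not run. Guarding the call with `if (Get-Command Invoke-ModsProtect -ErrorAction SilentlyContinue) {`, or dot-sourcing the file here as the installer does, would make the two call sites consistent. Invoke-PostUpdateActions starts before and continues after this hunk.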