Function for ModsProtect
KnifMelti
parent
d20fddf097
commit
7e04696cc0
|
|
@ -380,58 +380,15 @@ function Install-WingetAutoUpdate {
|
|||
Set-Acl -Path $LogFile -AclObject $NewAcl
|
||||
}
|
||||
|
||||
#Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)!
|
||||
#Check if Local Users have write rights in Mods directory or not
|
||||
$directory = Get-Item -Path "$WingetUpdatePath\mods"
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
#Local Users - S-1-5-32-545
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||
#Translate SID to Locale Name
|
||||
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
|
||||
$userName = $ntAccount.Value
|
||||
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
|
||||
|
||||
$hasWriteAccess = $False
|
||||
|
||||
foreach ($access in $acl.Access) {
|
||||
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
|
||||
$hasWriteAccess = $True
|
||||
break
|
||||
}
|
||||
#Security check
|
||||
Write-host "`nChecking Mods Directory:" -ForegroundColor Yellow
|
||||
. "$WingetUpdatePath\functions\Invoke-ModsProtect.ps1"
|
||||
$Protected = Invoke-ModsProtect "$WingetUpdatePath\mods"
|
||||
if ($Protected) {
|
||||
Write-Host "The mods directory is now secured!`n" -ForegroundColor Green
|
||||
}
|
||||
|
||||
if ($hasWriteAccess) {
|
||||
#Disable inheritance
|
||||
$acl.SetAccessRuleProtection($True, $True)
|
||||
# Remove any existing rules
|
||||
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
|
||||
#SYSTEM Full - S-1-5-18
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
# Save the updated ACL
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Administrators Full - S-1-5-32-544
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Authenticated Users ReadAndExecute - S-1-5-11
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
elseif (!$Protected) {
|
||||
Write-Host "The mods directory was already secured!`n" -ForegroundColor Green
|
||||
}
|
||||
|
||||
#Create Shortcuts
|
||||
|
|
|
|||
|
|
@ -0,0 +1,60 @@
|
|||
#Function to check if Mods Directory is secured.
|
||||
#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!
|
||||
#Check if Local Users have write rights in Mods directory or not (and take action if necessary):
|
||||
|
||||
function Invoke-ModsProtect ($ModsPath) {
|
||||
$directory = Get-Item -Path $ModsPath
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
#Local Users - S-1-5-32-545
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||
#Translate SID to Locale Name
|
||||
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
|
||||
$userName = $ntAccount.Value
|
||||
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
|
||||
|
||||
$hasWriteAccess = $False
|
||||
|
||||
foreach ($access in $acl.Access) {
|
||||
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
|
||||
$hasWriteAccess = $True
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if ($hasWriteAccess) {
|
||||
#Disable inheritance
|
||||
$acl.SetAccessRuleProtection($True, $True)
|
||||
# Remove any existing rules
|
||||
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
|
||||
#SYSTEM Full - S-1-5-18
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
# Save the updated ACL
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Administrators Full - S-1-5-32-544
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Authenticated Users ReadAndExecute - S-1-5-11
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
return $True
|
||||
}
|
||||
return $False
|
||||
}
|
||||
|
|
@ -53,63 +53,14 @@ function Invoke-PostUpdateActions {
|
|||
Write-Log "-> MaxLogFiles/MaxLogSize setting was missing. Fixed with 3/1048576 (in bytes, default is 1048576 = 1 MB)."
|
||||
}
|
||||
|
||||
#Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)!
|
||||
#Check if Local Users have write rights in Mods directory or not
|
||||
$WingetUpdatePath = Get-ItemProperty $regPath -Name InstallLocation -ErrorAction SilentlyContinue
|
||||
$directory = Get-Item -Path "$WingetUpdatePath\mods"
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
#Local Users - S-1-5-32-545
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||
#Translate SID to Locale Name
|
||||
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
|
||||
$userName = $ntAccount.Value
|
||||
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
|
||||
|
||||
$hasWriteAccess = $False
|
||||
|
||||
foreach ($access in $acl.Access) {
|
||||
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
|
||||
$hasWriteAccess = $True
|
||||
break
|
||||
}
|
||||
#Security check
|
||||
Write-Log "-> Checking Mods Directory:" "yellow"
|
||||
$Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods"
|
||||
if ($Protected) {
|
||||
Write-Log "-> The mods directory is now secured!" "green"
|
||||
}
|
||||
|
||||
if ($hasWriteAccess) {
|
||||
#Disable inheritance
|
||||
$acl.SetAccessRuleProtection($True, $True)
|
||||
# Remove any existing rules
|
||||
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
|
||||
#SYSTEM Full - S-1-5-18
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
# Save the updated ACL
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Administrators Full - S-1-5-32-544
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#Authenticated Users ReadAndExecute - S-1-5-11
|
||||
$acl = Get-Acl -Path $directory.FullName
|
||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
|
||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||
$acl.SetAccessRule($rule)
|
||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||
|
||||
#log
|
||||
Write-Log "-> The mods directory is now secured!."
|
||||
|
||||
elseif (!$Protected) {
|
||||
Write-Log "-> The mods directory was already secured!" "green"
|
||||
}
|
||||
|
||||
#Convert about.xml if exists (previous WAU versions) to reg
|
||||
|
|
|
|||
Loading…
Reference in New Issue