All done now!

pull/275/head
KnifMelti 2023-02-05 00:10:32 +01:00
parent a1a427ec25
commit 80f61d9b15
2 changed files with 96 additions and 58 deletions


@ -381,8 +381,26 @@ function Install-WingetAutoUpdate {
} }
#Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)! #Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)!
#Check if Local Users have write rights in Mods directory or not
$directory = Get-Item -Path "$WingetUpdatePath\mods" $directory = Get-Item -Path "$WingetUpdatePath\mods"
$acl = Get-Acl -Path $directory.FullName $acl = Get-Acl -Path $directory.FullName
#Local Users - S-1-5-32-545
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
#Translate SID to Locale Name
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
$userName = $ntAccount.Value
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
$hasWriteAccess = $False
foreach ($access in $acl.Access) {
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
$hasWriteAccess = $True
break
}
}
if ($hasWriteAccess) {
#Disable inheritance #Disable inheritance
$acl.SetAccessRuleProtection($True, $True) $acl.SetAccessRuleProtection($True, $True)
# Remove any existing rules # Remove any existing rules
@ -392,7 +410,7 @@ function Install-WingetAutoUpdate {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule) $acl.SetAccessRule($rule)
# Save the updated ACL # Save the updated ACL
Set-Acl -Path $directory.FullName -AclObject $acl | Out-Null Set-Acl -Path $directory.FullName -AclObject $acl
#Administrators Full - S-1-5-32-544 #Administrators Full - S-1-5-32-544
$acl = Get-Acl -Path $directory.FullName $acl = Get-Acl -Path $directory.FullName
@ -414,6 +432,7 @@ function Install-WingetAutoUpdate {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule) $acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl Set-Acl -Path $directory.FullName -AclObject $acl
}
#Create Shortcuts #Create Shortcuts
if ($StartMenuShortcut) { if ($StartMenuShortcut) {
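Review bot: The new gate in Install-WingetAutoUpdate compares `$access.FileSystemRights -eq $userRights`, an exact match against `Write`, but FileSystemRights is a flags enum, so an ACE that grants Users `Modify` or `FullControl` does not match and `$hasWriteAccess` stays `$False`. In that case the whole ACL reset is now skipped, although those are exactly the cases the security comment is about. The test also ignores `AccessControlType` and any write access granted through other principals that include standard users (for example Authenticated Users). A bitwise test would close the first two gaps: `if ($access.IdentityReference.Value -eq $userName -and $access.AccessControlType -eq 'Allow' -and ($access.FileSystemRights -band $userRights)) {`. The same comparison is repeated in Invoke-PostUpdateActions, and both function bodies start and end outside the hunks.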


@ -54,9 +54,27 @@ function Invoke-PostUpdateActions {
} }
#Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)! #Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)!
#Check if Local Users have write rights in Mods directory or not
$WingetUpdatePath = Get-ItemProperty $regPath -Name InstallLocation -ErrorAction SilentlyContinue $WingetUpdatePath = Get-ItemProperty $regPath -Name InstallLocation -ErrorAction SilentlyContinue
$directory = Get-Item -Path "$WingetUpdatePath\mods" $directory = Get-Item -Path "$WingetUpdatePath\mods"
$acl = Get-Acl -Path $directory.FullName $acl = Get-Acl -Path $directory.FullName
#Local Users - S-1-5-32-545
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
#Translate SID to Locale Name
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
$userName = $ntAccount.Value
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
$hasWriteAccess = $False
foreach ($access in $acl.Access) {
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
$hasWriteAccess = $True
break
}
}
if ($hasWriteAccess) {
#Disable inheritance #Disable inheritance
$acl.SetAccessRuleProtection($True, $True) $acl.SetAccessRuleProtection($True, $True)
# Remove any existing rules # Remove any existing rules
@ -66,7 +84,7 @@ function Invoke-PostUpdateActions {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule) $acl.SetAccessRule($rule)
# Save the updated ACL # Save the updated ACL
Set-Acl -Path $directory.FullName -AclObject $acl | Out-Null Set-Acl -Path $directory.FullName -AclObject $acl
#Administrators Full - S-1-5-32-544 #Administrators Full - S-1-5-32-544
$acl = Get-Acl -Path $directory.FullName $acl = Get-Acl -Path $directory.FullName
@ -88,6 +106,7 @@ function Invoke-PostUpdateActions {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($rule) $acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl Set-Acl -Path $directory.FullName -AclObject $acl
}
#Convert about.xml if exists (previous WAU versions) to reg #Convert about.xml if exists (previous WAU versions) to reg
$WAUAboutPath = "$WorkingDir\config\about.xml" $WAUAboutPath = "$WorkingDir\config\about.xml"
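Review bot: In Invoke-PostUpdateActions the new check fails open when the mods path cannot be resolved: `Get-ItemProperty $regPath -Name InstallLocation` returns an object rather than the path string, so `"$WingetUpdatePath\mods"` may not expand to a real directory unless the value is unwrapped somewhere outside these hunks. If `Get-Item` or `Get-Acl` then yields nothing, the `foreach` never runs, `$hasWriteAccess` stays `$False` and the hardening is skipped without any log entry. Consider reading the value with `$WingetUpdatePath = (Get-ItemProperty $regPath -Name InstallLocation -ErrorAction SilentlyContinue).InstallLocation` and treating an empty `$acl` as needing protection, or at least logging it. The function body starts and ends outside the hunks.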