From c83f030b75bd2c46334f3e0d04d2cd1dda4c6d45 Mon Sep 17 00:00:00 2001
From: Romain <96626929+Romanitho@users.noreply.github.com>
Date: Tue, 24 Sep 2024 00:31:50 +0200
Subject: [PATCH 1/2] Setting ACL
---
 .../config/WAU-MSI_Actions.ps1 | 51 ++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/Sources/Winget-AutoUpdate/config/WAU-MSI_Actions.ps1 b/Sources/Winget-AutoUpdate/config/WAU-MSI_Actions.ps1
index 234ba2b..dae4fd8 100644
--- a/Sources/Winget-AutoUpdate/config/WAU-MSI_Actions.ps1
+++ b/Sources/Winget-AutoUpdate/config/WAU-MSI_Actions.ps1
@@ -15,6 +15,20 @@ Write-Output "Uninstall: $Uninstall"
 <# FUNCTIONS #>
+function Add-ACLRule {
+ param (
+ [System.Security.AccessControl.DirectorySecurity]$acl,
+ [string]$sid,
+ [string]$access,
+ [string]$inheritance = "ContainerInherit,ObjectInherit",
+ [string]$propagation = "None",
+ [string]$type = "Allow"
+ )
+ $userSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
+ $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, $access, $inheritance, $propagation, $type)
+ $acl.SetAccessRule($rule)
+}
+
 function Install-WingetAutoUpdate {
 Write-Host "### Post install actions ###"
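Review bot: Add-ACLRule has no comment-based help, and its two non-obvious properties go undocumented: it only edits the in-memory `$acl` object, so the caller must still call `Set-Acl` to persist anything, and, as I read the .NET API, `SetAccessRule` replaces an existing rule for the same identity and access-control type rather than adding a second one. A short header would make both explicit, e.g. `# Adds or replaces an access rule for $sid on the in-memory $acl (Allow by default); the caller persists it with Set-Acl.` Since `$type` defaults to "Allow" and every call site in this patch relies on that default, the help should also state that a Deny entry requires passing `-type Deny` explicitly. The function is complete within the hunk; the following Install-WingetAutoUpdate continues outside it.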
@@ -106,7 +120,42 @@ function Install-WingetAutoUpdate {
 Copy-Item -Path $AppListPath -Destination $InstallPath
 }
- #Add 1 to counter file
+ #Secure folders if not installed to ProgramFiles
+ if ($InstallPath -notlike "$env:ProgramFiles*") {
+
+ Write-Output "-> Securing functions and mods folders"
+ $directories = @("$InstallPath\functions", "$InstallPath\mods")
+
+ foreach ($directory in $directories) {
+ try {
+ #Get dir
+ $dirPath = Get-Item -Path $directory
+ #Get ACL
+ $acl = Get-Acl -Path $dirPath.FullName
+ #Disable inheritance
+ $acl.SetAccessRuleProtection($True, $True)
+ #Remove any existing rules
+ $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
+
+ # Add new ACL rules
+ Add-ACLRule -acl $acl -sid "S-1-5-18" -access "FullControl" # SYSTEM Full
+ Add-ACLRule -acl $acl -sid "S-1-5-32-544" -access "FullControl" # Administrators Full
+ Add-ACLRule -acl $acl -sid "S-1-5-32-545" -access "ReadAndExecute" # Local Users ReadAndExecute
+ Add-ACLRule -acl $acl -sid "S-1-5-11" -access "ReadAndExecute" # Authenticated Users ReadAndExecute
+
+ # Save the updated ACL to the directory
+ Set-Acl -Path $dirPath.FullName -AclObject $acl
+
+ Write-Host "Permissions for '$directory' have been updated successfully."
+ }
+ catch {
+ Write-Host "Error setting ACL for '$directory' : $($_.Exception.Message)"
+ }
+ }
+
+ }
+
+ #Add 1 to Github counter file
 try {
 Invoke-RestMethod -Uri "https://github.com/Romanitho/Winget-AutoUpdate/releases/download/v$($WAUconfig.ProductVersion)/WAU_InstallCounter" | Out-Null
 Write-Host "-> Reported installation."
From 997779e87e029e5984e17df5f9182f0137960c34 Mon Sep 17 00:00:00 2001
From: Romain <96626929+Romanitho@users.noreply.github.com>
Date: Tue, 24 Sep 2024 00:35:34 +0200
Subject: [PATCH 2/2] Delete Invoke-DirProtect.ps1
---
 .../functions/Invoke-DirProtect.ps1 | 49 -------------------
 1 file changed, 49 deletions(-)
 delete mode 100644 Sources/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1
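Review bot: Only `$InstallPath\functions` and `$InstallPath\mods` receive the protected ACL, while `$InstallPath` itself (which this same function populates, see the `Copy-Item` of the app list just above) keeps whatever ACL it inherited; a principal with modify rights on the parent directory can rename or recreate those two subfolders, so hardening them alone does not deliver the protection the deleted Invoke-DirProtect header describes ("Users could create scripts of their own - then they'll run in System Context"). Consider adding the install root to `$directories`, or at least removing write and delete rights for Users and Authenticated Users on it, after confirming nothing that runs as a standard user needs to write there. The `catch` branch also fails open: a `Set-Acl` error is only written with Write-Host and installation proceeds with the folder still writable, so at minimum record it, e.g. `$aclError = $true`, and surface it as an installer failure (Write-Error or a non-zero exit) rather than a success message. `Get-Item -Path $directory` without `-ErrorAction Stop` is non-terminating, so a missing folder most likely only shows up as a misleading null-path error from `Get-Acl` in the catch; `Get-Item -Path $directory -ErrorAction Stop` reports the real cause. Install-WingetAutoUpdate starts and ends outside this hunk.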
diff --git a/Sources/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 b/Sources/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1
deleted file mode 100644
index 169f955..0000000
--- a/Sources/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1
+++ /dev/null
@@ -1,49 +0,0 @@
-#Function to check if a directory is secured.
-#Security: Some directories must be protected (Users could create scripts of their own - then they'll run in System Context)!
-
-function Invoke-DirProtect ($ModsPath) {
- try {
- #Get directory
- $directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
- $acl = Get-Acl -Path $directory.FullName
-
- #Disable inheritance
- $acl.SetAccessRuleProtection($True, $True)
-
- #Remove any existing rules
- $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
-
- #SYSTEM Full - S-1-5-18
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
- # Save the updated ACL
- Set-Acl -Path $directory.FullName -AclObject $acl
-
- #Administrators Full - S-1-5-32-544
- $acl = Get-Acl -Path $directory.FullName
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
- Set-Acl -Path $directory.FullName -AclObject $acl
-
- #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
- $acl = Get-Acl -Path $directory.FullName
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
- Set-Acl -Path $directory.FullName -AclObject $acl
-
- #Authenticated Users ReadAndExecute - S-1-5-11
- $acl = Get-Acl -Path $directory.FullName
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
- Set-Acl -Path $directory.FullName -AclObject $acl
-
- return $True
- }
- catch {
- return $false
- }
-}