Merge pull request #712 from Romanitho/security

Security
2024-09-24 00:48:08 +02:00 · 2024-09-24 00:48:08 +02:00 · 8a03d3f0e5
parent 4df1d9fa72 997779e87e
commit 8a03d3f0e5
2 changed files with 50 additions and 50 deletions
--- a/Sources/Winget-AutoUpdate/config/WAU-MSI_Actions.ps1
+++ b/Sources/Winget-AutoUpdate/config/WAU-MSI_Actions.ps1
@ -15,6 +15,20 @@ Write-Output "Uninstall:    $Uninstall"

 <# FUNCTIONS #>

+function Add-ACLRule {
+    param (
+        [System.Security.AccessControl.DirectorySecurity]$acl,
+        [string]$sid,
+        [string]$access,
+        [string]$inheritance = "ContainerInherit,ObjectInherit",
+        [string]$propagation = "None",
+        [string]$type = "Allow"
+    )
+    $userSID = New-Object System.Security.Principal.SecurityIdentifier($sid)
+    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, $access, $inheritance, $propagation, $type)
+    $acl.SetAccessRule($rule)
+}
+
 function Install-WingetAutoUpdate {

    Write-Host "### Post install actions ###"
@ -106,7 +120,42 @@ function Install-WingetAutoUpdate {
            Copy-Item -Path $AppListPath -Destination $InstallPath
        }

-        #Add 1 to counter file
+        #Secure folders if not installed to ProgramFiles
+        if ($InstallPath -notlike "$env:ProgramFiles*") {
+
+            Write-Output "-> Securing functions and mods folders"
+            $directories = @("$InstallPath\functions", "$InstallPath\mods")
+
+            foreach ($directory in $directories) {
+                try {
+                    #Get dir
+                    $dirPath = Get-Item -Path $directory
+                    #Get ACL
+                    $acl = Get-Acl -Path $dirPath.FullName
+                    #Disable inheritance
+                    $acl.SetAccessRuleProtection($True, $True)
+                    #Remove any existing rules
+                    $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
+
+                    # Add new ACL rules
+                    Add-ACLRule -acl $acl -sid "S-1-5-18" -access "FullControl"         # SYSTEM Full
+                    Add-ACLRule -acl $acl -sid "S-1-5-32-544" -access "FullControl"     # Administrators Full
+                    Add-ACLRule -acl $acl -sid "S-1-5-32-545" -access "ReadAndExecute"  # Local Users ReadAndExecute
+                    Add-ACLRule -acl $acl -sid "S-1-5-11" -access "ReadAndExecute"      # Authenticated Users ReadAndExecute
+
+                    # Save the updated ACL to the directory
+                    Set-Acl -Path $dirPath.FullName -AclObject $acl
+
+                    Write-Host "Permissions for '$directory' have been updated successfully."
+                }
+                catch {
+                    Write-Host "Error setting ACL for '$directory' : $($_.Exception.Message)"
+                }
+            }
+
+        }
+
+        #Add 1 to Github counter file
        try {
            Invoke-RestMethod -Uri "https://github.com/Romanitho/Winget-AutoUpdate/releases/download/v$($WAUconfig.ProductVersion)/WAU_InstallCounter" | Out-Null
            Write-Host "-> Reported installation."
--- a/Sources/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1
+++ b/Sources/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1
@ -1,49 +0,0 @@
-#Function to check if a directory is secured.
-#Security: Some directories must be protected (Users could create scripts of their own - then they'll run in System Context)!
-
-function Invoke-DirProtect ($ModsPath) {
-    try {
-        #Get directory
-        $directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
-        $acl = Get-Acl -Path $directory.FullName
-
-        #Disable inheritance
-        $acl.SetAccessRuleProtection($True, $True)
-
-        #Remove any existing rules
-        $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
-
-        #SYSTEM Full - S-1-5-18
-        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
-        $acl.SetAccessRule($rule)
-        # Save the updated ACL
-        Set-Acl -Path $directory.FullName -AclObject $acl
-
-        #Administrators Full - S-1-5-32-544
-        $acl = Get-Acl -Path $directory.FullName
-        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
-        $acl.SetAccessRule($rule)
-        Set-Acl -Path $directory.FullName -AclObject $acl
-
-        #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
-        $acl = Get-Acl -Path $directory.FullName
-        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
-        $acl.SetAccessRule($rule)
-        Set-Acl -Path $directory.FullName -AclObject $acl
-
-        #Authenticated Users ReadAndExecute - S-1-5-11
-        $acl = Get-Acl -Path $directory.FullName
-        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
-        $acl.SetAccessRule($rule)
-        Set-Acl -Path $directory.FullName -AclObject $acl
-
-        return $True
-    }
-    catch {
-        return $false
-    }
-}