Done
parent
013e66ebdc
commit
973b578e2e
|
@ -103,9 +103,6 @@ Thanks to [Weatherlights](https://github.com/Weatherlights) in [#256 (reply in t
|
||||||
**-ModsPath**
|
**-ModsPath**
|
||||||
Get Mods from external Path (**URL/UNC/Local**) - download/copy to `mods` in Winget-AutoUpdate installation location if external mods are newer.
|
Get Mods from external Path (**URL/UNC/Local**) - download/copy to `mods` in Winget-AutoUpdate installation location if external mods are newer.
|
||||||
|
|
||||||
Security:
|
|
||||||
If -ModsPath is used during installation WAU assumes it's an enterprise environment and adds a **Deny rule** to the file rights for the directory `mods` for **Local Users** (SID: S-1-5-32-545) making it impossible to implement own scripts that can be executed in **SYSTEM** context.
|
|
||||||
|
|
||||||
For **URL**: This requires a site directory with **Directory Listing Enabled** and no index page overriding the listing of files (or an index page with href listing of all the **Mods** to be downloaded):
|
For **URL**: This requires a site directory with **Directory Listing Enabled** and no index page overriding the listing of files (or an index page with href listing of all the **Mods** to be downloaded):
|
||||||
```
|
```
|
||||||
<ul>
|
<ul>
|
||||||
|
|
|
@ -380,16 +380,40 @@ function Install-WingetAutoUpdate {
|
||||||
Set-Acl -Path $LogFile -AclObject $NewAcl
|
Set-Acl -Path $LogFile -AclObject $NewAcl
|
||||||
}
|
}
|
||||||
|
|
||||||
#Most likely an enterprise with central mods, not a home user
|
#Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)!
|
||||||
if ($ModsPath) {
|
$directory = Get-Item -Path "$WingetUpdatePath\mods"
|
||||||
# Set ReadOnly on Mods Directory for Local Users - Security risk if not done (they could create a script of their own - System Context)!
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
$directory = Get-Item -Path "$WingetUpdatePath\mods"
|
#Disable inheritance
|
||||||
$acl = Get-Acl -Path $directory.FullName
|
$acl.SetAccessRuleProtection($True, $True)
|
||||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
# Remove any existing rules
|
||||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "Write", "Deny")
|
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
|
||||||
$acl.SetAccessRule($rule)
|
#SYSTEM Full - S-1-5-18
|
||||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
|
||||||
}
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
# Save the updated ACL
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl | Out-Null
|
||||||
|
|
||||||
|
#Administrators Full - S-1-5-32-544
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
|
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
|
#Authenticated Users ReadAndExecute - S-1-5-11
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
#Create Shortcuts
|
#Create Shortcuts
|
||||||
if ($StartMenuShortcut) {
|
if ($StartMenuShortcut) {
|
||||||
|
|
|
@ -53,17 +53,41 @@ function Invoke-PostUpdateActions {
|
||||||
Write-Log "-> MaxLogFiles/MaxLogSize setting was missing. Fixed with 3/1048576 (in bytes, default is 1048576 = 1 MB)."
|
Write-Log "-> MaxLogFiles/MaxLogSize setting was missing. Fixed with 3/1048576 (in bytes, default is 1048576 = 1 MB)."
|
||||||
}
|
}
|
||||||
|
|
||||||
#Most likely an enterprise with central mods, not a home user
|
#Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)!
|
||||||
$ModsPath = Get-ItemProperty $regPath -Name WAU_ModsPath -ErrorAction SilentlyContinue
|
$WingetUpdatePath = Get-ItemProperty $regPath -Name InstallLocation -ErrorAction SilentlyContinue
|
||||||
if ($ModsPath) {
|
$directory = Get-Item -Path "$WingetUpdatePath\mods"
|
||||||
# Set ReadOnly on Mods Directory for Local Users - Security risk if not done (they could create a script of their own - System Context)!
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
$directory = Get-Item -Path "$WingetUpdatePath\mods"
|
#Disable inheritance
|
||||||
$acl = Get-Acl -Path $directory.FullName
|
$acl.SetAccessRuleProtection($True, $True)
|
||||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
# Remove any existing rules
|
||||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "Write", "Deny")
|
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
|
||||||
$acl.SetAccessRule($rule)
|
#SYSTEM Full - S-1-5-18
|
||||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
|
||||||
}
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
# Save the updated ACL
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl | Out-Null
|
||||||
|
|
||||||
|
#Administrators Full - S-1-5-32-544
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
|
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
|
#Authenticated Users ReadAndExecute - S-1-5-11
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
#Convert about.xml if exists (previous WAU versions) to reg
|
#Convert about.xml if exists (previous WAU versions) to reg
|
||||||
$WAUAboutPath = "$WorkingDir\config\about.xml"
|
$WAUAboutPath = "$WorkingDir\config\about.xml"
|
||||||
|
|
Loading…
Reference in New Issue