Done

2023-02-04 04:17:35 +01:00 · 2023-02-04 04:17:35 +01:00 · 973b578e2e
parent 013e66ebdc
commit 973b578e2e
3 changed files with 69 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -103,9 +103,6 @@ Thanks to [Weatherlights](https://github.com/Weatherlights) in [#256 (reply in t
 **-ModsPath**  
 Get Mods from external Path (**URL/UNC/Local**) - download/copy to `mods` in Winget-AutoUpdate installation location if external mods are newer.  

-Security:  
-If -ModsPath is used during installation WAU assumes it's an enterprise environment and adds a **Deny rule** to the file rights for the directory `mods` for **Local Users** (SID: S-1-5-32-545) making it impossible to implement own scripts that can be executed in **SYSTEM** context.
-
 For **URL**: This requires a site directory with **Directory Listing Enabled** and no index page overriding the listing of files (or an index page with href listing of all the **Mods** to be downloaded):  
 ```
 <ul>
--- a/Winget-AutoUpdate-Install.ps1
+++ b/Winget-AutoUpdate-Install.ps1
@ -380,16 +380,40 @@ function Install-WingetAutoUpdate {
            Set-Acl -Path $LogFile -AclObject $NewAcl
        }

-        #Most likely an enterprise with central mods, not a home user
-        if ($ModsPath) {
-            # Set ReadOnly on Mods Directory for Local Users - Security risk if not done (they could create a script of their own - System Context)!
-            $directory = Get-Item -Path "$WingetUpdatePath\mods"
-            $acl = Get-Acl -Path $directory.FullName
-            $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
-            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "Write", "Deny")
-            $acl.SetAccessRule($rule)
-            Set-Acl -Path $directory.FullName -AclObject $acl
-        }
+        #Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)!
+        $directory = Get-Item -Path "$WingetUpdatePath\mods"
+        $acl = Get-Acl -Path $directory.FullName
+        #Disable inheritance
+        $acl.SetAccessRuleProtection($True, $True)
+        # Remove any existing rules
+        $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
+        #SYSTEM Full - S-1-5-18
+        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
+        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
+        $acl.SetAccessRule($rule)
+        # Save the updated ACL
+        Set-Acl -Path $directory.FullName -AclObject $acl | Out-Null
+
+        #Administrators Full - S-1-5-32-544
+        $acl = Get-Acl -Path $directory.FullName
+        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
+        $acl.SetAccessRule($rule)
+        Set-Acl -Path $directory.FullName -AclObject $acl
+        
+        #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
+        $acl = Get-Acl -Path $directory.FullName
+        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
+        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
+        $acl.SetAccessRule($rule)
+        Set-Acl -Path $directory.FullName -AclObject $acl
+
+        #Authenticated Users ReadAndExecute - S-1-5-11
+        $acl = Get-Acl -Path $directory.FullName
+        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
+        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
+        $acl.SetAccessRule($rule)
+        Set-Acl -Path $directory.FullName -AclObject $acl

        #Create Shortcuts
        if ($StartMenuShortcut) {
--- a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1
+++ b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1
@ -53,17 +53,41 @@ function Invoke-PostUpdateActions {
        Write-Log "-> MaxLogFiles/MaxLogSize setting was missing. Fixed with 3/1048576 (in bytes, default is 1048576 = 1 MB)."
    }

-    #Most likely an enterprise with central mods, not a home user
-    $ModsPath = Get-ItemProperty $regPath -Name WAU_ModsPath -ErrorAction SilentlyContinue
-    if ($ModsPath) {
-        # Set ReadOnly on Mods Directory for Local Users - Security risk if not done (they could create a script of their own - System Context)!
-        $directory = Get-Item -Path "$WingetUpdatePath\mods"
-        $acl = Get-Acl -Path $directory.FullName
-        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "Write", "Deny")
-        $acl.SetAccessRule($rule)
-        Set-Acl -Path $directory.FullName -AclObject $acl
-    }
+    #Security: Mods directory must be protected (Users could create scripts of their own - then they're run in System Context)!
+    $WingetUpdatePath = Get-ItemProperty $regPath -Name InstallLocation -ErrorAction SilentlyContinue
+    $directory = Get-Item -Path "$WingetUpdatePath\mods"
+    $acl = Get-Acl -Path $directory.FullName
+    #Disable inheritance
+    $acl.SetAccessRuleProtection($True, $True)
+    # Remove any existing rules
+    $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
+    #SYSTEM Full - S-1-5-18
+    $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
+    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
+    $acl.SetAccessRule($rule)
+    # Save the updated ACL
+    Set-Acl -Path $directory.FullName -AclObject $acl | Out-Null
+
+    #Administrators Full - S-1-5-32-544
+    $acl = Get-Acl -Path $directory.FullName
+    $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
+    $acl.SetAccessRule($rule)
+    Set-Acl -Path $directory.FullName -AclObject $acl
+    
+    #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
+    $acl = Get-Acl -Path $directory.FullName
+    $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
+    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
+    $acl.SetAccessRule($rule)
+    Set-Acl -Path $directory.FullName -AclObject $acl
+
+    #Authenticated Users ReadAndExecute - S-1-5-11
+    $acl = Get-Acl -Path $directory.FullName
+    $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
+    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
+    $acl.SetAccessRule($rule)
+    Set-Acl -Path $directory.FullName -AclObject $acl

    #Convert about.xml if exists (previous WAU versions) to reg
    $WAUAboutPath = "$WorkingDir\config\about.xml"