diff --git a/Winget-AutoUpdate-Install.ps1 b/Winget-AutoUpdate-Install.ps1 index 900a13e..7f9dd4b 100644 --- a/Winget-AutoUpdate-Install.ps1 +++ b/Winget-AutoUpdate-Install.ps1 @@ -119,7 +119,7 @@ param( <# FUNCTIONS #> #Include external Functions -. "$PSScriptRoot\Winget-AutoUpdate\functions\Invoke-ModsProtect.ps1" +. "$PSScriptRoot\Winget-AutoUpdate\functions\Invoke-DirProtect.ps1" . "$PSScriptRoot\Winget-AutoUpdate\functions\Update-WinGet.ps1" . "$PSScriptRoot\Winget-AutoUpdate\functions\Update-StoreApps.ps1" . "$PSScriptRoot\Winget-AutoUpdate\functions\Add-Shortcut.ps1" @@ -371,16 +371,21 @@ function Install-WingetAutoUpdate { #Security check Write-ToLog "Checking Mods Directory:" "Yellow" - $Protected = Invoke-ModsProtect "$WAUinstallPath\mods" + $Protected = Invoke-DirProtect "$WAUinstallPath\mods" if ($Protected -eq $True) { - Write-ToLog "-> The mods directory is now secured!`n" "Green" - } - elseif ($Protected -eq $False) { - Write-ToLog "-> The mods directory was already secured!`n" "Green" + Write-ToLog "-> The mods directory is secured!`n" "Green" } else { Write-ToLog "-> Error: The mods directory couldn't be verified as secured!`n" "Red" } + Write-ToLog "Checking Functions Directory:" "Yellow" + $Protected = Invoke-DirProtect "$WAUinstallPath\Functions" + if ($Protected -eq $True) { + Write-ToLog "-> The Functions directory is secured!`n" "Green" + } + else { + Write-ToLog "-> Error: The Functions directory couldn't be verified as secured!`n" "Red" + } #Create Shortcuts if ($StartMenuShortcut) { diff --git a/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 b/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 new file mode 100644 index 0000000..4177ab3 --- /dev/null +++ b/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 @@ -0,0 +1,49 @@ +#Function to check if a directory is secured. +#Security: Some directories must be protected (Users could create scripts of their own - then they'll run in System Context)! + +function Invoke-DirProtect ($ModsPath) { + try { + #Get directory + $directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue + $acl = Get-Acl -Path $directory.FullName + + #Disable inheritance + $acl.SetAccessRuleProtection($True, $True) + + #Remove any existing rules + $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } + + #SYSTEM Full - S-1-5-18 + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") + $acl.SetAccessRule($rule) + # Save the updated ACL + Set-Acl -Path $directory.FullName -AclObject $acl + + #Administrators Full - S-1-5-32-544 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + #Authenticated Users ReadAndExecute - S-1-5-11 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + return $True + } + catch { + return $false + } +} \ No newline at end of file diff --git a/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 b/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 deleted file mode 100644 index 1b56707..0000000 --- a/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 +++ /dev/null @@ -1,65 +0,0 @@ -#Function to check if the mods directory is secured. -#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)! -#Check if Local Users have write rights in Mods directory or not (and take action if necessary): - -function Invoke-ModsProtect ($ModsPath) { - try { - $directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue - $acl = Get-Acl -Path $directory.FullName - #Local Users - S-1-5-32-545 - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") - #Translate SID to Locale Name - $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount]) - $userName = $ntAccount.Value - $userRights = [System.Security.AccessControl.FileSystemRights]"Write" - - $hasWriteAccess = $False - - foreach ($access in $acl.Access) { - if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) { - $hasWriteAccess = $True - break - } - } - - if ($hasWriteAccess) { - #Disable inheritance - $acl.SetAccessRuleProtection($True, $True) - # Remove any existing rules - $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } - #SYSTEM Full - S-1-5-18 - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") - $acl.SetAccessRule($rule) - # Save the updated ACL - Set-Acl -Path $directory.FullName -AclObject $acl - - #Administrators Full - S-1-5-32-544 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #Authenticated Users ReadAndExecute - S-1-5-11 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - return $True - } - return $False - } - catch { - return "Error" - } -} \ No newline at end of file diff --git a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 index 79ebeec..edbc824 100644 --- a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 +++ b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 @@ -77,16 +77,21 @@ function Invoke-PostUpdateActions { #Security check Write-ToLog "-> Checking Mods Directory:" "yellow" - $Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods" + $Protected = Invoke-DirProtect "$($WAUConfig.InstallLocation)\mods" if ($Protected -eq $True) { - Write-ToLog "-> The mods directory is now secured!" "green" - } - elseif ($Protected -eq $False) { - Write-ToLog "-> The mods directory was already secured!" "green" + Write-ToLog "-> The mods directory is secured!" "green" } else { Write-ToLog "-> Error: The mods directory couldn't be verified as secured!" "red" } + Write-ToLog "-> Checking Functions Directory:" "yellow" + $Protected = Invoke-DirProtect "$($WAUConfig.InstallLocation)\Functions" + if ($Protected -eq $True) { + Write-ToLog "-> The Functions directory is secured!" "green" + } + else { + Write-ToLog "-> Error: The Functions directory couldn't be verified as secured!" "red" + } #Convert about.xml if exists (old WAU versions) to reg $WAUAboutPath = "$WorkingDir\config\about.xml" @@ -125,6 +130,7 @@ function Invoke-PostUpdateActions { "$WorkingDir\functions\Get-WAUUpdateStatus.ps1", "$WorkingDir\functions\Write-Log.ps1", "$WorkingDir\functions\Get-WinGetAvailableVersion.ps1", + "$WorkingDir\functions\Invoke-DirProtect.ps1", "$WorkingDir\Version.txt" ) foreach ($FileName in $FileNames) {