From c505773f8cf1086664c9094c919ef6c16ba5e14a Mon Sep 17 00:00:00 2001 From: KnifMelti Date: Tue, 7 Feb 2023 20:06:54 +0100 Subject: [PATCH] A bit of error handling in ModsProtect --- Winget-AutoUpdate-Install.ps1 | 7 +- .../functions/Invoke-ModsProtect.ps1 | 107 +++++++++--------- .../functions/Invoke-PostUpdateActions.ps1 | 7 +- 3 files changed, 66 insertions(+), 55 deletions(-) diff --git a/Winget-AutoUpdate-Install.ps1 b/Winget-AutoUpdate-Install.ps1 index 3ab3a11..b836d5a 100644 --- a/Winget-AutoUpdate-Install.ps1 +++ b/Winget-AutoUpdate-Install.ps1 @@ -384,12 +384,15 @@ function Install-WingetAutoUpdate { Write-host "`nChecking Mods Directory:" -ForegroundColor Yellow . "$WingetUpdatePath\functions\Invoke-ModsProtect.ps1" $Protected = Invoke-ModsProtect "$WingetUpdatePath\mods" - if ($Protected) { + if ($Protected -eq $True) { Write-Host "The mods directory is now secured!`n" -ForegroundColor Green } - elseif (!$Protected) { + elseif ($Protected -eq $False) { Write-Host "The mods directory was already secured!`n" -ForegroundColor Green } + else { + Write-Host "Error: The mods directory couldn't be verified as secured!`n" -ForegroundColor Red + } #Create Shortcuts if ($StartMenuShortcut) { diff --git a/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 b/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 index 98eff2e..b800571 100644 --- a/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 +++ b/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 @@ -3,58 +3,63 @@ #Check if Local Users have write rights in Mods directory or not (and take action if necessary): function Invoke-ModsProtect ($ModsPath) { - $directory = Get-Item -Path $ModsPath - $acl = Get-Acl -Path $directory.FullName - #Local Users - S-1-5-32-545 - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") - #Translate SID to Locale Name - $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount]) - $userName = $ntAccount.Value - $userRights = [System.Security.AccessControl.FileSystemRights]"Write" - - $hasWriteAccess = $False - - foreach ($access in $acl.Access) { - if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) { - $hasWriteAccess = $True - break - } - } - - if ($hasWriteAccess) { - #Disable inheritance - $acl.SetAccessRuleProtection($True, $True) - # Remove any existing rules - $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } - #SYSTEM Full - S-1-5-18 - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - # Save the updated ACL - Set-Acl -Path $directory.FullName -AclObject $acl - - #Administrators Full - S-1-5-32-544 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11 + try { + $directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue $acl = Get-Acl -Path $directory.FullName + #Local Users - S-1-5-32-545 $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - #Authenticated Users ReadAndExecute - S-1-5-11 - $acl = Get-Acl -Path $directory.FullName - $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11") - $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") - $acl.SetAccessRule($rule) - Set-Acl -Path $directory.FullName -AclObject $acl - - return $True + #Translate SID to Locale Name + $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount]) + $userName = $ntAccount.Value + $userRights = [System.Security.AccessControl.FileSystemRights]"Write" + + $hasWriteAccess = $False + + foreach ($access in $acl.Access) { + if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) { + $hasWriteAccess = $True + break + } + } + + if ($hasWriteAccess) { + #Disable inheritance + $acl.SetAccessRuleProtection($True, $True) + # Remove any existing rules + $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } + #SYSTEM Full - S-1-5-18 + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") + $acl.SetAccessRule($rule) + # Save the updated ACL + Set-Acl -Path $directory.FullName -AclObject $acl + + #Administrators Full - S-1-5-32-544 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + #Authenticated Users ReadAndExecute - S-1-5-11 + $acl = Get-Acl -Path $directory.FullName + $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11") + $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow") + $acl.SetAccessRule($rule) + Set-Acl -Path $directory.FullName -AclObject $acl + + return $True + } + return $False + } + catch { + return "Error" } - return $False } \ No newline at end of file diff --git a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 index de89e3c..5bfe644 100644 --- a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 +++ b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 @@ -74,12 +74,15 @@ function Invoke-PostUpdateActions { #Security check Write-Log "-> Checking Mods Directory:" "yellow" $Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods" - if ($Protected) { + if ($Protected -eq $True) { Write-Log "-> The mods directory is now secured!" "green" } - elseif (!$Protected) { + elseif ($Protected -eq $False) { Write-Log "-> The mods directory was already secured!" "green" } + else { + Write-Log "-> Error: The mods directory couldn't be verified as secured!" "red" + } #Convert about.xml if exists (previous WAU versions) to reg $WAUAboutPath = "$WorkingDir\config\about.xml"