A bit of error handling in ModsProtect
parent
2471438c3b
commit
c505773f8c
|
@ -384,12 +384,15 @@ function Install-WingetAutoUpdate {
|
||||||
Write-host "`nChecking Mods Directory:" -ForegroundColor Yellow
|
Write-host "`nChecking Mods Directory:" -ForegroundColor Yellow
|
||||||
. "$WingetUpdatePath\functions\Invoke-ModsProtect.ps1"
|
. "$WingetUpdatePath\functions\Invoke-ModsProtect.ps1"
|
||||||
$Protected = Invoke-ModsProtect "$WingetUpdatePath\mods"
|
$Protected = Invoke-ModsProtect "$WingetUpdatePath\mods"
|
||||||
if ($Protected) {
|
if ($Protected -eq $True) {
|
||||||
Write-Host "The mods directory is now secured!`n" -ForegroundColor Green
|
Write-Host "The mods directory is now secured!`n" -ForegroundColor Green
|
||||||
}
|
}
|
||||||
elseif (!$Protected) {
|
elseif ($Protected -eq $False) {
|
||||||
Write-Host "The mods directory was already secured!`n" -ForegroundColor Green
|
Write-Host "The mods directory was already secured!`n" -ForegroundColor Green
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
Write-Host "Error: The mods directory couldn't be verified as secured!`n" -ForegroundColor Red
|
||||||
|
}
|
||||||
|
|
||||||
#Create Shortcuts
|
#Create Shortcuts
|
||||||
if ($StartMenuShortcut) {
|
if ($StartMenuShortcut) {
|
||||||
|
|
|
@ -3,58 +3,63 @@
|
||||||
#Check if Local Users have write rights in Mods directory or not (and take action if necessary):
|
#Check if Local Users have write rights in Mods directory or not (and take action if necessary):
|
||||||
|
|
||||||
function Invoke-ModsProtect ($ModsPath) {
|
function Invoke-ModsProtect ($ModsPath) {
|
||||||
$directory = Get-Item -Path $ModsPath
|
try {
|
||||||
$acl = Get-Acl -Path $directory.FullName
|
$directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
|
||||||
#Local Users - S-1-5-32-545
|
|
||||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
|
||||||
#Translate SID to Locale Name
|
|
||||||
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
|
|
||||||
$userName = $ntAccount.Value
|
|
||||||
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
|
|
||||||
|
|
||||||
$hasWriteAccess = $False
|
|
||||||
|
|
||||||
foreach ($access in $acl.Access) {
|
|
||||||
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
|
|
||||||
$hasWriteAccess = $True
|
|
||||||
break
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ($hasWriteAccess) {
|
|
||||||
#Disable inheritance
|
|
||||||
$acl.SetAccessRuleProtection($True, $True)
|
|
||||||
# Remove any existing rules
|
|
||||||
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
|
|
||||||
#SYSTEM Full - S-1-5-18
|
|
||||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
|
|
||||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
|
||||||
$acl.SetAccessRule($rule)
|
|
||||||
# Save the updated ACL
|
|
||||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
|
||||||
|
|
||||||
#Administrators Full - S-1-5-32-544
|
|
||||||
$acl = Get-Acl -Path $directory.FullName
|
|
||||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
|
|
||||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
|
||||||
$acl.SetAccessRule($rule)
|
|
||||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
|
||||||
|
|
||||||
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
|
||||||
$acl = Get-Acl -Path $directory.FullName
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
#Local Users - S-1-5-32-545
|
||||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
#Translate SID to Locale Name
|
||||||
$acl.SetAccessRule($rule)
|
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
|
||||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
$userName = $ntAccount.Value
|
||||||
|
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
|
||||||
|
|
||||||
#Authenticated Users ReadAndExecute - S-1-5-11
|
$hasWriteAccess = $False
|
||||||
$acl = Get-Acl -Path $directory.FullName
|
|
||||||
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
|
|
||||||
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
|
||||||
$acl.SetAccessRule($rule)
|
|
||||||
Set-Acl -Path $directory.FullName -AclObject $acl
|
|
||||||
|
|
||||||
return $True
|
foreach ($access in $acl.Access) {
|
||||||
|
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
|
||||||
|
$hasWriteAccess = $True
|
||||||
|
break
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($hasWriteAccess) {
|
||||||
|
#Disable inheritance
|
||||||
|
$acl.SetAccessRuleProtection($True, $True)
|
||||||
|
# Remove any existing rules
|
||||||
|
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
|
||||||
|
#SYSTEM Full - S-1-5-18
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
# Save the updated ACL
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
|
#Administrators Full - S-1-5-32-544
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
|
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
|
#Authenticated Users ReadAndExecute - S-1-5-11
|
||||||
|
$acl = Get-Acl -Path $directory.FullName
|
||||||
|
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
|
||||||
|
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
|
||||||
|
$acl.SetAccessRule($rule)
|
||||||
|
Set-Acl -Path $directory.FullName -AclObject $acl
|
||||||
|
|
||||||
|
return $True
|
||||||
|
}
|
||||||
|
return $False
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
return "Error"
|
||||||
}
|
}
|
||||||
return $False
|
|
||||||
}
|
}
|
|
@ -74,12 +74,15 @@ function Invoke-PostUpdateActions {
|
||||||
#Security check
|
#Security check
|
||||||
Write-Log "-> Checking Mods Directory:" "yellow"
|
Write-Log "-> Checking Mods Directory:" "yellow"
|
||||||
$Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods"
|
$Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods"
|
||||||
if ($Protected) {
|
if ($Protected -eq $True) {
|
||||||
Write-Log "-> The mods directory is now secured!" "green"
|
Write-Log "-> The mods directory is now secured!" "green"
|
||||||
}
|
}
|
||||||
elseif (!$Protected) {
|
elseif ($Protected -eq $False) {
|
||||||
Write-Log "-> The mods directory was already secured!" "green"
|
Write-Log "-> The mods directory was already secured!" "green"
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
Write-Log "-> Error: The mods directory couldn't be verified as secured!" "red"
|
||||||
|
}
|
||||||
|
|
||||||
#Convert about.xml if exists (previous WAU versions) to reg
|
#Convert about.xml if exists (previous WAU versions) to reg
|
||||||
$WAUAboutPath = "$WorkingDir\config\about.xml"
|
$WAUAboutPath = "$WorkingDir\config\about.xml"
|
||||||
|
|
Loading…
Reference in New Issue