A bit of error handling in ModsProtect

2023-02-07 20:06:54 +01:00 · 2023-02-07 20:06:54 +01:00 · c505773f8c
parent 2471438c3b
commit c505773f8c
3 changed files with 66 additions and 55 deletions
--- a/Winget-AutoUpdate-Install.ps1
+++ b/Winget-AutoUpdate-Install.ps1
@ -384,12 +384,15 @@ function Install-WingetAutoUpdate {
        Write-host "`nChecking Mods Directory:" -ForegroundColor Yellow
        . "$WingetUpdatePath\functions\Invoke-ModsProtect.ps1"
        $Protected = Invoke-ModsProtect "$WingetUpdatePath\mods"
-        if ($Protected) {
+        if ($Protected -eq $True) {
            Write-Host "The mods directory is now secured!`n" -ForegroundColor Green
        }
-        elseif (!$Protected) {
+        elseif ($Protected -eq $False) {
            Write-Host "The mods directory was already secured!`n" -ForegroundColor Green
        }
+        else {
+            Write-Host "Error: The mods directory couldn't be verified as secured!`n" -ForegroundColor Red
+        }
                        
        #Create Shortcuts
        if ($StartMenuShortcut) {
--- a/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1
+++ b/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1
@ -3,58 +3,63 @@
 #Check if Local Users have write rights in Mods directory or not (and take action if necessary):

 function Invoke-ModsProtect ($ModsPath) {
-    $directory = Get-Item -Path $ModsPath
-    $acl = Get-Acl -Path $directory.FullName
-    #Local Users - S-1-5-32-545
-    $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
-    #Translate SID to Locale Name
-    $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
-    $userName = $ntAccount.Value
-    $userRights = [System.Security.AccessControl.FileSystemRights]"Write"
-    
-    $hasWriteAccess = $False
-    
-    foreach ($access in $acl.Access) {
-        if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
-            $hasWriteAccess = $True
-            break
-        }
-    }
-    
-    if ($hasWriteAccess) {
-        #Disable inheritance
-        $acl.SetAccessRuleProtection($True, $True)
-        # Remove any existing rules
-        $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
-        #SYSTEM Full - S-1-5-18
-        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
-        $acl.SetAccessRule($rule)
-        # Save the updated ACL
-        Set-Acl -Path $directory.FullName -AclObject $acl
-
-        #Administrators Full - S-1-5-32-544
-        $acl = Get-Acl -Path $directory.FullName
-        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
-        $acl.SetAccessRule($rule)
-        Set-Acl -Path $directory.FullName -AclObject $acl
-        
-        #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
+    try {
+        $directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
        $acl = Get-Acl -Path $directory.FullName
+        #Local Users - S-1-5-32-545
        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
-        $acl.SetAccessRule($rule)
-        Set-Acl -Path $directory.FullName -AclObject $acl
-
-        #Authenticated Users ReadAndExecute - S-1-5-11
-        $acl = Get-Acl -Path $directory.FullName
-        $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
-        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
-        $acl.SetAccessRule($rule)
-        Set-Acl -Path $directory.FullName -AclObject $acl
-
-        return $True
+        #Translate SID to Locale Name
+        $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
+        $userName = $ntAccount.Value
+        $userRights = [System.Security.AccessControl.FileSystemRights]"Write"
+        
+        $hasWriteAccess = $False
+        
+        foreach ($access in $acl.Access) {
+            if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
+                $hasWriteAccess = $True
+                break
+            }
+        }
+        
+        if ($hasWriteAccess) {
+            #Disable inheritance
+            $acl.SetAccessRuleProtection($True, $True)
+            # Remove any existing rules
+            $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
+            #SYSTEM Full - S-1-5-18
+            $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
+            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
+            $acl.SetAccessRule($rule)
+            # Save the updated ACL
+            Set-Acl -Path $directory.FullName -AclObject $acl
+    
+            #Administrators Full - S-1-5-32-544
+            $acl = Get-Acl -Path $directory.FullName
+            $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
+            $acl.SetAccessRule($rule)
+            Set-Acl -Path $directory.FullName -AclObject $acl
+            
+            #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
+            $acl = Get-Acl -Path $directory.FullName
+            $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
+            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
+            $acl.SetAccessRule($rule)
+            Set-Acl -Path $directory.FullName -AclObject $acl
+    
+            #Authenticated Users ReadAndExecute - S-1-5-11
+            $acl = Get-Acl -Path $directory.FullName
+            $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
+            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute","ContainerInherit,ObjectInherit","None","Allow")
+            $acl.SetAccessRule($rule)
+            Set-Acl -Path $directory.FullName -AclObject $acl
+    
+            return $True
+        }
+        return $False
+    }
+    catch {
+        return "Error"
    }
-    return $False
 }
--- a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1
+++ b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1
@ -74,12 +74,15 @@ function Invoke-PostUpdateActions {
    #Security check
    Write-Log "-> Checking Mods Directory:" "yellow"
    $Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods"
-    if ($Protected) {
+    if ($Protected -eq $True) {
        Write-Log "-> The mods directory is now secured!" "green"
    }
-    elseif (!$Protected) {
+    elseif ($Protected -eq $False) {
        Write-Log "-> The mods directory was already secured!" "green"
    }
+    else {
+        Write-Log "-> Error: The mods directory couldn't be verified as secured!" "red"
+    }

    #Convert about.xml if exists (previous WAU versions) to reg
    $WAUAboutPath = "$WorkingDir\config\about.xml"