From e9006d43879cc97038f7cffd0884cf40cbb9b3ab Mon Sep 17 00:00:00 2001 From: romanitho <96626929+Romanitho@users.noreply.github.com> Date: Thu, 16 Nov 2023 12:46:31 +0100 Subject: [PATCH] Secure Function folder as well --- Winget-AutoUpdate-Install.ps1 | 15 +++-- .../functions/Invoke-DirProtect.ps1 | 49 ++++++++++++++ .../functions/Invoke-ModsProtect.ps1 | 65 ------------------- .../functions/Invoke-PostUpdateActions.ps1 | 15 +++-- 4 files changed, 69 insertions(+), 75 deletions(-) create mode 100644 Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 delete mode 100644 Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 diff --git a/Winget-AutoUpdate-Install.ps1 b/Winget-AutoUpdate-Install.ps1 index 900a13e..601acad 100644 --- a/Winget-AutoUpdate-Install.ps1 +++ b/Winget-AutoUpdate-Install.ps1 @@ -371,16 +371,21 @@ function Install-WingetAutoUpdate { #Security check Write-ToLog "Checking Mods Directory:" "Yellow" - $Protected = Invoke-ModsProtect "$WAUinstallPath\mods" + $Protected = Invoke-DirProtect "$WAUinstallPath\mods" if ($Protected -eq $True) { - Write-ToLog "-> The mods directory is now secured!`n" "Green" - } - elseif ($Protected -eq $False) { - Write-ToLog "-> The mods directory was already secured!`n" "Green" + Write-ToLog "-> The mods directory is secured!`n" "Green" } else { Write-ToLog "-> Error: The mods directory couldn't be verified as secured!`n" "Red" } + Write-ToLog "Checking Functions Directory:" "Yellow" + $Protected = Invoke-DirProtect "$WAUinstallPath\Functions" + if ($Protected -eq $True) { + Write-ToLog "-> The Functions directory is secured!`n" "Green" + } + else { + Write-ToLog "-> Error: The Functions directory couldn't be verified as secured!`n" "Red" + } #Create Shortcuts if ($StartMenuShortcut) { diff --git a/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 b/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 new file mode 100644 index 0000000..4177ab3 --- /dev/null +++ b/Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 
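Review bot: In `Install-WingetAutoUpdate` (Winget-AutoUpdate-Install.ps1), a failed `Invoke-DirProtect` on `mods` or `Functions` only writes a red log line and then falls through to `#Create Shortcuts`. As far as this hunk shows, the installation carries on even though scripts in a directory that may still be user-writable will later run in System context. The `Invoke-PostUpdateActions` hunk at the end of the patch has the same pattern. Consider treating the `else` branch as fatal, and folding the two copy-pasted checks into one loop such as `foreach ($dir in 'mods', 'Functions') { $Protected = Invoke-DirProtect "$WAUinstallPath\$dir" ... }` so that every protected directory is handled identically. The function starts and ends outside the hunk, so later handling may exist that is not visible here.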
@@ -0,0 +1,49 @@
+#Function to check if a directory is secured.
+#Security: Some directories must be protected (Users could create scripts of their own - then they'll run in System Context)!
+
+function Invoke-DirProtect ($ModsPath) {
+ try {
+ #Get directory
+ $directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
+ $acl = Get-Acl -Path $directory.FullName
+
+ #Disable inheritance
+ $acl.SetAccessRuleProtection($True, $True)
+
+ #Remove any existing rules
+ $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
+
+ #SYSTEM Full - S-1-5-18
+ $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
+ $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
+ $acl.SetAccessRule($rule)
+ # Save the updated ACL
+ Set-Acl -Path $directory.FullName -AclObject $acl
+
+ #Administrators Full - S-1-5-32-544
+ $acl = Get-Acl -Path $directory.FullName
+ $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
+ $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
+ $acl.SetAccessRule($rule)
+ Set-Acl -Path $directory.FullName -AclObject $acl
+
+ #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
+ $acl = Get-Acl -Path $directory.FullName
+ $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
+ $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
+ $acl.SetAccessRule($rule)
+ Set-Acl -Path $directory.FullName -AclObject $acl
+
+ #Authenticated Users ReadAndExecute - S-1-5-11
+ $acl = Get-Acl -Path $directory.FullName
+ $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
+ $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
+ $acl.SetAccessRule($rule)
+ Set-Acl -Path $directory.FullName -AclObject $acl
+
+ return $True
+ }
+ catch {
+ return $false
+ }
+}
\ No newline at end of file
diff --git a/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1 b/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1
deleted file mode 100644
index 1b56707..0000000
--- a/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1
+++ /dev/null
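Review bot: `Invoke-DirProtect` returns `$True` whenever no terminating error is thrown, but none of the `Get-Acl`/`Set-Acl` calls carries `-ErrorAction Stop`; unless `$ErrorActionPreference` is set to `Stop` elsewhere, a non-terminating failure (for example an access-denied `Set-Acl`) would skip the `catch` and the caller would log the directory as secured. Adding `$ErrorActionPreference = 'Stop'` as the first statement inside the `try` closes that gap. Separately, `SetAccessRuleProtection($True, $True)` keeps the inherited rules, and the `RemoveAccessRule` loop may not drop entries that are still marked inherited in the in-memory ACL, so ACEs for principals other than the four SIDs set below could survive; `SetAccessRuleProtection($True, $False)` discards them outright, and re-reading the ACL before `return $True` would confirm the result. The parameter is still named `$ModsPath` although the function is now generic; `$Path` would read better, and the positional callers shown in this patch are unaffected.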
@@ -1,65 +0,0 @@
-#Function to check if the mods directory is secured.
-#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!
-#Check if Local Users have write rights in Mods directory or not (and take action if necessary):
-
-function Invoke-ModsProtect ($ModsPath) {
- try {
- $directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
- $acl = Get-Acl -Path $directory.FullName
- #Local Users - S-1-5-32-545
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
- #Translate SID to Locale Name
- $ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
- $userName = $ntAccount.Value
- $userRights = [System.Security.AccessControl.FileSystemRights]"Write"
-
- $hasWriteAccess = $False
-
- foreach ($access in $acl.Access) {
- if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
- $hasWriteAccess = $True
- break
- }
- }
-
- if ($hasWriteAccess) {
- #Disable inheritance
- $acl.SetAccessRuleProtection($True, $True)
- # Remove any existing rules
- $acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
- #SYSTEM Full - S-1-5-18
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
- # Save the updated ACL
- Set-Acl -Path $directory.FullName -AclObject $acl
-
- #Administrators Full - S-1-5-32-544
- $acl = Get-Acl -Path $directory.FullName
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
- Set-Acl -Path $directory.FullName -AclObject $acl
-
- #Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
- $acl = Get-Acl -Path $directory.FullName
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
- Set-Acl -Path $directory.FullName -AclObject $acl
-
- #Authenticated Users ReadAndExecute - S-1-5-11
- $acl = Get-Acl -Path $directory.FullName
- $userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
- $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
- $acl.SetAccessRule($rule)
- Set-Acl -Path $directory.FullName -AclObject $acl
-
- return $True
- }
- return $False
- }
- catch {
- return "Error"
- }
-}
\ No newline at end of file
diff --git a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1 b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1
index 79ebeec..2b510de 100644
--- a/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1
+++ b/Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1
@@ -77,16 +77,21 @@ function Invoke-PostUpdateActions { #Security check Write-ToLog "-> Checking Mods Directory:" "yellow" - $Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods" + $Protected = Invoke-DirProtect "$($WAUConfig.InstallLocation)\mods" if ($Protected -eq $True) { - Write-ToLog "-> The mods directory is now secured!" "green" - } - elseif ($Protected -eq $False) { - Write-ToLog "-> The mods directory was already secured!" "green" + Write-ToLog "-> The mods directory is secured!" "green" } else { Write-ToLog "-> Error: The mods directory couldn't be verified as secured!" "red" } + Write-ToLog "-> Checking Functions Directory:" "yellow" + $Protected = Invoke-DirProtect "$($WAUConfig.InstallLocation)\Functions" + if ($Protected -eq $True) { + Write-ToLog "-> The Functions directory is secured!" "green" + } + else { + Write-ToLog "-> Error: The Functions directory couldn't be verified as secured!" "red" + } #Convert about.xml if exists (old WAU versions) to reg $WAUAboutPath = "$WorkingDir\config\about.xml"