cristiancmoises
/
wingetautoupdate
mirror of https://github.com/Romanitho/Winget-AutoUpdate
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Secure Function folder as well

pull/483/head
romanitho 2023-11-16 12:46:31 +01:00
parent c52e8c2230
commit e9006d4387
4 changed files with 69 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
Winget-AutoUpdate-Install.ps1
View File

@ -371,16 +371,21 @@ function Install-WingetAutoUpdate {
#Security check #Security check
Write-ToLog "Checking Mods Directory:" "Yellow" Write-ToLog "Checking Mods Directory:" "Yellow"
$Protected = Invoke-ModsProtect "$WAUinstallPath\mods" $Protected = Invoke-DirProtect "$WAUinstallPath\mods"
if ($Protected -eq $True) { if ($Protected -eq $True) {
Write-ToLog "-> The mods directory is now secured!`n" "Green" Write-ToLog "-> The mods directory is secured!`n" "Green"
}
elseif ($Protected -eq $False) {
Write-ToLog "-> The mods directory was already secured!`n" "Green"
} }
else { else {
Write-ToLog "-> Error: The mods directory couldn't be verified as secured!`n" "Red" Write-ToLog "-> Error: The mods directory couldn't be verified as secured!`n" "Red"
} }
Write-ToLog "Checking Functions Directory:" "Yellow"
$Protected = Invoke-DirProtect "$WAUinstallPath\Functions"
if ($Protected -eq $True) {
Write-ToLog "-> The Functions directory is secured!`n" "Green"
}
else {
Write-ToLog "-> Error: The Functions directory couldn't be verified as secured!`n" "Red"
}
#Create Shortcuts #Create Shortcuts
if ($StartMenuShortcut) { if ($StartMenuShortcut) {

49
Winget-AutoUpdate/functions/Invoke-DirProtect.ps1 Normal file
View File

@ -0,0 +1,49 @@
#Function to check if a directory is secured.
#Security: Some directories must be protected (Users could create scripts of their own - then they'll run in System Context)!
function Invoke-DirProtect ($ModsPath) {
try {
#Get directory
$directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
$acl = Get-Acl -Path $directory.FullName
#Disable inheritance
$acl.SetAccessRuleProtection($True, $True)
#Remove any existing rules
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
#SYSTEM Full - S-1-5-18
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
# Save the updated ACL
Set-Acl -Path $directory.FullName -AclObject $acl
#Administrators Full - S-1-5-32-544
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#Authenticated Users ReadAndExecute - S-1-5-11
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
return $True
}
catch {
return $false
}
}

65
Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1
View File

@ -1,65 +0,0 @@
#Function to check if the mods directory is secured.
#Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!
#Check if Local Users have write rights in Mods directory or not (and take action if necessary):
function Invoke-ModsProtect ($ModsPath) {
try {
$directory = Get-Item -Path $ModsPath -ErrorAction SilentlyContinue
$acl = Get-Acl -Path $directory.FullName
#Local Users - S-1-5-32-545
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
#Translate SID to Locale Name
$ntAccount = $userSID.Translate([System.Security.Principal.NTAccount])
$userName = $ntAccount.Value
$userRights = [System.Security.AccessControl.FileSystemRights]"Write"
$hasWriteAccess = $False
foreach ($access in $acl.Access) {
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights) {
$hasWriteAccess = $True
break
}
}
if ($hasWriteAccess) {
#Disable inheritance
$acl.SetAccessRuleProtection($True, $True)
# Remove any existing rules
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) }
#SYSTEM Full - S-1-5-18
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-18")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
# Save the updated ACL
Set-Acl -Path $directory.FullName -AclObject $acl
#Administrators Full - S-1-5-32-544
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-544")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-32-545")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
#Authenticated Users ReadAndExecute - S-1-5-11
$acl = Get-Acl -Path $directory.FullName
$userSID = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-11")
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($userSID, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.SetAccessRule($rule)
Set-Acl -Path $directory.FullName -AclObject $acl
return $True
}
return $False
}
catch {
return "Error"
}
}

15
Winget-AutoUpdate/functions/Invoke-PostUpdateActions.ps1
View File

@ -77,16 +77,21 @@ function Invoke-PostUpdateActions {
#Security check #Security check
Write-ToLog "-> Checking Mods Directory:" "yellow" Write-ToLog "-> Checking Mods Directory:" "yellow"
$Protected = Invoke-ModsProtect "$($WAUConfig.InstallLocation)\mods" $Protected = Invoke-DirProtect "$($WAUConfig.InstallLocation)\mods"
if ($Protected -eq $True) { if ($Protected -eq $True) {
Write-ToLog "-> The mods directory is now secured!" "green" Write-ToLog "-> The mods directory is secured!" "green"
}
elseif ($Protected -eq $False) {
Write-ToLog "-> The mods directory was already secured!" "green"
} }
else { else {
Write-ToLog "-> Error: The mods directory couldn't be verified as secured!" "red" Write-ToLog "-> Error: The mods directory couldn't be verified as secured!" "red"
} }
Write-ToLog "-> Checking Functions Directory:" "yellow"
$Protected = Invoke-DirProtect "$($WAUConfig.InstallLocation)\Functions"
if ($Protected -eq $True) {
Write-ToLog "-> The Functions directory is secured!" "green"
}
else {
Write-ToLog "-> Error: The Functions directory couldn't be verified as secured!" "red"
}
#Convert about.xml if exists (old WAU versions) to reg #Convert about.xml if exists (old WAU versions) to reg
$WAUAboutPath = "$WorkingDir\config\about.xml" $WAUAboutPath = "$WorkingDir\config\about.xml"