wingetautoupdate/Winget-AutoUpdate/functions/Invoke-ModsProtect.ps1

82 lines
3.4 KiB
PowerShell

# Function to check if the mods directory is secured.
# Security: Mods directory must be protected (Users could create scripts of their own - then they'll run in System Context)!
# Check if Local Users have write rights in Mods directory or not (and take action if necessary):
function Invoke-ModsProtect
{
[CmdletBinding()]
param
(
[string]$ModsPath
)
try
{
$directory = (Get-Item -Path $ModsPath -ErrorAction SilentlyContinue)
$acl = (Get-Acl -Path $directory.FullName)
# Local Users - S-1-5-32-545
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-32-545'))
# Translate SID to Locale Name
$ntAccount = $userSID.Translate([Security.Principal.NTAccount])
$userName = $ntAccount.Value
$userRights = [Security.AccessControl.FileSystemRights]'Write'
$hasWriteAccess = $False
foreach ($access in $acl.Access)
{
if ($access.IdentityReference.Value -eq $userName -and $access.FileSystemRights -eq $userRights)
{
$hasWriteAccess = $True
break
}
}
if ($hasWriteAccess)
{
# Disable inheritance
$acl.SetAccessRuleProtection($True, $True)
# Remove any existing rules
$acl.Access | ForEach-Object -Process {
$acl.RemoveAccessRule($_)
}
# SYSTEM Full - S-1-5-18
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-18'))
$rule = (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($userSID, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
$acl.SetAccessRule($rule)
# Save the updated ACL
$null = (Set-Acl -Path $directory.FullName -AclObject $acl)
# Administrators Full - S-1-5-32-544
$acl = (Get-Acl -Path $directory.FullName)
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-32-544'))
$rule = (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($userSID, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
$acl.SetAccessRule($rule)
$null = (Set-Acl -Path $directory.FullName -AclObject $acl)
# Local Users ReadAndExecute - S-1-5-32-545 S-1-5-11
$acl = (Get-Acl -Path $directory.FullName)
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-32-545'))
$rule = (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($userSID, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
$acl.SetAccessRule($rule)
$null = (Set-Acl -Path $directory.FullName -AclObject $acl)
# Authenticated Users ReadAndExecute - S-1-5-11
$acl = (Get-Acl -Path $directory.FullName)
$userSID = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList ('S-1-5-11'))
$rule = (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList ($userSID, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
$acl.SetAccessRule($rule)
$null = (Set-Acl -Path $directory.FullName -AclObject $acl)
return $True
}
return $False
}
catch
{
return 'Error'
}
}