Mercurial > trustbridge
comparison cinst/nssstore_win.c @ 1208:0a803c3fb5a6
(issue138) Set the ACL explictly on existing files or directories
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Tue, 23 Sep 2014 19:15:49 +0200 |
| parents | c8f698ca6355 |
| children | d4b24df4eed1 |
comparison
equal
deleted
inserted
replaced
| 1207:e79fc57f1f9c | 1208:0a803c3fb5a6 |
|---|---|
| 754 { | 754 { |
| 755 wchar_t *folder_name = NULL, | 755 wchar_t *folder_name = NULL, |
| 756 *path = NULL; | 756 *path = NULL; |
| 757 HANDLE hFile = NULL; | 757 HANDLE hFile = NULL; |
| 758 size_t path_len; | 758 size_t path_len; |
| 759 PACL access_control_list = NULL; | |
| 759 | 760 |
| 760 folder_name = get_program_data_folder(); | 761 folder_name = get_program_data_folder(); |
| 761 if (!folder_name) | 762 if (!folder_name) |
| 762 { | 763 { |
| 763 ERRORPRINTF("Failed to look up ProgramData folder.\n"); | 764 ERRORPRINTF("Failed to look up ProgramData folder.\n"); |
| 803 | 804 |
| 804 /* Security: if someone has created this directory before | 805 /* Security: if someone has created this directory before |
| 805 it might be a symlink to another place that a users | 806 it might be a symlink to another place that a users |
| 806 wants us to grant read access to or makes us overwrite | 807 wants us to grant read access to or makes us overwrite |
| 807 something */ | 808 something */ |
| 808 if(!create_restricted_directory (path, true)) | 809 if(!create_restricted_directory (path, true, &access_control_list)) |
| 809 { | 810 { |
| 810 ERRORPRINTF ("Failed to create directory\n"); | 811 ERRORPRINTF ("Failed to create directory\n"); |
| 811 xfree(path); | 812 xfree(path); |
| 812 return NULL; | 813 return NULL; |
| 813 } | 814 } |
| 814 | 815 |
| 815 if (wcscat_s (path, path_len, L"\\") != 0) | 816 if (wcscat_s (path, path_len, L"\\") != 0) |
| 816 { | 817 { |
| 817 ERRORPRINTF ("Failed to cat dirsep.\n"); | 818 ERRORPRINTF ("Failed to cat dirsep.\n"); |
| 818 xfree(path); | 819 xfree(path); |
| 820 LocalFree(access_control_list); | |
| 819 return NULL; | 821 return NULL; |
| 820 } | 822 } |
| 821 | 823 |
| 822 if (wcscat_s (path, path_len, SELECTION_FILE_NAME) != 0) | 824 if (wcscat_s (path, path_len, SELECTION_FILE_NAME) != 0) |
| 823 { | 825 { |
| 824 ERRORPRINTF ("Failed to cat filename.\n"); | 826 ERRORPRINTF ("Failed to cat filename.\n"); |
| 825 xfree(path); | 827 xfree(path); |
| 828 LocalFree(access_control_list); | |
| 826 return NULL; | 829 return NULL; |
| 827 } | 830 } |
| 828 | 831 |
| 829 hFile = CreateFileW(path, | 832 hFile = CreateFileW(path, |
| 830 GENERIC_WRITE, | 833 GENERIC_WRITE, |
| 842 NULL, /* use the security attributes from the folder */ | 845 NULL, /* use the security attributes from the folder */ |
| 843 CREATE_NEW, | 846 CREATE_NEW, |
| 844 0, | 847 0, |
| 845 NULL); | 848 NULL); |
| 846 } | 849 } |
| 850 else | |
| 851 { | |
| 852 /* Opened existing file */ | |
| 853 /* Set our ACL on it */ | |
| 854 PSID admin_SID = NULL; | |
| 855 SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY}; | |
| 856 | |
| 857 /* Create the SID for the BUILTIN\Administrators group. */ | |
| 858 if(!AllocateAndInitializeSid(&admin_identifier, | |
| 859 2, | |
| 860 SECURITY_BUILTIN_DOMAIN_RID, /*BUILTIN\ */ | |
| 861 DOMAIN_ALIAS_RID_ADMINS, /*\Administrators */ | |
| 862 0, 0, 0, 0, 0, 0, /* No other */ | |
| 863 &admin_SID)) | |
| 864 { | |
| 865 PRINTLASTERROR ("Failed to allocate admin sid."); | |
| 866 syslog_error_printf ( "Failed to allocate admin sid."); | |
| 867 if (hFile) | |
| 868 { | |
| 869 CloseHandle (hFile); | |
| 870 } | |
| 871 xfree (path); | |
| 872 LocalFree(access_control_list); | |
| 873 return NULL; | |
| 874 } | |
| 875 | |
| 876 if (SetNamedSecurityInfoW (path, | |
| 877 SE_FILE_OBJECT, | |
| 878 DACL_SECURITY_INFORMATION | | |
| 879 OWNER_SECURITY_INFORMATION | | |
| 880 GROUP_SECURITY_INFORMATION, | |
| 881 admin_SID, /* owner */ | |
| 882 admin_SID, /* group */ | |
| 883 access_control_list, /* the dacl */ | |
| 884 NULL) != ERROR_SUCCESS) | |
| 885 { | |
| 886 ERRORPRINTF ("Failed to set the ACL on the NSS instruction file."); | |
| 887 if (hFile) | |
| 888 { | |
| 889 CloseHandle (hFile); | |
| 890 } | |
| 891 FreeSid(admin_SID); | |
| 892 LocalFree(access_control_list); | |
| 893 xfree (path); | |
| 894 return NULL; | |
| 895 } | |
| 896 FreeSid(admin_SID); | |
| 897 } | |
| 898 | |
| 899 LocalFree(access_control_list); | |
| 900 | |
| 847 if (hFile == INVALID_HANDLE_VALUE) | 901 if (hFile == INVALID_HANDLE_VALUE) |
| 848 { | 902 { |
| 849 PRINTLASTERROR ("Failed to create file\n"); | 903 PRINTLASTERROR ("Failed to create file\n"); |
| 904 syslog_error_printf ( "Failed to create nss instruction file."); | |
| 850 xfree(path); | 905 xfree(path); |
| 851 return NULL; | 906 return NULL; |
| 852 } | 907 } |
| 853 if (!write_instructions (to_install, hFile, false)) | 908 if (!write_instructions (to_install, hFile, false)) |
| 854 { | 909 { |
| 855 ERRORPRINTF ("Failed to write install instructions.\n"); | 910 ERRORPRINTF ("Failed to write install instructions.\n"); |
| 911 syslog_error_printf ( "Failed to write nss instruction file."); | |
| 856 CloseHandle(hFile); | 912 CloseHandle(hFile); |
| 857 xfree(path); | 913 xfree(path); |
| 858 return NULL; | 914 return NULL; |
| 859 } | 915 } |
| 860 if (!write_instructions (to_remove, hFile, true)) | 916 if (!write_instructions (to_remove, hFile, true)) |
| 861 { | 917 { |
| 862 ERRORPRINTF ("Failed to write remove instructions.\n"); | 918 ERRORPRINTF ("Failed to write remove instructions.\n"); |
| 919 syslog_error_printf ( "Failed to write nss instruction file removal entries."); | |
| 863 CloseHandle(hFile); | 920 CloseHandle(hFile); |
| 864 xfree(path); | 921 xfree(path); |
| 865 return NULL; | 922 return NULL; |
| 866 } | 923 } |
| 867 CloseHandle(hFile); | 924 CloseHandle(hFile); |