Mercurial > trustbridge
comparison cinst/nssstore_win.c @ 1306:845048d4a69f
(issue159) Use user specific appdata directory for nss list with simple rights.
Using the ProgramData folder with resticted access rights failed in case
the process was not elevated.
| author | Andre Heinecke <andre.heinecke@intevation.de> |
|---|---|
| date | Mon, 13 Oct 2014 12:31:37 +0200 |
| parents | d4b24df4eed1 |
| children |
comparison
equal
deleted
inserted
replaced
| 1305:c56d2618aabe | 1306:845048d4a69f |
|---|---|
| 803 } | 803 } |
| 804 | 804 |
| 805 /* Security: if someone has created this directory before | 805 /* Security: if someone has created this directory before |
| 806 it might be a symlink to another place that a users | 806 it might be a symlink to another place that a users |
| 807 wants us to grant read access to or makes us overwrite | 807 wants us to grant read access to or makes us overwrite |
| 808 something */ | 808 something so we take the acl that would have been used to |
| 809 if(!create_restricted_directory (path, true, &access_control_list)) | 809 create the directory and apply it later on if the directory |
| 810 { | 810 exists. */ |
| 811 ERRORPRINTF ("Failed to create directory\n"); | 811 if (is_elevated()) |
| 812 xfree(path); | 812 { |
| 813 return NULL; | 813 if(!create_restricted_directory (path, true, &access_control_list)) |
| 814 { | |
| 815 ERRORPRINTF ("Failed to create directory\n"); | |
| 816 xfree(path); | |
| 817 return NULL; | |
| 818 } | |
| 819 } | |
| 820 else | |
| 821 { | |
| 822 /* We are not elevated so we do not have to care about | |
| 823 restricting access and just create the directory with | |
| 824 default access rights. */ | |
| 825 if (!CreateDirectoryW(path, NULL)) | |
| 826 { | |
| 827 DWORD err = GetLastError(); | |
| 828 if (err != ERROR_ALREADY_EXISTS) | |
| 829 { | |
| 830 PRINTLASTERROR ("Failed to create directory"); | |
| 831 DEBUGPRINTF ("Directory path is: %S ", path); | |
| 832 xfree (path); | |
| 833 return NULL; | |
| 834 } | |
| 835 } | |
| 814 } | 836 } |
| 815 | 837 |
| 816 if (wcscat_s (path, path_len, L"\\") != 0) | 838 if (wcscat_s (path, path_len, L"\\") != 0) |
| 817 { | 839 { |
| 818 ERRORPRINTF ("Failed to cat dirsep.\n"); | 840 ERRORPRINTF ("Failed to cat dirsep.\n"); |
| 819 xfree(path); | 841 xfree(path); |
| 820 LocalFree(access_control_list); | 842 if (access_control_list) |
| 843 { | |
| 844 LocalFree(access_control_list); | |
| 845 } | |
| 821 return NULL; | 846 return NULL; |
| 822 } | 847 } |
| 823 | 848 |
| 824 if (wcscat_s (path, path_len, SELECTION_FILE_NAME) != 0) | 849 if (wcscat_s (path, path_len, SELECTION_FILE_NAME) != 0) |
| 825 { | 850 { |
| 826 ERRORPRINTF ("Failed to cat filename.\n"); | 851 ERRORPRINTF ("Failed to cat filename.\n"); |
| 827 xfree(path); | 852 xfree(path); |
| 828 LocalFree(access_control_list); | 853 if (access_control_list) |
| 854 { | |
| 855 LocalFree(access_control_list); | |
| 856 } | |
| 829 return NULL; | 857 return NULL; |
| 830 } | 858 } |
| 831 | 859 |
| 832 hFile = CreateFileW(path, | 860 hFile = CreateFileW(path, |
| 833 GENERIC_WRITE, | 861 GENERIC_WRITE, |
| 845 NULL, /* use the security attributes from the folder */ | 873 NULL, /* use the security attributes from the folder */ |
| 846 CREATE_NEW, | 874 CREATE_NEW, |
| 847 0, | 875 0, |
| 848 NULL); | 876 NULL); |
| 849 } | 877 } |
| 850 else | 878 else if (access_control_list) |
| 851 { | 879 { |
| 852 /* Opened existing file */ | 880 /* Opened existing file so set our ACL on it if |
| 853 /* Set our ACL on it */ | 881 we created a restricted directory where |
| 882 we obtained the access_control_list */ | |
| 854 PSID admin_SID = NULL; | 883 PSID admin_SID = NULL; |
| 855 SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY}; | 884 SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY}; |
| 856 | 885 |
| 857 /* Create the SID for the BUILTIN\Administrators group. */ | 886 /* Create the SID for the BUILTIN\Administrators group. */ |
| 858 if(!AllocateAndInitializeSid(&admin_identifier, | 887 if(!AllocateAndInitializeSid(&admin_identifier, |
| 894 return NULL; | 923 return NULL; |
| 895 } | 924 } |
| 896 FreeSid(admin_SID); | 925 FreeSid(admin_SID); |
| 897 } | 926 } |
| 898 | 927 |
| 899 LocalFree(access_control_list); | 928 if (access_control_list) |
| 929 { | |
| 930 LocalFree(access_control_list); | |
| 931 } | |
| 900 | 932 |
| 901 if (hFile == INVALID_HANDLE_VALUE) | 933 if (hFile == INVALID_HANDLE_VALUE) |
| 902 { | 934 { |
| 903 PRINTLASTERROR ("Failed to create file\n"); | 935 DEBUGPRINTF("Failed to create or open file: %S", path); |
| 936 PRINTLASTERROR ("ERROR"); | |
| 904 syslog_error_printf ( "Failed to create nss instruction file."); | 937 syslog_error_printf ( "Failed to create nss instruction file."); |
| 905 xfree(path); | 938 xfree(path); |
| 906 return NULL; | 939 return NULL; |
| 907 } | 940 } |
| 908 if (!write_instructions (to_install, hFile, false)) | 941 if (!write_instructions (to_install, hFile, false)) |