comparison cinst/nssstore_win.c @ 1306:845048d4a69f

(issue159) Use user specific appdata directory for nss list with simple rights. Using the ProgramData folder with restricted access rights failed in case the process was not elevated.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 13 Oct 2014 12:31:37 +0200
parents d4b24df4eed1
children
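--- a/cinst/nssstore_win.c
+++ b/cinst/nssstore_win.c
@@ -803,31 +803,59 @@
 }
 
 /* Security: if someone has created this directory before
 it might be a symlink to another place that a users
 wants us to grant read access to or makes us overwrite
-something */
-if(!create_restricted_directory (path, true, &access_control_list))
-{
-ERRORPRINTF ("Failed to create directory\n");
-xfree(path);
-return NULL;
+something so we take the acl that would have been used to
+create the directory and apply it later on if the directory
+exists. */
+if (is_elevated())
+{
+if(!create_restricted_directory (path, true, &access_control_list))
+{
+ERRORPRINTF ("Failed to create directory\n");
+xfree(path);
+return NULL;
+}
+}
+else
+{
+/* We are not elevated so we do not have to care about
+restricting access and just create the directory with
+default access rights. */
+if (!CreateDirectoryW(path, NULL))
+{
+DWORD err = GetLastError();
+if (err != ERROR_ALREADY_EXISTS)
+{
+PRINTLASTERROR ("Failed to create directory");
+DEBUGPRINTF ("Directory path is: %S ", path);
+xfree (path);
+return NULL;
+}
+}
 }
 
 if (wcscat_s (path, path_len, L"\\") != 0)
 {
 ERRORPRINTF ("Failed to cat dirsep.\n");
 xfree(path);
-LocalFree(access_control_list);
+if (access_control_list)
+{
+LocalFree(access_control_list);
+}
 return NULL;
 }
 
 if (wcscat_s (path, path_len, SELECTION_FILE_NAME) != 0)
 {
 ERRORPRINTF ("Failed to cat filename.\n");
 xfree(path);
-LocalFree(access_control_list);
+if (access_control_list)
+{
+LocalFree(access_control_list);
+}
 return NULL;
 }
 
 hFile = CreateFileW(path,
 GENERIC_WRITE,
@@ -845,14 +873,15 @@
 NULL, /* use the security attributes from the folder */
 CREATE_NEW,
 0,
 NULL);
 }
-else
+else if (access_control_list)
 {
-/* Opened existing file */
-/* Set our ACL on it */
+/* Opened existing file so set our ACL on it if
+we created a restricted directory where
+we obtained the access_control_list */
 PSID admin_SID = NULL;
 SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY};
 
 /* Create the SID for the BUILTIN\Administrators group. */
 if(!AllocateAndInitializeSid(&admin_identifier,
@@ -894,15 +923,19 @@
 return NULL;
 }
 FreeSid(admin_SID);
 }
 
-LocalFree(access_control_list);
+if (access_control_list)
+{
+LocalFree(access_control_list);
+}
 
 if (hFile == INVALID_HANDLE_VALUE)
 {
-PRINTLASTERROR ("Failed to create file\n");
+DEBUGPRINTF("Failed to create or open file: %S", path);
+PRINTLASTERROR ("ERROR");
 syslog_error_printf ( "Failed to create nss instruction file.");
 xfree(path);
 return NULL;
 }
 if (!write_instructions (to_install, hFile, false))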
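Review bot: In the non-elevated branch, a `CreateDirectoryW(path, NULL)` failure with `ERROR_ALREADY_EXISTS` is accepted without checking what already sits at that path, although the comment at the top of this block names a pre-created symlink as the concern. The later ACL fix-up is also skipped on this path, because `access_control_list` is never set there. A check such as `DWORD attrs = GetFileAttributesW(path);` followed by `if (attrs == INVALID_FILE_ATTRIBUTES || !(attrs & FILE_ATTRIBUTE_DIRECTORY) || (attrs & FILE_ATTRIBUTE_REPARSE_POINT))`, with the same `xfree (path); return NULL;` exit, would reject a plain file or reparse point before the selection file is opened under it. The new `if (access_control_list)` guards and the `else if (access_control_list)` branch also rely on the variable being initialised to NULL at its declaration, which is outside the lines shown; that should be confirmed, since otherwise the non-elevated path tests and frees an indeterminate pointer. The function begins and ends outside this section.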

http://wald.intevation.org/projects/trustbridge/