comparison cinst/nssstore_win.c @ 1306:845048d4a69f
(issue159) Use user specific appdata directory for nss list with simple rights.
Using the ProgramData folder with restricted access rights failed in case
the process was not elevated.
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Mon, 13 Oct 2014 12:31:37 +0200 |
parents | d4b24df4eed1 |
children |
1305:c56d2618aabe | 1306:845048d4a69f |
---|---|
803 } | 803 } |
804 | 804 |
805 /* Security: if someone has created this directory before | 805 /* Security: if someone has created this directory before |
806 it might be a symlink to another place that a users | 806 it might be a symlink to another place that a users |
807 wants us to grant read access to or makes us overwrite | 807 wants us to grant read access to or makes us overwrite |
808 something */ | 808 something so we take the acl that would have been used to |
809 if(!create_restricted_directory (path, true, &access_control_list)) | 809 create the directory and apply it later on if the directory |
810 { | 810 exists. */ |
811 ERRORPRINTF ("Failed to create directory\n"); | 811 if (is_elevated()) |
812 xfree(path); | 812 { |
813 return NULL; | 813 if(!create_restricted_directory (path, true, &access_control_list)) |
814 { | |
815 ERRORPRINTF ("Failed to create directory\n"); | |
816 xfree(path); | |
817 return NULL; | |
818 } | |
819 } | |
820 else | |
821 { | |
822 /* We are not elevated so we do not have to care about | |
823 restricting access and just create the directory with | |
824 default access rights. */ | |
825 if (!CreateDirectoryW(path, NULL)) | |
826 { | |
827 DWORD err = GetLastError(); | |
828 if (err != ERROR_ALREADY_EXISTS) | |
829 { | |
830 PRINTLASTERROR ("Failed to create directory"); | |
831 DEBUGPRINTF ("Directory path is: %S ", path); | |
832 xfree (path); | |
833 return NULL; | |
834 } | |
835 } | |
814 } | 836 } |
815 | 837 |
816 if (wcscat_s (path, path_len, L"\\") != 0) | 838 if (wcscat_s (path, path_len, L"\\") != 0) |
817 { | 839 { |
818 ERRORPRINTF ("Failed to cat dirsep.\n"); | 840 ERRORPRINTF ("Failed to cat dirsep.\n"); |
819 xfree(path); | 841 xfree(path); |
820 LocalFree(access_control_list); | 842 if (access_control_list) |
843 { | |
844 LocalFree(access_control_list); | |
845 } | |
821 return NULL; | 846 return NULL; |
822 } | 847 } |
823 | 848 |
824 if (wcscat_s (path, path_len, SELECTION_FILE_NAME) != 0) | 849 if (wcscat_s (path, path_len, SELECTION_FILE_NAME) != 0) |
825 { | 850 { |
826 ERRORPRINTF ("Failed to cat filename.\n"); | 851 ERRORPRINTF ("Failed to cat filename.\n"); |
827 xfree(path); | 852 xfree(path); |
828 LocalFree(access_control_list); | 853 if (access_control_list) |
854 { | |
855 LocalFree(access_control_list); | |
856 } | |
829 return NULL; | 857 return NULL; |
830 } | 858 } |
831 | 859 |
832 hFile = CreateFileW(path, | 860 hFile = CreateFileW(path, |
833 GENERIC_WRITE, | 861 GENERIC_WRITE, |
845 NULL, /* use the security attributes from the folder */ | 873 NULL, /* use the security attributes from the folder */ |
846 CREATE_NEW, | 874 CREATE_NEW, |
847 0, | 875 0, |
848 NULL); | 876 NULL); |
849 } | 877 } |
850 else | 878 else if (access_control_list) |
851 { | 879 { |
852 /* Opened existing file */ | 880 /* Opened existing file so set our ACL on it if |
853 /* Set our ACL on it */ | 881 we created a restricted directory where |
882 we obtained the access_control_list */ | |
854 PSID admin_SID = NULL; | 883 PSID admin_SID = NULL; |
855 SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY}; | 884 SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY}; |
856 | 885 |
857 /* Create the SID for the BUILTIN\Administrators group. */ | 886 /* Create the SID for the BUILTIN\Administrators group. */ |
858 if(!AllocateAndInitializeSid(&admin_identifier, | 887 if(!AllocateAndInitializeSid(&admin_identifier, |
894 return NULL; | 923 return NULL; |
895 } | 924 } |
896 FreeSid(admin_SID); | 925 FreeSid(admin_SID); |
897 } | 926 } |
898 | 927 |
899 LocalFree(access_control_list); | 928 if (access_control_list) |
929 { | |
930 LocalFree(access_control_list); | |
931 } | |
900 | 932 |
901 if (hFile == INVALID_HANDLE_VALUE) | 933 if (hFile == INVALID_HANDLE_VALUE) |
902 { | 934 { |
903 PRINTLASTERROR ("Failed to create file\n"); | 935 DEBUGPRINTF("Failed to create or open file: %S", path); |
936 PRINTLASTERROR ("ERROR"); | |
904 syslog_error_printf ( "Failed to create nss instruction file."); | 937 syslog_error_printf ( "Failed to create nss instruction file."); |
905 xfree(path); | 938 xfree(path); |
906 return NULL; | 939 return NULL; |
907 } | 940 } |
908 if (!write_instructions (to_install, hFile, false)) | 941 if (!write_instructions (to_install, hFile, false)) |
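Review bot: The unelevated branch (new lines 820-836) treats `ERROR_ALREADY_EXISTS` from `CreateDirectoryW` as success without checking what already sits at `path`, so the symlink concern in the comment above it is only handled when `access_control_list` was obtained, i.e. in the elevated case. How much this matters depends on who later consumes the instruction file, which these lines do not show; if a more privileged process reads it, I would verify the existing entry before continuing, e.g. `DWORD attrs = GetFileAttributesW(path);` and fail when `attrs == INVALID_FILE_ATTRIBUTES`, `FILE_ATTRIBUTE_DIRECTORY` is missing, or `FILE_ATTRIBUTE_REPARSE_POINT` is set. The new `if (access_control_list)` and `else if (access_control_list)` tests also rely on the pointer being initialised to `NULL` at its declaration; otherwise the unelevated path reads an indeterminate pointer. That declaration lies outside the visible lines, as do the start and end of the enclosing function.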