diff cinst/nssstore_win.c @ 1306:845048d4a69f

(issue159) Use user specific appdata directory for nss list with simple rights. Using the ProgramData folder with restricted access rights failed in case the process was not elevated.
author Andre Heinecke <andre.heinecke@intevation.de>
date Mon, 13 Oct 2014 12:31:37 +0200
parents d4b24df4eed1
children
--- a/cinst/nssstore_win.c	Mon Sep 29 16:53:49 2014 +0200
+++ b/cinst/nssstore_win.c	Mon Oct 13 12:31:37 2014 +0200
@@ -805,19 +805,44 @@
   /* Security: if someone has created this directory before
      it might be a symlink to another place that a users
      wants us to grant read access to or makes us overwrite
-     something */
-  if(!create_restricted_directory (path, true, &access_control_list))
+     something so we take the acl that would have been used to
+     create the directory and apply it later on if the directory
+     exists. */
+  if (is_elevated())
     {
-      ERRORPRINTF ("Failed to create directory\n");
-      xfree(path);
-      return NULL;
+      if(!create_restricted_directory (path, true, &access_control_list))
+        {
+          ERRORPRINTF ("Failed to create directory\n");
+          xfree(path);
+          return NULL;
+        }
+    }
+  else
+    {
+      /* We are not elevated so we do not have to care about
+         restricting access and just create the directory with
+         default access rights. */
+      if (!CreateDirectoryW(path, NULL))
+        {
+          DWORD err = GetLastError();
+          if (err != ERROR_ALREADY_EXISTS)
+            {
+              PRINTLASTERROR ("Failed to create directory");
+              DEBUGPRINTF ("Directory path is: %S ", path);
+              xfree (path);
+              return NULL;
+            }
+        }
     }
 
   if (wcscat_s (path, path_len, L"\\") != 0)
     {
       ERRORPRINTF ("Failed to cat dirsep.\n");
       xfree(path);
-      LocalFree(access_control_list);
+      if (access_control_list)
+        {
+          LocalFree(access_control_list);
+        }
       return NULL;
     }
 
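Review bot: In the non-elevated branch, `ERROR_ALREADY_EXISTS` from `CreateDirectoryW` is treated as success without checking what already sits at `path`. CreateDirectoryW returns that error for a regular file or a junction/symlink as well, which is the risk the comment at the top of the hunk describes; the added wording about applying the ACL later only holds for the elevated branch. An attribute check in the already-exists case would reject anything that is not a plain directory. It is not atomic with the later file open, so it narrows the window rather than closing it. The enclosing function starts and ends outside the hunk, so how `path` is built is not visible here.

```c
      if (!CreateDirectoryW(path, NULL))
        {
          DWORD err = GetLastError();
          /* … unchanged: bail out when err != ERROR_ALREADY_EXISTS … */
          DWORD attrs = GetFileAttributesW (path);
          if (attrs == INVALID_FILE_ATTRIBUTES ||
              !(attrs & FILE_ATTRIBUTE_DIRECTORY) ||
              (attrs & FILE_ATTRIBUTE_REPARSE_POINT))
            {
              ERRORPRINTF ("Existing path is not a plain directory\n");
              xfree (path);
              return NULL;
            }
        }
```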
@@ -825,7 +850,10 @@
     {
       ERRORPRINTF ("Failed to cat filename.\n");
       xfree(path);
-      LocalFree(access_control_list);
+      if (access_control_list)
+        {
+          LocalFree(access_control_list);
+        }
       return NULL;
     }
 
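Review bot: The new `if (access_control_list)` guards are only correct if the pointer is NULL whenever `create_restricted_directory` was not called. They appear here, at the end of the previous hunk, in the `else if` of the next hunk and before the `hFile` check. The declaration is outside the visible hunks, so if it is not initialized there, the non-elevated path tests and may free an indeterminate pointer. Setting `access_control_list = NULL;` before `if (is_elevated())`, or at the declaration, makes this explicit. LocalFree ignores a NULL argument, so once the pointer is reliably NULL the three guards around it are not needed.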
@@ -847,10 +875,11 @@
                           0,
                           NULL);
     }
-  else
+  else if (access_control_list)
     {
-      /* Opened existing file */
-      /* Set our ACL on it */
+      /* Opened existing file so set our ACL on it if
+         we created a restricted directory where
+         we obtained the access_control_list */
       PSID admin_SID = NULL;
       SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY};
 
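Review bot: `else if (access_control_list)` uses the ACL pointer as a stand-in for "running elevated", which is not obvious at this point in the function. An existing file opened without elevation now falls through with no branch and no comment. I would test `is_elevated()` here or state the equivalence in the comment, and add a line such as `/* Not elevated: an existing file keeps the ACL it already has. */` so the skipped ACL reads as intentional. The body of this branch continues outside the hunk.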
@@ -896,11 +925,15 @@
       FreeSid(admin_SID);
     }
 
-  LocalFree(access_control_list);
+  if (access_control_list)
+    {
+      LocalFree(access_control_list);
+    }
 
   if (hFile == INVALID_HANDLE_VALUE)
     {
-      PRINTLASTERROR ("Failed to create file\n");
+      DEBUGPRINTF("Failed to create or open file: %S", path);
+      PRINTLASTERROR ("ERROR");
       syslog_error_printf ( "Failed to create nss instruction file.");
       xfree(path);
       return NULL;
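Review bot: `DEBUGPRINTF` now runs before `PRINTLASTERROR`, so the error code of the failed create/open may be overwritten before it is reported, assuming PRINTLASTERROR reads GetLastError() as its name suggests. The `LocalFree` call between the open and this check carries the same risk. The non-elevated directory branch earlier in this commit uses the safer order, which here would be `PRINTLASTERROR ("Failed to create or open file");` followed by `DEBUGPRINTF ("File path is: %S\n", path);`. That also keeps a meaningful message at error level instead of the bare `"ERROR"`. Saving the code into a local right after the open would make the report independent of the cleanup in between.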

http://wald.intevation.org/projects/trustbridge/