Mercurial > trustbridge
diff cinst/nssstore_win.c @ 1306:845048d4a69f
(issue159) Use user specific appdata directory for nss list with simple rights.
Using the ProgramData folder with resticted access rights failed in case
the process was not elevated.
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Mon, 13 Oct 2014 12:31:37 +0200 |
parents | d4b24df4eed1 |
children |
line wrap: on
line diff
--- a/cinst/nssstore_win.c Mon Sep 29 16:53:49 2014 +0200 +++ b/cinst/nssstore_win.c Mon Oct 13 12:31:37 2014 +0200 @@ -805,19 +805,44 @@ /* Security: if someone has created this directory before it might be a symlink to another place that a users wants us to grant read access to or makes us overwrite - something */ - if(!create_restricted_directory (path, true, &access_control_list)) + something so we take the acl that would have been used to + create the directory and apply it later on if the directory + exists. */ + if (is_elevated()) { - ERRORPRINTF ("Failed to create directory\n"); - xfree(path); - return NULL; + if(!create_restricted_directory (path, true, &access_control_list)) + { + ERRORPRINTF ("Failed to create directory\n"); + xfree(path); + return NULL; + } + } + else + { + /* We are not elevated so we do not have to care about + restricting access and just create the directory with + default access rights. */ + if (!CreateDirectoryW(path, NULL)) + { + DWORD err = GetLastError(); + if (err != ERROR_ALREADY_EXISTS) + { + PRINTLASTERROR ("Failed to create directory"); + DEBUGPRINTF ("Directory path is: %S ", path); + xfree (path); + return NULL; + } + } } if (wcscat_s (path, path_len, L"\\") != 0) { ERRORPRINTF ("Failed to cat dirsep.\n"); xfree(path); - LocalFree(access_control_list); + if (access_control_list) + { + LocalFree(access_control_list); + } return NULL; } @@ -825,7 +850,10 @@ { ERRORPRINTF ("Failed to cat filename.\n"); xfree(path); - LocalFree(access_control_list); + if (access_control_list) + { + LocalFree(access_control_list); + } return NULL; } @@ -847,10 +875,11 @@ 0, NULL); } - else + else if (access_control_list) { - /* Opened existing file */ - /* Set our ACL on it */ + /* Opened existing file so set our ACL on it if + we created a restricted directory where + we obtained the access_control_list */ PSID admin_SID = NULL; SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY}; @@ -896,11 +925,15 @@ FreeSid(admin_SID); } - LocalFree(access_control_list); + if (access_control_list) + { + LocalFree(access_control_list); + } if (hFile == INVALID_HANDLE_VALUE) { - PRINTLASTERROR ("Failed to create file\n"); + DEBUGPRINTF("Failed to create or open file: %S", path); + PRINTLASTERROR ("ERROR"); syslog_error_printf ( "Failed to create nss instruction file."); xfree(path); return NULL;