changeset 1306:845048d4a69f
(issue159) Use user specific appdata directory for nss list with simple rights.
Using the ProgramData folder with restricted access rights failed in case
the process was not elevated.
author | Andre Heinecke <andre.heinecke@intevation.de> |
---|---|
date | Mon, 13 Oct 2014 12:31:37 +0200 |
parents | c56d2618aabe |
children | 2bacaec6e101 |
files | cinst/nssstore_win.c common/util.c |
diffstat | 2 files changed, 67 insertions(+), 19 deletions(-) [+] |
--- a/cinst/nssstore_win.c Mon Sep 29 16:53:49 2014 +0200 +++ b/cinst/nssstore_win.c Mon Oct 13 12:31:37 2014 +0200 @@ -805,19 +805,44 @@ /* Security: if someone has created this directory before it might be a symlink to another place that a users wants us to grant read access to or makes us overwrite - something */ - if(!create_restricted_directory (path, true, &access_control_list)) + something so we take the acl that would have been used to + create the directory and apply it later on if the directory + exists. */ + if (is_elevated()) { - ERRORPRINTF ("Failed to create directory\n"); - xfree(path); - return NULL; + if(!create_restricted_directory (path, true, &access_control_list)) + { + ERRORPRINTF ("Failed to create directory\n"); + xfree(path); + return NULL; + } + } + else + { + /* We are not elevated so we do not have to care about + restricting access and just create the directory with + default access rights. */ + if (!CreateDirectoryW(path, NULL)) + { + DWORD err = GetLastError(); + if (err != ERROR_ALREADY_EXISTS) + { + PRINTLASTERROR ("Failed to create directory"); + DEBUGPRINTF ("Directory path is: %S ", path); + xfree (path); + return NULL; + } + } } if (wcscat_s (path, path_len, L"\\") != 0) { ERRORPRINTF ("Failed to cat dirsep.\n"); xfree(path); - LocalFree(access_control_list); + if (access_control_list) + { + LocalFree(access_control_list); + } return NULL; } @@ -825,7 +850,10 @@ { ERRORPRINTF ("Failed to cat filename.\n"); xfree(path); - LocalFree(access_control_list); + if (access_control_list) + { + LocalFree(access_control_list); + } return NULL; } @@ -847,10 +875,11 @@ 0, NULL); } - else + else if (access_control_list) { - /* Opened existing file */ - /* Set our ACL on it */ + /* Opened existing file so set our ACL on it if + we created a restricted directory where + we obtained the access_control_list */ PSID admin_SID = NULL; SID_IDENTIFIER_AUTHORITY admin_identifier = {SECURITY_NT_AUTHORITY}; 
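Review bot: The non-elevated branch never assigns `access_control_list`, so the new `if (access_control_list)` guards in this hunk, and those in the hunks at -825, -847 and -896, only work if the variable is initialised to NULL at its declaration, which lies outside the hunk. If it is not, the unelevated path would test an indeterminate pointer and could pass it to `LocalFree` and to the ACL code for an existing file. I would make this explicit at the declaration, e.g. `PACL access_control_list = NULL;` (type assumed, keep the declared one). `LocalFree(NULL)` is documented as a no-op, so with the initialisation guaranteed the guards around the frees are optional, and the `else if (access_control_list)` check is the one that matters.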
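Review bot: When the process is not elevated, `else if (access_control_list)` in the -847 hunk leaves an already existing file with whatever DACL it has, and the `ERROR_ALREADY_EXISTS` case in the first hunk accepts an existing directory unchecked, although the comment above that code still warns about pre-created directories and links. This is presumably acceptable because the path now lies inside the user's own LocalAppData, but the code does not state that assumption. I would add a comment such as `/* Not elevated: path is inside the user's profile, an existing file keeps its inherited ACL */`. If a stricter check is wanted, refuse the path when `GetFileAttributesW (path)` reports `FILE_ATTRIBUTE_REPARSE_POINT`. The enclosing function starts and ends outside these hunks.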
@@ -896,11 +925,15 @@ FreeSid(admin_SID); } - LocalFree(access_control_list); + if (access_control_list) + { + LocalFree(access_control_list); + } if (hFile == INVALID_HANDLE_VALUE) { - PRINTLASTERROR ("Failed to create file\n"); + DEBUGPRINTF("Failed to create or open file: %S", path); + PRINTLASTERROR ("ERROR"); syslog_error_printf ( "Failed to create nss instruction file."); xfree(path); return NULL;
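Review bot: `PRINTLASTERROR ("ERROR")` is now reached after `FreeSid`, `LocalFree` and the new `DEBUGPRINTF`, any of which may change the thread's last-error value, so the logged code may not be the one from the failed create or open call. This assumes the macro reads `GetLastError()`, as its definition is not on this page. The message text also no longer says what failed. I would keep the description in the error line and log the path afterwards: `PRINTLASTERROR ("Failed to create or open file");` followed by `DEBUGPRINTF ("File path is: %S", path);`. Ideally the error code is saved directly after the call that sets `hFile`, which is outside this hunk.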
--- a/common/util.c Mon Sep 29 16:53:49 2014 +0200 +++ b/common/util.c Mon Oct 13 12:31:37 2014 +0200 @@ -511,14 +511,29 @@ get_program_data_folder () { wchar_t *folder_name = NULL; - if (SHGetKnownFolderPath (&FOLDERID_ProgramData, /* Get program data dir */ - KF_FLAG_CREATE | /* Create if it does not exist */ - KF_FLAG_INIT, /* Initialize it if created */ - INVALID_HANDLE_VALUE, /* Get it for the default user */ - &folder_name) != S_OK) + if (is_elevated()) { - PRINTLASTERROR ("Failed to get folder path"); - return NULL; + if (SHGetKnownFolderPath (&FOLDERID_ProgramData, /* Get program data dir */ + KF_FLAG_CREATE | /* Create if it does not exist */ + KF_FLAG_INIT, /* Initialize it if created */ + INVALID_HANDLE_VALUE, /* Get it for the default user */ + &folder_name) != S_OK) + { + PRINTLASTERROR ("Failed to get folder path"); + return NULL; + } + } + else + { + if (SHGetKnownFolderPath (&FOLDERID_LocalAppData, /* Get program data dir */ + KF_FLAG_CREATE | /* Create if it does not exist */ + KF_FLAG_INIT, /* Initialize it if created */ + NULL, /* Get it for the default user */ + &folder_name) != S_OK) + { + PRINTLASTERROR ("Failed to get folder path"); + return NULL; + } } return folder_name; }
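Review bot: `get_program_data_folder` now returns a per-user LocalAppData path when the process is not elevated, but neither its name nor its comments say so. The new branch still carries `/* Get program data dir */` and `/* Get it for the default user */`, while a NULL token requests the current user's folder. Callers are not visible here, so any that treat the result as an administrator-controlled location should be re-checked. I would change the two comments to `/* Get the per-user local appdata dir */` and `/* NULL: use the current user's token */`. A header comment on the function should also state that the returned directory depends on `is_elevated()` and is writable by the user in the unelevated case.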