mirror of https://github.com/qTox/qTox.git synced 2024-03-22 14:00:36 +08:00

fix(Windows): Restrict non-default install directory permissions

Installations to Program Files (default) inherit restrictive permissions,
disallowing regular users from writing to files in the install location. If a
user installs to other directories with more lax permissions though, e.g. C:\,
the install directory can be writable by non-admins, causing a privilege
escalation opportunity. An unprivileged user could modify or replace the qTox
binary or a dll, that would then be run by any other user on the system.

Clone Program Files permissions rather than trying to craft sane permissions
manually for simplicity and compatibility.
Anthony Bilinski 2022-03-02 20:20:46 -08:00
parent 2c2c6f6818
commit 553bd47e81
No known key found for this signature in database
GPG Key ID: 2AA8E0DA1B31FB3C
2 changed files with 40 additions and 0 deletions


@ -206,6 +206,26 @@ FunctionEnd
;Uninstall log file missing. ;Uninstall log file missing.
LangString UninstLogMissing ${LANG_ENGLISH} "${UninstLog} not found!$\r$\nUninstallation cannot proceed!" LangString UninstLogMissing ${LANG_ENGLISH} "${UninstLog} not found!$\r$\nUninstallation cannot proceed!"
Section "Create install directory"
CreateDirectory "$INSTDIR"
nsExec::ExecToStack 'icacls "$PROGRAMFILES64" /save "$TEMP\program-files-permissions.txt"'
Pop $0 # return value/error/timeout
Pop $1 # printed text, up to ${NSIS_MAX_STRLEN}
FileOpen $0 "$TEMP\program-files-permissions.txt" r
FileReadUTF16LE $0 $1 1024
FileReadUTF16LE $0 $2 1024
FileClose $0
DetailPrint "First read line is: $1"
DetailPrint "Second read line is: $2"
FileOpen $0 "$TEMP\qTox-install-file-permissions.txt" w
FileWriteUTF16LE $0 "$INSTDIR"
FileWriteUTF16LE $0 "$\r$\n"
DetailPrint "Writing to file: $2"
FileWriteUTF16LE $0 "$2"
FileClose $0
nsExec::Exec 'icacls "" /restore "$TEMP\qTox-install-file-permissions.txt"'
SectionEnd
Section -openlogfile Section -openlogfile
CreateDirectory "$INSTDIR" CreateDirectory "$INSTDIR"
IfFileExists "$INSTDIR\${UninstLog}" +3 IfFileExists "$INSTDIR\${UninstLog}" +3
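Review bot: The result of the final `nsExec::Exec 'icacls "" /restore ...'` call is never popped or checked, so if icacls fails the installer carries on into a directory that still has the lax permissions this commit is meant to remove. The earlier steps fail open in the same way: the `/save` exit code is popped into `$0` and then overwritten by `FileOpen`, and an unreadable save file would leave `$2` empty. I would stop the install on failure, e.g. `Pop $0`, `StrCmp $0 "0" +2`, `Abort "Could not restrict permissions on $INSTDIR"` directly after the restore call. The identical section in the second changed file needs the same check.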


@ -206,6 +206,26 @@ FunctionEnd
;Uninstall log file missing. ;Uninstall log file missing.
LangString UninstLogMissing ${LANG_ENGLISH} "${UninstLog} not found!$\r$\nUninstallation cannot proceed!" LangString UninstLogMissing ${LANG_ENGLISH} "${UninstLog} not found!$\r$\nUninstallation cannot proceed!"
Section "Create install directory"
CreateDirectory "$INSTDIR"
nsExec::ExecToStack 'icacls "$PROGRAMFILES64" /save "$TEMP\program-files-permissions.txt"'
Pop $0 # return value/error/timeout
Pop $1 # printed text, up to ${NSIS_MAX_STRLEN}
FileOpen $0 "$TEMP\program-files-permissions.txt" r
FileReadUTF16LE $0 $1 1024
FileReadUTF16LE $0 $2 1024
FileClose $0
DetailPrint "First read line is: $1"
DetailPrint "Second read line is: $2"
FileOpen $0 "$TEMP\qTox-install-file-permissions.txt" w
FileWriteUTF16LE $0 "$INSTDIR"
FileWriteUTF16LE $0 "$\r$\n"
DetailPrint "Writing to file: $2"
FileWriteUTF16LE $0 "$2"
FileClose $0
nsExec::Exec 'icacls "" /restore "$TEMP\qTox-install-file-permissions.txt"'
SectionEnd
Section -openlogfile Section -openlogfile
CreateDirectory "$INSTDIR" CreateDirectory "$INSTDIR"
IfFileExists "$INSTDIR\${UninstLog}" +3 IfFileExists "$INSTDIR\${UninstLog}" +3
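Review bot: An install directory that already exists before this section runs looks only partly covered: `CreateDirectory "$INSTDIR"` leaves an existing directory as it is, and the restore file names only `$INSTDIR`, so files already inside it keep their current ACLs. icacls `/save` also stores DACLs only, not the owner, so a directory created earlier by a non-admin account would presumably stay owned by that account, and an owner can rewrite the DACL. Consider documenting this above the section, for example `; NOTE: only the DACL of $INSTDIR itself is replaced; owner and existing contents are untouched`, or resetting the owner and refusing to install into a non-empty directory. The same applies to the identical section in the first changed file.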