fix(Windows): Restrict non-default install directory permissions
Installations to Program Files (default) inherit restrictive permissions, disallowing regular users from writing to files in the install location. If a user installs to another directory with laxer permissions, though, e.g. C:\, the install directory can be writable by non-admins, creating a privilege escalation opportunity. An unprivileged user could modify or replace the qTox binary or a DLL, which would then be run by any other user on the system. Clone the Program Files permissions rather than trying to craft sane permissions manually, for simplicity and compatibility.
parent
2c2c6f6818
commit
553bd47e81
|
@ -206,6 +206,26 @@ FunctionEnd
|
||||||
;Uninstall log file missing.
|
;Uninstall log file missing.
|
||||||
LangString UninstLogMissing ${LANG_ENGLISH} "${UninstLog} not found!$\r$\nUninstallation cannot proceed!"
|
LangString UninstLogMissing ${LANG_ENGLISH} "${UninstLog} not found!$\r$\nUninstallation cannot proceed!"
|
||||||
|
|
||||||
|
Section "Create install directory"
|
||||||
|
CreateDirectory "$INSTDIR"
|
||||||
|
nsExec::ExecToStack 'icacls "$PROGRAMFILES64" /save "$TEMP\program-files-permissions.txt"'
|
||||||
|
Pop $0 # return value/error/timeout
|
||||||
|
Pop $1 # printed text, up to ${NSIS_MAX_STRLEN}
|
||||||
|
FileOpen $0 "$TEMP\program-files-permissions.txt" r
|
||||||
|
FileReadUTF16LE $0 $1 1024
|
||||||
|
FileReadUTF16LE $0 $2 1024
|
||||||
|
FileClose $0
|
||||||
|
DetailPrint "First read line is: $1"
|
||||||
|
DetailPrint "Second read line is: $2"
|
||||||
|
FileOpen $0 "$TEMP\qTox-install-file-permissions.txt" w
|
||||||
|
FileWriteUTF16LE $0 "$INSTDIR"
|
||||||
|
FileWriteUTF16LE $0 "$\r$\n"
|
||||||
|
DetailPrint "Writing to file: $2"
|
||||||
|
FileWriteUTF16LE $0 "$2"
|
||||||
|
FileClose $0
|
||||||
|
nsExec::Exec 'icacls "" /restore "$TEMP\qTox-install-file-permissions.txt"'
|
||||||
|
SectionEnd
|
||||||
|
|
||||||
Section -openlogfile
|
Section -openlogfile
|
||||||
CreateDirectory "$INSTDIR"
|
CreateDirectory "$INSTDIR"
|
||||||
IfFileExists "$INSTDIR\${UninstLog}" +3
|
IfFileExists "$INSTDIR\${UninstLog}" +3
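Review bot: The permission hardening in `Section "Create install directory"` fails open: the exit status of the `icacls ... /save` call is popped into `$0` and then overwritten by `FileOpen`, neither `FileOpen` is checked, and the value that `nsExec::Exec` pushes for the `/restore` call is never popped, so if any step fails (or the descriptor line does not fit the 1024-character read) the install carries on with whatever ACL the directory inherited. Consider checking the restore result and stopping the install, e.g. `Pop $0` / `StrCmp $0 "0" +2` / `Abort "Could not restrict permissions on $INSTDIR"`, with the same check after the `/save` call. The two fixed-name files under `$TEMP` are not deleted within this section, and the second one is trusted as the ACL source; a `Delete` of both after the restore would help, and it is worth confirming that nothing less privileged than the installer can write to `$TEMP` between the write and the restore. The section also has a visible name, unlike `-openlogfile` below it, so if the installer shows a components page it could presumably be deselected; `SectionIn RO` or a `-` prefix may be what is intended.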
|
||||||
|
|
|
@ -206,6 +206,26 @@ FunctionEnd
|
||||||
;Uninstall log file missing.
|
;Uninstall log file missing.
|
||||||
LangString UninstLogMissing ${LANG_ENGLISH} "${UninstLog} not found!$\r$\nUninstallation cannot proceed!"
|
LangString UninstLogMissing ${LANG_ENGLISH} "${UninstLog} not found!$\r$\nUninstallation cannot proceed!"
|
||||||
|
|
||||||
|
Section "Create install directory"
|
||||||
|
CreateDirectory "$INSTDIR"
|
||||||
|
nsExec::ExecToStack 'icacls "$PROGRAMFILES64" /save "$TEMP\program-files-permissions.txt"'
|
||||||
|
Pop $0 # return value/error/timeout
|
||||||
|
Pop $1 # printed text, up to ${NSIS_MAX_STRLEN}
|
||||||
|
FileOpen $0 "$TEMP\program-files-permissions.txt" r
|
||||||
|
FileReadUTF16LE $0 $1 1024
|
||||||
|
FileReadUTF16LE $0 $2 1024
|
||||||
|
FileClose $0
|
||||||
|
DetailPrint "First read line is: $1"
|
||||||
|
DetailPrint "Second read line is: $2"
|
||||||
|
FileOpen $0 "$TEMP\qTox-install-file-permissions.txt" w
|
||||||
|
FileWriteUTF16LE $0 "$INSTDIR"
|
||||||
|
FileWriteUTF16LE $0 "$\r$\n"
|
||||||
|
DetailPrint "Writing to file: $2"
|
||||||
|
FileWriteUTF16LE $0 "$2"
|
||||||
|
FileClose $0
|
||||||
|
nsExec::Exec 'icacls "" /restore "$TEMP\qTox-install-file-permissions.txt"'
|
||||||
|
SectionEnd
|
||||||
|
|
||||||
Section -openlogfile
|
Section -openlogfile
|
||||||
CreateDirectory "$INSTDIR"
|
CreateDirectory "$INSTDIR"
|
||||||
IfFileExists "$INSTDIR\${UninstLog}" +3
|
IfFileExists "$INSTDIR\${UninstLog}" +3
|
||||||
|
|