vikarti.anatra/safing-portmaster
1
0
Fork 0
mirror of https://github.com/safing/portmaster synced 2025-09-04 11:39:29 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Simplify windows acl calls and switch to using SIDs

Browse source
This commit is contained in:
Daniel 2024-12-06 14:34:54 +01:00
parent 05a5d5e350
commit 9d874daed2
1 changed files with 51 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
base/utils/permissions_windows.go
View file

@ -7,32 +7,71 @@ import (
"golang.org/x/sys/windows" "golang.org/x/sys/windows"
) )
var (
systemSID *windows.SID
adminsSID *windows.SID
usersSID *windows.SID
)
func init() {
var err error
systemSID, err = windows.StringToSid("S-1-5") // NT Authority / SYSTEM
if err != nil {
panic(err)
}
adminsSID, err = windows.StringToSid("S-1-5-32-544") // Administrators
if err != nil {
panic(err)
}
usersSID, err = windows.StringToSid("S-1-5-32-545") // Users
if err != nil {
panic(err)
}
}
// SetDirPermission sets the permission of a directory.
func SetDirPermission(path string, perm FSPermission) error { func SetDirPermission(path string, perm FSPermission) error {
setWindowsFilePermissions(path, perm) SetFilePermission(path, perm)
return nil return nil
} }
// SetExecPermission sets the permission of an executable file. // SetExecPermission sets the permission of an executable file.
func SetExecPermission(path string, perm FSPermission) error { func SetExecPermission(path string, perm FSPermission) error {
return SetDirPermission(path, perm) SetFilePermission(path, perm)
return nil
} }
func setWindowsFilePermissions(path string, perm FSPermission) { // SetFilePermission sets the permission of a non executable file.
func SetFilePermission(path string, perm FSPermission) {
switch perm { switch perm {
case AdminOnlyPermission: case AdminOnlyPermission:
// Set only admin rights, remove all others. // Set only admin rights, remove all others.
acl.Apply(path, true, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "Administrators")) acl.Apply(
path,
true,
false,
acl.GrantSid(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, systemSID),
acl.GrantSid(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, adminsSID),
)
case PublicReadPermission: case PublicReadPermission:
// Set admin rights and read/execute rights for users, remove all others. // Set admin rights and read/execute rights for users, remove all others.
acl.Apply(path, true, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "Administrators")) acl.Apply(
acl.Apply(path, false, false, acl.GrantName(windows.GENERIC_EXECUTE, "Users")) path,
acl.Apply(path, false, false, acl.GrantName(windows.GENERIC_READ, "Users")) true,
false,
acl.GrantSid(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, systemSID),
acl.GrantSid(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, adminsSID),
acl.GrantSid(windows.GENERIC_READ|windows.GENERIC_EXECUTE, usersSID),
)
case PublicWritePermission: case PublicWritePermission:
// Set full control to admin and regular users. Guest users will not have access. // Set full control to admin and regular users. Guest users will not have access.
acl.Apply(path, true, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "Administrators")) acl.Apply(
acl.Apply(path, false, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "Users")) path,
true,
false,
acl.GrantSid(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, systemSID),
acl.GrantSid(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, adminsSID),
acl.GrantSid(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, usersSID),
)
} }
// For completeness
acl.Apply(path, false, false, acl.GrantName(windows.GENERIC_ALL|windows.STANDARD_RIGHTS_ALL, "SYSTEM"))
} }