forked from microsoft/navcontainerhelper
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Check-BcContainerHelperPermissions.ps1
204 lines (196 loc) · 9.9 KB
/
Check-BcContainerHelperPermissions.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
<#
.Synopsis
Checks Permissions for BcContainerHelper to run
.Description
When running BcContainerHelper as administrator, you have access to everything.
When running BcContainerHelper as a user, that user needs:
- Full control to C:\ProgramData\BcContainerHelper (in order to create and remove containers)
- Modify permissions to C:\Windows\System32\drivers\etc\hosts (if you use -updatehosts)
- Full control to docker engine pipe (in order to run docker commands)
This script checks these permissions and allows you to fix the permissions by specifying -fix
.Parameter fix
Specify fix in order for this script to attempt to fix permissions
.Parameter silent
Specify -silent to stay silent on successfull permission checks
.Parameter ignoreHosts
Specify -ignoreHosts to ignore checking the permissions for the hosts file
.Example
Check-BcContainerHelperPermissions -fix
.Example
Check-BcContainerHelperPermissions -fix -ignoreHosts
.Example
Check-BcContainerHelperPermissions -silent
#>
function Check-BcContainerHelperPermissions {
Param (
[switch] $Fix,
[switch] $Silent,
[switch] $IgnoreHosts
)
if (!$isAdministrator -or $Fix) {
$startProcessParams = @{
"Verb" = "RunAs"
"Wait" = $true
"WindowStyle" = "Hidden"
"PassThru" = $true
}
if ($isPsCore) {
$startProcessParams += @{ "FilePath" = "pwsh" }
}
else {
$startProcessParams += @{ "FilePath" = "powershell" }
}
if (!$silent) {
if ($isAdministrator) {
Write-Host "Running as administrator"
} else {
Write-Host "Running as $myUsername"
}
}
# Check access to C:\ProgramData\BcContainerHelper
if (!$silent) {
Write-Host "Checking permissions to $($bcContainerHelperConfig.hostHelperFolder)"
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'FullControl', 3, 'InheritOnly', 'Allow')
$acl = Get-Acl -Path $bcContainerHelperConfig.hostHelperFolder
$access = $acl.Access | Where-Object { $_.IdentityReference -eq $rule.IdentityReference -and $_.FileSystemRights -eq $rule.FileSystemRights -and $_.AccessControlType -eq $rule.AccessControlType -and $_.InheritanceFlags -eq $rule.InheritanceFlags }
if ($access) {
if (!$silent) {
Write-Host -ForegroundColor Green "$myUsername has the right permissions to $($bcContainerHelperConfig.hostHelperFolder)"
}
} else {
Write-Host -ForegroundColor Red "$myUsername does NOT have Full Control to $($bcContainerHelperConfig.hostHelperFolder) and all subfolders"
if (!$Fix) {
Write-Host -ForegroundColor Red "You need to run as administrator or you can run Check-BcContainerHelperPermissions -Fix to fix permissions"
} else {
Write-Host -ForegroundColor Yellow "Trying to add permissions"
$scriptblock = {
Param($myUsername, $hostHelperFolder)
try {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'FullControl', 3, 'InheritOnly', 'Allow')
$acl = Get-Acl -Path $hostHelperFolder
$acl.AddAccessRule($rule)
Set-Acl -Path $hostHelperFolder -AclObject $acl
EXIT 0
} catch {
EXIT 1
}
}
$exitCode = (Start-Process @startProcessParams -ArgumentList "-command & {$scriptblock} -myUsername '$myUsername' -hostHelperFolder '$($bcContainerHelperConfig.hostHelperFolder)'").ExitCode
if ($exitcode -eq 0) {
Write-Host -ForegroundColor Green "Permissions successfully added"
} else {
Write-Host -ForegroundColor Red "Error adding permissions"
}
}
}
if (!$IgnoreHosts) {
# check access to c:\windows\system32\drivers\etc\hosts
$hostsFile = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
if (!$silent) {
Write-Host "Checking permissions to $hostsFile"
}
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'Modify', 'Allow')
$acl = Get-Acl -Path $hostsFile
$access = $acl.Access | Where-Object { $_.IdentityReference -eq $rule.IdentityReference -and $_.FileSystemRights -eq $rule.FileSystemRights -and $_.AccessControlType -eq $rule.AccessControlType }
if ($access) {
if (!$silent) {
Write-Host -ForegroundColor Green "$myUsername has the right permissions to $hostsFile"
}
} else {
Write-Host -ForegroundColor Red "$myUsername does NOT have modify permissions to $hostsFile"
if (!$Fix) {
Write-Host -ForegroundColor Red "You need to run as administrator or you can run Check-BcContainerHelperPermissions -Fix to fix permissions"
} else {
Write-Host -ForegroundColor Yellow "Trying to add permissions"
$scriptblock = {
Param($myUsername, $hostsFile)
try {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'Modify', 'Allow')
$acl = Get-Acl -Path $hostsFile
$acl.AddAccessRule($rule)
Set-Acl -Path $hostsFile -AclObject $acl
EXIT 0
} catch {
EXIT 1
}
}
$exitcode = (Start-Process @startProcessParams -ArgumentList "-command & {$scriptblock} -myUsername '$myUsername' -hostsFile '$hostsFile'").ExitCode
if ($exitcode -eq 0) {
Write-Host -ForegroundColor Green "Permissions successfully added"
} else {
Write-Host -ForegroundColor Red "Error adding permissions"
}
}
}
}
# Check Access to Docker Deamon Socket
# Thanks to Tobias Fenster, Axians Infoma for this blog post:
# https://www.axians-infoma.com/techblog/allow-access-to-the-docker-engine-without-admin-rights-on-windows/
# Pointing me in the right directions wrt. running docker commands without admin rights
if (!$silent) {
Write-Host "Checking permissions to docker commands"
}
$npipe = ""
$dockerOk = $true
$pre = $errorActionPreference
$errorActionPreference = 'Continue'
try{
$tempFile = [System.IO.Path]::GetTempFileName()
$ps = docker ps 2> $tempFile
if ($LASTEXITCODE -ne 0) {
$dockerOk = $false
$err = [System.IO.File]::ReadAllText($tempFile)
Write-Host "ERROR: $err"
Remove-Item -Path $tempFile -ErrorAction Ignore
$npipeStart = $err.IndexOf('\\.\pipe')
if ($npipeStart -lt 0) {
$npipeStart = $err.IndexOf('//./pipe')
}
$npipe = $err.Substring($npipeStart)
$npipeEnd = $npipe.IndexOf(':')
$npipe = $npipe.SubString(0, $npipeEnd)
Write-Host "npipe: $npipe"
}
} catch {
$dockerOk = $false
}
$errorActionPreference = $pre
if ($dockerOk) {
if (!$silent) {
Write-Host -ForegroundColor Green "$myUsername has the right permissions to run docker commands"
}
} else {
Write-Host -ForegroundColor Red "$myUsername does NOT have permissions to run docker commands"
if (!$Fix) {
Write-Host -ForegroundColor Red "You need to run as administrator or you can run Check-BcContainerHelperPermissions -Fix to fix permissions"
} else {
if ($npipe -eq "") {
Write-Host -ForegroundColor Red "Unable to determine docker deamon socket. Are you sure Docker is running and reachable?"
} else {
Write-Host -ForegroundColor Yellow "Trying to add permissions"
$scriptblock = {
Param($myUsername, $npipe)
try {
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'FullControl', 'Allow')
$acl = Get-Acl -Path $npipe
$acl.AddAccessRule($rule)
Set-Acl -Path $npipe -AclObject $acl
exit 0
} catch {
exit 1
}
}
$exitcode = (Start-Process @startProcessParams -ArgumentList "-command & {$scriptblock} -myUsername '$myUsername' -npipe '$npipe'").ExitCode
if ($exitcode -eq 0) {
Write-Host -ForegroundColor Green "Permissions successfully added"
} else {
Write-Host -ForegroundColor Red "Error adding permissions"
}
}
}
}
}
}
Set-Alias -Name Check-NavContainerHelperPermissions -Value Check-BcContainerHelperPermissions
Export-ModuleMember -Function Check-BcContainerHelperPermissions -Alias Check-NavContainerHelperPermissions