Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deny default write permissions from windows root directory #1962

Merged
merged 3 commits into from
Nov 19, 2024
Merged

deny default write permissions from windows root directory #1962

merged 3 commits into from
Nov 19, 2024

Conversation

zackattack01
Copy link
Contributor

this adds an additional check to the windows_svc_config startup routine to verify permissions for the configured root directory. I do not love the concept of adding an explicit denial instead of just removing the existing grant, but this has been the only way i've seen success so far, after trying several different ways to do this.

Once the changes run I am no longer able to create/write nested directories inside of the root directory without using an admin console. Subsequent runs see the entry exists and skip before making further changes.

Follow up PRs will attempt to set the proper directory permissions on package install

@zackattack01 zackattack01 marked this pull request as draft November 19, 2024 19:16
RebeccaMahany
RebeccaMahany previously approved these changes Nov 19, 2024
View reviewed changes
@RebeccaMahany RebeccaMahany added the bug-fixes Bug Fixes label Nov 19, 2024
James-Pickett
James-Pickett previously approved these changes Nov 19, 2024
View reviewed changes
@zackattack01 zackattack01 force-pushed the zack/update_windows_rootdir_permissions branch from 41e3c19 to d129718 Compare November 19, 2024 20:41
@zackattack01 zackattack01 marked this pull request as ready for review November 19, 2024 20:43
directionless
directionless reviewed Nov 19, 2024
View reviewed changes
cmd/launcher/svc_config_windows.go Outdated
// if there is already a DENY entry set for user's group to avoid recreating every time
for i := 0; i < int(existingDACL.AceCount); i++ {
var ace *windows.ACCESS_ALLOWED_ACE
err = windows.GetAce(existingDACL, uint32(i), &ace)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reusing err in here always feels fixy. Can we use the common if err := ... form?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh yep!

@zackattack01 zackattack01 added this pull request to the merge queue Nov 19, 2024
Merged via the queue into main with commit 7d72304 Nov 19, 2024
29 checks passed
@zackattack01 zackattack01 deleted the zack/update_windows_rootdir_permissions branch November 19, 2024 21:46
@RebeccaMahany RebeccaMahany mentioned this pull request Nov 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@directionless directionless directionless left review comments

@James-Pickett James-Pickett James-Pickett approved these changes

@RebeccaMahany RebeccaMahany RebeccaMahany approved these changes

Assignees
No one assigned
Labels
bug-fixes Bug Fixes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zackattack01 @directionless @RebeccaMahany @James-Pickett