windows config files admin-only access

Windows configuration files were accessible by normal users until now. Now we use the NSIS AccessControl Plugin (http://nsis.sourceforge.net/AccessControl_plug-in) to limit the access to the Administrator only. This also means that if you want to edit the config file, this has to happen as administrator. Fixes #208: Look into possibility to limit access rights on %APPDATA%/Bareos to administrators only. Signed-off-by: Marco van Wieringen <marco.van.wieringen@bareos.com>
bareos · Feb 17, 2015 · 2c4a67d · 2c4a67d
1 parent b549fd4
commit 2c4a67d
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 23 deletions.
diff --git a/platforms/win32/winbareos-nsi.spec b/platforms/win32/winbareos-nsi.spec
@@ -39,7 +39,7 @@ Source2:         clientdialog.ini
 Source3:         directordialog.ini
 Source4:         KillProcWMI.dll
 Source5:         bareos.ico
-
+Source6:         AccessControl.dll
 %description
 bareos
 
@@ -59,7 +59,8 @@ bareos
 %build
 
 mkdir -p $RPM_BUILD_ROOT/nsisplugins
-cp %SOURCE4 $RPM_BUILD_ROOT/nsisplugins
+cp %SOURCE4 $RPM_BUILD_ROOT/nsisplugins  #  KillProcWMI
+cp %SOURCE6 $RPM_BUILD_ROOT/nsisplugins  #  AccessControl
 
 mkdir  $RPM_BUILD_ROOT/release32
 mkdir  $RPM_BUILD_ROOT/release64
@@ -84,8 +85,8 @@ for cfg in /etc/mingw64-winbareos/*.conf; do
       cp $cfg $RPM_BUILD_ROOT/release64
 done
 
-cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE5 %_sourcedir/LICENSE $RPM_BUILD_ROOT/release32
-cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE5 %_sourcedir/LICENSE $RPM_BUILD_ROOT/release64
+cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE5 %SOURCE6 %_sourcedir/LICENSE $RPM_BUILD_ROOT/release32
+cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE5 %SOURCE6 %_sourcedir/LICENSE $RPM_BUILD_ROOT/release64
 
 makensis -DPRODUCT_VERSION=%version-%release -DBIT_WIDTH=32 $RPM_BUILD_ROOT/release32/winbareos.nsi
 makensis -DPRODUCT_VERSION=%version-%release -DBIT_WIDTH=64 $RPM_BUILD_ROOT/release64/winbareos.nsi

diff --git a/platforms/win32/winbareos.nsi b/platforms/win32/winbareos.nsi
@@ -181,6 +181,33 @@ FunctionEnd
     Rename "$PLUGINSDIR\${fname}" "$APPDATA\${PRODUCT_NAME}\${fname}"
   ${EndIf}
  CreateShortCut "$SMPROGRAMS\${PRODUCT_NAME}\Edit ${fname}.lnk" "write.exe" '"$APPDATA\${PRODUCT_NAME}\${fname}"'
+
+# disable file access inheritance
+ AccessControl::DisableFileInheritance "$APPDATA\${PRODUCT_NAME}\${fname}"
+ Pop $R0
+ DetailPrint `AccessControl result: $R0`
+ ${If} $R0 == error
+    Pop $R0
+    DetailPrint `AccessControl error: $R0`
+ ${EndIf}
+
+# set file owner to administrator
+ AccessControl::SetFileOwner "$APPDATA\${PRODUCT_NAME}\${fname}" "(S-1-5-32-544)"  # administratoren
+ Pop $R0
+ DetailPrint `AccessControl result: $R0`
+ ${If} $R0 == error
+    Pop $R0
+    DetailPrint `AccessControl error: $R0`
+ ${EndIf}
+
+# set fullaccess only for administrators (S-1-5-32-544)
+ AccessControl::ClearOnFile "$APPDATA\${PRODUCT_NAME}\${fname}" "(S-1-5-32-544)" "FullAccess"
+ Pop $R0
+ DetailPrint `AccessControl result: $R0`
+ ${If} $R0 == error
+    Pop $R0
+    DetailPrint `AccessControl error: $R0`
+ ${EndIf}
 !macroend
 
 
@@ -283,6 +310,7 @@ SectionIn 1 2 3
 
   SetOutPath "$INSTDIR"
   SetOverwrite ifnewer
+  CreateDirectory "$INSTDIR\Plugins"
   CreateDirectory "$SMPROGRAMS\${PRODUCT_NAME}"
   CreateDirectory "$APPDATA\${PRODUCT_NAME}"
   File "bareos-fd.exe"
@@ -893,6 +921,7 @@ ConfDeleteSkip:
   Delete "$SMPROGRAMS\${PRODUCT_NAME}\Website.lnk"
   Delete "$SMPROGRAMS\${PRODUCT_NAME}\Uninstall.lnk"
   RMDir "$SMPROGRAMS\${PRODUCT_NAME}"
+  RMDir "$INSTDIR\Plugins"
   RMDir "$INSTDIR"
   DeleteRegKey ${PRODUCT_UNINST_ROOT_KEY} "${PRODUCT_UNINST_KEY}"
   DeleteRegKey HKLM "${PRODUCT_DIR_REGKEY}"
@@ -924,22 +953,3 @@ Push $R1
 Pop $R1
 Pop $R0
 FunctionEnd
-
-
-
-# TODO:
-# - access on conf files has to be limited to administrators
-# - tray-monitor automatic start at login
-# - tray-monitor does not work right now (why?)
-# - create snippet for restricted console that is only allowed to access
-#   this client
-#
-# DONE:
-# - silent installer with configurable parameters that are otherwise in the forms
-# - find out if a prior version is already installed and use that install directory or uninstall it first
-# - add firewall rule for bareos-fd after installation.
-# - put the config files in $APPDATA
-# - add section bconsole automatically when section bat is selected
-# - add license information to installer
-# - kill tray monitor before installing / updateing TODO: testing
-# - replace "the network backups solution" by "backup archiving recovery open sourced"