windows config files admin-only access
Windows configuration files were accessible by
normal users until now.

Now we use the NSIS AccessControl Plugin
(http://nsis.sourceforge.net/AccessControl_plug-in)
to limit the access to the Administrator only.

This also means that if you want to edit the
config file, this has to happen as administrator.

Fixes #208: Look into possibility to limit access rights on %APPDATA%/Bareos to administrators only.

Signed-off-by: Marco van Wieringen <marco.van.wieringen@bareos.com>
pstorz authored and Marco van Wieringen committed Feb 17, 2015
1 parent 8372742 commit 9b49454
Showing 2 changed files with 32 additions and 23 deletions.
9 changes: 5 additions & 4 deletions platforms/win32/winbareos-nsi.spec
Expand Up @@ -39,7 +39,7 @@ Source2: clientdialog.ini
Source3: directordialog.ini
Source4: KillProcWMI.dll
Source5: bareos.ico

Source6: AccessControl.dll
%description
bareos
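Review bot: `Source6: AccessControl.dll` adds a prebuilt plugin binary as a package source, and nothing in the spec records which AccessControl release it is or where it was obtained. This DLL is loaded by the installer and is now responsible for setting the ACLs on the config files, so please note the plugin version and download URL in a comment next to the Source6 line and consider checking the file against a known checksum during the build.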

Expand All @@ -59,7 +59,8 @@ bareos
%build

mkdir -p $RPM_BUILD_ROOT/nsisplugins
cp %SOURCE4 $RPM_BUILD_ROOT/nsisplugins
cp %SOURCE4 $RPM_BUILD_ROOT/nsisplugins # KillProcWMI
cp %SOURCE6 $RPM_BUILD_ROOT/nsisplugins # AccessControl

mkdir $RPM_BUILD_ROOT/release32
mkdir $RPM_BUILD_ROOT/release64
Expand All @@ -84,8 +85,8 @@ for cfg in /etc/mingw64-winbareos/*.conf; do
cp $cfg $RPM_BUILD_ROOT/release64
done

cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE5 %_sourcedir/LICENSE $RPM_BUILD_ROOT/release32
cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE5 %_sourcedir/LICENSE $RPM_BUILD_ROOT/release64
cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE5 %SOURCE6 %_sourcedir/LICENSE $RPM_BUILD_ROOT/release32
cp %SOURCE1 %SOURCE2 %SOURCE3 %SOURCE4 %SOURCE5 %SOURCE6 %_sourcedir/LICENSE $RPM_BUILD_ROOT/release64

makensis -DPRODUCT_VERSION=%version-%release -DBIT_WIDTH=32 $RPM_BUILD_ROOT/release32/winbareos.nsi
makensis -DPRODUCT_VERSION=%version-%release -DBIT_WIDTH=64 $RPM_BUILD_ROOT/release64/winbareos.nsi
46 changes: 27 additions & 19 deletions platforms/win32/winbareos.nsi
Expand Up @@ -181,6 +181,33 @@ FunctionEnd
Rename "$PLUGINSDIR\${fname}" "$APPDATA\${PRODUCT_NAME}\${fname}"
${EndIf}
CreateShortCut "$SMPROGRAMS\${PRODUCT_NAME}\Edit ${fname}.lnk" "write.exe" '"$APPDATA\${PRODUCT_NAME}\${fname}"'

# disable file access inheritance
AccessControl::DisableFileInheritance "$APPDATA\${PRODUCT_NAME}\${fname}"
Pop $R0
DetailPrint `AccessControl result: $R0`
${If} $R0 == error
Pop $R0
DetailPrint `AccessControl error: $R0`
${EndIf}

# set file owner to administrator
AccessControl::SetFileOwner "$APPDATA\${PRODUCT_NAME}\${fname}" "(S-1-5-32-544)" # administratoren
Pop $R0
DetailPrint `AccessControl result: $R0`
${If} $R0 == error
Pop $R0
DetailPrint `AccessControl error: $R0`
${EndIf}

# set fullaccess only for administrators (S-1-5-32-544)
AccessControl::ClearOnFile "$APPDATA\${PRODUCT_NAME}\${fname}" "(S-1-5-32-544)" "FullAccess"
Pop $R0
DetailPrint `AccessControl result: $R0`
${If} $R0 == error
Pop $R0
DetailPrint `AccessControl error: $R0`
${EndIf}
!macroend
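Review bot: In all three AccessControl blocks a failure is only written to the install details (`DetailPrint \`AccessControl error: $R0\``) and the macro carries on, so if DisableFileInheritance, SetFileOwner or ClearOnFile returns error the config file keeps its previous permissions and the installation continues without anyone noticing. Suggest treating an error result as a hard failure for that file, or at least warning the user, and moving the repeated Pop/DetailPrint/If sequence into a small helper macro so the three calls handle errors identically. Two smaller points: the `Edit ${fname}.lnk` shortcut in the context lines above still starts write.exe without elevation although the file is now admin-only, and the trailing comment `# administratoren` should be in English.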


Expand Down Expand Up @@ -924,22 +951,3 @@ Push $R1
Pop $R1
Pop $R0
FunctionEnd



# TODO:
# - access on conf files has to be limited to administrators
# - tray-monitor automatic start at login
# - tray-monitor does not work right now (why?)
# - create snippet for restricted console that is only allowed to access
# this client
#
# DONE:
# - silent installer with configurable parameters that are otherwise in the forms
# - find out if a prior version is already installed and use that install directory or uninstall it first
# - add firewall rule for bareos-fd after installation.
# - put the config files in $APPDATA
# - add section bconsole automatically when section bat is selected
# - add license information to installer
# - kill tray monitor before installing / updateing TODO: testing
# - replace "the network backups solution" by "backup archiving recovery open sourced"
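Review bot: Only the first TODO entry, `access on conf files has to be limited to administrators`, is resolved by this commit, yet the whole TODO/DONE block at the end of winbareos.nsi is removed. The two tray-monitor items and the restricted-console snippet are still open as far as this diff shows; please keep those entries in the file or move them to the issue tracker and say so in the commit message.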
