Ensure the destination for downloaded ADMX files is writable

Fleex255 · Nov 2, 2016 · b5da020 · b5da020
1 parent 400c3a8
commit b5da020
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 16 deletions.
diff --git a/PolicyPlus/DownloadAdmx.vb b/PolicyPlus/DownloadAdmx.vb
@@ -38,7 +38,9 @@ Public Class DownloadAdmx
                                  IO.Directory.CreateDirectory(Dest)
                                  For Each file In IO.Directory.EnumerateFiles(Source)
                                      Dim plainFilename = IO.Path.GetFileName(file)
-                                     IO.File.Move(file, IO.Path.Combine(Dest, plainFilename))
+                                     Dim newName = IO.Path.Combine(Dest, plainFilename)
+                                     If IO.File.Exists(newName) Then IO.File.Delete(newName)
+                                     IO.File.Move(file, newName)
                                  Next
                              End Sub
         Task.Factory.StartNew(Sub()
@@ -59,6 +61,18 @@ Public Class DownloadAdmx
                                       proc.WaitForExit()
                                       If proc.ExitCode <> 0 Then Throw New Exception ' msiexec failed
                                       IO.File.Delete(downloadPath)
+                                      If IO.Directory.Exists(destination) Then
+                                          failPhase = "take control of the destination"
+                                          setProgress("Securing destination...")
+                                          Privilege.EnablePrivilege("SeTakeOwnershipPrivilege")
+                                          Privilege.EnablePrivilege("SeRestorePrivilege")
+                                          Dim dacl = IO.Directory.GetAccessControl(destination)
+                                          Dim adminSid As New Security.Principal.SecurityIdentifier(Security.Principal.WellKnownSidType.BuiltinAdministratorsSid, Nothing)
+                                          dacl.SetOwner(adminSid)
+                                          Dim allowRule As New Security.AccessControl.FileSystemAccessRule(adminSid, Security.AccessControl.FileSystemRights.FullControl, Security.AccessControl.AccessControlType.Allow)
+                                          dacl.AddAccessRule(allowRule)
+                                          IO.Directory.SetAccessControl(destination, dacl)
+                                      End If
                                       failPhase = "move the ADMX files"
                                       setProgress("Moving files to destination...")
                                       Dim langSubfolder = Globalization.CultureInfo.CurrentCulture.Name

diff --git a/PolicyPlus/PolicyLoader.vb b/PolicyPlus/PolicyLoader.vb
@@ -58,21 +58,8 @@ Public Class PolicyLoader
                 SourceObject = regPol
             Case PolicyLoaderSource.NtUserDat
                 ' Turn on the backup and restore privileges to allow the use of RegLoadKey
-                Dim restoreLuid, backupLuid As PInvokeLuid
-                Dim restorePriv, backupPriv As PInvokeTokenPrivileges
-                Dim thisProcToken As IntPtr
-                PInvoke.OpenProcessToken(PInvoke.GetCurrentProcess, &H28, thisProcToken) ' 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
-                PInvoke.LookupPrivilegeValueW(Nothing, "SeRestorePrivilege", restoreLuid)
-                PInvoke.LookupPrivilegeValueW(Nothing, "SeBackupPrivilege", backupLuid)
-                restorePriv.PrivilegeCount = 1
-                restorePriv.Attributes = 2 ' SE_PRIVILEGE_ENABLED
-                restorePriv.LUID = restoreLuid
-                backupPriv.PrivilegeCount = 1
-                backupPriv.Attributes = 2
-                backupPriv.LUID = backupLuid
-                PInvoke.AdjustTokenPrivileges(thisProcToken, False, restorePriv, Marshal.SizeOf(restorePriv), IntPtr.Zero, 0)
-                PInvoke.AdjustTokenPrivileges(thisProcToken, False, backupPriv, Marshal.SizeOf(backupPriv), IntPtr.Zero, 0)
-                PInvoke.CloseHandle(thisProcToken)
+                Privilege.EnablePrivilege("SeBackupPrivilege")
+                Privilege.EnablePrivilege("SeRestorePrivilege")
                 ' Load the hive
                 Using machHive = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Default)
                     Dim subkeyName = "PolicyPlusMount:" & Guid.NewGuid().ToString

diff --git a/PolicyPlus/PolicyPlus.vbproj b/PolicyPlus/PolicyPlus.vbproj
@@ -237,6 +237,7 @@
     <Compile Include="PolicySource.vb" />
     <Compile Include="PolicyStructures.vb" />
     <Compile Include="PresentationStructures.vb" />
+    <Compile Include="Privilege.vb" />
     <Compile Include="SpolFile.vb" />
     <Compile Include="XmlExtensions.vb" />
   </ItemGroup>

diff --git a/PolicyPlus/Privilege.vb b/PolicyPlus/Privilege.vb
@@ -0,0 +1,15 @@
+Imports System.Runtime.InteropServices
+Public Class Privilege
+    Public Shared Sub EnablePrivilege(Name As String)
+        Dim luid As PInvokeLuid
+        Dim priv As PInvokeTokenPrivileges
+        Dim thisProcToken As IntPtr
+        PInvoke.OpenProcessToken(PInvoke.GetCurrentProcess, &H28, thisProcToken) ' 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
+        PInvoke.LookupPrivilegeValueW(Nothing, Name, luid)
+        priv.Attributes = 2 ' SE_PRIVILEGE_ENABLED
+        priv.PrivilegeCount = 1
+        priv.LUID = luid
+        PInvoke.AdjustTokenPrivileges(thisProcToken, False, priv, Marshal.SizeOf(priv), IntPtr.Zero, 0)
+        PInvoke.CloseHandle(thisProcToken)
+    End Sub
+End Class