Windows Installer: adapt ACLs and cleanups

* File Permissions: * %ALLUSERSPROFILE%\bareos\bareos-*.d * no access for group Users * %ALLUSERSPROFILE%\bareos\tray-monitor.d * full access for group Users * Section "Consoles" have been renamed to "User Interfaces" * Section Webui have been moved from Director to "User Interfaces" * Added deprecated note at BAT. Don't select BAT by default. * Include PHP and nssm by BuildRequires RPMs (winbareos-nssm, winbareos-php) instead of downloading from there URLs. * MUI_FINISHPAGE: only open Webui, if it is installed.
bareos · Oct 16, 2016 · aa3dfb3 · aa3dfb3
1 parent 8fa9d28
commit aa3dfb3
Show file tree

Hide file tree

Showing 3 changed files with 230 additions and 202 deletions.
diff --git a/platforms/win32/bareos-config-deploy.bat b/platforms/win32/bareos-config-deploy.bat
@@ -13,8 +13,8 @@ if not exist "%SED_CMD%" (
     call :exit 1
 )
 
-echo source %SRC%
-echo dest: %DST%
+echo source: %SRC%
+echo dest:   %DST%
 
 if "%SRC%" == "" (
     call :usage
@@ -43,6 +43,14 @@ if not exist "%DST%\*" (
     call :exit 1
 )
 
+rem Check if the icacls command is available.
+rem If yes, it will later be used to adapt
+rem rem the permissions of the configuration.
+WHERE icacls.exe >NUL
+IF ERRORLEVEL 0 (
+   SET ACL_CMD=icacls.exe
+)
+
 pushd "%SRC%"
 rem c: COMPONENT
 for /D %%c in (*) do (
@@ -71,10 +79,40 @@ for /D %%c in (*) do (
                 "%SED_CMD%" --in-place=".orig" --file "%SED_SCRIPT%" "%%f"
             )
         )
+        if defined ACL_CMD (
+            if "%%c" == "tray-monitor.d" (
+               rem The bareos-tray-monitor should be accessable and its configuration adaptable
+               rem for all users.
+               rem Therefore grant Full Access to the group "Users".
+               "%ACL_CMD%" "%DST%\%%c" /grant *S-1-5-32-545:"(OI)(CI)F"
+            ) else (
+               rem The Bareos Daemon (Dir, Sd, Fd) contains passwords.
+               rem Only users from the "Administrators" group should be able to read them.
+               rem Therefore remove the "Users" group from the ACLs.
+
+               rem Stop ACL inheritance and copy the current ACLs
+               "%ACL_CMD%" "%DST%\%%c" /inheritance:d
+
+               rem Remove ACL for group "Users"
+               "%ACL_CMD%" "%DST%\%%c" /remove:g *S-1-5-32-545 /T
+            )
+        )
     )
     pushd "%SRC%"
 )
 popd
+
+if defined ACL_CMD (
+   rem configure.sed also contains passwords.
+   rem So make it only accessable for Administrators.
+
+   rem Stop ACL inheritance and copy the current ACLs
+   "%ACL_CMD%" "%DST%\configure.sed" /inheritance:d
+
+   rem Remove ACL for group "Users"
+   "%ACL_CMD%" "%DST%\configure.sed" /remove:g *S-1-5-32-545 /T
+)
+
 rem call :exit
 goto:eof
 

diff --git a/platforms/win32/winbareos-nsi.spec b/platforms/win32/winbareos-nsi.spec
@@ -29,14 +29,15 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildArch:      noarch
 
 BuildRequires:  bareos-addons
+BuildRequires:  winbareos-nssm
+BuildRequires:  winbareos-php
 
 BuildRequires:  bc
 BuildRequires:  less
 BuildRequires:  procps
 BuildRequires:  sed
 BuildRequires:  vim
 
-BuildRequires:  unzip
 # Bareos sources
 BuildRequires:  mingw-debugsrc-devel = %{version}
 
@@ -110,11 +111,6 @@ Source9:         databasedialog.ini
 
 %define NSISDLLS KillProcWMI.dll AccessControl.dll LogEx.dll
 
-%define NSSM_VERSION 2.24
-%define PHP_VERSION 5.6.26
-Source11:        http://windows.php.net/downloads/releases/php-%PHP_VERSION-Win32-VC11-x86.zip
-Source12:        https://nssm.cc/release/nssm-%NSSM_VERSION.zip
-
 %description
 Bareos Windows NSI installer packages for the different variants.
 
@@ -154,18 +150,14 @@ for flavor in %{flavors}; do
       echo "" >> %_sourcedir/LICENSE
 
       # nssm
-      unzip %SOURCE12;
-      cp nssm-%NSSM_VERSION/win${BITS}/nssm.exe $RPM_BUILD_ROOT/$flavor/release${BITS}
-
+      cp -a /usr/lib/windows/nssm/win${BITS}/nssm.exe .
       echo "" >> %_sourcedir/LICENSE
       echo "NSSM - the Non-Sucking Service Manager: https://nssm.cc/" >> %_sourcedir/LICENSE
       echo "##### LICENSE FILE OF NSSM START #####" >> %_sourcedir/LICENSE
-      cat nssm-%NSSM_VERSION/README.txt >> %_sourcedir/LICENSE
+      cat /usr/lib/windows/nssm/README.txt >> %_sourcedir/LICENSE
       echo "##### LICENSE FILE OF NSSM END #####" >> %_sourcedir/LICENSE
       echo "" >> %_sourcedir/LICENSE
 
-      rm -rvf nssm-%NSSM_VERSION
-
       # bareos-webui
       cp -av /usr/share/bareos-webui bareos-webui  # copy bareos-webui
       pushd bareos-webui
@@ -183,21 +175,18 @@ for flavor in %{flavors}; do
       echo "" >> %_sourcedir/LICENSE
 
 
-      # php has no subdir in zipfile
-      mkdir php;
-      pushd php;
-      unzip %SOURCE11
-      cp php.ini-production $RPM_BUILD_ROOT/$flavor/release${BITS}/php.ini
+      # php
+      cp -a /usr/lib/windows/php/ .
+      cp php/php.ini .
       echo "" >> %_sourcedir/LICENSE
       echo "PHP: http://php.net/" >> %_sourcedir/LICENSE
       echo "##### LICENSE FILE OF PHP START #####" >> %_sourcedir/LICENSE
-      cat license.txt >> %_sourcedir/LICENSE
+      cat php/license.txt >> %_sourcedir/LICENSE
       echo "##### LICENSE FILE OF PHP END #####" >> %_sourcedir/LICENSE
       echo "" >> %_sourcedir/LICENSE
 
       popd
 
-
       # copy the sql ddls over
       cp -av /etc/$flavor/mingw${BITS}-winbareos/ddl $RPM_BUILD_ROOT/$flavor/release${BITS}