Lock down bin folder for admin installs
johnstevenson committed Aug 6, 2020
1 parent 05ac76f commit ca9f143
Showing 2 changed files with 30 additions and 8 deletions.
25 changes: 17 additions & 8 deletions src/composer.iss
Expand Up @@ -12,8 +12,9 @@
#define CmdPhp "php.exe"
#define CmdBat "composer.bat"
#define CmdShell "composer"
#define RunPhp "runphp.exe"
#define DllData "userdata.dll"
#define PermsBat "acls.bat"
#define RunPhp "runphp.exe"

#define PhpCheck "check.php"
#define PhpIniCheck "inicheck.php"
Expand Down Expand Up @@ -88,13 +89,14 @@ WizardSizePercent=110,100
OutputBaseFilename=Composer-Setup.dev
#endif


[LangOptions]
DialogFontSize=10


[Dirs]
; we need to make all-users directory writeable so composer.phar can update
Name: {code:GetBinDir}; Permissions: users-modify; Check: CheckPermisions;
; remove the directory so existing permissions are not preserved
[InstallDelete]
Type: filesandordirs; Name: {code:GetBinDir}; Check: CheckPermisions;


[Files]
Expand All @@ -103,6 +105,7 @@ Source: php\{#PhpCheck}; Flags: dontcopy;
Source: php\{#PhpInstaller}; Flags: dontcopy;
Source: php\{#PhpIniCheck}; Flags: dontcopy;
Source: runphp\{#RunPhp}; Flags: dontcopy signonce;
Source: scripts\{#PermsBat}; Flags: dontcopy;
Source: shims\{#CmdShell}; Flags: dontcopy;

; app files
Expand All @@ -121,6 +124,7 @@ Type: filesandordirs; Name: {code:GetBinDir};


[Run]
Filename: {tmp}\{#PermsBat}; Flags: runhidden; Check: CheckPermisions;
Filename: "https://{#AppUrl}"; Description: "View online documentation"; Flags: postinstall shellexec unchecked;


Expand Down Expand Up @@ -357,6 +361,7 @@ const
LF2 = LF + LF;
TAB = #32#32#32#32#32#32;
PERMS_BAT = '{#PermsBat}';
RUN_PHP = '{#RunPhp}';
PHP_CHECK = '{#PhpCheck}';
PHP_CHECK_ID = '{#PHP_CHECK_ID}';
Expand Down Expand Up @@ -621,6 +626,7 @@ begin
GTmpDir := RemoveBackslash(ExpandConstant('{tmp}'));
{Extract our temp files to installer directory}
ExtractTemporaryFile(PERMS_BAT);
ExtractTemporaryFile(RUN_PHP);
ExtractTemporaryFile(PHP_CHECK);
ExtractTemporaryFile(PHP_INICHECK);
Expand Down Expand Up @@ -1691,7 +1697,10 @@ begin
Current := (StrToVer(VerCurrent) shr 24) and $ff;
Existing := (StrToVer(VerExisting) shr 24) and $ff;
if (Current = 5) and (Existing = 4) then
if (Current = 6) and (Existing = 5) then
{Version 6 locks down admin bin directory}
Result := False
else if (Current = 5) and (Existing = 4) then
{Version 5 only drops support for XP}
Result := False
else
Expand Down Expand Up @@ -6055,7 +6064,7 @@ begin
begin
if SameText(GSettingsPage.Combo.Text, GPaths.Php.Data.Cmd) then
Caption := 'This is the PHP in your path. Click Next to use it.'
Info := 'This is the PHP in your path. Click Next to use it.'
else
begin
Info := 'This will replace the PHP entry in your path. Click Next if you want to do this.';
Expand All @@ -6069,7 +6078,7 @@ begin
PATH_NONE:
begin
if (GSettingsPage.Combo.Text <> '') then
if NotEmpty(GSettingsPage.Combo.Text) then
begin
Info := 'This will add PHP to your path. Click Next to use it.';
Confirm := 'Add this PHP to your path?';
Expand Down Expand Up @@ -6162,7 +6171,7 @@ begin
GSettingsPage.Warning.AutoSize := True;
GSettingsPage.Warning.WordWrap := True;
S := 'Please confirm to continue. The security of this location is your responsibility';
S := 'Confirm to continue. The access control of this location is your responsibility';
S := S + ' and is particularly important if other people use this computer.';
GSettingsPage.Warning.Caption := S;
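Review bot: The `[Run]` entry `Filename: {tmp}\{#PermsBat}; Flags: runhidden; Check: CheckPermisions;` has no way to surface a failed lockdown: Inno Setup does not inspect a [Run] program's exit code, and `runhidden` hides any icacls error output, so if one of the ACL steps fails the install still completes successfully with the bin directory left on whatever permissions it inherited. Because the whole purpose of this commit is a security property, the script should be launched from `[Code]` with `Exec` and `ewWaitUntilTerminated`, and the `ResultCode` checked so a non-zero result is reported (or the install is failed) rather than ignored. `CheckPermisions` and the `PERMS_BAT` constant already exist in the file, so the call fits in a `CurStepChanged(ssPostInstall)` handler; I cannot tell from the hunks whether the file already defines one, in which case the body below merges into it.
```pascal
procedure CurStepChanged(CurStep: TSetupStep);
var
  ResultCode: Integer;
begin
  if (CurStep = ssPostInstall) and CheckPermisions then
  begin
    { run the ACL script and treat a launch failure or non-zero exit as an error }
    if not Exec(ExpandConstant('{tmp}\') + PERMS_BAT, '', '', SW_HIDE,
      ewWaitUntilTerminated, ResultCode) or (ResultCode <> 0) then
      MsgBox('Setting permissions on the bin directory failed (exit code '
        + IntToStr(ResultCode) + ').', mbError, MB_OK);
  end;
end;
```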
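--- /dev/null
+++ b/src/scripts/acls.bat
@@ -0,0 +1,13 @@
+@echo off
+
+:: remove inheritance
+icacls %ALLUSERSPROFILE%\ComposerSetup /inheritance:d /Q
+
+:: remove creator owner
+icacls %ALLUSERSPROFILE%\ComposerSetup /remove:g *S-1-3-0 /Q
+
+:: remove builtin\users
+icacls %ALLUSERSPROFILE%\ComposerSetup /remove:g *S-1-5-32-545 /Q
+
+:: grant read-execute to builtin\users
+icacls %ALLUSERSPROFILE%\ComposerSetup /grant *S-1-5-32-545:(OI)(CI)(RX) /Q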
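Review bot: The target directory is hard-coded as `%ALLUSERSPROFILE%\ComposerSetup` on all four icacls lines, while composer.iss keys the directory it creates and deletes on `{code:GetBinDir}`; if the two ever diverge the script quietly hardens the wrong path, because `/Q` only silences success output and nothing in the script or the installer checks the exit code. The path is also unquoted, so a value of ALLUSERSPROFILE containing a space would be split into separate arguments. Passing the directory from the [Run] entry (`Parameters: """{code:GetBinDir}"""`), quoting it, and exiting non-zero on the first failed step keeps the script and the installer in agreement and lets the caller notice a failed lockdown.
```bat
@echo off
:: the bin directory is supplied by the installer as the first argument
if "%~1"=="" exit /b 1
set "BINDIR=%~1"

:: remove inheritance
icacls "%BINDIR%" /inheritance:d /Q || exit /b 1

:: remove creator owner
icacls "%BINDIR%" /remove:g *S-1-3-0 /Q || exit /b 1

:: remove builtin\users
icacls "%BINDIR%" /remove:g *S-1-5-32-545 /Q || exit /b 1

:: grant read-execute to builtin\users
icacls "%BINDIR%" /grant *S-1-5-32-545:(OI)(CI)(RX) /Q || exit /b 1
```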
