Access rights to directory %ProgramData%\Notepad++\plugins are still set incorrectly by the installer

[dinkumoil]

Description of the Issue

Access rights to directory %ProgramData%\Notepad++\plugins are still set incorrectly by Notepad++ installer. Thus, normal Windows users are still allowed to write files to it or its subdirectories. It was the intention of commit 589e211 to change that but it was done in the wrong way.

Steps to Reproduce the Issue

1. Install Notepad++ v7.6.2.
2. Create a Windows user account without admin rights.
3. Log on as the user created in step 2.
4. Navigate to directory %ProgramData%\Notepad++\plugins.
5. Try to copy a file to that directory.

Expected Behavior

A UAC dialog should pop up where you have to provide credentials of an admin user because normal users should not be able to drop files to %ProgramData%\Notepad++\plugins.

Actual Behavior

Copying the file as normal user works without any problem, no UAC dialog pops up.

Debug Information

Applies to Notepad++ v7.6.2

Additional informations

The directory %ProgramData%\Notepad++\plugins inherits access rights from the %ProgramData% directory. There, the user group CREATOR OWNER is configured to have all access rights. That means that every user account can write NEW files and subdirectories to %ProgramData% and its subdirectories. Furthermore, every user account can only delete/overwrite/change files and subdirectories which had been created by itself.

It is not possible to simply remove this access right from %ProgramData%\Notepad++\plugins or to replace it with a restricted access right like it was tried in commit 589e211. Instead ownership of the directory has to be set to the ADMINISTRATORS user group, the access rights inheritance has to be removed from the directory and a manually configured set of access rights has to be set because after removing access rights inheritance the directory has no access rights at all.

I already elaborated about that in this comment at the community forum. Another user stated the same in this comment at the community forum.

Additionally the access rights of the directory %ProgramData%\Notepad++\plugins\config have to be reconfigured in a way that writing to it is allowed for all user accounts in order to be able to update the file nppPluginList.dll.

Suggested access rights for directory %ProgramData%\Notepad++\plugins:

• Owner: ADMINISTRATORS user group
• SYSTEM -> Full access
• ADMINISTRATORS -> Full access
• USERS -> Read & Execute, List folder contents, Read

Suggested access rights for directory %ProgramData%\Notepad++\plugins\config:

• SYSTEM -> Full access
• ADMINISTRATORS -> Full access
• USERS -> Full access for files and directories in it

[dinkumoil]

@donho

The following command sequence (using the ICACLS console tool) would set the access rights of the plugins directory and the plugins\config directory to a desired state.

Please note: I don't want to encourage you to actually use ICACLS to accomplish this task, the access rights plugin of NSIS should be able to do the same steps. I am posting this only as a guideline.

I have tested the script on a Windows 7 x64 machine without an Active Directory environment. According to this site the user group DOMAINADMINS is a member of the local ADMINISTRATORS user group. Thus, the access rights set by the script should be sufficient in an Active Directory environment.

But there could raise up a problem with the DOMAINUSERS user group. This group has no universal SID since the SID of the domain is part of the SID for this user group. Maybe there is a way using the NSIS access rights plugin to set the same access rights for the DOMAINUSERS group like for the local USERS group (SID S-1-5-32-545).

@echo off & setlocal

set "PluginsDir=%ALLUSERSPROFILE%\Notepad++\plugins"
set "PluginsListDir=%ALLUSERSPROFILE%\Notepad++\plugins\config"


::Set owner of directory to local ADMINISTRATORS user group
icacls "%PluginsDir%" /setowner *S-1-5-32-544

::Set ACL of directory for plugins to standard value,
::includes only inherited access rights
icacls "%PluginsDir%" /reset

::Set ACL of directory for plugin list to standard value,
::includes only inherited access rights
icacls "%PluginsListDir%" /reset

::Remove access rights inheritance from directory for plugins
icacls "%PluginsDir%" /inheritance:r


::Set full access rights for local SYSTEM account on plugins directory
::and activate inheritance for this permission
icacls "%PluginsDir%" /grant:r *S-1-5-18:(CI)(OI)(F)

::Set full access rights for local ADMINISTRATORS user group on plugins
::directory and activate inheritance for this permission
icacls "%PluginsDir%" /grant *S-1-5-32-544:(CI)(OI)(F)

::Set read access rights for local USERS user group on plugins directory
::and activate inheritance for this permission
icacls "%PluginsDir%" /grant *S-1-5-32-545:(CI)(OI)(GR,GE,RD,X,RA)

::Set restricted write access rights for local USERS user group on files and
::directories INSIDE the plugins list directory and activate inheritance for
::this permission
icacls "%PluginsListDir%" /grant *S-1-5-32-545:(CI)(OI)(IO)(DE,GW,WD,AD,DC,WA,WEA)

::Allow creation and restoration of files and directories for local USERS user
::group in the plugins list directory
icacls "%PluginsListDir%" /grant *S-1-5-32-545:(WD,AD,WA,WEA)

[donho]

Thank you for the info.
With the new scheme we don't need any more to change ACL :
9fecbae