File 1093-Revoke-default-windows-access-rights.patch of Package erlang

Overview Repositories Revisions Requests Users Attributes Meta

File 1093-Revoke-default-windows-access-rights.patch of Package erlang

From 80095582a9a2fa85823c0a02361671d68fffc37d Mon Sep 17 00:00:00 2001
From: Dan Gudmundsson <dgud@erlang.org>
Date: Fri, 8 Jan 2021 09:35:31 +0100
Subject: [PATCH] Revoke default windows access rights

Depending on the default access rights, dll injection could be used
to gain admin rights via a normal user if erlang was used as a service.
---
 erts/etc/win32/nsis/erlang20.nsi | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/erts/etc/win32/nsis/erlang20.nsi b/erts/etc/win32/nsis/erlang20.nsi
index 5a79101b5d..907a64b89c 100644
--- a/erts/etc/win32/nsis/erlang20.nsi
+++ b/erts/etc/win32/nsis/erlang20.nsi
@@ -144,7 +144,21 @@ SubSection /e "Erlang" SecErlang
 Section "Development" SecErlangDev
 SectionIn 1 RO
 
+
   	SetOutPath "$INSTDIR"
+
+; Don't let Users nor Autenticated Users group create new files
+; Avoid dll injection when installing to non /Program Files/ dirs
+
+        StrCmp $INSTDIR $InstallDir cp_files
+        ; Remove ANY inherited access control
+        ExecShellWait "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /inheritance:r' SW_HIDE
+        ; Grant Admin full control
+        ExecShellWait  "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /grant:r *S-1-5-32-544:(OI)(CI)F' SW_HIDE
+        ; Grant Normal Users read+execute control
+        ExecShellWait "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /grant:r *S-1-1-0:(OI)(CI)RX' SW_HIDE
+
+cp_files:
   	File "${TESTROOT}\Install.ini"
   	File "${TESTROOT}\Install.exe"
 	SetOutPath "$INSTDIR\releases"
-- 
2.26.2

Places

File 1093-Revoke-default-windows-access-rights.patch of Package erlang

Places