Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Ledest:erlang:19
erlang
1093-Revoke-default-windows-access-rights.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 1093-Revoke-default-windows-access-rights.patch of Package erlang
From 80095582a9a2fa85823c0a02361671d68fffc37d Mon Sep 17 00:00:00 2001 From: Dan Gudmundsson <dgud@erlang.org> Date: Fri, 8 Jan 2021 09:35:31 +0100 Subject: [PATCH] Revoke default windows access rights Depending on the default access rights, dll injection could be used to gain admin rights via a normal user if erlang was used as a service. --- erts/etc/win32/nsis/erlang20.nsi | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/erts/etc/win32/nsis/erlang20.nsi b/erts/etc/win32/nsis/erlang20.nsi index 5a79101b5d..907a64b89c 100644 --- a/erts/etc/win32/nsis/erlang20.nsi +++ b/erts/etc/win32/nsis/erlang20.nsi @@ -144,7 +144,21 @@ SubSection /e "Erlang" SecErlang Section "Development" SecErlangDev SectionIn 1 RO + SetOutPath "$INSTDIR" + +; Don't let Users nor Autenticated Users group create new files +; Avoid dll injection when installing to non /Program Files/ dirs + + StrCmp $INSTDIR $InstallDir cp_files + ; Remove ANY inherited access control + ExecShellWait "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /inheritance:r' SW_HIDE + ; Grant Admin full control + ExecShellWait "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /grant:r *S-1-5-32-544:(OI)(CI)F' SW_HIDE + ; Grant Normal Users read+execute control + ExecShellWait "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /grant:r *S-1-1-0:(OI)(CI)RX' SW_HIDE + +cp_files: File "${TESTROOT}\Install.ini" File "${TESTROOT}\Install.exe" SetOutPath "$INSTDIR\releases" -- 2.26.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor