File 1093-Revoke-default-windows-access-rights.patch of Package erlang
From 80095582a9a2fa85823c0a02361671d68fffc37d Mon Sep 17 00:00:00 2001
From: Dan Gudmundsson <dgud@erlang.org>
Date: Fri, 8 Jan 2021 09:35:31 +0100
Subject: [PATCH] Revoke default windows access rights
Depending on the default access rights, DLL injection could be used
by a normal user to gain admin rights if Erlang was run as a service.
---
erts/etc/win32/nsis/erlang20.nsi | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/erts/etc/win32/nsis/erlang20.nsi b/erts/etc/win32/nsis/erlang20.nsi
index 5a79101b5d..907a64b89c 100644
--- a/erts/etc/win32/nsis/erlang20.nsi
+++ b/erts/etc/win32/nsis/erlang20.nsi
@@ -144,7 +144,21 @@ SubSection /e "Erlang" SecErlang
Section "Development" SecErlangDev
SectionIn 1 RO
+
SetOutPath "$INSTDIR"
+
+; Don't let Users nor Autenticated Users group create new files
+; Avoid dll injection when installing to non /Program Files/ dirs
+
+ StrCmp $INSTDIR $InstallDir cp_files
+ ; Remove ANY inherited access control
+ ExecShellWait "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /inheritance:r' SW_HIDE
+ ; Grant Admin full control
+ ExecShellWait "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /grant:r *S-1-5-32-544:(OI)(CI)F' SW_HIDE
+ ; Grant Normal Users read+execute control
+ ExecShellWait "open" "$SYSDIR\icacls.exe" '"$INSTDIR" /grant:r *S-1-1-0:(OI)(CI)RX' SW_HIDE
+
+cp_files:
File "${TESTROOT}\Install.ini"
File "${TESTROOT}\Install.exe"
SetOutPath "$INSTDIR\releases"
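Review bot: The three icacls calls added before `cp_files` are fire-and-forget: ExecShellWait gives the installer no exit code, so if `/inheritance:r` or either `/grant:r` fails, the install continues with the directory still carrying its inherited write ACEs or, after a partial run, with what is likely an empty DACL. Running each call as `ExecWait '"$SYSDIR\icacls.exe" "$INSTDIR" /inheritance:r' $0` (or through nsExec) and aborting on a non-zero `$0` would make the hardening fail closed. The calls also touch only `$INSTDIR` itself, with no `/T` and no owner reset, so when the target directory already existed, files placed there earlier and an unprivileged owner's implicit right to rewrite the DACL appear to survive; either refuse a non-empty pre-existing directory or state in the comment that this case is not covered. The comment names Users and Authenticated Users (misspelled "Autenticated") while the grant goes to `*S-1-1-0`, which is Everyone; a wording such as `; Give Everyone read+execute only, so non-admins cannot create files` would match the code. The Section body continues past the end of the hunk.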
--
2.26.2