AdGuardHome/internal/permcheck/check_windows.go

//go:build windows

package permcheck

import (
	"context"
	"log/slog"

	"github.com/AdguardTeam/golibs/logutil/slogutil"
	"golang.org/x/sys/windows"
)

// check is the Windows-specific implementation of [Check].
//
// Note, that it only checks the owner and the ACEs of the working directory.
// This is due to the assumption that the working directory ACEs are inherited
// by the underlying files and directories, since at least [migrate] sets this
// inheritance mode.
func check(ctx context.Context, l *slog.Logger, workDir, _, _, _, _ string) {
	l = l.With("type", typeDir, "path", workDir)

	dacl, owner, err := getSecurityInfo(workDir)
	if err != nil {
		l.ErrorContext(ctx, "getting security info", slogutil.KeyError, err)

		return
	}

	if !owner.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
		l.WarnContext(ctx, "owner is not in administrators group")
	}

	err = rangeACEs(dacl, func(
		hdr windows.ACE_HEADER,
		mask windows.ACCESS_MASK,
		sid *windows.SID,
	) (cont bool) {
		l.DebugContext(ctx, "checking access control entry", "mask", mask, "sid", sid)

		warn := false
		switch {
		case hdr.AceType != windows.ACCESS_ALLOWED_ACE_TYPE:
			// Skip non-allowed ACEs.
		case !sid.IsWellKnown(windows.WinBuiltinAdministratorsSid):
			// Non-administrator ACEs should not have any access rights.
			warn = mask > 0
		default:
			// Administrators should full control access rights.
			warn = mask&fullControlMask != fullControlMask
		}
		if warn {
			l.WarnContext(ctx, "unexpected access control entry", "mask", mask, "sid", sid)
		}

		return true
	})
	if err != nil {
		l.ErrorContext(ctx, "checking access control entries", slogutil.KeyError, err)
	}
}
Pull request 2312: 7400 Windows permcheck Updates #7400. Squashed commit of the following: commit f50d7c200de545dc6c8ef70b39208f522033fb90 Merge: 47040a14c 37b16bcf7 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 18:09:23 2024 +0300 Merge branch 'master' into 7400-chown-permcheck commit 47040a14cd50bf50429f44eba0acdcf736412b61 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 14:26:43 2024 +0300 permcheck: fix nil entries commit e1d21c576d75a903b88db3b7beb82348cdcf60c9 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Dec 2 15:37:58 2024 +0300 permcheck: fix nil owner commit b1fc67c4d189293d0aee90c1905f7f387840643b Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 18:07:15 2024 +0300 permcheck: imp doc commit 0b6a71326e249f0923e389aa1f6f164b02802a24 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 17:16:24 2024 +0300 permcheck: imp code commit 7dfbeda179d0ddb81db54fa4e0dcff189b400215 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 14:28:17 2024 +0300 permcheck: imp code commit 3a5b6aced948a2d09fdae823fc986266c9984b3d Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 19:21:03 2024 +0300 all: imp code, docs commit c076c9366934303fa8c5909bd13770e367dca72e Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 15:14:06 2024 +0300 permcheck: imp code, docs commit 09e4ae1ba12e195454f1db11fa2f5c9e8e170f06 Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 27 19:19:11 2024 +0300 all: implement windows permcheck commit b75ed7d4d30e289b8a99e68e6a5e94ab74cf49cb Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Nov 25 18:01:47 2024 +0300 all: revert permissions 2024-12-03 18:26:00 +03:00			`//go:build windows`

			`package permcheck`

			`import (`
			`"context"`
			`"log/slog"`

			`"github.com/AdguardTeam/golibs/logutil/slogutil"`
			`"golang.org/x/sys/windows"`
			`)`

			`// check is the Windows-specific implementation of [Check].`
			`//`
			`// Note, that it only checks the owner and the ACEs of the working directory.`
			`// This is due to the assumption that the working directory ACEs are inherited`
			`// by the underlying files and directories, since at least [migrate] sets this`
			`// inheritance mode.`
			`func check(ctx context.Context, l *slog.Logger, workDir, _, _, _, _ string) {`
			`l = l.With("type", typeDir, "path", workDir)`

			`dacl, owner, err := getSecurityInfo(workDir)`
			`if err != nil {`
			`l.ErrorContext(ctx, "getting security info", slogutil.KeyError, err)`

			`return`
			`}`

			`if !owner.IsWellKnown(windows.WinBuiltinAdministratorsSid) {`
			`l.WarnContext(ctx, "owner is not in administrators group")`
			`}`

			`err = rangeACEs(dacl, func(`
			`hdr windows.ACE_HEADER,`
			`mask windows.ACCESS_MASK,`
			`sid *windows.SID,`
			`) (cont bool) {`
			`l.DebugContext(ctx, "checking access control entry", "mask", mask, "sid", sid)`

			`warn := false`
			`switch {`
			`case hdr.AceType != windows.ACCESS_ALLOWED_ACE_TYPE:`
			`// Skip non-allowed ACEs.`
			`case !sid.IsWellKnown(windows.WinBuiltinAdministratorsSid):`
			`// Non-administrator ACEs should not have any access rights.`
			`warn = mask > 0`
			`default:`
			`// Administrators should full control access rights.`
			`warn = mask&fullControlMask != fullControlMask`
			`}`
			`if warn {`
			`l.WarnContext(ctx, "unexpected access control entry", "mask", mask, "sid", sid)`
			`}`

			`return true`
			`})`
			`if err != nil {`
			`l.ErrorContext(ctx, "checking access control entries", slogutil.KeyError, err)`
			`}`
			`}`