mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-12-24 07:38:16 +03:00
3895cfb4f0
Updates #7400. Squashed commit of the following: commit f50d7c200de545dc6c8ef70b39208f522033fb90 Merge:47040a14c
37b16bcf7
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 18:09:23 2024 +0300 Merge branch 'master' into 7400-chown-permcheck commit47040a14cd
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 14:26:43 2024 +0300 permcheck: fix nil entries commite1d21c576d
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Dec 2 15:37:58 2024 +0300 permcheck: fix nil owner commitb1fc67c4d1
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 18:07:15 2024 +0300 permcheck: imp doc commit0b6a71326e
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 17:16:24 2024 +0300 permcheck: imp code commit7dfbeda179
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 14:28:17 2024 +0300 permcheck: imp code commit3a5b6aced9
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 19:21:03 2024 +0300 all: imp code, docs commitc076c93669
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 15:14:06 2024 +0300 permcheck: imp code, docs commit09e4ae1ba1
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 27 19:19:11 2024 +0300 all: implement windows permcheck commitb75ed7d4d3
Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Nov 25 18:01:47 2024 +0300 all: revert permissions
60 lines
1.6 KiB
Go
60 lines
1.6 KiB
Go
//go:build windows
|
|
|
|
package permcheck
|
|
|
|
import (
|
|
"context"
|
|
"log/slog"
|
|
|
|
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
|
"golang.org/x/sys/windows"
|
|
)
|
|
|
|
// check is the Windows-specific implementation of [Check].
|
|
//
|
|
// Note, that it only checks the owner and the ACEs of the working directory.
|
|
// This is due to the assumption that the working directory ACEs are inherited
|
|
// by the underlying files and directories, since at least [migrate] sets this
|
|
// inheritance mode.
|
|
func check(ctx context.Context, l *slog.Logger, workDir, _, _, _, _ string) {
|
|
l = l.With("type", typeDir, "path", workDir)
|
|
|
|
dacl, owner, err := getSecurityInfo(workDir)
|
|
if err != nil {
|
|
l.ErrorContext(ctx, "getting security info", slogutil.KeyError, err)
|
|
|
|
return
|
|
}
|
|
|
|
if !owner.IsWellKnown(windows.WinBuiltinAdministratorsSid) {
|
|
l.WarnContext(ctx, "owner is not in administrators group")
|
|
}
|
|
|
|
err = rangeACEs(dacl, func(
|
|
hdr windows.ACE_HEADER,
|
|
mask windows.ACCESS_MASK,
|
|
sid *windows.SID,
|
|
) (cont bool) {
|
|
l.DebugContext(ctx, "checking access control entry", "mask", mask, "sid", sid)
|
|
|
|
warn := false
|
|
switch {
|
|
case hdr.AceType != windows.ACCESS_ALLOWED_ACE_TYPE:
|
|
// Skip non-allowed ACEs.
|
|
case !sid.IsWellKnown(windows.WinBuiltinAdministratorsSid):
|
|
// Non-administrator ACEs should not have any access rights.
|
|
warn = mask > 0
|
|
default:
|
|
// Administrators should full control access rights.
|
|
warn = mask&fullControlMask != fullControlMask
|
|
}
|
|
if warn {
|
|
l.WarnContext(ctx, "unexpected access control entry", "mask", mask, "sid", sid)
|
|
}
|
|
|
|
return true
|
|
})
|
|
if err != nil {
|
|
l.ErrorContext(ctx, "checking access control entries", slogutil.KeyError, err)
|
|
}
|
|
}
|