Sākums Izpētīt Palīdzība
Pierakstīties
pascal
/
innosetup
spogulis no https://github.com/jrsoftware/issrc.git
2
0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: 90e1249e8f
Atzari Tagi
innosetup
/
Projects
/
Src
/
SecurityFunc.pas

SecurityFunc.pas 7.7 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215 
  1. unit SecurityFunc;
    2. 

  2. 

  3. {
    4. 

  4.   Inno Setup
    5. 

  5.   Copyright (C) 1997-2024 Jordan Russell
    6. 

  6.   Portions by Martijn Laan
    7. 

  7.   For conditions of distribution and use, see LICENSE.TXT.
    8. 

  8. 

  9.   Functions for altering ACLs on files & registry keys
    10. 

  10. }
    11. 

  11. 

  12. interface
    13. 

  13. 

  14. uses
    15. 

  15.   Windows, SysUtils, CmnFunc2, Struct;
    16. 

  16. 

  17. function GrantPermissionOnFile(const DisableFsRedir: Boolean; Filename: String;
    18. 

  18.   const Entries: TGrantPermissionEntry; const EntryCount: Integer): Boolean;
    19. 

  19. function GrantPermissionOnKey(const RegView: TRegView; const RootKey: HKEY;
    20. 

  20.   const Subkey: String; const Entries: TGrantPermissionEntry;
    21. 

  21.   const EntryCount: Integer): Boolean;
    22. 

  22. 

  23. implementation
    24. 

  24. 

  25. uses
    26. 

  26.   PathFunc, Msgs, InstFunc, Logging, RedirFunc, Helper;
    27. 

  27. 

  28. function InternalGrantPermission(const ObjectType: DWORD; const ObjectName: String;
    29. 

  29.   const Entries: TGrantPermissionEntry; const EntryCount: Integer;
    30. 

  30.   const Inheritance: DWORD): DWORD;
    31. 

  31. { Grants the specified access to the specified object. Returns ERROR_SUCCESS if
    32. 

  32.   successful. }
    33. 

  33. type
    34. 

  34.   PPSID = ^PSID;
    35. 

  35.   PPACL = ^PACL;
    36. 

  36.   PTrusteeW = ^TTrusteeW;
    37. 

  37.   TTrusteeW = record
    38. 

  38.     pMultipleTrustee: PTrusteeW;
    39. 

  39.     MultipleTrusteeOperation: DWORD;  { MULTIPLE_TRUSTEE_OPERATION }
    40. 

  40.     TrusteeForm: DWORD;  { TRUSTEE_FORM }
    41. 

  41.     TrusteeType: DWORD;  { TRUSTEE_TYPE }
    42. 

  42.     ptstrName: PWideChar;
    43. 

  43.   end;
    44. 

  44.   TExplicitAccessW = record
    45. 

  45.     grfAccessPermissions: DWORD;
    46. 

  46.     grfAccessMode: DWORD;  { ACCESS_MODE }
    47. 

  47.     grfInheritance: DWORD;
    48. 

  48.     Trustee: TTrusteeW;
    49. 

  49.   end;
    50. 

  50.   PArrayOfExplicitAccessW = ^TArrayOfExplicitAccessW;
    51. 

  51.   TArrayOfExplicitAccessW = array[0..999999] of TExplicitAccessW;
    52. 

  52. const
    53. 

  53.   GRANT_ACCESS = 1;
    54. 

  54.   TRUSTEE_IS_SID = 0;
    55. 

  55.   TRUSTEE_IS_UNKNOWN = 0;
    56. 

  56. var
    57. 

  57.   AdvApiHandle: HMODULE;
    58. 

  58.   GetNamedSecurityInfoW: function(pObjectName: PWideChar; ObjectType: DWORD;
    59. 

  59.     SecurityInfo: SECURITY_INFORMATION; ppsidOwner, ppsidGroup: PPSID;
    60. 

  60.     ppDacl, ppSacl: PPACL; var ppSecurityDescriptor: PSECURITY_DESCRIPTOR): DWORD;
    61. 

  61.     stdcall;
    62. 

  62.   SetNamedSecurityInfoW: function(pObjectName: PWideChar; ObjectType: DWORD;
    63. 

  63.     SecurityInfo: SECURITY_INFORMATION; ppsidOwner, ppsidGroup: PSID;
    64. 

  64.     ppDacl, ppSacl: PACL): DWORD; stdcall;
    65. 

  65.   SetEntriesInAclW: function(cCountOfExplicitEntries: ULONG;
    66. 

  66.     const pListOfExplicitEntries: TExplicitAccessW; OldAcl: PACL;
    67. 

  67.     var NewAcl: PACL): DWORD; stdcall;
    68. 

  68.   SD: PSECURITY_DESCRIPTOR;
    69. 

  69.   Dacl, NewDacl: PACL;
    70. 

  70.   ExplicitAccess: PArrayOfExplicitAccessW;
    71. 

  71.   E: ^TGrantPermissionEntry;
    72. 

  72.   I: Integer;
    73. 

  73.   Sid: PSID;
    74. 

  74. begin
    75. 

  75.   AdvApiHandle := GetModuleHandle(advapi32);
    76. 

  76.   GetNamedSecurityInfoW := GetProcAddress(AdvApiHandle, PAnsiChar('GetNamedSecurityInfoW'));
    77. 

  77.   SetNamedSecurityInfoW := GetProcAddress(AdvApiHandle, PAnsiChar('SetNamedSecurityInfoW'));
    78. 

  78.   SetEntriesInAclW := GetProcAddress(AdvApiHandle, PAnsiChar('SetEntriesInAclW'));
    79. 

  79.   if (@GetNamedSecurityInfoW = nil) or (@SetNamedSecurityInfoW = nil) or
    80. 

  80.      (@SetEntriesInAclW = nil) then begin
    81. 

  81.     Result := ERROR_PROC_NOT_FOUND;
    82. 

  82.     Exit;
    83. 

  83.   end;
    84. 

  84. 

  85.   ExplicitAccess := nil;
    86. 

  86.   Result := GetNamedSecurityInfoW(PChar(ObjectName), ObjectType,
    87. 

  87.     DACL_SECURITY_INFORMATION, nil, nil, @Dacl, nil, SD);
    88. 

  88.   if Result <> ERROR_SUCCESS then
    89. 

  89.     Exit;
    90. 

  90.   try
    91. 

  91.     { Note: Dacl will be nil if GetNamedSecurityInfo is called on a FAT partition.
    92. 

  92.       Be careful not to dereference a nil pointer. }
    93. 

  93.     ExplicitAccess := AllocMem(EntryCount * SizeOf(ExplicitAccess[0]));
    94. 

  94.     E := @Entries;
    95. 

  95.     for I := 0 to EntryCount-1 do begin
    96. 

  96.       if not AllocateAndInitializeSid(E.Sid.Authority, E.Sid.SubAuthCount,
    97. 

  97.          E.Sid.SubAuth[0], E.Sid.SubAuth[1], 0, 0, 0, 0, 0, 0, Sid) then begin
    98. 

  98.         Result := GetLastError;
    99. 

  99.         if Result = ERROR_SUCCESS then  { just in case... }
    100. 

  100.           Result := ERROR_INVALID_PARAMETER;
    101. 

  101.         Exit;
    102. 

  102.       end;
    103. 

  103.       ExplicitAccess[I].grfAccessPermissions := E.AccessMask;
    104. 

  104.       ExplicitAccess[I].grfAccessMode := GRANT_ACCESS;
    105. 

  105.       ExplicitAccess[I].grfInheritance := Inheritance;
    106. 

  106.       ExplicitAccess[I].Trustee.TrusteeForm := TRUSTEE_IS_SID;
    107. 

  107.       ExplicitAccess[I].Trustee.TrusteeType := TRUSTEE_IS_UNKNOWN;
    108. 

  108.       PSID(ExplicitAccess[I].Trustee.ptstrName) := Sid;
    109. 

  109.       Inc(E);
    110. 

  110.     end;
    111. 

  111.     Result := SetEntriesInAclW(EntryCount, ExplicitAccess[0], Dacl, NewDacl);
    112. 

  112.     if Result <> ERROR_SUCCESS then
    113. 

  113.       Exit;
    114. 

  114.     try
    115. 

  115.       Result := SetNamedSecurityInfoW(PChar(ObjectName), ObjectType,
    116. 

  116.         DACL_SECURITY_INFORMATION, nil, nil, NewDacl, nil);
    117. 

  117.     finally
    118. 

  118.       LocalFree(HLOCAL(NewDacl));
    119. 

  119.     end;
    120. 

  120.   finally
    121. 

  121.     if Assigned(ExplicitAccess) then begin
    122. 

  122.       for I := EntryCount-1 downto 0 do begin
    123. 

  123.         Sid := PSID(ExplicitAccess[I].Trustee.ptstrName);
    124. 

  124.         if Assigned(Sid) then
    125. 

  125.           FreeSid(Sid);
    126. 

  126.       end;
    127. 

  127.       FreeMem(ExplicitAccess);
    128. 

  128.     end;
    129. 

  129.     LocalFree(HLOCAL(SD));
    130. 

  130.   end;
    131. 

  131. end;
    132. 

  132. 

  133. function GrantPermission(const Use64BitHelper: Boolean; const ObjectType: DWORD;
    134. 

  134.   const ObjectName: String; const Entries: TGrantPermissionEntry;
    135. 

  135.   const EntryCount: Integer; const Inheritance: DWORD): DWORD;
    136. 

  136. { Invokes either the internal GrantPermission function or the one inside the
    137. 

  137.   64-bit helper, depending on the setting of Use64BitHelper }
    138. 

  138. begin
    139. 

  139.   try
    140. 

  140.     if Use64BitHelper then
    141. 

  141.       Result := HelperGrantPermission(ObjectType, ObjectName, Entries,
    142. 

  142.         EntryCount, Inheritance)
    143. 

  143.     else
    144. 

  144.       Result := InternalGrantPermission(ObjectType, ObjectName, Entries,
    145. 

  145.         EntryCount, Inheritance);
    146. 

  146.   except
    147. 

  147.     { If the helper interface (or even InternalGrantPermission) raises an
    148. 

  148.       exception, don't propagate it. Just log it and return an error code, as
    149. 

  149.       that's what the caller is expecting on failure. }
    150. 

  150.     Log('Exception while setting permissions:' + SNewLine + GetExceptMessage);
    151. 

  151.     Result := ERROR_GEN_FAILURE;
    152. 

  152.   end;
    153. 

  153. end;
    154. 

  154. 

  155. const
    156. 

  156.   OBJECT_INHERIT_ACE    = 1;
    157. 

  157.   CONTAINER_INHERIT_ACE = 2;
    158. 

  158. 

  159. function GrantPermissionOnFile(const DisableFsRedir: Boolean; Filename: String;
    160. 

  160.   const Entries: TGrantPermissionEntry; const EntryCount: Integer): Boolean;
    161. 

  161. { Grants the specified access to the specified file/directory. Returns True if
    162. 

  162.   successful. On failure, the thread's last error code is set. }
    163. 

  163. const
    164. 

  164.   SE_FILE_OBJECT = 1;
    165. 

  165. var
    166. 

  166.   Attr, Inheritance, ErrorCode: DWORD;
    167. 

  167. begin
    168. 

  168.   { Expand filename if needed because the 64-bit helper may not have the same
    169. 

  169.     current directory as us }
    170. 

  170.   Filename := PathExpand(Filename);
    171. 

  171.   Attr := GetFileAttributesRedir(DisableFsRedir, Filename);
    172. 

  172.   if Attr = $FFFFFFFF then begin
    173. 

  173.     Result := False;
    174. 

  174.     Exit;
    175. 

  175.   end;
    176. 

  176.   if Attr and FILE_ATTRIBUTE_DIRECTORY <> 0 then
    177. 

  177.     Inheritance := OBJECT_INHERIT_ACE or CONTAINER_INHERIT_ACE
    178. 

  178.   else
    179. 

  179.     Inheritance := 0;
    180. 

  180.   ErrorCode := GrantPermission(DisableFsRedir, SE_FILE_OBJECT, Filename, Entries,
    181. 

  181.     EntryCount, Inheritance);
    182. 

  182.   SetLastError(ErrorCode);
    183. 

  183.   Result := (ErrorCode = ERROR_SUCCESS);
    184. 

  184. end;
    185. 

  185. 

  186. function GrantPermissionOnKey(const RegView: TRegView; const RootKey: HKEY;
    187. 

  187.   const Subkey: String; const Entries: TGrantPermissionEntry;
    188. 

  188.   const EntryCount: Integer): Boolean;
    189. 

  189. { Grants the specified access to the specified registry key. Returns True if
    190. 

  190.   successful. On failure, the thread's last error code is set. }
    191. 

  191. const
    192. 

  192.   SE_REGISTRY_KEY = 4;
    193. 

  193. var
    194. 

  194.   ObjName: String;
    195. 

  195.   ErrorCode: DWORD;
    196. 

  196. begin
    197. 

  197.   case RootKey of
    198. 

  198.     HKEY_CLASSES_ROOT: ObjName := 'CLASSES_ROOT';
    199. 

  199.     HKEY_CURRENT_USER: ObjName := 'CURRENT_USER';
    200. 

  200.     HKEY_LOCAL_MACHINE: ObjName := 'MACHINE';
    201. 

  201.     HKEY_USERS: ObjName := 'USERS';
    202. 

  202.   else
    203. 

  203.     { Other root keys are not supported by Get/SetNamedSecurityInfo }
    204. 

  204.     SetLastError(ERROR_INVALID_PARAMETER);
    205. 

  205.     Result := False;
    206. 

  206.     Exit;
    207. 

  207.   end;
    208. 

  208.   ObjName := ObjName + '\' + Subkey;
    209. 

  209.   ErrorCode := GrantPermission(RegView = rv64Bit, SE_REGISTRY_KEY, ObjName,
    210. 

  210.     Entries, EntryCount, CONTAINER_INHERIT_ACE);
    211. 

  211.   SetLastError(ErrorCode);
    212. 

  212.   Result := (ErrorCode = ERROR_SUCCESS);
    213. 

  213. end;
    214. 

  214. 

  215. end.
    216.