Home Explore Help
Sign In
pascal
/
innosetup
mirror of https://github.com/jrsoftware/issrc.git
2
0
Fork 0
Files Issues 0 Wiki
Branch: main
Branches Tags
innosetup
/
Projects
/
Src
/
Setup.SecurityFunc.pas

Setup.SecurityFunc.pas 7.8 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216 
  1. unit Setup.SecurityFunc;
    2. 

  2. 

  3. {
    4. 

  4.   Inno Setup
    5. 

  5.   Copyright (C) 1997-2024 Jordan Russell
    6. 

  6.   Portions by Martijn Laan
    7. 

  7.   For conditions of distribution and use, see LICENSE.TXT.
    8. 

  8. 

  9.   Functions for altering ACLs on files & registry keys
    10. 

  10. }
    11. 

  11. 

  12. interface
    13. 

  13. 

  14. uses
    15. 

  15.   Windows, SysUtils, Shared.CommonFunc, Shared.Struct;
    16. 

  16. 

  17. function GrantPermissionOnFile(const DisableFsRedir: Boolean; Filename: String;
    18. 

  18.   const Entries: TGrantPermissionEntry; const EntryCount: Integer): Boolean;
    19. 

  19. function GrantPermissionOnKey(const RegView: TRegView; const RootKey: HKEY;
    20. 

  20.   const Subkey: String; const Entries: TGrantPermissionEntry;
    21. 

  21.   const EntryCount: Integer): Boolean;
    22. 

  22. 

  23. implementation
    24. 

  24. 

  25. uses
    26. 

  26.   PathFunc, SetupLdrAndSetup.Messages, SetupLdrAndSetup.InstFunc, Setup.LoggingFunc,
    27. 

  27.   SetupLdrAndSetup.RedirFunc, Setup.Helper;
    28. 

  28. 

  29. function InternalGrantPermission(const ObjectType: DWORD; const ObjectName: String;
    30. 

  30.   const Entries: TGrantPermissionEntry; const EntryCount: Integer;
    31. 

  31.   const Inheritance: DWORD): DWORD;
    32. 

  32. { Grants the specified access to the specified object. Returns ERROR_SUCCESS if
    33. 

  33.   successful. }
    34. 

  34. type
    35. 

  35.   PPSID = ^PSID;
    36. 

  36.   PPACL = ^PACL;
    37. 

  37.   PTrusteeW = ^TTrusteeW;
    38. 

  38.   TTrusteeW = record
    39. 

  39.     pMultipleTrustee: PTrusteeW;
    40. 

  40.     MultipleTrusteeOperation: DWORD;  { MULTIPLE_TRUSTEE_OPERATION }
    41. 

  41.     TrusteeForm: DWORD;  { TRUSTEE_FORM }
    42. 

  42.     TrusteeType: DWORD;  { TRUSTEE_TYPE }
    43. 

  43.     ptstrName: PWideChar;
    44. 

  44.   end;
    45. 

  45.   TExplicitAccessW = record
    46. 

  46.     grfAccessPermissions: DWORD;
    47. 

  47.     grfAccessMode: DWORD;  { ACCESS_MODE }
    48. 

  48.     grfInheritance: DWORD;
    49. 

  49.     Trustee: TTrusteeW;
    50. 

  50.   end;
    51. 

  51.   PArrayOfExplicitAccessW = ^TArrayOfExplicitAccessW;
    52. 

  52.   TArrayOfExplicitAccessW = array[0..999999] of TExplicitAccessW;
    53. 

  53. const
    54. 

  54.   GRANT_ACCESS = 1;
    55. 

  55.   TRUSTEE_IS_SID = 0;
    56. 

  56.   TRUSTEE_IS_UNKNOWN = 0;
    57. 

  57. var
    58. 

  58.   AdvApiHandle: HMODULE;
    59. 

  59.   GetNamedSecurityInfoW: function(pObjectName: PWideChar; ObjectType: DWORD;
    60. 

  60.     SecurityInfo: SECURITY_INFORMATION; ppsidOwner, ppsidGroup: PPSID;
    61. 

  61.     ppDacl, ppSacl: PPACL; var ppSecurityDescriptor: PSECURITY_DESCRIPTOR): DWORD;
    62. 

  62.     stdcall;
    63. 

  63.   SetNamedSecurityInfoW: function(pObjectName: PWideChar; ObjectType: DWORD;
    64. 

  64.     SecurityInfo: SECURITY_INFORMATION; ppsidOwner, ppsidGroup: PSID;
    65. 

  65.     ppDacl, ppSacl: PACL): DWORD; stdcall;
    66. 

  66.   SetEntriesInAclW: function(cCountOfExplicitEntries: ULONG;
    67. 

  67.     const pListOfExplicitEntries: TExplicitAccessW; OldAcl: PACL;
    68. 

  68.     var NewAcl: PACL): DWORD; stdcall;
    69. 

  69.   SD: PSECURITY_DESCRIPTOR;
    70. 

  70.   Dacl, NewDacl: PACL;
    71. 

  71.   ExplicitAccess: PArrayOfExplicitAccessW;
    72. 

  72.   E: ^TGrantPermissionEntry;
    73. 

  73.   I: Integer;
    74. 

  74.   Sid: PSID;
    75. 

  75. begin
    76. 

  76.   AdvApiHandle := GetModuleHandle(advapi32);
    77. 

  77.   GetNamedSecurityInfoW := GetProcAddress(AdvApiHandle, PAnsiChar('GetNamedSecurityInfoW'));
    78. 

  78.   SetNamedSecurityInfoW := GetProcAddress(AdvApiHandle, PAnsiChar('SetNamedSecurityInfoW'));
    79. 

  79.   SetEntriesInAclW := GetProcAddress(AdvApiHandle, PAnsiChar('SetEntriesInAclW'));
    80. 

  80.   if (@GetNamedSecurityInfoW = nil) or (@SetNamedSecurityInfoW = nil) or
    81. 

  81.      (@SetEntriesInAclW = nil) then begin
    82. 

  82.     Result := ERROR_PROC_NOT_FOUND;
    83. 

  83.     Exit;
    84. 

  84.   end;
    85. 

  85. 

  86.   ExplicitAccess := nil;
    87. 

  87.   Result := GetNamedSecurityInfoW(PChar(ObjectName), ObjectType,
    88. 

  88.     DACL_SECURITY_INFORMATION, nil, nil, @Dacl, nil, SD);
    89. 

  89.   if Result <> ERROR_SUCCESS then
    90. 

  90.     Exit;
    91. 

  91.   try
    92. 

  92.     { Note: Dacl will be nil if GetNamedSecurityInfo is called on a FAT partition.
    93. 

  93.       Be careful not to dereference a nil pointer. }
    94. 

  94.     ExplicitAccess := AllocMem(EntryCount * SizeOf(ExplicitAccess[0]));
    95. 

  95.     E := @Entries;
    96. 

  96.     for I := 0 to EntryCount-1 do begin
    97. 

  97.       if not AllocateAndInitializeSid(E.Sid.Authority, E.Sid.SubAuthCount,
    98. 

  98.          E.Sid.SubAuth[0], E.Sid.SubAuth[1], 0, 0, 0, 0, 0, 0, Sid) then begin
    99. 

  99.         Result := GetLastError;
    100. 

  100.         if Result = ERROR_SUCCESS then  { just in case... }
    101. 

  101.           Result := ERROR_INVALID_PARAMETER;
    102. 

  102.         Exit;
    103. 

  103.       end;
    104. 

  104.       ExplicitAccess[I].grfAccessPermissions := E.AccessMask;
    105. 

  105.       ExplicitAccess[I].grfAccessMode := GRANT_ACCESS;
    106. 

  106.       ExplicitAccess[I].grfInheritance := Inheritance;
    107. 

  107.       ExplicitAccess[I].Trustee.TrusteeForm := TRUSTEE_IS_SID;
    108. 

  108.       ExplicitAccess[I].Trustee.TrusteeType := TRUSTEE_IS_UNKNOWN;
    109. 

  109.       PSID(ExplicitAccess[I].Trustee.ptstrName) := Sid;
    110. 

  110.       Inc(E);
    111. 

  111.     end;
    112. 

  112.     Result := SetEntriesInAclW(EntryCount, ExplicitAccess[0], Dacl, NewDacl);
    113. 

  113.     if Result <> ERROR_SUCCESS then
    114. 

  114.       Exit;
    115. 

  115.     try
    116. 

  116.       Result := SetNamedSecurityInfoW(PChar(ObjectName), ObjectType,
    117. 

  117.         DACL_SECURITY_INFORMATION, nil, nil, NewDacl, nil);
    118. 

  118.     finally
    119. 

  119.       LocalFree(HLOCAL(NewDacl));
    120. 

  120.     end;
    121. 

  121.   finally
    122. 

  122.     if Assigned(ExplicitAccess) then begin
    123. 

  123.       for I := EntryCount-1 downto 0 do begin
    124. 

  124.         Sid := PSID(ExplicitAccess[I].Trustee.ptstrName);
    125. 

  125.         if Assigned(Sid) then
    126. 

  126.           FreeSid(Sid);
    127. 

  127.       end;
    128. 

  128.       FreeMem(ExplicitAccess);
    129. 

  129.     end;
    130. 

  130.     LocalFree(HLOCAL(SD));
    131. 

  131.   end;
    132. 

  132. end;
    133. 

  133. 

  134. function GrantPermission(const Use64BitHelper: Boolean; const ObjectType: DWORD;
    135. 

  135.   const ObjectName: String; const Entries: TGrantPermissionEntry;
    136. 

  136.   const EntryCount: Integer; const Inheritance: DWORD): DWORD;
    137. 

  137. { Invokes either the internal GrantPermission function or the one inside the
    138. 

  138.   64-bit helper, depending on the setting of Use64BitHelper }
    139. 

  139. begin
    140. 

  140.   try
    141. 

  141.     if Use64BitHelper then
    142. 

  142.       Result := HelperGrantPermission(ObjectType, ObjectName, Entries,
    143. 

  143.         EntryCount, Inheritance)
    144. 

  144.     else
    145. 

  145.       Result := InternalGrantPermission(ObjectType, ObjectName, Entries,
    146. 

  146.         EntryCount, Inheritance);
    147. 

  147.   except
    148. 

  148.     { If the helper interface (or even InternalGrantPermission) raises an
    149. 

  149.       exception, don't propagate it. Just log it and return an error code, as
    150. 

  150.       that's what the caller is expecting on failure. }
    151. 

  151.     Log('Exception while setting permissions:' + SNewLine + GetExceptMessage);
    152. 

  152.     Result := ERROR_GEN_FAILURE;
    153. 

  153.   end;
    154. 

  154. end;
    155. 

  155. 

  156. const
    157. 

  157.   OBJECT_INHERIT_ACE    = 1;
    158. 

  158.   CONTAINER_INHERIT_ACE = 2;
    159. 

  159. 

  160. function GrantPermissionOnFile(const DisableFsRedir: Boolean; Filename: String;
    161. 

  161.   const Entries: TGrantPermissionEntry; const EntryCount: Integer): Boolean;
    162. 

  162. { Grants the specified access to the specified file/directory. Returns True if
    163. 

  163.   successful. On failure, the thread's last error code is set. }
    164. 

  164. const
    165. 

  165.   SE_FILE_OBJECT = 1;
    166. 

  166. var
    167. 

  167.   Attr, Inheritance, ErrorCode: DWORD;
    168. 

  168. begin
    169. 

  169.   { Expand filename if needed because the 64-bit helper may not have the same
    170. 

  170.     current directory as us }
    171. 

  171.   Filename := PathExpand(Filename);
    172. 

  172.   Attr := GetFileAttributesRedir(DisableFsRedir, Filename);
    173. 

  173.   if Attr = INVALID_FILE_ATTRIBUTES then begin
    174. 

  174.     Result := False;
    175. 

  175.     Exit;
    176. 

  176.   end;
    177. 

  177.   if Attr and FILE_ATTRIBUTE_DIRECTORY <> 0 then
    178. 

  178.     Inheritance := OBJECT_INHERIT_ACE or CONTAINER_INHERIT_ACE
    179. 

  179.   else
    180. 

  180.     Inheritance := 0;
    181. 

  181.   ErrorCode := GrantPermission(DisableFsRedir, SE_FILE_OBJECT, Filename, Entries,
    182. 

  182.     EntryCount, Inheritance);
    183. 

  183.   SetLastError(ErrorCode);
    184. 

  184.   Result := (ErrorCode = ERROR_SUCCESS);
    185. 

  185. end;
    186. 

  186. 

  187. function GrantPermissionOnKey(const RegView: TRegView; const RootKey: HKEY;
    188. 

  188.   const Subkey: String; const Entries: TGrantPermissionEntry;
    189. 

  189.   const EntryCount: Integer): Boolean;
    190. 

  190. { Grants the specified access to the specified registry key. Returns True if
    191. 

  191.   successful. On failure, the thread's last error code is set. }
    192. 

  192. const
    193. 

  193.   SE_REGISTRY_KEY = 4;
    194. 

  194. var
    195. 

  195.   ObjName: String;
    196. 

  196.   ErrorCode: DWORD;
    197. 

  197. begin
    198. 

  198.   case RootKey of
    199. 

  199.     HKEY_CLASSES_ROOT: ObjName := 'CLASSES_ROOT';
    200. 

  200.     HKEY_CURRENT_USER: ObjName := 'CURRENT_USER';
    201. 

  201.     HKEY_LOCAL_MACHINE: ObjName := 'MACHINE';
    202. 

  202.     HKEY_USERS: ObjName := 'USERS';
    203. 

  203.   else
    204. 

  204.     { Other root keys are not supported by Get/SetNamedSecurityInfo }
    205. 

  205.     SetLastError(ERROR_INVALID_PARAMETER);
    206. 

  206.     Result := False;
    207. 

  207.     Exit;
    208. 

  208.   end;
    209. 

  209.   ObjName := ObjName + '\' + Subkey;
    210. 

  210.   ErrorCode := GrantPermission(RegView = rv64Bit, SE_REGISTRY_KEY, ObjName,
    211. 

  211.     Entries, EntryCount, CONTAINER_INHERIT_ACE);
    212. 

  212.   SetLastError(ErrorCode);
    213. 

  213.   Result := (ErrorCode = ERROR_SUCCESS);
    214. 

  214. end;
    215. 

  215. 

  216. end.
    217.