Explicit permissions - remove inheritance/lock down to admins #398
Comments
|
Another place to see some examples of acl setting came in an interesting unrelated search http://blog.enowsoftware.com/solutions-engine/bid/185867/Powershell-Upping-your-Parameter-Validation-Game-with-Dynamic-Parameters-Part-II |
ferventcoder
changed the title
ferventcoder
added a commit
that referenced
this issue
Jun 13, 2016
Explicitly set ACEs for Chocolatey's default folder installation to Administrators, removing inherited permissions and ensuring container and object inheritance flow from explicit ACE settings. Only remove inheritance for the default install folder, if being installed elsewhere, leave inherited permissions alone. Additionally, only set the current user to have modify access if there is an environment variable set to allow this behavior - `$env:ChocolateyInstallAllowCurrentUser="true"`. Based on conversations and code examples from @jberezanski. Jakub wrote the Get-LocalizedWellKnownPrincipalName to return the localized user name for Well-Known SIDS.
ferventcoder
added a commit
that referenced
this issue
Jun 13, 2016
* stable: (version) 0.9.10-rc1 (doc) update CHANGELOG/nuspec (GH-398) Explicitly Set Permissions (doc) fix use of * to code comment
ferventcoder
added a commit
that referenced
this issue
Jun 17, 2016
To see errors and otherwise, allow users permission to append to log files.
ferventcoder
added a commit
that referenced
this issue
Jun 17, 2016
Adding to the changes in 680dc88, further secure down the default Chocolatey installation directory. - If not the default install path, do not make any changes. Issue a warning so the user knows they need to secure their own install For the default install path: - If not being run from an administrative context, throw. Do not allow the installation. - Remove existing explicit permissions - Change the owner to Administrators This work is the result of a continued conversation with @jberezanski and thanks goes to Jakub in providing some of this code and testing the installation for security holes.
ferventcoder
added a commit
that referenced
this issue
Jun 17, 2016
* stable: (version) 0.9.10 (GH-398) Default install permissions enhancements (doc) update CHANGELOG/nuspec (GH-732) reduce default webrequest timeout to 30s (maint) fix environmentvariable (GH-802) PowerShell Host - Exit codes should return (GH-398) Allow append for users on logs directory (GH-794) Warn when non-admin in default install (GH-793) Failing to update config - log to debug (GH-796) Relax upgrade log package separation (GH-801) Fix - bad nuspec from choco new (legal) add logo use policy (GH-795) Adjust message for missing licensed code
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This further restricts the default installation location by removing all permissions and inheritance of permissions, explicitly giving Administrator/LocalSystem to Full access, and Users are granted Read and Execute.
In prior installations, we ensured Modify access to the installing user, but that has been removed for security reasons. Should you need the previous behavior, set
$env:ChocolateyInstallAllowCurrentUser="true".(OI)(CI)(F)", Users Read/Execute "(OI)(CI)(RX)"$env:ChocolateyInstallAllowCurrentUser="true".I owe @jberezanski a debt of gratitude for his tireless work in providing code, examples and testing all the scenarios to find security holes.
Details
https://github.com/chocolatey/choco/blob/master/nuget/chocolatey/tools/chocolateysetup.psm1#L174-L186
http://stackoverflow.com/questions/10970957/changing-permissions-with-powershell-doesnt-propogate-to-children
A non-admin can write to the programdata folder, but they cannot modify or append to existing files. They are also not able to delete existing files they did not put there (and possibly not even those files).
Lock down the default folder even more so that by default, non-admins can not even write to the folder.
The text was updated successfully, but these errors were encountered: