/******************************************************************
CaExecSecureObjects - entry point for SecureObjects Custom Action
called as Type 1025 CustomAction (deferred binary DLL)
NOTE: deferred CustomAction since it modifies the machine
NOTE: CustomActionData == wzObject\twzTable\twzDomain\twzUser\tdwPermissions\twzObject\t...
******************************************************************/
extern "C" UINT __stdcall ExecSecureObjects(
__in MSIHANDLE hInstall
)
{
// AssertSz(FALSE, "debug ExecSecureObjects");
HRESULT hr = S_OK;
DWORD er = ERROR_SUCCESS;
LPWSTR pwz = NULL;
LPWSTR pwzData = NULL;
LPWSTR pwzObject = NULL;
LPWSTR pwzTable = NULL;
LPWSTR pwzDomain = NULL;
DWORD dwRevision = 0;
LPWSTR pwzUser = NULL;
DWORD dwPermissions = 0;
LPWSTR pwzAccount = NULL;
PSID psid = NULL;
EXPLICIT_ACCESSW ea = {0};
SE_OBJECT_TYPE objectType = SE_UNKNOWN_OBJECT_TYPE;
PSECURITY_DESCRIPTOR psd = NULL;
SECURITY_DESCRIPTOR_CONTROL sdc = {0};
SECURITY_INFORMATION si = {0};
PACL pAclExisting = NULL; // doesn't get freed
PACL pAclNew = NULL;
PMSIHANDLE hActionRec = ::MsiCreateRecord(1);
//
// initialize
//
hr = WcaInitialize(hInstall, "ExecSecureObjects");
ExitOnFailure(hr, "failed to initialize");
hr = WcaGetProperty(L"CustomActionData", &pwzData);
ExitOnFailure(hr, "failed to get CustomActionData");
WcaLog(LOGMSG_TRACEONLY, "CustomActionData: %S", pwzData);
pwz = pwzData;
//
// loop through all the passed in data
//
while (pwz && *pwz)
{
hr = WcaReadStringFromCaData(&pwz, &pwzObject);
ExitOnFailure(hr, "failed to process CustomActionData");
hr = WcaReadStringFromCaData(&pwz, &pwzTable);
ExitOnFailure(hr, "failed to process CustomActionData");
hr = WcaReadStringFromCaData(&pwz, &pwzDomain);
ExitOnFailure(hr, "failed to process CustomActionData");
hr = WcaReadStringFromCaData(&pwz, &pwzUser);
ExitOnFailure(hr, "failed to process CustomActionData");
hr = WcaReadIntegerFromCaData(&pwz, reinterpret_cast<int*>(&dwPermissions));
ExitOnFailure(hr, "failed to processCustomActionData");
WcaLog(LOGMSG_VERBOSE, "Securing Object: %S Type: %S User: %S", pwzObject, pwzTable, pwzUser);
//
// create the appropriate SID
//
// figure out the right user to put into the access block
if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"Everyone"))
{
hr = AclGetWellKnownSid(WinWorldSid, &psid);
}
else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"Administrators"))
{
hr = AclGetWellKnownSid(WinBuiltinAdministratorsSid, &psid);
}
else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"LocalSystem"))
{
hr = AclGetWellKnownSid(WinLocalSystemSid, &psid);
}
else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"LocalService"))
{
hr = AclGetWellKnownSid(WinLocalServiceSid, &psid);
}
else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"NetworkService"))
{
hr = AclGetWellKnownSid(WinNetworkServiceSid, &psid);
}
else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"AuthenticatedUser"))
{
hr = AclGetWellKnownSid(WinAuthenticatedUserSid, &psid);
}
else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"Guests"))
{
hr = AclGetWellKnownSid(WinBuiltinGuestsSid, &psid);
}
else if(!*pwzDomain && 0 == lstrcmpW(pwzUser, L"CREATOR OWNER"))
{
hr = AclGetWellKnownSid(WinCreatorOwnerSid, &psid);
}
else if (!*pwzDomain && 0 == lstrcmpW(pwzUser, L"INTERACTIVE"))
{
hr = AclGetWellKnownSid(WinInteractiveSid, &psid);
}
else if(!*pwzDomain && 0 == lstrcmpW(pwzUser, L"Users"))
{
hr = AclGetWellKnownSid(WinBuiltinUsersSid, &psid);
}
else
{
hr = StrAllocFormatted(&pwzAccount, L"%s\\%s", *pwzDomain ? pwzDomain : L".", pwzUser);
ExitOnFailure(hr, "failed to build domain user name");
hr = AclGetAccountSid(NULL, pwzAccount, &psid);
}
ExitOnFailure3(hr, "failed to get sid for account: %S%S%S", pwzDomain, *pwzDomain ? L"\\" : L"", pwzUser);
//
// build up the explicit access
//
ea.grfAccessPermissions = dwPermissions;
ea.grfAccessMode = SET_ACCESS;
if (0 == lstrcmpW(L"CreateFolder", pwzTable))
{
ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
}
else
{
ea.grfInheritance = NO_INHERITANCE;
}
::BuildTrusteeWithSidW(&ea.Trustee, psid);
if (0 == lstrcmpW(L"ServiceInstall", pwzTable))
{
objectType = SE_SERVICE;
// always add these permissions for services
// these are basic permissions that are often forgotten
dwPermissions |= SERVICE_QUERY_CONFIG | SERVICE_QUERY_STATUS | SERVICE_ENUMERATE_DEPENDENTS | SERVICE_INTERROGATE;
}
else if (0 == lstrcmpW(L"CreateFolder", pwzTable) || 0 == lstrcmpW(L"File", pwzTable))
{
objectType = SE_FILE_OBJECT;
}
else if (0 == lstrcmpW(L"Registry", pwzTable))
{
objectType = SE_REGISTRY_KEY;
}
if (SE_UNKNOWN_OBJECT_TYPE != objectType)
{
er = ::GetNamedSecurityInfoW(pwzObject, objectType, DACL_SECURITY_INFORMATION, NULL, NULL, &pAclExisting, NULL, &psd);
ExitOnFailure1(hr = HRESULT_FROM_WIN32(er), "failed to get security info for object: %S", pwzObject);
//Need to see if DACL is protected so getting Descriptor information
if(!::GetSecurityDescriptorControl(psd, &sdc, &dwRevision))
{
ExitOnLastError1(hr, "failed to get security descriptor control for object: %S", pwzObject);
}
er = ::SetEntriesInAclW(1, &ea, pAclExisting, &pAclNew);
ExitOnFailure1(hr = HRESULT_FROM_WIN32(er), "failed to add ACLs for object: %S", pwzObject);
if (sdc & SE_DACL_PROTECTED)
{
si = DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION;
}
else
{
si = DACL_SECURITY_INFORMATION;
}
er = ::SetNamedSecurityInfoW(pwzObject, objectType, si, NULL, NULL, pAclNew, NULL);
MessageExitOnFailure1(hr = HRESULT_FROM_WIN32(er), msierrSecureObjectsFailedSet, "failed to set security info for object: %S", pwzObject);
}
else
{
MessageExitOnFailure1(hr = E_UNEXPECTED, msierrSecureObjectsUnknownType, "unknown object type: %S", pwzTable);
}
hr = WcaProgressMessage(COST_SECUREOBJECT, FALSE);
ExitOnFailure(hr, "failed to send progress message");
objectType = SE_UNKNOWN_OBJECT_TYPE;
}
LExit:
ReleaseStr(pwzUser);
ReleaseStr(pwzDomain);
ReleaseStr(pwzTable);
ReleaseStr(pwzObject);
ReleaseStr(pwzData);
ReleaseStr(pwzAccount);
if (pAclNew)
::LocalFree(pAclNew);
if (psd)
::LocalFree(psd);
if (psid)
AclFreeSid(psid);
if (FAILED(hr))
er = ERROR_INSTALL_FAILURE;
return WcaFinalize(er);
}
static HRESULT StoreACLRollbackInfo(
__in LPWSTR pwzObject,
__in LPCWSTR pwzTable
)
{
HRESULT hr = S_OK;
DWORD er = ERROR_SUCCESS;
PSECURITY_DESCRIPTOR psd = NULL;
SECURITY_DESCRIPTOR_CONTROL sdc = {0};
DWORD dwRevision = 0;
LPWSTR pwzCustomActionData = NULL;
LPWSTR pwzSecurityInfo = NULL;
Assert(pwzObject && pwzTable);
SE_OBJECT_TYPE objectType = SEObjectTypeFromString(const_cast<LPCWSTR> (pwzTable));
if (SE_UNKNOWN_OBJECT_TYPE != objectType)
{
er = ::GetNamedSecurityInfoW(pwzObject, objectType, DACL_SECURITY_INFORMATION, NULL, NULL, NULL, NULL, &psd);
if (ERROR_FILE_NOT_FOUND == er || ERROR_PATH_NOT_FOUND == er || ERROR_SERVICE_DOES_NOT_EXIST == HRESULT_CODE(er))
{
// If the file, path or service doesn't exist yet, skip rollback without a message
hr = HRESULT_FROM_WIN32(er);
ExitFunction();
}
ExitOnFailure1(hr = HRESULT_FROM_WIN32(er), "Unable to schedule rollback for object: %ls", pwzObject);
//Need to see if DACL is protected so getting Descriptor information
if (!::GetSecurityDescriptorControl(psd, &sdc, &dwRevision))
{
ExitOnLastError1(hr, "Unable to schedule rollback for object (failed to get security descriptor control): %ls", pwzObject);
}
// Convert the security information to a string, and write this to the custom action data
if (!::ConvertSecurityDescriptorToStringSecurityDescriptorW(psd,SDDL_REVISION_1,DACL_SECURITY_INFORMATION,&pwzSecurityInfo,NULL))
{
hr = E_UNEXPECTED;
ExitOnFailure1(hr, "Unable to schedule rollback for object (failed to convert security descriptor to a valid security descriptor string): %ls", pwzObject);
}
hr = WcaWriteStringToCaData(pwzObject, &pwzCustomActionData);
ExitOnFailure(hr, "failed to add object data to rollback CustomActionData");
hr = WcaWriteStringToCaData(pwzTable, &pwzCustomActionData);
ExitOnFailure(hr, "failed to add table name to rollback CustomActionData");
hr = WcaWriteStringToCaData(pwzSecurityInfo, &pwzCustomActionData);
ExitOnFailure(hr, "failed to add security info data to rollback CustomActionData");
// Write a 1 if DACL is protected, 0 otherwise
if (sdc & SE_DACL_PROTECTED)
{
hr = WcaWriteIntegerToCaData(1,&pwzCustomActionData);
ExitOnFailure(hr, "failed to add data to rollbackCustomActionData");
}
else
{
hr = WcaWriteIntegerToCaData(0,&pwzCustomActionData);
ExitOnFailure(hr, "failed to add data to rollback CustomActionData");
}
hr = WcaDoDeferredAction(PLATFORM_DECORATION(L"ExecSecureObjectsRollback"), pwzCustomActionData, COST_SECUREOBJECT);
ExitOnFailure2(hr, "failed to schedule ExecSecureObjectsRollback for item: %ls of type: %ls", pwzObject, pwzTable);
ReleaseStr(pwzCustomActionData);
pwzCustomActionData = NULL;
}
else
{
MessageExitOnFailure1(hr = E_UNEXPECTED, msierrSecureObjectsUnknownType, "unknown object type: %ls", pwzTable);
}
LExit:
ReleaseStr(pwzCustomActionData);
if (psd)
{
::LocalFree(psd);
}
return hr;
}
/******************************************************************
ExecXmlConfigRollback - entry point for XmlConfig rollback Custom Action
*******************************************************************/
extern "C" UINT __stdcall ExecXmlConfigRollback(
__in MSIHANDLE hInstall
)
{
// AssertSz(FALSE, "debug ExecXmlConfigRollback");
HRESULT hr = S_OK;
UINT er = ERROR_SUCCESS;
int iIs64Bit;
BOOL fIs64Bit = FALSE;
LPWSTR pwzCustomActionData = NULL;
LPWSTR pwz = NULL;
LPWSTR pwzFileName = NULL;
LPBYTE pbData = NULL;
DWORD_PTR cbData = 0;
DWORD cbDataWritten = 0;
FILETIME ft;
HANDLE hFile = INVALID_HANDLE_VALUE;
// initialize
hr = WcaInitialize(hInstall, "ExecXmlConfigRollback");
ExitOnFailure(hr, "failed to initialize");
hr = WcaGetProperty( L"CustomActionData", &pwzCustomActionData);
ExitOnFailure(hr, "failed to get CustomActionData");
WcaLog(LOGMSG_TRACEONLY, "CustomActionData: %ls", pwzCustomActionData);
pwz = pwzCustomActionData;
hr = WcaReadIntegerFromCaData(&pwz, &iIs64Bit);
ExitOnFailure(hr, "failed to read component bitness from custom action data");
hr = WcaReadStringFromCaData(&pwz, &pwzFileName);
ExitOnFailure(hr, "failed to read file name from custom action data");
hr = WcaReadStreamFromCaData(&pwz, &pbData, &cbData);
ExitOnFailure(hr, "failed to read file contents from custom action data");
fIs64Bit = (BOOL)iIs64Bit;
if (fIs64Bit)
{
hr = WcaInitializeWow64();
if (S_FALSE == hr)
{
hr = TYPE_E_DLLFUNCTIONNOTFOUND;
}
ExitOnFailure(hr, "failed to initialize Wow64 API");
if (!WcaIsWow64Process())
{
hr = E_NOTIMPL;
ExitOnFailure(hr, "Custom action was told to rollback a 64-bit component, but the Wow64 API is unavailable.");
}
hr = WcaDisableWow64FSRedirection();
ExitOnFailure(hr, "Custom action was told to rollback a 64-bit component, but was unable to Disable Filesystem Redirection through the Wow64 API.");
}
hr = FileGetTime(pwzFileName, NULL, NULL, &ft);
ExitOnFailure1(hr, "Failed to get modified date of file %ls.", pwzFileName);
// Open the file
hFile = ::CreateFileW(pwzFileName, GENERIC_WRITE, NULL, NULL, TRUNCATE_EXISTING, NULL, NULL);
ExitOnInvalidHandleWithLastError1(hFile, hr, "failed to open file: %ls", pwzFileName);
// Write out the old data
if (!::WriteFile(hFile, pbData, (DWORD)cbData, &cbDataWritten, NULL))
{
ExitOnLastError1(hr, "failed to write to file: %ls", pwzFileName);
}
Assert(cbData == cbDataWritten);
ReleaseFile(hFile);
hr = FileSetTime(pwzFileName, NULL, NULL, &ft);
ExitOnFailure1(hr, "Failed to set modified date of file %ls.", pwzFileName);
LExit:
ReleaseStr(pwzCustomActionData);
ReleaseStr(pwzFileName);
ReleaseFile(hFile);
if (fIs64Bit)
{
WcaRevertWow64FSRedirection();
WcaFinalizeWow64();
}
ReleaseMem(pbData);
if (FAILED(hr))
{
er = ERROR_INSTALL_FAILURE;
}
return WcaFinalize(er);
}
extern "C" UINT __stdcall ExecSecureObjectsRollback(
__in MSIHANDLE hInstall
)
{
// AssertSz(FALSE, "debug ExecSecureObjectsRollback");
HRESULT hr = S_OK;
DWORD er = ERROR_SUCCESS;
LPWSTR pwz = NULL;
LPWSTR pwzData = NULL;
LPWSTR pwzObject = NULL;
LPWSTR pwzTable = NULL;
LPWSTR pwzSecurityInfo = NULL;
SE_OBJECT_TYPE objectType = SE_UNKNOWN_OBJECT_TYPE;
PSECURITY_DESCRIPTOR psd = NULL;
ULONG psdSize;
SECURITY_DESCRIPTOR_CONTROL sdc = {0};
SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;
PACL pDacl = NULL;
BOOL bDaclPresent = false;
BOOL bDaclDefaulted = false;
DWORD dwRevision = 0;
int iProtected;
// initialize
hr = WcaInitialize(hInstall, "ExecSecureObjectsRollback");
ExitOnFailure(hr, "failed to initialize");
hr = WcaGetProperty(L"CustomActionData", &pwzData);
ExitOnFailure(hr, "failed to get CustomActionData");
WcaLog(LOGMSG_TRACEONLY, "CustomActionData: %ls", pwzData);
pwz = pwzData;
hr = WcaReadStringFromCaData(&pwz, &pwzObject);
ExitOnFailure(hr, "failed to process CustomActionData");
hr = WcaReadStringFromCaData(&pwz, &pwzTable);
ExitOnFailure(hr, "failed to process CustomActionData");
objectType = SEObjectTypeFromString(const_cast<LPCWSTR> (pwzTable));
if (SE_UNKNOWN_OBJECT_TYPE != objectType)
{
hr = WcaReadStringFromCaData(&pwz, &pwzSecurityInfo);
ExitOnFailure(hr, "failed to process CustomActionData");
hr = WcaReadIntegerFromCaData(&pwz, &iProtected);
ExitOnFailure(hr, "failed to process CustomActionData");
if (!::ConvertStringSecurityDescriptorToSecurityDescriptorW(pwzSecurityInfo,SDDL_REVISION_1,&psd,&psdSize))
{
ExitOnLastError(hr, "failed to convert security descriptor string to a valid security descriptor");
}
if (!::GetSecurityDescriptorDacl(psd,&bDaclPresent,&pDacl,&bDaclDefaulted))
{
hr = E_UNEXPECTED;
ExitOnFailure2(hr, "failed to get security descriptor's DACL - error code: %d",pwzSecurityInfo,GetLastError());
}
// The below situation may always be caught by the above if block - the documentation isn't very clear. To be safe, we're going to test for it.
if (!bDaclPresent)
{
hr = E_UNEXPECTED;
ExitOnFailure(hr, "security descriptor does not contain a DACL");
}
//Need to see if DACL is protected so getting Descriptor information
if (!::GetSecurityDescriptorControl(psd, &sdc, &dwRevision))
{
ExitOnLastError1(hr, "failed to get security descriptor control for object: %ls", pwzObject);
}
// Write a 1 if DACL is protected, 0 otherwise
switch (iProtected)
{
case 0:
// Unnecessary to do anything - leave si to the default flags
break;
case 1:
si = si | PROTECTED_DACL_SECURITY_INFORMATION;
break;
default:
hr = E_UNEXPECTED;
ExitOnFailure(hr, "unrecognized value in CustomActionData");
break;
}
er = ::SetNamedSecurityInfoW(pwzObject, objectType, si, NULL, NULL, pDacl, NULL);
ExitOnFailure2(hr = HRESULT_FROM_WIN32(er), "failed to set security info for object: %ls error code: %d", pwzObject, GetLastError());
}
else
{
MessageExitOnFailure1(hr = E_UNEXPECTED, msierrSecureObjectsUnknownType, "unknown object type: %ls", pwzTable);
}
LExit:
ReleaseStr(pwzData);
ReleaseStr(pwzObject);
ReleaseStr(pwzTable);
ReleaseStr(pwzSecurityInfo);
if (psd)
{
::LocalFree(psd);
}
if (FAILED(hr))
{
er = ERROR_INSTALL_FAILURE;
}
return WcaFinalize(er);
}
