set access control on setting data folder

2026-01-04 09:33:26 +00:00 · 2017-05-17 10:16:35 -04:00
parent b636cd21e5
commit 7e916e6cba
6 changed files with 79 additions and 7 deletions
--- a/src/Console/Program.cs
+++ b/src/Console/Program.cs
@@ -783,6 +783,15 @@ namespace Bit.Console
            }

            Con.WriteLine();
+
+            if((start || stop) && !Helpers.IsAdministrator())
+            {
+                Con.ForegroundColor = ConsoleColor.Red;
+                Con.WriteLine("You must be an administrator to control the service.");
+                Con.ResetColor();
+                return Task.FromResult(0);
+            }
+
            if(start)
            {
                Con.WriteLine("Starting service...");
--- a/src/Core/Core.csproj
+++ b/src/Core/Core.csproj
@@ -90,11 +90,13 @@
    <Compile Include="Services\IDirectoryService.cs" />
    <Compile Include="Services\SettingsService.cs" />
    <Compile Include="Utilities\AzureAuthenticationProvider.cs" />
+    <Compile Include="Utilities\Constants.cs" />
    <Compile Include="Utilities\Crypto.cs" />
    <Compile Include="Services\TokenService.cs" />
    <Compile Include="Services\AuthService.cs" />
    <Compile Include="Properties\AssemblyInfo.cs" />
    <Compile Include="Utilities\Extensions.cs" />
+    <Compile Include="Utilities\Helpers.cs" />
    <Compile Include="Utilities\Sync.cs" />
  </ItemGroup>
  <ItemGroup>
--- a/src/Core/Services/SettingsService.cs
+++ b/src/Core/Services/SettingsService.cs
@@ -1,4 +1,5 @@
 using Bit.Core.Models;
+using Bit.Core.Utilities;
 using Newtonsoft.Json;
 using System;
 using System.Collections.Generic;
@@ -14,9 +15,6 @@ namespace Bit.Core.Services
    {
        private static SettingsService _instance;
        private static object _locker = new object();
-        private static string _baseStoragePath = string.Concat(
-            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
-            "\\bitwarden\\Directory Connector");

        private SettingsModel _settings;

@@ -39,7 +37,7 @@ namespace Bit.Core.Services
        {
            get
            {
-                var filePath = $"{_baseStoragePath}\\settings.json";
+                var filePath = $"{Constants.BaseStoragePath}\\settings.json";
                if(_settings == null && File.Exists(filePath))
                {
                    var serializer = new JsonSerializer();
@@ -59,13 +57,13 @@ namespace Bit.Core.Services
        {
            lock(_locker)
            {
-                if(!Directory.Exists(_baseStoragePath))
+                if(!Directory.Exists(Constants.BaseStoragePath))
                {
-                    Directory.CreateDirectory(_baseStoragePath);
+                    Directory.CreateDirectory(Constants.BaseStoragePath);
                }

                _settings = Settings;
-                var filePath = $"{_baseStoragePath}\\settings.json";
+                var filePath = $"{Constants.BaseStoragePath}\\settings.json";
                using(var s = new FileStream(filePath, FileMode.Create, FileAccess.Write, FileShare.Read))
                using(var sw = new StreamWriter(s, Encoding.UTF8))
                {
--- a/src/Core/Utilities/Constants.cs
+++ b/src/Core/Utilities/Constants.cs
@@ -0,0 +1,15 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Bit.Core.Utilities
+{
+    public static class Constants
+    {
+        public static string BaseStoragePath = string.Concat(
+            Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
+            "\\bitwarden\\Directory Connector");
+    }
+}
--- a/src/Core/Utilities/Helpers.cs
+++ b/src/Core/Utilities/Helpers.cs
@@ -0,0 +1,19 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Principal;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Bit.Core.Utilities
+{
+    public static class Helpers
+    {
+        public static bool IsAdministrator()
+        {
+            var identity = WindowsIdentity.GetCurrent();
+            var principal = new WindowsPrincipal(identity);
+            return principal.IsInRole(WindowsBuiltInRole.Administrator);
+        }
+    }
+}
--- a/src/Service/Installer.cs
+++ b/src/Service/Installer.cs
@@ -7,6 +7,10 @@ using System.Text;
 using System.Threading.Tasks;
 using System.Configuration.Install;
 using System.Diagnostics;
+using System.IO;
+using System.Security.AccessControl;
+using System.Security.Principal;
+using Bit.Core.Utilities;

 namespace Service
 {
@@ -41,7 +45,32 @@ namespace Service

        private void AfterInstalled(object sender, InstallEventArgs e)
        {
+            if(!Directory.Exists(Constants.BaseStoragePath))
+            {
+                Directory.CreateDirectory(Constants.BaseStoragePath);
+            }

+            var info = new DirectoryInfo(Constants.BaseStoragePath);
+            var sec = info.GetAccessControl();
+
+            var adminRule = new FileSystemAccessRule(
+                new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null),
+                FileSystemRights.FullControl | FileSystemRights.Write | FileSystemRights.Read,
+                InheritanceFlags.None,
+                PropagationFlags.NoPropagateInherit,
+                AccessControlType.Allow);
+            sec.AddAccessRule(adminRule);
+
+            var userRule = new FileSystemAccessRule(
+                WindowsIdentity.GetCurrent().Name,
+                FileSystemRights.Write | FileSystemRights.Read,
+                InheritanceFlags.None,
+                PropagationFlags.NoPropagateInherit,
+                AccessControlType.Allow);
+            sec.AddAccessRule(userRule);
+
+            sec.SetAccessRuleProtection(isProtected: true, preserveInheritance: false);
+            info.SetAccessControl(sec);
        }

        private void BeforeInstalled(object sender, InstallEventArgs e)