Tighten permissions of ROBOCORP_HOME base (Windows only)

* Remove inherited permissions * Grant Administrators group full access CMK-20325
elabit · Nov 26, 2024 · 003333e · 003333e
1 parent e0107db
commit 003333e
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 4 deletions.
diff --git a/src/bin/scheduler/setup/steps/directories.rs b/src/bin/scheduler/setup/steps/directories.rs
@@ -7,7 +7,7 @@ use crate::internal_config::{GlobalConfig, Plan, Source};
 #[cfg(windows)]
 use crate::setup::ownership::transfer_directory_ownership_recursive;
 #[cfg(windows)]
-use crate::setup::windows_permissions::{grant_full_access, reset_access};
+use crate::setup::windows_permissions::{grant_full_access, reset_access, run_icacls_command};
 
 use camino::Utf8PathBuf;
 use robotmk::environment::Environment;
@@ -78,6 +78,25 @@ impl SetupStep for StepRobocorpHomeBase {
                 err,
             )
         })?;
+        run_icacls_command([self.target.as_str(), "/inheritancelevel:r"]).map_err(|err| {
+            api::Error::new(
+                format!(
+                    "Failed to set remove permission inheritance for {}",
+                    self.target
+                ),
+                err,
+            )
+        })?;
+        grant_full_access(
+            "*S-1-5-32-544", // Administrators (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers)
+            &self.target,
+        )
+        .map_err(|err| {
+            api::Error::new(
+                format!("Failed to set permissions for {}", self.target),
+                err,
+            )
+        })?;
         Ok(())
     }
 }

diff --git a/src/bin/scheduler/setup/windows_permissions.rs b/src/bin/scheduler/setup/windows_permissions.rs
@@ -7,15 +7,15 @@ pub fn run_icacls_command<'a>(arguments: impl IntoIterator<Item = &'a str>) -> a
     run_command("icacls.exe", arguments)
 }
 
-pub fn grant_full_access(user: &str, target_path: &Utf8Path) -> anyhow::Result<()> {
+pub fn grant_full_access(sid: &str, target_path: &Utf8Path) -> anyhow::Result<()> {
     let arguments = [
         target_path.as_ref(),
         "/grant",
-        &format!("{user}:(OI)(CI)F"),
+        &format!("{sid}:(OI)(CI)F"),
         "/T",
     ];
     run_icacls_command(arguments).map_err(|e| {
-        let message = format!("Adjusting permissions of {target_path} for user `{user}` failed");
+        let message = format!("Adjusting permissions of {target_path} for SID `{sid}` failed");
         e.context(message)
     })
 }