From c72198549d08411c306a2f25421ae8b4f17ad0ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Herbel?= Date: Fri, 22 Nov 2024 08:45:45 +0100 Subject: [PATCH] Reset RCC binary and profile permissions during setup Since explicitly grant plan users access to these files, we should also reset the access to cover the case where a plan user is removed or changes. --- src/bin/scheduler/setup/steps/rcc.rs | 72 +++++++++++++++++++++++++--- src/bin/scheduler/setup/steps/run.rs | 10 ++-- 2 files changed, 72 insertions(+), 10 deletions(-) diff --git a/src/bin/scheduler/setup/steps/rcc.rs b/src/bin/scheduler/setup/steps/rcc.rs index 4f5ec4f6..74f69920 100644 --- a/src/bin/scheduler/setup/steps/rcc.rs +++ b/src/bin/scheduler/setup/steps/rcc.rs @@ -6,7 +6,7 @@ use super::{ use crate::internal_config::{GlobalConfig, Plan}; use crate::logging::log_and_return_error; #[cfg(windows)] -use crate::setup::windows_permissions::run_icacls_command; +use crate::setup::windows_permissions::{reset_access, run_icacls_command}; use robotmk::config::RCCProfileConfig; use robotmk::environment::RCCEnvironment; @@ -22,14 +22,32 @@ use std::vec; use tokio_util::sync::CancellationToken; #[cfg(windows)] -struct StepFilePermissions { +struct StepResetFilePermissions { + target: Utf8PathBuf, +} + +#[cfg(windows)] +impl SetupStep for StepResetFilePermissions { + fn setup(&self) -> Result<(), api::Error> { + log::info!("Resetting permissions of {}.", self.target); + reset_access(&self.target).map_err(|err| { + api::Error::new( + format!("Resetting permissions of {} failed", self.target), + err, + ) + }) + } +} + +#[cfg(windows)] +struct StepGrantFilePermissions { target: Utf8PathBuf, session: Session, icacls_permissions: String, } #[cfg(windows)] -impl SetupStep for StepFilePermissions { +impl SetupStep for StepGrantFilePermissions { fn setup(&self) -> Result<(), api::Error> { if let Session::User(user_session) = &self.session { log::info!( @@ -249,7 +267,47 @@ impl SetupStep for StepDisableSharedHolotree { } #[cfg(windows)] -pub fn gather_rcc_binary_permissions( +pub fn gather_reset_rcc_binary_permissions( + config: &GlobalConfig, + plans: Vec, +) -> Vec { + let (rcc_plans, system_plans): (Vec, Vec) = + partition_into_rcc_and_system_plans(plans); + vec![ + ( + Box::new(StepResetFilePermissions { + target: config.rcc_config.binary_path.clone(), + }), + rcc_plans, + ), + skip(system_plans), + ] +} + +#[cfg(windows)] +pub fn gather_reset_rcc_profile_permissions( + config: &GlobalConfig, + plans: Vec, +) -> Vec { + let (rcc_plans, system_plans): (Vec, Vec) = + partition_into_rcc_and_system_plans(plans); + let mut steps: Vec = vec![skip(system_plans)]; + match &config.rcc_config.profile_config { + RCCProfileConfig::Default => steps.push(skip(rcc_plans)), + RCCProfileConfig::Custom(custom_profile) => { + steps.push(( + Box::new(StepResetFilePermissions { + target: custom_profile.path.clone(), + }), + rcc_plans, + )); + } + } + steps +} + +#[cfg(windows)] +pub fn gather_grant_rcc_binary_permissions( config: &GlobalConfig, plans: Vec, ) -> Vec { @@ -258,7 +316,7 @@ pub fn gather_rcc_binary_permissions( let mut steps: Vec = vec![skip(system_plans)]; for (session, plans_in_session) in plans_by_sessions(rcc_plans) { steps.push(( - Box::new(StepFilePermissions { + Box::new(StepGrantFilePermissions { target: config.rcc_config.binary_path.clone(), session, icacls_permissions: "(RX)".to_string(), @@ -270,7 +328,7 @@ pub fn gather_rcc_binary_permissions( } #[cfg(windows)] -pub fn gather_rcc_profile_permissions( +pub fn gather_grant_rcc_profile_permissions( config: &GlobalConfig, plans: Vec, ) -> Vec { @@ -282,7 +340,7 @@ pub fn gather_rcc_profile_permissions( RCCProfileConfig::Custom(custom_profile) => { for (session, plans_in_session) in plans_by_sessions(rcc_plans) { steps.push(( - Box::new(StepFilePermissions { + Box::new(StepGrantFilePermissions { target: custom_profile.path.clone(), session, icacls_permissions: "(R)".to_string(), diff --git a/src/bin/scheduler/setup/steps/run.rs b/src/bin/scheduler/setup/steps/run.rs index fbb9372a..b3c0c4a3 100644 --- a/src/bin/scheduler/setup/steps/run.rs +++ b/src/bin/scheduler/setup/steps/run.rs @@ -31,7 +31,7 @@ type Gatherer = fn(&GlobalConfig, Vec) -> Vec; #[cfg(unix)] type Steps = [Gatherer; 10]; #[cfg(windows)] -type Steps = [Gatherer; 16]; +type Steps = [Gatherer; 18]; const STEPS: Steps = [ directories::gather_managed_directories, @@ -46,9 +46,13 @@ const STEPS: Steps = [ directories::gather_rcc_longpath_directory, directories::gather_rcc_working_per_user, #[cfg(windows)] - rcc::gather_rcc_binary_permissions, + rcc::gather_reset_rcc_binary_permissions, #[cfg(windows)] - rcc::gather_rcc_profile_permissions, + rcc::gather_reset_rcc_profile_permissions, + #[cfg(windows)] + rcc::gather_grant_rcc_binary_permissions, + #[cfg(windows)] + rcc::gather_grant_rcc_profile_permissions, rcc::gather_disable_rcc_telemetry, rcc::gather_configure_default_rcc_profile, rcc::gather_import_custom_rcc_profile,