[PATCH] (issue54) commit work in progress on start after installation
Wald Commits
scm-commit at wald.intevation.org
Tue Sep 2 14:26:14 CEST 2014
# HG changeset patch
# User Andre Heinecke <andre.heinecke at intevation.de>
# Date 1409660740 -7200
# Branch runafterinstall
# Node ID 1c1964c27b39659d3581e693fb784dc205ca44d1
# Parent 7dff5c0c569c8ee74fe11fd699400412eac6a8eb
(issue54) commit work in progress on start after installation
diff -r 7dff5c0c569c -r 1c1964c27b39 CMakeLists.txt
--- a/CMakeLists.txt Tue Sep 02 10:54:51 2014 +0200
+++ b/CMakeLists.txt Tue Sep 02 14:25:40 2014 +0200
@@ -141,12 +141,7 @@
add_subdirectory(manuals)
endif()
-# Configure packaging script for testing
-configure_file (packaging/win-createpackage.sh.in packaging/win-createpackage.sh @ONLY)
-configure_file (packaging/create-dist-package.sh.in packaging/create-dist-package.sh @ONLY)
-configure_file (packaging/linux-createpackage.sh.in packaging/linux-createpackage.sh @ONLY)
-configure_file (packaging/linux-installer.inc.in packaging/linux-installer.inc @ONLY)
-configure_file (packaging/linux-installer.l10n-de packaging/linux-installer.l10n-de COPYONLY)
+add_subdirectory(packaging)
if (ENABLE_PROFILING)
configure_file (make-coverage.sh.in make-coverage.sh)
diff -r 7dff5c0c569c -r 1c1964c27b39 cinst/nssstore_win.c
--- a/cinst/nssstore_win.c Tue Sep 02 10:54:51 2014 +0200
+++ b/cinst/nssstore_win.c Tue Sep 02 14:25:40 2014 +0200
@@ -39,7 +39,6 @@
*/
#include <windows.h>
-#include <winsafer.h>
#include <sddl.h>
#include <stdio.h>
#include <stdbool.h>
@@ -98,34 +97,6 @@
xfree (item);
}
-/** @brief get a restricted access token to execute nss process
- *
- * This function uses the Software Restriction API to obtain the
- * access token for a process run als normal user.
- *
- * @returns A restricted handle or NULL on error.
- */
-static HANDLE
-get_restricted_token()
-{
- SAFER_LEVEL_HANDLE user_level = NULL;
- HANDLE retval = NULL;
- if (!SaferCreateLevel(SAFER_SCOPEID_USER,
- SAFER_LEVELID_NORMALUSER,
- SAFER_LEVEL_OPEN, &user_level, NULL))
- {
- PRINTLASTERROR ("Failed to create user level.\n");
- return NULL;
- }
-
- if (!SaferComputeTokenFromLevel(user_level, NULL, &retval, 0, NULL))
- {
- SaferCloseLevel(user_level);
- return NULL;
- }
-
- return retval;
-}
/**@brief Write strv of instructions to a handle
*
diff -r 7dff5c0c569c -r 1c1964c27b39 common/util.c
--- a/common/util.c Tue Sep 02 10:54:51 2014 +0200
+++ b/common/util.c Tue Sep 02 14:25:40 2014 +0200
@@ -16,6 +16,7 @@
#include <grp.h>
#include <string.h>
#else
+#include <winsafer.h>
#include <windows.h>
#include <accctrl.h>
#include <aclapi.h>
@@ -724,3 +725,56 @@
return retval;
}
#endif
+
+#ifdef WIN32
+/** @brief get a restricted access token
+ *
+ * This function uses the Software Restriction API to obtain the
+ * access token for a process run als normal user.
+ *
+ * @returns A restricted handle or NULL on error.
+ */
+HANDLE
+get_restricted_token()
+{
+ SAFER_LEVEL_HANDLE user_level = NULL;
+ HANDLE retval = NULL;
+ if (!SaferCreateLevel(SAFER_SCOPEID_USER,
+ SAFER_LEVELID_NORMALUSER,
+ SAFER_LEVEL_OPEN, &user_level, NULL))
+ {
+ PRINTLASTERROR ("Failed to create user level.\n");
+ return NULL;
+ }
+
+ if (!SaferComputeTokenFromLevel(user_level, NULL, &retval, 0, NULL))
+ {
+ SaferCloseLevel(user_level);
+ return NULL;
+ }
+
+ return retval;
+}
+
+HANDLE
+get_normal_token()
+{
+ SAFER_LEVEL_HANDLE user_level = NULL;
+ HANDLE retval = NULL;
+ if (!SaferCreateLevel(SAFER_SCOPEID_USER,
+ SAFER_LEVELID_NORMALUSER,
+ SAFER_LEVEL_OPEN, &user_level, NULL))
+ {
+ PRINTLASTERROR ("Failed to create user level.\n");
+ return NULL;
+ }
+
+ if (!SaferComputeTokenFromLevel(user_level, NULL, &retval, 0, NULL))
+ {
+ SaferCloseLevel(user_level);
+ return NULL;
+ }
+
+ return retval;
+}
+#endif
diff -r 7dff5c0c569c -r 1c1964c27b39 common/util.h
--- a/common/util.h Tue Sep 02 10:54:51 2014 +0200
+++ b/common/util.h Tue Sep 02 14:25:40 2014 +0200
@@ -136,6 +136,23 @@
*/
bool create_restricted_directory (LPWSTR path);
+/** @brief get a restricted access token to execute nss process
+ *
+ * This function uses the Software Restriction API to obtain the
+ * access token for a process run als normal user.
+ *
+ * @returns A restricted handle or NULL on error.
+ */
+HANDLE get_restricted_token();
+
+/** @brief get a normal user access token
+ *
+ * The trusted acces token is not elevated but has the normal user rights.
+ *
+ * @returns A normal user handle or NULL on error.
+ */
+HANDLE get_normal_token();
+
#endif
#ifdef __cplusplus
diff -r 7dff5c0c569c -r 1c1964c27b39 packaging/CMakeLists.txt
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/packaging/CMakeLists.txt Tue Sep 02 14:25:40 2014 +0200
@@ -0,0 +1,22 @@
+# Configure packaging script for testing
+configure_file (win-createpackage.sh.in win-createpackage.sh @ONLY)
+configure_file (create-dist-package.sh.in create-dist-package.sh @ONLY)
+configure_file (linux-createpackage.sh.in linux-createpackage.sh @ONLY)
+configure_file (linux-installer.inc.in linux-installer.inc @ONLY)
+configure_file (linux-installer.l10n-de linux-installer.l10n-de COPYONLY)
+
+if (WIN32)
+ # Build the nss safer plugin.
+ include_directories(${CMAKE_SOURCE_DIR}/common)
+
+ add_library(saferrunas SHARED safer_run_as.c)
+ target_link_libraries(saferrunas
+ trustbridge_common
+ -luserenv
+ -lshell32
+ -lcrypt32
+ -lssp
+ ${POLARSSL_LIBRARIES}) # trustbridge_common pulls it in.
+ set_target_properties(saferrunas PROPERTIES PREFIX "")
+ set_target_properties(saferrunas PROPERTIES OUTPUT_NAME "SaferRunAs")
+endif()
diff -r 7dff5c0c569c -r 1c1964c27b39 packaging/create-dist-package.sh.in
--- a/packaging/create-dist-package.sh.in Tue Sep 02 10:54:51 2014 +0200
+++ b/packaging/create-dist-package.sh.in Tue Sep 02 14:25:40 2014 +0200
@@ -58,6 +58,7 @@
# Create a temporary NSIS file for the uninstaller cration
LC_ALL="de_DE.latin-1" makensis -Dfiles_dir=$TMPDIR/windows \
-Dcompany="Bundesamt für Sicherheit in der Informationstechnik" \
+ -Dplugin_dir="@CMAKE_CURRENT_BINARY_DIR@" \
-Dversion_number=@PROJECT_VERSION@ \
-Dsetupname="$TMPDIR/TrustBridge- at PROJECT_VERSION@-uni.exe" \
-Dproductname="TrustBridge" \
diff -r 7dff5c0c569c -r 1c1964c27b39 packaging/exdll.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/packaging/exdll.h Tue Sep 02 14:25:40 2014 +0200
@@ -0,0 +1,106 @@
+/* exdll.h for use with gpg4win
+ * Copyright (C) 1999-2005 Nullsoft, Inc.
+ *
+ * This license applies to everything in the NSIS package, except
+ * where otherwise noted.
+ *
+ * This software is provided 'as-is', without any express or implied
+ * warranty. In no event will the authors be held liable for any
+ * damages arising from the use of this software.
+ *
+ * Permission is granted to anyone to use this software for any
+ * purpose, including commercial applications, and to alter it and
+ * redistribute it freely, subject to the following restrictions:
+ *
+ * 1. The origin of this software must not be misrepresented; you must
+ * not claim that you wrote the original software. If you use this
+ * software in a product, an acknowledgment in the product
+ * documentation would be appreciated but is not required.
+ *
+ * 2. Altered source versions must be plainly marked as such, and must
+ * not be misrepresented as being the original software.
+ *
+ * 3. This notice may not be removed or altered from any source
+ * distribution.
+ ************************************************************
+ * 2005-11-14 wk Applied license text to orginal exdll.h file from
+ * NSIS 2.0.4 and did some formatting changes.
+ */
+
+#ifndef _EXDLL_H_
+#define _EXDLL_H_
+
+/* only include this file from one place in your DLL. (it is all
+ static, if you use it in two places it will fail) */
+
+#define EXDLL_INIT() { \
+ g_stringsize=(unsigned int)string_size; \
+ g_stacktop=stacktop; \
+ g_variables=variables; }
+
+/* For page showing plug-ins */
+#define WM_NOTIFY_OUTER_NEXT (WM_USER+0x8)
+#define WM_NOTIFY_CUSTOM_READY (WM_USER+0xd)
+#define NOTIFY_BYE_BYE 'x'
+
+typedef struct _stack_t {
+ struct _stack_t *next;
+ char text[1]; /* This should be the length of string_size. */
+} stack_t;
+
+
+static unsigned int g_stringsize;
+static stack_t **g_stacktop;
+static char *g_variables;
+
+enum
+ {
+ INST_0, // $0
+ INST_1, // $1
+ INST_2, // $2
+ INST_3, // $3
+ INST_4, // $4
+ INST_5, // $5
+ INST_6, // $6
+ INST_7, // $7
+ INST_8, // $8
+ INST_9, // $9
+ INST_R0, // $R0
+ INST_R1, // $R1
+ INST_R2, // $R2
+ INST_R3, // $R3
+ INST_R4, // $R4
+ INST_R5, // $R5
+ INST_R6, // $R6
+ INST_R7, // $R7
+ INST_R8, // $R8
+ INST_R9, // $R9
+ INST_CMDLINE, // $CMDLINE
+ INST_INSTDIR, // $INSTDIR
+ INST_OUTDIR, // $OUTDIR
+ INST_EXEDIR, // $EXEDIR
+ INST_LANG, // $LANGUAGE
+ __INST_LAST
+};
+
+typedef struct {
+ int autoclose;
+ int all_user_var;
+ int exec_error;
+ int abort;
+ int exec_reboot;
+ int reboot_called;
+ int XXX_cur_insttype; /* deprecated */
+ int XXX_insttype_changed; /* deprecated */
+ int silent;
+ int instdir_error;
+ int rtl;
+ int errlvl;
+} exec_flags_t;
+
+typedef struct {
+ exec_flags_t *exec_flags;
+ int (__stdcall *ExecuteCodeSegment)(int, HWND);
+} extra_parameters_t;
+
+#endif//_EXDLL_H_
diff -r 7dff5c0c569c -r 1c1964c27b39 packaging/safer_run_as.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/packaging/safer_run_as.c Tue Sep 02 14:25:40 2014 +0200
@@ -0,0 +1,67 @@
+#include <windows.h>
+#include "exdll.h"
+#include "util.h"
+#include "logging.h"
+
+static HINSTANCE g_hInstance; /* Our Instance. */
+static HWND g_hwndParent; /* Handle of parent window or NULL. */
+
+#define UNUSED(x) (void)(x)
+
+/* Standard entry point for DLLs. */
+int WINAPI
+DllMain (HANDLE hinst, DWORD reason, LPVOID reserved)
+{
+ UNUSED(reserved);
+ if (reason == DLL_PROCESS_ATTACH)
+ g_hInstance = hinst;
+ return TRUE;
+}
+
+void __declspec(dllexport) __cdecl Exec(HWND hwndParent,
+ int string_size,
+ char *variables,
+ stack_t **stacktop)
+{
+ HANDLE restricted_token = NULL;
+ STARTUPINFO si;
+ PROCESS_INFORMATION pi;
+
+ EXDLL_INIT();
+
+ UNUSED(hwndParent);
+ UNUSED(g_hwndParent);
+
+ memset(&si, 0, sizeof(STARTUPINFO));
+
+ if (!stacktop || !*stacktop || !(*stacktop)->text)
+ {
+ ERRORPRINTF ("Invalid call to exec\n");
+ return;
+ }
+
+ restricted_token = get_normal_token();
+
+ if (restricted_token == NULL || restricted_token == INVALID_HANDLE_VALUE)
+ {
+ ERRORPRINTF ("Failed to obtain restricted token.\n");
+ return;
+ }
+
+ if (CreateProcessAsUser(restricted_token,
+ 0,
+ (*stacktop)->text,
+ 0,
+ 0,
+ FALSE,
+ CREATE_NEW_CONSOLE,
+ 0,
+ 0,
+ &si,
+ &pi))
+ {
+ CloseHandle(pi.hProcess);
+ CloseHandle(pi.hThread);
+ }
+}
+
diff -r 7dff5c0c569c -r 1c1964c27b39 packaging/trustbridge.nsi
--- a/packaging/trustbridge.nsi Tue Sep 02 10:54:51 2014 +0200
+++ b/packaging/trustbridge.nsi Tue Sep 02 14:25:40 2014 +0200
@@ -27,6 +27,8 @@
!define MULTIUSER_INSTALLMODE_INSTDIR_REGISTRY_VALUENAME ""
!define MULTIUSER_INSTALLMODE_INSTDIR "${productname_short}"
+!addplugindir "${plugin_dir}"
+
!include "MultiUser.nsh"
!include "MUI2.nsh"
!include "FileFunc.nsh"
@@ -93,9 +95,9 @@
Computer installliert. $\r$\n$\r$\n\
Klicken Sie auf 'Fertig stellen', um den Installations-Assistenten\
zu schließen."
-;!define MUI_FINISHPAGE_RUN $INSTDIR\trustbridge.exe
-;!define MUI_FINISHPAGE_RUN_TEXT "Anwendung starten"
-;!define MUI_FINISHPAGE_RUN_FUNCTION RunAsUser
+!define MUI_FINISHPAGE_RUN $INSTDIR\trustbridge.exe
+!define MUI_FINISHPAGE_RUN_TEXT "Anwendung starten"
+!define MUI_FINISHPAGE_RUN_FUNCTION RunAsUser
!define MUI_FINISHPAGE_LINK "Mehr unter ${info_url}"
!define MUI_FINISHPAGE_LINK_LOCATION "${info_url}"
@@ -186,7 +188,8 @@
; the UI elevated as this could be a security
; problem.
Function RunAsUser
- ExecShell "" "$INSTDIR\trustbridge.exe"
+ SaferRunAs::Exec "cmd.exe"
+ ;$INSTDIR\trustbridge.exe"
FunctionEnd
;--------------------------------
@@ -258,6 +261,9 @@
!insertmacro MUI_STARTMENU_WRITE_END
done:
+ StrCmp $is_update '1' run_silent dont_run
+run_silent:
+dont_run:
SectionEnd
diff -r 7dff5c0c569c -r 1c1964c27b39 packaging/win-createpackage.sh.in
--- a/packaging/win-createpackage.sh.in Tue Sep 02 10:54:51 2014 +0200
+++ b/packaging/win-createpackage.sh.in Tue Sep 02 14:25:40 2014 +0200
@@ -26,6 +26,7 @@
makensis -Dfiles_dir=$TMPDIR \
-Dcompany="Bundesamt für Sicherheit in der Informationstechnik" \
+ -Dplugin_dir="@CMAKE_CURRENT_BINARY_DIR@" \
-Dversion_number=@PROJECT_VERSION@ \
-Dsetupname="$TMPINST" \
-Dproductname="TrustBridge" \
@@ -41,6 +42,7 @@
makensis -Dfiles_dir=$TMPDIR \
-Dcompany="Bundesamt für Sicherheit in der Informationstechnik" \
+ -Dplugin_dir="@CMAKE_CURRENT_BINARY_DIR@" \
-Dversion_number=@PROJECT_VERSION@ \
-Dsetupname="@CMAKE_BINARY_DIR@/TrustBridge- at PROJECT_VERSION@.exe" \
-Dproductname="TrustBridge" \
More information about the Trustbridge-commits
mailing list