Add a restricted ACL to installer temp directory

chrome/installer/mini_installer/mini_installer.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // mini_installer.exe is the first exe that is run when chrome is being
 // installed or upgraded. It is designed to be extremely small (~5KB with no
 // extra resources linked) and it has two main jobs:
 //   1) unpack the resources (possibly decompressing some)
 //   2) run the real installer (setup.exe) with appropriate flags.
 //
 // In order to be really small the app doesn't link against the CRT and
 // defines the following compiler/linker flags:
 //   EnableIntrinsicFunctions="true" compiler: /Oi
 //   BasicRuntimeChecks="0"
 //   BufferSecurityCheck="false" compiler: /GS-
 //   EntryPointSymbol="MainEntryPoint" linker: /ENTRY
 //   IgnoreAllDefaultLibraries="true" linker: /NODEFAULTLIB
 //   OptimizeForWindows98="1"  liker: /OPT:NOWIN98
 //   linker: /SAFESEH:NO
 
 // have the linker merge the sections, saving us ~500 bytes.
 #pragma comment(linker, "/MERGE:.rdata=.text")
 
 #include <windows.h>
+#include <sddl.h>
 #include <shellapi.h>
 #include <stdlib.h>
 
 #include "chrome/installer/mini_installer/appid.h"
 #include "chrome/installer/mini_installer/configuration.h"
 #include "chrome/installer/mini_installer/decompress.h"
 #include "chrome/installer/mini_installer/exit_code.h"
 #include "chrome/installer/mini_installer/mini_installer_constants.h"
 #include "chrome/installer/mini_installer/mini_string.h"
 #include "chrome/installer/mini_installer/pe_resource.h"
@@ skipping 521 matching lines @@
   // Store the location where we'll append the id.
   size_t end = work_dir->length();
 
   // Check if we'll have enough buffer space to continue.
   // The name of the directory will use up 11 chars and then we need to append
   // the trailing backslash and a terminator.  We've already added the prefix
   // to the buffer, so let's just make sure we've got enough space for the rest.
   if ((work_dir->capacity() - end) < (_countof("fffff.tmp") + 1))
     return false;
 
-  // Generate a unique id.  We only use the lowest 20 bits, so take the top
-  // 12 bits and xor them with the lower bits.
-  DWORD id = ::GetTickCount();
-  id ^= (id >> 12);
+  // Add an ACL if supported by the filesystem.
+  SECURITY_ATTRIBUTES sa = {0};

[grt (UTC plus 2), 2015/12/03 21:38:32]

nit: i prefer {} since {0} doesn't mean "initialize everything to zero" like it
looks. i won't force you to change it, though.

[jschuh, 2015/12/04 00:40:27]

Ah, good point.

+  sa.nLength = sizeof(SECURITY_ATTRIBUTES);
+  DWORD flags;
+  if (GetVolumeInformation(work_dir->get(), nullptr, 0, nullptr, nullptr,
+                           &flags, nullptr, 0) &&
+      (flags & FILE_PERSISTENT_ACLS)) {
+    static const wchar_t sddl[] =
+        L"D:AI(A;ID;FA;;;BA)"    // Admin: Full control.
+        L"(A;OICIIOID;GA;;;BA)"
+        L"(A;ID;FA;;;SY)"        // System: Full control.
+        L"(A;OICIIOID;GA;;;SY)"
+        L"(A;ID;FA;;;CO)";       // Owner: Full control.
+        L"(A;OICIIOID;GA;;;CO)";
+    if (!ConvertStringSecurityDescriptorToSecurityDescriptor(
+            sddl, SDDL_REVISION, &sa.lpSecurityDescriptor, NULL)) {
+      return false;

[grt (UTC plus 2), 2015/12/03 21:38:32]

how about falling through to the previous case if this unexpectedly fails?

[jschuh, 2015/12/04 00:40:27]

This is one of those must-never-fail sort of things, so I'd prefer to keep it.

+    }
+  }
 
-  int max_attempts = 10;
-  while (max_attempts--) {
+  bool result = false;
+  unsigned int id;
+  rand_s(&id);

[grt (UTC plus 2), 2015/12/03 21:38:32]

we link with /NODEFAULTLIB. will this work?

[jschuh, 2015/12/04 00:40:27]

Switched it to call RtlGenRandom() directly.

+  for (int max_attempts = 10; max_attempts; --max_attempts) {
     // This converts 'id' to a string in the format "78563412" on windows
     // because of little endianness, but we don't care since it's just
     // a name.
-    if (!HexEncode(&id, sizeof(id), work_dir->get() + end,
-                   work_dir->capacity() - end)) {
-      return false;
+    if (!HexEncode(&id, 3, work_dir->get() + end, work_dir->capacity() - end)) {

[grt (UTC plus 2), 2015/12/03 21:38:32]

nit: omit braces

[jschuh, 2015/12/04 00:40:28]

Switched it back to sizeof.

+      break;
     }
 
     // We only want the first 5 digits to remain within the 8.3 file name
     // format (compliant with previous implementation).
     work_dir->truncate_at(end + 5);
 
     // for consistency with the previous implementation which relied on
     // GetTempFileName, we append the .tmp extension.
     work_dir->append(L".tmp");
-    if (::CreateDirectory(work_dir->get(), NULL)) {
+
+    if (::CreateDirectory(work_dir->get(),
+                          sa.lpSecurityDescriptor ? &sa : nullptr)) {
       // Yay!  Now let's just append the backslash and we're done.
-      return work_dir->append(L"\\");
+      result = work_dir->append(L"\\");
+      break;
     }
     ++id;  // Try a different name.
   }
 
-  return false;
+  if (sa.lpSecurityDescriptor)
+    LocalFree(sa.lpSecurityDescriptor);
+  return result;
 }
 
 // Creates and returns a temporary directory in |work_dir| that can be used to
 // extract mini_installer payload. |work_dir| ends with a path separator.
 bool GetWorkDir(HMODULE module, PathString* work_dir) {
   PathString base_path;
   DWORD len = ::GetTempPath(static_cast<DWORD>(base_path.capacity()),
                             base_path.get());
   if (!len || len >= base_path.capacity() ||
       !CreateWorkDir(base_path.get(), work_dir)) {
@@ skipping 228 matching lines @@
 #pragma function(memset)
 void* memset(void* dest, int c, size_t count) {
   void* start = dest;
   while (count--) {
     *reinterpret_cast<char*>(dest) = static_cast<char>(c);
     dest = reinterpret_cast<char*>(dest) + 1;
   }
   return start;
 }
 }  // extern "C"