OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // mini_installer.exe is the first exe that is run when chrome is being | 5 // mini_installer.exe is the first exe that is run when chrome is being |
6 // installed or upgraded. It is designed to be extremely small (~5KB with no | 6 // installed or upgraded. It is designed to be extremely small (~5KB with no |
7 // extra resources linked) and it has two main jobs: | 7 // extra resources linked) and it has two main jobs: |
8 // 1) unpack the resources (possibly decompressing some) | 8 // 1) unpack the resources (possibly decompressing some) |
9 // 2) run the real installer (setup.exe) with appropriate flags. | 9 // 2) run the real installer (setup.exe) with appropriate flags. |
10 // | 10 // |
11 // In order to be really small the app doesn't link against the CRT and | 11 // In order to be really small the app doesn't link against the CRT and |
12 // defines the following compiler/linker flags: | 12 // defines the following compiler/linker flags: |
13 // EnableIntrinsicFunctions="true" compiler: /Oi | 13 // EnableIntrinsicFunctions="true" compiler: /Oi |
14 // BasicRuntimeChecks="0" | 14 // BasicRuntimeChecks="0" |
15 // BufferSecurityCheck="false" compiler: /GS- | 15 // BufferSecurityCheck="false" compiler: /GS- |
16 // EntryPointSymbol="MainEntryPoint" linker: /ENTRY | 16 // EntryPointSymbol="MainEntryPoint" linker: /ENTRY |
17 // IgnoreAllDefaultLibraries="true" linker: /NODEFAULTLIB | 17 // IgnoreAllDefaultLibraries="true" linker: /NODEFAULTLIB |
18 // OptimizeForWindows98="1" liker: /OPT:NOWIN98 | 18 // OptimizeForWindows98="1" liker: /OPT:NOWIN98 |
19 // linker: /SAFESEH:NO | 19 // linker: /SAFESEH:NO |
20 | 20 |
21 // have the linker merge the sections, saving us ~500 bytes. | 21 // have the linker merge the sections, saving us ~500 bytes. |
22 #pragma comment(linker, "/MERGE:.rdata=.text") | 22 #pragma comment(linker, "/MERGE:.rdata=.text") |
23 | 23 |
24 #include <windows.h> | 24 #include <windows.h> |
25 | |
26 // #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the | |
27 // "Community Additions" comment on MSDN here: | |
28 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx | |
29 #define SystemFunction036 NTAPI SystemFunction036 | |
30 #include <NTSecAPI.h> | |
31 #undef SystemFunction036 | |
32 | |
33 #include <sddl.h> | |
25 #include <shellapi.h> | 34 #include <shellapi.h> |
26 #include <stdlib.h> | 35 #include <stdlib.h> |
27 | 36 |
28 #include "chrome/installer/mini_installer/appid.h" | 37 #include "chrome/installer/mini_installer/appid.h" |
29 #include "chrome/installer/mini_installer/configuration.h" | 38 #include "chrome/installer/mini_installer/configuration.h" |
30 #include "chrome/installer/mini_installer/decompress.h" | 39 #include "chrome/installer/mini_installer/decompress.h" |
31 #include "chrome/installer/mini_installer/exit_code.h" | 40 #include "chrome/installer/mini_installer/exit_code.h" |
32 #include "chrome/installer/mini_installer/mini_installer_constants.h" | 41 #include "chrome/installer/mini_installer/mini_installer_constants.h" |
33 #include "chrome/installer/mini_installer/mini_string.h" | 42 #include "chrome/installer/mini_installer/mini_string.h" |
34 #include "chrome/installer/mini_installer/pe_resource.h" | 43 #include "chrome/installer/mini_installer/pe_resource.h" |
(...skipping 497 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
532 // Deletes given files and working dir. | 541 // Deletes given files and working dir. |
533 void DeleteExtractedFiles(const wchar_t* base_path, | 542 void DeleteExtractedFiles(const wchar_t* base_path, |
534 const wchar_t* archive_path, | 543 const wchar_t* archive_path, |
535 const wchar_t* setup_path) { | 544 const wchar_t* setup_path) { |
536 ::DeleteFile(archive_path); | 545 ::DeleteFile(archive_path); |
537 ::DeleteFile(setup_path); | 546 ::DeleteFile(setup_path); |
538 // Delete the temp dir (if it is empty, otherwise fail). | 547 // Delete the temp dir (if it is empty, otherwise fail). |
539 ::RemoveDirectory(base_path); | 548 ::RemoveDirectory(base_path); |
540 } | 549 } |
541 | 550 |
551 // Returns true if the supplied path supports ACLs. | |
552 bool IsAclSupportedForPath(const wchar_t* path) { | |
553 PathString volume; | |
554 DWORD flags = 0; | |
555 return ::GetVolumePathName(path, volume.get(), volume.capacity()) && | |
556 ::GetVolumeInformation(volume.get(), NULL, 0, NULL, NULL, &flags, | |
557 NULL, 0) && (flags & FILE_PERSISTENT_ACLS); | |
558 } | |
559 | |
560 // Retrieves the SID of the default owner for objects created by this user | |
561 // token (accounting for different behavior under UAC elevation, etc.). | |
562 // NOTE: On success the |sid| parameter must be freed with LocalFree(). | |
563 bool GetCurrentOwnerSid(wchar_t** sid) { | |
564 HANDLE token; | |
565 if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token)) | |
566 return false; | |
567 | |
568 DWORD size = 0; | |
569 TOKEN_OWNER* owner = NULL; | |
570 bool result = false; | |
571 // We get the TokenOwner rather than the TokenUser because e.g. under UAC | |
572 // elevation we want the admin to own the directory rather than the user. | |
573 ::GetTokenInformation(token, TokenOwner, &owner, 0, &size); | |
574 if (size && GetLastError() == ERROR_INSUFFICIENT_BUFFER) { | |
575 if (owner = reinterpret_cast<TOKEN_OWNER*>(::LocalAlloc(LPTR, size))) { | |
576 if (::GetTokenInformation(token, TokenOwner, owner, size, &size)) | |
577 result = ::ConvertSidToStringSid(owner->Owner, sid); | |
578 ::LocalFree(owner); | |
579 } | |
580 } | |
581 ::CloseHandle(token); | |
582 return result; | |
583 } | |
584 | |
585 // Populates |sd| suitable for use when creating directories within |path| with | |
586 // ACLs allowing access to only the current owner, admin, and system. | |
587 // NOTE: On success the |sd| parameter must be freed with LocalFree(). | |
588 bool SetSecurityDescriptor(const wchar_t* path, PSECURITY_DESCRIPTOR* sd) { | |
589 *sd = NULL; | |
590 if (!IsAclSupportedForPath(path)) | |
591 return true; | |
592 | |
593 wchar_t* sid = NULL; | |
594 if (!GetCurrentOwnerSid(&sid)) | |
595 return false; | |
596 | |
597 // The largest SID is under 200 characters, so 300 should give enough slack. | |
598 StackString<300> sddl; | |
599 bool result = sddl.append( // Protected, auto-inherited DACL. | |
600 L"D:PAI(A;;FA;;;BA)" // Admin: Full control. | |
601 L"(A;OICI;GA;;;BA)" | |
602 L"(A;;FA;;;SY)" // System: Full control. | |
603 L"(A;OICI;GA;;;SY)" | |
604 L"(A;OICI;GA;;;CO)" // Owner: Full control. | |
grt (UTC plus 2)
2015/12/14 18:59:26
I haven't digested the nuances around "Creator own
jschuh
2015/12/15 20:58:58
Thinking about it, I'm going to keep the inheritab
| |
605 L"(A;;FA;;;") && sddl.append(sid) && sddl.append(L")"); | |
606 if (result) { | |
607 result = ::ConvertStringSecurityDescriptorToSecurityDescriptor( | |
608 sddl.get(), SDDL_REVISION_1, sd, NULL); | |
609 } | |
610 | |
611 ::LocalFree(sid); | |
612 return result; | |
613 } | |
614 | |
542 // Creates a temporary directory under |base_path| and returns the full path | 615 // Creates a temporary directory under |base_path| and returns the full path |
543 // of created directory in |work_dir|. If successful return true, otherwise | 616 // of created directory in |work_dir|. If successful return true, otherwise |
544 // false. When successful, the returned |work_dir| will always have a trailing | 617 // false. When successful, the returned |work_dir| will always have a trailing |
545 // backslash and this function requires that |base_path| always includes a | 618 // backslash and this function requires that |base_path| always includes a |
546 // trailing backslash as well. | 619 // trailing backslash as well. |
547 // We do not use GetTempFileName here to avoid running into AV software that | 620 // We do not use GetTempFileName here to avoid running into AV software that |
548 // might hold on to the temp file as soon as we create it and then we can't | 621 // might hold on to the temp file as soon as we create it and then we can't |
549 // delete it and create a directory in its place. So, we use our own mechanism | 622 // delete it and create a directory in its place. So, we use our own mechanism |
550 // for creating a directory with a hopefully-unique name. In the case of a | 623 // for creating a directory with a hopefully-unique name. In the case of a |
551 // collision, we retry a few times with a new name before failing. | 624 // collision, we retry a few times with a new name before failing. |
552 bool CreateWorkDir(const wchar_t* base_path, PathString* work_dir) { | 625 bool CreateWorkDir(const wchar_t* base_path, PathString* work_dir, |
626 ProcessExitResult* exit_code) { | |
553 if (!work_dir->assign(base_path) || !work_dir->append(kTempPrefix)) | 627 if (!work_dir->assign(base_path) || !work_dir->append(kTempPrefix)) |
554 return false; | 628 return false; |
555 | 629 |
556 // Store the location where we'll append the id. | 630 // Store the location where we'll append the id. |
557 size_t end = work_dir->length(); | 631 size_t end = work_dir->length(); |
558 | 632 |
559 // Check if we'll have enough buffer space to continue. | 633 // Check if we'll have enough buffer space to continue. |
560 // The name of the directory will use up 11 chars and then we need to append | 634 // The name of the directory will use up 11 chars and then we need to append |
561 // the trailing backslash and a terminator. We've already added the prefix | 635 // the trailing backslash and a terminator. We've already added the prefix |
562 // to the buffer, so let's just make sure we've got enough space for the rest. | 636 // to the buffer, so let's just make sure we've got enough space for the rest. |
563 if ((work_dir->capacity() - end) < (_countof("fffff.tmp") + 1)) | 637 if ((work_dir->capacity() - end) < (_countof("fffff.tmp") + 1)) |
564 return false; | 638 return false; |
565 | 639 |
566 // Generate a unique id. We only use the lowest 20 bits, so take the top | 640 // Add an ACL if supported by the filesystem. Otherwise system-level installs |
567 // 12 bits and xor them with the lower bits. | 641 // are potentially vulnerable to file squatting attacks. |
568 DWORD id = ::GetTickCount(); | 642 SECURITY_ATTRIBUTES sa = {}; |
569 id ^= (id >> 12); | 643 sa.nLength = sizeof(SECURITY_ATTRIBUTES); |
644 if (!SetSecurityDescriptor(base_path, &sa.lpSecurityDescriptor)) { | |
645 *exit_code = ProcessExitResult(UNABLE_TO_SET_DIRECTORY_ACL, | |
646 ::GetLastError()); | |
647 return false; | |
648 } | |
570 | 649 |
571 int max_attempts = 10; | 650 unsigned int id; |
572 while (max_attempts--) { | 651 ::RtlGenRandom(&id, sizeof(id)); |
652 bool result = false; | |
653 for (int max_attempts = 10; max_attempts; --max_attempts) { | |
573 // This converts 'id' to a string in the format "78563412" on windows | 654 // This converts 'id' to a string in the format "78563412" on windows |
574 // because of little endianness, but we don't care since it's just | 655 // because of little endianness, but we don't care since it's just |
575 // a name. | 656 // a name. |
576 if (!HexEncode(&id, sizeof(id), work_dir->get() + end, | 657 if (!HexEncode(&id, sizeof(id), work_dir->get() + end, |
577 work_dir->capacity() - end)) { | 658 work_dir->capacity() - end)) { |
578 return false; | 659 break; |
579 } | 660 } |
580 | 661 |
581 // We only want the first 5 digits to remain within the 8.3 file name | 662 // We only want the first 5 digits to remain within the 8.3 file name |
582 // format (compliant with previous implementation). | 663 // format (compliant with previous implementation). |
583 work_dir->truncate_at(end + 5); | 664 work_dir->truncate_at(end + 5); |
584 | 665 |
585 // for consistency with the previous implementation which relied on | 666 // for consistency with the previous implementation which relied on |
586 // GetTempFileName, we append the .tmp extension. | 667 // GetTempFileName, we append the .tmp extension. |
587 work_dir->append(L".tmp"); | 668 work_dir->append(L".tmp"); |
588 if (::CreateDirectory(work_dir->get(), NULL)) { | 669 |
670 if (::CreateDirectory(work_dir->get(), | |
671 sa.lpSecurityDescriptor ? &sa : NULL)) { | |
589 // Yay! Now let's just append the backslash and we're done. | 672 // Yay! Now let's just append the backslash and we're done. |
590 return work_dir->append(L"\\"); | 673 result = work_dir->append(L"\\"); |
674 break; | |
591 } | 675 } |
592 ++id; // Try a different name. | 676 ++id; // Try a different name. |
593 } | 677 } |
594 | 678 |
595 return false; | 679 if (sa.lpSecurityDescriptor) |
680 LocalFree(sa.lpSecurityDescriptor); | |
681 return result; | |
596 } | 682 } |
597 | 683 |
598 // Creates and returns a temporary directory in |work_dir| that can be used to | 684 // Creates and returns a temporary directory in |work_dir| that can be used to |
599 // extract mini_installer payload. |work_dir| ends with a path separator. | 685 // extract mini_installer payload. |work_dir| ends with a path separator. |
600 bool GetWorkDir(HMODULE module, PathString* work_dir) { | 686 bool GetWorkDir(HMODULE module, PathString* work_dir, |
687 ProcessExitResult* exit_code) { | |
601 PathString base_path; | 688 PathString base_path; |
602 DWORD len = ::GetTempPath(static_cast<DWORD>(base_path.capacity()), | 689 DWORD len = ::GetTempPath(static_cast<DWORD>(base_path.capacity()), |
603 base_path.get()); | 690 base_path.get()); |
604 if (!len || len >= base_path.capacity() || | 691 if (!len || len >= base_path.capacity() || |
605 !CreateWorkDir(base_path.get(), work_dir)) { | 692 !CreateWorkDir(base_path.get(), work_dir, exit_code)) { |
693 *exit_code = ProcessExitResult(UNABLE_TO_GET_WORK_DIRECTORY); | |
606 // Problem creating the work dir under TEMP path, so try using the | 694 // Problem creating the work dir under TEMP path, so try using the |
607 // current directory as the base path. | 695 // current directory as the base path. |
608 len = ::GetModuleFileName(module, base_path.get(), | 696 len = ::GetModuleFileName(module, base_path.get(), |
609 static_cast<DWORD>(base_path.capacity())); | 697 static_cast<DWORD>(base_path.capacity())); |
610 if (len >= base_path.capacity() || !len) | 698 if (len >= base_path.capacity() || !len) |
611 return false; // Can't even get current directory? Return an error. | 699 return false; // Can't even get current directory? Return an error. |
612 | 700 |
613 wchar_t* name = GetNameFromPathExt(base_path.get(), len); | 701 wchar_t* name = GetNameFromPathExt(base_path.get(), len); |
614 if (name == base_path.get()) | 702 if (name == base_path.get()) |
615 return false; // There was no directory in the string! Bail out. | 703 return false; // There was no directory in the string! Bail out. |
616 | 704 |
617 *name = L'\0'; | 705 *name = L'\0'; |
618 | 706 |
619 return CreateWorkDir(base_path.get(), work_dir); | 707 *exit_code = ProcessExitResult(SUCCESS_EXIT_CODE); |
grt (UTC plus 2)
2015/12/14 18:59:26
I don't think this is quite right since CreateWork
jschuh
2015/12/15 20:58:58
I think I checked that all code paths return corre
| |
708 return CreateWorkDir(base_path.get(), work_dir, exit_code); | |
620 } | 709 } |
621 return true; | 710 return true; |
622 } | 711 } |
623 | 712 |
624 // Returns true for ".." and "." directories. | 713 // Returns true for ".." and "." directories. |
625 bool IsCurrentOrParentDirectory(const wchar_t* dir) { | 714 bool IsCurrentOrParentDirectory(const wchar_t* dir) { |
626 return dir && | 715 return dir && |
627 dir[0] == L'.' && | 716 dir[0] == L'.' && |
628 (dir[1] == L'\0' || (dir[1] == L'.' && dir[2] == L'\0')); | 717 (dir[1] == L'\0' || (dir[1] == L'.' && dir[2] == L'\0')); |
629 } | 718 } |
(...skipping 144 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
774 if (!configuration.Initialize(module)) | 863 if (!configuration.Initialize(module)) |
775 return ProcessExitResult(GENERIC_INITIALIZATION_FAILURE); | 864 return ProcessExitResult(GENERIC_INITIALIZATION_FAILURE); |
776 | 865 |
777 // If the --cleanup switch was specified on the command line, then that means | 866 // If the --cleanup switch was specified on the command line, then that means |
778 // we should only do the cleanup and then exit. | 867 // we should only do the cleanup and then exit. |
779 if (ProcessNonInstallOperations(configuration, &exit_code)) | 868 if (ProcessNonInstallOperations(configuration, &exit_code)) |
780 return exit_code; | 869 return exit_code; |
781 | 870 |
782 // First get a path where we can extract payload | 871 // First get a path where we can extract payload |
783 PathString base_path; | 872 PathString base_path; |
784 if (!GetWorkDir(module, &base_path)) | 873 if (!GetWorkDir(module, &base_path, &exit_code)) |
785 return ProcessExitResult(UNABLE_TO_GET_WORK_DIRECTORY); | 874 return exit_code; |
786 | 875 |
787 #if defined(GOOGLE_CHROME_BUILD) | 876 #if defined(GOOGLE_CHROME_BUILD) |
788 // Set the magic suffix in registry to try full installer next time. We ignore | 877 // Set the magic suffix in registry to try full installer next time. We ignore |
789 // any errors here and we try to set the suffix for user level unless | 878 // any errors here and we try to set the suffix for user level unless |
790 // --system-level is on the command line in which case we set it for system | 879 // --system-level is on the command line in which case we set it for system |
791 // level instead. This only applies to the Google Chrome distribution. | 880 // level instead. This only applies to the Google Chrome distribution. |
792 SetInstallerFlags(configuration); | 881 SetInstallerFlags(configuration); |
793 #endif | 882 #endif |
794 | 883 |
795 PathString archive_path; | 884 PathString archive_path; |
(...skipping 38 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
834 #pragma function(memset) | 923 #pragma function(memset) |
835 void* memset(void* dest, int c, size_t count) { | 924 void* memset(void* dest, int c, size_t count) { |
836 void* start = dest; | 925 void* start = dest; |
837 while (count--) { | 926 while (count--) { |
838 *reinterpret_cast<char*>(dest) = static_cast<char>(c); | 927 *reinterpret_cast<char*>(dest) = static_cast<char>(c); |
839 dest = reinterpret_cast<char*>(dest) + 1; | 928 dest = reinterpret_cast<char*>(dest) + 1; |
840 } | 929 } |
841 return start; | 930 return start; |
842 } | 931 } |
843 } // extern "C" | 932 } // extern "C" |
OLD | NEW |