OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // mini_installer.exe is the first exe that is run when chrome is being | 5 // mini_installer.exe is the first exe that is run when chrome is being |
6 // installed or upgraded. It is designed to be extremely small (~5KB with no | 6 // installed or upgraded. It is designed to be extremely small (~5KB with no |
7 // extra resources linked) and it has two main jobs: | 7 // extra resources linked) and it has two main jobs: |
8 // 1) unpack the resources (possibly decompressing some) | 8 // 1) unpack the resources (possibly decompressing some) |
9 // 2) run the real installer (setup.exe) with appropriate flags. | 9 // 2) run the real installer (setup.exe) with appropriate flags. |
10 // | 10 // |
11 // In order to be really small the app doesn't link against the CRT and | 11 // In order to be really small the app doesn't link against the CRT and |
12 // defines the following compiler/linker flags: | 12 // defines the following compiler/linker flags: |
13 // EnableIntrinsicFunctions="true" compiler: /Oi | 13 // EnableIntrinsicFunctions="true" compiler: /Oi |
14 // BasicRuntimeChecks="0" | 14 // BasicRuntimeChecks="0" |
15 // BufferSecurityCheck="false" compiler: /GS- | 15 // BufferSecurityCheck="false" compiler: /GS- |
16 // EntryPointSymbol="MainEntryPoint" linker: /ENTRY | 16 // EntryPointSymbol="MainEntryPoint" linker: /ENTRY |
17 // IgnoreAllDefaultLibraries="true" linker: /NODEFAULTLIB | 17 // IgnoreAllDefaultLibraries="true" linker: /NODEFAULTLIB |
18 // OptimizeForWindows98="1" liker: /OPT:NOWIN98 | 18 // OptimizeForWindows98="1" liker: /OPT:NOWIN98 |
19 // linker: /SAFESEH:NO | 19 // linker: /SAFESEH:NO |
20 | 20 |
21 // have the linker merge the sections, saving us ~500 bytes. | 21 // have the linker merge the sections, saving us ~500 bytes. |
22 #pragma comment(linker, "/MERGE:.rdata=.text") | 22 #pragma comment(linker, "/MERGE:.rdata=.text") |
23 | 23 |
24 #include <windows.h> | 24 #include <windows.h> |
25 | |
26 // #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the | |
27 // "Community Additions" comment on MSDN here: | |
28 // http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx | |
29 #define SystemFunction036 NTAPI SystemFunction036 | |
30 #include <NTSecAPI.h> | |
31 #undef SystemFunction036 | |
32 | |
33 #include <sddl.h> | |
25 #include <shellapi.h> | 34 #include <shellapi.h> |
26 #include <stdlib.h> | 35 #include <stdlib.h> |
27 | 36 |
28 #include "chrome/installer/mini_installer/appid.h" | 37 #include "chrome/installer/mini_installer/appid.h" |
29 #include "chrome/installer/mini_installer/configuration.h" | 38 #include "chrome/installer/mini_installer/configuration.h" |
30 #include "chrome/installer/mini_installer/decompress.h" | 39 #include "chrome/installer/mini_installer/decompress.h" |
31 #include "chrome/installer/mini_installer/exit_code.h" | 40 #include "chrome/installer/mini_installer/exit_code.h" |
32 #include "chrome/installer/mini_installer/mini_installer_constants.h" | 41 #include "chrome/installer/mini_installer/mini_installer_constants.h" |
33 #include "chrome/installer/mini_installer/mini_string.h" | 42 #include "chrome/installer/mini_installer/mini_string.h" |
34 #include "chrome/installer/mini_installer/pe_resource.h" | 43 #include "chrome/installer/mini_installer/pe_resource.h" |
(...skipping 497 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
532 // Deletes given files and working dir. | 541 // Deletes given files and working dir. |
533 void DeleteExtractedFiles(const wchar_t* base_path, | 542 void DeleteExtractedFiles(const wchar_t* base_path, |
534 const wchar_t* archive_path, | 543 const wchar_t* archive_path, |
535 const wchar_t* setup_path) { | 544 const wchar_t* setup_path) { |
536 ::DeleteFile(archive_path); | 545 ::DeleteFile(archive_path); |
537 ::DeleteFile(setup_path); | 546 ::DeleteFile(setup_path); |
538 // Delete the temp dir (if it is empty, otherwise fail). | 547 // Delete the temp dir (if it is empty, otherwise fail). |
539 ::RemoveDirectory(base_path); | 548 ::RemoveDirectory(base_path); |
540 } | 549 } |
541 | 550 |
551 // Returns true if they supplied path supports ACLs. | |
552 bool IsAclSupportedForPath(const wchar_t* path) { | |
553 PathString volume; | |
554 DWORD flags = 0; | |
555 return ::GetVolumePathName(path, volume.get(), volume.capacity()) && | |
556 ::GetVolumeInformation(volume.get(), NULL, 0, NULL, NULL, &flags, | |
557 NULL, 0) || | |
558 (flags & FILE_PERSISTENT_ACLS); | |
559 } | |
560 | |
561 // Retrieves the SID of the current user. If successful, the sid parameter must | |
562 // be freed with ::LocalFree | |
563 bool GetCurrentUserSid(wchar_t** sid) { | |
564 HANDLE token; | |
565 if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token)) | |
566 return false; | |
567 | |
568 DWORD size = 0; | |
569 TOKEN_USER* user = NULL; | |
570 bool result = false; | |
571 ::GetTokenInformation(token, TokenUser, &user, 0, &size); | |
forshaw
2015/12/05 10:26:31
Technically speaking there's a distinction between
jschuh
2015/12/05 18:37:38
This is why I said from the beginning that I *hate
jschuh
2015/12/05 18:49:14
Just to clarify -- since I've mucked this up a few
grt (UTC plus 2)
2015/12/07 14:56:22
I'm far from an expert at the NT security model. B
jschuh
2015/12/11 04:07:24
Yup, we should be good on all cases now. The redun
| |
572 if (size && GetLastError() == ERROR_INSUFFICIENT_BUFFER) { | |
573 if (user = reinterpret_cast<TOKEN_USER*>(::LocalAlloc(LPTR, size))) { | |
574 if (GetTokenInformation(token, TokenUser, user, size, &size)) | |
575 result = ::ConvertSidToStringSid(user->User.Sid, sid); | |
576 ::LocalFree(user); | |
577 } | |
578 } | |
579 ::CloseHandle(token); | |
580 return result; | |
581 } | |
582 | |
583 // Sets an ACL allowing only the current user, admin, and system. | |
584 bool SetSecurityDescriptor(PSECURITY_DESCRIPTOR* sd, const wchar_t* path) { | |
585 *sd = NULL; | |
586 if (!IsAclSupportedForPath(path)) | |
587 return true; | |
588 | |
589 wchar_t* sid = NULL; | |
590 if (!GetCurrentUserSid(&sid)) | |
591 return false; | |
592 | |
593 // The largest SID is under 200 characters, so 300 should give enough slack. | |
594 StackString<300> sddl; | |
595 bool result = sddl.append( | |
596 L"D:PAI(A;ID;FA;;;BA)" // Admin: Full control. | |
597 L"(A;OICIIOID;GA;;;BA)" | |
598 L"(A;ID;FA;;;SY)" // System: Full control. | |
599 L"(A;OICIIOID;GA;;;SY)" | |
600 L"(A;OICIIOID;GA;;;CO)" // Owner: Full control. | |
601 L"(A;ID;FA;;;") && | |
602 sddl.append(sid) && sddl.append(L")"); | |
603 | |
604 if (result) { | |
605 result = ::ConvertStringSecurityDescriptorToSecurityDescriptor( | |
606 sddl.get(), SDDL_REVISION_1, sd, NULL); | |
607 } | |
608 | |
609 ::LocalFree(sid); | |
610 return result; | |
611 } | |
612 | |
542 // Creates a temporary directory under |base_path| and returns the full path | 613 // Creates a temporary directory under |base_path| and returns the full path |
543 // of created directory in |work_dir|. If successful return true, otherwise | 614 // of created directory in |work_dir|. If successful return true, otherwise |
544 // false. When successful, the returned |work_dir| will always have a trailing | 615 // false. When successful, the returned |work_dir| will always have a trailing |
545 // backslash and this function requires that |base_path| always includes a | 616 // backslash and this function requires that |base_path| always includes a |
546 // trailing backslash as well. | 617 // trailing backslash as well. |
547 // We do not use GetTempFileName here to avoid running into AV software that | 618 // We do not use GetTempFileName here to avoid running into AV software that |
548 // might hold on to the temp file as soon as we create it and then we can't | 619 // might hold on to the temp file as soon as we create it and then we can't |
549 // delete it and create a directory in its place. So, we use our own mechanism | 620 // delete it and create a directory in its place. So, we use our own mechanism |
550 // for creating a directory with a hopefully-unique name. In the case of a | 621 // for creating a directory with a hopefully-unique name. In the case of a |
551 // collision, we retry a few times with a new name before failing. | 622 // collision, we retry a few times with a new name before failing. |
552 bool CreateWorkDir(const wchar_t* base_path, PathString* work_dir) { | 623 bool CreateWorkDir(const wchar_t* base_path, PathString* work_dir) { |
553 if (!work_dir->assign(base_path) || !work_dir->append(kTempPrefix)) | 624 if (!work_dir->assign(base_path) || !work_dir->append(kTempPrefix)) |
554 return false; | 625 return false; |
555 | 626 |
556 // Store the location where we'll append the id. | 627 // Store the location where we'll append the id. |
557 size_t end = work_dir->length(); | 628 size_t end = work_dir->length(); |
558 | 629 |
559 // Check if we'll have enough buffer space to continue. | 630 // Check if we'll have enough buffer space to continue. |
560 // The name of the directory will use up 11 chars and then we need to append | 631 // The name of the directory will use up 11 chars and then we need to append |
561 // the trailing backslash and a terminator. We've already added the prefix | 632 // the trailing backslash and a terminator. We've already added the prefix |
562 // to the buffer, so let's just make sure we've got enough space for the rest. | 633 // to the buffer, so let's just make sure we've got enough space for the rest. |
563 if ((work_dir->capacity() - end) < (_countof("fffff.tmp") + 1)) | 634 if ((work_dir->capacity() - end) < (_countof("fffff.tmp") + 1)) |
564 return false; | 635 return false; |
565 | 636 |
566 // Generate a unique id. We only use the lowest 20 bits, so take the top | 637 // Add an ACL if supported by the filesystem. Otherwise system-level installs |
567 // 12 bits and xor them with the lower bits. | 638 // are potentially vulnerable to file squatting attacks. |
568 DWORD id = ::GetTickCount(); | 639 SECURITY_ATTRIBUTES sa = {}; |
569 id ^= (id >> 12); | 640 sa.nLength = sizeof(SECURITY_ATTRIBUTES); |
641 if (!SetSecurityDescriptor(&sa.lpSecurityDescriptor, base_path)) | |
642 return false; | |
jschuh
2015/12/05 01:04:39
@grt - I can make this continue on failure if you
grt (UTC plus 2)
2015/12/07 14:56:22
i'm okay with this as-is, but please rejigger so t
jschuh
2015/12/11 04:07:24
Done.
| |
570 | 643 |
571 int max_attempts = 10; | 644 unsigned int id; |
572 while (max_attempts--) { | 645 RtlGenRandom(&id, sizeof(id)); |
646 bool result = false; | |
647 for (int max_attempts = 10; max_attempts; --max_attempts) { | |
573 // This converts 'id' to a string in the format "78563412" on windows | 648 // This converts 'id' to a string in the format "78563412" on windows |
574 // because of little endianness, but we don't care since it's just | 649 // because of little endianness, but we don't care since it's just |
575 // a name. | 650 // a name. |
576 if (!HexEncode(&id, sizeof(id), work_dir->get() + end, | 651 if (!HexEncode(&id, sizeof(id), work_dir->get() + end, |
577 work_dir->capacity() - end)) { | 652 work_dir->capacity() - end)) { |
578 return false; | 653 break; |
579 } | 654 } |
580 | 655 |
581 // We only want the first 5 digits to remain within the 8.3 file name | 656 // We only want the first 5 digits to remain within the 8.3 file name |
582 // format (compliant with previous implementation). | 657 // format (compliant with previous implementation). |
583 work_dir->truncate_at(end + 5); | 658 work_dir->truncate_at(end + 5); |
584 | 659 |
585 // for consistency with the previous implementation which relied on | 660 // for consistency with the previous implementation which relied on |
586 // GetTempFileName, we append the .tmp extension. | 661 // GetTempFileName, we append the .tmp extension. |
587 work_dir->append(L".tmp"); | 662 work_dir->append(L".tmp"); |
588 if (::CreateDirectory(work_dir->get(), NULL)) { | 663 |
664 if (::CreateDirectory(work_dir->get(), | |
665 sa.lpSecurityDescriptor ? &sa : NULL)) { | |
589 // Yay! Now let's just append the backslash and we're done. | 666 // Yay! Now let's just append the backslash and we're done. |
590 return work_dir->append(L"\\"); | 667 result = work_dir->append(L"\\"); |
668 break; | |
591 } | 669 } |
592 ++id; // Try a different name. | 670 ++id; // Try a different name. |
593 } | 671 } |
594 | 672 |
595 return false; | 673 if (sa.lpSecurityDescriptor) |
674 LocalFree(sa.lpSecurityDescriptor); | |
675 return result; | |
596 } | 676 } |
597 | 677 |
598 // Creates and returns a temporary directory in |work_dir| that can be used to | 678 // Creates and returns a temporary directory in |work_dir| that can be used to |
599 // extract mini_installer payload. |work_dir| ends with a path separator. | 679 // extract mini_installer payload. |work_dir| ends with a path separator. |
600 bool GetWorkDir(HMODULE module, PathString* work_dir) { | 680 bool GetWorkDir(HMODULE module, PathString* work_dir) { |
601 PathString base_path; | 681 PathString base_path; |
602 DWORD len = ::GetTempPath(static_cast<DWORD>(base_path.capacity()), | 682 DWORD len = ::GetTempPath(static_cast<DWORD>(base_path.capacity()), |
603 base_path.get()); | 683 base_path.get()); |
604 if (!len || len >= base_path.capacity() || | 684 if (!len || len >= base_path.capacity() || |
605 !CreateWorkDir(base_path.get(), work_dir)) { | 685 !CreateWorkDir(base_path.get(), work_dir)) { |
(...skipping 228 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
834 #pragma function(memset) | 914 #pragma function(memset) |
835 void* memset(void* dest, int c, size_t count) { | 915 void* memset(void* dest, int c, size_t count) { |
836 void* start = dest; | 916 void* start = dest; |
837 while (count--) { | 917 while (count--) { |
838 *reinterpret_cast<char*>(dest) = static_cast<char>(c); | 918 *reinterpret_cast<char*>(dest) = static_cast<char>(c); |
839 dest = reinterpret_cast<char*>(dest) + 1; | 919 dest = reinterpret_cast<char*>(dest) + 1; |
840 } | 920 } |
841 return start; | 921 return start; |
842 } | 922 } |
843 } // extern "C" | 923 } // extern "C" |
OLD | NEW |