Fix file permissions on windows (#1758)

* [service] Set file permissions on windows * [service] Fix minor windows permission bugs * [service] Fix permission bugs * [service] Fix windows non admin user start
2024-11-26 17:00:01 +02:00
parent ca88c6d8ad
commit 943b9b7859
9 changed files with 52 additions and 13 deletions
--- a/base/database/storage/fstree/fstree.go
+++ b/base/database/storage/fstree/fstree.go
@@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"

+	"github.com/hectane/go-acl"
 	"github.com/safing/portmaster/base/database/iterator"
 	"github.com/safing/portmaster/base/database/query"
 	"github.com/safing/portmaster/base/database/record"
@@ -288,10 +289,13 @@ func writeFile(filename string, data []byte, perm os.FileMode) error {
 	defer t.Cleanup() //nolint:errcheck

 	// Set permissions before writing data, in case the data is sensitive.
-	if !onWindows {
-		if err := t.Chmod(perm); err != nil {
-			return err
-		}
+	if onWindows {
+		err = acl.Chmod(filename, perm)
+	} else {
+		err = t.Chmod(perm)
+	}
+	if err != nil {
+		return err
 	}

 	if _, err := t.Write(data); err != nil {
--- a/base/updater/fetch.go
+++ b/base/updater/fetch.go
@@ -14,6 +14,7 @@ import (
 	"path/filepath"
 	"time"

+	"github.com/hectane/go-acl"
 	"github.com/safing/jess/filesig"
 	"github.com/safing/jess/lhash"
 	"github.com/safing/portmaster/base/log"
@@ -136,7 +137,12 @@ func (reg *ResourceRegistry) fetchFile(ctx context.Context, client *http.Client,
 		return fmt.Errorf("%s: failed to finalize file %s: %w", reg.Name, rv.storagePath(), err)
 	}
 	// set permissions
-	if !onWindows {
+	if onWindows {
+		err = acl.Chmod(rv.storagePath(), 0o0755)
+		if err != nil {
+			log.Warningf("%s: failed to set permissions on downloaded file %s: %s", reg.Name, rv.storagePath(), err)
+		}
+	} else {
 		// TODO: only set executable files to 0755, set other to 0644
 		err = os.Chmod(rv.storagePath(), 0o0755) //nolint:gosec // See TODO above.
 		if err != nil {
--- a/base/utils/fs.go
+++ b/base/utils/fs.go
@@ -6,6 +6,8 @@ import (
 	"io/fs"
 	"os"
 	"runtime"
+
+	"github.com/hectane/go-acl"
 )

 const isWindows = runtime.GOOS == "windows"
@@ -20,8 +22,9 @@ func EnsureDirectory(path string, perm os.FileMode) error {
 		if f.IsDir() {
 			// directory exists, check permissions
 			if isWindows {
-				// TODO: set correct permission on windows
-				// acl.Chmod(path, perm)
+				// Ignore windows permission error. For none admin users it will always fail.
+				acl.Chmod(path, perm)
+				return nil
 			} else if f.Mode().Perm() != perm {
 				return os.Chmod(path, perm)
 			}
@@ -38,7 +41,13 @@ func EnsureDirectory(path string, perm os.FileMode) error {
 		if err != nil {
 			return fmt.Errorf("could not create dir %s: %w", path, err)
 		}
-		return os.Chmod(path, perm)
+		if isWindows {
+			// Ignore windows permission error. For none admin users it will always fail.
+			acl.Chmod(path, perm)
+			return nil
+		} else {
+			return os.Chmod(path, perm)
+		}
 	}
 	// other error opening path
 	return fmt.Errorf("failed to access %s: %w", path, err)
--- a/base/utils/renameio/writefile.go
+++ b/base/utils/renameio/writefile.go
@@ -1,6 +1,11 @@
 package renameio

-import "os"
+import (
+	"os"
+	"runtime"
+
+	"github.com/hectane/go-acl"
+)

 // WriteFile mirrors os.WriteFile, replacing an existing file with the same
 // name atomically.
@@ -14,7 +19,12 @@ func WriteFile(filename string, data []byte, perm os.FileMode) error {
 	}()

 	// Set permissions before writing data, in case the data is sensitive.
-	if err := t.Chmod(perm); err != nil {
+	if runtime.GOOS == "windows" {
+		err = acl.Chmod(t.path, perm)
+	} else {
+		err = t.Chmod(perm)
+	}
+	if err != nil {
 		return err
 	}