Description
This further restricts the default installation location by removing all permissions and permission inheritance, then explicitly granting Administrators/LocalSystem Full control and Users Read and Execute.
In prior installations we ensured Modify access for the installing user, but that has been removed for security reasons. Should you need the previous behavior, set $env:ChocolateyInstallAllowCurrentUser="true".
- If the install location is non-default, skip changing security entirely, with a warning that the user should do that themselves
- If attempting to install to the default location without an administrative token, throw an error
- Remove inheritance without copying the existing inherited permissions
- Remove all existing explicit permissions
- Explicitly set permissions to Administrators/SYSTEM Full "(OI)(CI)(F)", Users Read/Execute "(OI)(CI)(RX)"
- Replace the ACL owner with Administrators
- Do not grant the installing user Modify without an explicit environment variable: $env:ChocolateyInstallAllowCurrentUser="true"
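The steps above, written out as an added example in PowerShell against the .NET ACL APIs; this is not Chocolatey's installer code. It assumes $InstallDir is the folder to protect and that the script runs elevated when the default location is used.

```powershell
# Added example (not Chocolatey's own code): apply the lockdown described above.
$InstallDir        = "$env:ProgramData\chocolatey"   # assumed path to protect
$defaultInstallDir = Join-Path $env:ProgramData 'chocolatey'

# Non-default location: leave its security alone and warn the user.
if ($InstallDir.TrimEnd('\') -ne $defaultInstallDir) {
    Write-Warning "Non-default install location '$InstallDir'; permissions were not changed. Review them yourself."
    return
}

# Default location requires an administrative token.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Installing to '$InstallDir' requires an administrative token."
}

$acl = Get-Acl -Path $InstallDir

# Remove inheritance without copying inherited entries, then drop every explicit entry.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# (OI)(CI): apply to subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# Well-known SIDs, so the rules do not depend on localized group names.
$admins = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
$system = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)
$users  = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinUsersSid, $null)

# Administrators/SYSTEM: Full (F). Users: Read/Execute (RX).
foreach ($sid in $admins, $system) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($sid, 'FullControl', $inherit, $propagate, $allow)))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($users, 'ReadAndExecute', $inherit, $propagate, $allow)))

# Installing user gets Modify only when explicitly opted in.
if ($env:ChocolateyInstallAllowCurrentUser -eq 'true') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($identity.User, 'Modify', $inherit, $propagate, $allow)))
}

# Replace the owner with Administrators and write the ACL back.
$acl.SetOwner($admins)
Set-Acl -Path $InstallDir -AclObject $acl
```

Afterwards, `icacls $InstallDir` should list only the Administrators, SYSTEM and Users entries (plus the current user if the opt-in variable was set), with no "(I)" inherited flags.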
I owe @jberezanski a debt of gratitude for his tireless work in providing code, examples and testing all the scenarios to find security holes.
Details
A non-admin can write to the ProgramData folder, but they cannot modify or append to existing files. They are also not able to delete existing files they did not put there (and possibly not even those files).
Lock down the default folder even more, so that by default non-admins cannot even write to the folder.