Registry permission setting

artifacts/ncdns.conf

@@ -1,112 +1,112 @@
-
-### ncdns will look for its configuration file in the following directories.
-### The first configuration file found is used and all others are ignored.
-###
-### /etc/ncdns/ncdns.conf                       ) Non-Windows only
-### /etc/ncdns.conf                             )
-### (executable path)/ncdns.conf
-### (executable path)/../etc/ncdns/ncdns.conf
-### (executable path)/../etc/ncdns.conf
-###
-### You may explicitly specify a path to the configuration file on the
-### command line by passing '-conf=PATH'.
-
-[ncdns]
-### This is a TOML configuration file. Values must be in quotes where shown.
-
-
-### Basic Settings (Required)
-### -------------------------
-
-### The interface to bind to. Defaults to ":53", which causes ncdns to attempt to
-### bind to all interfaces on port 53. Unless you are running ncdns as root you
-### will probably find that this fails. On Linux, you can run the following
-### command on the ncdns binary to authorize it to bind to ports under 1024.
-###
-###   sudo setcap 'cap_net_bind_service=+ep' ./ncdns
-###
-### On BSD, there are sysctls to disable the low port restrictions.
-###
-### IMPORTANT NOTE: For Go versions 1.5.0 and 1.5.1 (but not 1.4.x or earlier
-### or 1.5.2 when released, or any later version, or HEAD) there is a bug which
-### means ncdns cannot listen on privileged ports on Linux systems. This bug
-### manifests as ncdns hanging once executed without ever beginning to serve
-### requests. This bug will manifest whenever ncdns is executed as root or with
-### a non-empty capability set, so it precludes use of setcap to bind to privileged
-### ports just as it precludes the use of conventional privilege dropping.
-###
-#bind="127.0.0.1:53"
-bind="127.0.0.1:5391"
-
-### namecoind access (Required)
-### ---------------------------
-### You must configure the RPC address, username and password ## of a trusted
-### (i.e. local) namecoind instance.
-
-### The address, in "hostname:port" format, of the Namecoin JSON-RPC interface.
-#namecoinrpcaddress="127.0.0.1:8336"
-
-### The username with which to connect to the Namecoin JSON-RPC interface.
-#namecoinrpcusername="user"
-
-### The password with which to connect to the Namecoin JSON-RPC interface.
-#namecoinrpcpassword="password"
-
-### ncdns caches values retrieved from Namecoin. This value limits the number of
-### items ncdns may store in its cache. The default value is 100.
-#cachemaxentries=150
-
-
-### Nameserver Identity (Optional)
-### ------------------------------
-
-### ncdns needs to be able to state the hostname and IP address at which the
-### nameserver lies. If you are only using ncdns locally you can avoid configuring
-### these.
-###
-### If SelfName is specified, ncdns lists the name specified as an NS record at
-### the zone apex:
-###
-###   bit. IN NS ns1.example.com.
-###
-### This requires that you be able to assign the ncdns instance a hostname.
-###
-### If SelfName is left blank (the default), ncdns will generate an internal
-### psuedo-hostname under the zone, which will resolve to the value of SelfIP.
-###
-### The default value of SelfIP is the bogus IP of "127.127.127.127", which will
-### work acceptably in some cases (e.g. with Unbound).
-#selfname="ns1.example.com."
-#selfip="192.0.2.1"
-
-
-### DNSSEC (Optional)
-### -----------------
-### The following options concern DNSSEC and are optional.
-### Leaving them all blank will disable DNSSEC.
-
-### Path to the file containing the KSK public key.
-#publickey="etc/Kbit.+008+12345.key"
-
-### Path to the file containing the KSK private key.
-#privatekey="etc/Kbit.+008+12345.private"
-
-### Path to the file containing the ZSK public key.
-#zonepublickey="etc/Kbit.+008+12345.key"
-
-### Path to the file containing the ZSK private key.
-#zoneprivatekey="etc/Kbit.+008+12345.private"
-
-
-### HTTP server (Optional)
-### ----------------------
-### Use of the HTTP server is optional.
-
-### Set this to enable the HTTP server. If you leave this blank, the HTTP
-### server will not be enabled.
-#httplistenaddr=":8202"
-
-### The template directory is usually detected automatically. If it cannot be found
-### automatically, you must set the full path to it here manually. Paths will be
-### interpreted relative to the configuration file.
-#tplpath="../tpl"
+
+### ncdns will look for its configuration file in the following directories.
+### The first configuration file found is used and all others are ignored.
+###
+### /etc/ncdns/ncdns.conf                       ) Non-Windows only
+### /etc/ncdns.conf                             )
+### (executable path)/ncdns.conf
+### (executable path)/../etc/ncdns/ncdns.conf
+### (executable path)/../etc/ncdns.conf
+###
+### You may explicitly specify a path to the configuration file on the
+### command line by passing '-conf=PATH'.
+
+[ncdns]
+### This is a TOML configuration file. Values must be in quotes where shown.
+
+
+### Basic Settings (Required)
+### -------------------------
+
+### The interface to bind to. Defaults to ":53", which causes ncdns to attempt to
+### bind to all interfaces on port 53. Unless you are running ncdns as root you
+### will probably find that this fails. On Linux, you can run the following
+### command on the ncdns binary to authorize it to bind to ports under 1024.
+###
+###   sudo setcap 'cap_net_bind_service=+ep' ./ncdns
+###
+### On BSD, there are sysctls to disable the low port restrictions.
+###
+### IMPORTANT NOTE: For Go versions 1.5.0 and 1.5.1 (but not 1.4.x or earlier
+### or 1.5.2 when released, or any later version, or HEAD) there is a bug which
+### means ncdns cannot listen on privileged ports on Linux systems. This bug
+### manifests as ncdns hanging once executed without ever beginning to serve
+### requests. This bug will manifest whenever ncdns is executed as root or with
+### a non-empty capability set, so it precludes use of setcap to bind to privileged
+### ports just as it precludes the use of conventional privilege dropping.
+###
+#bind="127.0.0.1:53"
+bind="127.0.0.1:5391"
+
+### namecoind access (Required)
+### ---------------------------
+### You must configure the RPC address, username and password ## of a trusted
+### (i.e. local) namecoind instance.
+
+### The address, in "hostname:port" format, of the Namecoin JSON-RPC interface.
+#namecoinrpcaddress="127.0.0.1:8336"
+
+### The username with which to connect to the Namecoin JSON-RPC interface.
+#namecoinrpcusername="user"
+
+### The password with which to connect to the Namecoin JSON-RPC interface.
+#namecoinrpcpassword="password"
+
+### ncdns caches values retrieved from Namecoin. This value limits the number of
+### items ncdns may store in its cache. The default value is 100.
+#cachemaxentries=150
+
+
+### Nameserver Identity (Optional)
+### ------------------------------
+
+### ncdns needs to be able to state the hostname and IP address at which the
+### nameserver lies. If you are only using ncdns locally you can avoid configuring
+### these.
+###
+### If SelfName is specified, ncdns lists the name specified as an NS record at
+### the zone apex:
+###
+###   bit. IN NS ns1.example.com.
+###
+### This requires that you be able to assign the ncdns instance a hostname.
+###
+### If SelfName is left blank (the default), ncdns will generate an internal
+### psuedo-hostname under the zone, which will resolve to the value of SelfIP.
+###
+### The default value of SelfIP is the bogus IP of "127.127.127.127", which will
+### work acceptably in some cases (e.g. with Unbound).
+#selfname="ns1.example.com."
+#selfip="192.0.2.1"
+
+
+### DNSSEC (Optional)
+### -----------------
+### The following options concern DNSSEC and are optional.
+### Leaving them all blank will disable DNSSEC.
+
+### Path to the file containing the KSK public key.
+#publickey="etc/Kbit.+008+12345.key"
+
+### Path to the file containing the KSK private key.
+#privatekey="etc/Kbit.+008+12345.private"
+
+### Path to the file containing the ZSK public key.
+#zonepublickey="etc/Kbit.+008+12345.key"
+
+### Path to the file containing the ZSK private key.
+#zoneprivatekey="etc/Kbit.+008+12345.private"
+
+
+### HTTP server (Optional)
+### ----------------------
+### Use of the HTTP server is optional.
+
+### Set this to enable the HTTP server. If you leave this blank, the HTTP
+### server will not be enabled.
+#httplistenaddr=":8202"
+
+### The template directory is usually detected automatically. If it cannot be found
+### automatically, you must set the full path to it here manually. Paths will be
+### interpreted relative to the configuration file.
+#tplpath="../tpl"

ncdns.nsi

@@ -90,10 +90,13 @@ Section "ncdns" Sec_ncdns
   #SectionIn RO
 
   SetOutPath $INSTDIR
+  InitPluginsDir
   Call ReinstallCheck
   Call Reg
   Call Service
   Call Files
+  Call TrustConfig
+  Call FilesSecure
   Call ServiceStart
   Call UnboundConfig
 
@@ -105,6 +108,7 @@ SectionEnd
 ##############################################################################
 Section "Uninstall"
   Call un.UnboundConfig
+  Call un.TrustConfig
   Call un.Service
   Call un.Files
   Call un.Reg
@@ -145,7 +149,9 @@ Function Files
   File /oname=$INSTDIR\namecoin.ico media\namecoin.ico
   File /oname=$INSTDIR\bin\ncdns.exe artifacts\ncdns.exe
   File /oname=$INSTDIR\etc\ncdns.conf artifacts\ncdns.conf
+FunctionEnd
 
+Function FilesSecure
   # Ensure only ncdns service and administrators can read ncdns.conf.
   nsExec::ExecToLog 'icacls "$INSTDIR\etc" /inheritance:r /T /grant "NT SERVICE\ncdns:(OI)(CI)R" "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"'
   nsExec::ExecToLog 'icacls "$INSTDIR\etc\ncdns.conf" /reset'
@@ -215,14 +221,17 @@ found:
   File /oname=$UnboundConfPath\rebuild-confd-list.cmd rebuild-confd-list.cmd
   nsExec::ExecToLog '"$UnboundConfPath\rebuild-confd-list.cmd"'
 
-  File /oname=$TEMP\configunbound.ps1 configunbound.ps1
-  FileOpen $4 "$TEMP\configunbound.cmd" w
-  FileWrite $4 'powershell -executionpolicy bypass -noninteractive -file "$TEMP\configunbound.ps1" '
+  File /oname=$PLUGINSDIR\configunbound.ps1 configunbound.ps1
+  # We execute the script via a dynamically written batch file because Windows
+  # command line escaping is very strange and has been behaving strangely if
+  # done directly from NSIS. This behaves consistently.
+  FileOpen $4 "$PLUGINSDIR\configunbound.cmd" w
+  FileWrite $4 'powershell -executionpolicy bypass -noninteractive -file "$PLUGINSDIR\configunbound.ps1" '
   FileWrite $4 '"$UnboundConfPath\unbound.conf" "$UnboundConfPath\confd-list.conf" < nul'
   FileClose $4
-  nsExec::ExecToLog '$TEMP\configunbound.cmd'
-  Delete $TEMP\configunbound.ps1
-  Delete $TEMP\configunbound.cmd
+  nsExec::ExecToLog '$PLUGINSDIR\configunbound.cmd'
+  Delete $PLUGINSDIR\configunbound.ps1
+  Delete $PLUGINSDIR\configunbound.cmd
 
   # Add a config fragment in the newly configured directory.
   WriteRegStr HKLM "Software\Namecoin\ncdns" "UnboundFragmentLocation" "$UnboundConfPath\unbound.conf.d"
@@ -254,6 +263,69 @@ Function un.UnboundConfig
 not_found:
 FunctionEnd
 
+
+# REGISTRY PERMISSION CONFIGURATION FOR NCDNS TRUST INJECTION
+##############################################################################
+Function TrustConfig
+  IfFileExists "$LOCALAPPDATA\Google\Chrome\User Data" found 0
+  IfFileExists "$LOCALAPPDATA\Chromium\User Data" found 0
+  Return
+
+found:
+  MessageBox MB_ICONQUESTION|MB_YESNO "You currently have Chromium or Google Chrome installed.  ncdns can enable HTTPS for Namecoin websites in Chromium/Chrome.  This will protect your communications with Namecoin-enabled websites from being easily wiretapped or tampered with in transit.  Doing this requires giving ncdns permission to modify Windows's root certificate authority list.  ncdns will not intentionally add any certificate authorities to Windows, but if an attacker were able to exploit ncdns, they might be able to wiretap or tamper with your Internet traffic (both Namecoin and non-Namecoin websites).  If you plan to access Namecoin-enabled websites on this computer from any web browser other than Chromium, Chrome, Firefox, or Tor Browser, you should not enable HTTPS for Namecoin websites in Chromium/Chrome.$\n$\nWould you like to enable HTTPS for Namecoin websites in Chromium/Chrome?" /SD IDNO IDYES chose_yes IDNO chose_no
+chose_no:
+  Return
+
+found_again:
+  Delete "$PLUGINSDIR\tutorial-confirm"
+  Goto found
+
+chose_yes:
+  Delete $PLUGINSDIR\tutorial-confirm
+  IfFileExists $PLUGINSDIR\tutorial-confirm found 0
+  File /oname=$PLUGINSDIR\tutorial.ps1 tutorial.ps1
+  File /oname=$PLUGINSDIR\tutorial.html tutorial.html
+  FileOpen $4 "$PLUGINSDIR\tutorial.cmd" w
+  FileWrite $4 'powershell -executionpolicy bypass -noninteractive -sta -file "$PLUGINSDIR\tutorial.ps1" "$PLUGINSDIR\tutorial.html" "$PLUGINSDIR\tutorial-confirm" < nul'
+  FileClose $4
+  nsExec::ExecToLog '"$PLUGINSDIR\tutorial.cmd"'
+
+  Delete $PLUGINSDIR\tutorial.cmd
+  Delete $PLUGINSDIR\tutorial.ps1
+  Delete $PLUGINSDIR\tutorial.html
+  IfFileExists "$PLUGINSDIR\tutorial-confirm" 0 found_again
+  Delete $PLUGINSDIR\tutorial-confirm
+
+  # Configure permissions
+  File /oname=$PLUGINSDIR\regpermrun.ps1 regpermrun.ps1
+  File /oname=$PLUGINSDIR\regperm.ps1 regperm.ps1
+  FileOpen $4 "$PLUGINSDIR\regpermrun.cmd" w
+  FileWrite $4 'powershell -executionpolicy bypass -noninteractive -file "$PLUGINSDIR\regpermrun.ps1" install < nul'
+  FileClose $4
+  nsExec::ExecToLog '"$PLUGINSDIR\regpermrun.cmd"'
+  Delete $PLUGINSDIR\regpermrun.cmd
+  Delete $PLUGINSDIR\regpermrun.ps1
+  Delete $PLUGINSDIR\regperm.ps1
+
+  FileOpen $4 "$INSTDIR\etc\ncdns.conf" a
+  FileSeek $4 0 END
+  FileWrite $4 '$\r$\n$\r$\n## ++TRUST++$\r$\n## Added automatically by installer because truststore mode was enabled.$\r$\n[certstore]$\r$\ncryptoapi=true$\r$\n## ++/TRUST++$\r$\n$\r$\n'
+  FileClose $4
+FunctionEnd
+
+Function un.TrustConfig
+  # Keep this the same as the above (NSIS forces function duplication for the uninstaller, alas.)
+  File /oname=$PLUGINSDIR\regpermrun.ps1 regpermrun.ps1
+  File /oname=$PLUGINSDIR\regperm.ps1 regperm.ps1
+  FileOpen $4 "$PLUGINSDIR\regpermrun.cmd" w
+  FileWrite $4 'powershell -executionpolicy bypass -noninteractive -file "$PLUGINSDIR\regpermrun.ps1" uninstall < nul'
+  FileClose $4
+  nsExec::ExecToLog '"$PLUGINSDIR\regpermrun.cmd"'
+  Delete $PLUGINSDIR\regpermrun.cmd
+  Delete $PLUGINSDIR\regpermrun.ps1
+  Delete $PLUGINSDIR\regperm.ps1
+FunctionEnd
+
 # REINSTALL TESTING
 ##############################################################################
 Function ReinstallCheck

regperm.ps1

@@ -0,0 +1,35 @@
+# Here's the story.
+#
+# We need to grant NT SERVICE\ncdns permission to manipulate
+# HKLM\Software\[Wow6432Node\]Microsoft\EnterpriseCertificates\Root\Certificates.
+# However, extraordinarily, PowerShell has no good way of disabling WOW64
+# registry redirection(!!). Thus PowerShell's nativity to the registry nexus,
+# its ability to manipulate the registry just like the filesystem, via 'cd
+# HKLM:\...', etc. goes to waste.
+#
+# In order to access a specific 'view' of the registry (64-bit or 32-bit) we
+# need to use [Microsoft.Win32.RegistryKey]::OpenBaseKey. This is only
+# available in .NET 4 and later. PowerShell 2 uses .NET 2, not .NET 4. Only
+# PowerShell 2 is guaranteed to be available on Windows 7. Thus, there is
+# seemingly no actual way to access alternate views using the PowerShell which
+# ships with Windows 7.
+#
+# So we have to execute powershell twice, once with the 32-bit version of
+# powershell, and one with the 64-bit version of powershell. This is done in
+# regpermrun.ps1.
+#
+# The following code will access the Wow6432Node view when run under 32-bit
+# PowerShell on a 64-bit system and the non-Wow6432Node view otherwise.
+cd HKLM:\Software\Microsoft\EnterpriseCertificates\Root\Certificates\
+$acl = get-acl .
+
+$inhFlags = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
+$rule = new-object System.Security.AccessControl.RegistryAccessRule("NT SERVICE\ncdns", "FullControl", $inhFlags, "None", "Allow")
+
+if ($args[0] -eq "uninstall") {
+  # Removes all rules with the same user and outcome (allow/deny)
+  $acl.RemoveAccessRuleAll($rule)
+} else {
+  $acl.SetAccessRule($rule)
+}
+$acl | set-acl .