cuprated: private file permissions (Windows)

redsh4de · redsh4de · commit bbe9ef49b87e · 2026-05-05T22:09:09.000+03:00
diff --git a/binaries/cuprated/src/config.rs b/binaries/cuprated/src/config.rs
@@ -130,6 +130,9 @@ pub fn read_config_and_args() -> Config {
 
     let config = args.apply_args(config);
 
+    #[cfg(target_os = "windows")]
+    cuprate_helper::fs::set_private_directory_permissions(&config.writable_directories());
+
     if args.dry_run {
         config.dry_run_check();
     }
@@ -247,6 +250,20 @@ impl Config {
         format!("{HEADER}{doc}")
     }
 
+    /// Returns the directories cuprate writes to.
+    pub fn writable_directories(&self) -> Vec<&Path> {
+        let mut paths = vec![
+            self.fs.fast_data_directory.as_path(),
+            self.fs.slow_data_directory.as_path(),
+            self.fs.cache_directory.as_path(),
+        ];
+        #[cfg(feature = "arti")]
+        if matches!(self.tor.mode, TorMode::Arti | TorMode::Auto) {
+            paths.push(self.tor.arti.directory_path.as_path());
+        }
+        paths
+    }
+
     /// Attempts to read a config file in [`toml`] format from the given [`Path`].
     ///
     /// # Errors
@@ -503,46 +520,9 @@ impl Config {
             }
         }
 
-        match Self::check_dir_permissions(&self.fs.fast_data_directory) {
-            Ok(()) => println!(
-                "Permissions are ok at {}",
-                self.fs.fast_data_directory.display()
-            ),
-            Err(e) => {
-                eprintln_red(&format!("Error: {e}"));
-                error = true;
-            }
-        }
-
-        match Self::check_dir_permissions(&self.fs.slow_data_directory) {
-            Ok(()) => println!(
-                "Permissions are ok at {}",
-                self.fs.slow_data_directory.display()
-            ),
-            Err(e) => {
-                eprintln_red(&format!("Error: {e}"));
-                error = true;
-            }
-        }
-
-        match Self::check_dir_permissions(&self.fs.cache_directory) {
-            Ok(()) => println!(
-                "Permissions are ok at {}",
-                self.fs.cache_directory.display()
-            ),
-            Err(e) => {
-                eprintln_red(&format!("Error {e}"));
-                error = true;
-            }
-        }
-
-        #[cfg(feature = "arti")]
-        if matches!(self.tor.mode, TorMode::Arti | TorMode::Auto) {
-            match Self::check_dir_permissions(&self.tor.arti.directory_path) {
-                Ok(()) => println!(
-                    "Permissions are ok at {}",
-                    self.tor.arti.directory_path.display()
-                ),
+        for path in self.writable_directories() {
+            match Self::check_dir_permissions(path) {
+                Ok(()) => println!("Permissions are ok at {}", path.display()),
                 Err(e) => {
                     eprintln_red(&format!("Error: {e}"));
                     error = true;
diff --git a/binaries/cuprated/src/main.rs b/binaries/cuprated/src/main.rs
@@ -54,6 +54,7 @@ mod version;
 
 fn main() {
     // Set global private permissions for created files.
+    #[cfg(target_family = "unix")]
     cuprate_helper::fs::set_private_global_file_permissions();
 
     // Initialize global static `LazyLock` data.
diff --git a/helper/Cargo.toml b/helper/Cargo.toml
@@ -43,7 +43,13 @@ serde            = { workspace = true, optional = true, features = ["derive"] }
 # [thread] needs to activate one of these libs (windows|libc)
 # although it depends on what target we're building for.
 [target.'cfg(windows)'.dependencies]
-target_os_lib = { package = "windows", version = ">=0.51", features = ["Win32_System_Threading", "Win32_Foundation"], optional = true }
+target_os_lib = { package = "windows", version = ">=0.51", features = [
+    "Win32_Foundation",
+    "Win32_Security",
+    "Win32_Security_Authorization",
+    "Win32_Storage_FileSystem",
+    "Win32_System_Threading",
+], optional = true }
 [target.'cfg(unix)'.dependencies]
 target_os_lib = { package = "libc", version = "0.2", optional = true }
 
diff --git a/helper/src/fs.rs b/helper/src/fs.rs
@@ -236,26 +236,27 @@ pub fn address_book_path(cache_dir: &Path, network: Network) -> PathBuf {
 // `rwxr-x---`
 //
 // # Windows
-// TODO: does nothing.
-#[cfg_attr(
-    target_os = "windows",
-    expect(
-        clippy::missing_const_for_fn,
-        reason = "remove when Windows is implemented"
-    )
-)]
+// Not available. Permissions are set on a per-directory basis in `set_private_directory_permissions`.
+#[cfg(target_family = "unix")]
 pub fn set_private_global_file_permissions() {
-    #[cfg(target_family = "unix")]
     // SAFETY: calling C.
     unsafe {
         target_os_lib::umask(0o027);
     }
+}
 
-    #[cfg(target_os = "windows")]
-    // TODO: impl for Windows.
-    {
-        use target_os_lib as _;
-    }
+// Apply private permissions to `roots`.
+//
+// # Windows
+// Restricts each newly-created directory to the current user, SYSTEM, and Administrators.
+//
+// # Unix
+// Not available. Permissions are set globally by `set_private_global_file_permissions`.
+#[cfg(target_os = "windows")]
+mod windows_perms;
+#[cfg(target_os = "windows")]
+pub fn set_private_directory_permissions(roots: &[&Path]) {
+    windows_perms::apply(roots);
 }
 
 //---------------------------------------------------------------------------------------------------- Tests
diff --git a/helper/src/fs/windows_perms.rs b/helper/src/fs/windows_perms.rs
@@ -0,0 +1,159 @@
+//! Windows ACL implementation for [`super::set_private_directory_permissions`].
+
+//---------------------------------------------------------------------------------------------------- Use
+use std::ffi::OsStr;
+use std::os::windows::ffi::OsStrExt;
+use std::path::Path;
+use std::ptr;
+
+use target_os_lib::core::{Error, Owned, Result, PCWSTR, PWSTR};
+use target_os_lib::Win32::Foundation::{
+    ERROR_ALREADY_EXISTS, ERROR_INSUFFICIENT_BUFFER, E_UNEXPECTED, HANDLE, HLOCAL,
+};
+use target_os_lib::Win32::Security::Authorization::{
+    ConvertSidToStringSidW, ConvertStringSecurityDescriptorToSecurityDescriptorW, SDDL_REVISION_1,
+};
+use target_os_lib::Win32::Security::{
+    GetTokenInformation, TokenUser, PSECURITY_DESCRIPTOR, SECURITY_ATTRIBUTES, TOKEN_ACCESS_MASK,
+    TOKEN_QUERY, TOKEN_USER,
+};
+use target_os_lib::Win32::Storage::FileSystem::CreateDirectoryW;
+use target_os_lib::Win32::System::Threading::{GetCurrentProcess, OpenProcessToken};
+
+//---------------------------------------------------------------------------------------------------- SecurityDescriptor
+/// Security descriptor parsed from SDDL, with its `LocalAlloc` buffer freed on drop.
+struct SecurityDescriptor {
+    psd: PSECURITY_DESCRIPTOR,
+    _buf: Owned<HLOCAL>,
+}
+
+impl SecurityDescriptor {
+    fn from_sddl(sddl: &str) -> Result<Self> {
+        let sddl_w = to_wide_nul(OsStr::new(sddl));
+        let mut psd = PSECURITY_DESCRIPTOR::default();
+        // SAFETY: `sddl_w` is owned and null-terminated; `psd` is a valid out-pointer.
+        unsafe {
+            ConvertStringSecurityDescriptorToSecurityDescriptorW(
+                PCWSTR(sddl_w.as_ptr()),
+                SDDL_REVISION_1,
+                &raw mut psd,
+                None,
+            )
+        }?;
+        Ok(Self {
+            psd,
+            // SAFETY: `psd.0` is a `LocalAlloc` buffer per the function contract.
+            _buf: unsafe { Owned::new(HLOCAL(psd.0)) },
+        })
+    }
+}
+
+//---------------------------------------------------------------------------------------------------- Apply
+/// Apply a private ACL to each path in `roots`.
+///
+/// SYSTEM and Administrators are granted access alongside the user so
+/// Windows backup, antivirus, and indexer services keep working.
+pub(super) fn apply(roots: &[&Path]) {
+    let user = match current_user_sid_string() {
+        Ok(u) => u,
+        Err(e) => {
+            eprintln!("warning: could not retrieve user SID: {e}");
+            return;
+        }
+    };
+    let sddl = format!("O:{user}D:P(A;OICI;FA;;;{user})(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)");
+    let sd = match SecurityDescriptor::from_sddl(&sddl) {
+        Ok(sd) => sd,
+        Err(e) => {
+            eprintln!("warning: could not parse Windows security descriptor: {e}");
+            return;
+        }
+    };
+
+    let sa = SECURITY_ATTRIBUTES {
+        nLength: size_of::<SECURITY_ATTRIBUTES>() as u32,
+        lpSecurityDescriptor: sd.psd.0,
+        bInheritHandle: false.into(),
+    };
+    for root in roots {
+        if let Err(e) = create_private_directory(root, &sa) {
+            eprintln!(
+                "warning: could not create private directory {}: {e}",
+                root.display()
+            );
+        }
+    }
+}
+
+//---------------------------------------------------------------------------------------------------- Helpers
+fn current_user_sid_string() -> Result<String> {
+    let token = open_process_token(TOKEN_QUERY)?;
+
+    let mut len: u32 = 0;
+    // SAFETY: probe call with null buffer; `len` is a valid out-pointer.
+    match unsafe { GetTokenInformation(*token, TokenUser, None, 0, &raw mut len) } {
+        Err(e) if e.code() == ERROR_INSUFFICIENT_BUFFER.to_hresult() => {}
+        Err(e) => return Err(e),
+        Ok(()) => return Err(Error::from_hresult(E_UNEXPECTED)),
+    }
+
+    // `u64` elements satisfy `TOKEN_USER`'s 8-byte alignment.
+    let mut buf: Vec<u64> = vec![0; (len as usize).div_ceil(size_of::<u64>())];
+    // SAFETY: `buf` is sized per the probe and aligned for `TOKEN_USER`.
+    unsafe {
+        GetTokenInformation(
+            *token,
+            TokenUser,
+            Some(buf.as_mut_ptr().cast()),
+            len,
+            &raw mut len,
+        )
+    }?;
+
+    // SAFETY: `buf` was just populated as a `TOKEN_USER` by the call above.
+    let token_user = unsafe { &*buf.as_ptr().cast::<TOKEN_USER>() };
+    let mut sid_pwstr = PWSTR::null();
+    // SAFETY: `token_user.User.Sid` is valid; out-pointer is owned.
+    unsafe { ConvertSidToStringSidW(token_user.User.Sid, &raw mut sid_pwstr) }?;
+    // SAFETY: `sid_pwstr.0` is a `LocalAlloc` buffer per `ConvertSidToStringSidW`.
+    let _sid_guard = unsafe { Owned::new(HLOCAL(sid_pwstr.0.cast())) };
+
+    // SAFETY: `sid_pwstr` was just populated above. The `to_string` failure
+    // case is unreachable for a Windows-emitted SID and maps to `E_UNEXPECTED`.
+    unsafe { sid_pwstr.to_string() }.map_err(|_| Error::from_hresult(E_UNEXPECTED))
+}
+
+fn create_private_directory(path: &Path, sa: &SECURITY_ATTRIBUTES) -> Result<()> {
+    if path.is_dir() {
+        return Ok(());
+    }
+
+    if let Some(parent) = path.parent() {
+        if !parent.as_os_str().is_empty() {
+            create_private_directory(parent, sa)?;
+        }
+    }
+
+    let path_w = to_wide_nul(path.as_os_str());
+    // SAFETY: `path_w` is owned; `sa` outlives this call.
+    unsafe { CreateDirectoryW(PCWSTR(path_w.as_ptr()), Some(ptr::from_ref(sa))) }.or_else(|e| {
+        if e.code() == ERROR_ALREADY_EXISTS.to_hresult() {
+            Ok(())
+        } else {
+            Err(e)
+        }
+    })
+}
+
+fn open_process_token(access: TOKEN_ACCESS_MASK) -> Result<Owned<HANDLE>> {
+    let mut token = HANDLE::default();
+    // SAFETY: `token` is a valid out-pointer; the returned handle is owned
+    // by the resulting `Owned<HANDLE>`.
+    unsafe { OpenProcessToken(GetCurrentProcess(), access, &raw mut token) }?;
+    // SAFETY: `OpenProcessToken` returned Ok; `token` is now owned.
+    Ok(unsafe { Owned::new(token) })
+}
+
+fn to_wide_nul(s: &OsStr) -> Vec<u16> {
+    s.encode_wide().chain(std::iter::once(0)).collect()
+}
