ZabbixAgent2Installer/Public/Set-FileSystemPermission.ps1

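function Set-FileSystemPermission {
<#
.SYNOPSIS
Adds an Allow access rule for one identity to the ACL of every item matched by -Path.

.DESCRIPTION
For each item returned by Get-Item, reads its ACL, optionally strips inherited
ACEs (-BreakInheritance), appends a FileSystemAccessRule granting $Permission to
$Identity and writes the ACL back with Set-Acl. Existing explicit ACEs are kept;
only inherited ones are dropped, and only when -BreakInheritance is given.

.PARAMETER Path
Path of the file or directory whose ACL is modified. Wildcards are expanded by
Get-Item, so several items may be processed by one call.

.PARAMETER Identity
Account the rule is granted to, e.g. an NTAccount name such as 'NT AUTHORITY\SYSTEM'.

.PARAMETER Permission
FileSystemRights value to grant: FullControl, ListDirectory or ReadAndExecute.

.PARAMETER Inheritance
InheritanceFlags for the rule. Defaults to propagating to both subfolders and
files. Forced to ContainerInherit when $Permission is ListDirectory, because
that right only applies to directories.

.PARAMETER BreakInheritance
When set, the ACL is protected with SetAccessRuleProtection($true, $false):
inherited ACEs are discarded rather than copied. Every identity that still
needs access afterwards (SYSTEM included) must be added by a separate call.

.OUTPUTS
None. Failures are reported with Write-Error (non-terminating) so the
remaining matched items are still processed.
#>
param(
    [Parameter(Mandatory=$true)]
    [string]$Path,
    [Parameter(Mandatory=$true)]
    [string]$Identity,
    [Parameter(Mandatory=$true)]
    [ValidateSet("FullControl", "ListDirectory", "ReadAndExecute")]
    [string]$Permission,
    [ValidateSet('ContainerInherit, ObjectInherit', 'ContainerInherit','ObjectInherit','None')]
    $Inheritance = 'ContainerInherit, ObjectInherit',
    [switch]$BreakInheritance
)
# ListDirectory is a directory-only right, so never propagate it onto files.
# A separate local is used so the $Inheritance parameter is not overwritten
# (PowerShell variable names are case-insensitive).
$effectiveInheritance = if ($Permission -eq 'ListDirectory') { 'ContainerInherit' } else { $Inheritance }

# The rule is identical for every matched item, so build it once.
# Constructor arguments: identity, FileSystemRights, InheritanceFlags,
# PropagationFlags ('None' = the ACE applies to this object and is inherited
# by children normally, no InheritOnly/NoPropagateInherit), AccessControlType.
$aclRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Identity, $Permission, $effectiveInheritance, 'None', 'Allow'

try {
    # -ErrorAction Stop: a missing path is otherwise a non-terminating error
    # that the outer catch would never see.
    Get-Item -Path $Path -ErrorAction Stop | ForEach-Object {
        # Saved up front because inside the catch block $_ is the ErrorRecord,
        # not the item.
        $itemPath = $_.FullName
        try {
            # -LiteralPath: FullName is a concrete path and may contain glob
            # characters such as '[' that -Path would re-expand.
            $acl = Get-Acl -LiteralPath $itemPath -ErrorAction Stop
            if ($BreakInheritance) {
                # isProtected=$true, preserveInheritance=$false: inherited ACEs are removed, not copied.
                $acl.SetAccessRuleProtection($true, $false)
            }
            $acl.AddAccessRule($aclRule)
            # Set-Acl errors are non-terminating by default; Stop makes the catch reachable.
            Set-Acl -LiteralPath $itemPath -AclObject $acl -ErrorAction Stop
        } catch {
            Write-Error "Failed to set permissions for file '$itemPath' with error: $_"
        }
    }
} catch {
    Write-Error "Failed to traverse the path '$Path' with error: $_"
}
}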
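function Translate-SidToNTAccount {
<#
.SYNOPSIS
Converts a SID string (e.g. 'S-1-5-18') to its NTAccount name (e.g. 'NT AUTHORITY\SYSTEM').

.PARAMETER SID
Security identifier in SDDL string form. Also bound from the pipeline by
property name, so objects exposing a SID property can be piped in.

.OUTPUTS
System.String - the translated account name.

.NOTES
Translation is performed by the local system; a SID that cannot be resolved
here throws IdentityNotMappedException, which is left to the caller.
List of well-known SIDs: https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids
#>
[OutputType([string])]
param (
    [Parameter(Mandatory=$true,
               ValueFromPipelineByPropertyName=$true,
               Position=0)]
    [string]
    $SID
)
# A process block is required so that every piped object is translated;
# without it only the last pipeline item would be handled.
process {
    $principal = [System.Security.Principal.SecurityIdentifier]$SID
    $principal.Translate([System.Security.Principal.NTAccount]).Value
}
}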
<#
#region folders
$nameOrg = 'Zabbix'
$nameProduct = 'Agent2'
$fOrg = Join-Path $env:ProgramData $nameOrg
$fProduct = Join-Path $fOrg $nameProduct
$fInstaller = Join-Path $fOrg installer
$folder = [ordered]@{
Org = $fOrg
Installer = $fInstaller
Product = $fProduct
Bin = Join-Path $fProduct 'bin'
Conf = Join-Path $fProduct 'conf'
ConfD = Join-Path (Join-Path $fProduct 'conf') 'zabbix_agent2.d'
Tls = Join-Path $fProduct 'tls'
Log = Join-Path $fProduct 'log'
}
Remove-Item -Recurse $fOrg -Force -ErrorAction SilentlyContinue
foreach ($thisFolder in $folder.Values) {
if (Test-Path $thisFolder) {
Write-Verbose ('Path {0} already exists' -f $thisFolder)
}
else {
New-Item -Path $thisFolder -ItemType Directory -ErrorAction Stop
}
}
#endregion
# This is the well-known SID for the administrators group
$admins = (New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544').Translate([System.Security.Principal.NTAccount]).Value
# This is a hard-coded string representing the SYSTEM account name
$system = "NT AUTHORITY\SYSTEM"
# This is the well-known SID for the built-in Users group
$users = ([System.Security.Principal.SecurityIdentifier]'S-1-5-32-545').Translate([System.Security.Principal.NTAccount]).Value
$admins = Translate-SidToNTAccount S-1-5-32-544
$users = Translate-SidToNTAccount S-1-5-32-545
$system = Translate-SidToNTAccount S-1-5-18
Set-FileSystemPermission -Path $fOrg -Identity $admins -Permission FullControl -BreakInheritance
Set-FileSystemPermission -Path $fOrg -Identity $system -Permission FullControl
Set-FileSystemPermission -Path $fOrg -Identity $users -Permission ListDirectory
Set-FileSystemPermission -Path ($folder['bin']) -Identity $users -Permission ReadAndExecute
#>