Check-NavContainerHelperPermissions.ps1

<#
 .Synopsis
  Checks Permissions for NavContainerHelper to run
 .Description
  When running NavContainerHelper as administrator, you have access to everything.
  When running NavContainerHelper as a user, that user needs:
  - Full control to C:\ProgramData\NavContainerHelper (in order to create and remove containers)
  - Modify permissions to C:\Windows\System32\drivers\etc\hosts (if you use -updatehosts)
  - Full control to docker engine pipe (in order to run docker commands)
  This script checks these permissions and allows you to fix the permissions by specifying -fix
 .Parameter fix
  Specify fix in order for this script to attempt to fix permissions
 .Parameter silent
  Specify -silent to stay silent on successfull permission checks
 .Parameter ignoreHosts
  Specify -ignoreHosts to ignore checking the permissions for the hosts file
 .Example
  Check-NavContainerHelperPermissions -fix
 .Example
  Check-NavContainerHelperPermissions -fix -ignoreHosts
 .Example
  Check-NavContainerHelperPermissions -silent
#>

function Check-NavContainerHelperPermissions {
    Param(
        [switch] $Fix,
        [switch] $Silent,
        [switch] $IgnoreHosts
    )

    if (!$isAdministrator -or $Fix) {
        if (!$silent) {
            if ($isAdministrator) {
                Write-Host "Running as administrator"
            } else {
                Write-Host "Running as $myUsername"
            }
        }

        # Check access to C:\ProgramData\NavContainerHelper
        if (!$silent) {
            Write-Host "Checking permissions to $hostHelperFolder"
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'FullControl', 3, 'InheritOnly', 'Allow')
        $access = [System.IO.Directory]::GetAccessControl($hostHelperFolder).Access | 
                    Where-Object { $_.IdentityReference -eq $rule.IdentityReference -and $_.FileSystemRights -eq $rule.FileSystemRights -and $_.AccessControlType -eq $rule.AccessControlType -and $_.InheritanceFlags -eq $rule.InheritanceFlags }
        
        if ($access) {
            if (!$silent) {
                Write-Host -ForegroundColor Green "$myUsername has the right permissions to $hostHelperFolder"
            }
        } else {
            Write-Host -ForegroundColor Red "$myUsername does NOT have Full Control to $hostHelperFolder and all subfolders"
            if (!$Fix) {
                Write-Host -ForegroundColor Red "You need to run as administrator or you can run Check-NavContainerHelperPermissions -Fix to fix permissions"
            } else {
                Write-Host -ForegroundColor Yellow "Trying to add permissions"
                $scriptblock = {
                    Param($myUsername, $hostHelperFolder)
                    try {
                        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'FullControl', 3, 'InheritOnly', 'Allow')
                        $acl = [System.IO.Directory]::GetAccessControl($hostHelperFolder)
                        $acl.AddAccessRule($rule)
                        [System.IO.Directory]::SetAccessControl($hostHelperFolder,$acl) 
                        EXIT 0
                    } catch {
                        EXIT 1
                    }
                }
                $exitCode = (Start-Process powershell -ArgumentList "-command & {$scriptblock} -myUsername '$myUsername' -hostHelperFolder '$hostHelperFolder'" -Verb RunAs -wait -WindowStyle Hidden -PassThru).ExitCode
                if ($exitcode -eq 0) {
                    Write-Host -ForegroundColor Green "Permissions successfully added"
                } else {
                    Write-Host -ForegroundColor Red "Error adding permissions"
                }
            }
        }
    
        if (!$IgnoreHosts) {
            # check access to c:\windows\system32\drivers\etc\hosts
            $hostsFile = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
            if (!$silent) {
                Write-Host "Checking permissions to $hostsFile"
            }
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'Modify', 'Allow')
            $access = [System.IO.Directory]::GetAccessControl($hostsFile).Access | 
                        Where-Object { $_.IdentityReference -eq $rule.IdentityReference -and $_.FileSystemRights -eq $rule.FileSystemRights -and $_.AccessControlType -eq $rule.AccessControlType }
    
            if ($access) {
                if (!$silent) {
                    Write-Host -ForegroundColor Green "$myUsername has the right permissions to $hostsFile"
                }
            } else {
                Write-Host -ForegroundColor Red "$myUsername does NOT have modify permissions to $hostsFile"
                if (!$Fix) {
                    Write-Host -ForegroundColor Red "You need to run as administrator or you can run Check-NavContainerHelperPermissions -Fix to fix permissions"
                } else {
                    Write-Host -ForegroundColor Yellow "Trying to add permissions"
                    $scriptblock = {
                        Param($myUsername, $hostsFile)
                        try {
                            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'Modify', 'Allow')
                            $acl = [System.IO.Directory]::GetAccessControl($hostsFile)
                            $acl.AddAccessRule($rule)
                            [System.IO.Directory]::SetAccessControl($hostsFile,$acl) 
                            EXIT 0
                        } catch {
                            EXIT 1
                        }
                    }
                    $exitcode = (Start-Process powershell -ArgumentList "-command & {$scriptblock} -myUsername '$myUsername' -hostsFile '$hostsFile'" -Verb RunAs -wait -PassThru -WindowStyle Hidden).ExitCode
                    if ($exitcode -eq 0) {
                        Write-Host -ForegroundColor Green "Permissions successfully added"
                    } else {
                        Write-Host -ForegroundColor Red "Error adding permissions"
                    }
                }
            }
        }

        # Check Access to Docker Deamon Socket
        # Thanks to Tobias Fenster, Axians Infoma for this blog post:
        # https://www.axians-infoma.com/techblog/allow-access-to-the-docker-engine-without-admin-rights-on-windows/
        # Pointing me in the right directions wrt. running docker commands without admin rights
        if (!$silent) {
            Write-Host "Checking permissions to docker commands"
        }
        $npipe = ""
        $dockerOk = $true
        $pre = $errorActionPreference
        $errorActionPreference = 'Continue'
        try{
            $tempFile = [System.IO.Path]::GetTempFileName()
            $ps = docker ps 2> $tempFile
            if ($LASTEXITCODE -ne 0) {
                $dockerOk = $false
                $err = [System.IO.File]::ReadAllText($tempFile)
                Write-Host $err
                Remove-Item -Path $tempFile -ErrorAction Ignore
                $npipeStart = $err.IndexOf('\\.\pipe')
                if ($npipeStart -lt 0) {
                    $npipeStart = $err.IndexOf('//./pipe')
                }
                $npipeEnd = $err.IndexOf(': Access is denied')
                $npipe = $err.SubString($npipeStart, $npipeEnd-$npipeStart)
            }
        } catch {
            $dockerOk = $false
        }
        $errorActionPreference = $pre

        if ($dockerOk) {
            if (!$silent) {
                Write-Host -ForegroundColor Green "$myUsername has the right permissions to run docker commands"
            }
        } else {
            Write-Host -ForegroundColor Red "$myUsername does NOT have permissions to run docker commands"
            if (!$Fix) {
                Write-Host -ForegroundColor Red "You need to run as administrator or you can run Check-NavContainerHelperPermissions -Fix to fix permissions"
            } else {
                if ($npipe -eq "") {
                    Write-Host -ForegroundColor Red "Unable to determine docker deamon socket. Are you sure Docker is running and reachable?"
                } else {
                    Write-Host -ForegroundColor Yellow "Trying to add permissions"
                    $scriptblock = {
                        Param($myUsername, $npipe)
                        try {
                            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($myUsername,'FullControl', 'Allow')
                            $acl = [System.IO.Directory]::GetAccessControl($npipe)
                            $acl.AddAccessRule($rule)
                            [System.IO.Directory]::SetAccessControl($npipe,$acl) 
                            exit 0
                        } catch {
                            exit 1
                        }
                    }
            
                    $exitcode = (Start-Process powershell -ArgumentList "-command & {$scriptblock} -myUsername '$myUsername' -npipe '$npipe'" -Verb RunAs -wait -PassThru).ExitCode
                    if ($exitcode -eq 0) {
                        Write-Host -ForegroundColor Green "Permissions successfully added"
                    } else {
                        Write-Host -ForegroundColor Red "Error adding permissions"
                    }
                }
            }
        }
    }
}
Export-ModuleMember -Function Check-NavContainerHelperPermissions