From 21bd26b72eefc4b4d12a13f65dca67ff27ad80e0 Mon Sep 17 00:00:00 2001
From: Damien Coles <damien.coles@gmail.com>
Date: Thu, 12 Feb 2026 16:01:22 -0800
Subject: [PATCH] =?UTF-8?q?lock=20down=20install=20directory=20=E2=80=94?=
 =?UTF-8?q?=20strip=20Users=20read=20access=20from=20Nebula=20files?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 install-nebula.ps1 | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/install-nebula.ps1 b/install-nebula.ps1
index 2558847..9e37544 100644
--- a/install-nebula.ps1
+++ b/install-nebula.ps1
@@ -159,6 +159,17 @@ if (-not (Test-Path $InstallDir)) {
     }
 }
 
+# Lock down the directory — only SYSTEM and Administrators need access.
+# Program Files subdirectories inherit broad ACLs (Users: Read & Execute).
+# Take ownership, disable inheritance, and strip everything except SYSTEM and Admins.
+takeown /F $InstallDir /R /A /D Y | Out-Null
+icacls $InstallDir /inheritance:d /T /Q
+icacls $InstallDir /remove:g "BUILTIN\Users" /T /Q
+icacls $InstallDir /remove:g "CREATOR OWNER" /T /Q
+icacls $InstallDir /remove:g "NT SERVICE\TrustedInstaller" /T /Q
+icacls $InstallDir /remove:g "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" /T /Q
+icacls $InstallDir /remove:g "APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES" /T /Q
+
 # --- Copy files ---
 
 try {