Windows 2019: Install-JavaTools.ps1 #3588

Closed
1 of 7 tasks
conradj3 opened this issue Jun 15, 2021 · 6 comments

conradj3 commented Jun 15, 2021

Description
While the image creation is successful for Windows 2019, there are odd permissions being set over Java_Adopt_Jdk, which are stored in C:\hostedtoolcache\windows\Java_Adopt_jdk\

Users / Build Agent accounts trying to access or ls the contents are denied. Each of the user accounts tried is in the Administrators group.

UAC Disabled

Area for Triage:
PowerShell

Question, Bug, or Feature?:
Bug

Virtual environments affected

  • Ubuntu 16.04
  • Ubuntu 18.04
  • Ubuntu 20.04
  • macOS 10.15
  • macOS 11
  • Windows Server 2016 R2
  • Windows Server 2019

Image version
OS Version: 10.0.17763 Build 1999
Image Version: 20210608.0

Expected behavior
Java Adopt JDK should be accessible by build agent accounts / authorized accounts.

Actual behavior
The ACLs produced by Install-JavaTools.ps1 seem to limit access to the 3 JDKs installed for Java Adopt. When an Administrative user or build runner account attempts to access the /bin they are denied due to permissions. However, if you run in an elevated session / take ownership the binaries are then able to be executed.

PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows\Java_Adopt_jdk
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows
PSChildName             : Java_Adopt_jdk
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows\Java_Adopt_jdk
Owner                   : BUILTIN\Administrators
Group                   : adobu8a670007YH\None
Access                  : {System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule...}
Sddl                    : O:BAG:S-1-5-21-2745346295-2797063176-3674740416-513D:AI(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGW
                          GR;;;AU)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
AccessToString          : NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
                          NT AUTHORITY\Authenticated Users Allow  -536805376
                          NT AUTHORITY\SYSTEM Allow  FullControl
                          BUILTIN\Administrators Allow  FullControl
                          BUILTIN\Users Allow  ReadAndExecute, Synchronize
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True
PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows\Java_Adopt_jdk\11.0.11-9\
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows\Java_Adopt_jdk
PSChildName             : 11.0.11-9
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows\Java_Adopt_jdk\11.0.11-9\
Owner                   : BUILTIN\Administrators
Group                   : adobu8a670007YH\None
Access                  : {System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule...}
Sddl                    : O:BAG:S-1-5-21-2745346295-2797063176-3674740416-513D:AI(A;ID;0x1301bf;;;AU)(A;OICIIOID;SDGXGW
                          GR;;;AU)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)
AccessToString          : NT AUTHORITY\Authenticated Users Allow  Modify, Synchronize
                          NT AUTHORITY\Authenticated Users Allow  -536805376
                          NT AUTHORITY\SYSTEM Allow  FullControl
                          BUILTIN\Administrators Allow  FullControl
                          BUILTIN\Users Allow  ReadAndExecute, Synchronize
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True
PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows\Java_Adopt_jdk\11.0.11-9\x64
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows\Java_Adopt_jdk\11.0.11-9
PSChildName             : x64
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\hostedtoolcache\windows\Java_Adopt_jdk\11.0.11-9\x64
Owner                   : BUILTIN\Administrators
Group                   : adobu8a670007YH\None
Access                  : {System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule,
                          System.Security.AccessControl.FileSystemAccessRule}
Sddl                    : O:BAG:S-1-5-21-2745346295-2797063176-3674740416-513D:P(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI
                          ;FA;;;LA)
AccessToString          : NT AUTHORITY\SYSTEM Allow  FullControl
                          BUILTIN\Administrators Allow  FullControl
                          adobu8a670007YH\tempuser Allow  FullControl
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True

Repro steps
Get-Acl on each individual hostedcachetools/java_adopt-jdk child folder versus the root.

We are currently getting around this with a custom script extension run inside Azure to reapply inheritance of the root folder over all child objects.
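
The check and workaround described in this report (comparing Get-Acl on the child items against the root, then reapplying inheritance), written out as an added example; it is not the reporter's script or the project's fix in #3605. The function names are hypothetical, and it assumes an elevated Windows PowerShell session so that the protected folders can be read at all.

```powershell
# Added example (hypothetical function names). Lists items under the tool cache
# whose DACL blocks inheritance (AreAccessRulesProtected = True, the "D:P" flag
# in the SDDL above), then optionally re-enables inheritance from the parent.
function Get-ProtectedAclItem {
    param(
        # Default is the folder named in the report.
        [string]$Root = 'C:\hostedtoolcache\windows\Java_Adopt_jdk'
    )
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName   # saved because $_ is the error record inside catch
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
            } catch {
                # An unreadable DACL is itself a finding worth reporting.
                [pscustomobject]@{ Path = $path; Protected = $null; Sddl = $null
                                   Error = $_.Exception.Message }
                return
            }
            if ($acl.AreAccessRulesProtected) {
                [pscustomobject]@{ Path = $path; Protected = $true; Sddl = $acl.Sddl
                                   Error = $null }
            }
        }
}

function Restore-AclInheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Path
    )
    process {
        $acl = Get-Acl -LiteralPath $Path
        # isProtected = $false turns inheritance back on; the second argument
        # is ignored in that case. Existing explicit ACEs are left in place.
        $acl.SetAccessRuleProtection($false, $false)
        if ($PSCmdlet.ShouldProcess($Path, 'Re-enable ACL inheritance')) {
            Set-Acl -LiteralPath $Path -AclObject $acl
        }
    }
}

# Review the report first, then drop -WhatIf to apply the change:
#   Get-ProtectedAclItem | Format-List
#   Get-ProtectedAclItem | Where-Object Protected | Restore-AclInheritance -WhatIf
```

Re-enabling inheritance keeps the explicit FullControl entries already on the folder and adds the inherited Authenticated Users and BUILTIN\Users entries from the root.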

al-cheb commented Jun 15, 2021

Hello, @conradj3
Thank you for reporting the issue. Would you like to prepare a PR, or would you prefer us to fix it on our side?

conradj3 commented Jun 15, 2021

@al-cheb It's going to take me a little bit to get a PR up to the repo. If there is someone readily available, feel free to update. I can submit a PR most likely by end of week if there is not already an update.

@gonchalo620

@al-cheb It's going to take me a little bit to get a PR up to the repo. If there is someone readily available, feel free to update. I can submit a PR most likely by end of week if there is not already an update.

I think it may have been caused by this commit. The same thing happened to me and I had to go back to a previous version.

If you can pass me the commands you are executing, I can try to figure it out and do the pull request.

conradj3 commented Jun 15, 2021

It looks like the folders being created during the Install-JavaTools.ps1, which is called in the windows2019.json for packer, are being created with the default credential for the provisioner; the java adopt jdk zips are extracted with 7z and then are being moved into the respective hostedtoolscache folder.

I've run the script a couple of times as a standard/admin user and it seems to properly do the installation without permission problems, but when executed via packer it appears to have the wrong ACLs.

I have a couple of builds running now with modifications, but I won't know for the next couple of hours.

al-cheb commented Jun 17, 2021

@conradj3 , PR - #3605

@conradj3

@al-cheb Thank you for the quick PR and write-up.
