Write permission for Users to global persist dir

[Retia-Adolf]

ScoopInstaller/Extras#1124

[rasa]

files have lines containing trailing whitespace.
RuntimeException: The following 1 lines contain trailing whitespace:
File: C:\projects\scoop\lib\install.ps1, Line: 58

[r15ch13]

This will fail on a German PC 😁

Exception calling "SetAccessRule" with "1" argument(s): "Some or all identity references could not be translated."
At line:1 char:1
+ $acl.SetAccessRule((New-Object System.Security.AccessControl.FileSyst ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : IdentityNotMappedException

Output of Get-Acl without the correct permission:

λ (Get-Acl 'C:\ProgramData\scoop\persist').Access

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : NT-AUTORITÄT\SYSTEM
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : FullControl
AccessControlType : Allow
IdentityReference : VORDEFINIERT\Administratoren
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : 268435456
AccessControlType : Allow
IdentityReference : ERSTELLER-BESITZER
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : InheritOnly

FileSystemRights  : ReadAndExecute, Synchronize
AccessControlType : Allow
IdentityReference : VORDEFINIERT\Benutzer
IsInherited       : True
InheritanceFlags  : ContainerInherit, ObjectInherit
PropagationFlags  : None

FileSystemRights  : Write
AccessControlType : Allow
IdentityReference : VORDEFINIERT\Benutzer
IsInherited       : True
InheritanceFlags  : ContainerInherit
PropagationFlags  : None

It only works by setting the user to VORDEFINIERT\Benutzer, which adds:

FileSystemRights  : Write, Synchronize
AccessControlType : Allow
IdentityReference : VORDEFINIERT\Benutzer
IsInherited       : False
InheritanceFlags  : ObjectInherit
PropagationFlags  : None

[Retia-Adolf]

??! I had thought these user/group names are all the same. Never see differences on a Chinese PC etc.

I think I need to find a way to get the actual Users group name, else it will continue to fail on other European PCs...

[r15ch13]

Found a solution https://stackoverflow.com/questions/40587096/set-output-language-of-get-acl#40588213
$user = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

[r15ch13]

Fixed it Not yet!

Call:

    # persist data
    persist_data $manifest $original_dir $persist_dir
    persist_permission $manifest $global

Function:

# check whether write permission for Users usergroup is set to global persist dir, if not then set
function persist_permission($manifest, $global) {
    if ($manifest.persist -and !$global) {
        return
    }
    $path = persistdir $null $global
    $user = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
    $target_rule = New-Object System.Security.AccessControl.FileSystemAccessRule($user, 'Write', 'ObjectInherit', 'none', 'Allow')
    $acl = Get-Acl -Path $path
    $acl.SetAccessRule($target_rule)
    $acl | Set-Acl -Path $path
}

Edit: Fixed the persistence and global check

[r15ch13]

Fixed the code (See above)
Only providing the SecurityIdentifier works fine (see stackoverflow)
Checking if the permission is already set doesn't work. Adding it again does no harm.

[r15ch13]

...

[r15ch13]

This would result in: R15CH13-PC\VORDEFINIERT\Benutzer

[Retia-Adolf]

Oh, sorry, I wrongly took domain name as computer name before.
(((Sorry, I don't know coding, and actually copy codes in function persist_permission from here.

[r15ch13]

The important part is "testing"
I just installed and uninstalled notepad++ with these changes about 30 times now 😁

[Retia-Adolf]

@r15ch13 Checking permission seems no problem for me:

❯ $path = $PWD
❯ $path

Path
----
C:\Users\Retia\Git\Retia-Adolf

❯ $user = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
❯ $Rights = "Write"
❯ $InheritSettings = "ObjectInherit"
❯ $PropogationSettings = "none"
❯ $RuleType = "Allow"
❯ $acl = Get-Acl -Path $PWD
❯ $perm = $user, $Rights, $InheritSettings, $PropogationSettings, $RuleType
❯ $targetRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $perm
❯ $isSet = $true
❯ ForEach ($existRule in $acl) {
>>     $isSet = ($existRule -match $targetRule) -and $isSet
>> }
❯ $isSet
False

So !($isSet) will equal $true, then if (!($isSet)) should perform. Maybe we could add these codes back:

        $isSet = $true
        ForEach ($existRule in $acl) {
            $isSet = ($existRule -match $targetRule) -and $isSet
        }
        if (!$isSet) {
            $acl.SetAccessRule($targetRule)
            $acl | Set-Acl -Path $path
        }

[r15ch13]

This can't work, because it should be ForEach ($existRule in $acl.Access) instead of ForEach ($existRule in $acl).
Comparing the rules with -match also doesn't work. Add debug ($existRule -match $targetRule) to the Loop and you will see that it always outputs True which it shouldn't.

    ForEach ($existRule in $acl.Accesss) {
        debug ($existRule -match $target_rule)
        $isSet = ($existRule -match $target_rule) -and $isSet
    }
    if (!$isSet) {
        debug "SetAccessRule"
        $acl.SetAccessRule($target_rule)
        $acl | Set-Acl -Path $path
    }

[Retia-Adolf]

Thanks for explaining

[Ash258]

Downloads $ scoop install sysinternals
Installing 'sysinternals' (July.5.2018) [64bit]
SysinternalsSuite.zip (24.0 MB) [=============================================================================] 100%
Checking hash of SysinternalsSuite.zip ... ok.
Extracting SysinternalsSuite.zip ... done.
Linking S:\Scoop\apps\sysinternals\current => S:\Scoop\apps\sysinternals\July.5.2018
Creating shim for 'accesschk'.
...Lots of shims...
Creating shortcut for SysInternals/ProcessExplorer - Enhanced Task Manager (procexp64.exe)
...Lots of shortcuts...
Set-Acl : Attempted to perform an unauthorized operation.
At S:\Scoop\apps\scoop\current\lib\install.ps1:1235 char:12
+     $acl | Set-Acl -Path $path
+            ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (S:\Scoop\persist\:String) [Set-Acl], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand

[r15ch13]

@Ash258 oh shit! Fixed with eb7b7cb

[Ash258]

@r15ch13 Everything works fine now 😍

[Retia-Adolf]

Oops, I didn't consider the case that standard user installs app into a custom global app's directory. But just wondering if you don't have rights to modify permission, isn't it impossible to add system environment variable?