Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access denied when trying to start globally installed syncthing as a normal user #136036

Open
fluidum opened this issue Jan 24, 2024 · 3 comments
Open

Access denied when trying to start globally installed syncthing as a normal user #136036

fluidum opened this issue Jan 24, 2024 · 3 comments
Labels
Needs-Attention This work item needs to be reviewed by a member of the core team.

Comments

@fluidum
Copy link

fluidum commented Jan 24, 2024

Brief description of your issue

Cannot run syncthing under normal user when installed with --scope machine

Steps to reproduce

As admin: winget install syncthing.syncthing --scope machine
As normal user I run command: syncthing

Expected behavior

syncthing must start under normal user.

Actual behavior

Access is denied.

Environment

C:\Program Files\WinGet\Packages>icacls Syncthing.Syncthing_Microsoft.Winget.Source_8wekyb3d8bbwe
Syncthing.Syncthing_Microsoft.Winget.Source_8wekyb3d8bbwe NT SERVICE\TrustedInstaller:(I)(F)
                                                          NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                          NT AUTHORITY\SYSTEM:(I)(F)
                                                          NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                          BUILTIN\Users:(I)(RX)
                                                          BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                          CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
-----------------------------------------------------------------------------------------------------------------------
C:\Program Files\WinGet\Packages\Syncthing.Syncthing_Microsoft.Winget.Source_8wekyb3d8bbwe>icacls Syncthing.Syncthing_Microsoft.Winget.Source_8wekyb3d8bbwe

C:\Program Files\WinGet\Packages\Syncthing.Syncthing_Microsoft.Winget.Source_8wekyb3d8bbwe>icacls syncthing-windows-amd64-v1.27.2
syncthing-windows-amd64-v1.27.2 GD07\Administrator:(I)(F)
                                GD07\Administrator:(I)(OI)(CI)(IO)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
-----------------------------------------------------------------------------------------------------------------------

Windows Package Manager v1.6.3482
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.19045.3930
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.21.3482.0

Winget Directories
-----------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\Diag…
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\sett…
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages
Installer Downloads                %USERPROFILE%\Downloads

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Disabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Disabled
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs-Triage This work item needs to be triaged by a member of the core team. label Jan 24, 2024
@fluidum fluidum changed the title Access denied when trying to start syncthing.syncthing as normal user Access denied when trying to start globally installed as a normal user Jan 24, 2024
@stephengillie
Copy link
Collaborator

This should be moved to winget-pkgs.

@denelon denelon transferred this issue from microsoft/winget-cli Jan 24, 2024
@fluidum fluidum changed the title Access denied when trying to start globally installed as a normal user Access denied when trying to start globally installed syncthing as a normal user Jan 24, 2024
@Trenly
Copy link
Contributor

Trenly commented Jan 24, 2024
edited
Loading

This actually is a winget-cli issue @stephengillie @denelon.

Looking at the manifest for Syncthing.Syncthing, all of the installers are zip->portable installer type. This means that CLI controls the entire install flow.

Based on the ICACLS command, it seems that the permissions for BUILTIN\Users aren't being propagated through all levels of the extracted Zip file. It looks like they are set on the top level folder in the Packages folder, but the folder inside the Syncthing.Syncthing__DefaultSource folder doesn't have an ACL granting users Read/Write access

PS C:\Program Files\WinGet\Packages> icacls.exe .\Syncthing.Syncthing__DefaultSource\
.\Syncthing.Syncthing__DefaultSource\ NT SERVICE\TrustedInstaller:(I)(F)
                                      NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                      NT AUTHORITY\SYSTEM:(I)(F)
                                      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                      BUILTIN\Administrators:(I)(F)
                                      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                      BUILTIN\Users:(I)(RX)
                                      BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
PS C:\Program Files\WinGet\Packages> cd .\Syncthing.Syncthing__DefaultSource\
PS C:\Program Files\WinGet\Packages\Syncthing.Syncthing__DefaultSource> ls

Directory: C:\Program Files\WinGet\Packages\Syncthing.Syncthing__DefaultSource

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         1/24/2024   4:16 PM                syncthing-windows-amd64-v1.27.2

Successfully processed 1 files; Failed processing 0 files
PS C:\Program Files\WinGet\Packages\Syncthing.Syncthing__DefaultSource> icacls .\syncthing-windows-amd64-v1.27.2\
.\syncthing-windows-amd64-v1.27.2\ 08F2756F-054F-4\WDAGUtilityAccount:(I)(F)
                                   08F2756F-054F-4\WDAGUtilityAccount:(I)(OI)(CI)(IO)(F)
                                   BUILTIN\Administrators:(I)(F)
                                   BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                   NT AUTHORITY\SYSTEM:(I)(F)
                                   NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)

@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs-Attention This work item needs to be reviewed by a member of the core team. label Jan 26, 2024
@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link
Contributor

Hello fluidum,

Your pull request requires attention from a repository administrator. It has been assigned to a developer for review.

Template: msftbot/manualReview

@stephengillie stephengillie removed the Needs-Triage This work item needs to be triaged by a member of the core team. label Jan 26, 2024
@Trenly Trenly mentioned this issue Feb 15, 2024
Open
@github-account1111 github-account1111 mentioned this issue May 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Needs-Attention This work item needs to be reviewed by a member of the core team.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Trenly @fluidum @stephengillie