Azure / azure-cli

Azure Command-Line Interface
MIT License

Non-administrator users cannot use Azure CLI extensions installed with --system option #13622

Open akyamada-ms opened 4 years ago

akyamada-ms commented 4 years ago

Describe the bug

Non-administrators (Users group) other than the administrator who installed an extension cannot use the extension installed with the --system option introduced in Azure CLI version 2.6.0.

To Reproduce

  1. Install Azure CLI 2.6.0.
  2. Run command prompt as administrator.
  3. Install an extension with --system option. (ex. az extension add --name azure-devops --system)
  4. Switch to another user who is not in the Administrators group.
  5. Run any command provided by the extension installed in step 3. (ex. az devops -h) Then, you’ll see that Azure CLI could not find the extension.
  6. Check the access permissions for the extension directory and its subdirectory. Then, you’ll see that permissions for subdirectories of the extensions’ directories are missing, as below.

    C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure-cli-extensions\azure-devops>icacls .
    . NT SERVICE\TrustedInstaller:(I)(F)
      NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
      NT AUTHORITY\SYSTEM:(I)(F)
      NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
      BUILTIN\Administrators:(I)(F)
      BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
      BUILTIN\Users:(I)(RX)    -- subdirectories do not inherit this permission, and users cannot access files Azure CLI needs to access.
      BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
      CREATOR OWNER:(I)(OI)(CI)(IO)(F)
      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
      APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

    C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure-cli-extensions\azure-devops\azext_devops>icacls .
    . NT AUTHORITY\SYSTEM:(OI)(CI)(F)
      BUILTIN\Administrators:(OI)(CI)(F)
      DESKTOP-KMBUKNF\Administrator:(OI)(CI)(F)

Expected behavior

Non-administrators (Users group) other than the administrator who installed an extension can use the extension installed with the --system option. Also, I think that subdirectories of the extensions’ directories should inherit permissions from the parent directory (extension directory).

Environment summary

Azure CLI 2.6.0 on Windows 10

Additional context

Workaround I found so far

Grant permissions to the following folders under C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\azure-cli-extensions\azure-devops.
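An added example, not part of the original issue or of the Azure CLI code base: a small Python parser for `icacls .` listings that reports the two conditions shown in step 6, whether `BUILTIN\Users` has read and execute access on the directory itself and whether any ACE is inherited. The sample listings are constructed from the output above (trimmed), and all function names are hypothetical.

```python
import re

# Constructed sample: the two listings from the issue, trimmed to the relevant ACEs.
PARENT = r"""
. NT AUTHORITY\SYSTEM:(I)(F)
  BUILTIN\Administrators:(I)(F)
  BUILTIN\Users:(I)(RX)
  BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
"""
CHILD = r"""
. NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  BUILTIN\Administrators:(OI)(CI)(F)
  DESKTOP-KMBUKNF\Administrator:(OI)(CI)(F)
"""

# Assumption: input is `icacls .` output (path column is "."); deny ACEs and group nesting are ignored.
ACE_RE = re.compile(r"^\s*(?:\.\s+)?(?P<trustee>[^:]+):(?P<flags>(?:\([^)]*\))+)\s*$")
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

def parse_acl(text):
    """Return (trustee, inheritance_flags, rights) tuples, one per ACE line."""
    aces = []
    for m in filter(None, map(ACE_RE.match, text.splitlines())):
        tokens = re.findall(r"\(([^)]*)\)", m["flags"])
        inherit = {t for t in tokens if t in INHERIT_FLAGS}
        rights = {r for t in tokens if t not in INHERIT_FLAGS for r in t.split(",")}
        aces.append((m["trustee"].strip(), inherit, rights))
    return aces

def can_read(aces, trustee=r"BUILTIN\Users"):
    """True if an ACE applying to this directory itself grants trustee read+execute."""
    for name, inherit, rights in aces:
        if name != trustee or "IO" in inherit:  # inherit-only ACEs do not apply here
            continue
        if rights & {"F", "M", "RX"} or {"GR", "GE"} <= rights:
            return True
    return False

def inheritance_broken(aces):
    """True if no ACE carries the (I) flag, i.e. nothing came from the parent."""
    return bool(aces) and not any("I" in inherit for _, inherit, _ in aces)

def audit(text):
    aces = parse_acl(text)
    return {"users_can_read": can_read(aces), "inheritance_broken": inheritance_broken(aces)}

if __name__ == "__main__":
    for name, text in (("azure-devops", PARENT), (r"azure-devops\azext_devops", CHILD)):
        print(name, audit(text))
```

When checking a directory after applying a workaround, the same report also shows whether access was restored through inheritance or through an explicit ACE.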

yonzhan commented 4 years ago

@fengzhou-msft please take a look