After doing miktex --admin pagages upgrade with admin privileges the next time I tried to do the same I got: Sorry, but: The package database is locked and cannot be accessed. But that is wrong: the package database is not locked, but because of incorrect acls inaccessible. The database is created from an elevated account, but without granting rights to access this database from this elevated account. acls are created only for system and local administrators, not for administrators of a domain. This is ok, if there are local administrators and domain administrators are part of the local administrators group, but if there are no local administrators the domain administrators have, after upgrading once, no access any more on the just created database. The first update succeeds, the second and all later will fail.
What is wrong with miktex --admin? Simple: this command has to check if it is run as admin with elevation rights, not assume it is run as admin with elevation rights.
Within C:\ProgramData\ everyone has rights to create new files. These files may or may not be accessible to others -- even administrators may not have access rights for files created by users. It is the creating partys tune to make sure access rights are set properly to have all necessary accounts access these files!
You are just leaving access rights as they are. And if a log or database is created by one this one may be the only one having access to this database in future. Windows sets acls this way. If you need something else make sure you chage what windows does -- especially in a locked down environment.
edocevoli
commented
6 months ago
After doing
miktex --admin pagages upgradewith admin privileges the next time I tried to do the same I got:Sorry, but: The package database is locked and cannot be accessed.But that is wrong: the package database is not locked, but because of incorrect acls inaccessible. The database is created from an elevated account, but without granting rights to access this database from this elevated account. acls are created only forsystemandlocal administrators, not for administrators of a domain. This is ok, if there are local administrators and domain administrators are part of the local administrators group, but if there are no local administrators the domain administrators have, after upgrading once, no access any more on the just created database. The first update succeeds, the second and all later will fail.What is wrong with
miktex --admin? Simple: this command has to check if it is run as admin with elevation rights, not assume it is run as admin with elevation rights.Within
C:\ProgramData\everyone has rights to create new files. These files may or may not be accessible to others -- even administrators may not have access rights for files created by users. It is the creating partys tune to make sure access rights are set properly to have all necessary accounts access these files!You are just leaving access rights as they are. And if a log or database is created by one this one may be the only one having access to this database in future. Windows sets acls this way. If you need something else make sure you chage what windows does -- especially in a locked down environment.