conda / constructor

tool for creating installers from conda packages
https://conda.github.io/constructor/
Other
463 stars 167 forks source link

Running Anaconda 2024.06-1 installer on Windows for "Just Me" messes with installation folder permissions #872

Open lzj-ML opened 1 month ago

lzj-ML commented 1 month ago

Checklist

What happened?

I'm trying to install Anaconda 2024.06-1 on Windows using the official installer, in graphical mode, for "Just Me", but towards the end of the installation the installer shows Setting installation folder permissions..., and after a very long time it finishes, having revoked my write permissions to the Anaconda installation folder. I am thus unable to install or update any packages on the base environment, which is annoying. Checking the constructor source code for this string shows that this step shouldn't even run if the installer was not running with UAC elevation. At no other point in the installation does this conditional check for UAC elevation succeed (i.e., it proceeds as if it was a "Just Me" installation). A very strange situation.

Note that this appears to be a different issue from #828, where the installer was custom-built rather than an official release, was running as SYSTEM, and was run in the "All Users" installation mode.

The code in question that changes file permissions, found in constructor/constructor/nsis/main.nsi.tmpl:

    # To address CVE-2022-26526.
    # Revoke the write permission on directory "$INSTDIR" for Users if this is
    # being run with administrative privileges. Users are:
    #   AU - authenticated users
    #   BU - built-in (local) users
    #   DU - domain users
    ${If} ${UAC_IsAdmin}
        ${Print} "Setting installation directory permissions..."
        AccessControl::DisableFileInheritance "$INSTDIR"
        AccessControl::RevokeOnFile "$INSTDIR" "(AU)" "GenericWrite"
        AccessControl::RevokeOnFile "$INSTDIR" "(DU)" "GenericWrite"
        AccessControl::RevokeOnFile "$INSTDIR" "(BU)" "GenericWrite"
        AccessControl::SetOnFile "$INSTDIR" "(BU)" "GenericRead + GenericExecute"
        AccessControl::SetOnFile "$INSTDIR" "(DU)" "GenericRead + GenericExecute"
    ${EndIf}

Additional Context

No response

marcoesters commented 1 month ago

This is a very strange situation indeed. As far as I understand it, UAC_IsAdmin checks whether you are running the process with elevated privileges on-the-fly, i.e., it is independent of the JUST_ME parameter.

Unless I overlooked something, the lines you mention are the only instance where UAC_IsAdmin is called for a JUST_ME installation of the Anaconda Distribution installer. So, it is not surprising that the rest worked as expected.

The question is whether you acquired admin privileges during the installation (which would be very concerning) or whether you started the installation as administrator, so I have a few questions for you:

  1. What Windows version are you using?
  2. Are you using a normal user account or do you have any additional administrator privileges?
  3. When you executed the installer, did you get a pop-up to ask whether the installer can make changes to your computer?
  4. Have you tried older version or Miniconda?
  5. Have you tried installing via the command line?
lzj-ML commented 1 month ago
  1. Installing on Windows 10 22H2 (build 19045.4894)
  2. Running the installer as a normal domain user account
  3. No UAC prompt upon running the installer, nor at any other point during the installation process
  4. Trying the same procedure with Miniconda py312_24.7.1-0 gives the same results (still goes to "Setting installation directory permissions...")
  5. Installing Miniconda via command line with the relevant arguments (/S /InstallationType=JustMe /RegisterPython=1 /AddToPath=0 /D=D:\\Miniconda) gives the same end result (write permissions revoked from install folder)

(Note that I am trying to install Anaconda/Miniconda to a non-default file path, if that makes a difference)

Other things I have tried with the Miniconda installer (the full Anaconda installer takes too long to run to completion for testing purposes) are:

  1. Deselecting "create shortcuts" in graphical installer
  2. Deselecting "Register as default Python" in graphical installer
  3. Running installer with /RegisterPython=0 via command line
  4. Running installer in graphical mode explicitly as my user account using RUNAS
  5. Running installer via command line explicitly as my user account using RUNAS

All give the same (unwanted) end result.

The only workaround I can find for now is to create the install folder in advance, manually explicitly set my user account to have Full Control, then run the installer. Installation still takes a very long time, because the installer is unnecessarily messing with permissions, but at least this way the installer does not revoke my permissions.

It is still unknown how the installer is able to revoke and set permissions in the first place.

marcoesters commented 1 month ago

(Note that I am trying to install Anaconda/Miniconda to a non-default file path, if that makes a difference)

I have never seen it make a difference, but there may be an edge case here. Can you disclose the location without giving away personal/company information?

There is a simple workaround either way. The current code checks whether the user is administrator, but intent is more important. So, changing ${If} ${UAC_IsAdmin} to ~${If} $InstMode = ${JUST_ME}~ ${If} $InstMode = ${ALL_USERS} should do it.

@jaimergp, do you see any risk here? I don't see a reason for using UAC_IsAdmin here.

lzj-ML commented 1 month ago

The non-default path is just D:\Miniconda\ (I have more free space on that drive). Hardly seems possible to trigger an edge case with such a generic path, but you never know.

I assume the change should be {IfNot} $InstMode = ${JUST_ME} or {If} $InstMode = ${ALL_USERS}

marcoesters commented 1 month ago

After some more investigating, this would unfortunately re-introduce the CVE this part of the code was trying to fix. If you run the installer as administrator and install and run a JustMe installation, you could create an installation into sensitive places with permissions that are too permissive.

Can you confirm that you saw the "Setting installation directory permissions..." line when you installed Miniconda into an empty D:\Miniconda3?

I will try and get on a system with multiple drives to reproduce the error.

lzj-ML commented 1 month ago

Can you confirm that you saw the "Setting installation directory permissions..." line when you installed Miniconda into an empty D:\Miniconda3?

Yes, I confirm that I saw that line when trying to install Miniconda into a previously-created empty D:\Miniconda3\ directory.

Thanks for following up on this, it is very much appreciated.

marcoesters commented 3 weeks ago

Apologies for the delay, I was finally able to test it on a machine with two hard drives. I installed the latest Miniconda (24.9.2) into D:\miniconda3 and cannot reproduce it. Something about how your D:\ drive is configured must interfere with how NSIS detects whether you are administrator.