GrantAccess and ac_name

[WildByDesign]

This is likely a non-issue and more likely something that I am doing wrong, Fredrik. But I'm wondering if you could let me know how to achieve this.

So with GrantAccess, I am guessing that it suggests (https://github.com/forderud/RunInSandbox/blob/master/GrantAccess/Main.cpp#L27) that I can use ac_name as well as the third argument.

GrantAccess ac D:\Tools\RunInSandbox\test2 appcontainer.launcher

I get the proper "Making path D:\Tools\RunInSandbox\test2 accessible by AppContainer appcontainer.launcher." readout, but no success message after that.

Thank you for your time.

[forderud]

Thank you for reporting this problem. I've just added better diagnostics in 4f399b4af4bd1e678f832c9865a90435f4e2e968 . This doesn't fix the problem though. I'll try to look into it the next few days.

[WildByDesign]

You're welcome. Thanks for looking into it. I don't know of any other CLI tools for setting this permission per AppContainer name, so this will be quite nice.

[forderud]

There seem to be a problem with my code for checking existing permissions for non-builtin AppContainers. Not sure why it's failing though, but I managed to work around it by tweaking the code to more gracefully deal with those situations.

I just uploaded a new v0.11.0 binary release to https://github.com/forderud/RunInSandbox/releases where the reported problem should be resolved. Again, thank you for reporting this problem.

[WildByDesign]

You're welcome, my pleasure. I appreciate your time.

[forderud]

Status update: I think I just managed to fix the problem properly by passing AUTHZ_SKIP_TOKEN_GROUPS to AuthzInitializeContextFromSid.

I just uploaded a new v0.11.1 binary release to https://github.com/forderud/RunInSandbox/releases where the reported problem is properly resolved.

[WildByDesign]

One thing I just noticed also. GrantAccess suggests making paths writable by AC and LI. However, when testing both options it seems to only make those paths Read & execute.

[forderud]

One thing I just noticed also. GrantAccess suggests making paths writable by AC and LI. However, when testing both options it seems to only make those paths Read & execute.

I've now added a new -f command-line parameter for requesting full access in ead8c58c24033b7f055b0f303117947787913aab. Hope this fixes your problem. Haven't tested it properly myself though, so I don't want to create a binary release just yet.

[WildByDesign]

Thank you, sir. Great work. I've just compiled and tested it and everything works as expected. The original errors related to this bug report are gone. Also, the new -f argument results in proper Full control and inheritance. I appreciate it.