search

ironmansoftware / powershell-universal

Issue tracker for PowerShell Universal
https://powershelluniversal.com
35 stars 3 forks source link

Configuration file permission issues should cause alerts #1865

Open DataTraveler1 opened 1 year ago

DataTraveler1 commented 1 year ago

Steps to Reproduce

Problem

If the account running PSU does not have permission to modify the configuration files (e.g. authentication.ps1) then there will be an error logged but there will not be any indication to the user.

Steps to recreate

  1. Successfully install & configure PSU by MSI using the local system account
  2. Switch the PowerShell Universal service to use a service account which does not have permissions to the configuration files
  3. Restart PowerShell Universal service if it wasn't already restarted from step 2.
  4. Try to change the authentication method using the UI (pictured in Visuals section) but clicking the 'Yes' results in nothing happening (a helpful error message is written to the log though). It is at this moment that it would be ideal if the user could be notified that there is a permissions error occurring.

Log data

2022-12-29 12:54:30.069 -05:00 [ERR] An unhandled exception has occurred while executing the request.
System.UnauthorizedAccessException: Access to the path 'C:\ProgramData\UniversalAutomation\Repository\.universal\authentication.ps1' is denied.
   at Microsoft.Win32.SafeHandles.SafeFileHandle.CreateFile(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options)

Notes

All files in the repository directory should be checked by the PSU instance upon startup that it has the required permissions that it needs (Full Control?)

Checking the effective permissions through a module like https://github.com/rohnedwards/PowerShellAccessControl with Get-EffectiveAccess could be preferrable over a technique such as [io.file]::OpenWrite($filename).close()

Expected behavior

If PowerShell Universal does not have access to a needed configuration file, it should throw an alert

Actual behavior

PowerShell Universal does not throw an alert when it encounters a configuration file that it cannot overwrite.

Environment data

PSU 3.6.2

Visuals

image

figure shows the button which has no effect when the PSU instance does not have modify rights to authentication.ps1
DataTraveler1 commented 1 year ago

Forgot to mention, I am not the first person to report this. However, I am not able to find the original references.

schubfre commented 1 year ago

All files in the repository directory should be checked by the PSU instance upon startup that it has the required permissions that it needs (Full Control?)

Just this week I changed the DEV and then PROD instances from LOCAL SYSTEM to a Service Account. The SA is neither a domain user nor a local admin, just a local user. I gave that user 'Modify' rights on the whole partition where all (except the appsettings.json) of the data (repository, logs, etc.) is stored. And until now it's working fine.

I don't see why the PSU SA should need Full Control to modify ACLs.