ironmansoftware / powershell-universal

Issue tracker for PowerShell Universal
https://powershelluniversal.com

PSU does not confirm on startup if access is granted to create and append to log files in %PROGRAMDATA%\Universal #2086

Open DataTraveler1 opened 1 year ago

DataTraveler1 commented 1 year ago

Steps to Reproduce

PSU does not confirm on startup if access is granted to create and append to log files in %PROGRAMDATA%\Universal

Steps to recreate

  1. On a clean machine, ensure that %PROGRAMDATA%\Universal directory does not exist

  2. Successfully set up and configure PSU in native (Kestrel) mode (meaning not IIS) under a service account "A". Include the service account credentials at the time of installation on the MSI install. This ensures that the %PROGRAMDATA%\Universal directory will be created by service account "A".

  3. Sanity check the installation and ensure functionality is working and logs are written to disk

  4. Stop the PSU services

  5. Change the service account that the PowerShell Universal service is using to a service account "B". This service account is identical to "A" with respect to Group Policy rights (e.g. "Logon as a batch") but it does not have write/append access to the %PROGRAMDATA%\Universal directory*.

  6. Configure ProcMon to monitor Universal.Server.exe for ACCESS DENIED events to %PROGRAMDATA%\Universal

  7. Restart the PSU service

  8. Observe that changes made to resources are not retained after restarting PSU again

  9. Observe that log data is not created

* This is because the PSU was installed under a different account

Expected behavior

PowerShell Universal should alert if it does not have access to create (and append to) log files in %PROGRAMDATA%\Universal

Actual behavior

PowerShell Universal does not alert if it does not have access to create (and append to) log files in %PROGRAMDATA%\Universal

Environment data

PSU 3.7.10

Visuals

(figure shows two different tabs from a single ACCESS DENIED entry observed with ProcMon)

Edit 1 fixed typo

DataTraveler1 commented 1 year ago

This issue of the service account not having permissions to required folders on the application drive has been mentioned a few times in the past, but I don't believe there is an open issue for it.

DataTraveler1 commented 1 year ago

The file permissions issue described here can also apply to the repository directory in %PROGRAMDATA%\UniversalAutomation. Below is how that will appear in the log when that occurs (assuming PSU has write rights to the log directory but not the repository directory).

```
2023-02-12 12:36:55.845 -05:00 [INF] Request starting HTTP/1.1 GET http://192.168.134.6:5000/api/v1/page/view - -
2023-02-12 12:36:55.847 -05:00 [DBG] The request path /api/v1/page/view does not match a supported file type
2023-02-12 12:36:55.847 -05:00 [DBG] The request path does not match the path filter
2023-02-12 12:36:55.847 -05:00 [DBG] Request matched endpoint 'UniversalAutomation.PageController.ViewPages (Universal.Server)'
2023-02-12 12:36:55.849 -05:00 [INF] Executing endpoint 'UniversalAutomation.PageController.ViewPages (Universal.Server)'
2023-02-12 12:36:55.849 -05:00 [INF] Route matched with {action = "ViewPages", controller = "Page"}. Executing controller action with signature Microsoft.AspNetCore.Mvc.IActionResult ViewPages() on controller UniversalAutomation.PageController (Universal.Server).
2023-02-12 12:36:55.849 -05:00 [DBG] Execution plan of authorization filters (in the following order): ["None"]
2023-02-12 12:36:55.849 -05:00 [DBG] Execution plan of resource filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
2023-02-12 12:36:55.849 -05:00 [DBG] Execution plan of action filters (in the following order): ["Microsoft.AspNetCore.Mvc.Filters.ControllerActionFilter (Order: -2147483648)","Microsoft.AspNetCore.Mvc.ModelBinding.UnsupportedContentTypeFilter (Order: -3000)"]
2023-02-12 12:36:55.849 -05:00 [DBG] Execution plan of exception filters (in the following order): ["None"]
2023-02-12 12:36:55.849 -05:00 [DBG] Execution plan of result filters (in the following order): ["Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.SaveTempDataFilter"]
2023-02-12 12:36:55.849 -05:00 [DBG] Executing controller factory for controller UniversalAutomation.PageController (Universal.Server)
2023-02-12 12:36:55.849 -05:00 [DBG] Executed controller factory for controller UniversalAutomation.PageController (Universal.Server)
2023-02-12 12:36:55.850 -05:00 [INF] Executed action UniversalAutomation.PageController.ViewPages (Universal.Server) in 0.5833ms
2023-02-12 12:36:55.850 -05:00 [INF] Executed endpoint 'UniversalAutomation.PageController.ViewPages (Universal.Server)'
2023-02-12 12:36:55.850 -05:00 [ERR] An unhandled exception has occurred while executing the request.
System.ArgumentNullException: Value cannot be null. (Parameter 'source')
   at System.Linq.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument)
   at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
   at UniversalAutomation.PageController.b__8_1(Page m) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Controllers\PageController.cs:line 89
   at System.Linq.Enumerable.WhereEnumerableIterator`1.MoveNext()
   at UniversalAutomation.PageController.ViewPages() in C:\actions-runner\_work\universal\universal\src\Universal.Server\Controllers\PageController.cs:line 90
   at lambda_method1788(Closure , Object , Object[] )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.SyncActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeActionMethodAsync()
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeNextActionFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.InvokeFilterPipelineAsync()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Logged|17_1(ResourceInvoker invoker)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Logged|17_1(ResourceInvoker invoker)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at PowerShellUniversal.FeatureMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\FeatureMiddleware.cs:line 42
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at PowerShellUniversal.DisallowedModeMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\ModeMiddleware.cs:line 46
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Universal.Server.Middleware.RoutingMiddleware.Invoke(HttpContext httpContext, IPolicyEvaluator policyEvaluator) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\RoutingMiddleware.cs:line 172
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Universal.Server.Middleware.SwaggerAuthenticationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\SwaggerAuthMiddleware.cs:line 35
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at AspNetCoreRateLimit.RateLimitMiddleware`1.Invoke(HttpContext context) in C:\actions-runner\_work\universal\universal\src\AspNetCoreRateLimit\Middleware\RateLimitMiddleware.cs:line 109
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
2023-02-12 12:36:55.852 -05:00 [DBG] The response will be compressed with 'gzip'.
2023-02-12 12:36:55.852 -05:00 [DBG] Connection id "0HMOD3UEM61UE" completed keep alive response.
2023-02-12 12:36:55.852 -05:00 [INF] Request finished HTTP/1.1 GET http://192.168.134.6:5000/api/v1/page/view - - - 500 - text/plain 7.1827ms
```

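
A startup check of the kind requested in this issue, covering both %PROGRAMDATA%\Universal and %PROGRAMDATA%\UniversalAutomation, could look like the following. This is an added example, not PowerShell Universal code and not part of the original comments; the function name `Test-LogDirectoryAccess` and the probe file name are hypothetical. It assumes it is run under the account the PSU service uses, and it tests access by actually creating and appending to a file in each directory instead of reading the ACL.

```powershell
# Added example (not PowerShell Universal code): probe create + append access.
function Test-LogDirectoryAccess {
    param([Parameter(Mandatory)][string[]] $Path)
    foreach ($dir in $Path) {
        $result = [pscustomobject]@{
            Path      = $dir
            Account   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
            CanCreate = $false
            CanAppend = $false
            Error     = $null
        }
        # Hypothetical probe file name; the GUID avoids collisions with real files.
        $probe = Join-Path $dir ("access-probe-{0}.tmp" -f [guid]::NewGuid())
        try {
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
                throw "Directory not found: $dir"
            }
            # Step 1: create a new file in the directory.
            $fs = [System.IO.File]::Open($probe, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write)
            $fs.Dispose()
            $result.CanCreate = $true
            # Step 2: re-open the existing file in append mode and write to it.
            $fs = [System.IO.File]::Open($probe, [System.IO.FileMode]::Append, [System.IO.FileAccess]::Write)
            try { $fs.WriteByte(0x0A) } finally { $fs.Dispose() }
            $result.CanAppend = $true
        }
        catch {
            $result.Error = $_.Exception.Message
        }
        finally {
            Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        }
        $result
    }
}

# The two directories named in this issue.
$targets = @(
    (Join-Path $env:ProgramData 'Universal'),
    (Join-Path $env:ProgramData 'UniversalAutomation')
)
$failed = Test-LogDirectoryAccess -Path $targets | Where-Object { -not ($_.CanCreate -and $_.CanAppend) }
foreach ($f in $failed) {
    Write-Warning ("{0} cannot create/append in {1}: {2}" -f $f.Account, $f.Path, $f.Error)
}
```
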
memphisraynz commented 1 year ago

I have gone through the above, stopped the service and reset permissions. Started the service and still getting the errors. Using procmon shows an access denied to a file but NTFS permissions show the service account as having full control.

memphisraynz commented 1 year ago

Saving a script from the editor looks to be throwing a lot of issues with git.