(GH-398) Allow append for users on logs directory
To see errors and otherwise, allow users permission to append to log
files.
ferventcoder committed Jun 16, 2016
1 parent 8abfd96 commit 69266f3
Showing 3 changed files with 10 additions and 2 deletions.
1 change: 0 additions & 1 deletion CHANGELOG.md
Expand Up @@ -42,7 +42,6 @@ If you were using any of the functions in a non-recommended way or not compliant
* [Security] Explicit permissions - remove inheritance/lock down to admins - see [#398](https://github.com/chocolatey/choco/issues/398)

This further restricts the default installation location by removing all permissions and inheritance of permissions, explicitly giving Administrator/LocalSystem to Full access, and Users are granted Read and Execute.
In prior installations, we ensured Modify access to the installing user, but that has been removed for security reasons. Should you need the previous behavior, set `$env:ChocolateyInstallAllowCurrentUser="true"`.

### KNOWN ISSUES

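Review bot: The #398 entry text in this hunk describes Users as getting Read and Execute only, but the same commit grants Users AppendData on the logs folder in chocolateysetup.psm1, so the documented permission model no longer matches what setup applies. Add a sentence to this entry saying that Users additionally get append access on `logs`, and make the same change to the identical text in nuget/chocolatey/chocolatey.nuspec so the two copies stay in sync.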
1 change: 0 additions & 1 deletion nuget/chocolatey/chocolatey.nuspec
Expand Up @@ -97,7 +97,6 @@ If you were using any of the functions in a non-recommended way or not compliant
* [Security] Explicit permissions - remove inheritance/lock down to admins - see [#398](https://github.com/chocolatey/choco/issues/398)

This further restricts the default installation location by removing all permissions and inheritance of permissions, explicitly giving Administrator/LocalSystem to Full access, and Users are granted Read and Execute.
In prior installations, we ensured Modify access to the installing user, but that has been removed for security reasons. Should you need the previous behavior, set `$env:ChocolateyInstallAllowCurrentUser="true"`.

### KNOWN ISSUES

10 changes: 10 additions & 0 deletions nuget/chocolatey/tools/chocolateysetup.psm1
Expand Up @@ -209,6 +209,7 @@ param(
$rightsFullControl = [Security.AccessControl.FileSystemRights]::FullControl
$rightsModify = [Security.AccessControl.FileSystemRights]::Modify
$rightsReadExecute = [Security.AccessControl.FileSystemRights]::ReadAndExecute
$rightsAppend = [Security.AccessControl.FileSystemRights]::AppendData

Write-Output "Restricting write permissions to Administrators"
$builtinAdmins = Get-LocalizedWellKnownPrincipalName -WellKnownSidType ([Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid)
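Review bot: On the added `$rightsAppend` line, `FileSystemRights.AppendData` has the same value as `CreateDirectories`, so on the logs folder itself it lets Users create subdirectories, and on files that inherit it it lets them append to logs that already exist; it does not include `CreateFiles`/`WriteData`. If a non-admin run is the first one to need a given log file, that file cannot be created and the errors this commit wants to surface are still lost. Either have setup create the log files up front, or decide deliberately whether Users need file creation in that folder (keeping in mind that the same bit inherited onto files is `WriteData`), and add a comment stating which behaviour is intended.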
Expand Down Expand Up @@ -252,6 +253,15 @@ param(

# this is idempotent
(Get-Item $folder).SetAccessControl($acl)

# set an explicit append permission on the logs folder
$logsFolder = "$folder\logs"
Create-DirectoryIfNotExists $logsFolder
$logsAcl = (Get-Item $logsFolder).GetAccessControl('Access')
$usersAppendAccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($builtinUsers, $rightsAppend, $inheritanceFlags, $propagationFlags, "Allow")
$logsAcl.SetAccessRule($usersAppendAccessRule)
$logsAcl.SetAccessRuleProtection($false, $true)
(Get-Item $logsFolder).SetAccessControl($logsAcl)
} catch {
Write-ChocolateyWarning "Not able to set permissions for $folder."
}
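Review bot: The new logs-folder steps sit inside the existing try block, so a failure in `Create-DirectoryIfNotExists $logsFolder` or in the final `SetAccessControl($logsAcl)` is reported as "Not able to set permissions for $folder." even though the lock-down of `$folder` has already been applied by that point. Give the logs block its own try/catch, or a warning that names `$logsFolder`, so an operator can tell which ACL was not set. Separately, `$logsAcl.SetAccessRuleProtection($false, $true)` leaves inheritance enabled, which is already the default for a newly created subfolder; a one-line comment saying the intent is to keep inheriting the parent's restricted ACL and add only the append rule would make that call easier to review, since `$inheritanceFlags` and `$propagationFlags` are defined outside this hunk.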