-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Access to the path 'C:\ProgramData\chocolatey\config' is denied (after clean install + restart) #1048
Comments
@ohadschn Is this one I asked you to split off from a different issue? |
I don't think so, the only other choco discussion I've ever participated in was the tab completion issue.. |
I ask because you installed Chocolatey to the default location, which is locked down to administrators only. |
I just did what the installation page said, namely run this from an elevated PS window: Are you saying that this result is expected, and that I should always run |
The result is expected, and if you install to the default install location, you should always run choco from an elevated prompt. #1054 is set up to handle this messaging. |
Ah, I see. Perhaps that could be mentioned in the installation page as well? |
I could almost swear it is, maybe not in all of the sections it should be mentioned in. Right now, mentioned here in number 1 - https://chocolatey.org/install#non-administrative-install |
But perhaps put some considerations up prior to the install text so that folks will have had at least the opportunity to scroll past it, even if they don't read it the first time. |
Apologies, I never reached those sections, and even if I did I'd stop right after the line that said "This option should be a last resort and is considered to be an advanced scenario" :) It would be nice if this were mentioned in the vanilla basic installation text (you already have two notes there, maybe add a third), just my 2 cents.. |
👍 agreed. That's why a suggestion to mention it sooner. |
npm install -g doesnt have this issue, requiring running from elevated prompts all the time Why not adopt their policy? |
We are looking at something we can do here. Chocolatey doesn't require admin rights outside of the default installation directory (unless the program being installed requires it). |
My install was just like the OP, where I followed the installation instructions and ran from an elevated prompt. I believe it installed to its default folder, the ProgramData folder right? (I find it odd that it does require elevated priviledges in the first place when installed there) Good to know it's being considered |
I also experienced this just now. |
So I'm testing this now for using highestAvailable permissions. |
|
Same bad experience here. When I follow https://chocolatey.org/install I see how simple it is and I feel great - a one-line install! I expect A quick fix needed right now: after Running Chocolatey |
I like this. Not a quick fix per say, but that is how Chocolatey works. |
Here is simplest workaround: |
Hi this seems the problem created because access writes, it is work |
If the website was in the repo I'd make a PR now. |
@air the website does have a repo, but docs are in a different location. However, I think you are going to see with 0.10.4 this is unnecessary. It won't run by default unless you are running under elevated context. And we've made some changes to how that file gets written. |
Run cmd as administrator and try again. |
Thanks @lslayer Works like a charm on giving full control for the folder for the current user. |
I followed the install instruction and fell foul of this as well… |
Just had this issue. The install page already has an "Additional Considerations" section. This should definitely include something along the lines of @air 's suggestion. |
You have to run cmd as administrator, so just right click cmd and run as administrator. Run the command again and it should work. |
I was trying it in Powershell and running powershell as Administrator worked me. |
I understand how installing packages requires elevated privileges, but this error also pops up with |
@samhocevar you only have to run choco as admin one time to get config set. Then you can go back to non-admin for search and other items. |
I was able to reasonable resolve it. Appearently chocolatey tries to write data to this location: C:\ProgramData\chocolatey I was able to change it's security by extending read & excute rights to full controll for all users - I am only user so no security issue. Make sure to check inherit option box. PS. Please keep in mind that I was previously trying multiple options which didnt work. I have disabled eventually UAC, and still raised my cmd as admin. It didnt work, I have changed directory access rights to full control and than command choco install minikube --force was successful. Not sure if all steps required, I think full controll over choclatey dir should be enough. |
Choco needs an option to specify system or user install folders, or better, default to user and have -global as a flag to force installing to ProgamData.
…________________________________
From: PiotrGen <[email protected]>
Sent: Monday, July 13, 2020 3:28:22 AM
To: chocolatey/choco <[email protected]>
Cc: The Sharp Ninja <[email protected]>; Comment <[email protected]>
Subject: Re: [chocolatey/choco] Access to the path 'C:\ProgramData\chocolatey\config' is denied (after clean install + restart) (#1048)
I was able to reasonable resolve it.
Appearently chocolatey tries to write data to this location:
C:\ProgramData\chocolatey
I was able to change it's security by extending read & excute rights to full controll for all users - I am only user so no security issue. Make sure to check inherit option box.
PS. Please keep in mind that I was previously trying multiple options which didnt work. I have disabled eventually UAC, and still raised my cmd as admin. It didnt work, I have changed directory access rights to full control and than command
choco install minikube --force
was successful. Not sure if all steps required, I think full controll over choclatey dir should be enough.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#1048 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AD3GCLCCSBV65L3VVVNSQ53R3LASNANCNFSM4CWBUSVQ>.
|
You need to run Windows PowerShell as admin access |
I'm with @sharpninja ... like npm, choco should default to a per user installation as |
What's strange is that I'm running into this issue as admin
|
It may be due to an antivirus issue. |
just Run as administrator |
It makes no sense to require a privileged account for read-only queries to a non-secret database. Things like this encourage bad user habits. |
As I understand it, most things in C:\ProgramData require administrative access. Making an exception to that rule may have security concerns associated with it. |
Where does that understanding come from? According to Microsoft, that location is explicitly for applications to store data for standard users, because it does not require elevated permissions. |
Guess I must have been thinking of something else / got the wrong impression from somewhere. Thanks for the doc! 💖 |
If I were to guess, Chocolatey being in If I understand the overall problem being described here, and why admin is needed the first time: Chocolatey is attempting to read the config that doesn't exist. If the config doesn't exist then it will attempt to write the default config in its place. When you're not running as administrator this is a problem. A potential solution: Perhaps the |
It most certainly requires elevated privileges to write there, but not to read there. Non admin write privileges should only be assumed to be available in the user profile folder and it's children. |
As this issue was opened 5 years ago, there's a lot of bad and outdated information here. Yet the issue persists. Firstly it's important to note that the non-admnistrative install guide is very outdated, and is essentially useless. It recommends setting the chocolatey install path to C:\programdata. however, this has been the default install location since 0.9.8.24 so the guide is useless. Secondly, there are people suggesting to change the C:\programdata\chocolatey permissions to be modifiable by all users. This is a security risk and allows anyone or modify processes that execute as admin. and will leave people vulnerable to a privilege escalation attack. Errors writing to C:\programdata\chocolatey are still common to this day using chocolatey a standard user. This is especially frustrating if you pay for c4b and use chocolatey-agent as a solution to not providing all users administrative privileges. At current state, Chocolatey can only be reliably used by administrators (unless you plan to only install portablized software), and the only thing in this thread (modifying access rights to C:\programdata\chocoaltey) that somewhat helps, is a security risk. |
I fixed just by running my preferred console as Amdinstrator! |
After going through this issue it's clear there are a couple of issues that we look at fixing in the docs:
The original issue has been resolved by running in an administrator context. |
I don't really understand why this was closed. Nothing's been fixed. "resolved by running in an administrator context" is not a suitable solution for us C4B customers that pay money to be able to use chocolatey without administrator accounts. |
@nascentt Perhaps I am misunderstanding, but you are talking about running choco in administrative context by a normal user via the background service provided by Chocolatey Agent? And when running in this way, you are getting access denied error? |
You need to run choco as an admin at least once for operations like creating a package to work such that the default templates can be written the first time. After that things like If you're using choco in the enterprise, we've locked the If you have non-administrative users that need to be able to install/upgrade/uninstall software, this is where the Chocolatey Agent comes into play. By installing the Further to this, there is a In addition to that configuration you also have the ability to limit Uninstalls to only those that a non-admin user has performed themselves. What I mean by this is that if Bob, who is a non-admin in Engineering, uses choco to install the DWGTrueView application from Chocolatey, he has the ability to remove that application via choco. However, if you as the admin installed that application's package on his system, he would not have the ability to remove it, as he is not the one that installed the package. We take security pretty seriously here at Chocolatey, so hopefully I've explained why you're seeing these errors, and understand the steps to take to mitigate seeing those errors in the enterprise. |
I had the same issues with Powershell. I used the CMD with admin rights and was able to install the choco and related tools. |
Environment
Win10 64 bit (1607 build 14393.447)
UAC settings: default (notify me only when apps try to make changes to my computer)
What You Are Seeing?
From a non-elevated cmd shell:
This is not surprising seeing as when I try to create that folder manually, I am greeted with an OS admin access confirmation dialog. If I run the same command from an elevated prompt, everything works.
How Did You Get This To Happen? (Steps to Reproduce)
Installed Chocolatey from an elevated powershell windows, per the recommendation in https://chocolatey.org/docs/installation. Restarted the computer and executed the
choco install
command above.Output Log (debug + verbose)
The text was updated successfully, but these errors were encountered: