Temp location can change unexpectedly when using System credentials #2044
Comments
|
I modified I can't submit a PR because I can't sign the CLA (due to a technical problem reason, not legal reasons), but it should work. |
|
Can you see if setting cacheLocation removes this entirely? I'm guessing (without looking) that you are grabbing the current temp and then setting it back? Is the clahub down? Looks lime we'll need an alternate means of CLA signing. 😢 |
|
Actually, I suspect And yes, clahub appears to be down. |
|
@teknowledgist we've just fixed the CLA issue - see #2036. |
|
Found this thread as a result of having issues installing anaconda3 with choco in PS DSC. Many other choco packages in the same DSC install fine, except anaconda3. Even tried setting the --cache-location in choco settings, and providing as parameter for installing anaconda3, but the download still goes to C:\WINDOWS\system32\config\systemprofile\AppData\Local\Temp\anaconda3\ and hence installation fails: Logs: After manually rebooting the VM, the same installation picks up correct cache location and succeeds. |
(chocolateyGH-2044) This fixes a problem when a package is installed under the System credentials (typically how centralized management software -- e.g. SCCM -- operate): Running as `SYSTEM`, the `$env:Temp` variable is normally *C:\Windows\Temp*. If the **first** package to ever use `Update-SessionEnvironment.ps1` happens to be running as `SYSTEM`, the location of `$env:Temp` changes to *C:\Windows\system32\config\systemprofile\AppData\Local\Temp* for the duration of the session. This change to `$env:Temp` does not occur in subsequent calls to `Update-SessionEnvironment.ps1`. It is unknown why this change occurs at all and likewise is unknown why it occurs for only the first time. The `Update-SessionEnvironment.ps1` normally gives priority to user-scope environment variables over machine-scope environment variables. Changes in this commit eliminates the gathering of the `User` scope environment variables when running as the `SYSTEM` account on the belief that reason to be operating under the `SYSTEM` account is to do machine-wide activities, and there is no reason to see `SYSTEM` as a "user". On a clean system, the only User-scope environment variables under `SYSTEM` are *path*, *temp*, and *tmp* which are already defined under the Machine-scope, and in general, there shouldn't be any new User-scope variables for the SYSTEM account because it's not a "normal" account. Basically, there should be little reason to expect this change to break anything.
Running as `SYSTEM`, the `$env:Temp` variable is normally *C:\Windows\Temp*. If the **first** package to ever use `Update-SessionEnvironment.ps1` happens to be running as `SYSTEM`, the location of `$env:Temp` changes to *C:\Windows\system32\config\systemprofile\AppData\Local\Temp* for the duration of the session. This change to `$env:Temp` does not occur in subsequent calls to `Update-SessionEnvironment.ps1`. It is unknown why this change occurs at all and likewise is unknown why it occurs for only the first time. The `Update-SessionEnvironment.ps1` normally gives priority to user-scope environment variables over machine-scope environment variables. Changes in this commit eliminates the gathering of the `User` scope environment variables when running as the `SYSTEM` account on the belief that reason to be operating under the `SYSTEM` account is to do machine-wide activities, and there is no reason to see `SYSTEM` as a "user". On a clean system, the only User-scope environment variables under `SYSTEM` are *path*, *temp*, and *tmp* which are already defined under the Machine-scope, and in general, there shouldn't be any new User-scope variables for the SYSTEM account because it's not a "normal" account. Basically, there should be little reason to expect this change to break anything.
…GH2112 * 'GH2112' of https://github.com/steviecoaster/choco: (chocolatey#2112) Add msp support to Install helper (maint) Switch to using a Regex match (maint) Change formatting (maint) Remove use of PowerShell aliases (maint) Replace " with ' (chocolatey#2044) Fix for changing $env:Temp (chocolatey#2259) Switched to versioned NuGet.Core (chocolatey#2111) Deep copy config (chocolatey#2244) Add Mac build into main workflow (chocolatey#2238) Mono build don't hardcode xbuild path (maint) Fix artifact paths on AppVeyor (chocolatey#2244) Fix syntax for running on Windows (chocolatey#2244) Initial workflow for Windows and Ubuntu (doc) Remove Mono instructions for other distributions (doc) Add Ubuntu 20.04 mono install instructions (chocolatey#2227) Bump Mono version in Dockerfile and README (chocolatey#2236) Mono test work with merged usr systems (chocolatey#2190) Clarify help for SpecificFolder parameter (chocolatey#1962) Use different message on error (chocolatey#1861) Improves terminology in help documentation (chocolatey#1998) Add authorization header to Get-WebFile (maint) Repalce RawGit with raw.githack.com CDN (chocolatey#1899) Remove unused variables (chocolateyGH-1060) Add BeforeInstall parameter to Install-ChocolateyPackage.ps1 (maint) Improve log message (chocolateyGH-2092) Take all registry keys into account (chocolateyGH-1364) Template create .nuspec encoded without BOM (chocolatey#1866) Limit pending package removal to top level (chocolateyGH-2203) Get-ChocolateyUnzip add unzipLocation alias (chocolateyGH-1889) Fix: Removal of ApiKey broken (chocolatey#2114) Remove unused variable (chocolateyGH-2048) update deprecation note to outdated (maint) Spelling and grammar fixes (maint) Replace tabs with spaces (chocolatey#2078) Skip importing Chocolatey GUI Extension (chocolatey#2227) Use latest Mono and Ubuntu on Travis (chocolatey#2205) Remove mention of private repository (chocolatey#2205) Update remaining URLs to new location (maint) Remove unnecessary whitespace (chocolatey#2231) Change default repository URL (maint) Remove unnecessary whitespace (chocolatey#2205) Update all chocolatey.org/docs URLs (maint) Remove unnecessary whitespace (chocolatey#2205) Update automatic-packages docs links (doc) Update to prefer # rather than GH- (maint) Fix replacement (maint) Revert change to earlier commit (maint) Fix spelling mistake (maint) Fix spelling mistake (doc) Update script to Statiq format (maint) Add missing backtick in example (maint) Added explicit link to new function name (maint) Fix spelling mistake (maint) Fix spelling mistake (maint) Fix spelling mistake (maint) Fix spelling mistake (maint) Fix spelling mistake (maint) Fix spelling mistake (maint) Remove generated docs files (maint) Add docs/generated folder to ignore list (chocolateyGH-2105) Update link to Chocolatey workshop
gep13
changed the title
What You Are Seeing?
The value of
$env:Tempwhen running as SYSTEM changes for the session in whichGet-ToolsLocationis first run. (I encountered this problem withGet-ToolsLocationand wrote most of this around that, but really any other script/function that callsUpdate-SessionEnvironmentwill create the same problem.)Running as SYSTEM, the
$env:Tempvariable is normallyC:\Windows\Temp. If the first package to ever useGet-ToolsLocationhappens to be running as SYSTEM, the location of$env:Tempchanges toC:\Windows\system32\config\systemprofile\AppData\Local\Tempfor the duration of the session. This appears to cause some packages to fail (for unknown reasons).Future sessions have the correct
$env:Tempregardless of calls toGet-ToolsLocation.What is Expected?
$env:Tempshouldn't change (especially in the middle of the ChocolateyInstall.ps1) unless it is requested by the user.How Did You Get This To Happen? (Steps to Reproduce)
Everyday users won't be running Chocolatey as SYSTEM, but most centralized desktop management software will. To test this manually requires opening cmd or PoSh windows as SYSTEM as follows:
pstools /s /i cmd.exe(orpstools /s /i powershell). (If using runassystem, double click and enter either cmd.exe or powershell.)From the new console window now running as SYSTEM, you can attempt to install the anaconda3 package (
choco install anaconda3). It will fail with the new path displaying. (If you try it again, in a new window -- as SYSTEM -- it will work.) (There may be other packages broken by this, but it would be a PITA to test.)Easier to see the change is to reset the system and:
Install the chocolateypowershell utility package
Open the chocolateypowershell console (as SYSTEM), check the
$env:temppath, runGet-ToolsLocationand again check$env:temp. The output of that is as follows:[ChocolateyPS] C:> $env:temp
C:\Windows\TEMP
[ChocolateyPS] C:> get-toolslocation
C:\tools
[ChocolateyPS] C:> $env:temp
C:\Windows\system32\config\systemprofile\AppData\Local\Temp
If you open a second chocolateypowershell console, and repeat the commands above, $env:temp does not change. (It only changes the first time.)
The problem stems from the
Set-Item "Env:$($_)" -Value (Get-EnvironmentVariable -Scope $scope -Name $_)line (line 74) in the Update-SessionEnvironment.ps1 script.Although
C:\Windows\system32\config\systemprofile\AppData\Local\Tempis the$env:tempvalue for the SYSTEM user, until Update-SessionEnvironment runs (and for the first time only) as SYSTEM,$env:Tempis always the value from the Machine or Process scope. I have no idea why.I suspect this could be easily fixed by skipping updating environment variables for the User scope when running as SYSTEM. When Chocolatey is run as SYSTEM, clearly the intent is to do machine-wide activities, and there is no reason to see SYSTEM as a "user". On a clean system, the only User scope environment variables under SYSTEM are
path,temp, andtmp, and in general, there shouldn't be any new ones for the SYSTEM account because it's not a "normal" account.Thanks.
(Edit: clarity)
The text was updated successfully, but these errors were encountered: