I am creating an msi-package of a Windows service using Wix. I want to run the service under a regular user account without administrative priviliges. For better security I want to put the files of the service in the personal user folders (such as AppData\Local\Programs\CompanyName... for binaries and AppData\Local\CompanyName... for config and data files) with the appropriate file access permissions for the user. I imagine the following scenario:
Start the msi in the per-machine context.
During the client stage of the installation ask for the user name and password.
During the server stage of the installation:
a) create the user
b) change to its context and install the program files to ProgramFilesFolder and the data files to LocalAppDataFolder
c) change back to the admin context and install and configure the service to be run under the user account
I am stuck at the step 3 b) as from what I've learned I can't change the installation context after switching to the server side of the installation. Please could you advice me on how I could achive my goal described in the first lines. In particular if I have to copy files to another user's personal folders, what would be the most reliable way to get their paths? Or maybe I am wrong and installing a service into a personal user folder is bad practice at all?
I am aware of the presence of the built-in Local Service account but would like to narrow the service context even more.
The local appdata folder is the problem. If you create a user account the user folders aren't created until the user does an interactive login, and even then in some environments it may be redirected via policy. I am unaware of any reason that local data is better (in a security sense) then the ProgramFiles folder, which is write-restricted to administrators. I'd just install the service binaries to ProgramFiles. In the UI you can collect credentials and use them when the service is installed. A problem with using external credentials is that things like Repair and sometimes patching will fail unless you have the credentials available, having saved them somewhere safe, because otherwise the property values you use will be empty on repair. If localservice works then use it.
It normally doesn't matter what privileges a service has because it usually knows what it's doing. It's only an issue if it calls unknown external code that may try to do something bad, or if it gets asked to do random things such as "run this program" or "copy this file" without doing any internal validation or having a whitelist of what it's allowed to do. So it might be useful to know if there's a specific problem you're trying to address or just following good practices.
I don't think you're being overcautious, service isolation is definitely a good goal. If you can require Win7/2008R2 or later, then you can run the service under a virtual account. There is no password required for virtual accounts, and they don't have the ability to completely wreck the machine like SYSTEM does. You should be able to use it like this:
<ServiceInstall Account="NT SERVICE\$(var.ServiceName)" Name="$(var.ServiceName)".../>
It's actually better for the service executables to be in Program Files, that way the service can't modify its own exe.
Related
Is it possible to somehow serialize current Thingsboard (let's call it TBoard) configuration, save it and than latter load saved configuration on TBoard startup.
I am specifically interested in loading device profiles, rule chains, and dashboards.
I want to save configuration together with my project in git repository so than latter I could just use docker-compose to start multiple services from project (let's call them sensors) and single TBoard instance with saved configuration which will be used for collecting telemetry from sensors and drawing dashboards.
Another reason for saving configuration is what happens if for some reason TBoard container crashes or somehow get corrupted so it can't be started again, would I have to click on the things again in order to create all device profiles, dashboards, configure rule chains ... etc etc ... ?
Regarding this line
I am specifically interested in loading device profiles, rule chains, and dashboards. I want to save configuration together with my project in git repository
I have just recently implemented version control for my Thingsboard deployment. The way i am doing it is with the python REST client.
I have written functions to export all dashboards/data converters/integrations/rule chains/widgets into json files which I save into a github repository.
I have also written the reverse script to push the stored files to a fresh environment, essentially "flashing" it. Surprisingly, this works perfectly.
I have an idea to publish this as a package, but it's something I've never done before so I'm unsure if I will get to it.
Just letting you know that it is definitely possible to get source control operational via the API.
I use jenkins project-based matrix security.
I have this folder structure (jenkins folders):
folder1/subfolder1A/jobA1
folder1/subfolder1A/jobA2
folder1/subfolder1B/jobB
folder2/subfolder2C/jobC
I can't seem to find a way to give access to a particular user only to subfolder1A or to jobA2 etc.
I tried almost every combination of permissions, the only one that works requires me to add the job readpermission to the user for the root folder1. The permission is inherited and they can now see everything in subfolder1A and subfolder1B etc.
If i don't do that, they see nothing. But If I do that, they have access to all subfolders of folder1 and all their jobs (with read permissions).
Do you know any configuration that would allow a user to access only subfolderA or jobA1 ?
I use the latest jenkins 2.x (2.13 at the time of writing, I'll update to 2.14 possibly today)
I know its too late to answer your question however this might be helpful for others.
You can give access up to one level deep to sub folders using Role Based Access Control plugin. In your case, assume if you want to grant an access to subfolder1A and restrict all other sub-folders then you can create Project Role and use following pattern:
folder1(/subfolder1A.*)?
Suppose, you want to provide access to both subfolder1A and subfolder1B and restrict other sub-folders, then use following pattern:
folder1(/subfolder1A.*|/subfolder1B.*)?
This will allow you to control nested folders up to one level.
Hope this will be useful.
I'm trying to setup Nightly Backups for my TFS 2012.4 development box going off to another server, but it's failing.
The server is has SQL Express and TFS Express on it, trying to send the backups over to a network path on another share.
When going through the Wizard it will successfully pass all of the Readiness Checks, including permissions. It will fail when it tries to run the backup job for the first time under Confirming Permissions.
Error is:
TF401002: The SQL Server Database Engine failed to save the database
backup to path \[share]\c$\TFSBackup. Please grant SQL service
account read/write access to that folder.
I've tried adding "Everyone" with full control to the folder on the backup server, but it still fails with the same error.
Added the full log to http://pastebin.com/80PrYXqx
This may be a problem with using the administrative share path of c$. I suggest you go to your [share] server and make the TFSBackup folder a shared folder, and give your share the appropriate permissions.
Then you can change this:
\\[share]\c$\TFSBackup
To something like this(depending on what you name your share):
\\[share]\TFSBackup$
I know it's an old post, but just incase anyone else has issues. I had the same issue configuring backups. The following resolved it for me:
1) Open up "Services" and note the "Log On As" user for "Sql Server" and "Sql Server Agent"
2) On the folder that your backups are being saved to, go to Properties -> Security -> Edit
3) Add the users from #1, and check "Full Control", Save
We use Jenkins and Active Directory plugin for authentication.
For some reason, I need to add a specific account in Jenkins but not in Active Directory.
Is it possible to use both Active Directory and internal user ?
If it's impossible, I think I can modify the plugin to add an account in it.
I know it's not a good idea, but we need this function.
I think it's in ActiveDirectoryAuthenticationProvider.java's retrieveUser() function.
If you have Jenkins deployed to an app server and the app server supports your use case, you can use the "Delegate to servlet container" option in the Security Realm.
You might be able to utilize the Script Security Realm Plugin
How does ASP.NET MVC, if at all, deal with or provide ways to create your application using multiple environments? For example:
Development environment (local machine, probably run via the built-in web server and talking to a local database)
Testing (runs against a preloaded databse with example data, although this part could be skipped and mocks could be used)
Production database on a real server with real data
Ruby on Rails has the concept of environments and "automagically" can deduce if you're in development or production, so you can specify your connection information (connection string) in a config file and the framework dynamically pulls the appropriate one. Is there a similar way of doing things with .NET MVC? If not then how are professional developers using .NET MVC handling different environments?
The only way I can think of is to manually add an "environment" global method (or use an enum, or something like that, maybe this is a use for something like the State pattern?) and store the different connection strings in the web.config file, and then create a base class which all data access classes derive from which provides a way to obtain the connection string for the current environment; this would then have to be set to production when the time comes to put the application live.
Is there another way? Most of the .NET MVC videos and articles I've seen don't even bother with separate environments but only use a development database and don't indicate how you do it in production.
I'd say this is really a question of your company's internal processes. Since every company is a little bit different it's hard to have a "right" generic way to support dev/test/alpha/production and/or other environments.
One way: Create a setup program that supplies the correct connection string based on the environment chosen during the setup process.
Another way: System Admin edits web.config file to supply correct connection string during install.
Yet ANother Way: Connection strings are stored in the system registry.
Even Another Odd Way: You have all your connection strings for all environments in web.config, then a setting in appSettings the tells you which one to use.
Depending on the client, I've done all of these. There are more but these are the more popular.
(One client wanted to store the connecting string in the data base itself. Really.)
You can use alias for your database. You just point these aliases to different servers in the different environments. Stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\Connect if i remember right. Then you use the alias in the connectionstring.
In response to Jason's response:
We use Enterprise Library Environments to configure the different environment paramters and via msbuild invoke the Merge Configuration Tool that generates the different configs for each environment. The deploy process picks the right config file depending on which environment to install.
I was able to solve a similar situation following these steps:
In your Visual Studio, access Build > Configuration Manager
Click in "new"
Choose a name for your configuration, and then copy settings from an existing config. After the configuration creation, it will be available for you to target as build configuration
Create a Web.{env-name-you-chose}.config in your application folder, along with the original Web.config file.
Open your .csproj file with Visual Studio or any text editor
Search for a section that looks like the following and add the highlighted lines, with the config file name you gave previously:
Open your Visual Studio, reload projects if it's required, and now you are able to choose your configuration via CLI or manual publish using Visual Studio.
There is a Publishing Wizard (in Visual Studio) wich let's you change parts of web.config for release build automaticaly. Wich happens to be the feature you are asking about. No magic thou.
What we have done is during our automated build process (Hudson), we alter values in web.config depending on which environment the build is for. Unfortunately there isn't a magical way to do this.
For deployment, which I assume that is what the op was asking about, one creates multiple configurations and in the publish, picks a different configuration. These are called transforms and they operate on the web.config. One would have at least three publish profiles, one for dev, test and prod. One can change more than just the connection string in this way. One can turn on custom errors, turn off debugging and change values of configuration variables. I highly recommend it.
I have a similar question. I have a log table reader. I want it to read log tables in the development, test and production databases. The major difficulty lies in my user account doesn't have permission to look at test and production. It's some silly security thing. The user that I'm impersonating in the application does have permission. I'm struggling trying to tell MVC to build the test and production models using the impersonated user.