I am trying to amend the ACL on a file using icacls. I want this file to be owned by Administrator and be accessible to Administrator only. I found out how to make administrator the owner of the files, and I know how to remove a group from the security list but I don't know how to remove all groups but the administrator group if I don't know the name of the other groups.
I am looking for a way to tell Windows that I only want to let Administrator access the file and remove any other user/group if there is any.
I tried using the wildcard character but it doesn't work.
Here's my script:
$domain = [Environment]::UserDomainName
$user = [Environment]::UserName
icacls $myinvocation.mycommand.path /setowner "$domain\$user" /T
icacls $myinvocation.mycommand.path /grant "$domain\$user"
icacls $myinvocation.mycommand.path
In theory, you can use :r after grant (see Docs). However, in practice I couldn't make this work. I think :r means "Replace permisions only for the specified user".
I've tested the following solution in Powershell and it works fine though.
# Reset the folder to just it's inherited permissions
icaclsname c:\temp\test /reset
# Then, disable inheritance and remove all inherited permissions
icacls c:\temp\test /inheritance:r
# Note the :r after grant. It's not now needed, but I've left it in anyway.
# Permissions replace previously granted explicit permissions.
# Also note the :F, where : is escaped with `. This grants FULL CONTROL.
# You can replace F with whatever level of control is required for you.
icacls c:\temp\test /grant:r $domain\$user`:F
Related
I'm trying to setup a singularity container for an image processing application, and I need it to be able to save images to a specified directory. I had originally tried using a straight -B flag, but that seems to mount a directory as read only if the container wasn't being run as root. Is there a way to either make a bind r/w for any user, or would I need to use some sort of scratch directory or fusemount?
The write permissions for the bound directory match those on the host system. If you want anyone to be able to write to a given directory, set permissions on the host with chmod 777 dir_name. Keep in mind this will allow anyone to read, write and delete files in the directory. Consider adding users to a shared group and using group permissions (chmod g+rwX dir_name) if there are people using the server who should not have access.
If the directory has the right permissions but you still can't write to it when it's bound, you may want to use singularity --debug exec ... to see that everything is being correctly bound to the container.
I write the script directly.(Import-Module ActiveDirectory). It does not work.
Error Message:
(Failed to generate proxies for remote module 'ActiveDirectory'. Files cannot be loaded because running scripts is disabled on this system. Provide a valid certificate with which to sign the files).
Please, tell me the solution.
Also I've tried to execute the command Set-ExecutionPolicy Unrestricted in both cmd 32 and cmd 64.
var shell = PowerShell.Create();
shell.Commands.AddScript("New-Item -Path 'C:\\Distrib\\file.txt' -ItemType 'File'");
This script works:
(PowerShell powerShellInstance = PowerShell.Create())
{powerShellInstance.AddCommand(AppDomain.CurrentDomain.BaseDirectory + \\Powershell\\test.ps1");
test.ps1 does not work:
(New-Item -Path 'C:\\Distrib\\file.txt' -ItemType 'File')
This is not a PowerShell code issue. It is an environment setting.
If you are doing this in an enterprise, then your org has set the policy in your machine for a reason.
Though what JPBlanc would work, unless you have the ability to change this setting by your org admins at the machine level, then you can't change it anyway. You can change it for your user or process level. There are several levels to set for EP and this is well documented.
Set-ExecutionPolicy
Set-ExecutionPolicy
[-ExecutionPolicy] <ExecutionPolicy>
[[-Scope] <ExecutionPolicyScope>]
[-Force]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine
Get-ExecutionPolicy -List
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser RemoteSigned
LocalMachine RemoteSigned
There is little to no reason to ever use unrestricted for day to day PowerShell use case, especially at the machine level. I always recommend CurrentUser or Process.
So, create a new Powershell shortcut to startup using the CurrentUser or Proces scope using the RemoteSigned (which is the current default in Windows 10 even at the machine level).
Even when calling this thru code, use the CurrentUser or Process scope and RemoteSigned.
When I use command sudo vipw to edit my password file, It's always use vi as editor. I don't like this very much and want to change it to vim.
I already tried:
Add export EDITOR=/usr/local/bin/vim in /etc/profile.
But shell told me "export: Command not found". I thought the reason is export is built-in function only in bash. And I don't want to change my shell.
AddEDITOR=/usr/lcoal/bin/vim in default block of /etc/login.conf
Add setenv EDITOR vim in /root/.cshrc, /.cshrc, ~/.cshrc
All above didn't work at all.
I have google for hours but could not find anything help.
Your /etc/sudoers file doesn't keep your EDITOR environment variable.
I personally have an /etc/sudoers.d/local file, something like
# We don't need to worry about wheel users breaking in to get root access because they already have it.
Defaults:%wheel env_keep+="HOME EDITOR",!set_home,shell_noargs
I'm not sure why this isn't the default, since wheel users have already been given full access. But it's apparently prevailing wisdom to continue hassling them.
Note: If you're using an older /etc/sudoers file that doesn't support an /etc/sudoers.d directory, these lines can be dropped in there... or you could add #includedir /etc/sudoers.d as the last line of your /etc/sudoers file to enable an /etc/sudoers.d directory. Um, yes, the # is a required part of that line, because someone thought it was important for that directive to look like a comment.
Try adding this to the root user /root/.chsrc:
setenv EDITOR vim
or to set it globally to all users using shell tcsh/csh add it in /etc/csh.cshrc
From the man:
A login shell begins by executing commands from the system files /etc/csh.cshrc
and /etc/csh.login. It then executes commands from files in the user's home directory:
first ~/.tcshrc or, if ~/.tcshrc is not found, ~/.cshrc ...
Non-login shells read only /etc/csh.cshrc and ~/.tcshrc or ~/.cshrc on startup.
Also verify vim is installed since is not by default, you could try:
pkg install vim-console
setting the EDITOR or VISUAL environment variable is the key.
if you don't want to go to the trouble of modifying config files (which is indeed the long term solution) then you could sudo su - to get to the root prompt and then you could export EDITOR=/usr/bin/vim before running vipw
There is an empty file called .selected_editor in $HOME (/root).
Remove it and the next call to vipw will ask you to select the editor.
I have a strange situation, if I run a Docker project in Visual Studio 2017 I get an error saying: Cannot start service webapplication1: error while creating mount source path '/host_mnt/c/Users/MyUser/vsdbg/vs2017u5': mkdir /host_mnt/c/Users/MyUser/vsdbg/vs2017u5: permission denied
But, if I run the same project with the command docker-compose up -d it works.
It cannot be a permission issue only for Visual Studio.
I just had the same problem - found the solution at https://github.com/docker/for-win/issues/897
Basically, the problem is access to C:\Users\user\vsdbg - not to think too much I gave R/W access for Everyone to this one and C:\Users\user\.nuget, just in case, and it worked like a charm :)
For me absolutely nothing worked, including giving full rights to only the vsdbg and .nuget folders.
My setup is as follows:
I have a primary account called "User" onto which I'm currently
logged in and do my development work
I have a user called "DockerDiskSharing" with full admin rights,
which I intend to use for Docker to run with
What did the trick for me was:
I opened a command prompt with admin rights and added the DockerDiskSharing user to the docker-users group by running
net localgroups docker-users DockerDiskSharing /add
I went to Docker -> Settings -> Shared Drives, I clicked "Reset credentials" and added the DockerDiskSharing user's credentials. I ticked C drive (my main partition) and the D drive (where my project is located)
I opened a command prompt with admin rights and gave full access permissions to the entire Users/User folder by running:
icacls "C:\Users\User" /q /c /t /grant docker-users:F
Still unsure which folders in particular it needs permissions to read/write to though from Users/User...
For other readers getting here which have a forced setup where their primary windows user can't be local admin:
That doesn't work!
After trying out different workarounds, I gave up. Note that I have a local service account which is local admin. If you don't have that, and are not a local admin, I guess you're screwed.
So:
I reset my Docker shared drive, mounted it again with my primary windows credentials
I added my primary user to the local administrators group
And now it works :)
I have managed to extract all attachments from emails being delivered to a certain email to a public folder on my linux server (using postfix->procmail->uudeview). Unfortunately the files themselves are saved with the permissions restricted to the system user that the files were sent to (called 'scans').
How can I build a "chmod 777 /path/to/folder/*.pdf" into my setup so that the files (which are coming from my scanner) are available to anyone?
Is there a better way to do this?
Regards
Frank
Whatever it is that you are doing, chmod 777 is so misdirected as to lose your computer driver's license. It is a serious security problem to make files world-writable and executable.
You are probably looking for Procmail's UMASK variable. If permissions are too tight, set a more relaxed UMASK before delivering. Example:
:0
* some conditions
{
UMASK=003
:0
| uudeview --whatever
}
The umask system call can only strip permissions, not add them. Typically, a C program tries to create a data file using mode 0666 and then the umask is applied, often yielding something like 0644 (meaning the effective umask was something like 0022 or 0033). On Linux, the directory's permissions also somewhat influence the permissions of newly created files. But we are venturing outside of Procmail here. Perhaps you can achieve the end result you require by combining the UMASK facility of Procmail with directory permissions.
If the "attachments" you are extracting are not MIME attachments but actual uuencode, note also that the encoding specifies permissions for every encoded file. If the begin line says 644 then you might have to change that. Procmail to the rescue again!
:0
* some conditions
{
UMASK=003
| sed 's/^begin [0-7][0-7][0-7][0-7]* /begin 664 /' | uudeview --whatever
}
In the end, if even this doesn't help, it may come down to modifying uudeview, perhaps by tweaking its source, or by creating a wrapper which fixes up permissions after writing.