[TCQA] Update permissions for regular Win2022 agents. (#131)

* Add explicit set of permssions to regualr Windows 2022 agents.
JetBrains · Nov 27, 2023 · 1e13eea · 1e13eea
1 parent d932450
commit 1e13eea
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 1 deletion.
diff --git a/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile b/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile
@@ -95,6 +95,9 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # In order to set system PATH, ContainerAdministrator must be used
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F
 USER ContainerUser
 
 # Trigger first run experience by running arbitrary cmd to populate local package cache

diff --git a/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile b/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile
@@ -105,4 +105,7 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
-USER ContainerUser
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F
+USER ContainerUser
diff --git a/context/generated/windows/Agent/nanoserver/2022/Dockerfile b/context/generated/windows/Agent/nanoserver/2022/Dockerfile
@@ -85,6 +85,9 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # In order to set system PATH, ContainerAdministrator must be used
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F
 USER ContainerUser
 
 # Trigger first run experience by running arbitrary cmd to populate local package cache

diff --git a/context/generated/windows/Agent/windowsservercore/2022/Dockerfile b/context/generated/windows/Agent/windowsservercore/2022/Dockerfile
@@ -100,4 +100,7 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F
 USER ContainerUser