From 1e13eea71efa1276928ce72c2f05cf90e4853223 Mon Sep 17 00:00:00 2001
From: Andrey Koltsov
Date: Mon, 27 Nov 2023 18:39:52 +0100
Subject: [PATCH] [TCQA] Update permissions for regular Win2022 agents. (#131)
* Add explicit set of permssions to regualr Windows 2022 agents.
---
 configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile | 3 +++
 .../Agent/windowsservercore/WindowsServerCore2022.Dockerfile | 5 ++++-
 context/generated/windows/Agent/nanoserver/2022/Dockerfile | 3 +++
 .../windows/Agent/windowsservercore/2022/Dockerfile | 3 +++
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile b/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile
index fb707acb..5451a32e 100644
--- a/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile
+++ b/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile
@@ -95,6 +95,9 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # In order to set system PATH, ContainerAdministrator must be used
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F
 USER ContainerUser
 # Trigger first run experience by running arbitrary cmd to populate local package cache
diff --git a/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile b/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile
index 5e0b301f..568d6ce3 100644
--- a/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile
+++ b/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile
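Review bot: In the NanoServer2022.Dockerfile hunk, the two added `icacls` lines give Full control (`F`) on everything matched by `C:\\BuildAgent\\*` to the built-in `Users` group as well as to `DefaultAccount`, which is broader than the comment's stated goal of letting ContainerUser write there. `F` includes the right to change the ACL and take ownership, and the grant covers whatever lives under BuildAgent, including the `conf\buildAgent.properties` file named in the hunk header, so anything that later runs as ContainerUser (presumably including build steps) could modify those files. Consider Modify instead, e.g. `/grant:r DefaultAccount:(OI)(CI)M`, limited to the directories the agent has to write (which ones is not visible here), and drop the `Users` grant if it is not needed. The comment should also mention the `Users` grant and fix the typo `Contaiber` -> `Container`. The same three lines are added in the WindowsServerCore2022.Dockerfile hunk and in the two generated Dockerfiles.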
@@ -105,4 +105,7 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
-USER ContainerUser
\ No newline at end of file
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F
+USER ContainerUser
diff --git a/context/generated/windows/Agent/nanoserver/2022/Dockerfile b/context/generated/windows/Agent/nanoserver/2022/Dockerfile
index 28bfc1bc..a1e8ee08 100644
--- a/context/generated/windows/Agent/nanoserver/2022/Dockerfile
+++ b/context/generated/windows/Agent/nanoserver/2022/Dockerfile
@@ -85,6 +85,9 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 # In order to set system PATH, ContainerAdministrator must be used
 USER ContainerAdministrator
 RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet"
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F
 USER ContainerUser
 # Trigger first run experience by running arbitrary cmd to populate local package cache
diff --git a/context/generated/windows/Agent/windowsservercore/2022/Dockerfile b/context/generated/windows/Agent/windowsservercore/2022/Dockerfile
index 616b2ff2..a646ed89 100644
--- a/context/generated/windows/Agent/windowsservercore/2022/Dockerfile
+++ b/context/generated/windows/Agent/windowsservercore/2022/Dockerfile
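Review bot: In the WindowsServerCore2022.Dockerfile hunk, the added `icacls` lines pass `DefaultAccount:(OI)(CI)F` and `Users:(OI)(CI)F` unquoted, while the `RUN setx` line just above uses PowerShell syntax (`-f $env:PATH`), which suggests the active SHELL is PowerShell (the SHELL directive is outside the hunk). If so, PowerShell parses the parentheses before `cmd /c` sees them, and the grant may fail or not be applied as written. Quote the argument, e.g. `/grant:r 'DefaultAccount:(OI)(CI)F'`, and confirm in the build output that both ACEs were set. Separately, the `C:\\BuildAgent\\*` target matches the children of BuildAgent but not the directory itself, so entries created directly under it later would not inherit the grant; if that is intended, say so in the comment.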
@@ -100,4 +100,7 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \
 USER ContainerAdministrator
 RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME)
+# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F
+RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F
 USER ContainerUser