From 32172a6aac81efd61db4f7d5348b7c158332cd08 Mon Sep 17 00:00:00 2001 From: Andrey Koltsov Date: Mon, 25 Mar 2024 16:22:25 +0300 Subject: [PATCH] [TW] Windows 2022 Docker images: update the execution of file permission policies change (#141) [TW] Windows 2022 Docker images: update the execution of file permission policies change (#141) * Add explicit verification of ACLs. * Update 'icacls' syntax for the set up of permissionss. * Apply permission to all build-in groups. * Re-generate configurations. --- .../Agent/nanoserver/NanoServer2022.Dockerfile | 11 +++++++---- .../WindowsServerCore2022.Dockerfile | 9 ++++++--- .../MinimalAgent/nanoserver/NanoServer2022.Dockerfile | 10 +++++++--- .../Server/nanoserver/NanoServer2022.Dockerfile | 11 +++++++---- .../windows/Agent/nanoserver/2022/Dockerfile | 11 +++++++---- .../windows/Agent/windowsservercore/2022/Dockerfile | 9 ++++++--- .../windows/MinimalAgent/nanoserver/2022/Dockerfile | 10 +++++++--- .../windows/Server/nanoserver/2022/Dockerfile | 11 +++++++---- 8 files changed, 54 insertions(+), 28 deletions(-) diff --git a/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile b/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile index 933cb705..f695b682 100644 --- a/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile +++ b/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile @@ -92,12 +92,15 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \ # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance NUGET_XMLDOC_MODE=skip -# In order to set system PATH, ContainerAdministrator must be used +# Use ContainerAdministrator to update permissions and PATH USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet" -# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, F - full control -RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F -RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete (critical for upgrade), /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* USER ContainerUser # Trigger first run experience by running arbitrary cmd to populate local package cache diff --git a/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile b/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile index a7b2f043..dc874dad 100644 --- a/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile +++ b/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile @@ -105,7 +105,10 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \ USER ContainerAdministrator RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME) -# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, F - full control -RUN cmd /c icacls.exe "C:\\BuildAgent\\*" /grant:r 'DefaultAccount:(OI)(CI)F' -RUN cmd /c icacls.exe "C:\\BuildAgent\\*" /grant:r 'Users:(OI)(CI)F' +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'DefaultAccount:(OI)(CI)F' /grant:r 'DefaultAccount:(OI)(CI)D' /T +RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'Users:(OI)(CI)F' /grant:r 'Users:(OI)(CI)D' /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* USER ContainerUser diff --git a/configs/windows/MinimalAgent/nanoserver/NanoServer2022.Dockerfile b/configs/windows/MinimalAgent/nanoserver/NanoServer2022.Dockerfile index e0d13982..98281f08 100644 --- a/configs/windows/MinimalAgent/nanoserver/NanoServer2022.Dockerfile +++ b/configs/windows/MinimalAgent/nanoserver/NanoServer2022.Dockerfile @@ -84,10 +84,14 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \ COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent +# Use ContainerAdministrator to update permissions USER ContainerAdministrator -# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, F - full control -RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F -RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* USER ContainerUser VOLUME C:/BuildAgent/conf diff --git a/configs/windows/Server/nanoserver/NanoServer2022.Dockerfile b/configs/windows/Server/nanoserver/NanoServer2022.Dockerfile index eecc5c7d..7cfa7a11 100644 --- a/configs/windows/Server/nanoserver/NanoServer2022.Dockerfile +++ b/configs/windows/Server/nanoserver/NanoServer2022.Dockerfile @@ -118,10 +118,13 @@ VOLUME $TEAMCITY_DATA_PATH \ CMD ["pwsh", "C:/TeamCity/run-server.ps1"] -# In order to set system PATH, ContainerAdministrator must be used +# Use ContainerAdministrator to update permissions and PATH USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd" -# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, F - full control -RUN cmd /c icacls.exe C:\\TeamCity\\* /grant:r DefaultAccount:(OI)(CI)F -RUN cmd /c icacls.exe C:\\TeamCity\\* /grant:r Users:(OI)(CI)F +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\TeamCity\\* USER ContainerUser \ No newline at end of file diff --git a/context/generated/windows/Agent/nanoserver/2022/Dockerfile b/context/generated/windows/Agent/nanoserver/2022/Dockerfile index 4a516192..015047de 100644 --- a/context/generated/windows/Agent/nanoserver/2022/Dockerfile +++ b/context/generated/windows/Agent/nanoserver/2022/Dockerfile @@ -82,12 +82,15 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \ # Skip extraction of XML docs - generally not useful within an image/container - helps perfomance NUGET_XMLDOC_MODE=skip -# In order to set system PATH, ContainerAdministrator must be used +# Use ContainerAdministrator to update permissions and PATH USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd;C:\Program Files\dotnet" -# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, F - full control -RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F -RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete (critical for upgrade), /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* USER ContainerUser # Trigger first run experience by running arbitrary cmd to populate local package cache diff --git a/context/generated/windows/Agent/windowsservercore/2022/Dockerfile b/context/generated/windows/Agent/windowsservercore/2022/Dockerfile index ae1aad85..47dede07 100644 --- a/context/generated/windows/Agent/windowsservercore/2022/Dockerfile +++ b/context/generated/windows/Agent/windowsservercore/2022/Dockerfile @@ -100,7 +100,10 @@ ENV CONFIG_FILE="C:\BuildAgent\conf\buildAgent.properties" \ USER ContainerAdministrator RUN setx /M PATH ('{0};{1}\bin;C:\Program Files\Git\cmd;C:\Program Files\Mercurial' -f $env:PATH, $env:JAVA_HOME) -# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, F - full control -RUN cmd /c icacls.exe "C:\\BuildAgent\\*" /grant:r 'DefaultAccount:(OI)(CI)F' -RUN cmd /c icacls.exe "C:\\BuildAgent\\*" /grant:r 'Users:(OI)(CI)F' +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'DefaultAccount:(OI)(CI)F' /grant:r 'DefaultAccount:(OI)(CI)D' /T +RUN cmd /c icacls.exe "C:\\BuildAgent" /grant:r 'Users:(OI)(CI)F' /grant:r 'Users:(OI)(CI)D' /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* USER ContainerUser diff --git a/context/generated/windows/MinimalAgent/nanoserver/2022/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/2022/Dockerfile index e77a8ec8..32521417 100644 --- a/context/generated/windows/MinimalAgent/nanoserver/2022/Dockerfile +++ b/context/generated/windows/MinimalAgent/nanoserver/2022/Dockerfile @@ -77,10 +77,14 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \ COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent +# Use ContainerAdministrator to update permissions USER ContainerAdministrator -# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, F - full control -RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F -RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\BuildAgent /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\BuildAgent\\* USER ContainerUser VOLUME C:/BuildAgent/conf diff --git a/context/generated/windows/Server/nanoserver/2022/Dockerfile b/context/generated/windows/Server/nanoserver/2022/Dockerfile index 8e335bdf..74c16839 100644 --- a/context/generated/windows/Server/nanoserver/2022/Dockerfile +++ b/context/generated/windows/Server/nanoserver/2022/Dockerfile @@ -114,10 +114,13 @@ VOLUME $TEAMCITY_DATA_PATH \ CMD ["pwsh", "C:/TeamCity/run-server.ps1"] -# In order to set system PATH, ContainerAdministrator must be used +# Use ContainerAdministrator to update permissions and PATH USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd" -# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, F - full control -RUN cmd /c icacls.exe C:\\TeamCity\\* /grant:r DefaultAccount:(OI)(CI)F -RUN cmd /c icacls.exe C:\\TeamCity\\* /grant:r Users:(OI)(CI)F +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Container Inherit, ... +# ... F - full control, D - delete, /T - apply to subfolders & files +RUN cmd /c icacls.exe C:\\TeamCity /grant:r DefaultAccount:(OI)(CI)F /grant:r DefaultAccount:(OI)(CI)D /T +RUN cmd /c icacls.exe C:\\TeamCity /grant:r Users:(OI)(CI)F /grant:r Users:(OI)(CI)D /T +# Applied permission check for logging purposes +RUN cmd /c icacls.exe C:\\TeamCity\\* USER ContainerUser