From d932450595c72a7aa3ca0b73b6a7227de45f9faa Mon Sep 17 00:00:00 2001 From: Andrey Koltsov Date: Mon, 27 Nov 2023 15:07:43 +0100 Subject: [PATCH] [TCQA] Change Permissions @ Windows 2022 images (#130) * Update dockerfiles - add permission for 'Users' and `DefaultUser` groups. --- configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile | 1 + .../windowsservercore/WindowsServerCore2022.Dockerfile | 1 + .../MinimalAgent/nanoserver/NanoServer2022.Dockerfile | 6 ++++++ configs/windows/Server/nanoserver/NanoServer2022.Dockerfile | 3 +++ context/generated/windows/Agent/nanoserver/2022/Dockerfile | 1 + .../windows/Agent/windowsservercore/2022/Dockerfile | 1 + .../windows/MinimalAgent/nanoserver/2022/Dockerfile | 6 ++++++ context/generated/windows/Server/nanoserver/2022/Dockerfile | 3 +++ 8 files changed, 22 insertions(+) diff --git a/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile b/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile index e7b5c015..fb707acb 100644 --- a/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile +++ b/configs/windows/Agent/nanoserver/NanoServer2022.Dockerfile @@ -26,6 +26,7 @@ FROM ${powershellImage} AS dotnet USER ContainerAdministrator COPY scripts/*.cs /scripts/ + SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] # Based on ${teamcityWindowsservercoreImage} diff --git a/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile b/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile index f869e1ee..5e0b301f 100644 --- a/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile +++ b/configs/windows/Agent/windowsservercore/WindowsServerCore2022.Dockerfile @@ -83,6 +83,7 @@ EXPOSE 9090 VOLUME C:/BuildAgent/conf +USER ContainerUser CMD ["powershell", "./BuildAgent/run-agent.ps1"] # Configuration file for TeamCity agent 
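Review bot: The added `USER ContainerUser` in WindowsServerCore2022.Dockerfile changes the account the agent and its build steps run as, but the hunk carries no comment and, unlike the MinimalAgent change in this commit, shows no ACL grant that makes `C:/BuildAgent` writable for that account. If such a grant does not come from a base image or an earlier instruction outside this hunk, `run-agent.ps1` may be unable to write under `C:/BuildAgent/conf`, so it is worth confirming with a container start as part of the image checks. A comment such as `# Run the agent as the unprivileged ContainerUser; builds that need elevation must start the container with --user ContainerAdministrator` would record the intent and the behaviour change for image users. The file appears to continue past the hunk, so any instruction after this line also runs as ContainerUser.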
diff --git a/configs/windows/MinimalAgent/nanoserver/NanoServer2022.Dockerfile b/configs/windows/MinimalAgent/nanoserver/NanoServer2022.Dockerfile index c6bd4018..9fb53b23 100644 --- a/configs/windows/MinimalAgent/nanoserver/NanoServer2022.Dockerfile +++ b/configs/windows/MinimalAgent/nanoserver/NanoServer2022.Dockerfile @@ -84,6 +84,12 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \ COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent +USER ContainerAdministrator +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control +RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F +RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F +USER ContainerUser + VOLUME C:/BuildAgent/conf VOLUME C:/BuildAgent/work VOLUME C:/BuildAgent/temp diff --git a/configs/windows/Server/nanoserver/NanoServer2022.Dockerfile b/configs/windows/Server/nanoserver/NanoServer2022.Dockerfile index d2543b40..73857962 100644 --- a/configs/windows/Server/nanoserver/NanoServer2022.Dockerfile +++ b/configs/windows/Server/nanoserver/NanoServer2022.Dockerfile @@ -121,4 +121,7 @@ CMD ["pwsh", "C:/TeamCity/run-server.ps1"] # In order to set system PATH, ContainerAdministrator must be used USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd" +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control +RUN cmd /c icacls.exe C:\\TeamCity\\* /grant:r DefaultAccount:(OI)(CI)F +RUN cmd /c icacls.exe C:\\TeamCity\\* /grant:r Users:(OI)(CI)F USER ContainerUser \ No newline at end of file diff --git a/context/generated/windows/Agent/nanoserver/2022/Dockerfile b/context/generated/windows/Agent/nanoserver/2022/Dockerfile index b72ee86e..28bfc1bc 100644 --- a/context/generated/windows/Agent/nanoserver/2022/Dockerfile +++ b/context/generated/windows/Agent/nanoserver/2022/Dockerfile 
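Review bot: The two added `icacls` lines in the MinimalAgent hunk grant `F` (full control) with `(OI)(CI)` inheritance to both `DefaultAccount` and the whole `Users` group over everything under `C:\BuildAgent`, which is broader than the stated goal needs, since full control also carries the rights to change permissions and take ownership. Modify is likely enough and keeps the ACLs themselves under administrator control, e.g. `RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)M`, ideally limited to the directories the agent writes to (the hunk declares `conf`, `work` and `temp` as volumes) and to a single principal. The same applies to the `C:\\TeamCity\\*` grants in the Server hunk, where the grant leaves the server's own installation tree, including `run-server.ps1`, writable by the unprivileged runtime account; the files under `context/generated/` repeat both changes. Note also that the `\\*` pattern targets the children of the directory rather than the directory itself, so entries created directly under it later may not inherit the grant. The added comment misspells "Container Inherit" as "Contaiber Inherit" and should say why both principals are required.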
@@ -18,6 +18,7 @@ FROM ${powershellImage} AS dotnet USER ContainerAdministrator COPY scripts/*.cs /scripts/ + SHELL ["pwsh", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] ARG teamcityWindowsservercoreImage diff --git a/context/generated/windows/Agent/windowsservercore/2022/Dockerfile b/context/generated/windows/Agent/windowsservercore/2022/Dockerfile index 152e3ed9..616b2ff2 100644 --- a/context/generated/windows/Agent/windowsservercore/2022/Dockerfile +++ b/context/generated/windows/Agent/windowsservercore/2022/Dockerfile @@ -78,6 +78,7 @@ EXPOSE 9090 VOLUME C:/BuildAgent/conf +USER ContainerUser CMD ["powershell", "./BuildAgent/run-agent.ps1"] # Configuration file for TeamCity agent diff --git a/context/generated/windows/MinimalAgent/nanoserver/2022/Dockerfile b/context/generated/windows/MinimalAgent/nanoserver/2022/Dockerfile index 126005e4..f965025f 100644 --- a/context/generated/windows/MinimalAgent/nanoserver/2022/Dockerfile +++ b/context/generated/windows/MinimalAgent/nanoserver/2022/Dockerfile @@ -77,6 +77,12 @@ ENV JAVA_HOME="C:\Program Files\Java\OpenJDK" \ COPY --chown=ContainerUser --from=base /BuildAgent /BuildAgent +USER ContainerAdministrator +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control +RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r DefaultAccount:(OI)(CI)F +RUN cmd /c icacls.exe C:\\BuildAgent\\* /grant:r Users:(OI)(CI)F +USER ContainerUser + VOLUME C:/BuildAgent/conf VOLUME C:/BuildAgent/work VOLUME C:/BuildAgent/temp diff --git a/context/generated/windows/Server/nanoserver/2022/Dockerfile b/context/generated/windows/Server/nanoserver/2022/Dockerfile index d252f696..05de8f79 100644 --- a/context/generated/windows/Server/nanoserver/2022/Dockerfile +++ b/context/generated/windows/Server/nanoserver/2022/Dockerfile 
@@ -117,4 +117,7 @@ CMD ["pwsh", "C:/TeamCity/run-server.ps1"] # In order to set system PATH, ContainerAdministrator must be used USER ContainerAdministrator RUN setx /M PATH "%PATH%;%JAVA_HOME%\bin;C:\Program Files\Git\cmd" +# Grant Permissions for ContainerUser (Default Account), OI - Object Inherit, CI - Contaiber Inherit, F - full control +RUN cmd /c icacls.exe C:\\TeamCity\\* /grant:r DefaultAccount:(OI)(CI)F +RUN cmd /c icacls.exe C:\\TeamCity\\* /grant:r Users:(OI)(CI)F USER ContainerUser