Wednesday, November 2, 2016

Policy Plus - Take ownership when downloading ADMX files

Today I tested Policy Plus's Acquire ADMX Files feature on a new computer. It successfully downloaded and unpacked the MSI, but when it tried to move the ADMX files, it died. I had forgotten that the PolicyDefinitions folder is by default owned by TrustedInstaller, which is the only principal that can write to it. I hadn't noticed this before because on my main computer I temporarily moved PolicyDefinitions for testing so I wouldn't overwrite it.

The solution is, of course, to adjust the ACLs on the destination folder before trying to move things there. The trick in this case is that administrators don't have write-DAC access to it, so SeTakeOwnershipPrivilege has to be enabled first, allowing the program to set the owner to the Administrators group. I refactored the privilege-enabling parts out of PolicyLoader into a new Privileges class for ease of enabling any privilege. (In this case, I also enabled SeRestorePrivilege so the DACL could be updated at the same time as the owner.)
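The same sequence (enable the two privileges on the process token, take ownership as Administrators, then widen the DACL) as an added PowerShell example; this is not Policy Plus's own code, and the TokenPrivilege wrapper class and its names are my own. It assumes an elevated session, since AdjustTokenPrivileges can only enable privileges the token already holds.

```powershell
$signature = @'
using System;
using System.Runtime.InteropServices;
public static class TokenPrivilege {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr handle);
    // Enable one named privilege on the current process token (it must already be held, i.e. the process is elevated).
    public static void Enable(string name) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception();
        try {
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) throw new System.ComponentModel.Win32Exception();
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) throw new System.ComponentModel.Win32Exception();
            // AdjustTokenPrivileges returns TRUE even when the privilege is absent from the token, so check the last error explicitly.
            if (Marshal.GetLastWin32Error() == ERROR_NOT_ALL_ASSIGNED) throw new InvalidOperationException(name + " is not held by this token");
        } finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $signature
'SeTakeOwnershipPrivilege', 'SeRestorePrivilege' | ForEach-Object { [TokenPrivilege]::Enable($_) }

$path   = Join-Path $env:SystemRoot 'PolicyDefinitions'
$admins = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

# 1. Take ownership: Administrators lack WRITE_OWNER/WRITE_DAC on this TrustedInstaller-owned folder,
#    so this write of the owner only succeeds because SeTakeOwnershipPrivilege is enabled.
$acl = Get-Acl -Path $path
$acl.SetOwner($admins)
Set-Acl -Path $path -AclObject $acl

# 2. As owner, grant Administrators Full Control, inherited by the ADMX files and language subfolders.
$acl  = Get-Acl -Path $path
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $admins, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl
```

The widened DACL persists after the copy, so capture the original with Get-Acl beforehand if you want to restore the folder's default protection afterwards.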

I also found a bug that caused the move to fail if an overwrite was needed. That was easily fixed by first deleting files that need to be replaced. Everything works now.

The changes are live on GitHub.
