Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
s
seph
10/29/2019, 1:41 PMIf that script isn’t working, I’d probably look at setting the permissions manually. What are they set to now?
e
Eva
10/29/2019, 2:38 PMHello Seph,
Yes, I do it. But I can't modify permissions for ALL APPLICATIONS PACKAGES, it have special permissions.
s
seph
10/29/2019, 2:39 PMI am by no means a windows expert.
But I’d start by looking at the permissions, and trying to manually correct them.
What are the permissions there?
e
Eva
10/29/2019, 2:46 PMI try to remove write and delete permisions but it doesn't work. They are:
+ Show folder/read data.
+ Read extended attributes.
+ Write extended attributes.
+ Delete.
+ Read permissions.
s
seph
10/29/2019, 2:48 PMCould you please show what you’re doing? I can’t be a second set of eyes, if I can’t see the commands you’re running
e
Eva
10/29/2019, 2:54 PMThese's the groups which have permisions in
osqueryds
seph
10/29/2019, 2:55 PMCan you manually remove the ALL APPLICATIONS PACKAGES grant there?
e
Eva
10/29/2019, 2:55 PMAnd ALL PACKAGES APPLICATION have the following special permisions are:
Windows doesn't allow
s
seph
10/29/2019, 2:57 PMFrom a powershell window, can you run
icacls.exee
Eva
10/29/2019, 2:59 PMs
seph
10/29/2019, 3:05 PMCan you runn that against the directory, not the binary?
from there
icacls.exe .I’m trying to read docs about what this is, and whether or not it’s possible to remove that permission grant
What version of windows is this?
e
Eva
10/29/2019, 3:10 PMWindows Server 2019
It doesn't work. I think this group is used to can execute the programs. And the permissions could be correct. But I don't know why it fails.
s
seph
10/29/2019, 3:11 PMThat group has write access. osquery doesn’t like that.
You can either remove the write access, or run osquery with
--allow_unsafee
Eva
10/29/2019, 3:14 PMI removed it and it does't work
s
seph
10/29/2019, 3:14 PMRemoved what? The permissions? What do you mean didn’t work? Windows doesn’t support removing it?
e
Eva
10/29/2019, 3:16 PMI removed write permissions and osquery report the same error
s
seph
10/29/2019, 3:16 PMdoes icacls.exe show the permissions as gone?
I’ve copied this information into https://github.com/osquery/osquery/issues/5965 Hopefully more windows oriented people can take a look
e
Eva
10/29/2019, 3:22 PMokay, Thanks!
And yes, without write permission also doesn't work
s
seph
10/29/2019, 3:23 PMCan you show that with icacls?
e
Eva
10/29/2019, 3:26 PMs
seph
10/29/2019, 3:26 PMCan you run that on the enclosing folder, not the binary?
e
Eva
10/29/2019, 3:28 PMs
seph
10/29/2019, 3:30 PMcan you also
get-acle
Eva
10/29/2019, 3:32 PMs
seph
10/29/2019, 3:33 PMAnd the directory please.
e
Eva
10/29/2019, 3:33 PMThis is the directory
s
seph
10/29/2019, 3:34 PMThgat looks like
get-acl osquerydget-acl .e
Eva
10/29/2019, 3:35 PMs
seph
10/29/2019, 3:35 PMThank you. Those permissions seem to match the docs
I don’t know if I’m going to be able to dig into it. but https://github.com/osquery/osquery/issues/5965 exists at least