seph

10/29/2019, 1:41 PM
If that script isn’t working, I’d probably look at setting the permissions manually. What are they set to now?
Eva

10/29/2019, 2:38 PM
Hello Seph, yes, I did it. But I can't modify permissions for ALL APPLICATION PACKAGES; it has special permissions.
seph

10/29/2019, 2:39 PM
I am by no means a windows expert.
But I’d start by looking at the permissions, and trying to manually correct them.
What are the permissions there?
Eva

10/29/2019, 2:46 PM
I tried to remove write and delete permissions but it doesn't work. They are:
+ Show folder/read data.
+ Read extended attributes.
+ Write extended attributes.
+ Delete.
+ Read permissions.
seph

10/29/2019, 2:48 PM
Could you please show what you’re doing? I can’t be a second set of eyes if I can’t see the commands you’re running.
Eva

10/29/2019, 2:54 PM
These are the groups which have permissions in the osqueryd directory:
seph

10/29/2019, 2:55 PM
Can you manually remove the ALL APPLICATION PACKAGES grant there?
Eva

10/29/2019, 2:55 PM
And ALL APPLICATION PACKAGES has the following special permissions:
Windows doesn't allow
seph

10/29/2019, 2:57 PM
From a PowerShell window, can you run icacls.exe with the directory osquery is in?
Eva

10/29/2019, 2:59 PM
seph

10/29/2019, 3:05 PM
Can you run that against the directory, not the binary?
From there, icacls.exe . should work.
I’m trying to read docs about what this is, and whether or not it’s possible to remove that permission grant.
What version of Windows is this?
Eva

10/29/2019, 3:10 PM
Windows Server 2019
It doesn't work. I think this group is used to be able to execute programs, and the permissions could be correct. But I don't know why it fails.
seph

10/29/2019, 3:11 PM
That group has write access. osquery doesn’t like that.
You can either remove the write access, or run osquery with the --allow_unsafe flag. I’m less sure whether this represents an osquery bug.
Eva

10/29/2019, 3:14 PM
I removed it and it doesn't work.
seph

10/29/2019, 3:14 PM
Removed what? The permissions? What do you mean didn’t work? Windows doesn’t support removing it?
Eva

10/29/2019, 3:16 PM
I removed write permissions and osquery reports the same error.
seph

10/29/2019, 3:16 PM
Does icacls.exe show the permissions as gone?
I’ve copied this information into https://github.com/osquery/osquery/issues/5965. Hopefully more Windows-oriented people can take a look.
Eva

10/29/2019, 3:22 PM
Okay, thanks! And yes, without write permission it also doesn't work.
seph

10/29/2019, 3:23 PM
Can you show that with icacls?
Eva

10/29/2019, 3:26 PM
seph

10/29/2019, 3:26 PM
Can you run that on the enclosing folder, not the binary?
Eva

10/29/2019, 3:28 PM
seph

10/29/2019, 3:30 PM
Can you also get-acl in that directory?
Eva

10/29/2019, 3:32 PM
seph

10/29/2019, 3:33 PM
And the directory please.
Eva

10/29/2019, 3:33 PM
This is the directory
seph

10/29/2019, 3:34 PM
That looks like get-acl osqueryd, which is the binary. Can you also get-acl . ?
Eva

10/29/2019, 3:35 PM
seph

10/29/2019, 3:35 PM
Thank you. Those permissions seem to match the docs.
I don’t know if I’m going to be able to dig into it, but https://github.com/osquery/osquery/issues/5965 exists at least.