Daniel Bretón Suárez
06/08/2022, 7:51 AM
On a Windows Server 2019 everything seems to work, but on another instance the install succeeds but the upgrade fails to set the ACLs.
I'm not sure what the specific difference is between the instances of the same Windows Server version that seem to not have any problem, versus the one that does, but all the issues are around ACLs.
I think I'm facing the same thing with Windows instances. Any tips on that?
Stefano Bonicatti
06/09/2022, 2:20 PM
allow_unsafe flag would come into play after deployment, while the issue was around setting the correct ACLs when installing through Chocolatey.
Daniel Bretón Suárez
06/16/2022, 9:33 AM
allow_unsafe, I didn't realize
Stefano Bonicatti
06/16/2022, 10:20 AM
ALL APPLICATION PACKAGES and ALL RESTRICTED APPLICATION PACKAGES), this "normally" works because the MSI removes those from the internal osqueryd folder and executable.
On my Windows 10 I only have them in the osquery folder directly inside C:\Program Files.
Then there are other things on top of this. When triaging https://github.com/osquery/osquery/issues/7165 (so now this is partially related), we stumbled upon a known bug in the WinAPIs with converting some SIDs, and ALL APPLICATION PACKAGES triggers that bug, which makes it difficult via PowerShell to correctly refer to those ACLs and remove them from the folder. In fact this was fixed by fully clearing the ACLs and then reapplying them without the unwanted ones.
ALL APPLICATION PACKAGES been left behind in C:\Program Files\osquery\osqueryd and C:\Program Files\osquery\osqueryd.exe and osquery subsequently fails to start?
If yes, then this is a new problem, because as far as we knew the MSI seemed to not have this issue, but I might recall incorrectly what we've tried.
Daniel Bretón Suárez
06/16/2022, 11:19 AM
Start-Process .\osquery-4.9.0.msi -ArgumentList "/quiet" -Wait
I couldn't reproduce it on a fresh Windows Server 2019 with the same build number (version 1809 build 17763.379). So at least, it doesn't seem to be a common issue.
I will ask them about their group policy, because I don't know.
Thank you for your help.
Stefano Bonicatti
06/16/2022, 11:21 AM