• s

    seph

    2 years ago
    If that script isn’t working, I’d probably look at setting the permissions manually. What are they set to now?
  • e

    Eva

    2 years ago
Hello Seph. Yes, I did. But I can't modify permissions for ALL APPLICATION PACKAGES; it has special permissions.
  • s

    seph

    2 years ago
I am by no means a Windows expert.
  • But I’d start by looking at the permissions, and trying to manually correct them.
  • What are the permissions there?
  • e

    Eva

    2 years ago
I tried to remove write and delete permissions but it doesn't work. They are: + Show folder / read data. + Read extended attributes. + Write extended attributes. + Delete. + Read permissions.
  • s

    seph

    2 years ago
Could you please show what you’re doing? I can’t be a second set of eyes if I can’t see the commands you’re running.
  • e

    Eva

    2 years ago
These are the groups which have permissions in the osqueryd directory:
  • s

    seph

    2 years ago
Can you manually remove the ALL APPLICATION PACKAGES grant there?
  • e

    Eva

    2 years ago
And ALL APPLICATION PACKAGES has the following special permissions:
  • Windows doesn't allow
  • s

    seph

    2 years ago
From a PowerShell window, can you run icacls.exe with the directory osquery is in?
  • e

    Eva

    2 years ago
    message has been deleted
  • s

    seph

    2 years ago
Can you run that against the directory, not the binary?
From there, icacls.exe . should work.
I’m trying to read docs about what this is, and whether or not it’s possible to remove that permission grant.
  • What version of Windows is this?
  • e

    Eva

    2 years ago
    Windows Server 2019
It doesn't work. I think this group is used to be able to execute the programs. And the permissions could be correct. But I don't know why it fails.
  • s

    seph

    2 years ago
    That group has write access. osquery doesn’t like that.
You can either remove the write access, or run osquery with the --allow_unsafe flag. I’m less sure whether this represents an osquery bug.
  • e

    Eva

    2 years ago
I removed it and it doesn't work.
  • s

    seph

    2 years ago
    Removed what? The permissions? What do you mean didn’t work? Windows doesn’t support removing it?
  • e

    Eva

    2 years ago
I removed write permissions and osquery reports the same error.
  • s

    seph

    2 years ago
Does icacls.exe show the permissions as gone?
  • I’ve copied this information into https://github.com/osquery/osquery/issues/5965. Hopefully more Windows-oriented people can take a look.
  • e

    Eva

    2 years ago
Okay, thanks! And yes, without write permission it also doesn't work.
  • s

    seph

    2 years ago
    Can you show that with icacls?
  • e

    Eva

    2 years ago
    message has been deleted
  • s

    seph

    2 years ago
    Can you run that on the enclosing folder, not the binary?
  • e

    Eva

    2 years ago
    message has been deleted
  • s

    seph

    2 years ago
Can you also get-acl in that directory?
  • e

    Eva

    2 years ago
    message has been deleted
  • s

    seph

    2 years ago
    And the directory please.
  • e

    Eva

    2 years ago
This is the directory.
  • s

    seph

    2 years ago
That looks like get-acl osqueryd, which is the binary. Can you also get-acl . ?
  • e

    Eva

    2 years ago
    message has been deleted
  • s

    seph

    2 years ago
Thank you. Those permissions seem to match the docs.
  • I don’t know if I’m going to be able to dig into it, but https://github.com/osquery/osquery/issues/5965 exists at least.