Access rights to directory %ProgramData%\Notepad++\plugins are still set incorrectly by the installer #5199
The following command sequence (using the ICACLS console tool) would set the access rights of the plugins directory and the plugins\config directory to a desired state. Please note: I don't want to encourage you to actually use ICACLS to accomplish this task, the access rights plugin of NSIS should be able to do the same steps. I am posting this only as a guideline. I have tested the script on a Windows 7 x64 machine without an Active Directory environment. According to this site the user group DOMAINADMINS is a member of the local ADMINISTRATORS user group. Thus, the access rights set by the script should be sufficient in an Active Directory environment. But a problem could arise with the DOMAINUSERS user group. This group has no universal SID since the SID of the domain is part of the SID for this user group. Maybe there is a way using the NSIS access rights plugin to set the same access rights for the DOMAINUSERS group as for the local USERS group (SID S-1-5-32-545).

Thank you for the info.

Description of the Issue
Access rights to directory %ProgramData%\Notepad++\plugins are still set incorrectly by the Notepad++ installer. Thus, normal Windows users are still allowed to write files to it or its subdirectories. It was the intention of commit 589e211 to change that but it was done in the wrong way.

Steps to Reproduce the Issue
%ProgramData%\Notepad++\plugins.

Expected Behavior
A UAC dialog should pop up where you have to provide credentials of an admin user because normal users should not be able to drop files to %ProgramData%\Notepad++\plugins.

Actual Behavior
Copying the file as a normal user works without any problem, no UAC dialog pops up.

Debug Information
Applies to Notepad++ v7.6.2

Additional information
The directory %ProgramData%\Notepad++\plugins inherits access rights from the %ProgramData% directory. There, the user group CREATOR OWNER is configured to have all access rights. That means that every user account can write NEW files and subdirectories to %ProgramData% and its subdirectories. Furthermore, every user account can only delete/overwrite/change files and subdirectories which had been created by itself.

It is not possible to simply remove this access right from %ProgramData%\Notepad++\plugins or to replace it with a restricted access right like it was tried in commit 589e211. Instead ownership of the directory has to be set to the ADMINISTRATORS user group, the access rights inheritance has to be removed from the directory and a manually configured set of access rights has to be set because after removing access rights inheritance the directory has no access rights at all.

I already elaborated about that in this comment at the community forum. Another user stated the same in this comment at the community forum.

Additionally the access rights of the directory %ProgramData%\Notepad++\plugins\config have to be reconfigured in a way that writing to it is allowed for all user accounts in order to be able to update the file nppPluginList.dll.

Suggested access rights for directory %ProgramData%\Notepad++\plugins:

Suggested access rights for directory %ProgramData%\Notepad++\plugins\config:
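
A read-only check of the conditions this issue describes (directory owner, whether inheritance from %ProgramData% is still active, and which non-administrative SIDs hold write-type rights), as an added PowerShell example that is not part of the original issue, the missing ICACLS sequence, or the Notepad++ installer. The trusted-SID list, the rights mask and the requirement for PowerShell 3.0 or later are assumptions of this example; it changes nothing on disk.

```powershell
# Added example: audits a directory ACL, it does not modify it.
param(
    [string]$Path = (Join-Path $env:ProgramData 'Notepad++\plugins')
)

# Work with SIDs instead of account names so the check is locale independent.
$sidType = [System.Security.Principal.SecurityIdentifier]

# Principals expected to hold write access (assumption of this example).
$trusted = 'S-1-5-32-544', 'S-1-5-18'   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM

# Specific rights that allow adding, changing or removing content or the ACL itself.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]`
    'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# GENERIC_ALL | GENERIC_WRITE: inherit-only entries such as CREATOR OWNER (S-1-3-0)
# are often stored with generic bits rather than specific file rights.
$genericMask = 0x10000000 -bor 0x40000000

$acl   = Get-Acl -LiteralPath $Path
$owner = $acl.GetOwner($sidType).Value

# Summary: the issue asks for an Administrators owner and for inheritance to be removed.
[pscustomobject]@{
    Path                = $Path
    OwnerSid            = $owner
    OwnerIsTrusted      = $trusted -contains $owner
    InheritanceDisabled = $acl.AreAccessRulesProtected
} | Format-List

# Every Allow entry, explicit or inherited, that grants a write-type right
# to a SID outside the trusted list.
$acl.GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band ($writeMask -bor $genericMask)) -ne 0)
    } |
    Select-Object @{ n = 'Sid';    e = { $_.IdentityReference.Value } },
                  @{ n = 'Rights'; e = { $_.FileSystemRights } },
                  IsInherited, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

An empty table together with `OwnerIsTrusted` and `InheritanceDisabled` both `True` matches the state the issue asks for on the plugins directory; for plugins\config the issue expects write entries for all users, so findings there are intended.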