public inbox for cygwin-apps@cygwin.com
From: Jon Turney <jon.turney@dronecode.org.uk>
To: Achim Gratz <Stromeko@nexgo.de>,
	"cygwin-apps@cygwin.com" <cygwin-apps@cygwin.com>
Subject: Re: [Bug] setup regression #2
Date: Tue, 8 Nov 2022 16:21:44 +0000
Message-ID: <8a811ecf-38e7-a631-c09e-92ca4d439cc2@dronecode.org.uk>
In-Reply-To: <87pmf2p830.fsf@Rainer.invalid>

[-- Attachment #1: Type: text/plain, Size: 1527 bytes --]

On 08/10/2022 17:56, Achim Gratz wrote:
> I think that setup was essentially treating the install as "for this
> user only" since it was created and maintained by a script that can't
> affect that option and the fact it was also in group Administrators
> didn't actually register until now.

Yeah, that seems possible, since some of these changes fix what are 
arguably bugs in how that works (i.e. I suspect that previously, even 
when elevated, if only the registry key 
HKEY_CURRENT_USER\\Software\\Cygwin\\setup\rootdir exists (and not the 
same key under HKLM), we're going to install for "Just Me", irrespective 
of what the UI says)

> The DACL on the server install changed from conferring access to "Everyone" to
> just the install user and SYSTEM IIRC.  It doesn't do that on the
> (non-domain) build machine at home that runs Win10 Pro.

That makes less sense to me.  We should always be creating an entry in the 
DACL for 'Everyone' to hold the POSIX permissions for 'other' users.

(See win32.cc:NTSecurity::GetPosixPerms() which translates a file mode 
to a SD)

>> As long as there's an option to force it to keep the former behaviour
>> things should be OK, but I haven't really checked if and how this is
>> possible.
>
> Unfortunately, there is no such option.

I wrote some code for this option (attached), but I have a hard time 
seeing how it's functionally different from using '-B'/'--no-admin'.

So, I guess a question is, does running with that option work as 
expected in your problematic instance?

[-- Attachment #2: 0001-Add-an-option-to-not-make-files-group-owned-by-Admin.patch --]
[-- Type: text/plain, Size: 3529 bytes --]

From ae547f5b4b4421bf9b7b9f204eb3d303cc6b2673 Mon Sep 17 00:00:00 2001
From: Jon Turney <jon.turney@dronecode.org.uk>
Date: Wed, 2 Nov 2022 22:46:29 +0000
Subject: [PATCH setup] Add an option to not make files group owned by
 Administrators

Add an option that, when elevated, does not make files group owned by
Administrators (i.e. use the primary group of the user running setup
instead).

Fixes: 495b0148
---
 res.pot       | 8 ++++++--
 res/en/res.rc | 1 +
 resource.h    | 1 +
 root.cc       | 7 ++++++-
 4 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/res.pot b/res.pot
index 64079c8..e84c34c 100644
--- a/res.pot
+++ b/res.pot
@@ -3,7 +3,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-08-27 12:54+0100\n"
+"POT-Creation-Date: 2022-11-08 14:36+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -11,7 +11,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "X-Accelerator-Marker: &\n"
-"X-Generator: Translate Toolkit 3.7.0\n"
+"X-Generator: Translate Toolkit 3.7.3\n"
 "X-Merge-On: location\n"
 
 #: DIALOG.IDD_SOURCE.CAPTION
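Review bot: the `X-Generator` bump from Translate Toolkit 3.7.0 to 3.7.3 here, like the `POT-Creation-Date` change in the previous hunk, is regeneration churn unrelated to the new option. Consider regenerating res.pot in a separate commit so this patch only carries the new string.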
@@ -1245,6 +1245,10 @@ msgstr ""
 msgid "Disable creation of desktop shortcut"
 msgstr ""
 
+#: STRINGTABLE.IDS_HELPTEXT_NO_GROUP_CHANGE
+msgid "When elevated, do not make files group owned by Adminstrators"
+msgstr ""
+
 #: STRINGTABLE.IDS_HELPTEXT_NO_REPLACEONREBOOT
 msgid "Disable replacing in-use files on next reboot"
 msgstr ""
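Review bot: the new msgid for IDS_HELPTEXT_NO_GROUP_CHANGE spells the group "Adminstrators"; it should read "Administrators". This file is what translators work from, and correcting a msgid later changes the lookup key, so it is cheaper to fix the spelling before the string is published.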
diff --git a/res/en/res.rc b/res/en/res.rc
index ef5e8b1..dad5c47 100644
--- a/res/en/res.rc
+++ b/res/en/res.rc
@@ -683,6 +683,7 @@ BEGIN
     IDS_HELPTEXT_MIRROR_MODE "Skip package availability check when installing from local directory (requires local directory to be clean mirror!)"
     IDS_HELPTEXT_NO_ADMIN "Do not check for and enforce running as Administrator"
     IDS_HELPTEXT_NO_DESKTOP "Disable creation of desktop shortcut"
+    IDS_HELPTEXT_NO_GROUP_CHANGE "When elevated, do not make files group owned by Adminstrators"
     IDS_HELPTEXT_NO_REPLACEONREBOOT "Disable replacing in-use files on next reboot"
     IDS_HELPTEXT_NO_SHORTCUTS "Disable creation of desktop and start menu shortcuts"
     IDS_HELPTEXT_NO_STARTMENU "Disable creation of start menu shortcut"
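Review bot: the IDS_HELPTEXT_NO_GROUP_CHANGE text has the same "Adminstrators" misspelling, and it only says what the option avoids, not what group the files end up with. The commit message says the primary group of the user running setup is used instead; putting that in the help text would let an admin predict the resulting ownership, and would help distinguish this option from IDS_HELPTEXT_NO_ADMIN two lines above.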
diff --git a/resource.h b/resource.h
index cfe860b..917534f 100644
--- a/resource.h
+++ b/resource.h
@@ -157,6 +157,7 @@
 #define IDS_HELPTEXT_HEADER              1546
 #define IDS_HELPTEXT_FOOTER              1547
 #define IDS_HELPTEXT_NO_WRITE_REGISTRY   1548
+#define IDS_HELPTEXT_NO_GROUP_CHANGE     1549
 
 // Dialogs
 
diff --git a/root.cc b/root.cc
index ccbd6ae..f81c5c9 100644
--- a/root.cc
+++ b/root.cc
@@ -37,8 +37,10 @@
 #include "propsheet.h"
 
 #include "getopt++/StringOption.h"
+#include "getopt++/BoolOption.h"
 
 StringOption RootOption ("", 'R', "root", IDS_HELPTEXT_ROOT, false);
+static BoolOption NoGroupChangeOption (false, '\0', "no-group-change", IDS_HELPTEXT_NO_GROUP_CHANGE);
 
 static ControlAdjuster::ControlInfo RootControlsInfo[] = {
   { IDC_ROOTDIR_GRP,              CP_STRETCH,           CP_TOP      },
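Review bot: the `NoGroupChangeOption` declaration has no comment, and nothing here says the option is only consulted when the root scope is "system" (see the `RootPage::OnNext ()` hunk below). A short comment at the declaration stating that, and that no short option is assigned on purpose (`'\0'`), would save the next reader from having to find the single use site.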
@@ -310,7 +312,10 @@ RootPage::OnNext ()
     << (root_scope == IDC_ROOT_USER ? " user" : " system") << endLog;
 
   if (root_scope == IDC_ROOT_SYSTEM)
-    nt_sec.setAdminGroup ();
+    {
+      if (!NoGroupChangeOption)
+        nt_sec.setAdminGroup ();
+    }
   else
     nt_sec.resetPrimaryGroup ();
 
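Review bot: with `--no-group-change` set and `root_scope == IDC_ROOT_SYSTEM`, neither `nt_sec.setAdminGroup ()` nor `nt_sec.resetPrimaryGroup ()` is called, so the group is left in whatever state `nt_sec` already had. The commit message promises the user's primary group in that case; if `OnNext ()` can run more than once (for example after going back and changing the scope or after an earlier `setAdminGroup ()`), that is not guaranteed. Consider `if (root_scope == IDC_ROOT_SYSTEM && !NoGroupChangeOption) nt_sec.setAdminGroup (); else nt_sec.resetPrimaryGroup ();`, and record the option in the log line just above so the chosen group can be reconstructed from setup.log.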
-- 
2.38.1
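
A diagnostic for the state discussed in this message, as an added example that is not part of the original mail or of setup's code: it reports which hives register a Cygwin root, then the owner, group and 'Everyone' entries on that root directory. It assumes `rootdir` is stored as a value under the `Software\Cygwin\setup` key and inspects the first root it finds; the variable names are illustrative.

```powershell
# Added example (not from the thread). Assumption: 'rootdir' is a registry
# value under ...\Software\Cygwin\setup in HKCU and/or HKLM.
$key = 'Software\Cygwin\setup'

# 1. Which hives register an install root? Only HKCU present is the case the
#    message suspects was treated as a "Just Me" install.
$roots = foreach ($hive in 'HKCU', 'HKLM') {
    $p = Get-ItemProperty -Path "${hive}:\$key" -Name rootdir -ErrorAction SilentlyContinue
    [pscustomobject]@{ Hive = $hive; RootDir = $p.rootdir }
}
$roots | Format-Table -AutoSize

$root = ($roots | Where-Object RootDir | Select-Object -First 1).RootDir
if (-not $root) { throw 'No Cygwin rootdir registered in HKCU or HKLM' }

# 2. Owner and primary group of the root directory, resolved to SIDs so the
#    comparison does not depend on localized account names.
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl     = Get-Acl -LiteralPath $root
$owner   = $acl.GetOwner($sidType).Value
$group   = $acl.GetGroup($sidType).Value

# 3. ACEs for Everyone (S-1-1-0), which the message says should always be
#    present to hold the POSIX 'other' permissions.
$everyone = $acl.GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' }

[pscustomobject]@{
    Root            = $root
    OwnerSid        = $owner
    GroupSid        = $group
    GroupIsAdmins   = ($group -eq 'S-1-5-32-544')   # BUILTIN\Administrators
    HasEveryoneAce  = [bool]$everyone
    EveryoneRights  = ($everyone | ForEach-Object {
        '{0}:{1}' -f $_.AccessControlType, $_.FileSystemRights }) -join '; '
} | Format-List
```

Running it before and after a setup run, with and without the option under test, shows whether the group owner or the 'Everyone' entry is what changed.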

