We used the fixlet “Updated BES Client Now Avaiable! (Version 7.0.7) - WinNT/2000/2003/XP/Vista” to upgrade our users to Version 7.0.7 from 7.0.1.376. The issue we ran into is that the permissions on the BigFix Enterprise\BES Client directory changed on several machines. The BES Client folder is no longer inheriting permissions from its parent folder. Has anyone else run across this issue yet? The permissions are set to Administrators full control. There are no other permissions granted. The only change we made has been the upgrade fixlet.
By design, the BigFix Agent installer sets the permissions on the agent folder to be available only to the SYSTEM and to the Administrators group. The reason for this is security related because if the permissions were more broad, someone could easily replace the besclient.exe file with another file that would run as the SYSTEM account, which would be a trivial escalation of privilege attack (the same thing should apply to any service running as a privileged account).
I will need to double-check whether the upgrade installer resets the permissions, but please note the danger in giving non-admins write access to the agent folders.
The issue was that all groups were removed from my BES Client folder except Administrators. I don’t want to give non-admins write access, I just need Users to have read access. The parent folder BigFix Enterprise was set properly, allowing read access to the Users group, but the sub-folders were changed.
Let me know if your sub-folder permissions changed. It appeared the “Inherit from parent” option was unchecked after my upgrade.
I just tried the same thing and I was unable to reproduce the issue… but… I looked at another computer that had been previously upgraded and I saw the same thing you are noting… did you originally install with the MSI installer or the setup.exe based installer? That might be the difference…
In any event, it doesn’t look like the modified permissions cause a specific problem, but we can always write a simple Fixlet to change the permissions of the folder to whatever you think works best in your environment. Can you provide me a cacls statement that will adjust the permissions to what you are looking for?
We used an MSI to pre-deploy the clients in question. The exact command was “msiexec /i BESClientMSI.msi /passive”. In our case it was a few specific test machines and we caught it right away.
Ben Kus:
> Hey Robert,
> In any event, it doesn’t look like the modified permissions cause a specific problem, but we can always write a simple Fixlet to change the permissions of the folder to whatever you think works best in your environment. Can you provide me a cacls statement that will adjust the permissions to what you are looking for?
> Ben
It most certainly will cause problems because “SYSTEM” no longer has access to that directory or below. As a matter of fact when we rebooted the box the BES Client was uninstalled in a very ungraceful manner.
I also think you are misunderstanding what we are doing with the default NTFS permissions. The answer is nothing. We have no reason to change the permissions on any directory under %ProgramFiles%. IMHO that’s just asking for application problems.
It looks to me like the upgrade fixlet is removing / changing the permissions and the “inherit from parent” flag is getting removed. (Default)
Originally we just popped on the board to see if anyone else had noticed this.
Right now we’re not going to deploy the fixlet upgrade until we can find out why this is happening.
Robert_Whelan:
> It most certainly will cause problems because “SYSTEM” no longer has access to that directory or below. As a matter of fact when we rebooted the box the BES Client was uninstalled in a very ungraceful manner.
Based on some tests we ran, the BES Agent folder with only “Administrators” access still allows the agent full read/write access to all the necessary folders/files (I am not incredibly clear why this is the case, but it seems SYSTEM gets access to this folder even without explicitly granting the permission). The ungraceful uninstall you mentioned was probably some other issue that we can look into if you want to contact support (there shouldn’t be any reason that NTFS permissions should cause the agent to uninstall).
Robert_Whelan:
> I also think you are misunderstanding what we are doing with the default NTFS permissions. The answer is nothing. We have no reason to change the permissions on any directory under %ProgramFiles%. IMHO that’s just asking for application problems.
> It looks to me like the upgrade fixlet is removing / changing the permissions and the “inherit from parent” flag is getting removed. (Default)
As mentioned before, you definitely do NOT want default “program files” permissions on the BES Agent folder because it opens a large and easy-to-exploit security hole (for instance, Power Users – or any user with write access to the folder – could easily escalate their privileges to Admin level privileges). The appropriate permissions are “Administrators”=“Full Control” and “SYSTEM”=“Full Control”. I don’t think there is any specific issue with users having read access if that is what you would like.
Robert_Whelan:
> Right now we’re not going to deploy the fixlet upgrade until we can find out why this is happening.
We will try to get a full explanation of the issue, but it looks like the permissions are being set to “Administrators”=“Full Control” in some cases, but we cannot find any problems that are caused by this issue. Probably the fix will be to set “SYSTEM”=“Full Control” to be safe and we can do that through Fixlets or by modifying the installer… But even if we do this, it sounds like you still are requesting a change to those permissions so that users can read the folder. If this is the case, we can help you guys by giving you a Task to change the permissions to add read access for users (or whatever permissions you like).
And as mentioned before, if you continue to see the upgrade issues with an “ungraceful” uninstall after restart, please contact support for further assistance.
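As an added example (not code from the thread or from BigFix), the following PowerShell audits the agent folder for the weakness Ben describes, that is write-capable rights held by anyone other than SYSTEM and Administrators, and prints icacls commands that restore “Administrators”=“Full Control” and “SYSTEM”=“Full Control” while giving Users the read access Robert asked for. The install path and the use of icacls in place of the cacls statement Ben requested are assumptions.

```powershell
# Added example, not from the thread or from BigFix. Audits a privileged
# service's binary folder for write access held by non-trusted principals and
# suggests icacls commands to restore SYSTEM/Administrators Full Control plus
# read-only access for Users. Path below is assumed; adjust for your install.
$AgentDir = 'C:\Program Files\BigFix Enterprise\BES Client'

# Principals that may legitimately hold write rights on a SYSTEM service's folder.
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Any of these rights lets a principal replace or alter files under the folder.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'
$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-ServiceFolderAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $weak = @(); $systemFull = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -eq 'NT AUTHORITY\SYSTEM' -and (($ace.FileSystemRights -band $FullControl) -eq $FullControl)) {
            $systemFull = $true
        }
        # Flag write-capable ACEs for anyone outside the trusted set. Note: ACEs
        # carrying raw generic rights (large numeric values) are not decoded here.
        if ($Trusted -notcontains $who -and (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            $weak += $who
        }
    }
    [pscustomobject]@{
        Path                 = $Path
        InheritsFromParent   = -not $acl.AreAccessRulesProtected
        SystemHasFullControl = $systemFull
        WritablePrincipals   = @($weak | Sort-Object -Unique)
    }
}

function Get-ServiceFolderAclFix {
    param([Parameter(Mandatory)][string]$Path, [string[]]$RemovePrincipals = @())
    # /inheritance:r drops inherited ACEs so only the explicit ACL below governs
    # the folder; (OI)(CI) propagates each ACE to files and subfolders.
    $cmds = @("icacls `"$Path`" /inheritance:r /grant `"NT AUTHORITY\SYSTEM:(OI)(CI)F`" /grant `"BUILTIN\Administrators:(OI)(CI)F`" /grant `"BUILTIN\Users:(OI)(CI)RX`"")
    foreach ($p in $RemovePrincipals) {
        # Explicit ACEs for other principals survive /inheritance:r, so strip them.
        $cmds += "icacls `"$Path`" /remove:g `"$p`" /t"
    }
    $cmds
}

$report = Test-ServiceFolderAcl -Path $AgentDir
$report | Format-List
if (-not $report.SystemHasFullControl -or $report.WritablePrincipals.Count -gt 0) {
    Write-Output 'Suggested remediation (review, then run as Administrator):'
    Get-ServiceFolderAclFix -Path $AgentDir -RemovePrincipals $report.WritablePrincipals
}
```

The audit only reads the ACL; the remediation commands are printed, not executed, so they can be reviewed or wrapped in a Task before being run.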