I am working with the automated test suite of a software project. I have an automated test case that should verify that the code works correctly when a specific file is found, but the program does not have proper permission to read the contents of that file. This test case is currently working on Linux and macOS, but I am trying to get it to work on Windows as well.
The file is created by the test process, modified to have the read permission removed, and then the code tries to read the file, and the test verifies that the code fails in the expected way. After the test has run, the permissions are restored (if necessary), and the file is removed.
On Linux and macOS the read permission is removed by chmod 000 unreadable.txt, which makes the file unreadable by everyone (except root). I am trying to find a similar solution on Windows, where I can make this test file unreadable by the current user using command line tools, so the tested program can fail.
From my understanding, a command like icacls unreadable.txt /deny 'Everyone:(RC)' should have done the trick. icacls confirm the deny rule:
Everyone:(DENY)(Rc,S)
but I have nevertheless full access to read the file.
I've tried various incantations of calls to icacls and cacls, with different combinations of trying to explicitly denying for my specific user account, etc. All to no avail.
I'm starting to wondering, is is impossible in Windows to disallow the owner of a file from reading it?
Or, if it is possible, what is the command line I need to make the file unreadable by the owner?
Related
I'm trying to write data to a text file in Windows programatically (either through cmd directly or from a scripting language like Lua), but if I try to open any file with the following conditions, an error occurs, saying permission denied.
the file name ends with .txt or .zip
I try to create the file inside some subfolders of my user folder, e.g. %USERPROFILE%\Documents\**\file.txt or %USERPROFILE%\Pictures\**\file.zip.
this is done programatically (works fine using any GUI).
This happens only on Windows, and even if I run cmd with admin rights.
C:\Users\Username\Pictures>echo aaaa > a.txt
Access denied.
C:\Users\Username\Documents>echo aaaa > a.txt
Access denied.
EDIT: I noticed this was specific to subfolders of %USERPROFILE%, and not related to Lua, which the original text of this question was about. So I rewrote the question to reflect the problem properly.
I still can't find any pattern of which folders are affected by this, currently only Pictures and Documents.
I need to know if it is possible to create a read only directory from windows command line.
I know it is possible to use chmod and make files read only. But what I need is to create a folder and then immediately set it as read only upon creation. Trying to create new files inside this directory should then throw an error.
This can be done manually by modifying folder permissions using the gui. But, I need to do it from cmd for some tests.
I tried
attrib +r dirPath
But this only works for files and not for the whole directory.
Any help is appreciated.
EDIT:
A background to me problem. I need to test the behavior of a software that writes some text files. I want to test a use-case when I ask the software to write to a read only directory. I want to see I handle the exceptions correctly and inform users appropriately.
I want to index some files and keep a registry as part of a utility I am writing in BASH. So, my tool would go to a massive directory and write some essential information about each file it finds there to another file that I would like to call "myregistry." The file would only be rewritten if the user asks it to - since going through a large file structure and "indexing" it this way would take considerable time.
I want this file to not show up when the user does ls in the directory where it is contained. In addition, I want the user to have no privileges with it at all - the user should not be able to open it up on vim or anything, not even to just look at it.
However, if the user executes my script again, I want the user to have the option of getting some information out of the file from there. I also want the script to have the permissions to look at the file and add or delete things from it, if the user prompts it to. But the user should not be able to do anything to it directly.
How can I do this? It would require using chmod but I have no idea how to put it together.
I'm thinking:
# Enable write permission
# Do Something - ensure that no one else is writing to this file
# Disable write permission
On Unix, you're more or less on an equal footing with other processes that run under the same user. Whatever you can do, they can do. If you can hide and unhide something, so can they. Interpreted scripts need read permissions to run, so it's not like you can hide any secrets in your executable. If you can however, distribute your software as a binary, you'll be able to run without being readable. Then you can hardcode a secret into the binary and use it to encrypt and decrypt files. Users will be able to run your binary, but only the superuser will be able to get the secret and decrypt your registry. That's real security (against regular (nonroot) users) (especially if you manage to create and embed the secret at installation time).
Playing with dotfiles and permissions won't fool any advanced user.
Something like this work? write_index and read_index are your work.
cd massive_dir
TFILE=$(mktemp --tmpdir=.)
write_index >$TFILE
mv -f $TFILE .index
chmod a-rw .index
To read
chmod +r .index
read_index .index
chmod -r .index
Note that no locking is needed because of the temp file. mv is atomic.
I am trying to run a bash file from install4j6. install4j does indeed try to run the bash file but it just returns an error at the end of the installation. The error is very generic and has no code reference or anything that will help me determine a solution - just a message that says "Error while executing file."
The only thing I can provide is how I have it setup in install4j6 since I am pretty sure that's my issue.
The bash file is defined in the root of my installation directory distribution tree and is named set_permissions.sh. For the sake of eliminating permissions being a cause, the file permission mode is set to 777 (both in install4j and on the file system).
I believe the issue is related to what I have set as my "working directory". I currently have it set to just ".". Is there a way to debug this further? Maybe get an actual error as to why it's not executing?
Ok, first a few things to check:
make sure that you're running the batch file after the install files step (you mention it being at the root of your install)
best to have the wait for termination checked and a variable for the return code.
redirect stderr to the log file (just in case)
As for working directory, . should work, but you can change it to ${installer:sys.installationDir} to make sure that it references the installation directory chosen by the user. You can also set the executable in the form of ${installer:sys.installationDir}\set_permissions.sh
Also, try and run just your shell script to make sure that it works :)
As per the answer to this question, I am trying to backup a file by renaming it, before I replace it with a new, modified file with the old name.
As per the comments and the documentation here, I am using the following line of code:
File.rename(File.basename(modRaw), File.basename(modRaw)+'.bak')
However, when I do so, I get the following error at runtime:
The program then aborts. (leatherReplacer.rb is the name of my program, and line 88 is the above line of code)
How do I allow my program to rename the files it needs to to run successfully?
Windows has some special rules regarding permissions. The important one at work here, is that the OS prevents moving or renaming a file while the file is open.
Depending on the nature of your code (in size and scope) and the importance of the file you're trying to back up, it may be unfeasible or otherwise not worthwhile to refactor the code in such a way as to make backups possible.
You probably don't want to be calling File.basename in there, that strips off the directory:
Returns the last component of the filename given in *file_name*, which must be formed using forward slashes ("/") regardless of the separator used on the local file system.
So, if modRaw is /where/is/pancakes.house, then you're saying:
File.rename('pancakes.house', 'pancakes.house.bak')
But pancakes.house probably isn't in the script's current directory. Try without the File.basename calls:
File.rename(modRaw, modRaw + '.bak')
If you are owner of that file, use File.chmod to set desired permissions.
I don't know much about ruby, but could you run it under command line/bash with admin privileges, such as "run as administrator" or "su root"?
According to Objectmix and ruby-forum, you should set it to 755 or +x, then perhaps chown to yourself.
try using full file path e.t
File.rename('c:\pancakes.house', 'c:\pancakes.house.bak')
in win7 i encounter same problem