为什么“本地系统”帐户缺乏对 NTFS 文件系统的权限(将 java 作为 Windows 服务运行)
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4555751/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Why does "Local System" account lack permissions to NTFS Filesystem (running java as windows service)
提问by user331465
I have a problem running a java process as a windows service due to NTFS permissions. (http://community.jboss.org/wiki/RunJBossAsAServiceOnWindows).
由于 NTFS 权限,我在将 Java 进程作为 Windows 服务运行时遇到问题。(http://community.jboss.org/wiki/RunJBossAsAServiceOnWindows)。
The service installs successfully, but has problems starting due to file permissions.
该服务已成功安装,但由于文件权限而启动时出现问题。
- If I change the windows-service "login" to my account (e.g. domain/login), the service runs fine.
- If I change the filesystem permisisons from 755 to 777, the service runs fine.
- 如果我将 Windows 服务“登录”更改为我的帐户(例如域/登录),该服务运行良好。
- 如果我将文件系统权限从 755 更改为 777,则服务运行良好。
Example log
示例日志
08:58:02,250 ERROR [MainDeployer] Could not make local copy for file:/J:/projects/devtools/pe64-jboss-4.2.2.GA/server/solr/conf/jboss-service.xml
java.io.IOException: Access is denied
at java.io.WinNTFileSystem.createFileExclusively(Native Method)
"Yo No Comprende".I thought the "Local System" account was "root". ("Local System" is the default account)
“哟没有理解”。我认为“本地系统”帐户是“root”。(“本地系统”是默认帐户)
"chmod -R 777 <>" is not an option. (security hole)
“chmod -R 777 <>”不是一个选项。(安全漏洞)
So to summarize:
所以总结一下:
- What is the deal with "Local System" and windows NTFS file permissions?
- Can you add "Local System" to "My group"
- Is my local build process doing something wrong? (e.g. the windows version of UMask is bad? )
- Any other gotchas running java as a windows service?
- After 15+ years of windows NT-based OS, why are services still such a pain?
- “本地系统”和 Windows NTFS 文件权限有什么关系?
- 您可以将“本地系统”添加到“我的群组”吗
- 我的本地构建过程做错了吗?(例如 UMask 的 windows 版本不好?)
- 将 Java 作为 Windows 服务运行的任何其他问题?
- 基于 Windows NT 的操作系统已经 15 多年了,为什么服务仍然如此痛苦?
Update/Solution
更新/解决方案
It turn out that in later Windows (Vista and Window 7), MSFT closed a security hole which allowed a service to get at anyone's "temp" files.
事实证明,在后来的 Windows(Vista 和 Window 7)中,MSFT 关闭了一个安全漏洞,该漏洞允许服务获取任何人的“临时”文件。
"Local System" account just doesn't have access to any common/pre-created "temp" directory.
“本地系统”帐户无权访问任何常见/预先创建的“临时”目录。
The solution, in the java world:
解决办法,在java世界:
- create your own temp directory. Grant it adequate permisions)
- pass "-Djava.io.tmpdir=/path/to/my/temp/dir" as a jvm argument.
- 创建您自己的临时目录。授予它足够的权限)
- 将“-Djava.io.tmpdir=/path/to/my/temp/dir”作为 jvm 参数传递。
thanks
谢谢
will
将要
采纳答案by AngerClown
I wouldn't use Cygwin for this. Instead, I use a combination of caclsand ntrights(from the XP resource kit - still works in 2008 / win 7). The only issue is that you have to run Ant as an administrator. This means that you need to either make sure you start an admin level cmd prompt or your installer has to to elevate.
我不会为此使用 Cygwin。相反,我使用的组合cacls以及ntrights(从XP资源工具包-还是在2008年的工作/ WIN 7)。唯一的问题是您必须以管理员身份运行 Ant。这意味着您需要确保启动管理员级别的 cmd 提示符,或者您的安装程序必须提升。
In Ant, I do something like the following:
在 Ant 中,我执行以下操作:
<!-- give the service user full access to install dir -->
<exec executable="cacls" failonerror="true" osfamily="winnt" output="NUL">
<arg line=""${dir.install}" /e /p ${service.username}:f" />
</exec>
<!-- remove the Users group access from the install dir -->
<exec executable="cacls" failonerror="true" osfamily="winnt" output="NUL">
<arg line=""${dir.install}" /e /t /r Users" />
</exec>
<!-- give the service user the right to log on as a service,
remove right to logon through the UI -->
<exec executable="${dir.installer}/install/ntrights">
<arg line="-u ${service.username} +r SeServiceLogonRight" />
</exec>
<exec executable="${dir.installer}/install/ntrights">
<arg line="-u ${service.username} +r SeDenyInteractiveLogonRight" />
</exec>
Note that I couldn't get cacls to work with individual args. I had to specify the whole line. Also note the quote escape to handle directories with spaces (e.g. Program Files).
请注意,我无法让 cacls 与单个 args 一起工作。我必须指定整行。还要注意引号转义以处理带有空格的目录(例如程序文件)。
回答by cHao
"Local System" isn't exactly root. It can be denied (or not granted) permissions, just like any other user, and Windows will enforce those permissions. (Though you better know what you're doing before you do so -- blocking the wrong stuff from it can make your system unusable.) Sometimes, often when you're copying stuff from a privileged location (like your desktop or something), Windows will turn off the "inherit permissions" thingie for the folder, and the account won't get the permissions it'd normally inherit from the root.
“本地系统”并不完全是 root。它可以被拒绝(或不授予)权限,就像任何其他用户一样,Windows 将强制执行这些权限。(尽管在这样做之前你最好知道你在做什么——阻止错误的东西可能会让你的系统无法使用。)有时,通常是当你从一个特权位置(比如你的桌面或其他东西)复制东西时, Windows 将关闭该文件夹的“继承权限”,并且该帐户将无法获得通常从根目录继承的权限。
Make sure the folder grants the Local System account permission to add files to the folder where it wants to create that file. As for how you'd do that with Cygwin...i'm not sure. Does it have something akin to Linux's setfaclcommand?
确保文件夹授予本地系统帐户权限以将文件添加到要创建该文件的文件夹中。至于你如何用 Cygwin 做到这一点......我不确定。它有类似于Linux 的setfacl命令吗?
回答by Powerlord
NTFS permissions work a bit differently than Ext2/3/4 permissions.
NTFS 权限的工作方式与 Ext2/3/4 权限略有不同。
Specifically, the file system doesn't care if you're an administrator or not... if your SID doesn't have the Create Filespermissionor one of the other meta-permissions that include it (i.e. Write) on a directory, you can't create a new file or copy a file from another directory to said folder.
具体来说,文件系统不关心您是否是管理员......如果您的 SID 没有Create Files权限或其他包含它的元权限之一(即Write)在目录中,您可以' t 创建新文件或将文件从另一个目录复制到所述文件夹。
What it does give you is the permission to change the permissions on any folder.
它确实为您提供了更改任何文件夹权限的权限。
