为什么“本地系统”帐户缺少NTFS文件系统的权限(将java作为Windows服务运行)
[英]Why does “Local System” account lack permissions to NTFS Filesystem (running java as windows service)
问题描述
I have a problem running a java process as a windows service due to NTFS permissions. 
由于NTFS权限,我在运行java进程作为Windows服务时遇到问题。 (http://community.jboss.org/wiki/RunJBossAsAServiceOnWindows). (http://community.jboss.org/wiki/RunJBossAsAServiceOnWindows)。
The service installs successfully, but has problems starting due to file permissions. 该服务安装成功,但由于文件权限而启动时出现问题。
- If I change the windows-service "login" to my account (eg domain/login), the service runs fine. 如果我将Windows服务“登录”更改为我的帐户(例如域/登录),该服务运行正常。
- If I change the filesystem permisisons from 755 to 777, the service runs fine. 如果我将文件系统permisisons从755更改为777,则服务运行正常。
Example log 示例日志
08:58:02,250 ERROR [MainDeployer] Could not make local copy for file:/J:/projects/devtools/pe64-jboss-4.2.2.GA/server/solr/conf/jboss-service.xml
java.io.IOException: Access is denied
at java.io.WinNTFileSystem.createFileExclusively(Native Method)
"Yo No Comprende". “Yo No Comprende”。 I thought the "Local System" account was "root". 我认为“本地系统”帐户是“root”。 ("Local System" is the default account) (“本地系统”是默认帐户)
"chmod -R 777 <>" is not an option. “chmod -R 777 <>”不是一种选择。 (security hole) (安全漏洞)
So to summarize: 总结一下:
- What is the deal with "Local System" and windows NTFS file permissions? 什么是“本地系统”和Windows NTFS文件权限的处理?
- Can you add "Local System" to "My group" 你能为“我的小组”添加“本地系统”吗?
- Is my local build process doing something wrong? 我的本地构建过程是否出错? (eg the windows version of UMask is bad? ) (例如,UMask的Windows版本不好?)
- Any other gotchas running java as a windows service? 运行java作为Windows服务的任何其他陷阱?
- After 15+ years of windows NT-based OS, why are services still such a pain? 经过15年以上基于Windows NT的操作系统,为什么服务仍然如此痛苦?
Update/Solution 更新/解决方案
It turn out that in later Windows (Vista and Window 7), MSFT closed a security hole which allowed a service to get at anyone's "temp" files. 事实证明,在后来的Windows(Vista和Window 7)中,MSFT关闭了一个安全漏洞,允许服务获取任何人的“临时”文件。
"Local System" account just doesn't have access to any common/pre-created "temp" directory. “本地系统”帐户只能访问任何公共/预先创建的“临时”目录。
The solution, in the java world: 解决方案,在java世界中:
- create your own temp directory. 创建自己的临时目录。 Grant it adequate permisions) 给予足够的权利)
- pass "-Djava.io.tmpdir=/path/to/my/temp/dir" as a jvm argument. 将“-Djava.io.tmpdir = / path / to / my / temp / dir”作为jvm参数传递。
thanks 谢谢
will 将
3 个解决方案
解决方案1
2 2010-12-29 16:30:15
"Local System" isn't exactly root. “本地系统”并不完全是根。 It can be denied (or not granted) permissions, just like any other user, and Windows will enforce those permissions. 它可以被拒绝(或不被授予)权限,就像任何其他用户一样,Windows将强制执行这些权限。 (Though you better know what you're doing before you do so -- blocking the wrong stuff from it can make your system unusable.) Sometimes, often when you're copying stuff from a privileged location (like your desktop or something), Windows will turn off the "inherit permissions" thingie for the folder, and the account won't get the permissions it'd normally inherit from the root. (虽然在你这样做之前你最好知道你在做什么 - 阻止它的错误可能会使你的系统无法使用。)有时,通常当你从特权位置(如桌面或其他东西)复制东西时, Windows将关闭该文件夹的“继承权限”,并且该帐户将无法获得它通常从根目录继承的权限。
Make sure the folder grants the Local System account permission to add files to the folder where it wants to create that file. 确保该文件夹授予本地系统帐户权限,以便将文件添加到要创建该文件的文件夹中。 As for how you'd do that with Cygwin...i'm not sure. 至于你如何用Cygwin做到这一点......我不确定。 Does it have something akin to Linux's setfacl command ? 它有类似于Linux的setfacl命令吗?
解决方案2
2 2010-12-29 16:33:31
NTFS permissions work a bit differently than Ext2/3/4 permissions. NTFS权限与Ext2 / 3/4权限的工作方式略有不同。
Specifically, the file system doesn't care if you're an administrator or not... if your SID doesn't have the Create Files permission or one of the other meta-permissions that include it (ie Write ) on a directory, you can't create a new file or copy a file from another directory to said folder. 具体来说,文件系统并不关心您是否是管理员...如果您的SID没有Create Files 权限或其他一个包含它的元权限(即Write )在目录上,您无法创建新文件或将文件从另一个目录复制到该文件夹。
What it does give you is the permission to change the permissions on any folder. 它的作用是允许您更改任何文件夹的权限。
解决方案3
1 已采纳 2010-12-29 17:55:59
I wouldn't use Cygwin for this. 我不会用Cygwin这个。 Instead, I use a combination of cacls and ntrights (from the XP resource kit - still works in 2008 / win 7). 相反,我使用了cacls和ntrights的组合(来自XP资源工具包 - 仍然适用于2008 / win 7)。 The only issue is that you have to run Ant as an administrator. 唯一的问题是您必须以管理员身份运行Ant。 This means that you need to either make sure you start an admin level cmd prompt or your installer has to to elevate. 这意味着您需要确保启动管理员级别cmd提示或者安装程序必须提升。
In Ant, I do something like the following: 在Ant中,我执行以下操作:
<!-- give the service user full access to install dir -->
<exec executable="cacls" failonerror="true" osfamily="winnt" output="NUL">
<arg line=""${dir.install}" /e /p ${service.username}:f" />
</exec>
<!-- remove the Users group access from the install dir -->
<exec executable="cacls" failonerror="true" osfamily="winnt" output="NUL">
<arg line=""${dir.install}" /e /t /r Users" />
</exec>
<!-- give the service user the right to log on as a service,
remove right to logon through the UI -->
<exec executable="${dir.installer}/install/ntrights">
<arg line="-u ${service.username} +r SeServiceLogonRight" />
</exec>
<exec executable="${dir.installer}/install/ntrights">
<arg line="-u ${service.username} +r SeDenyInteractiveLogonRight" />
</exec>
Note that I couldn't get cacls to work with individual args. 请注意,我无法让cacls与单个args一起工作。 I had to specify the whole line. 我必须指定整行。 Also note the quote escape to handle directories with spaces (eg Program Files). 还要注意引用转义以处理带空格的目录(例如Program Files)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.