Search code examples
javawindows-servicesfile-permissionsntfs

Why does "Local System" account lack permissions to NTFS Filesystem (running java as windows service)

I have a problem running a java process as a windows service due to NTFS permissions. (http://community.jboss.org/wiki/RunJBossAsAServiceOnWindows).

The service installs successfully, but has problems starting due to file permissions.

  • If I change the windows-service "login" to my account (e.g. domain/login), the service runs fine.
  • If I change the filesystem permisisons from 755 to 777, the service runs fine.

Example log

08:58:02,250 ERROR [MainDeployer] Could not make local copy for file:/J:/projects/devtools/pe64-jboss-4.2.2.GA/server/solr/conf/jboss-service.xml
java.io.IOException: Access is denied
    at java.io.WinNTFileSystem.createFileExclusively(Native Method)

"Yo No Comprende". I thought the "Local System" account was "root". ("Local System" is the default account)

"chmod -R 777 <>" is not an option. (security hole)

So to summarize:

  • What is the deal with "Local System" and windows NTFS file permissions?
  • Can you add "Local System" to "My group"
  • Is my local build process doing something wrong? (e.g. the windows version of UMask is bad? )
  • Any other gotchas running java as a windows service?
  • After 15+ years of windows NT-based OS, why are services still such a pain?

Update/Solution

It turn out that in later Windows (Vista and Window 7), MSFT closed a security hole which allowed a service to get at anyone's "temp" files.

"Local System" account just doesn't have access to any common/pre-created "temp" directory.

The solution, in the java world:

  • create your own temp directory. Grant it adequate permisions)
  • pass "-Djava.io.tmpdir=/path/to/my/temp/dir" as a jvm argument.

thanks

will

Solution

  • I wouldn't use Cygwin for this. Instead, I use a combination of cacls and ntrights (from the XP resource kit - still works in 2008 / win 7). The only issue is that you have to run Ant as an administrator. This means that you need to either make sure you start an admin level cmd prompt or your installer has to to elevate.

    In Ant, I do something like the following:

    <!-- give the service user full access to install dir -->
<exec executable="cacls" failonerror="true" osfamily="winnt" output="NUL">
  <arg line="&quot;${dir.install}&quot; /e /p ${service.username}:f" />
</exec>

<!-- remove the Users group access from the install dir -->
<exec executable="cacls" failonerror="true" osfamily="winnt" output="NUL">
  <arg line="&quot;${dir.install}&quot; /e /t /r Users" />
</exec>

<!-- give the service user the right to log on as a service,
     remove right to logon through the UI -->
<exec executable="${dir.installer}/install/ntrights">
  <arg line="-u ${service.username} +r SeServiceLogonRight" />
</exec>
<exec executable="${dir.installer}/install/ntrights">
  <arg line="-u ${service.username} +r SeDenyInteractiveLogonRight" />
</exec>

    Note that I couldn't get cacls to work with individual args. I had to specify the whole line. Also note the quote escape to handle directories with spaces (e.g. Program Files).