pyrevitlabs/pyRevit

[Bug]: pyRevit_CLI_4.8.15.24089_admin_signed shows "repository path is not owned by current user" for private extensions using elevated ps1 script

acco-jpitts opened this issue · 6 comments

✈ Pre-Flight checks

  • I don't have SentinelOne antivirus installed (see above for the solution)
  • I have searched in the issues (open and closed) but couldn't find a similar issue
  • I have searched in the pyRevit Forum for similar issues
  • I already followed the installation troubleshooting guide thoroughly
  • I am using the latest pyRevit Version

🐞 Describe the bug

Previously used 4.8.8 CLI installer, and then pyRevit_CLI_4.8.15.24043_admin_signed.exe (WIP installer from develop-4) and was able to install on multiple users' computers without issue using an elevated PowerShell script.

Using the latest pyRevit_CLI_4.8.15.24089_admin_signed.exe, the "pyrevit extend ui ...." command will clone the repo without issue, but when Revit is started it will show an error "repository path xxxxxxx is not owned by current user".

This was a git change in response to CVE-2022-24765

At first I was unable to reproduce this issue because I have git installed and have the extension repo path set as a [safe] directory.

Once I removed the [safe] directory from my gitconfig, I would get the same issue. Deleting the extension folder and running the exact same "pyrevit extend ui ....." command from a NON-elevated command prompt will clone the repo and Revit will be able to load the extension without issue.

So non-admin script does not need [safe] directory set, but admin does. None of our other users can set a [safe] directory as they do not have git installed.

⌨ Error/Debug Message

"repository path xxxxxxx is not owned by current user"

♻️ To Reproduce

To reproduce error:

  1. If you have git installed, remove any [safe] directories set. You can check by running

     ```
     git config --list
     ```

     Remove any path after "safe.directory=".

  2. Run this command in an elevated PowerShell script:

     ```
     pyrevit extend ui $ourextname $ourpyrevitext --dest=$pyrevitexts --branch=$ourbranchname --username=$username --password=$personalaccesstoken
     ```

  3. Open Revit and you should see an error.

To reproduce fix

  1. Delete the extension folder.

  2. Run the exact same command in cmd.exe (non admin), except replace the variables with the actual values:

     ```
     pyrevit extend ui $ourextname $ourpyrevitext --dest=$pyrevitexts --branch=$ourbranchname --username=$username --password=$personalaccesstoken
     ```

  3. Revit will now load the ribbon.

⏲️ Expected behavior

Revit should open without an error

🖥️ Hardware and Software Setup (please complete the following information)

pyrevit env shows the same information whether the error shows or not

==> Registered Clones (full git repos)
==> Registered Clones (deployed from archive/image)
pyRevit | Deploy: "basepublic" | Branch: "master" | Version: "4.8.15.24089+0912" | Path: "C:\pyRevit-Master\pyRevit"
==> Attachments
pyRevit | Product: "24.2" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
pyRevit | Product: "23.1.3" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
pyRevit | Product: "2022.1.5" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
pyRevit | Product: "2021.1.9" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
pyRevit | Product: "2020.2.9" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
==> Installed Extensions
ACCO_VC | Type: UIExtension | Repo: "private_repo" | Installed: "C:\pyRevit-Master\extensions\ACCO_VC.extension"
==> Default Extension Search Path
C:\Users\user\AppData\Roaming\pyRevit\Extensions
==> Extension Search Paths
C:\pyRevit-Master\extensions
==> Extension Sources - Default
https://github.com/eirannejad/pyRevit/raw/master/extensions/extensions.json
==> Extension Sources - Additional
==> Installed Revits
24.2 | Version: 24.2.0.63 | Build: 20231029_1515(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2024\"
23.1.3 | Version: 23.1.30.97 | Build: 20230828_1515(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2023\"
2022.1.5 | Version: 22.1.50.17 | Build: 20230915_1530(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2022\"
2021.1.9 | Version: 21.1.90.15 | Build: 20230907_1515(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2021\"
2020.2.9 | Version: 20.2.90.12 | Build: 20220517_1515(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2020\"
==> Running Revit Instances
PID: 14248 | 24.2 | Version: 24.2.0.63 | Build: 20231029_1515(x64) | Language: 0 | Path: "C:\Program Files\Autodesk\Revit 2024"
==> User Environment
Microsoft Windows 10 [Version 10.0.19045]
Executing User: user
Active User: user
Admin Access: No
%APPDATA%: "C:\Users\user\AppData\Roaming"
Latest Installed .Net Framework: 4.8
Installed .Net Target Packs: v3.5 v4.0 v4.5 v4.5.1 v4.5.2 v4.6 v4.6.1 v4.7 v4.7.2 v4.8 v4.8.1 v4.X
Installed .Net-Core Target Packs: v2.1.202 v6.0.420 v8.0.202
pyRevit CLI v4.8.15.24089+0912.f079f5fd51756b988a06d005d4f4cd2961f36e63


### Additional context

This was a git change in response to [CVE-2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/)

I think the previous installers using the older LibGit2Sharp were not affected, but newer ones are now that LibGit2Sharp has been updated

Do you have a possible solution to propose? a fix to the code base?

Well running as non-admin seems to get around this issue, since then the repo is owned by the user account instead of the admin account.

I am going to look into a way to set a safe.directory for users without git installed.

I also just now discovered that if I do a direct clone of the pyrevit master branch (which is what I used to do), then you get an error as well. Not sure if this is the same issue or not. The issue with the repo ownership only showed because I was using the basepublic deployment for pyrevit.

That's a different one IMHO, not related.
The pyRevitCLI is installed from the pyRevit non-Admin or Admin installer, or directly from pyRevit installer (Admin or non Admin?)

So I just had to relearn what Windows ACLs and SIDs are. But I was able to fix this error by calling a second PowerShell script that changes the ACL of the extension folder and the .git folder from the admin account (from elevated script) back to the user account (script checks for the active user account).

This is for Active Directory. Not sure if this would be different for regular user accounts

Here is the script. Update the paths to your ".extension" folder and ".extension.git".

change-owner.ps1

```powershell
try {
    # Account that runs this script; it becomes the new owner of the folders.
    $username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ([string]::IsNullOrWhiteSpace($username)) {
        Write-Error "Failed to obtain the username."
        exit
    }
    # Update these to the extension folder and its .git folder.
    $folderPaths = @("C:\path\to\ribbon.extension", "C:\path\to\ribbon.extension\.git")
    $newOwner = New-Object System.Security.Principal.NTAccount($username)

    # Set the owner on a directory, then on each of its subdirectories.
    function Set-OwnerRecursively {
        param (
            [String]$path,
            [System.Security.Principal.NTAccount]$owner
        )
        $acl = Get-Acl $path
        $acl.SetOwner($owner)
        Set-Acl -Path $path -AclObject $acl

        # The function already recurses, so list direct children only;
        # adding -Recurse here would process every subdirectory repeatedly.
        Get-ChildItem -Path $path -Directory | ForEach-Object {
            Set-OwnerRecursively -path $_.FullName -owner $owner
        }
    }
    foreach ($folderPath in $folderPaths) {
        Set-OwnerRecursively -path $folderPath -owner $newOwner
    }
}
catch {
    Write-Error $_.Exception.Message
}
```

I added a second line to my bat file that elevates to admin to call this second PowerShell script (didn't work when I added to the end of the install script):

```bat
powershell.exe -executionpolicy bypass -Command "& '%scriptPath%\ribbon-installer.ps1'"
powershell.exe -executionpolicy bypass -Command "& '%scriptPath%\change-owner.ps1'"
```
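
To confirm which folders are behind the "not owned by current user" error, before or after applying a fix like the one above, the owner of each repository folder can be compared with the user's SID. This is an added example, not code from this thread or from pyRevit; the function name `Get-RepoOwnerReport` and the paths are hypothetical placeholders, and it is meant to be run non-elevated as the user who launches Revit.

```powershell
# Added diagnostic: report who owns each repository folder and whether
# that owner is the expected user. Paths in the usage line are placeholders.
function Get-RepoOwnerReport {
    param (
        [Parameter(Mandatory)][string[]]$Path,
        # SID to compare against; defaults to the account running this script.
        [System.Security.Principal.SecurityIdentifier]$ExpectedSid =
            [System.Security.Principal.WindowsIdentity]::GetCurrent().User
    )
    $adminsType = [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            [pscustomobject]@{
                Path = $p; Owner = $null; OwnerSid = $null
                Matches = $false; Note = 'folder not found'
            }
            continue
        }
        $acl = Get-Acl -LiteralPath $p
        # Ask for the owner as a SID rather than a name, so the comparison
        # does not depend on how local or domain account names resolve.
        $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
        $note = ''
        if ($ownerSid.IsWellKnown($adminsType)) {
            $note = 'owned by BUILTIN\Administrators'
        }
        [pscustomobject]@{
            Path     = $p
            Owner    = $acl.Owner
            OwnerSid = $ownerSid.Value
            Matches  = $ownerSid.Equals($ExpectedSid)
            Note     = $note
        }
    }
}

# Usage with placeholder paths; a row with Matches = False is a folder
# whose owner differs from the user running the check.
Get-RepoOwnerReport -Path 'C:\path\to\ribbon.extension',
                          'C:\path\to\ribbon.extension\.git' |
    Format-Table -AutoSize
```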

I'll try and dig it more and see what can be done. Looks like there are open PRs from a year ago to implement in LibGit2Sharp though.

Thanks for reporting back and explaining your digging.

I guess we can close this out since it's not an issue with pyRevit, although at least there is a workaround. If that PR ever gets merged in LibGit2Sharp then maybe we can implement a solution on pyRevit side.