Bug #35935
Symlinks still don't work reliably under Windows
Status: | Closed | Start date: | 2012-04-13 | |
---|---|---|---|---|
Priority: | Must have | Due date: | ||
Assigned To: | Karsten Dambekalns | % Done: | 0% |
|
Category: | Core | |||
Target version: | TYPO3 Flow Base Distribution - 1.1 | |||
PHP Version: | Complexity: | |||
Has patch: | No | Affected Flow version: | Git master |
Description
Creation of symlinks under Windows is still not reliable due to, honestly, weird behavior of windows' UAC.
The system command mklink /J
seems to be interesting because it doesn't need as much elevated user permissions like mklink /.D
does (the opposite is a junction vs. a symlink)
I will gamble around with that a bit.
Related issues
History
#1 Updated by Gerrit Code Review over 3 years ago
- Status changed from New to Under Review
Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10401
#2 Updated by Adrian Föder over 3 years ago
basically, this entry: http://social.msdn.microsoft.com/Forums/en/os_fileservices/thread/e967ab01-3136-4fda-9677-e5ecaaa2f694 explains why this is.
The problem, mainly, is; even with the Security Policy for creating symbolic links is granted to not only Administrators; that it doesn't work if the intended User is itself a member of the Administrator group.
After giving “Everyone” the privilege “Create symbolic link”, please reboot (or log off) and log in as a standard user, a user who is NOT a member of group “Administrators”. You should be able to create a symbolic link using mklink command in a directory where user has write permissions.
The reason a member of “Administrators” cannot create symbolic link is because “Create symbolic link” privilege is removed from the filtered token since user is a member of “Administrators” group. Section “Access Token Changes” of article at link http://msdn.microsoft.com/en-us/library/bb530410.aspx describes in more details on how filtered token is created.
#3 Updated by Adrian Föder over 3 years ago
In short, a "primitive" user would be able to create Symlinks (with the mentioned secpol.msc setting done), while an Administrator won't (if he's not in Elevated state).
So, setting the Apache service to be run under a deriving user may work; additionally (this is to be checked), it's likely that the default account (which is SYSTEM) has sufficient rights to create symlinks.
The subsequent system()
/ exec()
requests then also would be run under SYSTEM user, hence Symlink creation would work.
So the prescribed configuration could be...¶
- open the local policy editor
secpol.msc
- locate Security Settings > Local Policies > User Rights Management > Create symbolic links
German: Sicherheitseinstellungen > Lokale Richtlinien > Zuweisen von Benutzerrechten > Erstellen symbolischer Verknüpfungen - Add the
SYSTEM
group (or whatever the Apache service is run under, per default it'sSYSTEM
) - Keep in mind that, if you are logged in as Administrator and want to call FLOW3 via the console, you must run the Command Line Prompt elevated (i.e. "Run as Administrator).
#4 Updated by Gerrit Code Review over 3 years ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10401
#5 Updated by Karsten Dambekalns about 3 years ago
- Status changed from Under Review to Closed
- Assigned To set to Karsten Dambekalns