Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug]: pyRevit_CLI_4.8.15.24089_admin_signed shows "repository path is not owned by current user" for private extensions using elevated ps1 script #2191

Closed
5 tasks done
acco-jpitts opened this issue Apr 3, 2024 · 6 comments
Labels
Bug Bug that stops user from using the tool or a major portion of pyRevit functionality [class]

Comments

@acco-jpitts
Copy link
Contributor

✈ Pre-Flight checks

  • I don't have SentinelOne antivirus installed (see above for the solution)
  • I have searched in the issues (open and closed) but couldn't find a similar issue
  • I have searched in the pyRevit Forum for similar issues
  • I already followed the installation troubleshooting guide thoroughly
  • I am using the latest pyRevit Version

🐞 Describe the bug

Previously used 4.8.8 CLI installer, and then pyRevit_CLI_4.8.15.24043_admin_signed.exe (WIP installer from develop-4) and was able to install on multiple users computers without issue using an elevated powershell script

Using the latest pyRevit_CLI_4.8.15.24089_admin_signed.exe, the "pyrevit extend ui ...." command will clone the repo without issue, but when Revit is started it will show an error "repository path xxxxxxx is not owned by current user".
image

This was a git change in response to CVE-2022-24765

At first I was unable to reproduce this issue because I have git installed and have the extension repo path set as a [safe] directory.

Once I removed the [safe] directory from my gitconfig, I would get the same issue. Deleting the extension folder and running the exact same "pyrevit extend ui ....." command from a NON-elevated command prompt will clone the repo and Revit will be able to load the extension without issue.

So non-admin script does not need [safe] directory set, but admin does. None of our other users can set a [safe] directory as they do not have git installed.

⌨ Error/Debug Message

"repository path xxxxxxx is not owned by current user"

♻️ To Reproduce

To reproduce error:

  1. if you have git installed, remove any [safe] directories set
    you can check by running
git config --list

remove any path after "safe.directory="

  1. run this command in an elevated powershell script
pyrevit extend ui $ourextname $ourpyrevitext --dest=$pyrevitexts --branch=$ourbranchname --username=$username --password=$personalaccesstoken
  1. Open Revit and you should see an error

To reproduce fix

  1. Delete the extension folder

  2. Run the exact same command in cmd.exe (non admin) except replace the variables with the actual values

pyrevit extend ui $ourextname $ourpyrevitext --dest=$pyrevitexts --branch=$ourbranchname --username=$username --password=$personalaccesstoken
  1. Revit will now load the ribbon

⏲️ Expected behavior

Revit should open without an error

🖥️ Hardware and Software Setup (please complete the following information)

pyrevit env shows the same information whether the error shows or not

==> Registered Clones (full git repos)
==> Registered Clones (deployed from archive/image)
pyRevit | Deploy: "basepublic" | Branch: "master" | Version: "4.8.15.24089+0912" | Path: "C:\pyRevit-Master\pyRevit"
==> Attachments
pyRevit | Product: "24.2" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
pyRevit | Product: "23.1.3" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
pyRevit | Product: "2022.1.5" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
pyRevit | Product: "2021.1.9" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
pyRevit | Product: "2020.2.9" | Engine: DEFAULT (2711) | Path: "C:\pyRevit-Master\pyRevit" | AllUsers
==> Installed Extensions
ACCO_VC | Type: UIExtension | Repo: "private_repo" | Installed: "C:\pyRevit-Master\extensions\ACCO_VC.extension"
==> Default Extension Search Path
C:\Users\user\AppData\Roaming\pyRevit\Extensions
==> Extension Search Paths
C:\pyRevit-Master\extensions
==> Extension Sources - Default
https://github.com/eirannejad/pyRevit/raw/master/extensions/extensions.json
==> Extension Sources - Additional
==> Installed Revits
24.2 | Version: 24.2.0.63 | Build: 20231029_1515(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2024\"
23.1.3 | Version: 23.1.30.97 | Build: 20230828_1515(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2023\"
2022.1.5 | Version: 22.1.50.17 | Build: 20230915_1530(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2022\"
2021.1.9 | Version: 21.1.90.15 | Build: 20230907_1515(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2021\"
2020.2.9 | Version: 20.2.90.12 | Build: 20220517_1515(x64) | Language: 1033 | Path: "C:\Program Files\Autodesk\Revit 2020\"
==> Running Revit Instances
PID: 14248 | 24.2 | Version: 24.2.0.63 | Build: 20231029_1515(x64) | Language: 0 | Path: "C:\Program Files\Autodesk\Revit 2024"
==> User Environment
Microsoft Windows 10 [Version 10.0.19045]
Executing User: user
Active User: user
Admin Access: No
%APPDATA%: "C:\Users\user\AppData\Roaming"
Latest Installed .Net Framework: 4.8
Installed .Net Target Packs: v3.5 v4.0 v4.5 v4.5.1 v4.5.2 v4.6 v4.6.1 v4.7 v4.7.2 v4.8 v4.8.1 v4.X
Installed .Net-Core Target Packs: v2.1.202 v6.0.420 v8.0.202
pyRevit CLI v4.8.15.24089+0912.f079f5fd51756b988a06d005d4f4cd2961f36e63


### Additional context

This was a git change in response to [CVE-2022-24765](https://github.blog/2022-04-12-git-security-vulnerability-announced/)

I think the previous installers using the older LibGit2Sharp were not affected, but newer ones are now that LibGit2Sharp has been updated
@acco-jpitts acco-jpitts added the Bug Bug that stops user from using the tool or a major portion of pyRevit functionality [class] label Apr 3, 2024
@jmcouffin
Copy link
Contributor

Do you have a possible solution to propose? a fix to the code base?

@acco-jpitts
Copy link
Contributor Author

Well running as non-admin seems to get around this issue, since then the repo is owned by the user account instead of the admin account.

I am going to look into a way to set a safe.directory for users without git installed.

I also just now discovered that if I do a direct clone of the pyrevit master branch (which is what I used to do), then you get an error as well. Not sure if this is the same issue or not. The issue with the repo ownership only showed because I was using the basepublic deployment for pyrevit.
image

@jmcouffin
Copy link
Contributor

that's a different one IMHO
not related.
the pyRevitCLI is installed from the pyRevit non-Admin or Admin installer, or directly from pyRevit installer (Admin or non Admin?)

@acco-jpitts
Copy link
Contributor Author

acco-jpitts commented Apr 3, 2024

so I just had to relearn what windows ACL and SID's are. But I was able to fix this error by calling a second powershell script that changes the ACL of the extension folder and the .git folder from the admin account (from elevated script) back to the user account (script checks for the active user account).

This is for Active Directory. Not sure if this would be different for regular user accounts

here is the script. update the paths to your ".extension" folder and ".extension.git".

change-owner.ps1

try {
    $username = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    if ([string]::IsNullOrWhiteSpace($username)) {
        Write-Error "Failed to obtain the username."
        exit
    }
    $folderPaths = @("C:\path\to\ribbon.extension", "C:\path\to\ribbon.extension\.git")
    $newOwner = New-Object System.Security.Principal.NTAccount($username)
    function Set-OwnerRecursively {
        param (
            [String]$path,
            [System.Security.Principal.NTAccount]$owner
        )
        $acl = Get-Acl $path
        $acl.SetOwner($owner)
        Set-Acl -Path $path -AclObject $acl

        Get-ChildItem -Path $path -Recurse -Directory | ForEach-Object {
            Set-OwnerRecursively -path $_.FullName -owner $owner
        }
    }
    foreach ($folderPath in $folderPaths) {
        Set-OwnerRecursively -path $folderPath -owner $newOwner
    }
}
catch {
    Write-Error $_.Exception.Message
}

I added a second line to my bat file that elevates to admin to call this second powershell script (didn't work when I added to the end of the install script)


powershell.exe -executionpolicy bypass -Command "& '%scriptPath%\ribbon-installer.ps1'"
powershell.exe -executionpolicy bypass -Command "& '%scriptPath%\change-owner.ps1'"

I'll try and dig it more and see what can be done. looks like there are open PR's from a year ago to implement in LibGit2Sharp though

@jmcouffin
Copy link
Contributor

Thanks for reporting back and explaining your digging.

@acco-jpitts
Copy link
Contributor Author

I guess we can close this out since its not issue with pyRevit, although at least there is a workaround. If that PR ever gets merged in LibGit2Sharp then maybe we can implement a solution on pyRevit side.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Bug Bug that stops user from using the tool or a major portion of pyRevit functionality [class]
Projects
None yet
Development

No branches or pull requests

2 participants