On Fri, 19 Apr 2024 20:04:57 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> @wangweij , your [comment on >> JDK-8313367](https://bugs.openjdk.org/browse/JDK-8313367?focusedId=14664542&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-14664542) >> indicates you are unable to request a Windows system including a secured >> user. If all your Windows systems are configured with a single user >> requiring Administrators group membership, here are some options to get you >> unblocked: >> >> 1. Request a new domain user account for a role, versus a person. Sometimes >> this is referred to as a service account. Then grant that user "Standard >> User" (_Not Administrator_) access to the Windows test system via the >> Control Panel's "Give other users access to this computer" (_a.k.a. the >> "Advanced User Account Control Panel"_) dialog. You can also modify the >> service user's group memberships via that dialog's Advanced tab (_do not add >> an Administrator's group membership_). Once configured, login as, or >> [switch accounts >> to](https://support.microsoft.com/en-us/windows/how-to-switch-users-accounts-in-windows-660d4dcd-fa8d-7467-10b3-fee0e70e11d4), >> this service user to perform secure environment testing. >> 2. Spawn the test's process as the single user minus their Administrators >> group privilege via the [RunAs.exe command included on all Windows >> systems](https://en.wikipedia.org/wiki/Runas) . >> 3. Spawn the test's process as the single user minus their Administrators >> group privilege using [PsExecs.exe command included with downloadable >> SysInternals >> commands](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec). >> >> For option 2 on Windows 10 or Windows Server: >> `runas /trustlevel:0x20000 "<command line>"` >> For option 2 on Windows 11: >> `runas /machine:amd64 /trustlevel:0x20000 "<command line>"` >> For option 3 on any Windows OS: >> `PsExec -l "<command line>"` >> >> Tips: >> >> - Try option 2 or 3 with `cmd` or `powershell` as the command line. The >> resulting window title will explain the granted access privilege. >> - Option 2 on Windows 11 requires the `/machine` option. "amd64" indicates >> Intel or AMD processors. Type `runas /?` for additonal processor types. >> - If you need to embed quotes, use a backslash to escape them like `"cmd >> "<path to bat script>" "script argument"" `. >> - You can prove these techniques work by using them to execute the commands >> in Step 10 of the steps to reproduce. The jarsigner command should fail >> with "Access Denied". > > @MustavData, thanks a lot for the instructions. @wangweij , @rebarbora-mckvak , @MustavData : I was considering taking this over, but the PR contains additional code that I am not familiar with, however I did review the changes and I think there's at least two issues that need to be addressed (see above comments) ------------- PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-2289970060
