Bug #35935

Symlinks still don't work reliably under Windows

Added by Adrian Föder about 8 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Must have
Category:
Core
Start date:
2012-04-13
Due date:
% Done:

0%

PHP Version:
Has patch:
No
Complexity:

Description

Creation of symlinks under Windows is still not reliable due to, honestly, weird behavior of windows' UAC.
The system command mklink /J seems to be interesting because it doesn't need as much elevated user permissions like mklink /.D does (the opposite is a junction vs. a symlink)

I will gamble around with that a bit.


Related issues

Related to TYPO3.Flow - Bug #33968: Missing privileges to create symlinks in Windows cause exception Closed 2012-02-16
Related to TYPO3.Flow - Task #11683: symlink() is not working on Windows XP Resolved 2010-12-24
Related to TYPO3 Core - Bug #64409: Failing unit tests on windows because of symlinks Closed 2015-01-21

History

#1 Updated by Gerrit Code Review about 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10401

#2 Updated by Adrian Föder about 8 years ago

basically, this entry: http://social.msdn.microsoft.com/Forums/en/os_fileservices/thread/e967ab01-3136-4fda-9677-e5ecaaa2f694 explains why this is.
The problem, mainly, is; even with the Security Policy for creating symbolic links is granted to not only Administrators; that it doesn't work if the intended User is itself a member of the Administrator group.

After giving “Everyone” the privilege “Create symbolic link”, please reboot (or log off) and log in as a standard user, a user who is NOT a member of group “Administrators”. You should be able to create a symbolic link using mklink command in a directory where user has write permissions.

The reason a member of “Administrators” cannot create symbolic link is because “Create symbolic link” privilege is removed from the filtered token since user is a member of “Administrators” group. Section “Access Token Changes” of article at link http://msdn.microsoft.com/en-us/library/bb530410.aspx describes in more details on how filtered token is created.

#3 Updated by Adrian Föder about 8 years ago

In short, a "primitive" user would be able to create Symlinks (with the mentioned secpol.msc setting done), while an Administrator won't (if he's not in Elevated state).

So, setting the Apache service to be run under a deriving user may work; additionally (this is to be checked), it's likely that the default account (which is SYSTEM) has sufficient rights to create symlinks.
The subsequent system() / exec() requests then also would be run under SYSTEM user, hence Symlink creation would work.

So the prescribed configuration could be...

  • open the local policy editor secpol.msc
  • locate Security Settings > Local Policies > User Rights Management > Create symbolic links
    German: Sicherheitseinstellungen > Lokale Richtlinien > Zuweisen von Benutzerrechten > Erstellen symbolischer Verknüpfungen
  • Add the SYSTEM group (or whatever the Apache service is run under, per default it's SYSTEM)
  • Keep in mind that, if you are logged in as Administrator and want to call FLOW3 via the console, you must run the Command Line Prompt elevated (i.e. "Run as Administrator).

#4 Updated by Gerrit Code Review about 8 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/10401

#5 Updated by Karsten Dambekalns about 8 years ago

  • Status changed from Under Review to Closed
  • Assignee set to Karsten Dambekalns

Also available in: Atom PDF