How to grant necessary permission to LOCAL_SERVICE for writing/reading debug logs?
Question
The FNP v11.14.0 Release Notes say:
In FlexNet Publisher 2015 (11.13.1), a change was made to run Windows license server services with
LocalService privilege instead of LocalSystem privilege, following the least-privilege security best practice.
One inappropriate consequence is that a lmgrd Windows service, as installed by installs.exe or
lmtools.exe, may not start. This is because a LocalService service does not by default have sufficient
privilege to write the server debug log to (a subdirectory of) Windows Program Files or Users directories.
Flexera therefore recommends following Windows best-practice for writing application data by
specifying debug log and report log locations within a subfolder of %SystemDrive%\ProgramData\.
LocalService services do by default have sufficient privilege to write to ProgramData (sub)directories.
Some software vendors cannot move their license file from Program Files to ProgramData immediately, and are looking for a way to grant the necessary privilege to LocalService. Is this possible?
Answer
As a temporary workaround, software vendors can run the following command to grant the permission to LOCAL SERVICE.
# icacls "C:\Program Files\demo\License" /grant "NT AUTHORITY\LOCAL SERVICE":(OI)(CI)(M)
On non-English versions of Windows, the service account name may differ from "NT AUTHORITY\LOCAL SERVICE",
so software vendors who want international support should use the following command instead.
# icacls "C:\Program Files\Cradle\License" /grant *S-1-5-19:(OI)(CI)(M)
S-1-5-19 is the SID for LOCAL SERVICE; the leading * tells icacls that the value is a SID rather than an account name.
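The SID-based grant above, wrapped in a PowerShell script that also confirms the resulting ACE (an added example, not part of the original article or of FlexNet Publisher). It assumes an elevated PowerShell session; the $LogDir default reuses the article's sample path and should be replaced with the directory that actually receives the debug log.

```powershell
# Added example: grant Modify to LOCAL SERVICE by SID, then verify the ACE.
# $LogDir is an assumption; keep it as narrow as possible (the log directory,
# not a directory that also holds executables the service loads).
param(
    [string]$LogDir = 'C:\Program Files\demo\License'
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $LogDir -PathType Container)) {
    throw "Directory not found: $LogDir"
}

# S-1-5-19 is the well-known SID for LOCAL SERVICE on every Windows locale.
$sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-19'
$localName = $sid.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "S-1-5-19 resolves to '$localName' on this system"

# Same grant as the icacls command in the article. The single quotes matter in
# PowerShell: unquoted (OI)(CI)(M) would be parsed as PowerShell expressions.
& icacls.exe $LogDir /grant '*S-1-5-19:(OI)(CI)(M)'
if ($LASTEXITCODE -ne 0) {
    throw "icacls failed with exit code $LASTEXITCODE"
}

# Read the ACL back with identities expressed as SIDs, so the check does not
# depend on the localized account name.
$modify = [System.Security.AccessControl.FileSystemRights]::Modify
$acl    = Get-Acl -LiteralPath $LogDir
$rules  = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$granted = $rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-5-19' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $modify) -eq $modify -and
    $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'
}

if (-not $granted) {
    throw "No inheritable Allow/Modify ACE for S-1-5-19 found on $LogDir"
}
Write-Host "LOCAL SERVICE has inheritable Modify on $LogDir"

# List every ACE for the account so the change can be recorded and later removed.
$rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-19' } |
    Format-Table FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
```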