intellij-git-askpass.bat not running due to security policy


Hello,

On my freshly installed PyCharmCE2019.1, I cannot use git, due to a restriction policy about where .bat files are supposed to be run.

Specifically, I cannot run git pull on my project, because of the location of the intellij-git-askpass.bat file.

13:05:18.744: [myproject] git -c credential.helper= -c core.quotepath=false -c log.showSignature=false pull --progress --no-stat -v --progress origin master
Ce programme est bloqué par une stratégie de groupe. Pour plus d'informations, contactez votre administrateur système.
error: unable to read askpass response from 'C:\Users\xxx\AppData\Local\Temp\intellij-git-askpass.bat'

I believe it is related to this post https://intellij-support.jetbrains.com/hc/en-us/community/posts/360000353390-Problem-with-build-in-git , but applying the relocation of IDE default directories did not help (https://intellij-support.jetbrains.com/hc/en-us/articles/207240985).

How can I relocate this intellij-git-askpass.bat? Or how can I skip the execution of intellij-git-askpass.bat?

Thanks for your help.

4 comments

Hi,

>applying the relocation of IDE default directories did not help

Doesn't that mean that your security policy still applies to the new location? I believe you need to change your group policies to allow the execution: http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/

Unfortunately there is no way to relocate intellij-git-askpass.bat, other than relocating the whole config directory, which you already did.

0

Hi, thanks for your answer,

Unfortunately, security will not let me change the policy, and I have to deal with it (this restriction is painful for me and I've already tried to negotiate :) )

I edited the idea.properties file to set up these three variables to paths where .bat files can be executed (I am confident about that)

# custom PyCharm properties
idea.config.path=C:/My Program Files/idea/caches/trunk-config
idea.system.path=C:/My Program Files/idea/caches/trunk-system
idea.plugins.path=C:/My Program Files/idea/caches/trunk-plugins

But the intellij-git-askpass.bat is still generated in the directory C:\Users\xxx\AppData\Local\Temp

Is there another variable that would allow me to manage the location of intellij-git-askpass.bat?

Note that this did not happen with my previously-installed version (PyCharmCE2018.?) ... Is that a new behaviour that we should be aware of?

0

> But the intellij-git-askpass.bat is still generated in the directory C:\Users\xxx\AppData\Local\Temp

To avoid issues with scripts running, IntelliJ ensures the path to the file does not contain spaces. It first tries to generate in the IDE's temp folder, which with the new settings is C:\My Program Files\idea\caches\trunk-system\tmp - but then finds there are spaces in the path and falls back to the system temp folder, which is C:\Users\xxx\AppData\Local\Temp.

> Is there another variable that would allow me to manage the location of intellij-git-askpass.bat?

There is no specific variable for this. It is generated in the corresponding temp folder - IDE's temp when possible, or system temp. You can reassign system TEMP, but I don't think it is the right way to go. A better approach would be to use an idea.system.path that contains no spaces.

> Is that a new behaviour that we should be aware of?

No, it is not new. Generated scripts have been used for Git authentication handling for ages. However, the script is used only when the Git process requires credentials input. What might be the reason for this not to show up before 2019.1 is the git credential helper. If there is a helper and it has saved creds, the git process will silently use them without a prompt. IntelliJ by default ignores the helper since 2019.1 - see https://youtrack.jetbrains.com/issue/IDEA-177665

0
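The temp-folder selection described in the reply above, modelled as an added example (not IntelliJ's own code and not part of the thread): it predicts where intellij-git-askpass.bat would land for a given idea.properties and checks that location against a root where the policy blocks scripts. The `<idea.system.path>/tmp` rule and the space check come from the reply; the blocked root `C:\Users\xxx\AppData` and the space-free path are assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

ASKPASS = "intellij-git-askpass.bat"
TEMP = r"C:\Users\xxx\AppData\Local\Temp"  # system temp from the thread
BLOCKED = r"C:\Users\xxx\AppData"          # assumed root blocked by the policy

# Constructed samples: the properties from the thread and a space-free variant.
WITH_SPACES = """# custom PyCharm properties
idea.config.path=C:/My Program Files/idea/caches/trunk-config
idea.system.path=C:/My Program Files/idea/caches/trunk-system
"""
NO_SPACES = "idea.system.path=C:/idea/caches/trunk-system\n"  # hypothetical path


def parse_properties(text):
    """Read key=value lines, skipping blanks and comments (no escape handling)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def predicted_askpass(properties_text, system_temp):
    """Use <idea.system.path>\\tmp unless it contains a space, else system temp."""
    system_path = parse_properties(properties_text).get("idea.system.path")
    if system_path is None:
        raise ValueError("idea.system.path not set; default location not modelled")
    ide_temp = ntpath.normpath(ntpath.join(system_path, "tmp"))
    if " " not in ide_temp:
        return ntpath.join(ide_temp, ASKPASS), "IDE temp"
    return ntpath.join(ntpath.normpath(system_temp), ASKPASS), "system temp"


def is_under(path, root):
    """Case-insensitive check that path is root itself or lies below it."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(root)).rstrip("\\")
    return path == root or path.startswith(root + "\\")


if __name__ == "__main__":
    for label, text in (("with spaces", WITH_SPACES), ("no spaces", NO_SPACES)):
        path, source = predicted_askpass(text, TEMP)
        print(f"{label}: {path} ({source}), blocked={is_under(path, BLOCKED)}")
```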

Many thanks for the explanations.

After several trials and fails to find a workaround, I finally referred to your last point (https://youtrack.jetbrains.com/issue/IDEA-177665#focus=streamItem-27-3423882.0-0) and disabled the git.reset.credential.helper registry key (which is activated by default).

It works well so far, since (if I got it) PyCharm now relies on credentials previously saved in the git helper.

Thanks again.

0
