  1. Modules
  2. MODULES-9215

ACL: Cannot update ACL if there is an existing unmanaged ACE for ALL RESTRICTED APPLICATION PACKAGES

    Details

    • Type: Bug
    • Status: Open
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: acl
    • Labels:
    • Environment:

      Windows Server 2016
    • Template:
      MODULES Bug Template
    • Acceptance Criteria:
      Should be able to update ACL without error.
    • Method Found:
      Needs Assessment
    • QA Risk Assessment:
      Needs Assessment

      Description

      Module Version: 2.1.0
      Puppet Version: 6.2.0
      OS Name/Version: Windows Server 2016

      I'm trying to add an ACE to the ACL of a file in system32 with the acl puppet module. I'm having issues adding my ACE, because of this known limitation:
      "When referring to accounts in the APPLICATION PACKAGE AUTHORITY, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used."

      If I type out the full ACL with this workaround then it works: "S-1-15-2-2 or ALL RESTRICTED APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES. This account may only be referenced on Windows 2016 (kernel 10.0) or newer."

      But if I don't, then the ACL cannot be updated and I get the same error as when specifying the fully qualified name. It looks like, to me at least, that the module doesn't apply this fix internally.

      Desired Behavior:

      Should be able to add ACE to the ACL without needing to write out the whole ACL in the manifest.

      Actual Behavior:

      acl { 'c:/windows/system32/windowspowershell/v1.0/powershell.exe':
        permissions => [
          { identity => $sid_iis_iusrs, perm_type => 'deny', rights => ['full'] }
        ]
      }

      results in this error:

       

      Error: /Stage[main]/Main/Acl[c:/windows/system32/windowspowershell/v1.0/powershell.exe]: Could not evaluate: Failed to set security descriptor for path 'c:/windows/system32/windowspowershell/v1.0/powershell.exe': undefined method `bytesize' for nil:NilClass
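
The workaround the description reports as working, written out as an added example (not the reporter's manifest and not code from the acl module): every existing ACE is declared in the manifest, and the APPLICATION PACKAGE AUTHORITY accounts are referenced by SID. The value of `$sid_iis_iusrs` and the list of existing ACEs are assumptions constructed for illustration; the real entries must be read from the target file's ACL.

```puppet
# Added example. Assumption: the reporter's variable holds the well-known
# SID of BUILTIN\IIS_IUSRS.
$sid_iis_iusrs = 'S-1-5-32-568'

acl { 'c:/windows/system32/windowspowershell/v1.0/powershell.exe':
  permissions => [
    # The ACE the manifest is meant to add. Deny entries are listed first.
    { identity => $sid_iis_iusrs, perm_type => 'deny', rights => ['full'] },

    # Constructed list of the ACEs assumed to exist on the file already.
    # Declaring them makes them managed, so the module never has to resolve
    # an unmanaged ACE on its own.
    { identity => 'NT SERVICE\TrustedInstaller', rights => ['full'] },
    { identity => 'BUILTIN\Administrators',      rights => ['read', 'execute'] },
    { identity => 'NT AUTHORITY\SYSTEM',         rights => ['read', 'execute'] },
    { identity => 'BUILTIN\Users',               rights => ['read', 'execute'] },

    # APPLICATION PACKAGE AUTHORITY accounts: SID or unqualified name only,
    # never the fully qualified name.
    # S-1-15-2-1 = ALL APPLICATION PACKAGES
    { identity => 'S-1-15-2-1', rights => ['read', 'execute'] },
    # S-1-15-2-2 = ALL RESTRICTED APPLICATION PACKAGES (Windows 2016 or newer)
    { identity => 'S-1-15-2-2', rights => ['read', 'execute'] },
  ],
}
```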

              People

              Assignee:
              Unassigned
              Reporter:
              Mikkel Hvid
              Votes:
              1
              Watchers:
              3
