MODULES-9215

ACL: Cannot update ACL if there is an existing unmanaged ACE for ALL RESTRICTED APPLICATION PACKAGES



    • Bug
    • Status: Open
    • Normal
    • Resolution: Unresolved
    • acl
    • Windows Server 2016 



    • Should be able to update ACL without error.
    • Needs Assessment


      Module Version: 2.1.0
      Puppet Version: 6.2.0
      OS Name/Version: Windows Server 2016

      I'm trying to add an ACE to the ACL of a file in system32 with the acl puppet module. I'm having issues adding my ACE, because of this known limitation:
      "When referring to accounts in the APPLICATION PACKAGE AUTHORITY, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used."

      If I type out the full ACL with this workaround then it works: "S-1-15-2-2 or ALL RESTRICTED APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES. This account may only be referenced on Windows 2016 (kernel 10.0) or newer."

      But if I don't, then the ACL cannot be updated and I get the same error as when specifying the fully qualified name. It looks like, to me at least, that the module doesn't apply this fix internally.

      Desired Behavior:

      Should be able to add ACE to the ACL without needing to write out the whole ACL in the manifest.

      Actual Behavior:


      acl { 'c:/windows/system32/windowspowershell/v1.0/powershell.exe':
        permissions => [
          { identity => $sid_iis_iusrs, perm_type => 'deny', rights => ['full'] },
        ],
      }

      results in this error:


      Error: /Stage[main]/Main/Acl[c:/windows/system32/windowspowershell/v1.0/powershell.exe]: Could not evaluate: Failed to set security descriptor for path 'c:/windows/system32/windowspowershell/v1.0/powershell.exe': undefined method `bytesize' for nil:NilClass


              Unassigned Unassigned
              MikkelHvid Mikkel Hvid
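
To check whether a file already carries an ACE for an APPLICATION PACKAGE AUTHORITY account (such as the S-1-15-2-2 SID quoted in the report) before managing it with the acl module, the ACL can be read by SID instead of by account name. This is an added example, not part of the original report or of the acl module's code; the function name Get-AppPackageAce is hypothetical.

```powershell
# Added example: list ACEs whose trustee SID begins with S-1-15-2-
# (the APPLICATION PACKAGE AUTHORITY range, which includes S-1-15-2-2).
# The ACL is read by SID, so no account-name lookup is needed to find them.
# Get-AppPackageAce is a hypothetical helper name, not part of any module.
function Get-AppPackageAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Path
    )

    $acl     = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    # Arguments: includeExplicit = $true, includeInherited = $true
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($sid -notlike 'S-1-15-2-*') { continue }

        # SID -> name is for display only; a failed lookup must not hide the ACE.
        try {
            $name = $ace.IdentityReference.Translate($ntType).Value
        } catch {
            $name = '<unresolved>'
        }

        [pscustomobject]@{
            Path      = $Path
            Sid       = $sid
            Name      = $name
            Type      = $ace.AccessControlType
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# The file from the report; any path can be substituted.
Get-AppPackageAce -Path 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' |
    Format-Table -AutoSize
```

An empty result means the file has no ACE in that SID range; any rows returned are the entries the report describes as existing and unmanaged.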