Details
Description
Module Version: 2.1.0
Puppet Version: 6.2.0
OS Name/Version: Windows Server 2016
I'm trying to add an ACE to the ACL of a file in system32 with the acl puppet module. I'm having issues adding my ACE, because of this known limitation:
"When referring to accounts in the APPLICATION PACKAGE AUTHORITY, use either their SID values or their unqualified names. The Windows API has well documented bugs preventing the fully qualified account names from being used."
If I type out the full ACL with this workaround then it works: "S-1-15-2-2 or ALL RESTRICTED APPLICATION PACKAGES, but not APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES. This account may only be referenced on Windows 2016 (kernel 10.0) or newer."
But if I don't, then the ACL cannot be updated and I get the same error as when specifying the fully qualified name. It looks like, to me at least, that the module doesn't apply this fix internally.
Desired Behavior:
Should be able to add an ACE to the ACL without needing to write out the whole ACL in the manifest.
Actual Behavior:
    acl { 'c:/windows/system32/windowspowershell/v1.0/powershell.exe':
      permissions => [
        { identity => $sid_iis_iusrs, perm_type => 'deny', rights => ['full'] }
      ]
    }
results in this error:
Error: /Stage[main]/Main/Acl[c:/windows/system32/windowspowershell/v1.0/powershell.exe]: Could not evaluate: Failed to set security descriptor for path 'c:/windows/system32/windowspowershell/v1.0/powershell.exe': undefined method `bytesize' for nil:NilClass
Issue Links
- relates to
  - MODULES-5152 ACL: ALL APPLICATION PACKAGES causes issues with puppetlabs-acl module (Resolved)
  - PUP-5538 Puppet fails to convert Windows Unicode group or user names to sids (Closed)
  - MODULES-1226 ACL not functional with ALL APPLICATION PACKAGES group (Closed)
  - PUP-2985 Win32-Security does not work with fully qualified ALL APPLICATION PACKAGES group (Closed)
  - PUP-10899 Retrieve SID for users under 'APPLICATION PACKAGE AUTHORITY' (Resolved)