Uploaded image for project: 'Puppet Agent'
  1. Puppet Agent
  2. PA-2075

Windows install corrupting permissions

          Details

          • Release Notes:
            Bug Fix
          • Release Notes Summary:
            Hide
            The previous version of the Windows Puppet agent installer had an internal MSI property resolution issue that could be triggered when a requesting that msiexec install the same version of the Puppet agent package that was already installed on the node. In those rare instances, and when combined with the permission resetting code introduced in PA-2019 as a response to CVE-2018-6513, the Puppet agent package could execute `takeown.exe` and `icacls.exe` against the filesystem root (`C:\`), resulting in incorrectly rewritten permissions across the filesystem.

            Using the Chocolatey package provider to perform an in-place upgrade of the Puppet package during a Puppet run, which is the workflow used by Foreman, most commonly triggered this behavior.

            This version of Puppet agent resolves both of these problems by implementing a workaround of the MSI property resolution issue and making the PA-2019 permission resetting code more defensive.
            Show
            The previous version of the Windows Puppet agent installer had an internal MSI property resolution issue that could be triggered when a requesting that msiexec install the same version of the Puppet agent package that was already installed on the node. In those rare instances, and when combined with the permission resetting code introduced in PA-2019 as a response to CVE-2018-6513, the Puppet agent package could execute `takeown.exe` and `icacls.exe` against the filesystem root (`C:\`), resulting in incorrectly rewritten permissions across the filesystem. Using the Chocolatey package provider to perform an in-place upgrade of the Puppet package during a Puppet run, which is the workflow used by Foreman, most commonly triggered this behavior. This version of Puppet agent resolves both of these problems by implementing a workaround of the MSI property resolution issue and making the PA-2019 permission resetting code more defensive.
          • QA Risk Assessment:
            Needs Assessment

            Description

            Users are reporting that the agent install on Windows is corrupting permissions. See comments in: https://chocolatey.org/packages/puppet-agent

              Attachments

                Issue Links

                relates to

                Bug - A problem which impairs or prevents the functions of the product. PA-2019 Privilege escalation via %ProgramData%\PuppetLabs on Windows

                • Normal - Regular issue, some loss of functionality under specific circumstances.
                • Closed

                Task - A task that needs to be done. PA-2112 Refactor Windows permission reset custom actions to a single vbscript custom action

                • Blocker - Blocks development and/or testing work, production could not run.
                • Closed

                Improvement - An improvement or enhancement to an existing feature or task. PA-2113 Only take ownership / reset Windows permissions once

                • Critical - Crashes, loss of data, severe memory leak.
                • Closed

                  Activity

                    People

                    • Assignee:
                      ethan Ethan Brown
                      Reporter:
                      bradejr Rob Braden
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      22 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved:

                        Zendesk Support