Uploaded image for project: 'Puppet Agent'
  1. Puppet Agent
  2. PA-2075

Windows install corrupting permissions

    XMLWordPrintable

    Details

    • Template:
    • Epic Link:
    • Team:
      Windows
    • Sprint:
      Windows 2018-06-13
    • Method Found:
      Needs Assessment
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Hide
      The previous version of the Windows Puppet agent installer had an internal MSI property resolution issue that could be triggered when a requesting that msiexec install the same version of the Puppet agent package that was already installed on the node. In those rare instances, and when combined with the permission resetting code introduced in PA-2019 as a response to CVE-2018-6513, the Puppet agent package could execute `takeown.exe` and `icacls.exe` against the filesystem root (`C:\`), resulting in incorrectly rewritten permissions across the filesystem.

      Using the Chocolatey package provider to perform an in-place upgrade of the Puppet package during a Puppet run, which is the workflow used by Foreman, most commonly triggered this behavior.

      This version of Puppet agent resolves both of these problems by implementing a workaround of the MSI property resolution issue and making the PA-2019 permission resetting code more defensive.
      Show
      The previous version of the Windows Puppet agent installer had an internal MSI property resolution issue that could be triggered when a requesting that msiexec install the same version of the Puppet agent package that was already installed on the node. In those rare instances, and when combined with the permission resetting code introduced in PA-2019 as a response to CVE-2018-6513, the Puppet agent package could execute `takeown.exe` and `icacls.exe` against the filesystem root (`C:\`), resulting in incorrectly rewritten permissions across the filesystem. Using the Chocolatey package provider to perform an in-place upgrade of the Puppet package during a Puppet run, which is the workflow used by Foreman, most commonly triggered this behavior. This version of Puppet agent resolves both of these problems by implementing a workaround of the MSI property resolution issue and making the PA-2019 permission resetting code more defensive.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Users are reporting that the agent install on Windows is corrupting permissions. See comments in: https://chocolatey.org/packages/puppet-agent

        Attachments

          Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. PA-2019 Privilege escalation via %ProgramData%\PuppetLabs on Windows

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Task - A task that needs to be done. PA-2112 Refactor Windows permission reset custom actions to a single vbscript custom action

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. PA-2113 Only take ownership / reset Windows permissions once

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

            Activity

              People

              Assignee:
              ethan Ethan Brown
              Reporter:
              bradejr Rob Braden
              Votes:
              0 Vote for this issue
              Watchers:
              22 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support