Uploaded image for project: 'Puppet Agent'
  1. Puppet Agent
  2. PA-2113

Only take ownership / reset Windows permissions once

    XMLWordPrintable

Details

    • Hide
      • Running the installer a second time after perms are reset should default to not changing permissions
      • The PowerShell script should emit log messages that indicate whether actions were performed
      • Manual verification sufficient
      Show
      Running the installer a second time after perms are reset should default to not changing permissions The PowerShell script should emit log messages that indicate whether actions were performed Manual verification sufficient
    • Windows
    • 1
    • Windows 2018-08-01, Windows 2018-08-08
    • Bug Fix
    • The puppet agent installer now idempotently sets permissions on the install folder on Windows. Previously it would run takeown and icacls against the folder recursively, potentially taking many minutes to run.
    • Needs Assessment

    Description

      As part of PA-2019, code was added to the installer to reset permissions on C:\ProgramData\PuppetLabs by calling a combination of takeown and icacls.

      On hosts that have many filebucket'd files, this can take > 10 minutes, even on extremely fast hardware.

      Therefore, ensure that actions are skipped when not necessary.

       

      At first, it was thought that the installer could use the remembered property pattern that is used for saving other installer state. Instead, discussion led the team to instead use the file system itself as the source of truth.

       

      For instance, before recursively calling takeown against C:\ProgramData\puppetlabs, if the state is as desired, do not perform the action.  There are clearly times this won't work as desired if the parent directory matches the desired state, but children have been manipulated. However, such cases should be rare. Further, to address that problem, additional consideration should be given to the following:

      • An MSI property that overrides the heuristic used to determine whether to call permissions resetting code (in other words, can resetting be forced by supplying an MSI property)
      • Should the MSI repair mode automatically imply that the permissions reset code is run

       

      This ticket is blocked on refactoring the 7 custom actions to a single PowerShell action in PA-2112

      Attachments

        Issue Links

          is blocked by

          Task - A task that needs to be done. PA-2112 Refactor Windows permission reset custom actions to a single vbscript custom action

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. PA-2075 Windows install corrupting permissions

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. PA-2019 Privilege escalation via %ProgramData%\PuppetLabs on Windows

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Activity

            People

              ethan Ethan Brown
              ethan Ethan Brown
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support