Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-5491

The "client_data" Directory Permissions Incorrect After Installation

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Windows
    • Labels:
    • Environment:
    • Template:
    • Team:
      Windows
    • Story Points:
      1
    • Sprint:
      Windows 2018-08-01, Windows 2018-08-08

      Description

      Description

      If a user installs the Puppet Agent and allows the service to start after installation the ACE on the "client_data" directory will be incorrect:

      C:\ProgramData\PuppetLabs\puppet>icacls.exe cache\client_data
      cache\client_data BUILTIN\Administrators:(F)
                        NT AUTHORITY\SYSTEM:(RX)
                        Everyone:(Rc,S,RA)
                        CREATOR OWNER:(CI)(IO)(F)
                        CREATOR GROUP:(CI)(IO)(RX)
                        CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO,DC)
                        CREATOR GROUP:(OI)(IO)(R)
       
      Successfully processed 1 files; Failed processing 0 files

      Note: This assumes that the "puppet" server does not actually exist. This would happen in the situation where a user will interactively install the MSI and leave the default "puppet" server name. After the installation the user would have to manually update the "puppet.conf" to point to the correct master server.

      Attachments

      • None

      Repro Steps

      1. Open a console and install the Puppet Agent onto the SUT (Note: The service is NOT disabled when the agent is installed):

        msiexec.exe /i puppet-agent-1.2.7.421.g9c0a93a-x64.msi /qn /L*V C:\Windows\TEMP\install-puppet.log

      2. Get the ACL for the "C:\ProgramData\PuppetLabs\puppet\cache\client_data" directory:

        cd C:\ProgramData\PuppetLabs\puppet
        icacls.exe cache\client_data
        

      Expect

      The ACE for SYSTEM should be full control.

      Actual

      The ACE for SYSTEM is only RX:

      C:\ProgramData\PuppetLabs\puppet>icacls.exe cache\client_data
      cache\client_data BUILTIN\Administrators:(F)
                        NT AUTHORITY\SYSTEM:(RX)
                        Everyone:(Rc,S,RA)
                        CREATOR OWNER:(CI)(IO)(F)
                        CREATOR GROUP:(CI)(IO)(RX)
                        CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO,DC)
                        CREATOR GROUP:(OI)(IO)(R)
       
      Successfully processed 1 files; Failed processing 0 files

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              glenn.sarti Glenn Sarti
              Reporter:
              ryan.gard Ryan Gard
              Votes:
              1 Vote for this issue
              Watchers:
              10 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support