Details
- Bug
- Status: Resolved
- Normal
- Resolution: Fixed
- None
- None
- Puppet Agent: 9c0a93a43b597dca2ce14485b635389b3dfbbeca
  PE Version: 2015.2.1
  Master OS: CentOS 7 x64
  Agent OS: Windows Server 2008 R2 x64
- Windows
- 1
- Windows 2018-08-01, Windows 2018-08-08
Description
If a user installs the Puppet Agent and allows the service to start after installation, the ACE on the "client_data" directory will be incorrect:
C:\ProgramData\PuppetLabs\puppet>icacls.exe cache\client_data
cache\client_data BUILTIN\Administrators:(F)
                  NT AUTHORITY\SYSTEM:(RX)
                  Everyone:(Rc,S,RA)
                  CREATOR OWNER:(CI)(IO)(F)
                  CREATOR GROUP:(CI)(IO)(RX)
                  CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO,DC)
                  CREATOR GROUP:(OI)(IO)(R)

Successfully processed 1 files; Failed processing 0 files
Note: This assumes that the "puppet" server does not actually exist. This would happen when a user interactively installs the MSI and leaves the default "puppet" server name. After the installation, the user would have to manually update "puppet.conf" to point to the correct master server.
Attachments
- None
Repro Steps
- Open a console and install the Puppet Agent onto the SUT (Note: The service is NOT disabled when the agent is installed):
msiexec.exe /i puppet-agent-1.2.7.421.g9c0a93a-x64.msi /qn /L*V C:\Windows\TEMP\install-puppet.log
- Get the ACL for the "C:\ProgramData\PuppetLabs\puppet\cache\client_data" directory:
cd C:\ProgramData\PuppetLabs\puppet
icacls.exe cache\client_data
Expect
The ACE for SYSTEM should be full control.
Actual
The ACE for SYSTEM is only RX:
C:\ProgramData\PuppetLabs\puppet>icacls.exe cache\client_data
cache\client_data BUILTIN\Administrators:(F)
                  NT AUTHORITY\SYSTEM:(RX)
                  Everyone:(Rc,S,RA)
                  CREATOR OWNER:(CI)(IO)(F)
                  CREATOR GROUP:(CI)(IO)(RX)
                  CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO,DC)
                  CREATOR GROUP:(OI)(IO)(R)

Successfully processed 1 files; Failed processing 0 files
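A check for the condition in this report, as an added example (not part of the ticket or of Puppet's code): it parses icacls output and reports a directory whose own ACL does not give NT AUTHORITY\SYSTEM full control. The function names are hypothetical; the first sample is the output quoted above and the second is constructed.

```python
import re

# One ACE as icacls prints it: "PRINCIPAL:(flag)(flag)(rights)".
ACE_RE = re.compile(r"^(?P<who>[^:()]+):(?P<groups>(?:\([^()]*\))+)$")
# Parenthesised groups that are not access rights: inheritance flags and the deny marker.
NON_RIGHTS = {"OI", "CI", "IO", "NP", "I", "DENY"}

def parse_icacls(output, path):
    """Return (principal, flags, rights) for each ACE icacls listed for `path`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):          # the path is printed before the first ACE only
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:                          # prompt, blank line, or the summary line
            continue
        groups = re.findall(r"\(([^()]*)\)", m.group("groups"))
        flags = {g for g in groups if g in NON_RIGHTS}
        rights = {r for g in groups if g not in NON_RIGHTS for r in g.split(",")}
        aces.append((m.group("who").strip(), flags, rights))
    return aces

def system_ace_problems(output, path, principal=r"NT AUTHORITY\SYSTEM"):
    """Return reasons the ACL misses the ticket's expectation (SYSTEM: full control)."""
    # Inherit-only (IO) ACEs affect children, not the directory itself, so skip them.
    direct = [a for a in parse_icacls(output, path)
              if a[0].upper() == principal.upper() and not a[1] & {"IO", "DENY"}]
    if not direct:
        return [f"no allow ACE for {principal} applies to {path} itself"]
    granted = set().union(*(rights for _, _, rights in direct))
    if "F" not in granted:
        return [f"{principal} has {sorted(granted)} on {path}, expected F"]
    return []

PATH = r"cache\client_data"
# Output copied from the report above.
REPORTED = r"""C:\ProgramData\PuppetLabs\puppet>icacls.exe cache\client_data
cache\client_data BUILTIN\Administrators:(F)
                  NT AUTHORITY\SYSTEM:(RX)
                  Everyone:(Rc,S,RA)
                  CREATOR OWNER:(CI)(IO)(F)
                  CREATOR GROUP:(CI)(IO)(RX)
                  CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO,DC)
                  CREATOR GROUP:(OI)(IO)(R)

Successfully processed 1 files; Failed processing 0 files"""
# Constructed sample: the same listing with the SYSTEM ACE the ticket expects.
FIXED_SAMPLE = REPORTED.replace("SYSTEM:(RX)", "SYSTEM:(F)")
```

`system_ace_problems(REPORTED, PATH)` returns one finding for the listing in this ticket and an empty list for the constructed sample.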
Issue Links
- is blocked by
  - PA-2112 Refactor Windows permission reset custom actions to a single vbscript custom action (Closed)
- relates to
  - PUP-9106 Windows file system ACLs should always write SYSTEM: (F) (Closed)
  - PUP-6729 NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators (Closed)
  - PUP-8939 Administrators are not able to run puppet agent when installed as SYSTEM in some cases (Closed)
  - PUP-5480 Puppet does not apply inheritable SYSTEM permissions to directories it manages on Windows under certain circumstances (Closed)
  - PUP-4684 windows file resource doesn't grant group full permissions (Closed)