[PUP-5491] The "client_data" Directory Permissions Incorrect After Installation - Puppet Tickets

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Windows
Labels:
- windows
Environment:

Hide

Puppet Agent: 9c0a93a43b597dca2ce14485b635389b3dfbbeca
PE Version: 2015.2.1
Master OS: CentOS 7 x64
Agent OS: Windows Server 2008 R2 x64

Show
Puppet Agent: 9c0a93a43b597dca2ce14485b635389b3dfbbeca PE Version: 2015.2.1 Master OS: CentOS 7 x64 Agent OS: Windows Server 2008 R2 x64

Epic Link:
Windows NTFS and Permissions Improvements
Team:
Windows
Story Points:
1
Sprint:
Windows 2018-08-01, Windows 2018-08-08

Description

If a user installs the Puppet Agent and allows the service to start after installation the ACE on the "client_data" directory will be incorrect:

C:\ProgramData\PuppetLabs\puppet>icacls.exe cache\client_data

cache\client_data BUILTIN\Administrators:(F)

                  NT AUTHORITY\SYSTEM:(RX)

                  Everyone:(Rc,S,RA)

                  CREATOR OWNER:(CI)(IO)(F)

                  CREATOR GROUP:(CI)(IO)(RX)

                  CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO,DC)

                  CREATOR GROUP:(OI)(IO)(R)

Successfully processed 1 files; Failed processing 0 files

Note: This assumes that the "puppet" server does not actually exist. This would happen in the situation where a user will interactively install the MSI and leave the default "puppet" server name. After the installation the user would have to manually update the "puppet.conf" to point to the correct master server.

Attachments

None

Repro Steps

Open a console and install the Puppet Agent onto the SUT (Note: The service is NOT disabled when the agent is installed):
msiexec.exe /i puppet-agent-1.2.7.421.g9c0a93a-x64.msi /qn /L*V C:\Windows\TEMP\install-puppet.log
Get the ACL for the "C:\ProgramData\PuppetLabs\puppet\cache\client_data" directory:
cd C:\ProgramData\PuppetLabs\puppet
icacls.exe cache\client_data

Expect

The ACE for SYSTEM should be full control.

Actual

The ACE for SYSTEM is only RX:

C:\ProgramData\PuppetLabs\puppet>icacls.exe cache\client_data

cache\client_data BUILTIN\Administrators:(F)

                  NT AUTHORITY\SYSTEM:(RX)

                  Everyone:(Rc,S,RA)

                  CREATOR OWNER:(CI)(IO)(F)

                  CREATOR GROUP:(CI)(IO)(RX)

                  CREATOR OWNER:(OI)(IO)(R,W,D,WDAC,WO,DC)

                  CREATOR GROUP:(OI)(IO)(R)

Successfully processed 1 files; Failed processing 0 files

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

PUP-5491 Permissions Notes.jpg
1.06 MB
2015/11/25 1:27 PM

Issue Links

is blocked by

PA-2112 Refactor Windows permission reset custom actions to a single vbscript custom action

Closed

relates to

PUP-9106 Windows file system ACLs should always write SYSTEM: (F)

Closed

PUP-6729 NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

Closed

PUP-8939 Administrators are not able to run puppet agent when installed as SYSTEM in some cases

Closed

PUP-5480 Puppet does not apply inheritable SYSTEM permissions to directories it manages on Windows under certain circumstances

Closed

PUP-4684 windows file resource doesn't grant group full permissions

Closed

(1 relates to)

Activity

People

Assignee:: Glenn Sarti

Reporter:: Ryan Gard

Votes:: 1 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 2015/11/10 5:37 PM

Updated:: 2018/09/05 10:42 AM

Resolved:: 2018/08/07 8:47 PM

Details

Description

Description

Attachments

Repro Steps

Expect

Actual

Attachments

Attachments

Issue Links

Activity

People

Dates

Zendesk Support