[PUP-6729] NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators - Puppet Tickets

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Won't Fix
Affects Version/s: None
Fix Version/s: PUP 6.0.0
Component/s: None
Labels:
None

Acceptance Criteria:
Hide

Permissions should be laid down simpler - for instance, its typically unnecessary to set both Administrators and SYSTEM permissions when they are the same.

Beaker suite workarounds (like those found in pxp-agent and mcollective suites) should be able to be removed
Show
Permissions should be laid down simpler - for instance, its typically unnecessary to set both Administrators and SYSTEM permissions when they are the same. Beaker suite workarounds (like those found in pxp-agent and mcollective suites) should be able to be removed
Epic Link:
Windows NTFS and Permissions Improvements
Team:
Windows
Story Points:
1
Sprint:
Windows 2018-06-13, Windows 2018-06-27, Windows 2018-07-05, Windows 2018-07-11

CS Priority:
Normal
CS Frequency:
3 - 25-50% of Customers
CS Severity:
3 - Serious
CS Business Value:
4 - $$$$$
CS Impact:

Hide
Customers might assume that running puppet agent -t it would have the same result as a normal puppet daemon run, but it doesn't because puppet runs as LOCALSYSTEM when it's a daemon, but as the user calling it when it's run as puppet agent -t.

It would seem as though we want puppet to assign permissions to the LocalAdministrator group no matter which user it runs under(LOCALSYSTEM or a administrator) to avoid these oddities.

Show
Customers might assume that running puppet agent -t it would have the same result as a normal puppet daemon run, but it doesn't because puppet runs as LOCALSYSTEM when it's a daemon, but as the user calling it when it's run as puppet agent -t. It would seem as though we want puppet to assign permissions to the LocalAdministrator group no matter which user it runs under(LOCALSYSTEM or a administrator) to avoid these oddities.

Description

Puppet has traditionally been careful to separate out permissions when running as a SYSTEM vs a member of the Administrators group when it tries to emulate a POSIX root. This has led to a number of problems around permissions ordering within an ACL of ACEs, permissions being denied to the Puppet service for certain config files, etc.

The current NTFS permission code doesn't take into account that SYSTEM is actually an implicit / hidden member of the Administrators group, making some of the permissions code unnecessarily complex. This ticket would involve refactoring.

From my comment on ~~PUP-5491~~:

I found a reference in Mechanics of User Identification and Authentication that explains this. SYSTEM is an implicit / hidden member of the Administrators group, which can be verified by opening a psexec session as SYSTEM and running whoami /groups in it:

C:\Users\Administrator\Downloads> psexec -s cmd.exe

PsExec v2.11 - Execute processes remotely

Copyright (C) 2001-2014 Mark Russinovich

Sysinternals - www.sysinternals.com

Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami

nt authority\system

C:\Windows\system32>whoami /groups

GROUP INFORMATION

-----------------

Group Name                             Type             SID          Attributes

====================================== ================ ============ ==================================================

BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner

Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group

NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group

Mandatory Label\System Mandatory Level Label            S-1-16-16384

So my unverified theory is that some of the problems we've seen around permission management might be due to the ordering of the ACEs inside the DACL, since an explicit grant to Administrators should also cover SYSTEM in theory as well.

As a refresher, The Old New Thing talks about canonical ACE ordering and evaluation

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

cache ACL after razor install.png
680 kB
2017/10/05 9:16 PM
perms_admininstall.log
13 kB
2017/04/25 11:57 AM
perms_systeminstall.log
11 kB
2017/04/25 11:57 AM

Issue Links

relates to

PA-1165 Windows - pxp-agent.conf & server.cfg can only be accessed by local system account

Needs Information

BKR-1478 beaker-pe should not backup the client_data directory

Resolved

PA-910 windows agent permission errors

Closed

PA-2019 Privilege escalation via %ProgramData%\PuppetLabs on Windows

Closed

PUP-7793 Puppet agent replacing transactionstore.yaml on first run after boot

Closed

PUP-9106 Windows file system ACLs should always write SYSTEM: (F)

Closed

PUP-8771 Write integration/acceptance tests for NTFS permissions for PUP-6729

Closed

PUP-9068 Windows admin? check should consider group membership

Closed

PUP-5491 The "client_data" Directory Permissions Incorrect After Installation

Resolved

PUP-8966 Windows security integration tests fail when the user does not have elevated rights

Resolved

PUP-266 Allow puppet to manage owner & group file settings (Redmine 18342)

Closed

PUP-4684 windows file resource doesn't grant group full permissions

Closed

PUP-8985 manage_internal_file_permissions should default to the new packaging default

Closed

PUP-8939 Administrators are not able to run puppet agent when installed as SYSTEM in some cases

Closed

(9 relates to)

NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Zendesk Support