Details
- Improvement
- Status: Closed
- Major
- Resolution: Won't Fix
- None
- None
- None
- Windows
- 1
- Windows 2018-06-13, Windows 2018-06-27, Windows 2018-07-05, Windows 2018-07-11
- Normal
- 3 - 25-50% of Customers
- 3 - Serious
- 4 - $$$$$

Description
Puppet has traditionally been careful to separate out permissions when running as SYSTEM vs. a member of the Administrators group when it tries to emulate a POSIX root. This has led to a number of problems around permissions ordering within an ACL of ACEs, permissions being denied to the Puppet service for certain config files, etc.
The current NTFS permission code doesn't take into account that SYSTEM is actually an implicit / hidden member of the Administrators group, making some of the permissions code unnecessarily complex. This ticket would involve refactoring.
From my comment on PUP-5491:
I found a reference in Mechanics of User Identification and Authentication that explains this. SYSTEM is an implicit / hidden member of the Administrators group, which can be verified by opening a psexec session as SYSTEM and running whoami /groups in it:
C:\Users\Administrator\Downloads> psexec -s cmd.exe

PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>whoami /groups

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators                 Alias            S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label            S-1-16-16384

So my unverified theory is that some of the problems we've seen around permission management might be due to the ordering of the ACEs inside the DACL, since an explicit grant to Administrators should also cover SYSTEM in theory as well.
As a refresher, The Old New Thing talks about canonical ACE ordering and evaluation.
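
The two points in the description (a grant to Administrators reaching SYSTEM through its token, and ACE order changing the outcome) can be seen in a simplified model of the DACL walk. This is an added example, not Puppet's code and not part of the original ticket. It assumes explicit ACEs only, constructed permission bits, and the well-known SID S-1-5-18 for SYSTEM; `NO_ADMIN_TOKEN` is a hypothetical token used only for comparison.

```ruby
# Simplified model of a Windows DACL access check (illustration, not Puppet code).
ADMINISTRATORS = 'S-1-5-32-544' # from the whoami /groups output
EVERYONE       = 'S-1-1-0'      # from the whoami /groups output
AUTH_USERS     = 'S-1-5-11'     # from the whoami /groups output
SYSTEM         = 'S-1-5-18'     # well-known LocalSystem SID (not shown on the page)

READ  = 0x1 # constructed permission bits for this model, not real access masks
WRITE = 0x2

Ace = Struct.new(:type, :sid, :mask) # type is :allow or :deny

# A token carries the user SID plus its group SIDs, including the implicit one.
SYSTEM_TOKEN   = [SYSTEM, ADMINISTRATORS, EVERYONE, AUTH_USERS].freeze
# Hypothetical token: what SYSTEM would look like without the Administrators group.
NO_ADMIN_TOKEN = [SYSTEM, EVERYONE, AUTH_USERS].freeze

# Walk the ACEs in stored order. A matching deny on a still-wanted bit fails
# at once; a matching allow clears the bits it grants; leftovers are denied.
def access_granted?(token_sids, dacl, desired)
  remaining = desired
  dacl.each do |ace|
    next unless token_sids.include?(ace.sid)
    return false if ace.type == :deny && (ace.mask & remaining) != 0
    remaining &= ~ace.mask if ace.type == :allow
    return true if remaining.zero?
  end
  false
end

# For explicit ACEs, canonical order means every deny precedes every allow.
def canonical?(dacl)
  dacl.map { |ace| ace.type == :deny ? 0 : 1 }.each_cons(2).all? { |a, b| a <= b }
end

# Constructed sample DACLs.
ADMIN_ONLY    = [Ace.new(:allow, ADMINISTRATORS, READ | WRITE)].freeze
CANONICAL     = [Ace.new(:deny, EVERYONE, WRITE),
                 Ace.new(:allow, ADMINISTRATORS, READ | WRITE)].freeze
NON_CANONICAL = CANONICAL.reverse.freeze # same ACEs, allow stored first

if __FILE__ == $PROGRAM_NAME
  puts "Administrators grant reaches SYSTEM: #{access_granted?(SYSTEM_TOKEN, ADMIN_ONLY, READ | WRITE)}"
  puts "Same DACL, token without the group:  #{access_granted?(NO_ADMIN_TOKEN, ADMIN_ONLY, READ)}"
  [CANONICAL, NON_CANONICAL].each do |dacl|
    puts "canonical=#{canonical?(dacl)} SYSTEM write=#{access_granted?(SYSTEM_TOKEN, dacl, WRITE)}"
  end
end
```

The same two ACEs give SYSTEM a different write result depending only on their stored order, which is why a DACL that fails `canonical?` is worth flagging before reasoning about who has access.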
Issue Links
- relates to
  - PA-1165 Windows - pxp-agent.conf & server.cfg can only be accessed by local system account (Needs Information)
  - BKR-1478 beaker-pe should not backup the client_data directory (Resolved)
  - PA-910 windows agent permission errors (Closed)
  - PA-2019 Privilege escalation via %ProgramData%\PuppetLabs on Windows (Closed)
  - PUP-7793 Puppet agent replacing transactionstore.yaml on first run after boot (Closed)
  - PUP-9106 Windows file system ACLs should always write SYSTEM: (F) (Closed)
  - PUP-8771 Write integration/acceptance tests for NTFS permissions for PUP-6729 (Closed)
  - PUP-9068 Windows admin? check should consider group membership (Closed)
  - PUP-5491 The "client_data" Directory Permissions Incorrect After Installation (Resolved)
  - PUP-8966 Windows security integration tests fail when the user does not have elevated rights (Resolved)
  - PUP-266 Allow puppet to manage owner & group file settings (Redmine 18342) (Closed)
  - PUP-4684 windows file resource doesn't grant group full permissions (Closed)
  - PUP-8985 manage_internal_file_permissions should default to the new packaging default (Closed)
  - PUP-8939 Administrators are not able to run puppet agent when installed as SYSTEM in some cases (Closed)