Puppet / PUP-9068

Windows admin? check should consider group membership

    Details

    • Acceptance Criteria:
      • A user with elevated / admin tokens, that is not a member of the Administrators group, should write data to their home directory
    • Team:
      Windows
    • Story Points:
      1
    • Sprint:
      Windows 2018-10-3
    • QA Risk Assessment:
      Needs Assessment

      Description

      In PA-2019, the installer was changed to lay down permissions differently so that ProgramData generally has Administrators: (F) and SYSTEM: (F) set recursively.

      It's possible to create an "administrative" user based on their token privileges, but without actually making them part of the Administrators group. The check inside Puppet for elevated_security? at https://github.com/puppetlabs/puppet/blob/e7839794a1d7d393e6716927764c1276494123c2/lib/puppet/util/windows/process.rb#L183-L205 will then pass, despite the user not being in Administrators.

      If such a user is assigned to the Puppet service, then pandemonium ensues, given how permissions are set on ProgramData\PuppetLabs.

      The admin? check should be altered to check whether the user is part of Administrators or not. This determines where data can be written for that user.
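
The distinction described above, as an added Ruby example that is not Puppet's code: it models a token as constructed data instead of calling the Win32 API, so the `Token` struct, the method names and the sample accounts are hypothetical. Only the Administrators SID and the two group attribute flags are real Windows constants.

```ruby
# Added example: models token data as plain Ruby values; no Win32 calls are made.
ADMINISTRATORS_SID         = 'S-1-5-32-544' # well-known SID of BUILTIN\Administrators
SE_GROUP_ENABLED           = 0x00000004     # group is used for allow access checks
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010     # group only matches deny ACEs

# Hypothetical stand-in for what would be read from the process token.
# groups is a list of [sid, attribute_flags] pairs.
Token = Struct.new(:user, :elevated, :groups)

# Token-only test, the kind of check the ticket says is insufficient.
def token_only_admin?(token)
  token.elevated
end

# True only when Administrators is present and enabled in the token.
def administrators_member?(token)
  token.groups.any? do |sid, attrs|
    sid == ADMINISTRATORS_SID &&
      (attrs & SE_GROUP_ENABLED) != 0 &&
      (attrs & SE_GROUP_USE_FOR_DENY_ONLY).zero?
  end
end

# Combined check requested by the ticket: elevated AND in Administrators.
def admin?(token)
  token.elevated && administrators_member?(token)
end

# Where data should go: the ACL on ProgramData grants only Administrators and SYSTEM.
def data_location(token)
  admin?(token) ? :program_data : :home_directory
end

# Constructed sample tokens (SIDs other than S-1-5-32-544 are made up).
REAL_ADMIN = Token.new('admin1', true,
                       [[ADMINISTRATORS_SID, SE_GROUP_ENABLED]])
PRIVILEGED_NON_MEMBER = Token.new('svc_puppet', true,
                                  [['S-1-5-21-1111-2222-3333-1001', SE_GROUP_ENABLED]])
FILTERED_ADMIN = Token.new('admin2', false,
                           [[ADMINISTRATORS_SID, SE_GROUP_USE_FOR_DENY_ONLY]])

if __FILE__ == $PROGRAM_NAME
  [REAL_ADMIN, PRIVILEGED_NON_MEMBER, FILTERED_ADMIN].each do |t|
    puts format('%-12s token_only=%-5s admin?=%-5s -> %s',
                t.user, token_only_admin?(t), admin?(t), data_location(t))
  end
end
```

The `PRIVILEGED_NON_MEMBER` case is the account from the description: the token-only test passes, while the combined check sends its data to the home directory, matching the acceptance criteria.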

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  ethan Ethan Brown