Puppet issue PUP-9068

Windows admin? check should consider group membership


Details

    • A user with elevated / admin tokens, that is not a member of the Administrators group, should write data to their home directory
    • Windows
    • 1
    • Windows 2018-10-3
    • Needs Assessment

    Description

In PA-2019, the installer was changed to lay down permissions differently so that ProgramData generally has Administrators: (F) and SYSTEM: (F) set recursively.

It's possible to create an "administrative" user based on their token privileges, but without actually making them part of the Administrators group. The elevated_security? check inside Puppet at https://github.com/puppetlabs/puppet/blob/e7839794a1d7d393e6716927764c1276494123c2/lib/puppet/util/windows/process.rb#L183-L205 will then pass, despite the user not being in Administrators.

If such a user is assigned to the Puppet service, then pandemonium ensues, given how permissions are set on ProgramData\PuppetLabs.

The admin? check should be altered to check whether the user is part of Administrators or not. This determines where data can be written for that user.
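An added illustration (not Puppet's code) of the distinction the issue draws: a membership check keyed on the BUILTIN\Administrators SID versus a privilege-based check. It parses constructed rows in the shape of `whoami /groups /fo csv /nh` output; the privilege list used by `elevated_by_privilege?` is an assumption standing in for a token-privilege check, not Puppet's actual logic.

```ruby
require 'csv'

# Well-known SID of BUILTIN\Administrators: membership in this group, not the
# privileges held by the token, is what the admin? check should test.
ADMINISTRATORS_SID = 'S-1-5-32-544'.freeze

# Parse rows shaped like `whoami /groups /fo csv /nh` into hashes.
def parse_token_groups(csv_text)
  CSV.parse(csv_text).map do |name, type, sid, attrs|
    { name: name, type: type, sid: sid,
      attributes: attrs.to_s.split(',').map(&:strip) }
  end
end

# Membership check: the Administrators SID must be present and enabled. A
# UAC-filtered token still lists the group, but as "Group used for deny only",
# which must not count as membership.
def member_of_administrators?(groups)
  groups.any? do |g|
    g[:sid] == ADMINISTRATORS_SID &&
      g[:attributes].include?('Enabled group') &&
      !g[:attributes].include?('Group used for deny only')
  end
end

# Hypothetical privilege-based check (an assumption, not Puppet's logic):
# treats holding any of these privileges as "administrative".
ADMIN_LIKE_PRIVILEGES = %w[SeDebugPrivilege SeTakeOwnershipPrivilege
                           SeBackupPrivilege SeRestorePrivilege].freeze
def elevated_by_privilege?(privileges)
  (privileges & ADMIN_LIKE_PRIVILEGES).any?
end

# Evaluate both views so the divergence the issue describes is visible:
# a token can look "admin" by privilege while not being a group member.
def classify(groups_csv, privileges)
  member = member_of_administrators?(parse_token_groups(groups_csv))
  return :administrators_member if member
  elevated_by_privilege?(privileges) ? :privileged_non_member : :standard_user
end

# Constructed sample rows, not captured from a real host.
ADMIN_GROUPS = <<~CSV
  "BUILTIN\\Administrators","Alias","S-1-5-32-544","Mandatory group, Enabled by default, Enabled group"
CSV
SERVICE_ACCOUNT_GROUPS = <<~CSV
  "BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
CSV
FILTERED_ADMIN_GROUPS = <<~CSV
  "BUILTIN\\Administrators","Alias","S-1-5-32-544","Group used for deny only"
CSV
puts classify(SERVICE_ACCOUNT_GROUPS, %w[SeDebugPrivilege SeBackupPrivilege])
```

The service-account sample is the case from the issue: privileged by token, yet not a member, so it classifies as `:privileged_non_member` and should not be treated as an administrator for ProgramData permission purposes.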

People

Assignee: Unassigned
Reporter: Ethan Brown (ethan)