Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9106

Windows file system ACLs should always write SYSTEM: (F)



      • New spec tests that demonstrate a SYSTEM octal mode other than 7 is always written as (F)
      • A new warning message is emitted under scenarios where an attempt is made to write SYSTEM other than F
    • Windows
    • 1
    • Windows 2018-09-19, Windows 2018-09-26, Windows 2018-10-3, Windows 2018-10-10, Windows 2018-10-17, Windows 2018-10-24
    • Needs Assessment
    • Bug Fix
    • It was possible to create files and directories on Windows computers which restricted access to the Local System account. Now Puppet will detect when this happens and automatically grant Local System full rights.
    • Needs Assessment


      When creating Windows ACLs when writing file permissions, the current code allows for the SYSTEM ACE to be written as something other than F (Full Control). This can be problematic as it can result in files that cannot have permissions reset, or that may be inaccessible to Puppet itself (which typically runs as SYSTEM).

      In practical terms, there is no good reason to set SYSTEM permissions to anything other than F and Puppet should disallow that.

      At one point the Puppet code was modified as part of https://projects.puppetlabs.com/issues/15559 (related to PUP-5480) in https://github.com/puppetlabs/puppet/commit/b578ed48ac9585edb86b296e99f8aeeecc02fb4e#diff-a788175040b15f1e899dae62e4c1b8c6 to re-add a missing SYSTEM if it wasn't already specified.

      We never took the additional step of making sure that SYSTEM can only be set to F, which in hindsight, seems like the right approach, given what is now known about permissions management and the work that was done as part of PA-2019 and PUP-5985.

      One thing to note is that this will technically be a breaking change. This could cause idempotency issues under a few (highly unlikely) circumstances:

      • If SYSTEM is explicitly managed and set to an octal mode other than 7
      • If an octal mode is set inconsistently for a file where the user and group are both SYSTEM (this would have already been a problem)
      • On older Puppet versions with manage_internal_file_permissions set to true on Windows (this is not a concern now though given work in PUP-5985) where Puppet tried to manage its own files

      Given the low likelihood of a manifest explicitly specifying SYSTEM other than F, but the Puppet code actually writing F as a result of this fix - this should be corrected.

      In addition, a debug message should be emitted that an attempt to set SYSTEM other than F was intercepted and corrected (at the very least, this may help find some internal bugs that should be fixed as well)


        Issue Links



              erick Erick Banks
              ethan Ethan Brown
              0 Vote for this issue
              5 Start watching this issue



                Zendesk Support