[PUP-9722] Regression: File mode changed on every puppet run - Puppet Jira Server

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: PUP 5.5.10, PUP 5.5.12, PUP 5.5.14
Fix Version/s: PUP 5.5.17, PUP 6.4.4, PUP 6.8.0
Component/s: Catalog Application, Types and Providers, Windows
Labels:
- resolved-issue-added

Master OS:
RHEL 7 (x86_64)
Team:
Night's Watch
Story Points:
3
Sprint:
PR - 2019-06-12, PR - 2019-06-25, PR - 2019-07-10, PR - 2019-07-23, NW - 2019-08-07
Method Found:
Needs Assessment

Release Notes:
Bug Fix
Release Notes Summary:

Hide
When a puppet apply that changes the mode is run on a file inside a protected windows directory, puppet will change the mode on every run, even if the desired mode matches the current mode.

This fix improves the analysis of the file mode, so that if the desired mode matches the current mode, it will not set the mode.

Show
When a puppet apply that changes the mode is run on a file inside a protected windows directory, puppet will change the mode on every run, even if the desired mode matches the current mode. This fix improves the analysis of the file mode, so that if the desired mode matches the current mode, it will not set the mode.

QA Risk Assessment:
Needs Assessment

Description

Puppet Version: 5.5.14, 5.5.10
Puppet Server Version: 5.3.8
OS Name/Version: Windows 10 / 1809

File modes are applied on every puppet run at least if files reside in special folders like "Program Files" and "Windows". This was working in 5.5.1

Reproducible: Always, see example below

Desired Behavior:

File modes are not changed

Actual Behavior:

File modes are changed with every run (mode changed '2000644' to '0644')

Example

C:\Users\administrator>cacls C:\Windows\system32\puppet_facter_pci.ids.gz

C:\Windows\system32\puppet_facter_pci.ids.gz APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(special access:)

                                                                                                            READ_CONTROL

                                                                                                            FILE_READ_DATA

                                                                                                            FILE_READ_EA

                                                                                                            FILE_WRITE_EA                                             APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(CI)(IO)(special access:)

                                                                                                            GENERIC_READ                                             BUILTIN\Administrators:(special access:)

                                                                    STANDARD_RIGHTS_ALL

                                                                    DELETE

                                                                    READ_CONTROL

                                                                    WRITE_DAC

                                                                    WRITE_OWNER

                                                                    SYNCHRONIZE

                                                                    STANDARD_RIGHTS_REQUIRED

                                                                    FILE_GENERIC_READ

                                                                    FILE_GENERIC_WRITE

                                                                    FILE_READ_DATA

                                                                    FILE_WRITE_DATA

                                                                    FILE_APPEND_DATA

                                                                    FILE_READ_EA

                                                                    FILE_WRITE_EA

                                                                    FILE_READ_ATTRIBUTES

                                                                    FILE_WRITE_ATTRIBUTES                                             MBOX\Domain Admins:(special access:)

                                                                READ_CONTROL

                                                                SYNCHRONIZE

                                                                FILE_GENERIC_READ

                                                                FILE_READ_DATA

                                                                FILE_READ_EA

                                                                FILE_READ_ATTRIBUTES                                             Everyone:(special access:)

                                                      READ_CONTROL

                                                      SYNCHRONIZE

                                                      FILE_GENERIC_READ

                                                      FILE_READ_DATA

                                                      FILE_READ_EA

                                                      FILE_READ_ATTRIBUTES                                             NT AUTHORITY\SYSTEM:F

C:\Users\administrator>puppet apply -e "file { 'C:\Windows\system32\puppet_facter_pci.ids.gz': mode => '0644'}"

Notice: Compiled catalog for host in environment production in 0.02 seconds

Notice: /Stage[main]/Main/File[C:\Windows\system32\puppet_facter_pci.ids.gz]/mode: mode changed '2000644' to '0644'

Notice: Applied catalog in 0.77 secondsC:\Users\administrator>cacls C:\Windows\system32\puppet_facter_pci.ids.gz

C:\Windows\system32\puppet_facter_pci.ids.gz APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(special access:)

                                                                                                            READ_CONTROL

                                                                                                            FILE_READ_DATA

                                                                                                            FILE_READ_EA

                                                                                                            FILE_WRITE_EA                                             APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(CI)(IO)(special access:)

                                                                                                            GENERIC_READ                                             BUILTIN\Administrators:(special access:)

                                                                    STANDARD_RIGHTS_ALL

                                                                    DELETE

                                                                    READ_CONTROL

                                                                    WRITE_DAC

                                                                    WRITE_OWNER

                                                                    SYNCHRONIZE

                                                                    STANDARD_RIGHTS_REQUIRED

                                                                    FILE_GENERIC_READ

                                                                    FILE_GENERIC_WRITE

                                                                    FILE_READ_DATA

                                                                    FILE_WRITE_DATA

                                                                    FILE_APPEND_DATA

                                                                    FILE_READ_EA

                                                                    FILE_WRITE_EA

                                                                    FILE_READ_ATTRIBUTES

                                                                    FILE_WRITE_ATTRIBUTES                                             MBOX\Domain Admins:(special access:)

                                                                READ_CONTROL

                                                                SYNCHRONIZE

                                                                FILE_GENERIC_READ

                                                                FILE_READ_DATA

                                                                FILE_READ_EA

                                                                FILE_READ_ATTRIBUTES                                             Everyone:(special access:)

                                                      READ_CONTROL

                                                      SYNCHRONIZE

                                                      FILE_GENERIC_READ

                                                      FILE_READ_DATA

                                                      FILE_READ_EA

                                                      FILE_READ_ATTRIBUTES                                             NT AUTHORITY\SYSTEM:F

C:\Users\administrator>puppet apply -e "file { 'C:\Windows\system32\puppet_facter_pci.ids.gz': mode => '0644'}"

Notice: Compiled catalog for host in environment production in 0.02 seconds

Notice: /Stage[main]/Main/File[C:\Windows\system32\puppet_facter_pci.ids.gz]/mode: mode changed '2000644' to '0644'

Notice: Applied catalog in 0.75 seconds

Attachments

Activity

People

Assignee:: Dorin Pleava

Reporter:: Daniel Helgenberger

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2019/05/27 9:56 AM

Updated:: 2019/10/03 4:21 AM

Resolved:: 2019/07/31 11:39 PM