Issue #22064 has been updated by Josh Cooper.

Status changed from In Topic Branch Pending Review to Merged - Pending Release
Affected Facter version set to development

Merged in <https://github.com/puppetlabs/puppet_for_the_win/commit/bc232471594efaa5b41467494b5ef14917bc7404>.

Just to be clear, this does not affect existing users, because facter would 
never attempt to load executable external facts from the facts.d directory. 
However, now that we've implemented that in #21699, the installer will now 
correctly apply the following permissions, both for new installs and upgrades:

<pre>
C:\>icacls c:\ProgramData\PuppetLabs\facter\facts.d
c:\ProgramData\PuppetLabs\facter\facts.d Everyone:(OI)(CI)(RX)
                                         BUILTIN\Administrators:(OI)(CI)(F)
                                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
</pre>

In other words, <b>Administrators</b> and <b>SYSTEM</b> are allowed to write 
into the `facts.d` directory, while everyone else can read & execute.

----------------------------------------
Bug #22064: Potential Local Escalation issue with Facts.d folder for executable 
facts on Windows
https://projects.puppetlabs.com/issues/22064#change-96511

* Author: Rob Reynolds
* Status: Merged - Pending Release
* Priority: High
* Assignee: Rob Reynolds
* Category: 
* Target version: 1.7.3
* Keywords: windows
* Branch: https://github.com/puppetlabs/puppet_for_the_win/pull/50
* Affected Facter version: development
----------------------------------------
When we enable executable facts, we need to ensure the facts.d folder is locked 
down by the installer.
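
An added example, not part of the original notification or the Puppet installer: a small Python check that parses `icacls` output for `facts.d` and reports any principal other than Administrators and SYSTEM that holds a write-capable right. The function names and the second sample are constructed for illustration; the first sample is the output quoted in the update above.

```python
import re

PATH = r"c:\ProgramData\PuppetLabs\facter\facts.d"
# Principals the notification says may write into facts.d.
TRUSTED = {r"builtin\administrators", r"nt authority\system"}
# icacls rights that let a principal add or alter files, or rewrite the ACL.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC", "GW", "GA", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
ACE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")

# Output quoted in the notification above.
PAGE_OUTPUT = r"""
c:\ProgramData\PuppetLabs\facter\facts.d Everyone:(OI)(CI)(RX)
                                         BUILTIN\Administrators:(OI)(CI)(F)
                                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
"""
# Constructed sample of a directory that is not locked down.
WEAK_OUTPUT = r"""
c:\ProgramData\PuppetLabs\facter\facts.d BUILTIN\Users:(OI)(CI)(M)
                                         BUILTIN\Administrators:(OI)(CI)(F)
"""

def parse_icacls(output, path=PATH):
    """Return [(principal, rights)] for each allow ACE in icacls output."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        match = ACE.match(line)
        if not match:
            continue  # prompt line, blank line or status message
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", match.group(2)):
            tokens.update(t.strip() for t in group.split(","))
        if "DENY" in tokens:
            continue  # deny ACEs grant nothing
        entries.append((match.group(1), tokens - INHERIT_FLAGS))
    return entries

def unexpected_writers(output, path=PATH):
    """Principals outside TRUSTED holding any write-capable right."""
    return sorted(p for p, rights in parse_icacls(output, path)
                  if p.lower() not in TRUSTED and rights & WRITE_RIGHTS)

if __name__ == "__main__":
    for name, text in (("page", PAGE_OUTPUT), ("weak", WEAK_OUTPUT)):
        print(name, unexpected_writers(text) or "ok")
```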

