Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-09-06 Thread Ethan Brown (JIRA)
Ethan Brown commented on PUP-6729

A couple of additional related tickets have been filed to wrap up this effort:

- PUP-8985 - set manage_internal_file_permissions to false in the packaging so that Puppet doesn't try to manage (and undo) ACLs set by the installer
- PUP-9068 - make sure that the check for Administrators includes group membership in addition to tokens
- PUP-9106 - when writing the SYSTEM ACE to the DACL, never write anything other than F

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-07-09 Thread Ethan Brown (JIRA)
Ethan Brown commented on PUP-6729

Given the above resolutions, going to close this as well as PUP-266 as won't fix, since we have alternative means of getting the desired behavior. Furthermore, we don't want any changes as a result of this work to unset the perms laid down by the installer for PA-2019. The only question that remains is what to do for gem workflows running as Administrator? We may have to do something under those circumstances if the directories haven't previously been touched?

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-07-05 Thread Ethan Brown (JIRA)
Ethan Brown commented on PUP-6729

I discussed manage_internal_file_permissions with Josh Cooper as well. I think we're both in agreement that we shouldn't allow it to be set to true on Windows because of all the potentially problematic side effects. I think we should probably file a couple of additional tickets on this:

- Warn / fail if manage_internal_file_permissions is true on Windows. I'm leaning toward fail given it will modify the perms work done for PUP-2019 + friends.
- Change the root? / admin? check on Windows to also vet that the user is part of the local Administrators group. Based on how permissions are now set, touching ProgramData with a user that is not Administrators is not a good idea and will certainly lead to problems. As Josh Cooper points out, the installer already covers adding the service user if it's not already a member of Administrators - https://github.com/puppetlabs/puppet-agent/blob/5e411af0080020f6952294182967d6d930823bb7/resources/windows/wix/users.wxs.erb#L7-L13. We're really only concerned with a few scenarios:
  - Was the service user identity changed after the install (i.e. from SYSTEM to a domain account)
  - Was the user purged from Administrators (could happen accidentally with Puppet for instance)
- Make sure that we never set SYSTEM perms as anything other than SYSTEM: (F)

I think we should still double-check the scenario where Puppet is installed fresh, then the first run is performed from a scheduled task. The inheritable permissions laid down by the installer should be sufficient given they include Administrators: (OI)(CI)(F) and SYSTEM: (OI)(CI)(F), but we want to make sure given we know the owner of the file will be the actual user and not Administrators as new files are created. Windows defaults should allow that to happen without Puppet writing DACLs, but we want to double check that just to be certain, given some users run Puppet on a schedule rather than as a service.
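
The ACL expectations named in the message above (inheritable Administrators: (OI)(CI)(F) and SYSTEM: (OI)(CI)(F) from the installer, and a SYSTEM ACE that is never anything other than F) can be checked offline against a directory's SDDL string. The Ruby script below is an added example, not part of the thread and not Puppet's code; the function names and the two sample SDDL strings are constructed for illustration, and it assumes the SDDL was exported beforehand, for instance from the Sddl property of Get-Acl output.

```ruby
# Added example (not Puppet code): audit a directory's SDDL string against the
# ACL expectations discussed in this thread. All names here are hypothetical.

ADMINISTRATORS  = 'S-1-5-32-544' # BUILTIN\Administrators, SDDL alias "BA"
LOCAL_SYSTEM    = 'S-1-5-18'     # NT AUTHORITY\SYSTEM, SDDL alias "SY"
SID_ALIASES     = { 'BA' => ADMINISTRATORS, 'SY' => LOCAL_SYSTEM }.freeze
FILE_ALL_ACCESS = 0x1f01ff       # the access mask icacls prints as (F)

Ace = Struct.new(:type, :flags, :rights, :sid) do
  def allow?
    type == 'A'
  end

  # Full control is written "FA" (or generic "GA"), or as a hex access mask.
  def full_control?
    return true if %w[FA GA].include?(rights)
    rights.match?(/\A0x\h+\z/i) && (rights.hex & FILE_ALL_ACCESS) == FILE_ALL_ACCESS
  end

  # (OI)(CI): the ACE propagates to child files and child directories.
  def inheritable?
    (%w[OI CI] - flags).empty?
  end
end

def resolve_sid(token)
  SID_ALIASES.fetch(token, token)
end

# Split an SDDL string into the owner SID and the list of DACL ACEs.
# ACE layout: type;flags;rights;object_guid;inherit_object_guid;account_sid
def parse_sddl(sddl)
  owner = sddl[/\AO:(S-[\d-]+|[A-Z]{2})/, 1]
  dacl  = sddl[/D:[A-Z]*((?:\([^)]*\))*)/, 1].to_s
  aces  = dacl.scan(/\(([^)]*)\)/).flatten.map do |body|
    type, flags, rights, _obj, _inherit_obj, sid = body.split(';', -1)
    Ace.new(type, flags.to_s.scan(/../), rights.to_s, resolve_sid(sid.to_s))
  end
  [owner && resolve_sid(owner), aces]
end

# Returns { owner: <sid>, findings: [<string>, ...] } for a directory's SDDL.
def audit_sddl(sddl)
  owner, aces = parse_sddl(sddl)
  allow = aces.select(&:allow?)
  findings = []

  # PUP-9106 in this thread: a SYSTEM ACE is never anything other than F.
  allow.select { |a| a.sid == LOCAL_SYSTEM && !a.full_control? }.each do |a|
    findings << "SYSTEM ACE grants #{a.rights}, expected full control (F)"
  end

  # Installer-laid ACEs: Administrators:(OI)(CI)(F) and SYSTEM:(OI)(CI)(F).
  { 'Administrators' => ADMINISTRATORS, 'SYSTEM' => LOCAL_SYSTEM }.each do |name, sid|
    ok = allow.any? { |a| a.sid == sid && a.full_control? && a.inheritable? }
    findings << "no inheritable full-control ACE for #{name}" unless ok
  end

  { owner: owner, findings: findings }
end

# Constructed samples (not captured from a real host).
# First: owner Administrators with both inheritable full-control ACEs.
SAMPLE_INSTALLER_ACL = 'O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)'
# Second: owner SYSTEM, SYSTEM reduced to read and execute (0x1200a9),
# Administrators full control but without (OI)(CI).
SAMPLE_DRIFTED_ACL = 'O:SYG:SYD:PAI(A;OICI;0x1200a9;;;SY)(A;;FA;;;S-1-5-32-544)'

if __FILE__ == $PROGRAM_NAME
  { 'installer' => SAMPLE_INSTALLER_ACL, 'drifted' => SAMPLE_DRIFTED_ACL }.each do |label, sddl|
    result = audit_sddl(sddl)
    puts "#{label}: owner=#{result[:owner]}"
    result[:findings].each { |f| puts "  - #{f}" }
  end
end
```

The owner SID is returned alongside the findings so that a directory created by a SYSTEM run, as in the repro elsewhere in this thread, can be told apart from one owned by Administrators.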
 

  
 


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-07-05 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Change By: Geoff Nichols
Sprint: Windows 2018-06-13, Windows 2018-06-27, Windows 2018-07-05, Windows 2018-07-11

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-07-04 Thread Glenn Sarti (JIRA)
Glenn Sarti commented on PUP-6729

After working some more with the changes Ethan Brown has suggested, I'm beginning to come to the conclusion that this should no longer be worked on.

1. As Ethan pointed out, manage_internal_file_permissions is now set to false by default by the Windows MSI Installer (https://github.com/puppetlabs/puppet-agent-private/pull/9). This means the code that would "break" perms for both this (PUP-6729) and PUP-8939 no longer executes, by default.
2. The remediation for https://puppet.com/security/cve/CVE-2018-6513 changes the owner to the correct file permissions (so PUP-6729 and PUP-8939 are no longer issues) so "broken" installations are automagically fixed too — *If manage_internal_file_permissions is set to true.*

1. Using the technique Ethan suggested to change the Root username detection works, however not all settings set an owner by default. For example, here's a list of file_settings when you run Puppet (SHA 2b08424711b7ea27824b241af6b1cffebbfd159e). This lists the resource, Owner to set (o=) and Group to set (g=)

    File[C:/ProgramData/PuppetLabs/puppet/etc] o= g=
    File[C:/ProgramData/PuppetLabs/code] o= g=
    File[C:/ProgramData/PuppetLabs/puppet/cache] o=S-1-5-32-544 g=
    File[C:/ProgramData/PuppetLabs/puppet/var/log] o=S-1-5-32-544 g=
    File[C:/ProgramData/PuppetLabs/puppet/cache/state] o= g=
    File[C:/ProgramData/PuppetLabs/puppet/var/run] o=S-1-5-32-544 g=
    File[C:/ProgramData/PuppetLabs/puppet/cache/lib] o= g=
    File[C:/ProgramData/PuppetLabs/puppet/etc/hiera.yaml] o= g=

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-28 Thread Glenn Sarti (JIRA)
Glenn Sarti assigned an issue to Unassigned

Change By: Glenn Sarti
Assignee: Glenn Sarti

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-27 Thread Erick Banks (JIRA)
Erick Banks updated an issue

Change By: Erick Banks
Sprint: Windows 2018-06-13, Windows 2018-06-27, Windows 2018-07-05

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-20 Thread Glenn Sarti (JIRA)
Glenn Sarti commented on PUP-6729

WIP PR is at https://github.com/puppetlabs/puppet/pull/6892

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-19 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Change By: Geoff Nichols
Sprint: Windows  Hopper  2018-06-13 , Windows 2018-06- 13 27

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-13 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Change By: Geoff Nichols
Sprint: Windows  2018-06-13  Hopper , Windows 2018-06- 20 13

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-13 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Change By: Geoff Nichols
Sprint: Windows 2018-06-13, Windows 2018-06-20

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-12 Thread Glenn Sarti (JIRA)
Glenn Sarti commented on PUP-6729

I've created PUP-8939 to capture the "Local Admin cannot run Puppet after installed by SYSTEM"

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-08 Thread Ethan Brown (JIRA)
Ethan Brown commented on PUP-6729

Yeah, the symptoms are the same, but I think the cause is different. Let's spin off a new ticket for this new repro, which has deviated quite a bit from the original description.

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-06 Thread Glenn Sarti (JIRA)
Glenn Sarti commented on PUP-6729

The ownership is not affected by inheritance either.

Created C:\temp\parent directory and set the following;
  Owner - Administrator
  Permissions - Everyone:F (Removed all inherited perms)

    PS C:\temp\parent> get-acl .

    Path    Owner                          Access
    ----    -----                          ------
    parent  WIN-HBIOD5I9GSO\Administrator  Everyone Allow  FullControl

As Local Administrator created c:\temp\parent\testdir
  mkdir c:\temp\parent\testdir - Owner is Administrators

    Path     Owner                   Access
    ----     -----                   ------
    testdir  BUILTIN\Administrators  Everyone Allow  FullControl

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-06 Thread Geoff Nichols (JIRA)
Geoff Nichols updated an issue

Change By: Geoff Nichols
Story Points: 1

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-06 Thread Glenn Sarti (JIRA)
Glenn Sarti commented on PUP-6729

So I'm beginning to think we can't fix this within Puppet itself, as getting puppet to magically "modify" the owner of created directories may be problematic. There is definitely a case to modify the simplified installer PowerShell script. There are few instances of puppet being called within the installer, that could just as easily be parsed by pure powershell; by using pure powershell we may be able to get around the file ownership issue. It's not foolproof as the puppet.conf file may still have the wrong owner information. The main culprit is the puppet resource statement to set the puppet service status which is trivially changed to Set-Service and Start-Service.

Call sites:

    ...
      # Set the specified entry in puppet.conf
      Write-Verbose "Setting Puppet config option: ${section}:${setting}=${value}"
      & $puppet_bin_dir\puppet config set $setting $value --section $section
      break
    }
    ...
      # The default behavior of the MSI is to not put the certname in puppet.conf.
      # But it's desirable to have certname in there to make troubleshooting and maintenance easier. So, let's put it there.
      $certname = & $puppet_bin_dir\puppet config print certname --section main

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-06 Thread Glenn Sarti (JIRA)
Glenn Sarti assigned an issue to Glenn Sarti

Change By: Glenn Sarti
Assignee: Glenn Sarti

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-06 Thread Glenn Sarti (JIRA)
Glenn Sarti commented on PUP-6729

So using this simplified repro... I added a simple puts `whoami /all` into the source code for the puppet agent so it would pump out the account information on every puppet invocation. Running as scheduled task we get;

    USER INFORMATION
    ----------------

    User Name           SID
    =================== ========
    nt authority\system S-1-5-18


    GROUP INFORMATION
    -----------------

    Group Name Type SID Attributes
    ==

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-06 Thread Glenn Sarti (JIRA)
Glenn Sarti commented on PUP-6729

Simplified repro case:

- Given an already existing puppet agent installation
- Delete C:\ProgramData\PuppetLabs\puppet\cache
- Create a scheduled task
  - For the SYSTEM user with Highest Privileges
  - No Triggers
  - Action
    - Program cmd.exe
    - Arguments /c puppet apply -e "" > c:\puppet-out.txt 2>&1
- Run the scheduled task
- The C:\ProgramData\PuppetLabs\puppet\cache should be created
- The C:\ProgramData\PuppetLabs\puppet\cache\state and reports directory will be owned by SYSTEM
- Running puppet agent -e "" as a local Administrator will fail now with permission denied in the state directory

Repeat the process but run as Local Administrator, or just a normal service run (NET START Puppet) and the permissions on the state directory will have the owner as Administrators

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-06-05 Thread Erick Banks (JIRA)
Erick Banks updated an issue

Change By: Erick Banks
Sprint: Windows 2018-06-13

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-03-28 Thread Ethan Brown (JIRA)
Ethan Brown updated an issue

Change By: Ethan Brown
Acceptance Criteria:
 - Permissions should be laid down simpler - for instance, it's typically unnecessary to set both Administrators and SYSTEM permissions when they are the same.
 - Beaker suite workarounds (like those found in pxp-agent and mcollective suites) should be able to be removed

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2018-02-21 Thread Ethan Brown (JIRA)
Ethan Brown updated an issue

Change By: Ethan Brown
Fix Version/s: PUP 5.y
Fix Version/s: PUP 6.0.0

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-10-05 Thread Nate McCurdy (JIRA)
Nate McCurdy updated an issue

Change By: Nate McCurdy
Attachment: cache ACL after razor install.png

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-10-05 Thread Owen Rodabaugh (JIRA)
Owen Rodabaugh updated an issue

Change By: Owen Rodabaugh
CS Priority: Major Normal
CS Business Value: 5 4  - $ $

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-10-05 Thread Owen Rodabaugh (JIRA)
Owen Rodabaugh updated an issue

Change By: Owen Rodabaugh
CS Priority: Needs Priority Major
CS Impact: Customers might assume that running puppet agent -t would have the same result as a normal puppet daemon run, but it doesn't because puppet runs as LOCALSYSTEM when it's a daemon, but as the user calling it when it's run as puppet agent -t. It would seem as though we want puppet to assign permissions to the LocalAdministrator group no matter which user it runs under (LOCALSYSTEM or an administrator) to avoid these oddities.
CS Severity: 3 - Serious
CS Business Value: 5 - $$
CS Frequency: 3 - 25-50% of Customers

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-09-06 Thread Ethan Brown (JIRA)
Ethan Brown updated an issue

Change By: Ethan Brown
Priority: Normal Major

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-08-29 Thread Jarret Lavallee (JIRA)
Jarret Lavallee updated an issue

Puppet / PUP-6729
NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

Change By: Jarret Lavallee
CS Priority: Needs Priority


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-08-29 Thread Chris Denneen (JIRA)
Chris Denneen commented on PUP-6729

Re: NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

Definitely running into the same issue when running via Services, Orchestrator, or even via Cloudformation steps: the ACL gets so restrictive that logging in as local Administrator doesn't have permissions to apply/agent run properly.


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-05-15 Thread Russell Mull (JIRA)
Russell Mull updated an issue

Puppet / PUP-6729
NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

Change By: Russell Mull
Labels: triaged


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-04-25 Thread Rodney Treweek (JIRA)
Rodney Treweek updated an issue

Puppet / PUP-6729
NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

Change By: Rodney Treweek
Attachment: perms_systeminstall.log
Attachment: perms_admininstall.log


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-04-25 Thread Rodney Treweek (JIRA)
Rodney Treweek commented on PUP-6729

Re: NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

I'm also seeing this in https://puppetlabs.zendesk.com/agent/tickets/25313.

I'm attaching the diff of the permissions after installation of the puppet agent as the SYSTEM user which the customer provided (These permissions issues are the result of automated system builds that install the puppet agent as the SYSTEM user, and thus result in several permissions problems). This is a serious issue when trying to upgrade several thousand Windows nodes. The attached diff does not include permissions issues for mcollective, which are also problematic.


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2017-04-25 Thread Ethan Brown (JIRA)
Ethan Brown updated an issue

Puppet / PUP-6729
NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

Change By: Ethan Brown
Fix Version/s: PUP 5.y


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2016-12-01 Thread Russell Mull (JIRA)
Russell Mull commented on PUP-6729

Re: NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

From a different system, which is much fresher, but showing the same issue. In this case, it's trying to copy into clientbucket/9/e/:

PS C:\ProgramData\PuppetLabs\puppet\cache> Get-Acl . | select *
Get-Acl . | select *

PSPath  : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache
PSParentPath: Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet
PSChildName : cache
PSDrive : C
PSProvider  : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :

Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2016-12-01 Thread Russell Mull (JIRA)
Russell Mull commented on PUP-6729

Re: NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

As (I think) a consequence of this issue, if you sometimes run puppet from the service (or from the orchestrator) but sometimes run 'puppet agent -t' as Administrator, the permissions can get mixed up. The case I encountered a few times was corruption of the permissions on puppet/cache/clientbucket (named .bak here):

C:\ProgramData\PuppetLabs\puppet\cache\clientbucket.bak>ls -l
ls -l
total 0
drwxr-x---+ 1 Administrators SYSTEM 0 Dec 1 21:38 1
drwxr-x---+ 1 Administrator  None   0 Dec 1 20:43 3
drwxr-x---+ 1 Administrator  None   0 Dec 1 20:58 4
drwxr-x---+ 1 Administrators SYSTEM 0 Dec 1 21:31 5
drwxr-x---+ 1 Administrator  None   0 Dec 1 21:09 6
drwxr-x---+ 1 Administrator  None   0 Dec 1 17:25 7
drwxr-x---+ 1 Administrator  None   0 Dec 1 21:11 8
drwxr-x---+ 1 Administrator  None   0 Dec 1 21:02 9
drwxr-x---+ 1 Administrator  None   0 Dec 1 20:54 a
drwxr-x---+ 1 Administrators SYSTEM 0 Dec 1 21:39 b
drwxr-x---+ 1 Administrators SYSTEM 0 Dec 1 18:27 c

This resulted in getting 'permission denied' errors when trying to copy a config file into clientbucket before changing it.

This is a very common workflow, and if it can so easily bork the agent installation, we should fix it.
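An added example, not part of the ticket or of Puppet's own code: a PowerShell audit for the mixed-ownership state reported in the comment above. It lists each clientbucket subdirectory with its owner and flags those where SYSTEM or BUILTIN\Administrators lacks an effective Allow FullControl ACE. The function name Test-PuppetCacheAcl is hypothetical, the default path is the one shown in this thread, and treating "both principals have FullControl" as the healthy state is an assumption.

```powershell
# Added example: audit clientbucket subdirectories for mixed SYSTEM / Administrator ACLs.
# Test-PuppetCacheAcl is a hypothetical helper name; run it from an elevated session.
function Test-PuppetCacheAcl {
    param(
        [string]$Path = 'C:\ProgramData\PuppetLabs\puppet\cache\clientbucket'
    )

    # Well-known SIDs, so the check does not depend on localized account names.
    $required = @{
        'S-1-5-18'     = 'NT AUTHORITY\SYSTEM'
        'S-1-5-32-544' = 'BUILTIN\Administrators'
    }
    $full        = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    Get-ChildItem -LiteralPath $Path -Directory -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        # Explicit and inherited ACEs, with identities resolved to SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        $missing = foreach ($sid in $required.Keys) {
            $hasFull = $rules | Where-Object {
                $_.IdentityReference.Value -eq $sid -and
                $_.AccessControlType -eq 'Allow' -and
                # Inherit-only ACEs apply to children, not to this directory itself.
                -not ($_.PropagationFlags -band $inheritOnly) -and
                ($_.FileSystemRights -band $full) -eq $full
            }
            if (-not $hasFull) { $required[$sid] }
        }

        [pscustomobject]@{
            Directory       = $_.Name
            Owner           = $acl.Owner
            MissingFullCtrl = ($missing -join ', ')
            NeedsRepair     = [bool]$missing
        }
    }
}

Test-PuppetCacheAcl | Sort-Object NeedsRepair -Descending | Format-Table -AutoSize
```

Directories reported with NeedsRepair set are the ones likely to fail when the other run mode (service as SYSTEM, or an interactive run as Administrator) next writes to them.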


Jira (PUP-6729) NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

2016-09-22 Thread Ethan Brown (JIRA)
Ethan Brown created an issue

Puppet / PUP-6729
NTFS permissions should be recalculated given SYSTEM is an implicit member of local Administrators

Issue Type: Improvement
Assignee: Unassigned
Created: 2016/09/22 11:48 AM
Priority: Normal
Reporter: Ethan Brown

Puppet has traditionally been careful to separate out permissions when running as a SYSTEM vs a member of the Administrators group when it tries to emulate a POSIX root. This has led to a number of problems around permissions ordering within an ACL of ACEs, permissions being denied to the Puppet service for certain config files, etc.

The current NTFS permission code doesn't take into account that SYSTEM is actually an implicit / hidden member of the Administrators group, making some of the permissions code unnecessarily complex. This ticket would involve refactoring.

From my comment on PUP-5491:

I found a reference in Mechanics of User Identification and Authentication that explains this. SYSTEM is an implicit / hidden member of the Administrators group, which can be verified by opening a psexec session as SYSTEM and running whoami /groups in it:

C:\Users\Administrator\Downloads> psexec -s cmd.exe