Jira (PUP-9297) Audit and fix locations where set_mode is called with inappropriate permissions on Windows

[Glenn Sarti (JIRA)]

Glenn Sarti created an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows Issue Type: Bug Assignee: Unassigned Created: 2018/11/01 12:58 AM Environment: Windows 10 - 1803 Puppet 5.5.x gem Ruby 2.4 Priority: Normal Reporter: Glenn Sarti PUP-9216 was merged earlier, which sets System ACE entries to full control. This triggers a failure in pxp-agent's tasks.run_puppet.rb test, specifically here based on the stack trace. Representative job link: https://jenkins-platform.delivery.puppetlabs.net/view/puppet-agent/view/Acceptance%20Suites/view/5.5.x/view/Suite/job/platform_puppet-agent_puppet-agent-integration-suite_daily-5.5.x/232/RMM_COMPONENT_TO_TEST_NAME=pxp_agent,SLAVE_LABEL=beaker,TEST_TARGET=windows10ent-64a/ Representative failure output: Successful task expected to have no output on stderr. --- expected +++ actual @@ -1 +1,2 @@ -nil +"\e[1;33mWarning: An attempt to set mode 416 on item C:/ProgramData/PuppetLabs/puppet/cache/reports/xln2koezj7avuqx.delivery.puppetlabs.net/201810110803.yaml would result in the group, SYSTEM, to have less than Full Control rights. This attempt has been corrected to Full Control\e[0m +" — Pull Request https://github.com/puppetlabs/puppet/pull/7167 was raised to fix one place where set_mode was used, however some other testing exposed there are other places where set_mode is used to set inappropriate permissions on Windows platforms; e.g. https://github.com/puppetlabs/puppet/pull/7167#issuecomment-430682091 This issue will track the work to find all of the set_mode call sites and audit them for appropriate-ness on Windows platforms. And then raise fix PRs where needed. Add Comment

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

[Glenn Sarti (JIRA)]

Glenn Sarti updated an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Glenn Sarti Story Points: 1 Team: Windows Sprint: Windows Grooming Method Found: Needs Assessment Manual Test

Add Comment

[Erick Banks (JIRA)]

Erick Banks updated an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Erick Banks Sprint: Windows Grooming

Add Comment

[Josh Cooper (Jira)]

Josh Cooper commented on PUP-9297

Re: Audit and fix locations where set_mode is called with inappropriate permissions on Windows There are only a few remaining places: lib/puppet/configurer.rb: Puppet::Util.replace_file(Puppet[:lastrunfile], mode) do |fh| lib/puppet/provider/service/rcng.rb: Puppet::Util.replace_file(rcfile, 0644) do |f| lib/puppet/provider/service/rcng.rb: Puppet::Util.replace_file(rcfile, 0644) do |f| lib/puppet/provider/service/upstart.rb: Puppet::Util.replace_file(file, 0644) do |f| lib/puppet/provider/user/user_role_add.rb: Puppet::Util.replace_file(target_file_path, 0640) do |fh| lib/puppet/ssl/host.rb: Puppet::Util.replace_file(file_path, 0644) do |f| lib/puppet/ssl/host.rb: Puppet::Util.replace_file(certificate_request_location(name), 0644) do |file| lib/puppet/ssl/host.rb: Puppet::Util.replace_file(crl_path, 0644) do |file| lib/puppet/type/file.rb: Puppet::Util.replace_file(self[:path], mode_int, staging_location: self[:staging_location], validate_callback: validate_callback) do |file| lib/puppet/util/reference.rb: Puppet::Util.replace_file("/tmp/puppetdoc.txt") {|f| f.puts text } The code in lib/puppet/ssl/host.rb can be ignored, because it will be deleted soon.

Add Comment

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-9297

Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Josh Cooper Labels: beginner

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Josh Cooper Team: Windows Night's Watch

Add Comment

[Mihai Buzgau (Jira)]

Mihai Buzgau updated an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Mihai Buzgau Sprint: PR - Triage

Add Comment

[Josh Cooper (Jira)]

Josh Cooper updated an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Josh Cooper Labels: beginner

Add Comment

[Bogdan Irimie (Jira)]

Bogdan Irimie updated an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Bogdan Irimie Sprint:

Add Comment

[Bogdan Irimie (Jira)]

Bogdan Irimie updated an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Bogdan Irimie Sprint: ready for triage

Add Comment

[Ciprian Badescu (Jira)]

Ciprian Badescu updated an issue

Puppet / PUP-9297 Audit and fix locations where set_mode is called with inappropriate permissions on Windows

Change By: Ciprian Badescu Sprint: ready for triage

Add Comment

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)