Jira (PUP-8939) Administrators are not able to run puppet agent when installed as SYSTEM in some cases


Glenn Sarti (JIRA)

Jun 12, 2018, 9:39:03 PM
to puppe...@googlegroups.com
Glenn Sarti updated an issue
 
Puppet / Improvement PUP-8939
Administrators are not able to run puppet agent when installed as SYSTEM in some cases
Change By: Glenn Sarti
Comment: A comment with security level 'Developers' was removed.
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

Glenn Sarti (JIRA)

Jun 12, 2018, 9:39:03 PM
to puppe...@googlegroups.com
Glenn Sarti created an issue
Issue Type: Improvement
Affects Versions: PUP 5.5.1
Assignee: Glenn Sarti
Created: 2018/06/12 6:37 PM
Fix Versions: PUP 6.0.0
Priority: Major
Reporter: Glenn Sarti

This issue was created from the work in PUP-6729

In some instances when Puppet Agent is installed as SYSTEM, the local administrators are unable to run puppet agent interactively.

Glenn Sarti (JIRA)

Jun 12, 2018, 9:40:03 PM
to puppe...@googlegroups.com
Glenn Sarti updated an issue
Change By: Glenn Sarti
Comment: As (I think) a consequence of this issue, if you sometimes run puppet from the service (or from the orchestrator) but sometimes run 'puppet agent -t' as Administrator, the permissions can get mixed up. The case I encountered a few times was corruption of the permissions on puppet/cache/clientbucket: (named .bak here)

{noformat}
C:\ProgramData\PuppetLabs\puppet\cache\clientbucket.bak>ls -l
ls -l
total 0
drwxr-x---+ 1 Administrators SYSTEM 0 Dec  1 21:38 1
drwxr-x---+ 1 Administrator  None   0 Dec  1 20:43 3
drwxr-x---+ 1 Administrator  None   0 Dec  1 20:58 4
drwxr-x---+ 1 Administrators SYSTEM 0 Dec  1 21:31 5
drwxr-x---+ 1 Administrator  None   0 Dec  1 21:09 6
drwxr-x---+ 1 Administrator  None   0 Dec  1 17:25 7
drwxr-x---+ 1 Administrator  None   0 Dec  1 21:11 8
drwxr-x---+ 1 Administrator  None   0 Dec  1 21:02 9
drwxr-x---+ 1 Administrator  None   0 Dec  1 20:54 a
drwxr-x---+ 1 Administrators SYSTEM 0 Dec  1 21:39 b
drwxr-x---+ 1 Administrators SYSTEM 0 Dec  1 18:27 c
{noformat}

I believe the sequence to get to this state was me first running 'puppet agent -t' at the console as Administrator, then later running puppet with the orchestrator. The latter failed, while trying to copy a file into the '4' subdirectory.

This resulted in getting 'permission denied' errors when trying to copy a config file into clientbucket before changing it.

This is a very common workflow, and if it can so easily bork the agent installation, we should fix it.

Glenn Sarti (JIRA)

Jun 12, 2018, 9:40:03 PM
to puppe...@googlegroups.com
Glenn Sarti updated an issue
Change By: Glenn Sarti
Comment: Yeah, the symptoms are the same, but I think the cause is different. Let's spin off a new ticket for this new repro, which has deviated quite a bit from the original description.

Glenn Sarti (JIRA)

Jun 12, 2018, 9:40:03 PM
to puppe...@googlegroups.com
Glenn Sarti updated an issue
Change By: Glenn Sarti
Comment: From a different system, which is much fresher, but showing the same issue. In this case, it's trying to copy into clientbucket/9/e/:

{noformat}
PS C:\ProgramData\PuppetLabs\puppet\cache> Get-Acl . | select *
Get-Acl . | select *


PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet
PSChildName             : cache
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache
Owner                   : QMZMML8VXJ0JTSW\Administrator
Group                   : QMZMML8VXJ0JTSW\None
Access                  : {System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule...}
Sddl                    : O:LAG:S-1-5-21-1327426001-2876377404-380743070-513D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;
                     ID;FA;;;LA)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;DCLCRPCR;;;BU)
AccessToString          : NT AUTHORITY\SYSTEM Allow  FullControl
                     BUILTIN\Administrators Allow  FullControl
                     QMZMML8VXJ0JTSW\Administrator Allow  FullControl
                     CREATOR OWNER Allow  268435456
                     BUILTIN\Users Allow  ReadAndExecute, Synchronize
                     BUILTIN\Users Allow  Write
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
{noformat}

{noformat}
PS C:\ProgramData\PuppetLabs\puppet\cache\clientbucket> Get-Acl . | select *
Get-Acl . | select *


PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\clientbucket
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache
PSChildName             : clientbucket
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\clientbucket
Owner                   : BUILTIN\Administrators
Group                   : NT AUTHORITY\SYSTEM
Access                  : {System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule...}
Sddl                    : O:BAG:SYD:PAI(A;;0x120080;;;WD)(A;CIIO;FA;;;CO)(A;OIIO;0x1f01df;;;CO)(A;OIIO;FR;;;CG)(A;CIIO;
                     0x1200a9;;;CG)(A;;0x1200a9;;;SY)(A;;FA;;;BA)
AccessToString          : Everyone Allow  ReadAttributes, ReadPermissions, Synchronize
                     CREATOR OWNER Allow  FullControl
                     CREATOR OWNER Allow  DeleteSubdirectoriesAndFiles, Write, Delete, Read, ChangePermissions,
                     TakeOwnership, Synchronize
                     CREATOR GROUP Allow  Read, Synchronize
                     CREATOR GROUP Allow  ReadAndExecute, Synchronize
                     NT AUTHORITY\SYSTEM Allow  ReadAndExecute, Synchronize
                     BUILTIN\Administrators Allow  FullControl
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True
{noformat}

{noformat}
PS C:\ProgramData\PuppetLabs\puppet\cache\clientbucket\9> Get-Acl . | select *
Get-Acl . | select *


PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\clientbucket\9
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\clientbucket
PSChildName             : 9
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\clientbucket\9
Owner                   : QMZMML8VXJ0JTSW\Administrator
Group                   : QMZMML8VXJ0JTSW\None
Access                  : {System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule...}
Sddl                    : O:LAG:S-1-5-21-1327426001-2876377404-380743070-513D:AI(A;ID;FA;;;LA)(A;CIIOID;FA;;;CO)(A;ID;0
                     x1200a9;;;S-1-5-21-1327426001-2876377404-380743070-513)(A;CIIOID;0x1200a9;;;CG)(A;OIIOID;0x1f
                     01df;;;CO)(A;OIIOID;FR;;;CG)
AccessToString          : QMZMML8VXJ0JTSW\Administrator Allow  FullControl
                     CREATOR OWNER Allow  FullControl
                     QMZMML8VXJ0JTSW\None Allow  ReadAndExecute, Synchronize
                     CREATOR GROUP Allow  ReadAndExecute, Synchronize
                     CREATOR OWNER Allow  DeleteSubdirectoriesAndFiles, Write, Delete, Read, ChangePermissions,
                     TakeOwnership, Synchronize
                     CREATOR GROUP Allow  Read, Synchronize
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True
{noformat}

For reference, the 'e' directory next to (not under) '9':

{noformat}
PS C:\ProgramData\PuppetLabs\puppet\cache\clientbucket\e> Get-Acl . | select *
Get-Acl . | select *


PSPath                  : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\clientbucket\e
PSParentPath            : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\clientbucket
PSChildName             : e
PSDrive                 : C
PSProvider              : Microsoft.PowerShell.Core\FileSystem
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\PuppetLabs\puppet\cache\clientbucket\e
Owner                   : BUILTIN\Administrators
Group                   : NT AUTHORITY\SYSTEM
Access                  : {System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule,
                     System.Security.AccessControl.FileSystemAccessRule...}
Sddl                    : O:BAG:SYD:AI(A;ID;FA;;;BA)(A;CIIOID;FA;;;CO)(A;ID;0x1200a9;;;SY)(A;CIIOID;0x1200a9;;;CG)(A;OI
                     IOID;0x1f01df;;;CO)(A;OIIOID;FR;;;CG)
AccessToString          : BUILTIN\Administrators Allow  FullControl
                     CREATOR OWNER Allow  FullControl
                     NT AUTHORITY\SYSTEM Allow  ReadAndExecute, Synchronize
                     CREATOR GROUP Allow  ReadAndExecute, Synchronize
                     CREATOR OWNER Allow  DeleteSubdirectoriesAndFiles, Write, Delete, Read, ChangePermissions,
                     TakeOwnership, Synchronize
                     CREATOR GROUP Allow  Read, Synchronize
AuditToString           :
AccessRightType         : System.Security.AccessControl.FileSystemRights
AccessRuleType          : System.Security.AccessControl.FileSystemAccessRule
AuditRuleType           : System.Security.AccessControl.FileSystemAuditRule
AreAccessRulesProtected : False
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True
{noformat}
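The four Sddl strings in the listings above say more compactly than the AccessToString blocks why the service fails: they show who owns each directory, whether its DACL is protected from inheritance, and which rights SYSTEM and BUILTIN\Administrators actually hold on the directory itself. As an added example that is not part of this ticket or of Puppet's own code, the Python checker below parses those exact strings and reports that per directory; the path labels, the CAN_CREATE bit set and the decision to ignore Deny ACEs are my own choices.

```python
import re
# SDDL rights tokens -> FILE_* / GENERIC_* access-mask bits; hex masks such as 0x1200a9 are used as-is.
SDDL_RIGHTS = {"GA": 0x10000000, "GW": 0x40000000, "GR": 0x80000000, "GX": 0x20000000,
               "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0, "CC": 0x1, "DC": 0x2,
               "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100}
# Bits that let a principal add a file (FILE_WRITE_DATA) or subdirectory (FILE_APPEND_DATA), or generic rights implying them.
CAN_CREATE = 0x2 | 0x4 | 0x10000000 | 0x40000000
SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def rights_mask(rights):
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return sum(SDDL_RIGHTS[rights[i:i + 2]] for i in range(0, len(rights), 2))

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL protection flag and a list of ACEs."""
    m = SDDL_RE.match(sddl)
    if not m: raise ValueError("unparseable SDDL: %r" % sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group("aces")):
        ace_type, flags, rights, _obj, _inh, trustee = ace.split(";")
        aces.append({"type": ace_type, "trustee": trustee, "mask": rights_mask(rights),
                     "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)}})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "protected": "P" in m.group("flags"), "aces": aces}

def effective_allow(parsed, trustee):
    """Allow bits on the directory itself; inherit-only (IO) ACEs only shape children. Deny ACEs are not modelled."""
    mask = 0
    for ace in parsed["aces"]:
        if ace["type"] == "A" and ace["trustee"] == trustee and "IO" not in ace["flags"]:
            mask |= ace["mask"]
    return mask

def audit(acls):
    """Per (path, sddl): owner, DACL protection, and whether SYSTEM (SY) / Administrators (BA) can create entries."""
    out = {}
    for path, sddl in acls:
        p = parse_sddl(sddl)
        out[path] = {"owner": p["owner"], "protected": p["protected"],
                     "system_can_create": bool(effective_allow(p, "SY") & CAN_CREATE),
                     "admins_can_create": bool(effective_allow(p, "BA") & CAN_CREATE)}
    return out

# Sddl values from the four Get-Acl listings above, with the wrapped lines re-joined.
PAGE_ACLS = [
    ("cache", "O:LAG:S-1-5-21-1327426001-2876377404-380743070-513D:AI(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)(A;ID;FA;;;LA)(A;OICIIOID;GA;;;CO)(A;OICIID;0x1200a9;;;BU)(A;CIID;DCLCRPCR;;;BU)"),
    ("cache\\clientbucket", "O:BAG:SYD:PAI(A;;0x120080;;;WD)(A;CIIO;FA;;;CO)(A;OIIO;0x1f01df;;;CO)(A;OIIO;FR;;;CG)(A;CIIO;0x1200a9;;;CG)(A;;0x1200a9;;;SY)(A;;FA;;;BA)"),
    ("cache\\clientbucket\\9", "O:LAG:S-1-5-21-1327426001-2876377404-380743070-513D:AI(A;ID;FA;;;LA)(A;CIIOID;FA;;;CO)(A;ID;0x1200a9;;;S-1-5-21-1327426001-2876377404-380743070-513)(A;CIIOID;0x1200a9;;;CG)(A;OIIOID;0x1f01df;;;CO)(A;OIIOID;FR;;;CG)"),
    ("cache\\clientbucket\\e", "O:BAG:SYD:AI(A;ID;FA;;;BA)(A;CIIOID;FA;;;CO)(A;ID;0x1200a9;;;SY)(A;CIIOID;0x1200a9;;;CG)(A;OIIOID;0x1f01df;;;CO)(A;OIIOID;FR;;;CG)"),
]
```

Run over these values, audit() shows SYSTEM with read-and-execute only on clientbucket and e and no entry at all on 9, while 9 grants write access solely to the local Administrator account (not the Administrators group), which is exactly the mix a console run as Administrator followed by a service run as SYSTEM produces.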

Glenn Sarti (JIRA)

Jun 12, 2018, 9:41:01 PM
to puppe...@googlegroups.com
Glenn Sarti commented on Improvement PUP-8939
 
Re: Administrators are not able to run puppet agent when installed as SYSTEM in some cases

Cloned PUP-6729 and removed the information that doesn't relate to the SYSTEM to Local Admin issue.

Glenn Sarti (JIRA)

Jun 12, 2018, 9:41:02 PM
to puppe...@googlegroups.com
Glenn Sarti updated an issue
Change By: Glenn Sarti
Comment:
A comment with security level 'Developers' was removed.

Glenn Sarti (JIRA)

Jun 21, 2018, 1:38:04 AM
to puppe...@googlegroups.com

Glenn Sarti (JIRA)

Jun 28, 2018, 9:21:02 PM
to puppe...@googlegroups.com
Glenn Sarti commented on Improvement PUP-8939

Note that the MSIs for Puppet 5.5.2+, 5.3.7+ and 1.10.13+ no longer manage file permissions in the settings and rely on the operating system.

https://github.com/puppetlabs/puppet-agent/commit/b22df1ae474be73eb936eb563fcecb1e02b5c1ba

So for those MSIs this will no longer be an issue.

Erick Banks (JIRA)

Jul 10, 2018, 7:27:02 PM
to puppe...@googlegroups.com

Michael Lombardi (JIRA)

Jul 13, 2018, 12:29:02 PM
to puppe...@googlegroups.com

Glenn Sarti (JIRA)

Jul 16, 2018, 12:00:03 AM
to puppe...@googlegroups.com

Geoff Nichols (JIRA)

Jul 18, 2018, 12:54:03 PM
to puppe...@googlegroups.com
Geoff Nichols updated an issue
 
Change By: Geoff Nichols
Sprint: Windows 2018-07-18 , Windows 2018-07-25

John O'Connor (JIRA)

Jul 25, 2018, 12:49:03 PM
to puppe...@googlegroups.com

Kenn Hussey (JIRA)

Aug 28, 2018, 11:05:18 AM
to puppe...@googlegroups.com

Glenn Sarti (JIRA)

Aug 29, 2018, 9:28:03 PM
to puppe...@googlegroups.com

Branan Riley (JIRA)

Dec 19, 2018, 1:07:04 PM
to puppe...@googlegroups.com

Austin Boyd (JIRA)

Dec 12, 2019, 8:41:04 AM
to puppe...@googlegroups.com
Austin Boyd updated an issue
Change By: Austin Boyd
Zendesk Ticket IDs: 34512
Zendesk Ticket Count: 1

Josh Cooper (JIRA)

Jan 22, 2020, 6:23:05 PM
to puppe...@googlegroups.com
Josh Cooper commented on Improvement PUP-8939
 
Re: Administrators are not able to run puppet agent when installed as SYSTEM in some cases

For posterity, setting manage_internal_file_permissions=false avoids the issue for directories and files that are managed via puppet's settings catalog, e.g. the client_data directory. But it doesn't fix the issue for files that are not settings and are updated via Puppet::Util.replace_file, which is the case for the cached catalog. See PUP-9719 for more info on that.
