What do you use the 'group' attribute for when using the acl module?


Paul Chernoch

Sep 9, 2014, 2:30:37 PM
to puppet...@googlegroups.com
The acl module has a parameter named 'group' which takes a list of users, groups or SIDs.
What is it for? When would I need it?
The documentation is fuzzy. This is what it says:

Properties

group

The entity or entities that have access to a particular ACL descriptor. The group identity is also known as a trustee or principal. Valid inputs can be in the form of:

  • User - e.g. 'Bob' or 'TheNet\Bob'
  • Group - e.g. 'Administrators' or 'BUILTIN\Administrators'
  • SID (Security ID) - e.g. 'S-1-5-18'

No default value will be enforced by Puppet. Using the default will allow the group to stay set to whatever it is currently set to (group can vary depending on the original CREATOR GROUP). Since the identity must exist on the system in order to be used, Puppet will make sure they exist by creating them as needed.

NOTE: On Windows the CREATOR GROUP inherited ACE must be set for the creator's primary group to be set as an ACE automatically. Group is not always widely used. By default the group will also need to be specifically set as an explicit managed ACE. See Microsoft's page for instructions on enabling CREATOR GROUP.




Paul

Josh Cooper

Sep 10, 2014, 12:52:41 AM
to puppet...@googlegroups.com
Hi Paul,

On Tue, Sep 9, 2014 at 11:30 AM, Paul Chernoch <pache...@gmail.com> wrote:
The acl module has a parameter named 'group' which takes a list of users, groups or SIDs.
What is it for? When would I need it?

Windows Security Descriptors support a group to allow for POSIX emulation. Here's some dated, but still accurate info: "The Primary Group field contains the SID for the owner’s primary group. This information is used only by the POSIX subsystem, and it is ignored by the rest of Windows Server 2003." [1]

Since the group can be set on a security descriptor, puppet provides the ability to manage it. That said, it's not something you would typically need to manage, and for most users, it's set to the Nobody/None SID (S-1-0-0).

Note that many windows tools, e.g. icacls, won't show you what the group is, but others do:

C:\> Get-Acl C:\windows | format-list

Path   : Microsoft.PowerShell.Core\FileSystem::C:\windows
Owner  : NT SERVICE\TrustedInstaller
Group  : NT SERVICE\TrustedInstaller
...

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/172c9ce0-bdd3-4f85-8fb5-c84a55d56fe5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Josh

[1] http://technet.microsoft.com/en-us/library/cc781716(v=ws.10).aspx

--
Josh Cooper
Developer, Puppet Labs

Join us at PuppetConf 2014, September 20-24 in San Francisco

Paul Chernoch

Sep 10, 2014, 10:09:09 AM
to puppet...@googlegroups.com
Thank you! From what you say, I doubt that I need to mess with it.

Paul

Rob Reynolds

Sep 15, 2014, 4:55:39 PM
to puppet...@googlegroups.com
On Tue, Sep 9, 2014 at 1:30 PM, Paul Chernoch <pache...@gmail.com> wrote:
The acl module has a parameter named 'group' which takes a list of users, groups or SIDs.

Just a small add on your wording here. Both the owner and group properties only take ONE of (1) a user, (2) a group, or (3) a SID.

Is this confusing in the documentation? If so, is there a way we could update the documentation to make this more clear?
 
--
Rob Reynolds
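The following manifest is an added example, not code from the thread or from the puppetlabs-acl module's own documentation. It ties together Josh's point that the security descriptor group is a separate, rarely meaningful field, Rob's point that owner and group each take exactly one identity, and the documentation note that the group still needs its own explicit ACE before it grants any access. The directory path is a placeholder, and it assumes a Windows agent with puppetlabs-acl installed and the built-in Administrators and Users groups present.

```puppet
# Added example, not from the thread or the puppetlabs-acl docs.
# Assumptions: Windows agent, puppetlabs-acl installed, 'C:/example/shared'
# is a placeholder directory, BUILTIN\Administrators and BUILTIN\Users exist.
acl { 'C:/example/shared':
  # owner and group each take ONE identity (user, group or SID), not a list.
  owner => 'BUILTIN\Administrators',

  # Sets the security descriptor's primary group field. As the thread notes,
  # this field is POSIX-emulation metadata: on its own it grants no access.
  # The SID form 'S-1-5-32-545' (BUILTIN\Users) would be equivalent here.
  group => 'BUILTIN\Users',

  # The group only gets access through an explicit managed ACE, so it is
  # declared here alongside the principals that must keep access.
  permissions => [
    { identity => 'NT AUTHORITY\SYSTEM',     rights => ['full'] },
    { identity => 'BUILTIN\Administrators',  rights => ['full'] },
    { identity => 'BUILTIN\Users',           rights => ['read', 'execute'] },
  ],

  # Drop any ACE not declared above and stop inheriting from the parent, so
  # the effective permissions are exactly the ones reviewed in this manifest.
  purge                      => true,
  inherit_parent_permissions => false,
}
```

After a run, `Get-Acl 'C:\example\shared' | Format-List` (the inspection Josh shows above) should report the Owner and Group fields set as declared; because SYSTEM and Administrators are listed explicitly, purging with inheritance disabled does not lock the service account or administrators out of the directory.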