Windows minion: rights on c:\salt directory


Eric Trezel

Feb 21, 2016, 2:45:07 PM
to Salt-users
Hi,

During my tests with Salt, I tried a Windows minion.
Everything works fine, but... I discovered that the c:\salt directory is accessible (read/write) to ordinary users. That means they can change configuration files and access the cache files, where you can sometimes find clear-text passwords...
How do you manage that?
I tried to find a PowerShell way. It seems possible, but far from easy. I thought I can't be the only one to have noticed this security issue, and certainly some of you have already fixed it...

Thanks for your help.

E.T.

Eric Trezel

Feb 22, 2016, 1:24:42 PM
to Salt-users
Hi back,

As it didn't seem to disturb or inspire anyone, I tried to solve the issue by myself.
And it works.

Here is a PowerShell script that removes the permissions on c:\salt for ordinary users:


# Remove NTFS inheritance on the directory. With preserveInheritance = $true the
# inherited entries are copied onto the directory as explicit entries, so they can
# then be removed one by one.
$path = "c:\salt"
$isProtected = $true
$preserveInheritance = $true
$acl = (Get-Item $path).GetAccessControl("Access")
$acl.SetAccessRuleProtection($isProtected, $preserveInheritance)
Set-Acl -Path $path -AclObject $acl

# Re-read the ACL, then remove the (now explicit) entries for standard users
$acl = Get-Acl -Path $path

# For 'BUILTIN\Users'
$acl.Access | Where-Object { $_.IdentityReference -eq "BUILTIN\Users" } | ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

# For 'NT AUTHORITY\Authenticated Users'
$acl.Access | Where-Object { $_.IdentityReference -eq "NT AUTHORITY\Authenticated Users" } | ForEach-Object { $acl.RemoveAccessRuleSpecific($_) }

# Write the trimmed ACL back once both groups have been removed
Set-Acl -Path $path -AclObject $acl

I'm French. Maybe I mistranslated the group names. If you want to be sure on your computer, you can use this command:
Get-Acl $path | Format-List

Hope it helps someone

Regards
E.T.

Shane Lee

Feb 22, 2016, 2:10:04 PM
to Salt-users
Thanks for letting us know. We're looking into what's going on.

Shane Lee

Feb 22, 2016, 3:08:50 PM
to Salt-users
Eric,

The Windows installer removes all permissions on the C:\Salt directory and gives explicit permission to the System account and the Administrators group.

I just tried to reproduce this issue. I followed these steps:

1. Uninstall salt
2. Remove C:\Salt directory
3. Install Salt using an installer downloaded from repo.saltstack.com/windows
4. Log off Administrator
5. Log on as normal user
6. Try to access C:\Salt
7. Prompts for Admin Password

I can't access the directory unless I enter a password. If I do enter the password I'm given read/execute privileges to the directory but I still can't edit anything.

If you aren't using the installer to install Salt then the onus is on you to configure permissions correctly. If you are using the installer, I would make sure your user account doesn't belong to the Administrators group.

Let me know if this helps.

Shane
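One way to check a minion's install directory for the exposure Eric reports and to reset it to the layout Shane says the installer sets (explicit Full Control for SYSTEM and Administrators, nothing else). This is an added PowerShell example, not code from the thread or from SaltStack; the path C:\salt, the function names and the set of rights counted as "write" are assumptions.

```powershell
# Added example (not from the thread or from SaltStack). Audits the ACL on the minion
# install directory and can reset it to the baseline described above. The default path
# and the bits treated as "write" are assumptions. Run from an elevated prompt:
# Set-Acl needs administrator rights to rewrite the DACL.
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
# Rights that let a principal change config, the cache, or the ACL itself. Read bits are
# deliberately left out: read-only access to a cache that may hold secrets still shows
# up in the Rights column, it just is not flagged as CanWrite.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL on unmapped ACEs

function Get-SaltAclFindings {
    param([string]$Path = 'C:\salt')
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny entries never widen access
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }
        $bits = [int]$ace.FileSystemRights
        [pscustomobject]@{
            Path      = $Path
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
            CanWrite  = (($bits -band [int]$WriteBits) -ne 0) -or (($bits -band $GenericWriteOrAll) -ne 0)
        }
    }
}

function Set-SaltAclBaseline {
    param([string]$Path = 'C:\salt')
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and discard the inherited entries instead of copying them
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in $acl.Access) { [void]$acl.RemoveAccessRule($ace) }   # drop remaining explicit entries
    foreach ($who in $Trusted) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Report first; apply the baseline only if some untrusted principal can write
$findings = Get-SaltAclFindings -Path 'C:\salt'
$findings | Format-Table Identity, Rights, Inherited, CanWrite -AutoSize
if ($findings | Where-Object { $_.CanWrite }) { Set-SaltAclBaseline -Path 'C:\salt' }
```

On a machine where the installer's ACL is intact the audit returns nothing; on Eric's Windows 7 minion the inherited BUILTIN\Users and Authenticated Users entries would be listed, with CanWrite true for whichever of them carries Modify.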

Eric Trezel

Feb 24, 2016, 3:15:15 PM
to Salt-users
Hi,

My minion's system is Windows 7. It works fine on Windows 10 and 2012 R2, according to Utahdave (I filed an issue on GitHub yesterday (#31428); he is investigating).
Which Windows version did you test?

Eric