Azure / nxtools

Azure Automanage Machine Configuration Linux DSC resources

nxFile - Does not support unsetting suid/sgid/sticky bits via mode parameters #36

Open coderjoe opened 12 months ago

coderjoe commented 12 months ago

Details of the scenario you tried and the problem that is occurring

I used nxFile to set a mode of 2740 to set sgid on a directory but I need to remove the sticky bit now. When I re-run nxFile with a mode of 00740 to unset the sticky bits it fails saying 00750 is invalid. But the extra 0 is how chmod is told to clear existing sticky bits.

From the manual page man chmod on Ubuntu 22.04:

For directories chmod preserves set-user-ID and set-group-ID bits unless you explicitly specify otherwise. You can set or clear the bits with symbolic modes like u+s and g-s. To clear these bits for directories with a numeric mode requires an additional leading zero, or leading = like 00755, or =755

So for directories an extra zero or a leading = are valid specifiers.

Verbose logs showing the problem

root@hostname:/tmp/dsc# pwsh test_dsc.ps1
VERBOSE: Populating RepositorySourceLocation property for module nxtools.
VERBOSE: Loading module from path '/root/.local/share/powershell/Modules/nxtools/1.2.0/nxtools.psm1'.
VERBOSE: The Get-DscResource input 'Name' parameter value is 'nxFile'.
VERBOSE: Skipping resource 'Reason' as it does not match the requested name.
VERBOSE: Creating resource 'nxFile'.
VERBOSE: Skipping resource 'nxGroup' as it does not match the requested name.
VERBOSE: Skipping resource 'nxUser' as it does not match the requested name.
VERBOSE: Skipping resource 'nxPackage' as it does not match the requested name.
VERBOSE: Skipping resource 'nxFileLine' as it does not match the requested name.
VERBOSE: Skipping resource 'nxFileContentReplace' as it does not match the requested name.
VERBOSE: Skipping resource 'nxService' as it does not match the requested name.
VERBOSE: Skipping resource 'nxScript' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_LinuxGroup' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_msid110' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_msid121' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_msid232' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_InstalledApplicationLinux' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_NotInstalledApplicationLinux' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_LinuxLogAnalyticsAgent' as it does not match the requested name.
VERBOSE: output:

VERBOSE: Populating RepositorySourceLocation property for module nxtools.
VERBOSE: Loading module from path '/root/.local/share/powershell/Modules/nxtools/1.2.0/nxtools.psm1'.
VERBOSE: The Get-DscResource input 'Name' parameter value is 'nxFile'.
VERBOSE: Skipping resource 'Reason' as it does not match the requested name.
VERBOSE: Creating resource 'nxFile'.
VERBOSE: Skipping resource 'nxGroup' as it does not match the requested name.
VERBOSE: Skipping resource 'nxUser' as it does not match the requested name.
VERBOSE: Skipping resource 'nxPackage' as it does not match the requested name.
VERBOSE: Skipping resource 'nxFileLine' as it does not match the requested name.
VERBOSE: Skipping resource 'nxFileContentReplace' as it does not match the requested name.
VERBOSE: Skipping resource 'nxService' as it does not match the requested name.
VERBOSE: Skipping resource 'nxScript' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_LinuxGroup' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_msid110' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_msid121' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_msid232' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_InstalledApplicationLinux' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_NotInstalledApplicationLinux' as it does not match the requested name.
VERBOSE: Skipping resource 'GC_LinuxLogAnalyticsAgent' as it does not match the requested name.
RebootRequired
--------------
         False
Set-nxMode: Cannot process argument transformation on parameter 'Mode'. Cannot convert value "00740" to type "nxFileSystemMode". Error: "The symbolic string '00740' is invalid."
VERBOSE: output:
         False

root@hostname:/tmp/dsc#

Suggested solution to the issue

Either:

  1. Officially support both #### (4 number) style modes in nxFile so we can set suid/sgid/sticky bits AND officially support ##### (5 number) style modes so we can unset them, OR
  2. Make it clear that neither 4 nor 5 number style modes are supported

The DSC configuration that is used to reproduce the issue (as detailed as possible)

$commonParamsSetup = @{
        Name = 'nxFile'
        Property = @{
                DestinationPath = '/tmp/testdirectory'
                Ensure = 'Present'
                Type = 'Directory'
                Mode = '7740'
                Owner = 'root'
                Group = 'root'
                Force = $true
        }
        ModuleName = 'nxTools'
        Verbose = $true
}
Invoke-DscResource @commonParamsSetup -Method Set

$commonParamsTest = @{
        Name = 'nxFile'
        Property = @{
                DestinationPath = '/tmp/testdirectory'
                Ensure = 'Present'
                Type = 'Directory'
                Mode = '00740'
                Owner = 'root'
                Group = 'root'
                Force = $true
        }
        ModuleName = 'nxTools'
        Verbose = $true
}
Invoke-DscResource @commonParamsTest -Method Set

The operating system the target node is running

/tmp/dsc$ uname -a
Linux hostname 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

/tmp/dsc$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy

Version and build of PowerShell the target node is running

PS /tmp/dsc> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Linux 5.19.0-41-generic #42~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 18 17:40:00 UTC 2
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Version of the DSC module that was used

PS /tmp/dsc> Get-Module -Name 'nxtools' -ListAvailable | ft Name,Version,Path

Name    Version Path
----    ------- ----
nxtools 1.2.0   /root/.local/share/powershell/Modules/nxtools/1.2.0/nxtools.psd1

gaelcolas commented 11 months ago

Yes, 5 number style isn't supported at present and agree it should. Haven't touched this project in a while but could you try to set the Mode = '-t'? A bit of a long shot really...

coderjoe commented 11 months ago

I have found no combination of functionality which allows me to unset suid or sgid bits on directories. I think the root cause of my problem is potentially threefold:

  1. On directories, the SUID and SGID bits are maintained when changing modes unless explicitly unset
  2. The nxFileSystemMode method toOctal() is used to generate the mode to pass to chmod but it does not differentiate between files and directories, so for files it will auto overwrite suid/sgid/sticky but on directories they will be maintained
  3. The Set-Chmod only allows the mode set via octal representation from nxFileSystemMode

Therefore while it's possible to set sticky bits on directories, it does not seem possible to unset them.

In the interim I've abandoned trying to use nxFile related functionality and have just written an nxScript to ensure the bits are unset.
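
The directory behaviour discussed in this thread, reproduced with GNU chmod as an added example (not part of the original issue and not nxtools code). The function names and the temporary directories are constructed for illustration, and GNU coreutils `chmod` and `stat -c` are assumed.

```shell
#!/bin/sh
# Added example, not nxtools code. Assumes GNU coreutils (chmod, stat -c).

# Print the octal mode of a path as stat reports it, e.g. 2740 or 740.
mode_of() { stat -c '%a' "$1"; }

# Start from a constructed directory that already has setgid (2740),
# apply one chmod mode argument to it, and print the resulting mode.
after_chmod() {
    d=$(mktemp -d) || return 1
    chmod 2740 "$d"
    chmod "$1" "$d"
    mode_of "$d"
    rmdir "$d"
}

# Test/Set pair in the style of a DSC script resource (hypothetical names).
# $2 is the desired mode written the way stat prints it: 740, 2740, ...
# The directory is compliant only when the full mode, special bits
# included, matches; comparing just the rwx digits would miss a stale setgid.
test_dir_mode() { [ "$(mode_of "$1")" = "$2" ]; }

set_dir_mode() {
    # Two leading zeros make the argument at least five digits long, which
    # is what tells GNU chmod to clear setuid/setgid on a directory when
    # the desired mode leaves them out.
    chmod "00$2" "$1"
}

demo() {
    echo "chmod 740   -> $(after_chmod 740)   (setgid kept on a directory)"
    echo "chmod 00740 -> $(after_chmod 00740)"
    echo "chmod =740  -> $(after_chmod =740)"
}

demo
```
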

MutemwaRMasheke commented 10 months ago

We agree that 5 digits should be supported and are currently looking into this @coderjoe! Thank you for raising this issue with us.

coderjoe commented 10 months ago

No problem. Thank you for your time, interest, and hard work. :)