ansible-collections / ansible.windows

Windows core collection for Ansible
https://galaxy.ansible.com/ansible/windows
GNU General Public License v3.0

Feature request: A better win_acl module #622

Open Yannik opened 3 months ago

Yannik commented 3 months ago

The current win_acl module is quite simple: you can add/delete a single ACE at a time.
Unfortunately, this is not really suitable for most more advanced use-cases.

I would like to gather some ideas for an improved acl module:

Managing multiple ACEs at once

Managing a single ACE at a time naturally makes managing large ACLs quite slow. Being able to provide a list of ACEs to add/remove would be great.

Set/Replace mode

It would be really great to have a "set/replace/exclusive" functionality to ensure that only the ACEs you want are set on an object and to reliably get rid of old/unwanted ACEs.

Recursive mode

From a security POV, ensuring that only the ACEs you want and have configured in your IaC is quite important. To solve this, having some kind of recursive mode to remove all non-inherited/non-managed ACEs recursively would be really nice. I am not quite sure how to design this in a way that we can set ACLs on different depths of the filesystem tree, but remove non-inherited ACEs from all other nodes. Options I can see:

I hope this was at least somewhat understandable. :D
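The three behaviours requested above (a list of ACEs, an exclusive set/replace mode, and a recursive clean-up of non-inherited ACEs), as an added PowerShell prototype built on Get-Acl/Set-Acl. This is illustrative code written for this thread, not code from the ansible.windows collection or from the requester. It assumes a local NTFS path; the path and group names in the usage comment are placeholders, and the recursive design it picks (desired ACEs on the given path, every descendant reduced to inherited ACEs only) is one possible answer to the open design question, not the author's.

```powershell
# Added example, not code from the ansible.windows collection: a prototype of the
# "exclusive" and "recursive" modes described in the request above.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function ConvertTo-AceKey {
    # FileSystemAccessRule has no value equality, so compare rules by a string key:
    # SID | rights mask | Allow/Deny | inheritance flags | propagation flags
    param([FileSystemAccessRule] $Rule)
    $id = $Rule.IdentityReference
    if ($id -isnot [SecurityIdentifier]) { $id = $id.Translate([SecurityIdentifier]) }
    '{0}|{1}|{2}|{3}|{4}' -f $id.Value, [int]$Rule.FileSystemRights,
        $Rule.AccessControlType, $Rule.InheritanceFlags, $Rule.PropagationFlags
}

function Sync-ExplicitAce {
    # Make the explicit (non-inherited) ACEs on one object exactly $Desired; inherited ACEs are untouched.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string] $Path, [hashtable] $Desired)

    $acl = Get-Acl -LiteralPath $Path
    $current = @{}
    # $true = include explicit ACEs, $false = skip inherited ones; identities come back as SIDs
    foreach ($r in $acl.GetAccessRules($true, $false, [SecurityIdentifier])) {
        $current[(ConvertTo-AceKey $r)] = $r
    }
    $toRemove = @($current.Keys | Where-Object { -not $Desired.ContainsKey($_) })
    $toAdd    = @($Desired.Keys | Where-Object { -not $current.ContainsKey($_) })
    if ($toRemove.Count -eq 0 -and $toAdd.Count -eq 0) { return }   # already compliant, nothing to write

    if ($acl.AreAccessRulesProtected -and $Desired.Count -eq 0) {
        # Inheritance is disabled on this object, so stripping its explicit ACEs would leave an
        # empty DACL (nobody but the owner can touch it). Report it instead of locking it out.
        Write-Warning "$Path blocks inheritance; leaving its $($toRemove.Count) explicit ACE(s) in place"
        return
    }
    foreach ($k in $toRemove) { $acl.RemoveAccessRuleSpecific($current[$k]) }
    foreach ($k in $toAdd)    { $acl.AddAccessRule($Desired[$k]) }
    if ($PSCmdlet.ShouldProcess($Path, "remove $($toRemove.Count) / add $($toAdd.Count) explicit ACE(s)")) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

function Set-ExclusiveAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Desired explicit ACEs as hashtables: Identity and Rights are required;
        # Type (Allow/Deny), Inheritance and Propagation are optional
        [Parameter(Mandatory)] [hashtable[]] $Ace,
        # Also strip explicit ACEs from every descendant so they carry inherited ACEs only
        [switch] $Recurse
    )
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    $desired = @{}
    foreach ($a in $Ace) {
        # Default to CI/OI on directories so the entry flows down; files cannot carry those flags
        $inherit = if ($a.Inheritance) { $a.Inheritance } elseif ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        $rule = [FileSystemAccessRule]::new(
            [NTAccount] $a.Identity,                       # resolves local and domain names alike
            [FileSystemRights] $a.Rights,
            [InheritanceFlags] $inherit,
            [PropagationFlags] $(if ($a.Propagation) { $a.Propagation } else { 'None' }),
            [AccessControlType] $(if ($a.Type) { $a.Type } else { 'Allow' }))
        $desired[(ConvertTo-AceKey $rule)] = $rule
    }
    Sync-ExplicitAce -Path $Path -Desired $desired
    if ($Recurse -and $isDir) {
        Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
            Sync-ExplicitAce -Path $_.FullName -Desired @{}
        }
    }
}

# Usage (path and group names are placeholders): preview with -WhatIf, then run without it
# Set-ExclusiveAcl -Path 'D:\apps\svc' -Recurse -WhatIf -Ace @(
#     @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
#     @{ Identity = 'CORP\svc-app'; Rights = 'ReadAndExecute' }
# )
```

Two design points worth noting. Rules are compared by a SID-plus-mask key rather than by object, and the key is always computed from a constructed rule, because the FileSystemAccessRule constructor adds Synchronize to Allow rules, so an ACE read back from disk would otherwise never match the one you asked for. Inherited ACEs are never touched, which matches the "non-inherited" wording of the request, and an object that blocks inheritance is reported rather than emptied, since removing every explicit ACE there would leave a deny-all DACL.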

cloneluke commented 2 months ago

Yes, I would like to pass multiple groups into win_acl to apply the same permission at the same time to multiple groups

https://g.co/gemini/share/db9cc6d8a8d0


using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

class GrantToGroups
{
    static void Main()
    {
        // Replace 'path' with the actual file path
        string path = "your/file/path";

        // Define permissions (replace with your desired rights)
        FileSystemRights rights = FileSystemRights.Read | FileSystemRights.Write;

        // Define group names (replace with your groups); "DOMAIN\Group" works for domain groups
        string[] groupNames = { "Group1", "Group2" };

        // Get the existing ACL; File.SetAccessControl requires a FileSecurity object
        FileSecurity acl = File.GetAccessControl(path);

        foreach (string groupName in groupNames)
        {
            // Resolve the account name to a SID (works for local and domain groups);
            // the SecurityIdentifier(string) constructor expects SDDL, not a name
            SecurityIdentifier sid = (SecurityIdentifier)new NTAccount(groupName).Translate(typeof(SecurityIdentifier));

            // A FileSystemAccessRule holds exactly one identity, so add one rule per group
            acl.AddAccessRule(new FileSystemAccessRule(sid, rights, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow));
        }

        // Write the modified ACL back to the file
        File.SetAccessControl(path, acl);
    }
}