voxpupuli / puppet-icinga2

Puppet module to manage Icinga 2
https://forge.puppet.com/icinga/icinga2
Apache License 2.0

Broken file permissions on Windows #796

Closed shoddyguard closed 2 weeks ago

shoddyguard commented 2 weeks ago

On Windows the permissions of the folder C:/ProgramData/icinga2/etc/icinga2 are being incorrectly set to SYSTEM, removing other users from the permissions scheme. This means Puppet is no longer able to manage files under that directory, as it runs in the Administrator context, not the SYSTEM context.

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

Simply including the icinga2::install class is enough to reproduce.

What are you seeing

A bunch of file permission errors

What behaviour did you expect instead

No errors

Output log

Info: Caching catalog for bs-dc01.brownserve.co.uk
Info: Applying configuration version '1730992358'
Notice: /Stage[main]/Icinga2::Install/Package[icinga2]/ensure: created (corrective)
Notice: /Stage[main]/Icinga2::Install/File[C:/ProgramData/icinga2/etc/icinga2]/mode: mode changed '6000000' to '0750' (corrective)
Warning: /Stage[main]/Icinga2::Config/File[C:/ProgramData/icinga2/etc/icinga2/constants.conf]: Could not stat; permission denied
Error: Could not set 'file' on ensure: Permission denied @ dir_s_mkdir - C:/ProgramData/icinga2/etc/icinga2/constants.conf20241107-1312-1whl6u1.lock (file: /etc/puppetlabs/code/environments/production/ext-modules/icinga2/manifests/config.pp, line: 33)
Error: Could not set 'file' on ensure: Permission denied @ dir_s_mkdir - C:/ProgramData/icinga2/etc/icinga2/constants.conf20241107-1312-1whl6u1.lock (file: /etc/puppetlabs/code/environments/production/ext-modules/icinga2/manifests/config.pp, line: 33)
Wrapped exception:
Permission denied @ dir_s_mkdir - C:/ProgramData/icinga2/etc/icinga2/constants.conf20241107-1312-1whl6u1.lock
Error: /Stage[main]/Icinga2::Config/File[C:/ProgramData/icinga2/etc/icinga2/constants.conf]/ensure: change from 'absent' to 'file' failed: Could not set 'file' on ensure: Permission denied @ dir_s_mkdir - C:/ProgramData/icinga2/etc/icinga2/constants.conf20241107-1312-1whl6u1.lock (file: /etc/puppetlabs/code/environments/production/ext-modules/icinga2/manifests/config.pp, line: 33) (corrective)

Any additional information you'd like to impart

I believe the issue is this line: https://github.com/voxpupuli/puppet-icinga2/blob/eaaca5b4d84059be75ff5447fd80e6b00051a31b/manifests/install.pp#L40. I believe this is changing the folder to have SYSTEM-only permissions (you can see the '6000000' to '0750' in the output above).

This is the permission scheme on a fresh install of the icinga2 package from Chocolatey: [screenshots not reproduced]

After a single Puppet run this is the changed permission scheme: [screenshots not reproduced]

shoddyguard commented 2 weeks ago

Can confirm this also affects 6.0.0 (which makes sense, given this is when https://github.com/voxpupuli/puppet-icinga2/pull/772 was merged, which introduced the suspected line at fault).

lbetz commented 2 weeks ago

Thanks a lot, I noticed the same today. When adding SELinux in #772 I forgot the Windows systems. I will change the permission mode to undef on Windows platforms.
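To illustrate the fix lbetz describes, here is an added example in Puppet; it is not the module's own install.pp (which is not quoted in this issue) and it assumes a local $conf_dir variable holding the Windows path from the report. The weak form is shown commented out beside the corrected form.

```puppet
# Hypothetical local variable for illustration; the real module derives the
# directory per platform. The path is the one reported in this issue.
$conf_dir = 'C:/ProgramData/icinga2/etc/icinga2'

# Before (the behaviour reported above): an explicit POSIX mode on every
# platform. On Windows Puppet maps the mode onto an ACL, which is what the
# "mode changed '6000000' to '0750'" line in the log shows, and the resulting
# ACL leaves only SYSTEM with access, so later File resources under the
# directory fail with "Permission denied".
#
# file { $conf_dir:
#   ensure => directory,
#   mode   => '0750',
# }

# After: only set a mode where a POSIX mode is meaningful. On Windows the
# selector yields undef, and an attribute set to undef is treated as
# unmanaged, so the ACL installed by the package is left untouched.
$conf_dir_mode = $facts['os']['family'] ? {
  'windows' => undef,
  default   => '0750',
}

file { $conf_dir:
  ensure => directory,
  mode   => $conf_dir_mode,
}
```

To check a host after a run, compare the output of `icacls C:\ProgramData\icinga2\etc\icinga2` against a fresh package install: the Administrators entry should still be present, not just SYSTEM.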

lbetz commented 2 weeks ago

Maybe you can test PR #797?

shoddyguard commented 2 weeks ago

Yup, I'll pull this in and test now. Will report back shortly.

shoddyguard commented 2 weeks ago

Can confirm this fixes the issue 🎉 Thanks for getting this sorted so quickly @lbetz

lbetz commented 2 weeks ago

No problem and thanks for pointing out the correct code section. Release is coming soon.

shoddyguard commented 2 weeks ago

For anyone who has unfortunately ended up with your C:/ProgramData/icinga2/etc/icinga2 directory owned by SYSTEM you'll need to do a bit of manual work to get back to normal.

Here are the steps that I took:

You should be back to normal operation now.

If you're security conscious you may want to run choco uninstall psexec -y afterwards (especially as this trips up a lot of enterprise security screening tools). Also, for those not familiar with psexec, tab completion won't work out of the box when using it, and pressing Ctrl+C will terminate not just your PowerShell shell but also the psexec session, meaning you'll have to run psexec -s powershell again.