Module: Puppet::Util::Windows::Security
- Extended by:
- Security
- Includes:
- SID, Windows::File, Windows::Handle, Windows::MSVCRT::Buffer, Windows::Memory, Windows::Process, Windows::Security, Windows::Volume
- Included in:
- Security
- Defined in:
- lib/vendor/puppet/util/windows/security.rb
Constant Summary collapse
- S_IRUSR =
file modes
0000400
- S_IRGRP =
0000040
- S_IROTH =
0000004
- S_IWUSR =
0000200
- S_IWGRP =
0000020
- S_IWOTH =
0000002
- S_IXUSR =
0000100
- S_IXGRP =
0000010
- S_IXOTH =
0000001
- S_IRWXU =
0000700
- S_IRWXG =
0000070
- S_IRWXO =
0000007
- S_ISVTX =
0001000
- S_IEXTRA =
represents an extra ace
02000000
- PROTECTED_DACL_SECURITY_INFORMATION =
constants that are missing from Windows::Security
0x80000000
- UNPROTECTED_DACL_SECURITY_INFORMATION =
0x20000000
- NO_INHERITANCE =
0x0
- MASK_TO_MODE =
{ FILE_GENERIC_READ => S_IROTH, FILE_GENERIC_WRITE => S_IWOTH, (FILE_GENERIC_EXECUTE & ~FILE_READ_ATTRIBUTES) => S_IXOTH }
- MODE_TO_MASK =
{ S_IROTH => FILE_GENERIC_READ, S_IWOTH => FILE_GENERIC_WRITE, S_IXOTH => (FILE_GENERIC_EXECUTE & ~FILE_READ_ATTRIBUTES), }
Constants included from SID
Puppet::Util::Windows::SID::ERROR_INVALID_SID_STRUCTURE, Puppet::Util::Windows::SID::ERROR_NONE_MAPPED
Instance Method Summary collapse
- #add_access_allowed_ace(acl, mask, sid, inherit = NO_INHERITANCE) ⇒ Object
- #add_access_denied_ace(acl, mask, sid) ⇒ Object
- #add_attributes(path, flags) ⇒ Object
- #change_sid(old_sid, new_sid, info, path) ⇒ Object
- #get_attributes(path) ⇒ Object
- #get_dacl(handle) ⇒ Object
- #get_dacl_ptr(handle) ⇒ Object
-
#get_group(path) ⇒ Object
Get the group of the object referenced by
path
. -
#get_mode(path) ⇒ Object
Get the mode of the object referenced by
path
. -
#get_owner(path) ⇒ Object
Get the owner of the object referenced by
path
. -
#get_security_info(handle, info) ⇒ Object
Get the SID string, e.g.
- #get_sid(info, path) ⇒ Object
-
#open_file(path, access) ⇒ Object
Open an existing file with the specified access mode, and execute a block with the opened file HANDLE.
- #remove_attributes(path, flags) ⇒ Object
-
#set_acl(path, protected = true) ⇒ Object
setting DACL requires both READ_CONTROL and WRITE_DACL access rights, and their respective privileges, SE_BACKUP_NAME and SE_RESTORE_NAME.
- #set_attributes(path, flags) ⇒ Object
-
#set_group(group_sid, path) ⇒ Object
Set the owner of the object referenced by
path
to the specifiedgroup_sid
. -
#set_mode(mode, path, protected = true) ⇒ Object
Set the mode of the object referenced by
path
to the specifiedmode
. -
#set_owner(owner_sid, path) ⇒ Object
Set the owner of the object referenced by
path
to the specifiedowner_sid
. -
#set_privilege(privilege, enable) ⇒ Object
Enable or disable a privilege.
-
#set_security_info(handle, info, ptr) ⇒ Object
Set the security info on the specified handle.
- #supports_acl?(path) ⇒ Boolean
-
#with_privilege(privilege) ⇒ Object
Execute a block with the specified privilege enabled.
-
#with_process_token(access) ⇒ Object
Execute a block with the current process token.
Methods included from SID
#name_to_sid, #sid_ptr_to_string, #sid_to_name, #string_to_sid_ptr, #valid_sid?
Instance Method Details
#add_access_allowed_ace(acl, mask, sid, inherit = NO_INHERITANCE) ⇒ Object
416 417 418 419 420 421 422 423 424 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 416 def add_access_allowed_ace(acl, mask, sid, inherit = NO_INHERITANCE) string_to_sid_ptr(sid) do |sid_ptr| raise Puppet::Util::Windows::Error.new("Invalid SID") unless IsValidSid(sid_ptr) unless AddAccessAllowedAceEx(acl, ACL_REVISION, inherit, mask, sid_ptr) raise Puppet::Util::Windows::Error.new("Failed to add access control entry") end end end |
#add_access_denied_ace(acl, mask, sid) ⇒ Object
426 427 428 429 430 431 432 433 434 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 426 def add_access_denied_ace(acl, mask, sid) string_to_sid_ptr(sid) do |sid_ptr| raise Puppet::Util::Windows::Error.new("Invalid SID") unless IsValidSid(sid_ptr) unless AddAccessDeniedAce(acl, ACL_REVISION, mask, sid_ptr) raise Puppet::Util::Windows::Error.new("Failed to add access control entry") end end end |
#add_attributes(path, flags) ⇒ Object
198 199 200 201 202 203 204 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 198 def add_attributes(path, flags) oldattrs = get_attributes(path) if (oldattrs | flags) != oldattrs set_attributes(path, oldattrs | flags) end end |
#change_sid(old_sid, new_sid, info, path) ⇒ Object
165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 165 def change_sid(old_sid, new_sid, info, path) if old_sid != new_sid mode = get_mode(path) string_to_sid_ptr(new_sid) do |psid| with_privilege(SE_RESTORE_NAME) do open_file(path, WRITE_OWNER) do |handle| set_security_info(handle, info, psid) end end end # rebuild dacl now that sid has changed set_mode(mode, path) end end |
#get_attributes(path) ⇒ Object
190 191 192 193 194 195 196 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 190 def get_attributes(path) attributes = GetFileAttributes(path) raise Puppet::Util::Windows::Error.new("Failed to get file attributes") if attributes == INVALID_FILE_ATTRIBUTES attributes end |
#get_dacl(handle) ⇒ Object
436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 436 def get_dacl(handle) get_dacl_ptr(handle) do |dacl_ptr| # REMIND: need to handle NULL DACL raise Puppet::Util::Windows::Error.new("Invalid DACL") unless IsValidAcl(dacl_ptr) # ACL structure, size and count are the important parts. The # size includes both the ACL structure and all the ACEs. # # BYTE AclRevision # BYTE Padding1 # WORD AclSize # WORD AceCount # WORD Padding2 acl_buf = 0.chr * 8 memcpy(acl_buf, dacl_ptr, acl_buf.size) ace_count = acl_buf.unpack('CCSSS')[3] dacl = [] # deny all return dacl if ace_count == 0 0.upto(ace_count - 1) do |i| ace_ptr = [0].pack('L') next unless GetAce(dacl_ptr, i, ace_ptr) # ACE structures vary depending on the type. All structures # begin with an ACE header, which specifies the type, flags # and size of what follows. We are only concerned with # ACCESS_ALLOWED_ACE and ACCESS_DENIED_ACEs, which have the # same structure: # # BYTE C AceType # BYTE C AceFlags # WORD S AceSize # DWORD L ACCESS_MASK # DWORD L Sid # .. ... # DWORD L Sid ace_buf = 0.chr * 8 memcpy(ace_buf, ace_ptr.unpack('L')[0], ace_buf.size) ace_type, ace_flags, size, mask = ace_buf.unpack('CCSL') # skip aces that only serve to propagate inheritance next if (ace_flags & INHERIT_ONLY_ACE).nonzero? case ace_type when ACCESS_ALLOWED_ACE_TYPE sid_ptr = ace_ptr.unpack('L')[0] + 8 # address of ace_ptr->SidStart raise Puppet::Util::Windows::Error.new("Failed to read DACL, invalid SID") unless IsValidSid(sid_ptr) sid = sid_ptr_to_string(sid_ptr) dacl << {:sid => sid, :type => ace_type, :mask => mask} else Puppet.warning "Unsupported access control entry type: 0x#{ace_type.to_s(16)}" end end dacl end end |
#get_dacl_ptr(handle) ⇒ Object
500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 500 def get_dacl_ptr(handle) dacl = [0].pack('L') sd = [0].pack('L') rv = GetSecurityInfo( handle, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, nil, nil, dacl, #dacl nil, #sacl sd) #sec desc raise Puppet::Util::Windows::Error.new("Failed to get DACL") unless rv == ERROR_SUCCESS begin yield dacl.unpack('L')[0] ensure LocalFree(sd.unpack('L')[0]) end end |
#get_group(path) ⇒ Object
Get the group of the object referenced by path
. The returned value is a SID string, e.g. “S-1-5-32-544”. Any user with read access to an object can get the group. Only a user with the SE_BACKUP_NAME privilege in their process token can get the group for objects they do not have read access to.
146 147 148 149 150 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 146 def get_group(path) return unless supports_acl?(path) get_sid(GROUP_SECURITY_INFORMATION, path) end |
#get_mode(path) ⇒ Object
Get the mode of the object referenced by path
. The returned integer value represents the POSIX-style read, write, and execute modes for the user, group, and other classes, e.g. 0640. Any user with read access to an object can get the mode. Only a user with the SE_BACKUP_NAME privilege in their process token can get the mode for objects they do not have read access to.
230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 230 def get_mode(path) return unless supports_acl?(path) owner_sid = get_owner(path) group_sid = get_group(path) well_known_world_sid = Win32::Security::SID::Everyone well_known_nobody_sid = Win32::Security::SID::Nobody with_privilege(SE_BACKUP_NAME) do open_file(path, READ_CONTROL) do |handle| mode = 0 get_dacl(handle).each do |ace| case ace[:sid] when owner_sid MASK_TO_MODE.each_pair do |k,v| if (ace[:mask] & k) == k mode |= (v << 6) end end when group_sid MASK_TO_MODE.each_pair do |k,v| if (ace[:mask] & k) == k mode |= (v << 3) end end when well_known_world_sid MASK_TO_MODE.each_pair do |k,v| if (ace[:mask] & k) == k mode |= (v << 6) | (v << 3) | v end end if File.directory?(path) and (ace[:mask] & (FILE_WRITE_DATA | FILE_EXECUTE | FILE_DELETE_CHILD)) == (FILE_WRITE_DATA | FILE_EXECUTE) mode |= S_ISVTX; end when well_known_nobody_sid if (ace[:mask] & FILE_APPEND_DATA).nonzero? mode |= S_ISVTX end else #puts "Warning, unable to map SID into POSIX mode: #{ace[:sid]}" mode |= S_IEXTRA end # if owner and group the same, then user and group modes are the OR of both if owner_sid == group_sid mode |= ((mode & S_IRWXG) << 3) | ((mode & S_IRWXU) >> 3) #puts "owner: #{group_sid}, 0x#{ace[:mask].to_s(16)}, #{mode.to_s(8)}" end end #puts "get_mode: #{mode.to_s(8)}" mode end end end |
#get_owner(path) ⇒ Object
Get the owner of the object referenced by path
. The returned value is a SID string, e.g. “S-1-5-32-544”. Any user with read access to an object can get the owner. Only a user with the SE_BACKUP_NAME privilege in their process token can get the owner for objects they do not have read access to.
124 125 126 127 128 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 124 def get_owner(path) return unless supports_acl?(path) get_sid(OWNER_SECURITY_INFORMATION, path) end |
#get_security_info(handle, info) ⇒ Object
Get the SID string, e.g. “S-1-5-32-544”, for the specified handle and type of information (owner, group).
536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 536 def get_security_info(handle, info) sid = [0].pack('L') sd = [0].pack('L') rv = GetSecurityInfo( handle, SE_FILE_OBJECT, info, # security info info == OWNER_SECURITY_INFORMATION ? sid : nil, info == GROUP_SECURITY_INFORMATION ? sid : nil, nil, #dacl nil, #sacl sd) #sec desc raise Puppet::Util::Windows::Error.new("Failed to get security information") unless rv == ERROR_SUCCESS begin return sid_ptr_to_string(sid.unpack('L')[0]) ensure LocalFree(sd.unpack('L')[0]) end end |
#get_sid(info, path) ⇒ Object
182 183 184 185 186 187 188 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 182 def get_sid(info, path) with_privilege(SE_BACKUP_NAME) do open_file(path, READ_CONTROL) do |handle| get_security_info(handle, info) end end end |
#open_file(path, access) ⇒ Object
Open an existing file with the specified access mode, and execute a block with the opened file HANDLE.
560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 560 def open_file(path, access) handle = CreateFile( path, access, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, # security_attributes OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, 0) # template raise Puppet::Util::Windows::Error.new("Failed to open '#{path}'") if handle == INVALID_HANDLE_VALUE begin yield handle ensure CloseHandle(handle) end end |
#remove_attributes(path, flags) ⇒ Object
206 207 208 209 210 211 212 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 206 def remove_attributes(path, flags) oldattrs = get_attributes(path) if (oldattrs & ~flags) != oldattrs set_attributes(path, oldattrs & ~flags) end end |
#set_acl(path, protected = true) ⇒ Object
setting DACL requires both READ_CONTROL and WRITE_DACL access rights, and their respective privileges, SE_BACKUP_NAME and SE_RESTORE_NAME.
391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 391 def set_acl(path, protected = true) with_privilege(SE_BACKUP_NAME) do with_privilege(SE_RESTORE_NAME) do open_file(path, READ_CONTROL | WRITE_DAC) do |handle| acl = 0.chr * 1024 # This can be increased later as needed unless InitializeAcl(acl, acl.size, ACL_REVISION) raise Puppet::Util::Windows::Error.new("Failed to initialize ACL") end raise Puppet::Util::Windows::Error.new("Invalid DACL") unless IsValidAcl(acl) yield acl # protected means the object does not inherit aces from its parent info = DACL_SECURITY_INFORMATION info |= protected ? PROTECTED_DACL_SECURITY_INFORMATION : UNPROTECTED_DACL_SECURITY_INFORMATION # set the DACL set_security_info(handle, info, acl) end end end end |
#set_attributes(path, flags) ⇒ Object
214 215 216 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 214 def set_attributes(path, flags) raise Puppet::Util::Windows::Error.new("Failed to set file attributes") unless SetFileAttributes(path, flags) end |
#set_group(group_sid, path) ⇒ Object
Set the owner of the object referenced by path
to the specified group_sid
. The group sid should be of the form “S-1-5-32-544” and can either be a user or group. Any user with WRITE_OWNER access to the object can change the group (regardless of whether the current user belongs to that group or not).
135 136 137 138 139 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 135 def set_group(group_sid, path) old_sid = get_group(path) change_sid(old_sid, group_sid, GROUP_SECURITY_INFORMATION, path) end |
#set_mode(mode, path, protected = true) ⇒ Object
Set the mode of the object referenced by path
to the specified mode
. The mode should be specified as POSIX-stye read, write, and execute modes for the user, group, and other classes, e.g. 0640. The sticky bit, S_ISVTX, is supported, but is only meaningful for directories. If set, group and others are not allowed to delete child objects for which they are not the owner. By default, the DACL is set to protected, meaning it does not inherit access control entries from parent objects. This can be changed by setting protected
to false. The owner of the object (with READ_CONTROL and WRITE_DACL access) can always change the mode. Only a user with the SE_BACKUP_NAME and SE_RESTORE_NAME privileges in their process token can change the mode for objects that they do not have read and write access to.
306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 306 def set_mode(mode, path, protected = true) owner_sid = get_owner(path) group_sid = get_group(path) well_known_world_sid = Win32::Security::SID::Everyone well_known_nobody_sid = Win32::Security::SID::Nobody owner_allow = STANDARD_RIGHTS_ALL | FILE_READ_ATTRIBUTES | FILE_WRITE_ATTRIBUTES group_allow = STANDARD_RIGHTS_READ | FILE_READ_ATTRIBUTES | SYNCHRONIZE other_allow = STANDARD_RIGHTS_READ | FILE_READ_ATTRIBUTES | SYNCHRONIZE nobody_allow = 0 MODE_TO_MASK.each do |k,v| if ((mode >> 6) & k) == k owner_allow |= v end if ((mode >> 3) & k) == k group_allow |= v end if (mode & k) == k other_allow |= v end end if (mode & S_ISVTX).nonzero? nobody_allow |= FILE_APPEND_DATA; end isdir = File.directory?(path) if isdir if (mode & (S_IWUSR | S_IXUSR)) == (S_IWUSR | S_IXUSR) owner_allow |= FILE_DELETE_CHILD end if (mode & (S_IWGRP | S_IXGRP)) == (S_IWGRP | S_IXGRP) and (mode & S_ISVTX) == 0 group_allow |= FILE_DELETE_CHILD end if (mode & (S_IWOTH | S_IXOTH)) == (S_IWOTH | S_IXOTH) and (mode & S_ISVTX) == 0 other_allow |= FILE_DELETE_CHILD end end # if owner and group the same, then map group permissions to the one owner ACE isownergroup = owner_sid == group_sid if isownergroup owner_allow |= group_allow end # if any ACE allows write, then clear readonly bit, but do this before we overwrite # the DACl and lose our ability to set the attribute if ((owner_allow | group_allow | other_allow ) & FILE_WRITE_DATA) == FILE_WRITE_DATA remove_attributes(path, FILE_ATTRIBUTE_READONLY) end set_acl(path, protected) do |acl| #puts "ace: owner #{owner_sid}, mask 0x#{owner_allow.to_s(16)}" add_access_allowed_ace(acl, owner_allow, owner_sid) unless isownergroup #puts "ace: group #{group_sid}, mask 0x#{group_allow.to_s(16)}" add_access_allowed_ace(acl, group_allow, group_sid) end #puts "ace: other #{well_known_world_sid}, mask 0x#{other_allow.to_s(16)}" add_access_allowed_ace(acl, other_allow, well_known_world_sid) #puts "ace: nobody #{well_known_nobody_sid}, mask 0x#{nobody_allow.to_s(16)}" add_access_allowed_ace(acl, nobody_allow, well_known_nobody_sid) # add inherit-only aces for child dirs and files that are created within the dir if isdir inherit = INHERIT_ONLY_ACE | CONTAINER_INHERIT_ACE add_access_allowed_ace(acl, owner_allow, Win32::Security::SID::CreatorOwner, inherit) add_access_allowed_ace(acl, group_allow, Win32::Security::SID::CreatorGroup, inherit) inherit = INHERIT_ONLY_ACE | OBJECT_INHERIT_ACE add_access_allowed_ace(acl, owner_allow & ~FILE_EXECUTE, Win32::Security::SID::CreatorOwner, inherit) add_access_allowed_ace(acl, group_allow & ~FILE_EXECUTE, Win32::Security::SID::CreatorGroup, inherit) end end nil end |
#set_owner(owner_sid, path) ⇒ Object
Set the owner of the object referenced by path
to the specified owner_sid
. The owner sid should be of the form “S-1-5-32-544” and can either be a user or group. Only a user with the SE_RESTORE_NAME privilege in their process token can overwrite the object’s owner to something other than the current user.
113 114 115 116 117 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 113 def set_owner(owner_sid, path) old_sid = get_owner(path) change_sid(old_sid, owner_sid, OWNER_SECURITY_INFORMATION, path) end |
#set_privilege(privilege, enable) ⇒ Object
Enable or disable a privilege. Note this doesn’t add any privileges the user doesn’t already has, it just enables privileges that are disabled.
587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 587 def set_privilege(privilege, enable) return unless Puppet.features.root? with_process_token(TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY) do |token| tmpLuid = 0.chr * 8 # Get the LUID for specified privilege. unless LookupPrivilegeValue("", privilege, tmpLuid) raise Puppet::Util::Windows::Error.new("Failed to lookup privilege") end # DWORD + [LUID + DWORD] tkp = [1].pack('L') + tmpLuid + [enable ? SE_PRIVILEGE_ENABLED : 0].pack('L') unless AdjustTokenPrivileges(token, 0, tkp, tkp.length , nil, nil) raise Puppet::Util::Windows::Error.new("Failed to adjust process privileges") end end end |
#set_security_info(handle, info, ptr) ⇒ Object
Set the security info on the specified handle.
522 523 524 525 526 527 528 529 530 531 532 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 522 def set_security_info(handle, info, ptr) rv = SetSecurityInfo( handle, SE_FILE_OBJECT, info, (info & OWNER_SECURITY_INFORMATION) == OWNER_SECURITY_INFORMATION ? ptr : nil, (info & GROUP_SECURITY_INFORMATION) == GROUP_SECURITY_INFORMATION ? ptr : nil, (info & DACL_SECURITY_INFORMATION) == DACL_SECURITY_INFORMATION ? ptr : nil, nil) raise Puppet::Util::Windows::Error.new("Failed to set security information") unless rv == ERROR_SUCCESS end |
#supports_acl?(path) ⇒ Boolean
152 153 154 155 156 157 158 159 160 161 162 163 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 152 def supports_acl?(path) flags = 0.chr * 4 root = Pathname.new(path).enum_for(:ascend).to_a.last.to_s # 'A trailing backslash is required' root = "#{root}\\" unless root =~ /[\/\\]$/ unless GetVolumeInformation(root, nil, 0, nil, nil, flags, nil, 0) raise Puppet::Util::Windows::Error.new("Failed to get volume information") end (flags.unpack('L')[0] & Windows::File::FILE_PERSISTENT_ACLS) != 0 end |
#with_privilege(privilege) ⇒ Object
Execute a block with the specified privilege enabled
578 579 580 581 582 583 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 578 def with_privilege(privilege) set_privilege(privilege, true) yield ensure set_privilege(privilege, false) end |
#with_process_token(access) ⇒ Object
Execute a block with the current process token
608 609 610 611 612 613 614 615 616 617 618 619 620 621 |
# File 'lib/vendor/puppet/util/windows/security.rb', line 608 def with_process_token(access) token = 0.chr * 4 unless OpenProcessToken(GetCurrentProcess(), access, token) raise Puppet::Util::Windows::Error.new("Failed to open process token") end begin token = token.unpack('L')[0] yield token ensure CloseHandle(token) end end |