Method: Puppet::Util::Windows::Security#set_mode

Defined in:
lib/puppet/util/windows/security.rb

#set_mode(mode, path, protected = true) ⇒ Object

Set the mode of the object referenced by path to the specified mode. The mode should be specified as POSIX-style read, write, and execute modes for the user, group, and other classes, e.g. 0640. The sticky bit, S_ISVTX, is supported, but is only meaningful for directories. If set, group and others are not allowed to delete child objects for which they are not the owner. By default, the DACL is set to protected, meaning it does not inherit access control entries from parent objects. This can be changed by setting protected to false. The owner of the object (with READ_CONTROL and WRITE_DACL access) can always change the mode. Only a user with the SE_BACKUP_NAME and SE_RESTORE_NAME privileges in their process token can change the mode for objects that they do not have read and write access to.



# File 'lib/puppet/util/windows/security.rb', line 277

# Translate a POSIX-style +mode+ (e.g. 0640) into a Windows DACL and apply it
# to the object at +path+.
#
# The user/group/other rwx bits are mapped onto access masks for the owner SID,
# the group SID and the Everyone SID. The sticky bit (S_ISVTX) is honoured: when
# set, group and others do not receive FILE_DELETE_CHILD on directories and the
# Nobody SID is granted FILE_APPEND_DATA (presumably a marker so the bit can be
# read back later — verify against the corresponding get_mode).
#
# @param mode [Integer] POSIX permission bits; S_ISVTX is only meaningful for directories
# @param path [String] file or directory whose security descriptor is rewritten
# @param protected [Boolean] when true (default) the new DACL does not inherit
#   ACEs from parent objects
# @return [nil]
def set_mode(mode, path, protected = true)
  sd = get_security_descriptor(path)
  everyone_sid = Puppet::Util::Windows::SID::Everyone
  nobody_sid = Puppet::Util::Windows::SID::Nobody
  system_sid = Puppet::Util::Windows::SID::LocalSystem
  ace = Puppet::Util::Windows::AccessControlEntry

  # Rights every class gets regardless of the rwx bits; owner additionally
  # keeps STANDARD_RIGHTS_ALL so it can always read/write the DACL.
  read_baseline = FILE::STANDARD_RIGHTS_READ | FILE::FILE_READ_ATTRIBUTES | FILE::SYNCHRONIZE
  owner_allow = FILE::STANDARD_RIGHTS_ALL | FILE::FILE_READ_ATTRIBUTES | FILE::FILE_WRITE_ATTRIBUTES
  group_allow = read_baseline
  other_allow = read_baseline

  # OR together the Windows masks for every rwx bit present in a 3-bit class.
  rights_for = lambda do |bits|
    MODE_TO_MASK.reduce(0) { |acc, (bit, mask)| (bits & bit) == bit ? acc | mask : acc }
  end
  owner_allow |= rights_for.call(mode >> 6)
  group_allow |= rights_for.call(mode >> 3)
  other_allow |= rights_for.call(mode)

  sticky = (mode & S_ISVTX) != 0
  nobody_allow = sticky ? FILE::FILE_APPEND_DATA : 0

  # caller is NOT managing SYSTEM by using group or owner, so set to FULL
  # we don't check S_ISYSTEM_MISSING bit, but automatically carry over existing SYSTEM perms
  # by default set SYSTEM perms to full
  system_managed = [sd.owner, sd.group].include?(system_sid)
  system_allow = system_managed ? 0 : FILE::FILE_ALL_ACCESS

  isdir = File.directory?(path)
  has_all = ->(bits) { (mode & bits) == bits }

  # Directories: write+execute grants delete-child; the sticky bit withholds it
  # from group and others so they may only remove what they own.
  if isdir
    owner_allow |= FILE::FILE_DELETE_CHILD if has_all.call(S_IWUSR | S_IXUSR)
    group_allow |= FILE::FILE_DELETE_CHILD if has_all.call(S_IWGRP | S_IXGRP) && !sticky
    other_allow |= FILE::FILE_DELETE_CHILD if has_all.call(S_IWOTH | S_IXOTH) && !sticky
  end

  # if owner and group the same, then map group permissions to the one owner ACE
  owner_is_group = sd.owner == sd.group
  owner_allow |= group_allow if owner_is_group

  # If any ACE grants write, drop the readonly attribute *before* the DACL is
  # replaced — afterwards the process may no longer hold the right to do so.
  write_mask = FILE::FILE_WRITE_DATA
  writable = ((owner_allow | group_allow | other_allow) & write_mask) == write_mask
  FILE.remove_attributes(path, FILE::FILE_ATTRIBUTE_READONLY) if writable

  # ACE order is significant in a DACL; keep the established ordering.
  dacl = Puppet::Util::Windows::AccessControlList.new
  dacl.allow(sd.owner, owner_allow)
  dacl.allow(sd.group, group_allow) unless owner_is_group
  dacl.allow(everyone_sid, other_allow)
  dacl.allow(nobody_sid, nobody_allow)

  # TODO: system should be first?
  system_flags = isdir ? (ace::CONTAINER_INHERIT_ACE | ace::OBJECT_INHERIT_ACE) : 0
  dacl.allow(system_sid, system_allow, system_flags)

  # add inherit-only aces for child dirs and files that are created within the dir
  if isdir
    for_subdirs = ace::INHERIT_ONLY_ACE | ace::CONTAINER_INHERIT_ACE
    dacl.allow(Puppet::Util::Windows::SID::CreatorOwner, owner_allow, for_subdirs)
    dacl.allow(Puppet::Util::Windows::SID::CreatorGroup, group_allow, for_subdirs)

    # Files created inside the directory do not inherit the execute right.
    for_files = ace::INHERIT_ONLY_ACE | ace::OBJECT_INHERIT_ACE
    dacl.allow(Puppet::Util::Windows::SID::CreatorOwner, owner_allow & ~FILE::FILE_EXECUTE, for_files)
    dacl.allow(Puppet::Util::Windows::SID::CreatorGroup, group_allow & ~FILE::FILE_EXECUTE, for_files)
  end

  new_sd = Puppet::Util::Windows::SecurityDescriptor.new(sd.owner, sd.group, dacl, protected)
  set_security_descriptor(path, new_sd)

  nil
end