Method: Puppet::Util::Windows::Security#set_security_descriptor

Defined in:
lib/puppet/util/windows/security.rb

#set_security_descriptor(path, sd) ⇒ Object

setting DACL requires both READ_CONTROL and WRITE_DACL access rights, and their respective privileges, SE_BACKUP_NAME and SE_RESTORE_NAME.



590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
 
# File 'lib/puppet/util/windows/security.rb', line 590

def set_security_descriptor(path, sd)
  FFI::MemoryPointer.new(:byte, get_max_generic_acl_size(sd.dacl.count)) do |acl_ptr|
    if InitializeAcl(acl_ptr, acl_ptr.size, ACL_REVISION) == FFI::WIN32_FALSE
      raise Puppet::Util::Windows::Error.new(_("Failed to initialize ACL"))
    end

    if IsValidAcl(acl_ptr) == FFI::WIN32_FALSE
      raise Puppet::Util::Windows::Error.new(_("Invalid DACL"))
    end

    with_privilege(SE_BACKUP_NAME) do
      with_privilege(SE_RESTORE_NAME) do
        open_file(path, READ_CONTROL | WRITE_DAC | WRITE_OWNER) do |handle|
          Puppet::Util::Windows::SID.string_to_sid_ptr(sd.owner) do |owner_sid_ptr|
            Puppet::Util::Windows::SID.string_to_sid_ptr(sd.group) do |group_sid_ptr|
              sd.dacl.each do |ace|
                case ace.type
                when Puppet::Util::Windows::AccessControlEntry::ACCESS_ALLOWED_ACE_TYPE
                  #puts "ace: allow, sid #{Puppet::Util::Windows::SID.sid_to_name(ace.sid)}, mask 0x#{ace.mask.to_s(16)}"
                  add_access_allowed_ace(acl_ptr, ace.mask, ace.sid, ace.flags)
                when Puppet::Util::Windows::AccessControlEntry::ACCESS_DENIED_ACE_TYPE
                  #puts "ace: deny, sid #{Puppet::Util::Windows::SID.sid_to_name(ace.sid)}, mask 0x#{ace.mask.to_s(16)}"
                  add_access_denied_ace(acl_ptr, ace.mask, ace.sid, ace.flags)
                else
                  raise "We should never get here"
                  # TODO: this should have been a warning in an earlier commit
                end
              end

              # protected means the object does not inherit aces from its parent
              flags = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION
              flags |= sd.protect ? PROTECTED_DACL_SECURITY_INFORMATION : UNPROTECTED_DACL_SECURITY_INFORMATION

              rv = SetSecurityInfo(handle,
                                   :SE_FILE_OBJECT,
                                   flags,
                                   owner_sid_ptr,
                                   group_sid_ptr,
                                   acl_ptr,
                                   FFI::MemoryPointer::NULL)

              if rv != FFI::ERROR_SUCCESS
                raise Puppet::Util::Windows::Error.new(_("Failed to set security information"))
              end
            end
          end
        end
      end
    end
  end
end