Broken file permissions on Windows #796

Closed
shoddyguard opened this issue Nov 7, 2024 · 7 comments
@shoddyguard

On Windows the permissions of the folder C:/ProgramData/icinga2/etc/icinga2 are being incorrectly set to SYSTEM, removing other users from the permissions scheme.
This means Puppet is no longer able to manage files under that directory, as it runs in the Administrator context, not the SYSTEM context.

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.31.0
  • Ruby: N/A
  • Distribution: Windows
  • Module version: 6.0.1

How to reproduce (e.g. Puppet code you use)

Simply including the icinga2::install class is enough to reproduce.

What are you seeing

A bunch of file permission errors

What behaviour did you expect instead

No errors

Output log

Info: Caching catalog for bs-dc01.brownserve.co.uk
Info: Applying configuration version '1730992358'
Notice: /Stage[main]/Icinga2::Install/Package[icinga2]/ensure: created (corrective)
Notice: /Stage[main]/Icinga2::Install/File[C:/ProgramData/icinga2/etc/icinga2]/mode: mode changed '6000000' to '0750' (corrective)
Warning: /Stage[main]/Icinga2::Config/File[C:/ProgramData/icinga2/etc/icinga2/constants.conf]: Could not stat; permission denied
Error: Could not set 'file' on ensure: Permission denied @ dir_s_mkdir - C:/ProgramData/icinga2/etc/icinga2/constants.conf20241107-1312-1whl6u1.lock (file: /etc/puppetlabs/code/environments/production/ext-modules/icinga2/manifests/config.pp, line: 33)
Error: Could not set 'file' on ensure: Permission denied @ dir_s_mkdir - C:/ProgramData/icinga2/etc/icinga2/constants.conf20241107-1312-1whl6u1.lock (file: /etc/puppetlabs/code/environments/production/ext-modules/icinga2/manifests/config.pp, line: 33)
Wrapped exception:
Permission denied @ dir_s_mkdir - C:/ProgramData/icinga2/etc/icinga2/constants.conf20241107-1312-1whl6u1.lock
Error: /Stage[main]/Icinga2::Config/File[C:/ProgramData/icinga2/etc/icinga2/constants.conf]/ensure: change from 'absent' to 'file' failed: Could not set 'file' on ensure: Permission denied @ dir_s_mkdir - C:/ProgramData/icinga2/etc/icinga2/constants.conf20241107-1312-1whl6u1.lock (file: /etc/puppetlabs/code/environments/production/ext-modules/icinga2/manifests/config.pp, line: 33) (corrective)

Any additional information you'd like to impart

I believe the issue is this line:

mode => '0750',

I believe this is changing the folder to have SYSTEM only permission (you can see the '6000000' to '0750' in the output above).

This is the permission scheme on a fresh install of the icinga2 package from chocolatey:
[images]

After a single Puppet run this is the changed permission scheme:
[images]

@shoddyguard
Author

Can confirm this also affects 6.0.0 as well (which makes sense given this is when #772 was merged that introduced the suspected line at fault)

@lbetz
Contributor

lbetz commented Nov 7, 2024

Thx a lot, I noticed the same today. When adding selinux in #772 I forgot the Windows systems. I will change the permission mode to undef on Windows platforms.

@lbetz lbetz added the bug label Nov 7, 2024
@lbetz lbetz self-assigned this Nov 7, 2024
@lbetz lbetz changed the title from "6.0.1 is broken on Windows due to file permission errors." to "Broken file permissions on Windows" Nov 8, 2024
@lbetz
Contributor

lbetz commented Nov 8, 2024

Maybe you can test the PR #797?

@shoddyguard
Author

Yup, I'll pull this in and test now. Will report back shortly.

@shoddyguard
Author

Can confirm this fixes the issue 🎉
Thanks for getting this sorted so quickly @lbetz

@lbetz lbetz closed this as completed in 2a7c969 Nov 8, 2024
@lbetz
Contributor

lbetz commented Nov 8, 2024

No problem and thanks for pointing out the correct code section. Release is coming soon.

@shoddyguard
Author

shoddyguard commented Nov 8, 2024

For anyone who has unfortunately ended up with your C:/ProgramData/icinga2/etc/icinga2 directory owned by SYSTEM, you'll need to do a bit of manual work to get back to normal.

Here are the steps that I took:

  • Stop the icinga2 service
  • Uninstall icinga2
  • Stop the puppet service and make sure not to do any puppet runs in the meantime.
  • Install psexec: choco install psexec -y (only way I know of to elevate to SYSTEM permission - if anyone knows differently please let me know)
  • Spawn a SYSTEM process (I chose PowerShell): psexec -s powershell
  • Remove the C:\ProgramData\icinga2 directory and its children: Remove-Item -force -recurse c:\programdata\icinga2
  • Confirm the directory has gone
  • Exit out of psexec and back to your regular shell (you don't want to run puppet as SYSTEM!)
  • Ensure you're on the release of puppet/icinga2 that has @lbetz's fix (I'm guessing this will be 6.0.2+)
  • puppet agent -t

You should be back to normal operation now.

If you're security conscious you may want to choco uninstall psexec -y afterwards (especially as this trips up a lot of enterprise security screening tools).
Also, for those not familiar with psexec: tab-completion won't work out of the box when using it, and pressing ctrl+c will terminate not just your powershell shell but also the psexec session, meaning you'll have to psexec -s powershell again.

@lbetz lbetz added skip-changelog and removed bug labels Nov 8, 2024
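
A read-only check for the state described in this issue, added here as an example and not part of the thread or of the puppet-icinga2 module: it reports the directory's owner and whether its ACL still has an Allow entry for BUILTIN\Administrators. The function name Get-IcingaConfigAclStatus and the status labels are made up for illustration; the default path is the one quoted in the issue.

```powershell
# Added example (not from the thread): read-only inspection of the directory ACL.
# Function name and status labels are illustrative.
function Get-IcingaConfigAclStatus {
    param(
        # Path quoted in the issue; override for non-default installs.
        [string]$Path = 'C:\ProgramData\icinga2\etc\icinga2'
    )

    $adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    catch [System.Management.Automation.ItemNotFoundException] {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Owner = $null; AdminRights = $null }
    }
    catch [System.UnauthorizedAccessException] {
        # An elevated shell that cannot even read the ACL is consistent with
        # the SYSTEM-only state reported in this issue.
        return [pscustomobject]@{ Path = $Path; Status = 'Unreadable'; Owner = $null; AdminRights = $null }
    }

    # Work with SIDs so the check does not depend on localized account names.
    $owner = $acl.GetOwner($sidType).Value
    $adminRules = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $adminsSid
    })

    $status = if ($adminRules.Count -gt 0) { 'AdminsAllowed' } else { 'NoAdminEntry' }
    [pscustomobject]@{
        Path        = $Path
        Status      = $status
        Owner       = $owner   # S-1-5-18 is NT AUTHORITY\SYSTEM
        AdminRights = ($adminRules | ForEach-Object { $_.FileSystemRights }) -join '; '
    }
}

Get-IcingaConfigAclStatus | Format-List
```

Run it from an elevated Administrator shell, the context the thread says Puppet runs in, so that a result of Unreadable or NoAdminEntry reflects what Puppet itself would hit.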