Issue #11563 has been updated by Josh Cooper.
Subject changed from Can not create file in Windows 2008 to Puppet on Windows
can drop access control entries if the mode is not specified
Status changed from Investigating to Accepted
Hi Fei, there is an issue with your exec resource. Running:
<pre>
cmd.exe /c start /i launch.bat
</pre>
results in "Windows cannot find 'launch.bat'". To launch a bat file via start,
you need to wrap it in a child cmd process:
<pre>
exec { 'cmd /c start /i cmd /c c:\dir\launch.bat':
</pre>
And that works well:
<pre>
notice: /Stage[main]/Module::Start/File[c:\dir\launch.bat]/ensure: defined content as '{md5}fececbb772252bdd54bf19b178627929'
debug: /Stage[main]/Module::Start/File[c:\dir\launch.bat]: The container Class[Module::Start] will propagate my refresh event
debug: /Schedule[never]: Skipping device resources because running on a host
debug: Exec[cmd /c start /i cmd /c c:\dir\launch.bat](provider=windows): Executing 'cmd /c start /i cmd /c c:\dir\launch.bat'
debug: Executing 'cmd /c start /i cmd /c c:\dir\launch.bat'
notice: /Stage[main]/Module::Start/Exec[cmd /c start /i cmd /c c:\dir\launch.bat]/returns: executed successfully
</pre>
Also, I was able to reproduce the error you reported earlier -- about how it
would run successfully once, but fail each time after. And it looks to be a
bug. The issue is that puppet writes out the result of the erb conversion to
launch.bat with permissions:
<pre>
Owner: <user>
Group: None
SYSTEM Full Control
Administrators Full Control
<user> Full Control
</pre>
Puppet then attempts to apply the `owner => Administrator` and `group =>
Administrators` parameters specified in the manifest. However, the mode has not
been specified. Puppet should be applying mode 0770, since the `Administrators`
group had Full Control previously. But puppet is instead converting the mode to
0700. And since puppet is likely not running as the `Administrator` user, then
it can't read/write the file the second time around to determine if the file is
in sync or not.
The workaround is to make sure that you are specifying the owner of the file
resource to be the same user that puppet is running as. If you are running
puppet as a service this is likely `SYSTEM`. Alternatively, you can specify the
mode explicitly as 0770, since `SYSTEM` is an implicit member of the local
`Administrators` group.
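The file resource described in the comment above, next to the two workarounds it names, as an added example that is not part of the original issue or of Puppet's own code. The class names and the template path are hypothetical; the file path, owner, group and mode values are the ones mentioned in the comment.

```puppet
# Added illustration; class names and the template path are hypothetical.
# Declare only ONE of these classes on a node: all three manage the same file.

# Before: owner and group are set but mode is not. Per the analysis above,
# Puppet 2.7.9 on Windows then applies 0700 instead of 0770, so an agent that
# is not running as Administrator cannot read the file on the next run.
class launch::unreadable_after_first_run {
  file { 'c:\dir\launch.bat':
    ensure  => file,
    owner   => 'Administrator',
    group   => 'Administrators',
    content => template('launch/launch.bat.erb'),
  }
}

# Workaround 1: make the owner the account the agent runs as
# (SYSTEM when Puppet runs as a service).
class launch::owner_matches_agent {
  file { 'c:\dir\launch.bat':
    ensure  => file,
    owner   => 'SYSTEM',
    group   => 'Administrators',
    content => template('launch/launch.bat.erb'),
  }
}

# Workaround 2: keep the owner and state the mode explicitly, so the
# Administrators group (which SYSTEM belongs to) keeps Full Control.
class launch::explicit_mode {
  file { 'c:\dir\launch.bat':
    ensure  => file,
    owner   => 'Administrator',
    group   => 'Administrators',
    mode    => '0770',
    content => template('launch/launch.bat.erb'),
  }
}
```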
----------------------------------------
Bug #11563: Puppet on Windows can drop access control entries if the mode is
not specified
https://projects.puppetlabs.com/issues/11563#change-58565
Author: Feifei Jia
Status: Accepted
Priority: Normal
Assignee: Josh Cooper
Category: windows
Target version: 2.7.x
Affected Puppet version: 2.7.9
Keywords: windows file mode permissions
Branch:
I've tested the Puppet client on Windows 2008 recently, on an EC2 instance.
One problem I found is that, after a first successful run, I
encountered a "CreateProcess() failed" error:
<pre>
info: Caching catalog for ip-xxxxxxxx.ec2.internal
info: Applying configuration version '1324881415'
err: /Stage[main]//Node[ip-xxxxxxxx.ec2.internal]/Foo::Set_role[chrome]/File[c:\download\setup_env.bat]: Could not evaluate: CreateProcess() failed: The system cannot find the file specified.
notice: /Stage[main]//Node[ip-xxxxxxxx.ec2.internal]/Foo::Set_role[chrome]/Exec[setup_env.bat]: Dependency File[c:\download\setup_env.bat] has failures: true
warning: /Stage[main]//Node[ip-xxxxxxxx.ec2.internal]/Foo::Set_role[chrome]/Exec[setup_env.bat]: Skipping because of failed dependencies
</pre>
Related manifests:
<pre>
class foo {
  define set_role ($role) {
    file { 'c:\download\setup_env.bat':
      ensure   => file,
      provider => windows,
      content  => template("foo/setup_env.bat.erb"),
    }
    exec { 'setup_env.bat':
      cwd      => 'c:\download',
      path     => 'c:\download;%PATH%',
      provider => windows,
      require  => File['c:\download\setup_env.bat'],
    }
  }
}
</pre>
When I remove the c:\download\setup_env.bat file, I can retrieve this file from
the Puppet master, and it executes well.
Puppet 2.7.9
Facter 1.6.4
Windows 2008 Datacenter SP2
Any hints?