File resource permissions for windows #783
Comments
@mhedgpeth Thanks for reporting. We need to break this down into two cases:
|
The following PowerShell commands are useful to get this running:
Maybe we could also make our lives easier and use CSV and parse the results, because this includes the name of the file permission rights.
In addition we need to read the groups of the user to see if he is allowed to access it:
|
A potential integration test would look like:
|
Support for Supporting This algorithm isn't too tricky to write by itself but the twist in the matter is the part where we check a user against a single ACE. An ACE that applies to a group that the user belongs to also applies to the user. So while checking the ACEs above, one also needs to know the group membership of the user in question. PowerShell 5.1 has a LocalAccounts module that might make such a query a bit easier. Unfortunately, in the meantime, the way we can look up group membership of users (or arbitrary account names) is to use either ADSI (Active Directory Service Interface) or WMI. The Get-WmiObject Win32_GroupUser interface seems like the best option - see https://gallery.technet.microsoft.com/List-local-group-members-762b48c5 for an example. It only handles local groups though and I have not yet ascertained that it handles transitive group inclusions. The ADSI option is extremely slow to call into - it takes a few seconds per call and that can easily add up. See http://www.lazywinadmin.com/2012/12/get-localgroupmembership-using-adsiwinnt.html for an example. One other possibility when it comes to implementing Given the complications involved, I recommend we not support be_Xable.by_user on Windows until we have the time/expertise to sort through the above issues. |
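The group-membership twist described in the comment above, as an added example that is not part of the original thread or InSpec's own code: a simplified Ruby model of checking a user against an ACL when ACEs name groups, including nested groups. The account names, groups, rights and the `principals_for` / `access_allowed?` helpers are constructed for illustration; inheritance, ownership and privileges are ignored.

```ruby
require 'set'

# Constructed sample data (hypothetical accounts).
# Group membership: group => direct members (users or other groups).
GROUPS = {
  'BUILTIN\\Administrators' => ['CORP\\ops', 'alice'],
  'CORP\\ops'               => ['bob'],
  'BUILTIN\\Users'          => ['alice', 'bob', 'carol'],
}.freeze

# Every principal an ACE could name and still apply to `user`:
# the user plus all groups reached through direct or nested membership.
def principals_for(user, groups = GROUPS)
  found = Set[user]
  loop do
    added = groups.select do |group, members|
      !found.include?(group) && members.any? { |m| found.include?(m) }
    end.keys
    break if added.empty?
    found.merge(added)
  end
  found
end

# Walk the ACEs in stored order. A matching deny ACE covering a right that is
# still needed ends the check; allow ACEs accumulate until all rights are granted.
def access_allowed?(user, requested, aces, groups = GROUPS)
  who = principals_for(user, groups)
  needed = Set.new(requested)
  aces.each do |ace|
    next unless who.include?(ace[:identity])
    rights = Set.new(ace[:rights])
    return false if ace[:type] == :deny && needed.intersect?(rights)
    needed -= rights if ace[:type] == :allow
    return true if needed.empty?
  end
  false # rights never granted by any ACE are implicitly denied
end

# Constructed ACL: explicit deny first, then allows.
SAMPLE_ACL = [
  { identity: 'carol',                   type: :deny,  rights: [:write] },
  { identity: 'BUILTIN\\Administrators', type: :allow, rights: [:read, :write] },
  { identity: 'BUILTIN\\Users',          type: :allow, rights: [:read] },
].freeze
```

Here `bob` gets write access only through the nested `CORP\ops` membership, which is the case a lookup limited to direct local group members would miss.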
Thanks @ksubrama for this update. I agree that we need to have a clear path and idea how we do that properly without reinventing the wheel. @mhedgpeth How do you believe we should go forward? |
Also raised by a Chef customer here: https://getchef.zendesk.com/agent/tickets/10932 |
Can we take some inspiration from this perhaps? https://github.com/mizzy/specinfra/search?utf8=✓&q=CheckFileAccessRules |
This is good news, here is a demo of the above working for an equivalent of |
@mhedgpeth @jeremymv2 added file permission support for Windows. Do we need anything else? |
@mhedgpeth I am closing this issue. Please reopen if it continues to be an issue |
Description
Right now permissions can't be tested with InSpec on Windows.
This won't work:
It gives the error:
InSpec and Platform Version
0.24
Replication Case
Create a cookbook with inspec as the verifier with ncr/win2008r2 as the virtualization box for kitchen. Run kitchen verify.
Possible Solutions
It's simply not coded yet in the File resource. I assume this is because file permissions on the command line are difficult; it's probably easier on PowerShell but I'm not sure how you do that.