Curtail usage of Windows 'Administrators', favor SID instead #269

Open
ChefAustin opened this issue Dec 1, 2021 · 3 comments · May be fixed by #271

Comments

@ChefAustin
Contributor

Description

Currently there are a handful of cookbooks which leverage 'Administrators' for defining owner, group, rights, et al. This is problematic when the default language of the Windows device is not set to English.

In order to circumvent this, I believe the gilded approach would be to use SID strings instead of the actual name of the securable resource that the SID would point to (i.e. 'S-1-5-32-544' instead of 'Administrators'). Given that the SIDs for specific builtin groups don't change, methinks this would be a safer approach.

This feature was introduced in Chef Infra client v16.5.64 (See: v16.5.64 release notes under "Windows securable resources").

Chef Version

Chef-client v16.13.16

Platform Version

Windows 10

Replication Case

Set up a Windows machine in a non-English language, run a Chef recipe which relies upon the usage of 'Administrators', 'Everyone', 'SYSTEM' and you should get back errors.

Client Output

Chef::Exceptions::Win32APIError: Não foi feito mapeamento entre os nomes de conta e as identificações de segurança.

Translated to English this becomes:

Chef::Exceptions::Win32APIError: No mapping between account names and security IDs was done.
@nmcspadden
Contributor

Good catch for non-English systems especially. We set the internal rule to never allow the use of owner/group on Windows-only resources in favor of making people use rights, but didn't think about that language issue.

@johnnyramos
Contributor

johnnyramos commented Jan 24, 2022

I tried this to no effect. Mind providing an example of usage?

Version 18.0.8, assumes the actual group name is the SID and doesn't understand that SID just maps to the Administrators group. 🤔

@gleason86 linked a pull request Jan 28, 2022 that will close this issue
@ChefAustin
Contributor Author

> I tried this to no effect. Mind providing an example of usage?
>
> Version 18.0.8, assumes the actual group name is the SID and doesn't understand that SID just maps to the Administrators group. 🤔

I'm not following; do you want an example of the offensive code or the non-offensive usage of SID?
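
Added example, not part of the thread and not the project's own code: a line-based check that scans recipe source for the locale-dependent account names named in the issue on `owner`, `group`, `rights` and `deny_rights` lines and reports the well-known SID to use instead. The function name, the sample recipe and the SIDs for 'Everyone' and 'SYSTEM' are assumptions (the latter two are the standard Windows well-known SIDs, not values given in the issue).

```ruby
# Added example: flag locale-dependent Windows account names in Chef recipe
# source and suggest the locale-independent well-known SID.

WELL_KNOWN_SIDS = {
  'administrators' => 'S-1-5-32-544', # BUILTIN\Administrators (SID from the issue)
  'everyone'       => 'S-1-1-0',      # assumption: standard well-known SID
  'system'         => 'S-1-5-18',     # assumption: standard well-known SID
}.freeze

# Lines that set a securable property (heuristic: property at start of line).
PROPERTY_LINE = /^\s*(owner|group|rights|deny_rights)\b/
# Single- or double-quoted string literal on the line.
QUOTED = /'([^']*)'|"([^"]*)"/

# Returns an array of hashes: { line:, property:, name:, sid: }.
# Hypothetical helper; line-based, so it does not parse Ruby.
def find_localized_principals(recipe_source)
  findings = []
  recipe_source.each_line.with_index(1) do |line, lineno|
    match = PROPERTY_LINE.match(line)
    next unless match
    line.scan(QUOTED).each do |single, double|
      name = single || double
      # Drop a 'BUILTIN\' or 'NT AUTHORITY\' style prefix before the lookup.
      key = name.split('\\').last.to_s.downcase
      sid = WELL_KNOWN_SIDS[key]
      findings << { line: lineno, property: match[1], name: name, sid: sid } if sid
    end
  end
  findings
end

# Constructed sample recipe (not taken from any cookbook in the project).
SAMPLE_RECIPE = <<~'RECIPE'
  # constructed sample
  directory 'C:\tools' do
    owner 'Administrators'
    rights :full_control, 'BUILTIN\Administrators'
    rights :read, 'Everyone'
    rights :full_control, 'S-1-5-18'
  end
RECIPE

if __FILE__ == $PROGRAM_NAME
  find_localized_principals(SAMPLE_RECIPE).each do |f|
    puts "line #{f[:line]}: #{f[:property]} uses '#{f[:name]}', use '#{f[:sid]}'"
  end
end
```

Lines that already use a SID string, such as the last `rights` line in the sample, are not reported.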
