From 71dc56956665b380e1f402cdeb516d1ce534dfe9 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Thu, 15 Oct 2015 12:01:11 +0200 Subject: [PATCH 1/7] fixed problem with sid/windows 2008 by using SID. fixed problems related to default accounts like BUILTIN\SYSTEM --- windows/win_acl.ps1 | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/windows/win_acl.ps1 b/windows/win_acl.ps1 index b08fb03e7f3..994ff255fa8 100644 --- a/windows/win_acl.ps1 +++ b/windows/win_acl.ps1 @@ -55,15 +55,11 @@ Function UserSearch if ($IsLocalAccount -eq $true) { - $localaccount = get-wmiobject -class "Win32_UserAccount" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $AccountName} + # do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too + $localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $AccountName} if ($localaccount) { - return $localaccount.Caption - } - $LocalGroup = get-wmiobject -class "Win32_Group" -namespace "root\CIMV2" -filter "LocalAccount = True"| where {$_.Caption -eq $AccountName} - if ($LocalGroup) - { - return $LocalGroup.Caption + return $localaccount.SID } } ElseIf (($IsDomainAccount -eq $true) -and ($IsUpn -eq $false)) @@ -75,7 +71,13 @@ Function UserSearch if ($result) { - return $accountname + $user = $result.GetDirectoryEntry() + + # get binary SID from AD account + $binarySID = $user.ObjectSid.Value + + # convert to string SID + return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value } } @@ -100,10 +102,10 @@ Else { } If ($params.user) { - $user = UserSearch -AccountName ($Params.User) + $sid = UserSearch -AccountName ($Params.User) # Test that the user/group is resolvable on the local machine - if (!$user) + if (!$sid) { Fail-Json $result "$($Params.User) is not a valid user or group on the host machine or domain" } @@ -174,14 +176,15 @@ Try { $objType =[System.Security.AccessControl.AccessControlType]::Deny } - $objUser = New-Object System.Security.Principal.NTAccount($user) + $objUser = New-Object System.Security.Principal.SecurityIdentifier($sid) $objACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($objUser, $colRights, $InheritanceFlag, $PropagationFlag, $objType) $objACL = Get-ACL $path # Check if the ACE exists already in the objects ACL list $match = $false ForEach($rule in $objACL.Access){ - If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($rule.IdentityReference -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { + $ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) + If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { $match = $true Break } @@ -219,7 +222,7 @@ Try { } } Catch { - Fail-Json $result "an error occured when attempting to $state $rights permission(s) on $path for $user" + Fail-Json $result "an error occured when attempting to $state $rights permission(s) on $path for $($Params.User)" } Exit-Json $result \ No newline at end of file From 21c564848dcc92a6575364531ab76b4e4c6678d5 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Sat, 17 Oct 2015 23:05:51 +0200 Subject: [PATCH 2/7] added userprincipal support --- windows/win_acl.ps1 | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/win_acl.ps1 b/windows/win_acl.ps1 index 994ff255fa8..041e66b9c11 100644 --- a/windows/win_acl.ps1 +++ b/windows/win_acl.ps1 @@ -51,8 +51,7 @@ Function UserSearch $accountname = $env:COMPUTERNAME + "\" + $AccountName $IsLocalAccount = $true } - - + if ($IsLocalAccount -eq $true) { # do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too @@ -62,13 +61,19 @@ Function UserSearch return $localaccount.SID } } - ElseIf (($IsDomainAccount -eq $true) -and ($IsUpn -eq $false)) + ElseIf ($IsDomainAccount -eq $true) { #Search by samaccountname $Searcher = [adsisearcher]"" - $Searcher.Filter = "sAMAccountName=$($accountname.split("\")[1])" - $result = $Searcher.FindOne() - + + If ($IsUpn -eq $false) { + $Searcher.Filter = "sAMAccountName=$($accountname.split("\")[1])" + } + Else { + $Searcher.Filter = "userPrincipalName=$($accountname)" + } + + $result = $Searcher.FindOne() if ($result) { $user = $result.GetDirectoryEntry() @@ -80,7 +85,6 @@ Function UserSearch return (New-Object System.Security.Principal.SecurityIdentifier($binarySID,0)).Value } } - } $params = Parse-Args $args; @@ -225,4 +229,4 @@ Catch { Fail-Json $result "an error occured when attempting to $state $rights permission(s) on $path for $($Params.User)" } -Exit-Json $result \ No newline at end of file +Exit-Json $result From 75163ac5fea4443f23d853b7967a2ab5ccd98521 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Sun, 18 Oct 2015 00:00:47 +0200 Subject: [PATCH 3/7] made win_acl strict compliant --- windows/win_acl.ps1 | 116 +++++++++++++------------------------------- 1 file changed, 34 insertions(+), 82 deletions(-) diff --git a/windows/win_acl.ps1 b/windows/win_acl.ps1 index 041e66b9c11..fa45f023be8 100644 --- a/windows/win_acl.ps1 +++ b/windows/win_acl.ps1 @@ -88,84 +88,36 @@ Function UserSearch } $params = Parse-Args $args; - -$result = New-Object psobject @{ - win_acl = New-Object psobject - changed = $false + +$result = New-Object PSObject; +Set-Attr $result "changed" $false; + +$path = Get-Attr $params "path" -failifempty $true +$user = Get-Attr $params "user" -failifempty $true +$rights = Get-Attr $params "rights" -failifempty $true + +$type = Get-Attr $params "type" -validateSet "allow","deny" -resultobj $result +$state = Get-Attr $params "state" "present" -validateSet "present","absent" -resultobj $result + +$inherit = Get-Attr $params "inherit" "" +$propagation = Get-Attr $params "propagation" "None" -validateSet "None","NoPropagateInherit","InheritOnly" -resultobj $result + +If (-Not (Test-Path -Path $path)) { + Fail-Json $result "$path file or directory does not exist on the host" } - -If ($params.path) { - $path = $params.path.toString() - - If (-Not (Test-Path -Path $path)) { - Fail-Json $result "$path file or directory does not exist on the host" - } + +# Test that the user/group is resolvable on the local machine +$sid = UserSearch -AccountName ($user) +if (!$sid) +{ + Fail-Json $result "$user is not a valid user or group on the host machine or domain" } -Else { - Fail-Json $result "missing required argument: path" + +If (Test-Path -Path $path -PathType Leaf) { + $inherit = "None" } - -If ($params.user) { - $sid = UserSearch -AccountName ($Params.User) - - # Test that the user/group is resolvable on the local machine - if (!$sid) - { - Fail-Json $result "$($Params.User) is not a valid user or group on the host machine or domain" - } -} -Else { - Fail-Json $result "missing required argument: user. specify the user or group to apply permission changes." -} - -If ($params.type -eq "allow") { - $type = $true -} -ElseIf ($params.type -eq "deny") { - $type = $false -} -Else { - Fail-Json $result "missing required argument: type. specify whether to allow or deny the specified rights." -} - -If ($params.inherit) { - # If it's a file then no flags can be set or an exception will be thrown - If (Test-Path -Path $path -PathType Leaf) { - $inherit = "None" - } - Else { - $inherit = $params.inherit.toString() - } -} -Else { - # If it's a file then no flags can be set or an exception will be thrown - If (Test-Path -Path $path -PathType Leaf) { - $inherit = "None" - } - Else { - $inherit = "ContainerInherit, ObjectInherit" - } -} - -If ($params.propagation) { - $propagation = $params.propagation.toString() -} -Else { - $propagation = "None" -} - -If ($params.rights) { - $rights = $params.rights.toString() -} -Else { - Fail-Json $result "missing required argument: rights" -} - -If ($params.state -eq "absent") { - $state = "remove" -} -Else { - $state = "add" +ElseIf ($inherit -eq "") { + $inherit = "ContainerInherit, ObjectInherit" } Try { @@ -173,7 +125,7 @@ Try { $InheritanceFlag = [System.Security.AccessControl.InheritanceFlags]$inherit $PropagationFlag = [System.Security.AccessControl.PropagationFlags]$propagation - If ($type) { + If ($type -eq "allow") { $objType =[System.Security.AccessControl.AccessControlType]::Allow } Else { @@ -193,22 +145,22 @@ Try { Break } } - - If ($state -eq "add" -And $match -eq $false) { + + If ($state -eq "present" -And $match -eq $false) { Try { $objACL.AddAccessRule($objACE) Set-ACL $path $objACL - $result.changed = $true + Set-Attr $result "changed" $true; } Catch { Fail-Json $result "an exception occured when adding the specified rule" } } - ElseIf ($state -eq "remove" -And $match -eq $true) { + ElseIf ($state -eq "absent" -And $match -eq $true) { Try { $objACL.RemoveAccessRule($objACE) Set-ACL $path $objACL - $result.changed = $true + Set-Attr $result "changed" $true; } Catch { Fail-Json $result "an exception occured when removing the specified rule" @@ -226,7 +178,7 @@ Try { } } Catch { - Fail-Json $result "an error occured when attempting to $state $rights permission(s) on $path for $($Params.User)" + Fail-Json $result "an error occured when attempting to $state $rights permission(s) on $path for $user" } Exit-Json $result From a0a51ffd6611e90ef17bf4f0f8b253d5dba380cc Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Sun, 18 Oct 2015 17:06:28 +0200 Subject: [PATCH 4/7] added credits, fixed documentation --- windows/win_acl.ps1 | 2 ++ windows/win_acl.py | 8 +++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/win_acl.ps1 b/windows/win_acl.ps1 index fa45f023be8..fb12ae6cee3 100644 --- a/windows/win_acl.ps1 +++ b/windows/win_acl.ps1 @@ -2,6 +2,8 @@ # This file is part of Ansible # # Copyright 2015, Phil Schwartz +# Copyright 2015, Trond Hindenes +# Copyright 2015, Hans-Joachim Kliemeck # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/windows/win_acl.py b/windows/win_acl.py index df815db0a0f..76c6ffb7293 100644 --- a/windows/win_acl.py +++ b/windows/win_acl.py @@ -1,7 +1,9 @@ #!/usr/bin/python # -*- coding: utf-8 -*- -# (c) 2015, Phil Schwartz +# Copyright 2015, Phil Schwartz +# Copyright 2015, Trond Hindenes +# Copyright 2015, Hans-Joachim Kliemeck # # This file is part of Ansible # @@ -40,7 +42,7 @@ options: default: none state: description: - - Specify whether to add (present) or remove (absent) the specified access rule + - Specify whether to add C(present) or remove C(absent) the specified access rule required: no choices: - present @@ -99,7 +101,7 @@ options: - NoPropagateInherit - InheritOnly default: "None" -author: Phil Schwartz (@schwartzmx), Trond Hindenes (@trondhindenes) +author: Phil Schwartz (@schwartzmx), Trond Hindenes (@trondhindenes), Hans-Joachim Kliemeck (@h0nIg) ''' EXAMPLES = ''' From 84a8902b4831e77ef2d892414ad672fe2af4e13d Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Thu, 5 Nov 2015 17:44:29 +0100 Subject: [PATCH 5/7] fixxed problem with match @ --- windows/win_acl.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/win_acl.ps1 b/windows/win_acl.ps1 index fb12ae6cee3..6e497c417be 100644 --- a/windows/win_acl.ps1 +++ b/windows/win_acl.ps1 @@ -42,7 +42,7 @@ Function UserSearch } } - Elseif ($AccountName -contains "@") + Elseif ($AccountName.contains("@")) { $IsDomainAccount = $true $IsUpn = $true From 0688522eb75cd0e2dda1be992c08a7d71ea084f9 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Tue, 17 Nov 2015 15:36:52 +0100 Subject: [PATCH 6/7] fail if type parameter is empty --- windows/win_acl.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/win_acl.ps1 b/windows/win_acl.ps1 index 6e497c417be..4ea4a2e7c6b 100644 --- a/windows/win_acl.ps1 +++ b/windows/win_acl.ps1 @@ -98,7 +98,7 @@ $path = Get-Attr $params "path" -failifempty $true $user = Get-Attr $params "user" -failifempty $true $rights = Get-Attr $params "rights" -failifempty $true -$type = Get-Attr $params "type" -validateSet "allow","deny" -resultobj $result +$type = Get-Attr $params "type" -failifempty $true -validateSet "allow","deny" -resultobj $result $state = Get-Attr $params "state" "present" -validateSet "present","absent" -resultobj $result $inherit = Get-Attr $params "inherit" "" From fe4429ba3ed7469feece8b79bf742f82eb906e63 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Tue, 12 Jan 2016 09:52:08 +0100 Subject: [PATCH 7/7] fixed problems related to userpricincipalname (user@domain) and undefined variables fixed variable capitalization --- windows/win_acl.ps1 | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/windows/win_acl.ps1 b/windows/win_acl.ps1 index 4ea4a2e7c6b..2e20793e1fe 100644 --- a/windows/win_acl.ps1 +++ b/windows/win_acl.ps1 @@ -27,52 +27,49 @@ #Functions Function UserSearch { - Param ([string]$AccountName) + Param ([string]$accountName) #Check if there's a realm specified - if ($AccountName.Split("\").count -gt 1) + + $searchDomain = $false + $searchDomainUPN = $false + if ($accountName.Split("\").count -gt 1) { - if ($AccountName.Split("\")[0] -eq $env:COMPUTERNAME) + if ($accountName.Split("\")[0] -ne $env:COMPUTERNAME) { - $IsLocalAccount = $true + $searchDomain = $true + $accountName = $accountName.split("\")[1] } - Else - { - $IsDomainAccount = $true - $IsUpn = $false - } - } - Elseif ($AccountName.contains("@")) + Elseif ($accountName.contains("@")) { - $IsDomainAccount = $true - $IsUpn = $true + $searchDomain = $true + $searchDomainUPN = $true } Else { #Default to local user account - $accountname = $env:COMPUTERNAME + "\" + $AccountName - $IsLocalAccount = $true + $accountName = $env:COMPUTERNAME + "\" + $accountName } - if ($IsLocalAccount -eq $true) + if ($searchDomain -eq $false) { # do not use Win32_UserAccount, because e.g. SYSTEM (BUILTIN\SYSTEM or COMPUUTERNAME\SYSTEM) will not be listed. on Win32_Account groups will be listed too - $localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $AccountName} + $localaccount = get-wmiobject -class "Win32_Account" -namespace "root\CIMV2" -filter "(LocalAccount = True)" | where {$_.Caption -eq $accountName} if ($localaccount) { return $localaccount.SID } } - ElseIf ($IsDomainAccount -eq $true) + Else { #Search by samaccountname $Searcher = [adsisearcher]"" - If ($IsUpn -eq $false) { - $Searcher.Filter = "sAMAccountName=$($accountname.split("\")[1])" + If ($searchDomainUPN -eq $false) { + $Searcher.Filter = "sAMAccountName=$($accountName)" } Else { - $Searcher.Filter = "userPrincipalName=$($accountname)" + $Searcher.Filter = "userPrincipalName=$($accountName)" } $result = $Searcher.FindOne()