archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

win_acl: Fix problems with special IDRef in different languages than english (#57281)

Browse Source 
* Change special id ref recognitionto avoid language diff

* Changelog added

* specialIdRefPrefixes to array

* Changed to the more generic option
pull/58742/head
Shachaf92 5 years ago committed by Jordan Borean
parent e0b8bc1ef9
commit 07edcab051
2 changed files with 5 additions and 15 deletions
Show Stats Download Patch File Download Diff File

2
changelogs/fragments/Make-Win_acl-Ignore-language-diff-in-IDRefs.yml
Unescape Escape View File

@ -0,0 +1,2 @@
bugfixes:
- "win_acl - Change special id ref recognitionto avoid language diff (https://github.com/ansible/ansible/issues/56757)"

18
lib/ansible/modules/windows/win_acl.ps1
Unescape Escape View File

@ -158,27 +158,15 @@ Try {
# Check if the ACE exists already in the objects ACL list # Check if the ACE exists already in the objects ACL list
$match = $false $match = $false
# Workaround to handle special use case 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' and ForEach($rule in $objACL.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])){
# 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'- can't translate fully qualified name (win32 API bug/oddity)
# 'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16 and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16
$specialIdRefs = "ALL APPLICATION PACKAGES","ALL RESTRICTED APPLICATION PACKAGES"
ForEach($rule in $objACL.Access){
$idRefShortValue = ($rule.IdentityReference.Value).split('\')[-1]
if ( $idRefShortValue -in $specialIdRefs ) {
$ruleIdentity = (New-Object Security.Principal.NTAccount $idRefShortValue).Translate([Security.Principal.SecurityIdentifier])
}
else {
$ruleIdentity = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
}
If ($path_item.PSProvider.Name -eq "Registry") { If ($path_item.PSProvider.Name -eq "Registry") {
If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { If (($rule.RegistryRights -eq $objACE.RegistryRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($rule.IdentityReference -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
$match = $true $match = $true
Break Break
} }
} else { } else {
If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($ruleIdentity -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) { If (($rule.FileSystemRights -eq $objACE.FileSystemRights) -And ($rule.AccessControlType -eq $objACE.AccessControlType) -And ($rule.IdentityReference -eq $objACE.IdentityReference) -And ($rule.IsInherited -eq $objACE.IsInherited) -And ($rule.InheritanceFlags -eq $objACE.InheritanceFlags) -And ($rule.PropagationFlags -eq $objACE.PropagationFlags)) {
$match = $true $match = $true
Break Break
} }

Write Preview
Loading…
Cancel
Save