From 95862793d0c00ee946ed891a021b8569cae9feab Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Sun, 18 Oct 2015 17:24:27 +0200 Subject: [PATCH 1/6] added module to disable acl inheritance --- windows/win_acl_inheritance.ps1 | 55 ++++++++++++++++++++++++++++++ windows/win_acl_inheritance.py | 59 +++++++++++++++++++++++++++++++++ 2 files changed, 114 insertions(+) create mode 100644 windows/win_acl_inheritance.ps1 create mode 100644 windows/win_acl_inheritance.py diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1 new file mode 100644 index 00000000000..e72570ba3a6 --- /dev/null +++ b/windows/win_acl_inheritance.ps1 @@ -0,0 +1,55 @@ +#!powershell +# This file is part of Ansible +# +# Copyright 2015, Hans-Joachim Kliemeck +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . + +# WANT_JSON +# POWERSHELL_COMMON + + +$params = Parse-Args $args; + +$result = New-Object PSObject; +Set-Attr $result "changed" $false; + +$path = Get-Attr $params "path" -failifempty $true +$copy = Get-Attr $params "copy" "no" -validateSet "no","yes" -resultobj $result + +If (-Not (Test-Path -Path $path)) { + Fail-Json $result "$path file or directory does not exist on the host" +} + +Try { + $objACL = Get-ACL $path + $alreadyDisabled = !$objACL.AreAccessRulesProtected + + If ($copy -eq "yes") { + $objACL.SetAccessRuleProtection($True, $True) + } Else { + $objACL.SetAccessRuleProtection($True, $False) + } + + If ($alreadyDisabled) { + Set-Attr $result "changed" $true; + } + + Set-ACL $path $objACL +} +Catch { + Fail-Json $result "an error occured when attempting to disable inheritance" +} + +Exit-Json $result diff --git a/windows/win_acl_inheritance.py b/windows/win_acl_inheritance.py new file mode 100644 index 00000000000..784aa5f9877 --- /dev/null +++ b/windows/win_acl_inheritance.py @@ -0,0 +1,59 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright 2015, Hans-Joachim Kliemeck +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . + +# this is a windows documentation stub. actual code lives in the .ps1 +# file of the same name + +DOCUMENTATION = ''' +--- +module: win_acl_inheritance +version_added: "2.0" +short_description: Disable ACL inheritance +description: + - Disable ACL inheritance and optionally converts ACE to dedicated ACE +options: + path: + description: + - Path to be used for disabling + required: true + copy: + description: + - Indicates if the inherited ACE should be copied to dedicated ACE + required: false + choices: + - no + - yes + default: no +author: Hans-Joachim Kliemeck (@h0nIg) +''' + +EXAMPLES = ''' +# Playbook example +--- +- name: Disable and copy + win_owner: + path: 'C:\\apache\\' + copy: yes + +- name: Disable + win_owner: + path: 'C:\\apache\\' + copy: no +''' From 8de49a5deaa2827407183e8680007e922c19b5d6 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Wed, 21 Oct 2015 21:20:44 +0200 Subject: [PATCH 2/6] suggestions by @marcind --- windows/win_acl_inheritance.ps1 | 4 ++-- windows/win_acl_inheritance.py | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1 index e72570ba3a6..674180e33b9 100644 --- a/windows/win_acl_inheritance.ps1 +++ b/windows/win_acl_inheritance.ps1 @@ -26,7 +26,7 @@ $result = New-Object PSObject; Set-Attr $result "changed" $false; $path = Get-Attr $params "path" -failifempty $true -$copy = Get-Attr $params "copy" "no" -validateSet "no","yes" -resultobj $result +$copy = Get-Attr $params "copy" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool If (-Not (Test-Path -Path $path)) { Fail-Json $result "$path file or directory does not exist on the host" @@ -36,7 +36,7 @@ Try { $objACL = Get-ACL $path $alreadyDisabled = !$objACL.AreAccessRulesProtected - If ($copy -eq "yes") { + If ($copy) { $objACL.SetAccessRuleProtection($True, $True) } Else { $objACL.SetAccessRuleProtection($True, $False) diff --git a/windows/win_acl_inheritance.py b/windows/win_acl_inheritance.py index 784aa5f9877..d55473491b8 100644 --- a/windows/win_acl_inheritance.py +++ b/windows/win_acl_inheritance.py @@ -27,7 +27,7 @@ module: win_acl_inheritance version_added: "2.0" short_description: Disable ACL inheritance description: - - Disable ACL inheritance and optionally converts ACE to dedicated ACE + - Disable ACL (Access Control List) inheritance and optionally converts ACE (Access Control Entry) to dedicated ACE options: path: description: @@ -48,12 +48,12 @@ EXAMPLES = ''' # Playbook example --- - name: Disable and copy - win_owner: + win_acl_inheritance: path: 'C:\\apache\\' copy: yes - name: Disable - win_owner: + win_acl_inheritance: path: 'C:\\apache\\' copy: no ''' From b03c7ebfa12c8b2b4877745e20aa286c9e4aa126 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Wed, 21 Oct 2015 22:43:42 +0200 Subject: [PATCH 3/6] introduced state to differentiate between enabled/disabled inheritance. renamed copy to reorganize, since the meaning for inheritance=enabled is different --- windows/win_acl_inheritance.ps1 | 44 ++++++++++++++++++++++++++------- windows/win_acl_inheritance.py | 33 ++++++++++++++++++------- 2 files changed, 59 insertions(+), 18 deletions(-) diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1 index 674180e33b9..35b6809d0ee 100644 --- a/windows/win_acl_inheritance.ps1 +++ b/windows/win_acl_inheritance.ps1 @@ -26,7 +26,8 @@ $result = New-Object PSObject; Set-Attr $result "changed" $false; $path = Get-Attr $params "path" -failifempty $true -$copy = Get-Attr $params "copy" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool +$state = Get-Attr $params "state" "absent" -validateSet "present","absent" -resultobj $result +$reorganize = Get-Attr $params "reorganize" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool If (-Not (Test-Path -Path $path)) { Fail-Json $result "$path file or directory does not exist on the host" @@ -34,19 +35,44 @@ If (-Not (Test-Path -Path $path)) { Try { $objACL = Get-ACL $path - $alreadyDisabled = !$objACL.AreAccessRulesProtected + $inheritanceEnabled = !$objACL.AreAccessRulesProtected - If ($copy) { - $objACL.SetAccessRuleProtection($True, $True) - } Else { - $objACL.SetAccessRuleProtection($True, $False) - } + If (($state -eq "present") -And !$inheritanceEnabled) { + If ($reorganize) { + $objACL.SetAccessRuleProtection($True, $True) + } Else { + $objACL.SetAccessRuleProtection($True, $False) + } - If ($alreadyDisabled) { + Set-ACL $path $objACL Set-Attr $result "changed" $true; } + Elseif (($state -eq "absent") -And $inheritanceEnabled) { + # second parameter is ignored if first=$False + $objACL.SetAccessRuleProtection($False, $False) + + If ($reorganize) { + # convert explicit ACE to inherited ACE + ForEach($inheritedRule in $objACL.Access) { + If (!$inheritedRule.IsInherited) { + Continue + } + + ForEach($explicitRrule in $objACL.Access) { + If ($inheritedRule.IsInherited) { + Continue + } - Set-ACL $path $objACL + If (($inheritedRule.FileSystemRights -eq $explicitRrule.FileSystemRights) -And ($inheritedRule.AccessControlType -eq $explicitRrule.AccessControlType) -And ($inheritedRule.IdentityReference -eq $explicitRrule.IdentityReference) -And ($inheritedRule.InheritanceFlags -eq $explicitRrule.InheritanceFlags) -And ($inheritedRule.PropagationFlags -eq $explicitRrule.PropagationFlags)) { + $objACL.RemoveAccessRule($explicitRrule) + } + } + } + } + + Set-ACL $path $objACL + Set-Attr $result "changed" $true; + } } Catch { Fail-Json $result "an error occured when attempting to disable inheritance" diff --git a/windows/win_acl_inheritance.py b/windows/win_acl_inheritance.py index d55473491b8..6c03b9c75fd 100644 --- a/windows/win_acl_inheritance.py +++ b/windows/win_acl_inheritance.py @@ -25,17 +25,25 @@ DOCUMENTATION = ''' --- module: win_acl_inheritance version_added: "2.0" -short_description: Disable ACL inheritance +short_description: Change ACL inheritance description: - - Disable ACL (Access Control List) inheritance and optionally converts ACE (Access Control Entry) to dedicated ACE + - Change ACL (Access Control List) inheritance and optionally copy inherited ACE's (Access Control Entry) to dedicated ACE's or vice versa. options: path: description: - - Path to be used for disabling + - Path to be used for changing inheritance required: true - copy: + state: description: - - Indicates if the inherited ACE should be copied to dedicated ACE + - Specify whether to enable I(present) or disable I(absent) ACL inheritance + required: false + choices: + - present + - absent + default: absent + reorganize: + description: + - For P(state) = I(absent), indicates if the inherited ACE's should be copied. For P(state) = I(present), indicates if the inherited ACE's should be simplified. required: false choices: - no @@ -47,13 +55,20 @@ author: Hans-Joachim Kliemeck (@h0nIg) EXAMPLES = ''' # Playbook example --- -- name: Disable and copy +- name: Disable inherited ACE's + win_acl_inheritance: + path: 'C:\\apache\\' + state: absent + +- name: Disable and copy inherited ACE's win_acl_inheritance: path: 'C:\\apache\\' - copy: yes + state: absent + reorganize: yes -- name: Disable +- name: Enable and remove dedicated ACE's win_acl_inheritance: path: 'C:\\apache\\' - copy: no + state: present + reorganize: yes ''' From b4f80a777fb066b604e9a8eb8085c32044576316 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Thu, 22 Oct 2015 14:22:50 +0200 Subject: [PATCH 4/6] fixed bugs with flipped protection attribute --- windows/win_acl_inheritance.ps1 | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1 index 35b6809d0ee..0d808bb8c49 100644 --- a/windows/win_acl_inheritance.ps1 +++ b/windows/win_acl_inheritance.ps1 @@ -38,20 +38,14 @@ Try { $inheritanceEnabled = !$objACL.AreAccessRulesProtected If (($state -eq "present") -And !$inheritanceEnabled) { - If ($reorganize) { - $objACL.SetAccessRuleProtection($True, $True) - } Else { - $objACL.SetAccessRuleProtection($True, $False) - } - - Set-ACL $path $objACL - Set-Attr $result "changed" $true; - } - Elseif (($state -eq "absent") -And $inheritanceEnabled) { # second parameter is ignored if first=$False $objACL.SetAccessRuleProtection($False, $False) If ($reorganize) { + # it wont work without intermediate save, state would be the same + Set-ACL $path $objACL + $objACL = Get-ACL $path + # convert explicit ACE to inherited ACE ForEach($inheritedRule in $objACL.Access) { If (!$inheritedRule.IsInherited) { @@ -59,7 +53,7 @@ Try { } ForEach($explicitRrule in $objACL.Access) { - If ($inheritedRule.IsInherited) { + If ($explicitRrule.IsInherited) { Continue } @@ -70,6 +64,16 @@ Try { } } + Set-ACL $path $objACL + Set-Attr $result "changed" $true; + } + Elseif (($state -eq "absent") -And $inheritanceEnabled) { + If ($reorganize) { + $objACL.SetAccessRuleProtection($True, $True) + } Else { + $objACL.SetAccessRuleProtection($True, $False) + } + Set-ACL $path $objACL Set-Attr $result "changed" $true; } From d2959fb7ed7c565c036e2a25503a8ba952d763f1 Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Wed, 13 Jan 2016 10:39:33 +0100 Subject: [PATCH 5/6] fixed version added and tests --- windows/win_acl_inheritance.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/win_acl_inheritance.py b/windows/win_acl_inheritance.py index 6c03b9c75fd..0837bab3205 100644 --- a/windows/win_acl_inheritance.py +++ b/windows/win_acl_inheritance.py @@ -24,7 +24,7 @@ DOCUMENTATION = ''' --- module: win_acl_inheritance -version_added: "2.0" +version_added: "2.1" short_description: Change ACL inheritance description: - Change ACL (Access Control List) inheritance and optionally copy inherited ACE's (Access Control Entry) to dedicated ACE's or vice versa. @@ -72,3 +72,7 @@ EXAMPLES = ''' state: present reorganize: yes ''' + +RETURN = ''' + +''' \ No newline at end of file From 2ce5b4c5261f1559a55bff0b35d107d52d83d01a Mon Sep 17 00:00:00 2001 From: Hans-Joachim Kliemeck Date: Tue, 22 Mar 2016 09:07:09 +0100 Subject: [PATCH 6/6] suggestion by @nitzmahone to not use Get-Attr in combination with ConvertTo-Bool, improved documentation regarding organize --- windows/win_acl_inheritance.ps1 | 3 ++- windows/win_acl_inheritance.py | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/win_acl_inheritance.ps1 b/windows/win_acl_inheritance.ps1 index 0d808bb8c49..1933a3a5dd4 100644 --- a/windows/win_acl_inheritance.ps1 +++ b/windows/win_acl_inheritance.ps1 @@ -27,7 +27,8 @@ Set-Attr $result "changed" $false; $path = Get-Attr $params "path" -failifempty $true $state = Get-Attr $params "state" "absent" -validateSet "present","absent" -resultobj $result -$reorganize = Get-Attr $params "reorganize" "no" -validateSet "no","yes" -resultobj $result | ConvertTo-Bool +$reorganize = Get-Attr $params "reorganize" "no" -validateSet "no","yes" -resultobj $result +$reorganize = $reorganize | ConvertTo-Bool If (-Not (Test-Path -Path $path)) { Fail-Json $result "$path file or directory does not exist on the host" diff --git a/windows/win_acl_inheritance.py b/windows/win_acl_inheritance.py index 0837bab3205..a4bb90a47b3 100644 --- a/windows/win_acl_inheritance.py +++ b/windows/win_acl_inheritance.py @@ -43,7 +43,8 @@ options: default: absent reorganize: description: - - For P(state) = I(absent), indicates if the inherited ACE's should be copied. For P(state) = I(present), indicates if the inherited ACE's should be simplified. + - For P(state) = I(absent), indicates if the inherited ACE's should be copied from the parent directory. This is necessary (in combination with removal) for a simple ACL instead of using multiple ACE deny entries. + - For P(state) = I(present), indicates if the inherited ACE's should be deduplicated compared to the parent directory. This removes complexity of the ACL structure. required: false choices: - no