diff options
| author | Adam Edwards <adamed@opscode.com> | 2015-12-12 23:08:24 -0800 |
|---|---|---|
| committer | nimisha <nimisha.sharad@msystechnologies.com> | 2017-02-02 18:00:23 +0530 |
| commit | 8a68a2a8bd043ae0c75d2c21c0b75259942039e4 (patch) | |
| tree | 50e747bb0934744c2d94e838bf954b031fea9d27 /lib/chef/provider/script.rb | |
| parent | 8ed11241ca1236d16a14e5bb32ef1ff16fabfeb9 (diff) | |
| download | chef-8a68a2a8bd043ae0c75d2c21c0b75259942039e4.tar.gz | |
Windows alternate user support for execute resources
Diffstat (limited to 'lib/chef/provider/script.rb')
| -rw-r--r-- | lib/chef/provider/script.rb | 38 |
1 files changed, 34 insertions, 4 deletions
diff --git a/lib/chef/provider/script.rb b/lib/chef/provider/script.rb index 6ca4e9f6f3..9aee6fe442 100644 --- a/lib/chef/provider/script.rb +++ b/lib/chef/provider/script.rb @@ -16,9 +16,10 @@ # limitations under the License. # -require "tempfile" -require "chef/provider/execute" -require "forwardable" +require 'tempfile' +require 'chef/provider/execute' +require 'chef/win32/security' if Chef::Platform.windows? +require 'forwardable' class Chef class Provider @@ -69,7 +70,36 @@ class Chef # FileUtils itself implements a no-op if +user+ or +group+ are nil # You can prove this by running FileUtils.chown(nil,nil,'/tmp/file') # as an unprivileged user. - FileUtils.chown(new_resource.user, new_resource.group, script_file.path) + if ! Chef::Platform.windows? + FileUtils.chown(new_resource.user, new_resource.group, script_file.path) + else + grant_alternate_user_read_access + end + end + + def grant_alternate_user_read_access + return if new_resource.user.nil? + + # Duplicate the script file's existing DACL + # so we can add an ACE later + securable_object = Chef::ReservedNames::Win32::Security::SecurableObject.new(script_file.path) + aces = securable_object.security_descriptor.dacl.reduce([]) { | result, current | result.push(current) } + + username = new_resource.user + + if new_resource.domain + username = new_resource.domain + '\\' + new_resource.user + end + + # Create an ACE that allows the alternate user read access to the script + # file so it can be read and executed. + user_sid = Chef::ReservedNames::Win32::Security::SID.from_account(username) + read_ace = Chef::ReservedNames::Win32::Security::ACE.access_allowed(user_sid, Chef::ReservedNames::Win32::API::Security::GENERIC_READ | Chef::ReservedNames::Win32::API::Security::GENERIC_EXECUTE, 0) + aces.push(read_ace) + acl = Chef::ReservedNames::Win32::Security::ACL.create(aces) + + # This actually applies the modified DACL to the file + securable_object.dacl = acl end def script_file |