Diffstat (limited to 'lib/chef')
-rw-r--r--lib/chef/config.rb9
-rw-r--r--lib/chef/file_access_control/windows.rb29
-rw-r--r--lib/chef/file_content_management/deploy/mv_windows.rb51
3 files changed, 56 insertions, 33 deletions
diff --git a/lib/chef/config.rb b/lib/chef/config.rb
index 4f06aa9a63..a010d4874d 100644
--- a/lib/chef/config.rb
+++ b/lib/chef/config.rb
@@ -331,10 +331,9 @@ class Chef
# for file resources, deploy files with either :move or :copy
file_deploy_with :move
- # do we create /tmp or %TEMP% files, or do we create temp files in the destination directory of the file?
- # - on windows this avoids issues with permission inheritance with the %TEMP% directory (do not set this to false)
- # - on unix this creates temp files like /etc/.sudoers.X-Y-Z and may create noise and make for itchy neckbeards
- # - with selinux and other ACLs approaches it may still be useful or to avoid copying across filesystems
- file_deployment_uses_destdir ( RUBY_PLATFORM =~ /mswin|mingw|windows/ )
+ # If false file deployment is will be done via tempfiles that are
+ # created under ENV['TMP'] otherwise tempfiles will be created in
+ # the directory that files are going to reside.
+ file_deployment_uses_destdir false
end
end
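Review bot: The replacement comment above `file_deployment_uses_destdir false` reads `If false file deployment is will be done`, and it drops the one security-relevant fact the old comment carried: that staging in the temp directory had ACL-inheritance problems on Windows. Since the default now selects temp-dir staging on every platform, the reader should be told where that concern is handled today, otherwise a later maintainer has no reason not to undo it. Suggested wording: `# If false, file deployment is done via tempfiles created under ENV['TMP'];` / `# otherwise tempfiles are created in the directory where the file will reside.` followed by one sentence noting that on Windows the destination's non-inherited ACEs, owner and group are re-applied after the move (see file_content_management/deploy/mv_windows.rb), which is what makes temp-dir staging acceptable there.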
diff --git a/lib/chef/file_access_control/windows.rb b/lib/chef/file_access_control/windows.rb
index be0ece291f..35a16337ab 100644
--- a/lib/chef/file_access_control/windows.rb
+++ b/lib/chef/file_access_control/windows.rb
@@ -218,17 +218,24 @@ class Chef
def calculate_flags(rights)
# Handle inheritance flags
flags = 0
- case rights[:applies_to_children]
- when :containers_only
- flags |= CONTAINER_INHERIT_ACE
- when :objects_only
- flags |= OBJECT_INHERIT_ACE
- when true
- flags |= CONTAINER_INHERIT_ACE
- flags |= OBJECT_INHERIT_ACE
- when nil
- flags |= CONTAINER_INHERIT_ACE
- flags |= OBJECT_INHERIT_ACE
+
+ #
+ # Configure child inheritence only if the the resource is some
+ # type of a directory.
+ #
+ if resource.is_a? Chef::Resource::Directory
+ case rights[:applies_to_children]
+ when :containers_only
+ flags |= CONTAINER_INHERIT_ACE
+ when :objects_only
+ flags |= OBJECT_INHERIT_ACE
+ when true
+ flags |= CONTAINER_INHERIT_ACE
+ flags |= OBJECT_INHERIT_ACE
+ when nil
+ flags |= CONTAINER_INHERIT_ACE
+ flags |= OBJECT_INHERIT_ACE
+ end
end
if rights[:applies_to_self] == false
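Review bot: An explicitly requested `rights[:applies_to_children]` (for example `:containers_only`) is now discarded without a trace whenever `resource` is not a `Chef::Resource::Directory`, so a recipe author who set it on a file resource gets no indication that the inheritance part of the right was ignored; ignoring it is the correct outcome for a file object, but it should be visible. Suggest adding an `else` to the new `if`: `Chef::Log.debug("ignoring applies_to_children #{rights[:applies_to_children].inspect} on non-directory resource") if rights[:applies_to_children]`. The `when nil` branch still grants both inherit flags by default for directories, which matches the old behaviour. The new comment has two typos; `# Configure child inheritance only if the resource is some type of directory.` would do. calculate_flags continues past the end of the hunk.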
diff --git a/lib/chef/file_content_management/deploy/mv_windows.rb b/lib/chef/file_content_management/deploy/mv_windows.rb
index 4e4103593d..9449b43832 100644
--- a/lib/chef/file_content_management/deploy/mv_windows.rb
+++ b/lib/chef/file_content_management/deploy/mv_windows.rb
@@ -37,36 +37,53 @@ class Chef
end
def deploy(src, dst)
- dst_so = Security::SecurableObject.new(dst)
+ #
+ # At the time of deploy ACLs are correctly configured on the
+ # dst. This would be a simple atomic move operations in
+ # windows was not converting inherited ACLs of src to
+ # non-inherited ACLs in certain cases.See:
+ # http://blogs.msdn.com/b/oldnewthing/archive/2006/08/24/717181.aspx
+ #
+
+ #
+ # First cache the ACLs of dst file
+ #
- # FIXME: catch exception when we can't elevate privs?
- dst_sd = dst_so.security_descriptor(true) # get the sd with the SACL
+ dst_so = Security::SecurableObject.new(dst)
+ begin
+ # get the sd with the SACL
+ dst_sd = dst_so.security_descriptor(true)
+ rescue Chef::Exceptions::Win32APIError
+ # Catch and raise if the user is not elevated enough.
+ # At this point we can't configure the file as expected so
+ # we're failing action on the resource.
+ raise Chef::Exceptions::WindowsNotAdmin
+ end
if dst_sd.dacl_present?
apply_dacl = ACL.create(dst_sd.dacl.select { |ace| !ace.inherited? })
end
+
if dst_sd.sacl_present?
apply_sacl = ACL.create(dst_sd.sacl.select { |ace| !ace.inherited? })
end
- Chef::Log.debug("applying owner #{dst_sd.owner} to staged file")
- Chef::Log.debug("applying group #{dst_sd.group} to staged file")
- Chef::Log.debug("applying dacl #{dst_sd.dacl} to staged file") if dst_sd.dacl_present?
- Chef::Log.debug("applying dacl inheritance to staged file") if dst_sd.dacl_inherits?
- Chef::Log.debug("applying sacl #{dst_sd.sacl} to staged file") if dst_sd.sacl_present?
- Chef::Log.debug("applying sacl inheritance to staged file") if dst_sd.sacl_inherits?
-
- so = Security::SecurableObject.new(src)
+ #
+ # Then deploy the file
+ #
- so.set_dacl(apply_dacl, dst_sd.dacl_inherits?) if dst_sd.dacl_present?
-
- so.group = dst_sd.group
+ FileUtils.mv(src, dst)
- so.owner = dst_sd.owner
+ #
+ # Then apply the cached files to the new dst file
+ #
- so.set_sacl(apply_sacl, dst_sd.sacl_inherits?) if dst_sd.sacl_present?
+ dst_so = Security::SecurableObject.new(dst)
+ dst_so.group = dst_sd.group
+ dst_so.owner = dst_sd.owner
+ dst_so.set_dacl(apply_dacl, dst_sd.dacl_inherits?) if dst_sd.dacl_present?
+ dst_so.set_sacl(apply_sacl, dst_sd.sacl_inherits?) if dst_sd.sacl_present?
- FileUtils.mv(src, dst)
end
end
end
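Review bot: Between `FileUtils.mv(src, dst)` and the `dst_so.set_dacl`/`set_sacl` calls that follow, the file at `dst` exists with the staged file's owner and ACL rather than the cached ones, and if any of those post-move calls raises (for instance another `Win32APIError`), the new content is already in place at `dst` with an unverified ACL — before this change a failure in ACL application left the old `dst` untouched because the ACL was set on the staged file first. Since the comment says the move converts inherited ACEs of `src` to non-inherited ones only in certain cases, the post-move re-application is still needed, but pre-applying the cached owner, group, DACL and SACL to `src` before the move would close the window and make the re-application a correction rather than the only protection. The `rescue Chef::Exceptions::Win32APIError` around `security_descriptor(true)` treats every Win32 API failure as a privilege problem and discards the original error; `rescue Chef::Exceptions::Win32APIError => e` with the message forwarded, `raise Chef::Exceptions::WindowsNotAdmin, e.message` (assuming that exception accepts a message), would keep the real cause in the log. The removed `Chef::Log.debug("applying owner ...")`/dacl/sacl lines were the only record of which security descriptor was applied to the deployed file; re-adding them before the post-move application would preserve that audit trail. The `deploy` comment also reads `This would be a simple atomic move operations in windows was not converting`, which appears to have lost a clause.
```ruby
      # … unchanged: dst_sd retrieval and apply_dacl/apply_sacl caching …

      # Pre-apply the cached security descriptor to the staged file so the
      # moved file never carries the tempfile's owner/ACL, even if the
      # post-move re-application below fails part-way.
      src_so = Security::SecurableObject.new(src)
      src_so.group = dst_sd.group
      src_so.owner = dst_sd.owner
      src_so.set_dacl(apply_dacl, dst_sd.dacl_inherits?) if dst_sd.dacl_present?
      src_so.set_sacl(apply_sacl, dst_sd.sacl_inherits?) if dst_sd.sacl_present?

      FileUtils.mv(src, dst)

      # … unchanged: post-move re-application of owner, group, DACL, SACL to dst …
```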