Fervent Coder

Coding Towards Utopia...by Rob Reynolds
posts - 278 , comments - 431 , trackbacks - 0

My Links


Rob Reynolds

Subscribe to Fervent Coder RSS
Subscribe to Fervent Coder by Email

About Me

I manage several open source projects. Need...
   ...package management for Windows?
   ...automated builds?
   ...database change management (migrations)?
   ...your application to check email?
   ...a monitoring utility?

I also write for

Like what you are reading? Want to buy me a cup of coffee?
PayPal - The safer, easier way to pay online!


Post Categories


Wednesday, July 9, 2014

Puppet ACLs–Mask Specific

Access Control Lists and permissions can get inherently complex. We didn’t want to sacrifice a sufficiently advanced administrator/developer/etc from being able to get to advanced scenarios with ACLs with Puppet’s ACL module. With the ACL module (soon to be) out in the wild, it may be helpful to explain one of the significantly advanced features of the ACL module: mask specific rights. I am going to interchangeably use the term “acl” to mean the module during the rest of this post (and not the Access control list or discretionary access control list).

Say you need very granular rights, not just RX (read, execute), but also to read and write attributes. You get read attributes (FILE_READ_ATTRIBUTES) with read (FILE_GENERIC_READ), see http://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx.  ACL provides you with the ability to specify ‘full’,’modify’,’write’,’read’,’execute’ or ‘mask_specific’. Mask specific is when you can’t get the specific rights you need for an identity (trustee, group, etc.) and need to get more specific.

Let’s take a look at what mask specific looks like:

acl { 'c:/tempperms':
  permissions => [
   { identity => 'Administrators', rights => ['full'] }, #full is same as - 2032127 aka 0x1f01ff but you should use 'full'
   { identity => 'SYSTEM', rights => ['modify'] }, #modify is same as 1245631 aka 0x1301bf but you should use 'modify'
   { identity => 'Users', rights => ['mask_specific'], mask => '1180073' }, #RX WA #0x1201a9
   { identity => 'Administrator', rights => ['mask_specific'], mask => '1180032' }  #RA,S,WA,Rc #1180032  #0x120180
  inherit_parent_permissions => 'false',

Note specifically that “rights=>[‘mask_specific’]” also comes with a mask integer specified as a string e.g. “mask => ‘1180032’”. Now where did that number come from? In this specific case you see it is RA,S,WA,Rc (Read Attributes, Synchronize, Write Attributes, Read Control). Let’s take a look at http://msdn.microsoft.com/en-us/library/aa394063(v=vs.85).aspx to see the Access Mask values (integer and hex).

1048576 (0x100000)

If we look here, 1048576 is the one we want. Let’s whip out our calculators. You knew that math in high school and college was going to be put to good use, right? Okay, calculators out, let’s add those numbers up.

S  = 1048576
Rc =  131072
RA =     128
WA =     256

That’s the same as the number we have above, so we are good. You know how to make mask_specific happen with the acl module should you ever need to. 

Understanding Advanced Permissions

Oh, wait. I should explain a little more advanced scenario. RX, WA – like we started to talk about above. How do you get to that number, where is FILE_GENERIC_READ? Back to http://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx, we can see that it includes FILE_READ_ATTRIBUTES, FILE_READ_DATA, FILE_READ_EA, STANDARD_RIGHTS_READ, and SYNCHRONIZE. FILE_GENERIC_EXECUTE contains FILE_EXECUTE, FILE_READ_ATTRIBUTES, STANDARD_RIGHTS_EXECUTE, and SYNCHRONIZE. Notice the overlap there? Each one of those flags only get added ONCE. This is important.  If you are following along and looking, you have noticed STANDARD_RIGHTS_READ and STANDARD_RIGHTS_EXECUTE are not listed on the page with the rights. Where did those two come from? Take a look at http://msdn.microsoft.com/en-us/library/windows/desktop/aa374892(v=vs.85).aspx down in the C++ section. See if you notice anything? Wait, what?

STANDARD_RIGHTS_READ, STANDARD_RIGHTS_EXECUTE, and STANDARD_RIGHTS_WRITE are all synonyms for READ_CONTROL. What? Why not just call it read control? I don’t know, I’m not the guy that wrote the Access Masks. Anyway, now we know what we have so let’s get our calculators ready again.

RA    =     128
RD    =       1
REa   =       8
StdRd =  131072
S     = 1048756
FE    =      32
REa   =       8
StdEx =  131072
S     = 1048756

Let’s remove the duplicates (and the tricky READ_CONTROL duplicate).

RA  =     128
RD  =       1
REa =       8
Rc  =  131072
S   = 1048756
FE  =      32

That doesn’t quite work out to what we were thinking of ‘1180073’. Did we forget something? Yes, we got a little wrapped up in just getting RX sorted out that we forgot about WA, which adds another 256 to the number.

RA  =     128
RD  =       1
REA =       8
Rc  =  131072
S   = 1048756
FE  =      32
WA  =     256



Parting Thoughts

While the ACL module has a simple interface you can definitely see that it packs some power with it. Having this kind of power is really helpful when you need to get fine-grained with your permissions.

Posted On Wednesday, July 9, 2014 1:04 PM | Comments (0) |

Powered by: