From b2ebdeaed2e0dc42c60d1f1aa038ee42310eff4c Mon Sep 17 00:00:00 2001 From: Jack Phillips Date: Thu, 12 Dec 2024 18:27:14 -0500 Subject: [PATCH 1/6] Update ProgramFile Directory permissions --- .../ConfigureUserCustomActions.cs | 96 ++++++++++++++++--- 1 file changed, 83 insertions(+), 13 deletions(-) diff --git a/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs b/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs index 1447f8a080fd0..9a7594af7c509 100644 --- a/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs +++ b/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs @@ -375,7 +375,7 @@ private bool RemoveRedundantExplicitAccess(string filePath, FileSystemSecurity f private void GrantAgentAccessPermissions() { // add ddagentuser FullControl to select places - foreach (var filePath in PathsWithAgentAccess()) + foreach (var filePath in Chain(PathsWithAgentAccess())) { if (!_fileSystemServices.Exists(filePath)) { 
@@ -446,6 +446,46 @@ private void GrantAgentAccessPermissions() } } + private void AddDataDogUserToDataFolder(){ + var dataDirectory = _session.Property("APPLICATIONDATADIRECTORY"); + + FileSystemSecurity fileSystemSecurity; + try + { + fileSystemSecurity = _fileSystemServices.GetAccessControl(dataDirectory, AccessControlSections.All); + } + catch (Exception e) + { + _session.Log($"Failed to get ACLs on {dataDirectory}: {e}"); + throw; + } + // ddagentuser Read and execute permissions, enable child inheritance of this ACE + fileSystemSecurity.AddAccessRule(new FileSystemAccessRule( + _ddAgentUserSID, + FileSystemRights.ReadAndExecute | FileSystemRights.Synchronize, + InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, + PropagationFlags.None, + AccessControlType.Allow)); + + // datadog write on this folder + fileSystemSecurity.AddAccessRule(new FileSystemAccessRule( + _ddAgentUserSID, + FileSystemRights.Write, + InheritanceFlags.ContainerInherit, + PropagationFlags.None, + AccessControlType.Allow)); + try + { + UpdateAndLogAccessControl(dataDirectory, fileSystemSecurity); + } + catch (Exception e) + { + _session.Log($"Failed to set ACLs on {dataDirectory}: {e}"); + throw; + } + + } + private void ConfigureFilePermissions() { try @@ -471,6 +511,7 @@ private void ConfigureFilePermissions() if (_ddAgentUserSID != new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null)) { + AddDataDogUserToDataFolder(); GrantAgentAccessPermissions(); } } 
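Review bot: The root-level `FileSystemRights.Write` ACE in AddDataDogUserToDataFolder is the broadest grant in this patch, and `// datadog write on this folder` does not say why it is needed or what it covers: `FileSystemRights.Write` is WriteData/CreateFiles, AppendData/CreateDirectories, WriteAttributes and WriteExtendedAttributes, and with ContainerInherit and PropagationFlags.None it applies to every subfolder under APPLICATIONDATADIRECTORY, not only the root. The intent appears to be letting the agent create files such as `auth_token` that may not exist at install time (GrantAgentAccessPermissions in the first hunk seems to skip paths that do not exist), but that is inferred, so the method deserves a header comment stating the rationale and noting that files do not inherit Write from this ACE because ObjectInherit is not set. If only file and directory creation is required, `FileSystemRights.CreateFiles | FileSystemRights.CreateDirectories` would be the narrower grant; worth confirming against what the agent actually writes. Both rules are also added unconditionally on every run, so upgrades rely on `AddAccessRule` merging identical entries rather than duplicating them — a one-line comment saying so would help the next maintainer.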
@@ -577,19 +618,48 @@ public static ActionResult ConfigureUserRollback(Session session) return new ConfigureUserCustomActions(new SessionWrapper(session), "ConfigureUser").ConfigureUserRollback(); } - private List PathsWithAgentAccess() + private List> PathsWithAgentAccess() { - return new List - { - // agent needs to be able to write logs/ - // agent GUI needs to be able to edit config - // agent needs to be able to write to run/ - // agent needs to be able to create auth_token - _session.Property("APPLICATIONDATADIRECTORY"), - // allow agent to write __pycache__ - Path.Combine(_session.Property("PROJECTLOCATION"), "embedded2"), - Path.Combine(_session.Property("PROJECTLOCATION"), "embedded3"), + var configRoot = _session.Property("APPLICATIONDATADIRECTORY"); + var fsEnum = new List>(); + + // directories to process recursively + var dirs = new List { + Path.Combine(configRoot, "conf.d"), + Path.Combine(configRoot, "checks.d"), + Path.Combine(configRoot, "run"), + Path.Combine(configRoot, "logs"), }; + // Add the directories themselves + fsEnum.Add(dirs); + // add their subdirs/files (recursively) + foreach (var dir in dirs) + { + // add dirs only if they exist (EnumerateFileSystemEntries throws an exception if they don't) + if (_fileSystemServices.Exists(dir)) + { + fsEnum.Add(Directory.EnumerateFileSystemEntries(dir, "*.*", SearchOption.AllDirectories)); + } + } + // add specific files + fsEnum.Add(new List + { + Path.Combine(configRoot, "datadog.yaml"), + Path.Combine(configRoot, "system-probe.yaml"), + Path.Combine(configRoot, "auth_token"), + Path.Combine(configRoot, "install_info"), + } + ); + + fsEnum.Add(new List + { + // allow agent to write __pycache__ + Path.Combine(_session.Property("PROJECTLOCATION"), "embedded2"), + Path.Combine(_session.Property("PROJECTLOCATION"), "embedded3"), + } + ); + + return fsEnum; } /// 
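Review bot: PathsWithAgentAccess now calls `Directory.EnumerateFileSystemEntries` directly instead of going through `_fileSystemServices`, and returns a lazy enumeration that the (presumably elevated) installer walks later while granting ddagentuser FullControl to every entry it finds; since `run`, `logs`, `conf.d` and `checks.d` are exactly the directories the agent user is being given write access to, a reparse point placed beneath one of them before a later upgrade would redirect those grants outside the config tree. Patch 3 of this series removes the recursion, which resolves this; if recursive enumeration is ever reintroduced it should use the file-system abstraction and skip entries with `FileAttributes.ReparsePoint`. The `Chain` helper that the callers in the other hunks rely on is not shown anywhere in the patch, so it is presumably defined elsewhere in the file.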
@@ -668,7 +738,7 @@ public ActionResult UninstallUser() if (securityIdentifier != new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null)) { _session.Log($"Removing file access for {ddAgentUserName} ({securityIdentifier})"); - foreach (var filePath in PathsWithAgentAccess()) + foreach (var filePath in Chain(PathsWithAgentAccess())) { try { From b32fe2c288f3b2c87b082cb78d2bb2f9801168fd Mon Sep 17 00:00:00 2001 From: Jack Phillips Date: Thu, 12 Dec 2024 18:52:57 -0500 Subject: [PATCH 2/6] fix test permissions --- .../tests/windows/install-test/installtester.go | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/test/new-e2e/tests/windows/install-test/installtester.go b/test/new-e2e/tests/windows/install-test/installtester.go index e0fbee6886600..d58dbf89aa0ab 100644 --- a/test/new-e2e/tests/windows/install-test/installtester.go +++ b/test/new-e2e/tests/windows/install-test/installtester.go @@ -466,24 +466,13 @@ func (t *Tester) testInstalledFilePermissions(tt *testing.T, ddAgentUserIdentity path string expectedSecurity func(t *testing.T) windows.ObjectSecurity }{ + //ConfigRoot is only owned by SYSTEM and Administrators { name: "ConfigRoot", path: t.expectedConfigRoot, expectedSecurity: func(tt *testing.T) windows.ObjectSecurity { expected, err := getBaseConfigRootSecurity() require.NoError(tt, err) - if windows.IsIdentityLocalSystem(ddAgentUserIdentity) { - return expected - } - expected.Access = append(expected.Access, - windows.NewExplicitAccessRuleWithFlags( - ddAgentUserIdentity, - windows.FileFullControl, - windows.AccessControlTypeAllow, - windows.InheritanceFlagsContainer|windows.InheritanceFlagsObject, - windows.PropagationFlagsNone, - ), - ) return expected }, }, From cc672d9d3187bd8e14384eb6d6893d60e2f6b38c Mon Sep 17 00:00:00 2001 
From: Jack Phillips Date: Thu, 12 Dec 2024 19:15:43 -0500 Subject: [PATCH 3/6] remove recursion of file paths --- .../ConfigureUserCustomActions.cs | 52 +++++-------------- 1 file changed, 13 insertions(+), 39 deletions(-) diff --git a/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs b/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs index 9a7594af7c509..a5bff126d089f 100644 --- a/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs +++ b/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs @@ -375,7 +375,7 @@ private bool RemoveRedundantExplicitAccess(string filePath, FileSystemSecurity f private void GrantAgentAccessPermissions() { // add ddagentuser FullControl to select places - foreach (var filePath in Chain(PathsWithAgentAccess())) + foreach (var filePath in PathsWithAgentAccess()) { if (!_fileSystemServices.Exists(filePath)) { @@ -446,7 +446,7 @@ private void GrantAgentAccessPermissions() } } - private void AddDataDogUserToDataFolder(){ + private void AddDatadogUserToDataFolder(){ var dataDirectory = _session.Property("APPLICATIONDATADIRECTORY"); FileSystemSecurity fileSystemSecurity; @@ -511,7 +511,7 @@ private void ConfigureFilePermissions() if (_ddAgentUserSID != new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null)) { - AddDataDogUserToDataFolder(); + AddDatadogUserToDataFolder(); GrantAgentAccessPermissions(); } } 
@@ -618,48 +618,22 @@ public static ActionResult ConfigureUserRollback(Session session) return new ConfigureUserCustomActions(new SessionWrapper(session), "ConfigureUser").ConfigureUserRollback(); } - private List> PathsWithAgentAccess() + private List PathsWithAgentAccess() { var configRoot = _session.Property("APPLICATIONDATADIRECTORY"); - var fsEnum = new List>(); - // directories to process recursively - var dirs = new List { + return new List { Path.Combine(configRoot, "conf.d"), Path.Combine(configRoot, "checks.d"), Path.Combine(configRoot, "run"), Path.Combine(configRoot, "logs"), - }; - // Add the directories themselves - fsEnum.Add(dirs); - // add their subdirs/files (recursively) - foreach (var dir in dirs) - { - // add dirs only if they exist (EnumerateFileSystemEntries throws an exception if they don't) - if (_fileSystemServices.Exists(dir)) - { - fsEnum.Add(Directory.EnumerateFileSystemEntries(dir, "*.*", SearchOption.AllDirectories)); - } - } - // add specific files - fsEnum.Add(new List - { - Path.Combine(configRoot, "datadog.yaml"), - Path.Combine(configRoot, "system-probe.yaml"), - Path.Combine(configRoot, "auth_token"), - Path.Combine(configRoot, "install_info"), - } - ); - - fsEnum.Add(new List - { - // allow agent to write __pycache__ - Path.Combine(_session.Property("PROJECTLOCATION"), "embedded2"), - Path.Combine(_session.Property("PROJECTLOCATION"), "embedded3"), - } - ); - - return fsEnum; + Path.Combine(configRoot, "datadog.yaml"), + Path.Combine(configRoot, "system-probe.yaml"), + Path.Combine(configRoot, "auth_token"), + Path.Combine(configRoot, "install_info"), + Path.Combine(_session.Property("PROJECTLOCATION"), "embedded2"), + Path.Combine(_session.Property("PROJECTLOCATION"), "embedded3"), + };; } /// 
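Review bot: The flattened list drops every comment that explained why a path needs agent access (the removed lines still had `// allow agent to write __pycache__`, and the version this series replaced explained `logs/`, `run/` and `auth_token`), so a reader now cannot tell why, for example, `install_info` is granted; restore one comment per group, e.g. `// config, run and log dirs the agent writes to`, `// files the agent creates or rewrites`, `// allow agent to write __pycache__`. Since GrantAgentAccessPermissions appears to skip paths that do not exist, a comment that `auth_token`/`install_info` only receive an explicit ACE on upgrade would also be useful, though that is inferred. The `};;` on the return line leaves a stray empty statement; patch 4 (@@ -633 on the same file, next line) only changes it to `}; ;`, so both should end at `};`.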
@@ -738,7 +712,7 @@ public ActionResult UninstallUser() if (securityIdentifier != new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null)) { _session.Log($"Removing file access for {ddAgentUserName} ({securityIdentifier})"); - foreach (var filePath in Chain(PathsWithAgentAccess())) + foreach (var filePath in PathsWithAgentAccess()) { try { From a50a8b7b390603d7632dfff1d7231e179bd35779 Mon Sep 17 00:00:00 2001 From: Jack Phillips Date: Thu, 12 Dec 2024 20:37:07 -0500 Subject: [PATCH 4/6] update formating --- .../CustomActions/ConfigureUserCustomActions.cs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs b/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs index a5bff126d089f..7b3479f2beb5d 100644 --- a/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs +++ b/tools/windows/DatadogAgentInstaller/CustomActions/ConfigureUserCustomActions.cs @@ -446,7 +446,8 @@ private void GrantAgentAccessPermissions() } } - private void AddDatadogUserToDataFolder(){ + private void AddDatadogUserToDataFolder() + { var dataDirectory = _session.Property("APPLICATIONDATADIRECTORY"); FileSystemSecurity fileSystemSecurity; @@ -466,7 +467,7 @@ private void AddDatadogUserToDataFolder(){ InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow)); - + // datadog write on this folder fileSystemSecurity.AddAccessRule(new FileSystemAccessRule( _ddAgentUserSID, @@ -633,7 +634,7 @@ private List PathsWithAgentAccess() Path.Combine(configRoot, "install_info"), Path.Combine(_session.Property("PROJECTLOCATION"), "embedded2"), Path.Combine(_session.Property("PROJECTLOCATION"), "embedded3"), - };; + }; ; } /// From dbce6c6d685f72cfff8f4882e268d29e8113782f Mon Sep 17 00:00:00 2001 
From: Jack Phillips Date: Thu, 12 Dec 2024 22:38:08 -0500 Subject: [PATCH 5/6] fix test permissions --- .../windows/install-test/installtester.go | 41 ++++++++++++++++++- 1 file changed, 39 insertions(+), 2 deletions(-) diff --git a/test/new-e2e/tests/windows/install-test/installtester.go b/test/new-e2e/tests/windows/install-test/installtester.go index d58dbf89aa0ab..da974eeeb200b 100644 --- a/test/new-e2e/tests/windows/install-test/installtester.go +++ b/test/new-e2e/tests/windows/install-test/installtester.go @@ -473,6 +473,22 @@ func (t *Tester) testInstalledFilePermissions(tt *testing.T, ddAgentUserIdentity expectedSecurity: func(tt *testing.T) windows.ObjectSecurity { expected, err := getBaseConfigRootSecurity() require.NoError(tt, err) + expected.Access = append(expected.Access, + windows.NewExplicitAccessRuleWithFlags( + ddAgentUserIdentity, + windows.FileReadAndExecute|windows.SYNCHRONIZE, + windows.AccessControlTypeAllow, + windows.InheritanceFlagsContainer|windows.InheritanceFlagsObject, + windows.PropagationFlagsNone, + ), + windows.NewExplicitAccessRuleWithFlags( + ddAgentUserIdentity, + windows.FileWrite, + windows.AccessControlTypeAllow, + windows.InheritanceFlagsContainer, + windows.PropagationFlagsNone, + ), + ) return expected }, }, @@ -486,11 +502,17 @@ func (t *Tester) testInstalledFilePermissions(tt *testing.T, ddAgentUserIdentity return expected } expected.Access = append(expected.Access, - windows.NewInheritedAccessRule( + windows.NewExplicitAccessRule( ddAgentUserIdentity, windows.FileFullControl, windows.AccessControlTypeAllow, ), + // extra inherited rule for ddagentuser + windows.NewInheritedAccessRule( + ddAgentUserIdentity, + windows.FileReadAndExecute|windows.SYNCHRONIZE, + windows.AccessControlTypeAllow, + ), ) return expected }, 
@@ -505,13 +527,28 @@ func (t *Tester) testInstalledFilePermissions(tt *testing.T, ddAgentUserIdentity return expected } expected.Access = append(expected.Access, - windows.NewInheritedAccessRuleWithFlags( + windows.NewExplicitAccessRuleWithFlags( ddAgentUserIdentity, windows.FileFullControl, windows.AccessControlTypeAllow, windows.InheritanceFlagsContainer|windows.InheritanceFlagsObject, windows.PropagationFlagsNone, ), + // extra inherited rule for ddagentuser + windows.NewInheritedAccessRuleWithFlags( + ddAgentUserIdentity, + windows.FileReadAndExecute|windows.SYNCHRONIZE, + windows.AccessControlTypeAllow, + windows.InheritanceFlagsContainer|windows.InheritanceFlagsObject, + windows.PropagationFlagsNone, + ), + windows.NewInheritedAccessRuleWithFlags( + ddAgentUserIdentity, + windows.FileWrite, + windows.AccessControlTypeAllow, + windows.InheritanceFlagsContainer, + windows.PropagationFlagsNone, + ), ) return expected }, From e5f58b7ce686bc3a409a51ffb05befce92639c52 Mon Sep 17 00:00:00 2001 From: Jack Phillips Date: Fri, 13 Dec 2024 07:45:05 -0500 Subject: [PATCH 6/6] update localsystem install test --- test/new-e2e/tests/windows/install-test/installtester.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/new-e2e/tests/windows/install-test/installtester.go b/test/new-e2e/tests/windows/install-test/installtester.go index da974eeeb200b..daa337eeac0b7 100644 --- a/test/new-e2e/tests/windows/install-test/installtester.go +++ b/test/new-e2e/tests/windows/install-test/installtester.go @@ -473,6 +473,9 @@ func (t *Tester) testInstalledFilePermissions(tt *testing.T, ddAgentUserIdentity expectedSecurity: func(tt *testing.T) windows.ObjectSecurity { expected, err := getBaseConfigRootSecurity() require.NoError(tt, err) + if windows.IsIdentityLocalSystem(ddAgentUserIdentity) { + return expected + } expected.Access = append(expected.Access, windows.NewExplicitAccessRuleWithFlags( ddAgentUserIdentity,
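Review bot: The new early return for a LocalSystem agent identity in the ConfigRoot case carries no comment, and the reason lives in the installer, where ConfigureFilePermissions only calls AddDatadogUserToDataFolder when `_ddAgentUserSID` is not the LocalSystem SID; add `// LocalSystem gets no extra ACEs: the installer skips AddDatadogUserToDataFolder for it` above the `if`. The same wording fits the bare `IsIdentityLocalSystem` guards in the file and directory cases, which are visible as context in the earlier hunks. testInstalledFilePermissions starts before this hunk and, for the directory hunk on this line, continues after it.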