The current win_acl module is quite simple: you can add/delete a single ACE at a time.
Unfortunately, this is not really suitable for most more advanced use-cases.
I would like to gather some ideas for an improved acl module:
Managing multiple ACEs at once
Managing a single ACE at a time naturally makes managing large ACLs quite slow. Being able to provide a list of ACEs to add/remove would be great.
Set/Replace mode
It would be really great to have a "set/replace/exclusive" functionality to ensure that only the ACEs that you want are set on an object, and reliably getting rid of old/unwanted ACEs.
Recursive mode
From a security POV, ensuring that only the ACEs you want and have configured in your IaC is quite important.
To solve this, having some kind of recursive mode to remove all non-inherited/non-managed ACEs recursively would be really nice. I am not quite sure how to design this in a way that we can set ACLs on different depths of the filesystem tree, but remove non-inherited ACEs from all other nodes. Options I can see:
Setting ACLs for a whole part of the tree within a single call to the module
Having a recursive_ignore option which takes a regex (or a list of regexes) with files/directories to ignore.
I hope this was at least somewhat understandable. :D
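As an added illustration of the "set/replace" and recursive ideas above (example code, not part of this issue or of Ansible's win_acl): a dry-run that lists the explicit, non-inherited ACEs that a set mode would have to remove so that only the declared ACEs remain on the root, and no explicit ACEs remain below it except on paths matching an ignore regex. The function name Get-AclDrift, the $Desired hashtable shape and the $RecursiveIgnore parameter are assumptions for this example.

```powershell
# Example only: reports ACL drift, changes nothing. Run it on a test tree first.
function Get-AclDrift {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Desired explicit ACEs on $Path, e.g. @{ Identity='BUILTIN\Users'; Rights='ReadAndExecute'; Type='Allow' }
        [Parameter(Mandatory)][hashtable[]]$Desired,
        [switch]$Recurse,
        # Regexes for descendant paths whose explicit ACEs are managed elsewhere and must be left alone
        [string[]]$RecursiveIgnore = @()
    )
    # Normalise the desired ACEs to "SID|rights|type" so comparison does not depend on how the name is spelled.
    $wanted = $Desired | ForEach-Object {
        $sid = (New-Object System.Security.Principal.NTAccount($_.Identity)).Translate([System.Security.Principal.SecurityIdentifier])
        '{0}|{1}|{2}' -f $sid.Value, ([System.Security.AccessControl.FileSystemRights]($_.Rights)), $_.Type
    }
    $root = Get-Item -LiteralPath $Path
    $targets = @($root)
    if ($Recurse) { $targets += Get-ChildItem -LiteralPath $Path -Recurse -Force }
    foreach ($item in $targets) {
        $isRoot = $item.FullName -eq $root.FullName
        if (-not $isRoot -and ($RecursiveIgnore | Where-Object { $item.FullName -match $_ })) { continue }
        $acl = Get-Acl -LiteralPath $item.FullName
        # Only explicit ACEs are candidates: inherited ones come from the parent and are not drift.
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            $key = '{0}|{1}|{2}' -f $sid.Value, $ace.FileSystemRights, $ace.AccessControlType
            # On the root keep declared ACEs; below the root every explicit ACE is unmanaged.
            if ($isRoot -and ($wanted -contains $key)) { continue }
            [pscustomobject]@{
                Path     = $item.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
                Type     = $ace.AccessControlType
                Action   = 'Remove'
            }
        }
    }
}

# Usage (constructed values): list what a set mode would strip from C:\Data and its subtree,
# leaving the per-project directories under C:\Data\Projects to their own declarations.
Get-AclDrift -Path 'C:\Data' -Recurse -RecursiveIgnore '\\Projects\\[^\\]+$' -Desired @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl';    Type = 'Allow' },
    @{ Identity = 'BUILTIN\Users';          Rights = 'ReadAndExecute'; Type = 'Allow' }
) | Format-Table -AutoSize
```

Rights that Windows stores as generic access masks show up as numeric values in $ace.FileSystemRights, so an ACE written with generic rights will not match a named rights string and will be reported as drift; compare masks numerically if that matters in your environment.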
```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Replace 'path' with the actual file path (for a directory use DirectoryInfo/DirectorySecurity instead)
string path = "your/file/path";
// Define permissions (replace with your desired rights)
FileSystemRights rights = FileSystemRights.Read | FileSystemRights.Write;
// Define group names (replace with your groups; use "DOMAIN\\Group" for domain groups)
string[] groupNames = { "Group1", "Group2" };

// Get the existing ACL (optional, but recommended)
FileInfo file = new FileInfo(path);
FileSecurity acl = file.GetAccessControl();

// A FileSystemAccessRule names exactly one principal, so create one rule per group.
// SecurityIdentifier(string) expects SDDL ("S-1-5-..."), not an account name, so resolve
// the name through NTAccount.Translate, which throws if the account cannot be found.
foreach (string groupName in groupNames)
{
    IdentityReference groupSid = new NTAccount(groupName).Translate(typeof(SecurityIdentifier));
    FileSystemAccessRule rule = new FileSystemAccessRule(
        groupSid, rights, InheritanceFlags.None, PropagationFlags.None, AccessControlType.Allow);
    // Add the rule to the ACL
    acl.AddAccessRule(rule);
}

// Set the modified ACL back to the file system object
file.SetAccessControl(acl);
```