golden hour
/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils
⬆️ Go Up
Upload
File/Folder
Size
Actions
__init__.py
237 B
Del
OK
__pycache__
-
Del
OK
aggregation.py
5.17 KB
Del
OK
ansible.py
1.48 KB
Del
OK
args.py
18.33 KB
Del
OK
asynchronous.py
4.06 KB
Del
OK
atomicfile.py
5.33 KB
Del
OK
aws.py
20.37 KB
Del
OK
azurearm.py
11.42 KB
Del
OK
beacons.py
517 B
Del
OK
boto3mod.py
8.36 KB
Del
OK
boto_elb_tag.py
3.02 KB
Del
OK
botomod.py
7.98 KB
Del
OK
cache.py
11.49 KB
Del
OK
channel.py
489 B
Del
OK
cloud.py
116.3 KB
Del
OK
color.py
2.72 KB
Del
OK
compat.py
1.89 KB
Del
OK
configcomparer.py
3.88 KB
Del
OK
configparser.py
10.82 KB
Del
OK
context.py
6.8 KB
Del
OK
crypt.py
5 KB
Del
OK
ctx.py
1.42 KB
Del
OK
data.py
53.03 KB
Del
OK
dateutils.py
2.3 KB
Del
OK
debug.py
4.19 KB
Del
OK
decorators
-
Del
OK
dictdiffer.py
16.48 KB
Del
OK
dicttrim.py
3.9 KB
Del
OK
dictupdate.py
11.33 KB
Del
OK
dns.py
35.21 KB
Del
OK
doc.py
2.25 KB
Del
OK
dockermod
-
Del
OK
entrypoints.py
1.83 KB
Del
OK
environment.py
2.2 KB
Del
OK
error.py
1.18 KB
Del
OK
etcd_util.py
33.25 KB
Del
OK
event.py
52.45 KB
Del
OK
extend.py
8.87 KB
Del
OK
extmods.py
6.04 KB
Del
OK
filebuffer.py
3.15 KB
Del
OK
files.py
27.94 KB
Del
OK
find.py
22.08 KB
Del
OK
fsutils.py
3.29 KB
Del
OK
functools.py
6.02 KB
Del
OK
gitfs.py
130.41 KB
Del
OK
github.py
1.52 KB
Del
OK
gzip_util.py
2.86 KB
Del
OK
hashutils.py
5.91 KB
Del
OK
http.py
33.9 KB
Del
OK
iam.py
1.22 KB
Del
OK
icinga2.py
754 B
Del
OK
idem.py
1.22 KB
Del
OK
immutabletypes.py
2.46 KB
Del
OK
itertools.py
2.36 KB
Del
OK
jid.py
3 KB
Del
OK
jinja.py
33.92 KB
Del
OK
job.py
6.89 KB
Del
OK
json.py
3.78 KB
Del
OK
kickstart.py
41.04 KB
Del
OK
kinds.py
493 B
Del
OK
lazy.py
3.06 KB
Del
OK
listdiffer.py
10.9 KB
Del
OK
locales.py
2.06 KB
Del
OK
mac_utils.py
14.01 KB
Del
OK
mako.py
3.97 KB
Del
OK
master.py
29.7 KB
Del
OK
mattermost.py
1.77 KB
Del
OK
memcached.py
3.56 KB
Del
OK
migrations.py
1.46 KB
Del
OK
mine.py
3.68 KB
Del
OK
minion.py
4.13 KB
Del
OK
minions.py
43.38 KB
Del
OK
mount.py
1.15 KB
Del
OK
msazure.py
5.36 KB
Del
OK
msgpack.py
4.69 KB
Del
OK
nacl.py
13.65 KB
Del
OK
namecheap.py
4.32 KB
Del
OK
napalm.py
23.22 KB
Del
OK
nb_popen.py
7.24 KB
Del
OK
network.py
73.86 KB
Del
OK
nxos.py
12.94 KB
Del
OK
nxos_api.py
4 KB
Del
OK
odict.py
13.21 KB
Del
OK
openstack
-
Del
OK
oset.py
6.41 KB
Del
OK
pagerduty.py
3.03 KB
Del
OK
parsers.py
122.69 KB
Del
OK
path.py
11.24 KB
Del
OK
pbm.py
9.81 KB
Del
OK
pkg
-
Del
OK
platform.py
5.84 KB
Del
OK
powershell.py
4.15 KB
Del
OK
preseed.py
2.64 KB
Del
OK
process.py
40.76 KB
Del
OK
profile.py
3.21 KB
Del
OK
proxy.py
331 B
Del
OK
psutil_compat.py
3.63 KB
Del
OK
pushover.py
4.51 KB
Del
OK
pycrypto.py
5.41 KB
Del
OK
pydsl.py
13.74 KB
Del
OK
pyobjects.py
10.75 KB
Del
OK
reactor.py
18.99 KB
Del
OK
reclass.py
752 B
Del
OK
roster_matcher.py
3.55 KB
Del
OK
rsax931.py
8.42 KB
Del
OK
s3.py
8.78 KB
Del
OK
saltclass.py
14.27 KB
Del
OK
sanitizers.py
2.51 KB
Del
OK
schedule.py
71.81 KB
Del
OK
schema.py
54.26 KB
Del
OK
sdb.py
4.04 KB
Del
OK
slack.py
3.58 KB
Del
OK
smb.py
11.16 KB
Del
OK
smtp.py
3.27 KB
Del
OK
ssdp.py
14.75 KB
Del
OK
ssh.py
769 B
Del
OK
state.py
8.43 KB
Del
OK
stringio.py
355 B
Del
OK
stringutils.py
16.95 KB
Del
OK
systemd.py
5.51 KB
Del
OK
templates.py
24.03 KB
Del
OK
textformat.py
5.03 KB
Del
OK
thin.py
31.91 KB
Del
OK
timed_subprocess.py
4.06 KB
Del
OK
timeout.py
1.53 KB
Del
OK
timeutil.py
2.4 KB
Del
OK
url.py
5 KB
Del
OK
user.py
11.86 KB
Del
OK
validate
-
Del
OK
value.py
247 B
Del
OK
vault.py
21.74 KB
Del
OK
verify.py
25.34 KB
Del
OK
versions.py
17.17 KB
Del
OK
virt.py
3.24 KB
Del
OK
virtualbox.py
22.43 KB
Del
OK
vmware.py
129.74 KB
Del
OK
vsan.py
17.18 KB
Del
OK
vt.py
31.47 KB
Del
OK
vt_helper.py
4.4 KB
Del
OK
win_chcp.py
3.7 KB
Del
OK
win_dacl.py
95.49 KB
Del
OK
win_dotnet.py
4.74 KB
Del
OK
win_functions.py
12.69 KB
Del
OK
win_lgpo_auditpol.py
8.48 KB
Del
OK
win_lgpo_netsh.py
17.87 KB
Del
OK
win_lgpo_reg.py
16.98 KB
Del
OK
win_network.py
16.35 KB
Del
OK
win_osinfo.py
2.83 KB
Del
OK
win_pdh.py
13.85 KB
Del
OK
win_reg.py
30.82 KB
Del
OK
win_runas.py
10.53 KB
Del
OK
win_service.py
5.2 KB
Del
OK
win_system.py
14.47 KB
Del
OK
win_update.py
40.36 KB
Del
OK
winapi.py
818 B
Del
OK
x509.py
73.19 KB
Del
OK
xdg.py
316 B
Del
OK
xmlutil.py
13.91 KB
Del
OK
yaml.py
349 B
Del
OK
yamldumper.py
3.37 KB
Del
OK
yamlencoding.py
1.55 KB
Del
OK
yamllint.py
1.61 KB
Del
OK
yamlloader.py
6.04 KB
Del
OK
yamlloader_old.py
8.15 KB
Del
OK
yast.py
619 B
Del
OK
zeromq.py
1.74 KB
Del
OK
zfs.py
19.15 KB
Del
OK
Edit: verify.py
""" A few checks to make sure the environment is sane """ import errno import itertools import logging import os import re import socket import stat import sys import salt.defaults.exitcodes import salt.utils.files import salt.utils.path import salt.utils.platform import salt.utils.user from salt._logging import LOG_LEVELS from salt.exceptions import CommandExecutionError, SaltClientError, SaltSystemExit # Original Author: Jeff Schroeder <jeffschroeder@computer.org> try: import win32file import salt.utils.win_reg except ImportError: import resource log = logging.getLogger(__name__) ROOT_DIR = "c:\\salt" if salt.utils.platform.is_windows() else "/" DEFAULT_SCHEMES = ["tcp://", "udp://", "file://"] def zmq_version(): """ ZeroMQ python bindings >= 2.1.9 are required """ try: import zmq except Exception: # pylint: disable=broad-except # Return True for local mode return True ver = zmq.__version__ # The last matched group can be None if the version # is something like 3.1 and that will work properly match = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", ver) # Fallthrough and hope for the best if not match: log.warning("Using untested zmq python bindings version: '%s'", ver) return True major, minor, point = match.groups() if major.isdigit(): major = int(major) if minor.isdigit(): minor = int(minor) # point very well could be None if point and point.isdigit(): point = int(point) if major == 2 and minor == 1: # zmq 2.1dev could be built against a newer libzmq if "dev" in ver and not point: log.warning("Using dev zmq module, please report unexpected results") return True elif point and point >= 9: return True elif major > 2 or (major == 2 and minor > 1): return True # If all else fails, gracefully croak and warn the user log.critical("ZeroMQ python bindings >= 2.1.9 are required") if "salt-master" in sys.argv[0]: log.critical( "The Salt Master is unstable using a ZeroMQ version " "lower than 2.1.11 and requires this fix: http://lists.zeromq." "org/pipermail/zeromq-dev/2011-June/012094.html" ) return False def lookup_family(hostname): """ Lookup a hostname and determine its address family. The first address returned will be AF_INET6 if the system is IPv6-enabled, and AF_INET otherwise. """ # If lookups fail, fall back to AF_INET sockets (and v4 addresses). fallback = socket.AF_INET try: hostnames = socket.getaddrinfo( hostname or None, None, socket.AF_UNSPEC, socket.SOCK_STREAM ) if not hostnames: return fallback h = hostnames[0] return h[0] except socket.gaierror: return fallback def verify_socket(interface, pub_port, ret_port): """ Attempt to bind to the sockets to verify that they are available """ addr_family = lookup_family(interface) for port in pub_port, ret_port: sock = socket.socket(addr_family, socket.SOCK_STREAM) try: sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.bind((interface, int(port))) except Exception as exc: # pylint: disable=broad-except msg = "Unable to bind socket {}:{}".format(interface, port) if exc.args: msg = "{}, error: {}".format(msg, str(exc)) else: msg = "{}, this might not be a problem.".format(msg) msg += "; Is there another salt-master running?" log.warning(msg) return False finally: sock.close() return True def verify_logs_filter(files): """ Filter files to verify. """ to_verify = [] for filename in files: verify_file = True for scheme in DEFAULT_SCHEMES: if filename.startswith(scheme): verify_file = False break if verify_file: to_verify.append(filename) return to_verify def verify_log_files(files, user): """ Verify the log files exist and are owned by the named user. Filenames that begin with tcp:// and udp:// will be filtered out. Filenames that begin with file:// are handled correctly """ return verify_files(verify_logs_filter(files), user) def _get_pwnam(user): """ Get the user from passwords database """ if salt.utils.platform.is_windows(): return True import pwd # after confirming not running Windows try: return pwd.getpwnam(user) except KeyError: print( "Failed to prepare the Salt environment for user {}. " "The user is not available.".format(user), file=sys.stderr, flush=True, ) sys.exit(salt.defaults.exitcodes.EX_NOUSER) def verify_files(files, user): """ Verify that the named files exist and are owned by the named user """ if salt.utils.platform.is_windows(): return True # after confirming not running Windows pwnam = _get_pwnam(user) uid = pwnam[2] for fn_ in files: dirname = os.path.dirname(fn_) try: if dirname: try: os.makedirs(dirname) except OSError as err: if err.errno != errno.EEXIST: raise if not os.path.isfile(fn_): with salt.utils.files.fopen(fn_, "w"): pass except OSError as err: if os.path.isfile(dirname): msg = "Failed to create path {}, is {} a file?".format(fn_, dirname) raise SaltSystemExit(msg=msg) if err.errno != errno.EACCES: raise msg = 'No permissions to access "{}", are you running as the correct user?'.format( fn_ ) raise SaltSystemExit(msg=msg) except OSError as err: # pylint: disable=duplicate-except msg = 'Failed to create path "{}" - {}'.format(fn_, err) raise SaltSystemExit(msg=msg) stats = os.stat(fn_) if uid != stats.st_uid: try: os.chown(fn_, uid, -1) except OSError: pass return True def verify_env( dirs, user, permissive=False, pki_dir="", skip_extra=False, root_dir=ROOT_DIR ): """ Verify that the named directories are in place and that the environment can shake the salt """ if salt.utils.platform.is_windows(): return win_verify_env( root_dir, dirs, permissive=permissive, skip_extra=skip_extra ) # after confirming not running Windows pwnam = _get_pwnam(user) uid = pwnam[2] gid = pwnam[3] groups = salt.utils.user.get_gid_list(user, include_default=False) for dir_ in dirs: if not dir_: continue if not os.path.isdir(dir_): try: with salt.utils.files.set_umask(0o022): os.makedirs(dir_) # If starting the process as root, chown the new dirs if os.getuid() == 0: os.chown(dir_, uid, gid) except OSError as err: msg = 'Failed to create directory path "{0}" - {1}\n' sys.stderr.write(msg.format(dir_, err)) sys.exit(err.errno) mode = os.stat(dir_) # If starting the process as root, chown the new dirs if os.getuid() == 0: fmode = os.stat(dir_) if fmode.st_uid != uid or fmode.st_gid != gid: if permissive and fmode.st_gid in groups: # Allow the directory to be owned by any group root # belongs to if we say it's ok to be permissive pass else: # chown the file for the new user os.chown(dir_, uid, gid) for subdir in [a for a in os.listdir(dir_) if "jobs" not in a]: fsubdir = os.path.join(dir_, subdir) if "{}jobs".format(os.path.sep) in fsubdir: continue for root, dirs, files in salt.utils.path.os_walk(fsubdir): for name in itertools.chain(files, dirs): if name.startswith("."): continue path = os.path.join(root, name) try: fmode = os.stat(path) if fmode.st_uid != uid or fmode.st_gid != gid: if permissive and fmode.st_gid in groups: pass else: # chown the file for the new user os.chown(path, uid, gid) except OSError: continue # Allow the pki dir to be 700 or 750, but nothing else. # This prevents other users from writing out keys, while # allowing the use-case of 3rd-party software (like django) # to read in what it needs to integrate. # # If the permissions aren't correct, default to the more secure 700. # If acls are enabled, the pki_dir needs to remain readable, this # is still secure because the private keys are still only readable # by the user running the master if dir_ == pki_dir: smode = stat.S_IMODE(mode.st_mode) if smode != 448 and smode != 488: if os.access(dir_, os.W_OK): os.chmod(dir_, 448) else: log.critical( 'Unable to securely set the permissions of "%s".', dir_ ) if skip_extra is False: # Run the extra verification checks zmq_version() def check_user(user): """ Check user and assign process uid/gid. """ if salt.utils.platform.is_windows(): return True if user == salt.utils.user.get_user(): return True # after confirming not running Windows pwuser = _get_pwnam(user) try: if hasattr(os, "initgroups"): os.initgroups(user, pwuser.pw_gid) # pylint: disable=minimum-python-version else: os.setgroups(salt.utils.user.get_gid_list(user, include_default=False)) os.setgid(pwuser.pw_gid) os.setuid(pwuser.pw_uid) # We could just reset the whole environment but let's just override # the variables we can get from pwuser if "HOME" in os.environ: os.environ["HOME"] = pwuser.pw_dir if "SHELL" in os.environ: os.environ["SHELL"] = pwuser.pw_shell for envvar in ("USER", "LOGNAME"): if envvar in os.environ: os.environ[envvar] = pwuser.pw_name except OSError: log.critical('Salt configured to run as user "%s" but unable to switch.', user) return False return True def list_path_traversal(path): """ Returns a full list of directories leading up to, and including, a path. So list_path_traversal('/path/to/salt') would return: ['/', '/path', '/path/to', '/path/to/salt'] in that order. This routine has been tested on Windows systems as well. list_path_traversal('c:\\path\\to\\salt') on Windows would return: ['c:\\', 'c:\\path', 'c:\\path\\to', 'c:\\path\\to\\salt'] """ out = [path] (head, tail) = os.path.split(path) if tail == "": # paths with trailing separators will return an empty string out = [head] (head, tail) = os.path.split(head) while head != out[0]: # loop until head is the same two consecutive times out.insert(0, head) (head, tail) = os.path.split(head) return out def check_path_traversal(path, user="root", skip_perm_errors=False): """ Walk from the root up to a directory and verify that the current user has access to read each directory. This is used for making sure a user can read all parent directories of the minion's key before trying to go and generate a new key and raising an IOError """ for tpath in list_path_traversal(path): if not os.access(tpath, os.R_OK): msg = "Could not access {}.".format(tpath) if not os.path.exists(tpath): msg += " Path does not exist." else: current_user = salt.utils.user.get_user() # Make the error message more intelligent based on how # the user invokes salt-call or whatever other script. if user != current_user: msg += " Try running as user {}.".format(user) else: msg += " Please give {} read permissions.".format(user) # We don't need to bail on config file permission errors # if the CLI # process is run with the -a flag if skip_perm_errors: return # Propagate this exception up so there isn't a sys.exit() # in the middle of code that could be imported elsewhere. raise SaltClientError(msg) def check_max_open_files(opts): """ Check the number of max allowed open files and adjust if needed """ mof_c = opts.get("max_open_files", 100000) if sys.platform.startswith("win"): # Check the Windows API for more detail on this # http://msdn.microsoft.com/en-us/library/xt874334(v=vs.71).aspx # and the python binding http://timgolden.me.uk/pywin32-docs/win32file.html mof_s = mof_h = win32file._getmaxstdio() else: mof_s, mof_h = resource.getrlimit(resource.RLIMIT_NOFILE) accepted_keys_dir = os.path.join(opts.get("pki_dir"), "minions") accepted_count = len(os.listdir(accepted_keys_dir)) log.debug("This salt-master instance has accepted %s minion keys.", accepted_count) level = logging.INFO if (accepted_count * 4) <= mof_s: # We check for the soft value of max open files here because that's the # value the user chose to raise to. # # The number of accepted keys multiplied by four(4) is lower than the # soft value, everything should be OK return msg = ( "The number of accepted minion keys({}) should be lower than 1/4 " "of the max open files soft setting({}). ".format(accepted_count, mof_s) ) if accepted_count >= mof_s: # This should never occur, it might have already crashed msg += "salt-master will crash pretty soon! " level = logging.CRITICAL elif (accepted_count * 2) >= mof_s: # This is way too low, CRITICAL level = logging.CRITICAL elif (accepted_count * 3) >= mof_s: level = logging.WARNING # The accepted count is more than 3 time, WARN elif (accepted_count * 4) >= mof_s: level = logging.INFO if mof_c < mof_h: msg += ( "According to the system's hard limit, there's still a " "margin of {} to raise the salt's max_open_files " "setting. ".format(mof_h - mof_c) ) msg += "Please consider raising this value." log.log(level=level, msg=msg) def _realpath_darwin(path): base = "" for part in path.split(os.path.sep)[1:]: if base != "": if os.path.islink(os.path.sep.join([base, part])): base = os.readlink(os.path.sep.join([base, part])) else: base = os.path.abspath(os.path.sep.join([base, part])) else: base = os.path.abspath(os.path.sep.join([base, part])) return base def _realpath_windows(path): base = "" for part in path.split(os.path.sep): if base != "": try: # Need to use salt.utils.path.readlink as it handles junctions part = salt.utils.path.readlink(os.path.sep.join([base, part])) base = os.path.abspath(part) except OSError: base = os.path.abspath(os.path.sep.join([base, part])) else: base = part # Python 3.8 added support for directory junctions which prefixes the # return with `\\?\`. We need to strip that off. # https://docs.python.org/3/library/os.html#os.readlink if base.startswith("\\\\?\\"): base = base[4:] return base def _realpath(path): """ Cross platform realpath method. On Windows when python 3, this method uses the os.readlink method to resolve any filesystem links. All other platforms and version use ``os.path.realpath``. """ if salt.utils.platform.is_darwin(): return _realpath_darwin(path) elif salt.utils.platform.is_windows(): return _realpath_windows(path) return os.path.realpath(path) def clean_path(root, path, subdir=False): """ Accepts the root the path needs to be under and verifies that the path is under said root. Pass in subdir=True if the path can result in a subdirectory of the root instead of having to reside directly in the root """ real_root = _realpath(root) if not os.path.isabs(real_root): return "" if not os.path.isabs(path): path = os.path.join(root, path) path = os.path.normpath(path) real_path = _realpath(path) if subdir: if real_path.startswith(real_root): return real_path else: if os.path.dirname(real_path) == os.path.normpath(real_root): return real_path return "" def valid_id(opts, id_): """ Returns if the passed id is valid """ try: if any(x in id_ for x in ("/", "\\", "\0")): return False return bool(clean_path(opts["pki_dir"], id_)) except (AttributeError, KeyError, TypeError, UnicodeDecodeError): return False def safe_py_code(code): """ Check a string to see if it has any potentially unsafe routines which could be executed via python, this routine is used to improve the safety of modules suct as virtualenv """ bads = ("import", ";", "subprocess", "eval", "open", "file", "exec", "input") for bad in bads: if code.count(bad): return False return True def insecure_log(): """ Return the insecure logs types """ insecure = [] for level, value in LOG_LEVELS.items(): if value < LOG_LEVELS.get("info", 20): insecure.append(level) return insecure def verify_log(opts): """ If an insecre logging configuration is found, show a warning """ level = LOG_LEVELS.get(str(opts.get("log_level")).lower(), logging.NOTSET) if level < logging.INFO: log.warning( "Insecure logging configuration detected! Sensitive data may be logged." ) def win_verify_env(path, dirs, permissive=False, pki_dir="", skip_extra=False): """ Verify that the named directories are in place and that the environment can shake the salt """ import salt.utils.path import salt.utils.win_dacl import salt.utils.win_functions # Make sure the file_roots is not set to something unsafe since permissions # on that directory are reset # `salt.utils.path.safe_path` will consider anything inside `C:\Windows` to # be unsafe. In some instances the test suite uses # `C:\Windows\Temp\salt-tests-tmpdir\rootdir` as the file_roots. So, we need # to consider anything in `C:\Windows\Temp` to be safe system_root = os.environ.get("SystemRoot", r"C:\Windows") allow_path = "\\".join([system_root, "TEMP"]) if not salt.utils.path.safe_path(path=path, allow_path=allow_path): raise CommandExecutionError( "`file_roots` set to a possibly unsafe location: {}".format(path) ) # Create the root path directory if missing if not os.path.isdir(path): os.makedirs(path) current_user = salt.utils.win_functions.get_current_user() # Set permissions to the registry key if salt.utils.win_functions.is_admin(current_user): reg_path = "HKLM\\SOFTWARE\\Salt Project\\salt" if not salt.utils.win_reg.key_exists( hive="HKLM", key="SOFTWARE\\Salt Project\\salt" ): salt.utils.win_reg.set_value( hive="HKLM", key="SOFTWARE\\Salt Project\\salt" ) try: # Make the Administrators group owner # Use the SID to be locale agnostic salt.utils.win_dacl.set_owner( obj_name=reg_path, principal="S-1-5-32-544", obj_type="registry" ) except CommandExecutionError: log.critical("Unable to securely set the owner of '%s'.", reg_path) try: # Get a clean dacl by not passing an obj_name dacl = salt.utils.win_dacl.dacl(obj_type="registry") # Add aces to the dacl, use the GUID (locale non-specific) # Administrators Group dacl.add_ace( principal="S-1-5-32-544", access_mode="grant", permissions="full_control", applies_to="this_key_subkeys", ) # System dacl.add_ace( principal="S-1-5-18", access_mode="grant", permissions="full_control", applies_to="this_key_subkeys", ) # Owner dacl.add_ace( principal="S-1-3-4", access_mode="grant", permissions="full_control", applies_to="this_key_subkeys", ) # Save the dacl to the object dacl.save(obj_name=reg_path, protected=True) except CommandExecutionError: log.critical("Unable to securely set the permissions of '%s'.", reg_path) # Set permissions to the root path directory if salt.utils.win_functions.is_admin(current_user): try: # Make the Administrators group owner # Use the SID to be locale agnostic salt.utils.win_dacl.set_owner(obj_name=path, principal="S-1-5-32-544") except CommandExecutionError: log.critical('Unable to securely set the owner of "%s".', path) if not permissive: try: # Get a clean dacl by not passing an obj_name dacl = salt.utils.win_dacl.dacl() # Add aces to the dacl, use the GUID (locale non-specific) # Administrators Group dacl.add_ace( principal="S-1-5-32-544", access_mode="grant", permissions="full_control", applies_to="this_folder_subfolders_files", ) # System dacl.add_ace( principal="S-1-5-18", access_mode="grant", permissions="full_control", applies_to="this_folder_subfolders_files", ) # Owner dacl.add_ace( principal="S-1-3-4", access_mode="grant", permissions="full_control", applies_to="this_folder_subfolders_files", ) # Save the dacl to the object dacl.save(obj_name=path, protected=True) except CommandExecutionError: log.critical("Unable to securely set the permissions of '%s'", path) # Create the directories for dir_ in dirs: if not dir_: continue if not os.path.isdir(dir_): try: os.makedirs(dir_) except OSError as err: msg = 'Failed to create directory path "{0}" - {1}\n' sys.stderr.write(msg.format(dir_, err)) sys.exit(err.errno) # The PKI dir gets its own permissions if dir_ == pki_dir: try: # Make Administrators group the owner salt.utils.win_dacl.set_owner(obj_name=path, principal="S-1-5-32-544") # Give Admins, System and Owner permissions # Get a clean dacl by not passing an obj_name dacl = salt.utils.win_dacl.dacl() # Add aces to the dacl, use the GUID (locale non-specific) # Administrators Group dacl.add_ace( principal="S-1-5-32-544", access_mode="grant", permissions="full_control", applies_to="this_folder_subfolders_files", ) # System dacl.add_ace( principal="S-1-5-18", access_mode="grant", permissions="full_control", applies_to="this_folder_subfolders_files", ) # Owner dacl.add_ace( principal="S-1-3-4", access_mode="grant", permissions="full_control", applies_to="this_folder_subfolders_files", ) # Save the dacl to the object dacl.save(obj_name=dir_, protected=True) except CommandExecutionError: log.critical("Unable to securely set the permissions of '%s'.", dir_) if skip_extra is False: # Run the extra verification checks zmq_version()
Save