Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 4 additions & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -266,11 +266,14 @@ urlencoding = { version = "2.1" }
which = { version = "8.0.4" }
# dsc-lib
ipnetwork = { version = "0.21" }
# WindowsUpdate, windows_service
# WindowsUpdate, windows_service, dsc-lib (ACL checks)
windows = { version = "0.62", features = [
"Win32_Foundation",
"Win32_NetworkManagement_WindowsFirewall",
"Win32_Security",
"Win32_Security_Authorization",
"Win32_System_Com",
"Win32_System_Memory",
"Win32_System_Ole",
"Win32_System_Services",
"Win32_System_Variant",
Expand Down
14 changes: 14 additions & 0 deletions dsc/tests/dsc_settings.tests.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,20 @@ Describe 'tests for dsc settings' {
if ($IsWindows) { #"Setting policy on Linux requires sudo"
$script:policyDirPath = $script:policyFilePath | Split-Path
New-Item -ItemType Directory -Path $script:policyDirPath | Out-Null
# Set secure ACLs: only SYSTEM and Administrators have write access
$acl = Get-Acl -Path $script:policyDirPath
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | ForEach-Object { $acl.RemoveAccessRule($_) } | Out-Null
$systemRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
"NT AUTHORITY\SYSTEM", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$adminsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
"BUILTIN\Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")
$usersReadRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
"BUILTIN\Users", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$acl.AddAccessRule($systemRule)
$acl.AddAccessRule($adminsRule)
$acl.AddAccessRule($usersReadRule)
Set-Acl -Path $script:policyDirPath -AclObject $acl
}

#create backups of settings files
Expand Down
94 changes: 94 additions & 0 deletions dsc/tests/dsc_settings_policy_security.tests.ps1
Original file line number Diff line number Diff line change
@@ -0,0 +1,94 @@
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

Describe 'tests for policy folder security validation' {
BeforeDiscovery {
$isElevated = if ($IsWindows) {
([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
[Security.Principal.WindowsBuiltInRole]::Administrator)
} else {
(id -u) -eq 0
}
}

Context 'Windows policy folder with insecure ACL emits warning' -Skip:(!$IsWindows -or !$isElevated) {
BeforeAll {
$script:policyDirPath = Join-Path $env:ProgramData "dsc"
$script:policyFilePath = Join-Path $script:policyDirPath "dsc.settings.json"
$script:existedBefore = Test-Path $script:policyDirPath

if ($script:existedBefore) {
$script:originalAcl = Get-Acl -Path $script:policyDirPath
} else {
New-Item -ItemType Directory -Path $script:policyDirPath -Force | Out-Null
}
Comment thread
SteveL-MSFT marked this conversation as resolved.

# Write a simple policy settings file
@{ tracing = @{ level = "TRACE" } } | ConvertTo-Json -Depth 5 | Set-Content -Path $script:policyFilePath

# Grant Everyone write access to make the folder insecure
icacls $script:policyDirPath /grant "Everyone:(OI)(CI)(W)" | Out-Null
}

AfterAll {
Remove-Item -Path $script:policyFilePath -ErrorAction SilentlyContinue

if ($script:existedBefore) {
Set-Acl -Path $script:policyDirPath -AclObject $script:originalAcl
} else {
Remove-Item -Recurse -Force -Path $script:policyDirPath -ErrorAction SilentlyContinue
}
}

It 'Should emit a warning about insecure policy folder' {
dsc -l warn resource list 2> $TestDrive/tracing.txt
"$TestDrive/tracing.txt" | Should -FileContentMatch "is not secure, settings file will not be used"
}

It 'Should not exit with an error code' {
dsc -l warn resource list 2> $TestDrive/tracing.txt
$LASTEXITCODE | Should -Be 0
}
}

Context 'Linux policy folder with insecure permissions emits warning' -Skip:(!$IsLinux -or !$isElevated) {
BeforeAll {
$script:policyDirPath = "/etc/dsc"
$script:policyFilePath = Join-Path $script:policyDirPath "dsc.settings.json"
$script:existedBefore = Test-Path $script:policyDirPath

if ($script:existedBefore) {
$script:originalMode = (stat -c '%a' $script:policyDirPath)
} else {
New-Item -ItemType Directory -Path $script:policyDirPath -Force | Out-Null
}
Comment thread
SteveL-MSFT marked this conversation as resolved.

# Write a simple policy settings file
@{ tracing = @{ level = "TRACE" } } | ConvertTo-Json -Depth 5 | Set-Content -Path $script:policyFilePath

# Make the folder world-writable (insecure)
chmod 777 $script:policyDirPath
}

AfterAll {
if ($script:existedBefore) {
chmod $script:originalMode $script:policyDirPath
}

Remove-Item -Path $script:policyFilePath -ErrorAction SilentlyContinue
if (-not $script:existedBefore) {
Remove-Item -Recurse -Force -Path $script:policyDirPath -ErrorAction SilentlyContinue
}
}

It 'Should emit a warning about insecure policy folder' {
dsc -l warn resource list 2> $TestDrive/tracing.txt
"$TestDrive/tracing.txt" | Should -FileContentMatch "is not secure, settings file will not be used"
}

It 'Should not exit with an error code' {
dsc -l warn resource list 2> $TestDrive/tracing.txt
$LASTEXITCODE | Should -Be 0
}
}
}
4 changes: 4 additions & 0 deletions lib/dsc-lib/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,7 @@ tree-sitter-dscexpression = { workspace = true }

[target.'cfg(windows)'.dependencies]
registry = { workspace = true }
windows = { workspace = true }

[dev-dependencies]
serde_yaml = { workspace = true }
Expand All @@ -62,5 +63,8 @@ pretty_assertions = { workspace = true }
# Enables parameterized test cases
test-case = { workspace = true }

[target.'cfg(not(target_os = "windows"))'.dev-dependencies]
nix = { workspace = true, features = ["user"] }

[build-dependencies]
cc = { workspace = true }
3 changes: 3 additions & 0 deletions lib/dsc-lib/locales/en-us.toml
Original file line number Diff line number Diff line change
Expand Up @@ -931,6 +931,9 @@ settingNotFound = "Setting '%{name}' not found"
failedToAbsolutizePath = "Failed to absolutize path '%{path}'"
executableNotFoundInWorkingDirectory = "Executable '%{executable}' not found with working directory '%{cwd}'"
executableNotFound = "Executable '%{executable}' not found"
policyFolderNotSecure = "Policy folder '%{path}' is not secure, settings file will not be used. Required permissions: %{required}"
policyFolderNotSecureLinux = "Only root should have write access (no group/other write bits)"
policyFolderNotSecureWindows = "Only SYSTEM and Administrators should have write access"

[types.date_version]
invalidDay = "day `%{day}` for month `%{month}` is invalid - must be between `01` and `%{max_days}`"
Expand Down
Loading
Loading