Skip to content

Backport: Verify write permission on policy settings folder#1627

Merged
SteveL-MSFT merged 9 commits into
PowerShell:release/v3.2from
SteveL-MSFT:v3.2.3
Jul 14, 2026
Merged

Backport: Verify write permission on policy settings folder#1627
SteveL-MSFT merged 9 commits into
PowerShell:release/v3.2from
SteveL-MSFT:v3.2.3

Conversation

@SteveL-MSFT

Copy link
Copy Markdown
Member

PR Summary

Steve Lee (POWERSHELL HE/HIM) (from Dev Box) and others added 7 commits July 14, 2026 09:39
On Linux, check that only root (uid 0) owns the /etc/dsc folder and
that no group or other write bits are set. On Windows, enumerate the
DACL on the ProgramData\dsc folder and verify that only SYSTEM and
Administrators have write access. If the folder is not secure, emit
a localized error message and exit with code 1.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
When the dsc policy folder has insecure permissions, emit a warning
indicating the settings file will not be used and return an empty path
so execution continues without the policy settings.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Adds dsc_settings_policy_security.tests.ps1 that validates on both
Windows and Linux that an insecure dsc policy folder emits a warning
about the settings file not being used, and does not cause a non-zero
exit code. Also fixes minor issue with the t! macro call passing path
to the Windows-specific message.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
- Fix clippy explicit-auto-deref: &(*ace).SidStart -> &ace.SidStart
- Fail closed: return false (insecure) when GetNamedSecurityInfoW,
  GetAce, or fs::metadata fails instead of assuming secure
- Treat NULL DACL as insecure (full access to everyone)
- Add GENERIC_WRITE and GENERIC_ALL to the write mask
- Skip inherit-only ACEs that don't apply to the folder itself
- On Linux, emit warning and return empty on metadata failure
- Tests: save/restore original ACL via Get-Acl/Set-Acl on Windows
- Tests: capture original mode with stat on Linux instead of
  hardcoding 755

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
- Handle non-standard allow ACE types (callback, object ACEs): fail
  closed for any ACE type we cannot reliably parse the SID from
- Skip deny ACE types (1, 6, 10) as they restrict rather than grant
- Remove /T from icacls in test to avoid recursively modifying children
- Gate Linux test context on \False to avoid macOS failures
- Extract verify_linux_permissions helper for testability
- Add Rust unit tests for Linux permission checks covering:
  nonexistent path, non-root owned dir, and missing /etc/dsc scenarios

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The 'Confirm settings override priorities' test creates ProgramData\dsc
which on CI inherits broad write access from the parent. The new ACL
validation now rejects that folder. Fix by explicitly setting a secure
ACL (only SYSTEM, Administrators write; Users read) after creating it.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@SteveL-MSFT SteveL-MSFT merged commit 6454e59 into PowerShell:release/v3.2 Jul 14, 2026
19 checks passed
@SteveL-MSFT SteveL-MSFT deleted the v3.2.3 branch July 14, 2026 19:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant