Grant Authenticated Users read-execute on Protect-Dir paths#177
Conversation
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
WalkthroughThis pull request updates Windows directory permission handling to explicitly grant read and execute access to Authenticated Users while blocking write and privilege-related operations. The implementation in Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@acceptance_test/assets/bwats-release/jobs/check-system/templates/run.ps1`:
- Around line 141-145: The ACL check currently builds $writeBits with only
WriteData/AppendData/WriteExtendedAttributes/WriteAttributes, but it must also
block deletion and ACL/ownership changes; update the bitmask(s) (the $writeBits
definition shown and the similar block at 156-160) to OR in
[System.Security.AccessControl.FileSystemRights]::Delete, ::ChangePermissions,
and ::TakeOwnership (and ::DeleteSubdirectoriesAndFiles if present/applicable)
so Authenticated Users are denied delete and ACL/ownership rights as well.
In `@modules/BOSH.Utils/BOSH.Utils.psm1`:
- Line 116: The icacls invocation is passing $path unquoted via "cmd.exe /c
icacls.exe $path ..." so paths with spaces will break; update the call in
BOSH.Utils.psm1 so $path is properly quoted or avoid going through cmd.exe:
either replace the line with a direct executable call using the PowerShell call
operator (e.g. & icacls.exe $path ...) which preserves spaces, or wrap $path in
escaped quotes when invoking cmd.exe (e.g. "cmd.exe /c icacls.exe `"$path`"
..."), ensuring the unique symbol $path and the existing "cmd.exe /c icacls.exe"
invocation are updated accordingly.
In `@modules/BOSH.Utils/BOSH.Utils.Tests.ps1`:
- Around line 165-176: The test currently only checks the first Authenticated
Users Allow ACE via $authenticatedUsersAccess = ... | Select-Object -First 1
which can miss additional permissive ACEs; change this to collect all matching
ACEs (remove Select-Object -First 1) and assert the collection is not
null/empty, then iterate over each ACE in that collection (or aggregate their
FileSystemRights) to ensure none have any of the forbidden rights; update the
subsequent assertions that reference $authenticatedUsersAccess to validate every
ACE rather than only the first one.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 89c51836-208e-411a-bae9-24dab551bc99
📒 Files selected for processing (3)
acceptance_test/assets/bwats-release/jobs/check-system/templates/run.ps1modules/BOSH.Utils/BOSH.Utils.Tests.ps1modules/BOSH.Utils/BOSH.Utils.psm1
There was a problem hiding this comment.
Pull request overview
This PR updates the Windows stemcell hardening logic to ensure Windows services running as Network Service or Local Service can start successfully at boot by granting NT AUTHORITY\Authenticated Users Read & Execute access on Protect-Dir-protected directories (not write).
Changes:
- Update
Protect-Dirto grantNT AUTHORITY\Authenticated Users:(OI)(CI)RXwhen disabling inheritance. - Update the
Protect-DirPester unit test to assert Authenticated Users exists and has no dangerous rights. - Update the acceptance test ACL allow-list to include Authenticated Users and add a guard to prevent write permissions.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| modules/BOSH.Utils/BOSH.Utils.psm1 | Grants Authenticated Users RX as part of the “tight DACL” applied by Protect-Dir. |
| modules/BOSH.Utils/BOSH.Utils.Tests.ps1 | Updates unit test expectations to require Authenticated Users allow ACE with no forbidden rights. |
| acceptance_test/assets/bwats-release/jobs/check-system/templates/run.ps1 | Updates ACL allow-list to include Authenticated Users and adds a write-bit regression check. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Without Read & Execute for NT AUTHORITY\Authenticated Users on C:\bosh and C:\var, Windows services running as Network Service or Local Service (both members of Authenticated Users) receive ERROR_ACCESS_DENIED during process creation at boot, preventing the BOSH agent service from starting. Confirmed via System.evtx: %%5 (ERROR_ACCESS_DENIED) logged by the SCM against the bosh-agent service on affected stemcells. The fix grants Authenticated Users RX (no write) via icacls /inheritance:r - write access is still blocked — while restoring compatibility with Windows service startup machinery. Unit test updated to assert Authenticated Users is present with Allow ACE but zero write bits. Acceptance test updated to include Authenticated Users in the allow list and guard against write-access regression. ai-assisted=yes [TNZ-94650]
selzoc
force-pushed
the
allow-bosh-agent-startup
branch
from
3f68218 to
777a8f8
Compare
Without Read & Execute for NT AUTHORITY\Authenticated Users on C:\bosh and C:\var, Windows services running as Network Service or Local Service (both members of Authenticated Users) receive ERROR_ACCESS_DENIED during process creation at boot, preventing the BOSH agent service from starting. Confirmed via System.evtx: %%5 (ERROR_ACCESS_DENIED) logged by the SCM against the bosh-agent service on affected stemcells.
The fix grants Authenticated Users RX (no write) via icacls /inheritance:r
Unit test updated to assert Authenticated Users is present with Allow ACE but zero write bits. Acceptance test updated to include Authenticated Users in the allow list and guard against write-access regression.