win_updates - Fix missing SeSecurityPrivilege error (#680)

Removes the need to have the SeSecurityPrivilege privilege present when running the win_updates module. This privilege is not needed for setting the temporary directory ACL and can be skipped.
ansible-collections · Oct 29, 2024 · 402897e · 402897e
1 parent 5f859d1
commit 402897e
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/changelogs/fragments/win_updates-acl.yml b/changelogs/fragments/win_updates-acl.yml
@@ -0,0 +1,5 @@
+bugfixes:
+  - >-
+    win_updates - Only set the Access control sections on the temporary
+    directory created by the module. This avoids the error when the
+    ``SeSecurityPrivilege`` privilege isn't present.
diff --git a/plugins/modules/win_updates.ps1 b/plugins/modules/win_updates.ps1
@@ -2108,7 +2108,17 @@ $startupWait = {
 # The scheduled task might need to fallback to run as SYSTEM so grant that SID rights to tmpdir
 $systemSid = (New-Object -TypeName Security.Principal.SecurityIdentifier -ArgumentList @(
         [Security.Principal.WellKnownSidType ]::LocalSystemSid, $null))
-$outputDirAcl = Get-Acl -LiteralPath $module.Tmpdir
+
+# .NET 5+ uses a different mechanism to get/set the ACLs. We cannot use
+# Set-Acl as it may try and set the SACL which requires SeSecurityPrivilege
+# which the user may not have.
+$tempDirectory = Get-Item -LiteralPath $module.Tmpdir
+if ($PSVersionTable.PSVersion -lt [Version]'6.0') {
+    $outputDirAcl = $tempDirectory.GetAccessControl('Access')
+}
+else {
+    $outputDirAcl = [System.IO.FileSystemAclExtensions]::GetAccessControl($tempDirectory, 'Access')
+}
 $systemAce = $outputDirAcl.AccessRuleFactory(
     $systemSid,
     [System.Security.AccessControl.FileSystemRights]'Modify,Read,ExecuteFile,Synchronize',
@@ -2118,7 +2128,12 @@ $systemAce = $outputDirAcl.AccessRuleFactory(
     [System.Security.AccessControl.AccessControlType]::Allow
 )
 $outputDirAcl.AddAccessRule($systemAce)
-Set-Acl -LiteralPath $module.Tmpdir -AclObject $outputDirAcl
+if ($PSVersionTable.PSVersion -lt [Version]'6.0') {
+    $tempDirectory.SetAccessControl($outputDirAcl)
+}
+else {
+    [System.IO.FileSystemAclExtensions]::SetAccessControl($tempDirectory, $outputDirAcl)
+}
 
 $updateParameters = @{
     Category = $categoryNames

diff --git a/tests/sanity/ignore-2.19.txt b/tests/sanity/ignore-2.19.txt
@@ -0,0 +1 @@
+tests/integration/targets/win_dsc/files/xTestCompositeDsc/1.0.0/DSCResources/xTestComposite/xTestComposite.schema.psm1 pslint!skip # Pwsh cannot parse DSC to MOF on Linux
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		tests/integration/targets/win_dsc/files/xTestCompositeDsc/1.0.0/DSCResources/xTestComposite/xTestComposite.schema.psm1 pslint!skip # Pwsh cannot parse DSC to MOF on Linux