Add list capabilities to directories for interactive users

[michalpristas]

This PR addresses a failure case where OSQuery breaks due to invalid permissions on the Extensions directory.

Per the OSQuery implementation, permissions on the directory are validated, and the check fails if any non-Administrator identity has write access. On Windows, this can occur as a side effect of how File Explorer operates.

When a user who is a member of the Administrators group but not elevated uses File Explorer, Explorer runs under a filtered token. If that user navigates to the Agent directory, which requires Administrator access, a UAC prompt is triggered. To avoid running whole explorer process with full administrative privileges, Windows applies a workaround that adds a copy of the Administrator ACE to the directory ACL, scoped to the user SID.

This behavior introduces an additional identity with write permissions, which causes the OSQuery validation to fail.

This PR works around the issue in a deliberately simple way. It adds an ACE for the INTERACTIVE (logged-in) user with List Directory and Traverse permissions only. This does not allow file reads, only directory listing, which is not sensitive. With this in place, no UAC prompt is raised and the DACL is not modified in a way that breaks OSQuery validation.

Downside of this is that user won't be prompted with UAC and when opening a log files they will run into access denied in their editor. They either need to change perms for log, run elevated editor and open it directly or use our tools like diagnostics or logs subcommand which is in my opinion preferred way.

Fixes #7260
Fixes: #6792

[mergify]

This pull request does not have a backport label. Could you fix it @michalpristas? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[ebeahan]

@michalpristas how backport friendly is this fix? It'd be nice to have a fix land in past versions, if possible.

[michalpristas]

Should not be an issue. Let's do backport active and close prs that turns out problematic

[cmacknz]

I am fine with this as the current best path we have to stop this problem from happening, I do this we need to document it a bit more.

[blakerouse]

Nice, this is a really smart idea for this.

This PR has an updated beats submodule, did you mean for that?

[michalpristas]

no i just hate submodules

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: f054b87

Failed CI Steps

• Unit tests - macOS 15 ARM
• x86_64:sudo: fleet-privileged
• arm:sudo: fleet

History

• 💚 Build #33716 succeeded 02d0cd4
• 💔 Build #33713 failed b533948
• 💚 Build #33340 succeeded da8f5e6
• 💔 Build #33159 failed 93171cc
• 💔 Build #33157 failed d7a7e8f
• 💔 Build #33154 failed 6b5cb3f

cc @michalpristas

[github-actions]

@Mergifyio backport 8.19 9.2 9.3

[mergify]

backport 8.19 9.2 9.3

✅ Backports have been created

Details

• #12435 [8.19] (backport #12189) Add list capabilities to directories for interactive users has been created for branch 8.19
• #12436 [9.2] (backport #12189) Add list capabilities to directories for interactive users has been created for branch 9.2
• #12437 [9.3] (backport #12189) Add list capabilities to directories for interactive users has been created for branch 9.3