From 9f5fedda06dd92e934a0f460ea132921aea871f6 Mon Sep 17 00:00:00 2001 From: Howard Enos Date: Thu, 25 Jun 2026 19:28:11 -0700 Subject: [PATCH] memory: RMM Set-Acl/icacls timeout drops stdout (lost password); generate secrets locally --- .claude/memory/MEMORY.md | 1 + ...edback_rmm_setacl_timeout_password_loss.md | 29 +++++++++++++++++++ 2 files changed, 30 insertions(+) create mode 100644 .claude/memory/feedback_rmm_setacl_timeout_password_loss.md diff --git a/.claude/memory/MEMORY.md b/.claude/memory/MEMORY.md index cb6f5f75..f1218c7a 100644 --- a/.claude/memory/MEMORY.md +++ b/.claude/memory/MEMORY.md 
@@ -55,6 +55,7 @@ - [Prefer SSH over RMM](feedback_prefer_ssh_over_rmm.md) — When a target has SSH (key auth) and the task is easier over it, default to `scp script + ssh run` (system OpenSSH); RMM runs as SYSTEM + hits the server-side timeout reaper. Reserve RMM as fallback when SSH/VPN is down. - [Re-clone submodule creds](reclone-submodule-creds.md) — Re-cloning the restructured claudetools (projects now submodules): set `credential.helper=store` GLOBALLY before `git submodule update --init --recursive` or every Gitea submodule fails "could not read Username". Steps in RECLONE.md. - [Bot alerts need a ticket link](feedback_bot_alert_ticket_link.md) — Syncro ticket bot-alerts MUST include a clickable link: https://computerguru.syncromsp.com/tickets/ (internal id, not ticket number). post-bot-alert.sh posts raw text; put the URL in the message. +- [RMM Set-Acl timeout loses stdout](feedback_rmm_setacl_timeout_password_loss.md) — NTFS ACL propagation (Set-Acl/icacls) on a large folder tree exceeds the RMM command timeout and stdout is dropped, so a password printed in that script is lost. Generate secrets LOCALLY (placeholder-inject) so they survive; isolate the ACL grant into its own long-timeout command. - [Mac RMM authentication fixed](feedback_mac_rmm_auth_fixed.md) — Use `.claude/scripts/rmm-auth.sh` helper instead of heredoc pattern. Heredoc with `--data-binary @-` fails on macOS. Helper uses `jq -n --arg` to build JSON safely. Usage: `eval "$(bash .claude/scripts/rmm-auth.sh)"` sets $TOKEN, $RMM, $REPO_ROOT. Updated in /rmm Phase 0. - [Verify committed state before push](feedback_verify_committed_state_before_push.md) — webhook builds from origin/main: verify the COMMITTED build (git stash + build), not the working tree; bad git-add pathspec silently aborts staging. Stage by directory. 
- [Scheduling = coord todo, not schedulers](feedback_scheduling_via_coord_todo.md) — Defer future work as a coord todo (POST /api/coord/todos; needs text + created_by_user + created_by_machine) for a later session to pick up. NOT /schedule remote CCR agents (no vault/creds there) or local scheduled tasks. diff --git a/.claude/memory/feedback_rmm_setacl_timeout_password_loss.md b/.claude/memory/feedback_rmm_setacl_timeout_password_loss.md new file mode 100644 index 00000000..16551c4f --- /dev/null +++ b/.claude/memory/feedback_rmm_setacl_timeout_password_loss.md 
@@ -0,0 +1,29 @@ +--- +name: feedback_rmm_setacl_timeout_password_loss +description: RMM Set-Acl/icacls ACL propagation on large folder trees exceeds the command timeout; stdout is dropped on timeout so any value printed in that script (e.g. a generated password) is lost. +metadata: + type: feedback +--- + +When dispatching `/rmm` commands that change NTFS ACLs (`Set-Acl`, `icacls /grant`) on a +**large folder tree**, ACL inheritance propagation to existing children can take minutes and +**exceed `timeout_seconds`** — the agent reaper marks the command `failed` with +`"Execution error: Command timeout"`, and **stdout is discarded**. Proven 2026-06-25 setting up +Nick's SMB share on REDNOURCARRIEVI (Carrie's `Documents` tree): the same script generated a +random password and printed it, then ran `Set-Acl` and timed out — the password was gone twice. + +**Why:** PowerShell `Set-Acl` (and `icacls` even without `/T`) re-stamps inheritable ACEs onto +all existing children; on a big tree that blows past 90–120s. `Set-LocalUser`/`New-LocalUser` +themselves are instant — the cost is the ACL walk. + +**How to apply:** +- **Never depend on a value you can only read back from stdout in a command that might time out.** + Generate passwords/secrets **locally** in the Bash tool (retain them), inject via a placeholder + in a `<<'PS'` heredoc (`SCRIPT="${SCRIPT/__PW__/$PW}"`) so PowerShell `$env:` survives — then + even a timeout doesn't lose the value. +- **Isolate the slow ACL step** into its own command with a long `timeout_seconds` (>=600) and + poll across multiple Bash calls (each Bash call is capped ~2 min). +- For share access, share-level perms (`Grant-SmbShareAccess`) and the account creation are fast; + only the NTFS grant is slow. + +See errorlog (`rmm/acl`, --friction) and [[reference_gururmm]].
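Review bot: in the MEMORY.md hunk, the new "RMM Set-Acl timeout loses stdout" entry should cross-reference the existing "Prefer SSH over RMM" entry a few lines above it, since that entry already records that RMM "hits the server-side timeout reaper" and names the fix that sidesteps this whole failure mode (run the ACL script over `scp` + `ssh` where no reaper applies). As written the index line only offers the two RMM-side workarounds (local secret generation, isolated long-timeout command); a short "if the target has SSH, use it instead, see Prefer SSH over RMM" keeps the two entries consistent and gives the reader the cheapest mitigation first. Also consider stating in the index line what "survive" means: the secret survives in the dispatching Bash session's variable, not on the target, which is the actual reason the timeout no longer loses it.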
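Review bot: in the new feedback file, the "How to apply" bullet `inject via a placeholder in a <<'PS' heredoc (SCRIPT="${SCRIPT/__PW__/$PW}") so PowerShell $env: survives` conflates two different mechanisms and has a correctness gap. Pattern substitution inlines the literal password into the script text; `$env:` plays no part in it, so either drop the `$env:` clause or describe the env-var route separately. More importantly, `${SCRIPT/__PW__/$PW}` is unsafe for an arbitrary generated password: with bash 5.2's default `patsub_replacement` option, an `&` in the unquoted replacement expands to the matched text (`__PW__`), and once inlined into PowerShell, characters such as `$`, backtick, `"` or `'` are interpreted depending on how the placeholder is quoted in the script. The note should pin the generator to a safe alphabet (or quote the replacement as `"${SCRIPT/__PW__/"$PW"}"` and verify the result) and say which PowerShell quoting the placeholder sits in. Finally, because the secret now travels inside the script body, it is present in the RMM command payload and whatever history the RMM keeps; the memory should record whether that is accepted for these one-off share accounts or whether the password is to be rotated after first use.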