memory: RMM Set-Acl/icacls timeout drops stdout (lost password); generate secrets locally

2026-06-25 19:28:11 -07:00
parent b24239eef9
commit 9f5fedda06
2 changed files with 30 additions and 0 deletions

@@ -55,6 +55,7 @@
- [Prefer SSH over RMM](feedback_prefer_ssh_over_rmm.md) — When a target has SSH (key auth) and the task is easier over it, default to `scp script + ssh run` (system OpenSSH); RMM runs as SYSTEM + hits the server-side timeout reaper. Reserve RMM as fallback when SSH/VPN is down.
- [Re-clone submodule creds](reclone-submodule-creds.md) — Re-cloning the restructured claudetools (projects now submodules): set `credential.helper=store` GLOBALLY before `git submodule update --init --recursive` or every Gitea submodule fails "could not read Username". Steps in RECLONE.md.
- [Bot alerts need a ticket link](feedback_bot_alert_ticket_link.md) — Syncro ticket bot-alerts MUST include a clickable link: https://computerguru.syncromsp.com/tickets/<internal_id> (internal id, not ticket number). post-bot-alert.sh posts raw text; put the URL in the message.
- [RMM Set-Acl timeout loses stdout](feedback_rmm_setacl_timeout_password_loss.md) — NTFS ACL propagation (Set-Acl/icacls) on a large folder tree exceeds the RMM command timeout and stdout is dropped, so a password printed in that script is lost. Generate secrets LOCALLY (placeholder-inject) so they survive; isolate the ACL grant into its own long-timeout command.
- [Mac RMM authentication fixed](feedback_mac_rmm_auth_fixed.md) — Use `.claude/scripts/rmm-auth.sh` helper instead of heredoc pattern. Heredoc with `--data-binary @-` fails on macOS. Helper uses `jq -n --arg` to build JSON safely. Usage: `eval "$(bash .claude/scripts/rmm-auth.sh)"` sets $TOKEN, $RMM, $REPO_ROOT. Updated in /rmm Phase 0.
- [Verify committed state before push](feedback_verify_committed_state_before_push.md) — webhook builds from origin/main: verify the COMMITTED build (git stash + build), not the working tree; bad git-add pathspec silently aborts staging. Stage by directory.
- [Scheduling = coord todo, not schedulers](feedback_scheduling_via_coord_todo.md) — Defer future work as a coord todo (POST /api/coord/todos; needs text + created_by_user + created_by_machine) for a later session to pick up. NOT /schedule remote CCR agents (no vault/creds there) or local scheduled tasks.
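
Review bot: The new "RMM Set-Acl timeout loses stdout" index entry recommends "Generate secrets LOCALLY (placeholder-inject)" without saying that this puts the plaintext secret into the script text that is dispatched to the RMM. Add a short clause on whether that command body is retained or logged on the RMM side, and say the script must not echo the value, so the entry does not trade a lost password for one that lingers in command history. The entry also says only "long-timeout" while the detail file gives `timeout_seconds` (>=600); repeating the number here would make the index line usable on its own.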

@@ -0,0 +1,29 @@
---
name: feedback_rmm_setacl_timeout_password_loss
description: RMM Set-Acl/icacls ACL propagation on large folder trees exceeds the command timeout; stdout is dropped on timeout so any value printed in that script (e.g. a generated password) is lost.
metadata:
type: feedback
---
When dispatching `/rmm` commands that change NTFS ACLs (`Set-Acl`, `icacls /grant`) on a
**large folder tree**, ACL inheritance propagation to existing children can take minutes and
**exceed `timeout_seconds`** — the agent reaper marks the command `failed` with
`"Execution error: Command timeout"`, and **stdout is discarded**. Proven 2026-06-25 setting up
Nick's SMB share on REDNOURCARRIEVI (Carrie's `Documents` tree): the same script generated a
random password and printed it, then ran `Set-Acl` and timed out — the password was gone twice.
**Why:** PowerShell `Set-Acl` (and `icacls` even without `/T`) re-stamps inheritable ACEs onto
all existing children; on a big tree that blows past 90120s. `Set-LocalUser`/`New-LocalUser`
themselves are instant — the cost is the ACL walk.
**How to apply:**
- **Never depend on a value you can only read back from stdout in a command that might time out.**
Generate passwords/secrets **locally** in the Bash tool (retain them), inject via a placeholder
in a `<<'PS'` heredoc (`SCRIPT="${SCRIPT/__PW__/$PW}"`) so PowerShell `$env:` survives — then
even a timeout doesn't lose the value.
- **Isolate the slow ACL step** into its own command with a long `timeout_seconds` (>=600) and
poll across multiple Bash calls (each Bash call is capped ~2 min).
- For share access, share-level perms (`Grant-SmbShareAccess`) and the account creation are fast;
only the NTFS grant is slow.
See errorlog (`rmm/acl`, --friction) and [[reference_gururmm]].
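
Review bot: The injection one-liner in the first "How to apply" bullet, `SCRIPT="${SCRIPT/__PW__/$PW}"`, can alter the password it is meant to preserve. The single-slash form replaces only the first `__PW__`, and on bash 5.2+ with the default `patsub_replacement` option an `&` in `$PW` is replaced by the matched text `__PW__`. Suggest `SCRIPT="${SCRIPT//__PW__/"$PW"}"` (quoted replacement, all occurrences) and stating which character set the generated password may use, since the note does not show how the placeholder is quoted inside the PowerShell script. Separately, `90120s` in the "Why" paragraph reads like a range that lost its separator; please confirm the intended figure.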