memory: RMM Set-Acl/icacls timeout drops stdout (lost password); generate secrets locally
@@ -55,6 +55,7 @@
|
||||
- [Prefer SSH over RMM](feedback_prefer_ssh_over_rmm.md) — When a target has SSH (key auth) and the task is easier over it, default to `scp script + ssh run` (system OpenSSH); RMM runs as SYSTEM + hits the server-side timeout reaper. Reserve RMM as fallback when SSH/VPN is down.
|
||||
- [Re-clone submodule creds](reclone-submodule-creds.md) — Re-cloning the restructured claudetools (projects now submodules): set `credential.helper=store` GLOBALLY before `git submodule update --init --recursive` or every Gitea submodule fails "could not read Username". Steps in RECLONE.md.
|
||||
- [Bot alerts need a ticket link](feedback_bot_alert_ticket_link.md) — Syncro ticket bot-alerts MUST include a clickable link: https://computerguru.syncromsp.com/tickets/<internal_id> (internal id, not ticket number). post-bot-alert.sh posts raw text; put the URL in the message.
|
||||
- [RMM Set-Acl timeout loses stdout](feedback_rmm_setacl_timeout_password_loss.md) — NTFS ACL propagation (Set-Acl/icacls) on a large folder tree exceeds the RMM command timeout and stdout is dropped, so a password printed in that script is lost. Generate secrets LOCALLY (placeholder-inject) so they survive; isolate the ACL grant into its own long-timeout command.
|
||||
- [Mac RMM authentication fixed](feedback_mac_rmm_auth_fixed.md) — Use `.claude/scripts/rmm-auth.sh` helper instead of heredoc pattern. Heredoc with `--data-binary @-` fails on macOS. Helper uses `jq -n --arg` to build JSON safely. Usage: `eval "$(bash .claude/scripts/rmm-auth.sh)"` sets $TOKEN, $RMM, $REPO_ROOT. Updated in /rmm Phase 0.
|
||||
- [Verify committed state before push](feedback_verify_committed_state_before_push.md) — webhook builds from origin/main: verify the COMMITTED build (git stash + build), not the working tree; bad git-add pathspec silently aborts staging. Stage by directory.
|
||||
- [Scheduling = coord todo, not schedulers](feedback_scheduling_via_coord_todo.md) — Defer future work as a coord todo (POST /api/coord/todos; needs text + created_by_user + created_by_machine) for a later session to pick up. NOT /schedule remote CCR agents (no vault/creds there) or local scheduled tasks.
|
||||
|
||||
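Review bot: the added index entry for feedback_rmm_setacl_timeout_password_loss.md sits two entries below "Prefer SSH over RMM", which already describes the same server-side timeout reaper, and the two are not linked. Consider placing the new entry directly after that one or cross-referencing them, so someone who hits a command timeout finds both the SSH fallback and the generate-locally rule. The summary also leaves out the `timeout_seconds` (>=600) figure that the memory file gives for the isolated ACL command; including it would make the index line actionable on its own.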
29
.claude/memory/feedback_rmm_setacl_timeout_password_loss.md
Normal file
@@ -0,0 +1,29 @@
|
||||
---
|
||||
name: feedback_rmm_setacl_timeout_password_loss
|
||||
description: RMM Set-Acl/icacls ACL propagation on large folder trees exceeds the command timeout; stdout is dropped on timeout so any value printed in that script (e.g. a generated password) is lost.
|
||||
metadata:
|
||||
type: feedback
|
||||
---
|
||||
|
||||
When dispatching `/rmm` commands that change NTFS ACLs (`Set-Acl`, `icacls /grant`) on a
|
||||
**large folder tree**, ACL inheritance propagation to existing children can take minutes and
|
||||
**exceed `timeout_seconds`** — the agent reaper marks the command `failed` with
|
||||
`"Execution error: Command timeout"`, and **stdout is discarded**. Proven 2026-06-25 setting up
|
||||
Nick's SMB share on REDNOURCARRIEVI (Carrie's `Documents` tree): the same script generated a
|
||||
random password and printed it, then ran `Set-Acl` and timed out — the password was gone twice.
|
||||
|
||||
**Why:** PowerShell `Set-Acl` (and `icacls` even without `/T`) re-stamps inheritable ACEs onto
|
||||
all existing children; on a big tree that blows past 90–120s. `Set-LocalUser`/`New-LocalUser`
|
||||
themselves are instant — the cost is the ACL walk.
|
||||
|
||||
**How to apply:**
|
||||
- **Never depend on a value you can only read back from stdout in a command that might time out.**
|
||||
Generate passwords/secrets **locally** in the Bash tool (retain them), inject via a placeholder
|
||||
in a `<<'PS'` heredoc (`SCRIPT="${SCRIPT/__PW__/$PW}"`) so PowerShell `$env:` survives — then
|
||||
even a timeout doesn't lose the value.
|
||||
- **Isolate the slow ACL step** into its own command with a long `timeout_seconds` (>=600) and
|
||||
poll across multiple Bash calls (each Bash call is capped ~2 min).
|
||||
- For share access, share-level perms (`Grant-SmbShareAccess`) and the account creation are fast;
|
||||
only the NTFS grant is slow.
|
||||
|
||||
See errorlog (`rmm/acl`, --friction) and [[reference_gururmm]].
|
||||
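Review bot: in the first "How to apply" bullet, `SCRIPT="${SCRIPT/__PW__/$PW}"` is not safe for an arbitrary generated password. The single-slash form replaces only the first `__PW__`. In bash 5.2 and later, with `patsub_replacement` on (the default), an unquoted `&` in the replacement expands to the matched text, so a password containing `&` arrives as a different string than the one retained locally. A quote character in the password can also end the PowerShell string literal it is pasted into. Suggest using the `//` form, quoting the replacement expansion, and stating that the generator alphabet excludes `&` and quote characters (or that the value is passed base64-encoded and decoded in PowerShell). The bullet also says to retain the secret without saying where; naming the store would close that gap.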