When running an execute resource as an alternate user in Windows (chef local-mode), the environment isn't updated to reflect the alternate user's profile #7690

Open
shoreadmin opened this Issue Sep 25, 2018 · 0 comments


shoreadmin commented Sep 25, 2018

Description

When running an execute resource as an alternate user, the environment (e.g. USERNAME, USERPROFILE, USER, APPDATA, etc.) remains the same as that of the user who originally executed the chef-client rather than the user specified in the execute resource. I've assigned the SeAssignPrimaryTokenPrivilege to the user executing the script and this doesn't seem to make a difference.

There's a chance that, because I'm running this as part of a domain-joined PC, there's some other group-policy-related stuff happening here to screw things up...

Chef Version

14.5.33

Platform Version

Windows 7 x64

Replication Case

We output the log to a text file because otherwise the output is hidden (due to the resource being sensitive).

# Add 'SeAssignPrimaryTokenPrivilege' for the user
Chef::ReservedNames::Win32::Security.add_account_right(<username>, 'SeAssignPrimaryTokenPrivilege')

hasReplaceTokenRight = Chef::ReservedNames::Win32::Security.get_account_right(<username>).include?('SeAssignPrimaryTokenPrivilege')
log "hasReplaceTokenRight = #{hasReplaceTokenRight}" do
  level :warn
end

batch "Capture environment running as username" do
  code "set > C:/temp/env.txt"

  user <username>
  password <password>
end

Client Output

I haven't replicated the file output as part of this step; suffice to say that this output file is pretty much identical to running the same command below directly as the user running the chef-client.

Starting Chef Client, version 14.5.33
resolving cookbooks for run list: ["test"]
Synchronizing Cookbooks:
  - zipfile (0.1.0)
  - test (0.1.0)
Installing Cookbook Gems:
Compiling Cookbooks...
Converging 3 resources
Recipe: test::default
  * chef_gem[rubyzip] action install (up to date)
Recipe: test::install_visual_assist
  * log[hasReplaceTokenRight = true] action write[2018-09-26T08:45:39+10:00] WARN: hasReplaceTokenRight = true
[2018-09-26T08:45:39+10:00] WARN: hasReplaceTokenRight = true

  * batch[Capture environment running as username] action run
    - execute sensitive resource

Running handlers:
Running handlers complete
Chef Client finished, 2/3 resources updated in 11 seconds
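
An added example (not part of the original issue and not Chef's own code): a small Ruby check that parses a `set` dump such as `C:/temp/env.txt` from the replication case and reports which profile-derived variables do not reference the run-as user. The user names `admin` and `svc_build`, the sample dump, and the inclusion of `LOCALAPPDATA` are assumptions, as is the premise that the profile directory is named after the account.

```ruby
# Added diagnostic example; the user names and the sample dump are constructed.

# Variables Windows derives from the logged-on user's profile.
PROFILE_VARS = %w[USERNAME USERPROFILE APPDATA LOCALAPPDATA].freeze

# Parse cmd.exe `set` output (NAME=value per line) into a hash.
# Names are upcased because Windows environment names are case-insensitive.
def parse_set_output(text)
  text.each_line.with_object({}) do |line, env|
    name, value = line.chomp.split('=', 2)
    next if name.nil? || name.empty? || value.nil?
    env[name.upcase] = value
  end
end

# Return the profile variables that do not reference expected_user.
# USERNAME must equal the user; path variables must contain the user
# name as one path component (assumes the profile dir matches the account).
def stale_profile_vars(env, expected_user)
  user = expected_user.downcase
  PROFILE_VARS.each_with_object({}) do |var, stale|
    value = env[var]
    next if value.nil?
    ok = if var == 'USERNAME'
           value.downcase == user
         else
           value.downcase.split(/[\\\/]/).include?(user)
         end
    stale[var] = value unless ok
  end
end

# Constructed dump: what the batch resource would write if the environment
# still belonged to the account that launched chef-client ("admin").
SAMPLE_ENV_TXT = <<~'ENV'
  APPDATA=C:\Users\admin\AppData\Roaming
  ComSpec=C:\Windows\system32\cmd.exe
  LOCALAPPDATA=C:\Users\admin\AppData\Local
  USERNAME=admin
  USERPROFILE=C:\Users\admin
ENV

if __FILE__ == $PROGRAM_NAME
  stale = stale_profile_vars(parse_set_output(SAMPLE_ENV_TXT), 'svc_build')
  stale.each { |k, v| puts "#{k} does not reference the run-as user: #{v}" }
end
```

To use it on a real run, replace `SAMPLE_ENV_TXT` with `File.read('C:/temp/env.txt')` and pass the account given to the resource's `user` property.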