Fix lookup in libbeat for Administrators group

elastic · Jul 21, 2021 · 80ff3bb · 80ff3bb
1 parent fe7f895
commit 80ff3bb
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 40 deletions.
diff --git a/libbeat/api/npipe/listener_windows.go b/libbeat/api/npipe/listener_windows.go
@@ -101,11 +101,8 @@ func DefaultSD(forUser string) (string, error) {
 	if u.Username == "NT AUTHORITY\\SYSTEM" {
 		// running as SYSTEM, include Administrators group so Administrators can talk over
 		// the named pipe to the running Elastic Agent system process
-		admin, err := user.LookupGroup("Administrators")
-		if err != nil {
-			return "", errors.Wrap(err, "failed to lookup Administrators group")
-		}
-		descriptor += "(A;;GA;;;" + admin.Gid + ")"
+		// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
+		descriptor += "(A;;GA;;;S-1-5-32-544)" // Administrators group
 	}
 	return descriptor, nil
 }
diff --git a/x-pack/elastic-agent/pkg/agent/cmd/run.go b/x-pack/elastic-agent/pkg/agent/cmd/run.go
@@ -9,9 +9,7 @@ import (
 	"fmt"
 	"os"
 	"os/signal"
-	"os/user"
 	"path/filepath"
-	"runtime"
 	"syscall"
 
 	"github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/core/status"
@@ -279,21 +277,10 @@ func setupMetrics(agentInfo *info.AgentInfo, logger *logger.Logger, operatingSys
 		return nil, err
 	}
 
-	// get descriptor on windows
-	descriptor := ""
-	if runtime.GOOS == "windows" {
-		var err error
-		descriptor, err = securityDescriptor()
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	// start server for stats
 	endpointConfig := api.Config{
-		Enabled:            true,
-		Host:               beats.AgentMonitoringEndpoint(operatingSystem, cfg.HTTP),
-		SecurityDescriptor: descriptor,
+		Enabled: true,
+		Host:    beats.AgentMonitoringEndpoint(operatingSystem, cfg.HTTP),
 	}
 
 	s, err := monitoringServer.New(logger, endpointConfig, monitoring.GetNamespace, app.Routes, isProcessStatsEnabled(cfg.HTTP))
@@ -309,23 +296,3 @@ func setupMetrics(agentInfo *info.AgentInfo, logger *logger.Logger, operatingSys
 func isProcessStatsEnabled(cfg *monitoringCfg.MonitoringHTTPConfig) bool {
 	return cfg != nil && cfg.Enabled
 }
-
-func securityDescriptor() (string, error) {
-	u, err := user.Current()
-	if err != nil {
-		return "", errors.New(err, "failed to get current user")
-	}
-	// Named pipe security and access rights.
-	// We create the pipe and the specific users should only be able to write to it.
-	// See docs: https://docs.microsoft.com/en-us/windows/win32/ipc/named-pipe-security-and-access-rights
-	// String definition: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
-	// Give generic read/write access to the specified user.
-	descriptor := "D:P(A;;GA;;;" + u.Uid + ")"
-	if u.Username == "NT AUTHORITY\\SYSTEM" {
-		// running as SYSTEM, include Administrators group so Administrators can talk over
-		// the named pipe to the running Elastic Agent system process
-		// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
-		descriptor += "(A;;GA;;;S-1-5-32-544)" // Administrators group
-	}
-	return descriptor, nil
-}