Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix admin permission check on localized windows #1552

Merged
merged 6 commits into from
Oct 18, 2022
Merged

Fix admin permission check on localized windows #1552

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
7de7468
check for admin rights in groups
michalpristas Oct 18, 2022
66a9985
line ending
michalpristas Oct 18, 2022
8096e0e
deep check
michalpristas Oct 18, 2022
f38b3d3
log failure instead of failing
michalpristas Oct 18, 2022
8927ab6
changelog
michalpristas Oct 18, 2022
b076f5f
Update 1666088774-Fix-admin-permission-check-on-localized-windows.yaml
michalpristas Oct 18, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
31 changes: 31 additions & 0 deletions changelog/fragments/1666088774-Fix-admin-permission-check-on-localized-windows.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# Kind can be one of:
# - breaking-change: a change to previously-documented behavior
# - deprecation: functionality that is being removed in a later release
# - bug-fix: fixes a problem in a previous version
# - enhancement: extends functionality but does not break or fix existing behavior
# - feature: new functionality
# - known-issue: problems that we are aware of in a given version
# - security: impacts on the security of a product or a user’s deployment.
# - upgrade: important information for someone upgrading from a prior version
# - other: does not fit into any of the other categories
kind: bug-fix

# Change summary; a 80ish characters long description of the change.
summary: Fix admin permission check on localized windows

# Long description; in case the summary is not enough to describe the change
# this field accommodate a description without length limits.
#description:

# Affected component; a word indicating the component this changeset affects.
component:

# PR number; optional; the PR number that added the changeset.
# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
# Please provide it if you are adding a fragment for a different PR.
pr: 1552

# Issue number; optional; the GitHub issue related to this changeset (either closes or is part of).
# If not present is automatically filled by the tooling with the issue linked to the PR number.
issue: 857
47 changes: 42 additions & 5 deletions internal/pkg/agent/control/server/listener_windows.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,7 @@ package server
import (
"net"
"os/user"
"strings"

"github.com/pkg/errors"

Expand All @@ -18,9 +19,14 @@ import (
"github.com/elastic/elastic-agent/pkg/core/logger"
)

const (
NTAUTHORITY_SYSTEM = "S-1-5-18"
ADMINISTRATORS_GROUP = "S-1-5-32-544"
)

// createListener creates a named pipe listener on Windows
func createListener(_ *logger.Logger) (net.Listener, error) {
sd, err := securityDescriptor()
func createListener(log *logger.Logger) (net.Listener, error) {
sd, err := securityDescriptor(log)
if err != nil {
return nil, err
}
Expand All @@ -31,7 +37,7 @@ func cleanupListener(_ *logger.Logger) {
// nothing to do on windows
}

func securityDescriptor() (string, error) {
func securityDescriptor(log *logger.Logger) (string, error) {
u, err := user.Current()
if err != nil {
return "", errors.Wrap(err, "failed to get current user")
Expand All @@ -42,11 +48,42 @@ func securityDescriptor() (string, error) {
// String definition: https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings
// Give generic read/write access to the specified user.
descriptor := "D:P(A;;GA;;;" + u.Uid + ")"
if u.Username == "NT AUTHORITY\\SYSTEM" {

if isAdmin, err := isWindowsAdmin(u); err != nil {
// do not fail, agent would end up in a loop, continue with limited permissions
log.Warnf("failed to detect admin: %w", err)
} else if isAdmin {
// running as SYSTEM, include Administrators group so Administrators can talk over
// the named pipe to the running Elastic Agent system process
// https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
descriptor += "(A;;GA;;;S-1-5-32-544)" // Administrators group
descriptor += "(A;;GA;;;" + ADMINISTRATORS_GROUP + ")"
}
return descriptor, nil
}

func isWindowsAdmin(u *user.User) (bool, error) {
if u.Username == "NT AUTHORITY\\SYSTEM" {
return true, nil
}

if equalsSystemGroup(u.Uid) || equalsSystemGroup(u.Gid) {
return true, nil
}

groups, err := u.GroupIds()
if err != nil {
return false, errors.Wrap(err, "failed to get current user groups")
}

for _, groupSid := range groups {
if equalsSystemGroup(groupSid) {
return true, nil
}
}

return false, nil
}

func equalsSystemGroup(s string) bool {
return strings.EqualFold(s, NTAUTHORITY_SYSTEM) || strings.EqualFold(s, ADMINISTRATORS_GROUP)
}